Posts by Raji

Google is Abandoning XSS Auditor For A Better Tool

July 22, 2019 | News

When Google released XSS Auditor in 2010 for Chrome v4, the plan was to provide a tool that would make faulty, regular-expression-based XSS filtering a relic. The often error-prone IE XSS filter and other client-side XSS filters of the time produced a myriad of false positives, left open alternative ways to bypass them, and even created vulnerabilities where there were none. From a technical standpoint, what set XSS Auditor apart from its contemporaries was its architecture. Many XSS filters at the time sat at the network layer, filtering requests and responses in the hope of intercepting information headed towards a malicious server. XSS Auditor, on the other hand, interfaced directly with the HTML parser and the JavaScript engine.

In introducing XSS Auditor, the Google Chrome team provided a highly performant alternative that set Chrome apart from other browsers when it came to developing websites. What XSS Auditor does is inspect a page's source for query parameters from the request that show up inside its JavaScript. If it finds such a match, the script is blocked or removed. Sometimes, the whole page is blocked.

Nine years ago, XSS Auditor's features may have been a welcome addition to the security community, but the filter has recently resembled a gaping hole through which various bypasses and exploits render it useless. The very problems that XSS Auditor set out to solve have reared their ugly heads in a particularly malevolent way: a clever attacker can turn XSS Auditor's architecture against a site, making the filter deem certain legitimate JavaScript to be malicious. This gives the attacker the ability to block code on a legitimate website. Frederik Braun illustrates this point in a blog post warning against the dangers of XSS Auditor's filter:

 “So, let’s say you have three script blocks on your website. The website that frames you doesn’t mind two of them – but really hates the third one. maybe a framebuster, maybe some other script relevant for security purposes. So the website that frames you just turns that one script block off – and leave the other two intact. Now how does that work? Well, it’s easy. All the framing website is doing, is using the browser’s XSS filter to selectively kill JavaScript on your page.”

One thing to note is that many bypasses exist simply because the authors of XSS Auditor chose not to account for them. XSS Auditor was only designed to address a specific class of XSS attack. In their proof-of-concept paper, Google researchers said, "[i]deally, a client-side XSS filter would prevent all attacks against all vulnerabilities. However, implementing such a filter is infeasible. Instead, we focus our attention on a narrower threat model that covers a certain class of vulnerabilities. For example, we consider only reflected XSS vulnerabilities, where the byte sequence chosen by the attacker appears in the HTTP request that retrieved the resource."

Reflected XSS vulnerabilities are non-persistent, so countermeasures built for them do not address persistent (stored) XSS attacks. They also don't account for DOM-based XSS, where the injection happens entirely in client-side code. With JavaScript frameworks like React pushing developers closer to the DOM, and in so doing increasing exposure to DOM XSS attacks, XSS Auditor has simply been overtaken by its own limitations.

That's why, amid the outcries from researchers and jokes from bug hunters, the Google Chrome team has finally pulled the plug on XSS Auditor. Thankfully, the Google Chrome team will replace it with a web standard called Trusted Types. This API addresses the pressing threat of DOM XSS attacks by restricting DOM injection points: sinks such as innerHTML only accept values that have passed through a policy the page registers, never raw strings. The Google Dev team believes that their new API will "obliterate DOM XSS."
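The gating that Trusted Types applies to a DOM sink, written here as an added example that models the API's shape in plain Node.js rather than using Chrome's real window.trustedTypes implementation; the TrustedHTML class, createPolicy, setInnerHTML and renderGreeting below are assumptions chosen to mirror the browser API, not code from the original post:

```javascript
// Added example: a minimal model of how a Trusted Types policy gates a DOM
// injection sink. It is not Chrome's implementation and not the real
// window.trustedTypes API; the names below are assumptions that mirror it.

// Brand for values that have passed through a policy. Only instances of this
// class are accepted by the sink below, so raw strings can no longer reach it.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// A small HTML escaper used by the policy. Escaping everything is the safest
// default for text that will be interpreted as HTML.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors trustedTypes.createPolicy(name, { createHTML }): the page registers
// one named policy whose createHTML callback sanitises untrusted input and
// returns a TrustedHTML instead of a plain string.
function createPolicy(name, rules) {
  if (typeof rules.createHTML !== 'function') {
    throw new TypeError(`policy ${name} must define createHTML`);
  }
  return {
    name,
    createHTML(input) {
      return new TrustedHTML(rules.createHTML(String(input)));
    },
  };
}

// Models an element's innerHTML setter while the CSP directive
// `require-trusted-types-for 'script'` is in force: plain strings are rejected.
function setInnerHTML(element, value) {
  if (!(value instanceof TrustedHTML)) {
    throw new TypeError(
      "This document requires 'TrustedHTML' assignment (modelled enforcement)"
    );
  }
  element.innerHTML = value.toString();
  return element.innerHTML;
}

const policy = createPolicy('greeting', { createHTML: escapeHtml });

// Renders the `name` query parameter into a greeting element. Without Trusted
// Types the classic DOM XSS pattern here would be element.innerHTML = 'Hello ' + name.
function renderGreeting(element, queryString) {
  const name = new URLSearchParams(queryString).get('name') ?? 'stranger';
  return setInnerHTML(element, policy.createHTML(`Hello ${name}`));
}

function demo() {
  // Constructed stand-in for a DOM element and a reflected URL parameter.
  const el = { innerHTML: '' };
  const safe = renderGreeting(el, '?name=<img src=x onerror=alert(1)>');
  console.log(safe); // the markup is escaped, so it renders as text
  try {
    setInnerHTML(el, 'Hello <b>raw string</b>'); // bypassing the policy
  } catch (e) {
    console.log('blocked:', e.message);
  }
  return safe;
}

demo();
```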


Resource:

Regular Expressions Considered Harmful in Client-Side XSS Filters


FaceApp’s Privacy Policy Isn’t The Problem

July 18, 2019 | Apps

FaceApp, an app that uses machine learning algorithms to alter facial images, has been riding the ebbs and flows of popularity for its brief two-year existence. The app owes its popularity to viral sensations like the one it's currently experiencing, which has users sharing photos of their older or younger selves. This aging filter was preceded by the controversial "blackface" filter and the equally controversial "hotness" filter. Those earlier features drew criticism, but that criticism pales in comparison to the scrutiny the app now faces from security researchers and anyone concerned with privacy.

The crux of the issue is the rights that FaceApp claims over your photos. There have been several tweets and articles dedicated to the legalese that allows FaceApp to practically do whatever it is they want to do with the photos you upload to the app.

Though the concerns about the potential for abuse are valid, one wonders why a fad app bears the brunt of privacy concerns. One doesn’t have to go too far to find the answer; FaceApp is based in Russia. Senate Minority Leader Chuck Schumer spelled out his reasoning for calling for an FBI investigation of FaceApp in a tweet, saying, “It’s owned by a Russian-based company.” The company that has Schumer and others concerned is called Wireless Lab.

Its CEO, Yaroslav Goncharov, has had to allay concerns about FaceApp's privacy through a press statement provided to TechCrunch. In the statement, he claims that FaceApp does not share or sell any user data to third parties (which is distinct from allowing third-party advertisers to deliver targeted ads). Users can also delete all their data by "sending the requests from the FaceApp mobile app using "Settings->Support->Report a bug" with the word "privacy" in the subject line." It's a finicky process that doesn't guarantee anything. But Goncharov also claims that FaceApp deletes most photos from its servers after 48 hours anyway.

The above sounds like the usual rebuttal that a tech company that stewards large amounts of data might provide. Rather than mob this single entity, we should use these legitimate concerns to push for more privacy awareness. We should be able to realize that most free apps that allow you to upload photos and share your personal information profit from that information. Facebook, Twitter, Snapchat, you name it. You’re essentially using your privacy as currency to benefit from their services. Facebook, for example, allows researchers to use your data without your consent because, as stipulated in their privacy policy, you sign away the right to consent when you agree to their policy.

There's nothing wrong with demanding that those in charge of handling your data use it responsibly. Images are of special concern with the rise of neural networks that can map a face onto a body, a technique known as deepfaking. However, FaceApp isn't the only photo app out there. Instagram houses millions of photos, and there is a bevy of other photo manipulation apps that hackers can exploit. Instead of hyper-focusing on the latest sensation and pushing a Red Scare narrative, political leaders in the U.S. should take a page out of the EU's book and draft a comprehensive data regulation bill that will make these privacy concerns a moot point.

Still, it falls on large tech companies to prioritize privacy. If disruptors like DuckDuckGo are the only ones concerned, then we can’t expect others to follow suit. If the Googles of the world invest in educating their user base about the importance of privacy and the steps in which they take to secure their data, more users will look for this in the apps they download. In the future, they might see an app like FaceApp and either pass it by or knowingly install it, content with selling their privacy for a bit of viral fun.


DuckDuckGo Expands Use of Apple Maps To Enhance Private Search

July 17, 2019 | News

As internet users have become more and more aware of the various ways in which large internet companies like Google and Facebook keep tabs on them, the cry for privacy has grown louder. DuckDuckGo has responded to these cries by creating a privacy-oriented alternative to the data guzzler that is Google. In so doing, DuckDuckGo has taken on the need to provide a feature that has become nearly synonymous with smartphones: Maps. Google Maps has for years been the unchallenged, vaunted showcase of Google's data collection and mapping ability. Even Apple Maps has gained ground recently after its poor early days. Users have grown accustomed to data-rich listings of the nearest location, shown in the context of a map.

To keep up with these mapping apps, DuckDuckGo recently integrated Apple's MapKit JS framework to provide more effective address searches, improved satellite imagery, and so on. Besides inheriting some of the tools that Apple provides to developers, DuckDuckGo used these tools to shore up some of DuckDuckGo Maps' weaknesses. Some of the improvements that DuckDuckGo details in their blog post are map re-querying, local autocomplete, and a dedicated Maps tab that makes the maps feature more accessible.

Some may question how DuckDuckGo could take advantage of Apple's mapping technology without sacrificing privacy. DuckDuckGo's response to this concern is that they do not send IP addresses to Apple or other third parties. Localized searches are not stored and are deleted immediately after use. Technically, DuckDuckGo approximates location using a GeoIP lookup, but this can be inaccurate on mobile networks. So the search company asks users to opt in to sharing their location with DuckDuckGo through their web browser, which then passes along their GPS location, cell tower location, and so on. The catch is that, depending on the browser, opting in can compromise one's privacy through no fault of DuckDuckGo. In short, if you want more accurate localized searches, you may have to give up some privacy, but the process is inherently anonymous because DuckDuckGo does not store the data in its server logs.

Though those faithful to Google Maps may scoff at these improvements, one cannot argue against the value of privacy. By shadowing some of Google's most valuable apps, DuckDuckGo can continue to coax more internet users onto its private platform while also informing users of the rights they hold over their personal data. All with the goal of "setting a new standard of trust online."


Atlanta-based DefenseStorm Secures $15M in Series A Funding

July 16, 2019 | Startups

With cyber breaches up 50% in 2019, DefenseStorm, an Atlanta-based cybersecurity startup, has raised $15 million in a series A round led by Georgian Partners to help stem the tide. All told, the company has raised $30 million.

The funding will be used to hire new employees in the sales, product management, and product departments. The goal is to allow the business to continue to grow in size and quality. "DefenseStorm is growing rapidly," says Howard Brewer, CEO of DefenseStorm, "and our primary goal is not only to ensure that we take care of both our current and potential customers, but also that we invest in our employees and the innovation they continue to bring to the table."

However, Georgian Partners isn't simply investing dollars; they're providing DefenseStorm with their shock team, a team that goes by the name of Georgian Impact. The Impact team, according to their website, constitutes "experienced technology practitioners and Ph.D.'s with expertise in areas including deep learning, software engineering, natural language processing and privacy." Unlike most VCs, Georgian Partners classifies itself as a growth equity firm, which means that it sources talent as well as capital. DefenseStorm will take advantage of Georgian Partners' resources to increase the capabilities of its GRID platform.

The GRID platform fosters a co-managed security operation whereby both the financial institution's security team and DefenseStorm's own security team (the TRAC team) monitor the security of the financial institution through real-time alerts. The platform's offerings all serve to streamline cloud-based cybersecurity to allow for faster response times, something that is crucial when sensitive data is at risk. Regarding the future of GRID, Brewer says, "As we evolve the GRID, we see more banking-specific use cases for our security and compliance platform that are natural extensions to the work we do and the methods we use today."

It's no surprise that a cybersecurity company focused on the finance sector has found a home in Atlanta, a city known for its digital transactions. DefenseStorm was founded in 2014 with the goal of providing smaller banks and credit unions with state-of-the-art security by leveraging both a powerful collaborative platform and a team of security experts.

With cybersecurity threats on the rise, DefenseStorm has proven its value in the market. “We are thrilled to have the support of the Georgian Impact team and look forward to a lasting partnership benefiting the entire cybersecurity community.”


How To Get an IT Job in Atlanta

July 15, 2019 | Recruiting

With accelerators like Techstars and Atlanta Tech Village housing up-and-coming startups, and with high rankings in the tech category, Atlanta is an excellent location if you're in need of a tech job. The key to getting a tech job in Atlanta (or anywhere) is to know which jobs are in demand, know how to make connections with the right people, and know how to market yourself.

Get the lay of the land

The job market is a market like any other. There are goods that are in high demand and goods that are in low demand. The commodity that job seekers want to offer is relevant skills matured by experience. The first thing you want to do is find out what employers are looking for in order to solve their pain points. The quickest way to accomplish this is to read statistics. For example, according to a TechRepublic article, cybersecurity is the skill in highest demand, followed by AI, full stack development, and so on. What you can do with statistics is use them to heighten or temper expectations. For example, since Atlanta is known to harbor a large number of fintech companies, a COBOL programmer may have a higher chance of landing a job there than in a city like Saint Louis.

Knowing the peaks and valleys of a job market can also allow you to set up a realistic runway. This knowledge can allow you to set up subsidiary goals if your main goals have not been met. The problem is that knowledge of a market is not enough to succeed in a market. You have to become familiar with the players in the market. And the best people to lead you to the players are those who’ve been hired by them.


Make connections

Job boards are constantly flooded with faceless applicants. And only 2% of all applicants are ever called in for an interview. Then, those who are interviewed have to jump through hurdles like phone interviews, behavioral interviews, and technical interviews. All of these interviews, including the formal lunch sessions, are to gauge talent level and personality fit. Basically, you’re dating an employer and if it works out, you enter into a long term relationship akin to marriage.

Unfortunately, a company is not a human being and would love to be as efficient as possible. It would prefer to know the person before they enter the interview room. That means a company would love it if one of its employees vouched for you. According to a LinkedIn report, employee referrals are "the top source of quality hires."

The way you get yourself referred (if you don't know any engineers) is to throw yourself into the tech community. Engage heavily in communities like Dev.to, Hacker News, Reddit, Stack Overflow, and GitHub. Most importantly, join meetups to create bonds with other job seekers who may be able to refer you once they land a job. On Meetup.com, you can narrow your search to any meetup within a few miles of your current location. Atlanta itself has a bevy of meetups ranging from JavaScript to Data Science.


Market yourself

However, the connection-building activity can be a wasted effort if you don’t know how to market yourself throughout. You have to have a sort of elevator pitch. In that way, when someone recommends you, they might say that you are, for example, a “CSS master.” That sounds a lot better than “X is a good programmer.”

The best way to market yourself in this way is to specialize. Your Stack Overflow contributions should show that you're really knowledgeable in X. Specialization forces you to crack open books to explore the nuances of a language. As you post blog articles about this knowledge, you'll find that you're also beginning to hone your communication skills within your specialization. So, by the time you meet up with like-minded people, you'll find that you've gained their respect. The passion you have for your specialization will show through your level of knowledge in the subject matter. It would then be much easier for people to receive your business card favorably.


In the end…

Getting a job isn't easy, but at Codesmith Dev, we bridge the gap between Technology Staffing and Application Development. We can help you succeed in today's changing environment. Visit our job board for opportunities.


Chinese-based Agent Smith Malware Infects 25 Million Android Users

July 12, 2019 | News

Check Point researchers Aviran Hazum, Feixiang He, Inbal Marom, Bogdan Melnykov, and Andrey Polkovnichenko discovered yet another Android malware infecting users. Usually, Android malware affects users in foreign countries, since those users often trust third-party app vendors. These vendors do a pretty poor job of gatekeeping, so malware is often able to gain a foothold in countries like India. And that's exactly what attackers have done in the case of Agent Smith, the name of this latest Android malware campaign. The third-party app store in question here is 9Apps, a store that targets Indian, Arabic, and Indonesian Android users. What Agent Smith does is disguise itself as a regular app like WhatsApp or Opera. When the user downloads an infected app, Agent Smith then uses its escalated privileges to infect other apps on the victim's phone. The eventual payload is a stream of illegitimate ads. As of now, Agent Smith has infiltrated 25 million devices, 15 million of which are in India. 300,000 infected devices are in the U.S., which makes this campaign unique in that it was able to infiltrate more complex Android systems.

Check Point acknowledges this fact by observing that the “actors behind Agent Smith seem to have moved into the more complex world of constantly searching for new loopholes, such as Janus, Bundle and Man-in-the-Disk, to achieve a 3-stage infection chain, in order to build a botnet of controlled devices to earn profit for the perpetrator.” The researchers claim that this is the first campaign that leverages all of these loopholes at once.

It's important to note the similarity between Agent Smith's method of infection and ViceLeaker. Both campaigns appear to backdoor apps and inject them with malicious code. What makes Agent Smith more insidious is the fact that it backdoors apps on the fly, or just-in-time (JIT). Also, the means behind Agent Smith are more dangerous than its end; though the attack results in ad displays, the researchers note that the malware can easily be repurposed to steal sensitive data.

The researchers were able to boil down an Agent Smith attack into three phases:

  • An enticing sex-related, gaming, or photo app hiding a Feng Shui Bundle would find a home in 9Apps waiting to be installed.
  • Once installed, a malware APK is decrypted and bundled with the app disguised as Google Update and other update variants. Hackers can now maliciously patch and update the malware.
  • Finally, the core malware extracts a list of installed apps, finds apps specified by code or C&C commands, and “updates” their APKs with malicious code.


For now, the source of the Agent Smith campaign is 9Apps; but the Check Point research team discovered 11 apps in the Google Play store that contain a dormant SDK similar to the one found in Agent Smith apps. Within the SDK lies a kill switch that awaits the keyword "infect" in order to turn the SDK into a malicious payload.


From this finding the researchers conclude that, "Evidence implies that the 'Agent Smith' actor is currently laying the groundwork, increasing its Google Play penetration rate and waiting for the right timing to kick off attacks." The researchers have also concluded that the attackers are most likely from a Chinese internet company located in Guangzhou. The report ends with this statement: "Today this malware shows unwanted ads, tomorrow it could steal sensitive information; from private messages to banking credentials and much more."


Popular Ruby Gem Found Hiding Malicious Code

July 12, 2019 | Uncategorized

Tute Costa, a developer at Epion Health, recently discovered malicious code in a Ruby gem called strong_password. This discovery came after he closely scrutinized the changes made to each gem following an update. Costa noticed that no changes appeared to have been made to strong_password even though the version number had been incremented from 0.0.6 to 0.0.7.

After digging a little further, he discovered code that, when running in production, looped a GET request to pastebin.com, a code snippet sharing site. The code also swallowed errors to mask its presence.

What we can surmise from the code that Costa made available is that the GET request would fetch the code found on pastebin and immediately execute it using eval. The loop would then lie dormant for a random interval before requesting code from pastebin once more. The code embedded in strong_password allows the attacker to modify their attack without having to touch the modified strong_password gem again. As a side note, this decoupled approach is good design. Unfortunately, good design is being used for nefarious purposes.

The code gets even more interesting when we look at the pastebin snippet provided by Costa. There, the code evaluates anything in a special cookie whose name matches an __id suffix. The attacker's server would then be notified about the infected hosts through HTTP requests made using the Faraday gem. In the end, the attacker would not only be able to affect the production site itself, but also use that site to attack other users who visit it, thanks to the injected middleware that reads those cookies.

How did the attacker gain the privileges required to perform this exploit? Well, Rafael France, the creator of strong_password, attributed it to a “simple account hijack.” He went on to say, “The kickball user likely cracked an old password of mine from before I was using 1password that was leaked from who knows which of the various breaches that have occurred over the years.”

The irony is pretty thick.

It's hard to say how many users may have been affected. Download numbers alone aren't enough to arrive at an estimate, since it's well known that a sizable portion of users do not update gems. Even so, this incident serves as a warning to those who rely on open source tools that are not rigorously maintained. RubyGems is then left with the task of policing bad actors who take advantage of abandoned projects that devs continue to rely on.

If you had updated to the bogus 0.0.7 version, you should update to the new version 0.0.8 release. Or, you can just downgrade.


Zoom Patched Vulnerability That Allowed Access to Cameras on Mac

July 10, 2019 | News

It took over 90 days for Zoom to finally patch a zero-day that they were alerted to as early as March 8. The vulnerability was detailed in a Medium post written by Jonathan Leitschuh. Here's the tl;dr of Jonathan's post:

  • The vulnerability allows hackers to force you into a call, DoS your Mac with repeated calls, reinstall the app on your computer, and take over your Mac’s camera.
  • This is made possible because hackers can take advantage of a server that is surreptitiously included when you install Zoom.
  • This server works as a background process and can be accessed even if the desktop app is closed or uninstalled. With a tailored GET request, Jonathan was able to initiate a Zoom meeting.
  • Thanks to poor design, the cameras of participants are on by default. So, in one fell swoop, a hacker can initiate a call and access a user’s camera.
  • An experienced hacker can use phishing attacks or iframes to get you to initiate a request to the web server without your knowledge. They could then send repeated GET requests to your server to DoS your Mac, or they could reinstall the Zoom app to continue attacks.


One would think that the above information would be enough to spur a move towards patching the vulnerability. However, Zoom fell into the trap of favoring a feature over usability. They only performed the quick fixes suggested by Jonathan and avoided doing away with the web server. It was only after Jonathan's public disclosure went viral that Zoom finally realized its mistake. The company released a statement saying, "Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process." The quote exposes the resistance the company had towards modifying their "seamless join" feature. It would be nice to say that this event should serve as a lesson to product teams that a feature is only as good as the security it provides to its users, but tight deadlines and tight budgets discourage the use of pen-testing.

Now, the best way to protect yourself from this vulnerability is to open your Zoom app and update it; the new patch removes the web server entirely. If you're feeling a bit paranoid, you can also run pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus; to kill the server, delete its directory, and leave behind an unwritable placeholder so it cannot be recreated.


IBM Acquires Red Hat To Stay Relevant in the Cloud Market

July 9, 2019 | News

A few days ago, I posted an article about how giant tech companies can save themselves from antitrust lawsuits by committing to open source. Now, Red Hat has recently announced that they’ve been acquired by IBM for a whopping $34 billion. The steep price tag is a reflection of the immense value one can accrue by being a pioneer of cloud technology. Microsoft and Amazon have exhibited their profitability in this sector long enough to prove the concept. Not only that, they’ve been able to shroud themselves in popularity. Once upon a time, Microsoft was an infamous company within the dev community. In moving towards the cloud, Microsoft had to shed its notorious anti-open source streak. A large reason for Microsoft’s about-face is the fact that cloud technology incentivizes collaboration; if you want to increase market share, it would behoove you not to alienate Linux users. This attitude has created such a fine line between open source and cloud technologies that an opensource.com article stated, “…open source licenses are becoming almost a de facto standard for how new cloud technologies are being developed.”

We all know that IBM has read the proverbial tea leaves, hence taking the plunge on a popular cloud technology like Red Hat. Though we may question the motives of this aging tech giant, this news is one of many signs that companies will use their open source involvement as a bulwark against lawsuits. The not-so-altruistic motivation still has benefits for the open source community: open source projects will continue to be funded. Jim Whitehurst, CEO of Red Hat, mentioned in a press statement that "[j]oining forces with IBM gives Red Hat the opportunity to bring more open source innovation to an even broader range of organizations and will enable us to scale to meet the need for hybrid cloud solutions that deliver true choice and agility." Beneath this swath of PR sugar, we can probably assume that affiliates like CentOS may be sidelined for new "hybrid solutions." Some of these solutions include OpenShift, which will allow IBM to compete with other serverless computing platforms like AWS Lambda.

To further that point, Red Hat announced that they will be leveraging the acquisition to offer a "next-generation hybrid multicloud platform." This technology would presumably put IBM at the forefront of cloud computing thanks to the reputation that Red Hat has garnered over the years. Red Hat's press statement practically devotes an entire section to explaining why IBM is now at the cutting edge, a position from which IBM has long been absent.

But being cutting edge is no longer good enough. That’s why Red Hat’s press statement ends with a sort of pledge of allegiance to open source. When a merger of this magnitude occurs, what giant tech companies like IBM must show is how the acquisition will benefit the community at large.


Coding Should Be Considered an Art Form

July 8, 2019 | Programming

Learning how to code is something that many start and few complete. Like many other activities, getting over the beginner hurdle can be difficult, especially when you don’t see much progress in the beginning. Specifically for programming, lack of early success may lead one to believe that a mathematical background is required before you can start developing anything. This form of impostor syndrome is detrimental to those who find their strength in the reading and writing portion of the liberal arts. There has to be a shift away from the idea that code is the sole domain of science. I remember one of my coding instructors surprising me by saying that he believed coding is an art. That statement jogged my mind. I’d always seen code as an austere beast, one incapable of expression. A means to an end.

However, code is much more than that; it's a form of expression. All you need to do is look up Eric Steven Raymond's hacker manifesto. In it, he refers to hackers (or coders) as part of a group of "creative people." To hack, ideally, is to use a programming language to solve a problem. Of course, you can argue that this puts coding squarely into the domain of mathematics. Though that may be true, it doesn't mean you can't apply coding to another field. Skilled writers solve the problem of communicating ideas one sentence at a time. They refactor their words to heighten comprehension. Mark Twain once said, "I didn't have time to write a short letter, so I wrote a long one instead." The quote exhibits a logical decision that the author made when setting out to write. The difficulty of writing concisely is similar to the problems that professional programmers face during crunch time. The elegant ideal that hackers seek to achieve must be compromised by deadlines that force the writing of less concise code.

Once you realize that code is expressive, you will start to see how semantic code can be. If you read different source code, you'll notice different styles. Tech companies use style guides just as online editorials use the AP style guide to achieve a level of uniformity. Above all else, code must be legible so that others who stumble upon it can comprehend it. The emphasis is on writing code for humans and not for computers. Code isn't the Matrix, thanks to high-level programming languages. JavaScript, Java, and Python are just a few examples of the many high-level programming languages out there. They exist for a reason: they help us read and maintain code by pulling us away from the 1s and 0s of binary. Binary is how computers really communicate. What high-level languages allow us to do is communicate with computers with a translator (the compiler) there to tell the computer what we've written down. With that in mind, you can think of code as a detailed set of grocery-list instructions.

So all the code you see out there in the wild is just that: instructions written in a foreign language. In order to be fluent in any language, it helps to read the language. So, reading well-written code is one of the best ways to learn how to program. As you read the code, you should ask yourself what purpose each line serves. In other words, what problem does it solve? Why was it written in this way? Could it have been written in any other way?

This sort of immersion is better than spending countless hours slogging through a programming book or dabbling in brief tutorials. Languages aren't learned passively. They're learned by actually using them, discovering nuances, and asking questions about those nuances. Just as you get better at writing by reading and writing, you get better at coding by reading and writing code. Though it's true that coding involves problem solving, many of the problems you encounter can be solved by recognizing a few patterns and using trial and error. We solve many of our daily problems in this way.

If we want coding to become more of a mainstream phenomenon, the stigma of complexity must be removed. Rather, coding should become a basic skill taught in elementary and middle schools to develop intuitive problem-solving skills. If we can think of coding as yet another art form, then perhaps the idea of a group of eight-year-olds coding in their free time may not be a pipe dream. The computer science stuff, like grammar, can come later.
