Extracting full path while uploading a file to server in Flex

In my free prototyping time I decided to write a simple uploader in AIR (what else?). I could create a working application in minutes using the FileReference class, its browse() method (for opening a File Selection Dialog) and its upload() method to upload the file.

But something looked odd. I wished to show the user the filepath he has selected in a disabled text box (the good old way..) but FileReference does not have the full path information. Googling helped. It said that “for security reasons full path of a file won’t be available in flash”. Valid. But then it clicked in my mind that I’m developing an AIR application. I talked to a friend and asked him for a resolution. And that helped -

Use File instead of FileReference while developing an AIR application. It is an extension to FileReference with more functionality (including a getter/setter to the private variable nativePath). Cool!

Thanks Raghu.

A generic binary search implementation in C - thoughts

Wish you a very happy new year!

This is an attempt to discuss a problem I’ve come across. Some common things that I would like to suggest people going for computer science interviews are -

  • listen to the question with full concentration on every word; avoid wandering for the similar questions that your friend discussed this morning
  • do not assume anything (even if this means asking the dumbest questions, don’t hesitate)
  • if you know the problem and the solution (or you’ve been asked the same or similar question in a previous round of interview), tell them. Don’t waste your time and theirs.
  • break the problem into small tangible subsets; things that you are more comfortable working with (say a problem with million users telephone directory, think of a 50 or 10 users telephone directory or say a problem on a variation of tower of hanoi, think of the implementation of simple tower of hanoi and then move towards the special treatment) or things that are more do-able.
  • think aloud; most interviewers love loud thinking
  • think out of box when you cannot remember (or you do not know) a standard solution (which you are sure exists although). Everyone loves innovative ideas and believe me, they do come.
  • do not make an obvious mistake while writing code. code defensively. check success of every memory allocation or file read.
  • make sure you understand the Big-O notation for algorithmic time-space metric. I’ve seen that computer scientists are happy when you come up with a more accurate understanding of O-notation.
  • think of design issues like portability of code, reentrancy of the code, bottleneck portions of the code (and any trade offs) etc. and discuss these with the interviewer
  • if you can think of more than one solution for a problem, tell them.

Write a program to implement a binary search for generic array whose elements are sorted.

The problem is to write an implementation of the binary search algorithm, and the twist is “generic”. The term generic itself is enough to give you a clue about the direction of thought. Without the “generic” requirement, suppose a binary search algorithm is to be implemented for an array of integers; then the signature is:

int binsearch(int a[], int x, int n)

If you are going to implement the algorithm in C, think “void *” and if you are going to implement the algorithm in C++, think templates. Now I discuss here an implementation in C. Well my function should have an array (which will be a ‘void *’ to accommodate an array of any data type), the item to search for (again a void *), the number of elements in the array. What else?

  • We do not have an idea of how to dereference the pointer available to us.
  • we do not have a way to base our comparison on (e.g. this may be an array of structures sorted on an element of the structure (which obviously our algorithm is blind to)).

So we require two more arguments, size of the data structure so that we can do a typecast of ‘void * arr’ to ‘char *’ and for an index ‘i’, jump using the expression ((char*)arr + i*size) to get to the item of interest and a pointer to a function, compare, which will take two ‘void *’ and return -1, 0, 1 just like any compare function. so signature is:

int binsearch(void *arr, void *x, int n, size_t size, int (*compare)(void *, void *));

Algorithm itself is not much a problem I think. It works like calculating the “mid” (for 0 to n), and then comparing the mid value with x by:

int p = compare(((char *)arr + mid*size), x);

If p == 1, search in [mid+1, n], if p == -1, search in [0, mid-1] and if p == 0, you happy, go lucky got it!

You can actually do away with the argument “size” if you make the function signature a bit uglier by pushing the responsibility of dereferencing arr (void *) to the user. So now your compare function signature will be -

int compare(void * /* arr */, int index /* index */, void * /* tosearch */);

But this is dirtier since humans normally are in habit of a ‘compare’ with two parameters. In this new avatar your binsearch becomes -

int binsearch(void *arr, void *x, int n, int (*compare)(void *, int, void *));

Happy implementation!
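
An added example, not the author's code: the size-based signature implemented defensively in C. It assumes the strcmp convention for the comparator (a positive result means the element at mid sorts after x, so the search moves to the lower half), uses size_t indices with an overflow-safe midpoint, and returns -1 when the item is absent; struct user, USERS and find_user are names constructed for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* strcmp-style contract: <0 if a sorts before b, 0 if equal, >0 if after. */
typedef int (*cmp_fn)(const void *a, const void *b);

/* Index of a matching element, or -1 if absent or the arguments are invalid. */
long binsearch(const void *arr, const void *x, size_t n, size_t size, cmp_fn compare)
{
    const char *base = arr;
    size_t lo = 0, hi = n;                  /* half-open range [lo, hi) */

    if (arr == NULL || x == NULL || compare == NULL || size == 0)
        return -1;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;    /* no overflow, unlike (lo + hi) / 2 */
        int p = compare(base + mid * size, x);
        if (p == 0)
            return (long)mid;
        if (p < 0)
            lo = mid + 1;                   /* element at mid sorts before x */
        else
            hi = mid;                       /* element at mid sorts after x */
    }
    return -1;
}

/* Constructed sample data: records sorted on id, the only field compared. */
struct user { int id; const char *name; };
static const struct user USERS[] = {
    {INT_MIN, "min"}, {3, "ann"}, {8, "bob"}, {15, "cy"}, {INT_MAX, "max"}
};

int cmp_user_id(const void *a, const void *b)
{
    int ia = ((const struct user *)a)->id, ib = ((const struct user *)b)->id;
    return (ia > ib) - (ia < ib);           /* ia - ib would overflow at the extremes */
}

long find_user(int id)
{
    struct user key = { id, NULL };
    return binsearch(USERS, &key, sizeof USERS / sizeof USERS[0], sizeof USERS[0], cmp_user_id);
}

int main(void)
{
    printf("%ld %ld %ld\n", find_user(15), find_user(4), find_user(INT_MAX));
    return 0;
}
```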

Power of plain text, the power of being simple

As we see the convergence of technologies through web, I think plain text is going to play a crucial role in delivering a standard cross platform solution for communication. It has already taken the center stage in form of XML. Debate on simplicity (or human side of technology) and performance will, I think, have a positive shift towards the former (people love faster development and simpler use more these days I think.. Rubyist view)

why plain text?

pragmatic programmers answer it with bullets - insurance against obsolescence, leverage (lot of tools available for talking to plain text) and easier testing. and I as always agree.

The concern is there although. Concern is that in addition to being human readable, the text should be human understandable as well. Using names which are semantically correct and contextually relevant is going to act as a substantial catalyst in helping dealing with these plain text files (whether it is a database or configuration file or data-transfer format).

Being always biased towards keeping configuration and databases (good old unix way) I am going to take care of this as a specification in almost all (not everything is driven by me!) development I do. You should also do the same so that your database outlasts your application!

Orthogonality and its importance in software development

I’ve lately been reading The Pragmatic Programmer by Andrew Hunt & David Thomas. Having reached a chapter about the decoupling requirement in the development of software, I thought of putting a few lines on the weblog. Orthogonality is derived originally from Geometry where it is meant to illustrate two lines which meet at right angles and hence are mutually independent moving in all directions. In software, orthogonality refers to the independence between the modules of the software, e.g. the user interface of a piece of software should not have any dependence on the database schema. Decoupling, if not met properly while designing software, can lead to disaster in code maintenance. Decoupled code is better for maintenance for numerous reasons -

1. Changes are localized and hence development and testing time (and cost) are reduced. Quality also improves since better division of work is possible.

2. Problems are also localized. An issue in one module does not affect other modules and hence the fix needs to be done there only (or the whole module can be replaced by another implementation altogether).

3. There is more possibility of smaller independent teams (which is ideal for a better coordination)

An interesting introduction into orthogonality is the advent of Aspect Oriented Programming (AOP), a research project at Xerox Parc. As Object oriented programming focusses on the objects and their interaction, Aspect oriented programming focusses on aspects (concerns). AOP lets you express a behavior which would otherwise be distributed throughout the source code. The most obvious example would be logging. Log messages are normally generated by sprinkling explicit calls to some log function throughout the code. With AOP, you implement logging orthogonally to the things being logged. Using the AOP for Java, you could write a log message while entering any method of Class Fred by coding the aspect -

aspect Trace {
    advise * Fred.*(..) {
        static before {
            Log.write("-> Entering " + thisJoinPoint.methodName);
        }
    }
}

If you weave this aspect in your code then log messages will be generated and if you don’t, they won’t. Either way, your original source is unchanged.

Towards the end of the discussion is a challenge: Consider large GUI-oriented tools typically available on Windows and small but combinable command line tools used on shell prompts. Which do you think are more orthogonal in design?

What do you think?

Building Strings in Ruby

If efficiency is important to you, don’t build a new string when you can append items onto an existing string. Constructs like str << 'a' + 'b' or str << "#{var1} #{var2}" create new strings that are immediately subsumed into the larger string. This is exactly the thing to avoid. Use str << var1 << " " << var2; instead.

Starting on the formal journey into Ruby!

I’ll be starting with Ruby Cookbook today (it’s evening right now..). I will be discussing Ruby code, Constructs, Positives and Negatives as I encounter them. So expect lot of Ruby (and may be rails) here.

Association with the language: Why I fell in Love with Ruby

Adobe AIR, taking RIAs to Desktops

I’m pretty much sure that you must have heard (and talked) a lot about how the next big thing (after desktop.. and Micro$oft’s humongous success in that arena) would be taking desktop applications to web (and many of you would be in a queue to purchase Google shares for too-too-too-much price) and there are tangible examples to quote, for example, Google docs (formerly Writely, acquired by Google), Google Spreadsheets, Google Presentation etcetera.

No, no. Don’t think that I mistyped the title. It’s alright.

What am I upto?

A pathbreaking technology from Adobe, AIR (Adobe Integrated Runtime) is all about taking Rich Internet Applications (RIA) to Desktops i.e. having a desktop application which will communicate with web and deliver rich content right there. Adobe website says:

Adobe® AIR™ lets developers use their existing web development skills in HTML, AJAX, Flash and Flex to build and deploy rich Internet applications to the desktop.

This is a cross platform technology and an application written for MS Windows will work with Linux platform. No migration (read porting) required. Don’t see any released development support for Linux though. I will keep posted.

What do you need to get started?

I’ve started with AIR application development and am hooked to it (as I’m to most technologies I try out), you should also get your hands wet once with it and I’m sure you gonna love it. (Affiliation: I’m employed with Adobe Systems).

AIR Showcase. Adobe Labs. Adobe Flex

IT Security unclothed by “a nerdy hacker”

Robert Moore, a 23 year old hacker would be starting his imprisonment in federal prison today (Thursday, 27th Sep) for breaking into 15 telecommunications companies and hundreds of businesses (and individuals) worldwide. He spoke about “how easy it was”. Moore, who describes himself as a “mega geek” is more upset about being banned from using a computer than actually going to prison. Here are few things from his interview which may help IT vendors, users (including the huge IT departments whose “sole” job is to secure the company network and provide the staff with a better service) to know how insecure they are.

How easy it is?

“It’s so easy. It’s so easy a caveman can do it,” Moore told InformationWeek, laughing. “When you’ve got that many computers at your fingertips, you’d be surprised how many are insecure.”

“what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords”

“I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had ‘admin’ or ‘Cisco0’ as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. … We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I’d write a scanner for Mera boxes and we’d run the password against it to try to log in, and basically we could get in almost every time. Then we’d have all sorts of information, basically the whole database, right at our fingertips.”

How he used to work (hack)?

He explained that he would first scan the network looking mainly for the Cisco and Quintum boxes. If he found them, he would then scan to see what models they were and then he would scan again, this time for vulnerabilities, like default passwords or unpatched bugs in old Cisco IOS boxes. If he didn’t find default passwords or easily exploitable bugs, he’d run brute-force or dictionary attacks to try to break the passwords. “We would go to telecom forums and other telecom sites that list company names and where they’re from,” he explained. “We’d look at foreign countries first. We’d take the name and IP range and then dump it into the scanner. … Some of the Cisco versions, like IOS, were old and easier to get into.”

Tips from the hacker?

Moore said it would have been easy for IT and security managers to detect him in their companies’ systems … if they’d been looking. The problem was that, generally, no one was paying attention.

“If they were just monitoring their boxes and keeping logs, they could easily have seen us logged in there,” he said, adding that IT could have run its own scans, checking to see logged-in users. “If they had an intrusion detection system set up, they could have easily seen that these weren’t their calls.”

The hacker said IT technicians also could have set up access lists, telling the network to only allow their own IP addresses to get in. “We came across only two or three boxes that actually had access lists in place,” he added. “The telecoms we couldn’t get into had access lists or boxes we couldn’t get into because of strong passwords.”

I have myself seen, even in huge operations, this policy of keeping a company-wide (as if that is safe) default password for their servers.

Ludicrously, this incident has divided the IT industry into two, and enterprises have started a blame war against the vendors for making it a policy that default password is changed before things work. But my question: who will save you when you are attacked with a brute-force dictionary attack? The only fact is that there is no one-push-button for security, and you have to keep a part of the department busy with log analysis, password updation and knowledge updation of what is happening around (and this too will make you just ‘more’ secure).

I remember Henry Keller’s saying: Security is mostly a superstition. I add “More so for worldwide interconnected computers”. I hope that you too learn from it and at least personalize your passwords now. Be a Paranoid!

to switch-case or not to !

A friend (and colleague), in an attempt to have a long discussion, asked me about my preference between cascaded if-else and switch-case statements and which one is better. I could get away (because I was caught up in some work I didn’t want to lose attention from) by saying that I will certainly be getting back with the facts you want to know and that my personal preference is switch-case.

Later in the evening (now) I am in front of firefox with almost seventeen tabs open with links relating to the comparison between if-else and switch-case statements. I think I should share some statements here (sources are documents and forums available on internet).

The switch-case can only be used with integral types, and the case values need to be compile-time constants. An if/else cascade is likely to be slower than switch/case.

switch/case is often implemented using a jump table with the case values as index into the table. The if/else is usually implemented using a cascade of conditional jumps. Hence switch/case often will win on time efficiency.

The best construct to use is the one that is the easiest to understand to the reader (and not the more efficient) (obviously, if it is not killing the program).

For the curious,

A jump table is either a table of addresses (pointers) or jump instructions. An index is used to access the appropriate location, then an action is taken. This can be implemented in C++ using an std::map of <key, function_pointer> or an array of similar structures.
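
A hand-written jump table next to the equivalent switch, as an added C example (not taken from the quoted sources). The opcodes and handler names are constructed for the illustration; the range check on the index does the job that default: does in the switch.

```c
#include <stddef.h>

enum op { OP_ADD, OP_SUB, OP_MUL, OP_NEG, OP_COUNT };   /* dense values 0..3 */
typedef int (*handler)(int a, int b);

static int do_add(int a, int b) { return a + b; }
static int do_sub(int a, int b) { return a - b; }
static int do_mul(int a, int b) { return a * b; }
static int do_neg(int a, int b) { (void)b; return -a; }

/* Hand-written jump table: the case value is the index, the entry is the target. */
static const handler TABLE[OP_COUNT] = {
    [OP_ADD] = do_add, [OP_SUB] = do_sub, [OP_MUL] = do_mul, [OP_NEG] = do_neg,
};

/* Returns 0 and stores the result, or -1 for an opcode with no handler. */
int dispatch_table(int op, int a, int b, int *out)
{
    /* Without this check an untrusted op would index past the table and the
       program would call whatever pointer-sized value happens to lie there. */
    if (op < 0 || op >= OP_COUNT || TABLE[op] == NULL)
        return -1;
    *out = TABLE[op](a, b);
    return 0;
}

/* Same behaviour as a switch; for dense case values compilers commonly emit a jump table. */
int dispatch_switch(int op, int a, int b, int *out)
{
    switch (op) {
    case OP_ADD: *out = a + b; return 0;
    case OP_SUB: *out = a - b; return 0;
    case OP_MUL: *out = a * b; return 0;
    case OP_NEG: *out = -a;    return 0;
    default:     return -1;
    }
}

/* 1 if both dispatchers agree on status and result for every op in [-2, OP_COUNT + 2). */
int dispatchers_agree(int a, int b)
{
    for (int op = -2; op < OP_COUNT + 2; op++) {
        int r1 = 0, r2 = 0;
        int s1 = dispatch_table(op, a, b, &r1), s2 = dispatch_switch(op, a, b, &r2);
        if (s1 != s2 || r1 != r2)
            return 0;
    }
    return 1;
}

int main(void) { return dispatchers_agree(6, 7) ? 0 : 1; }
```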

Epigrams on Programming

Read the Epigrams on Programming. One big difference between an expert programmer (and designer) and a naive is the level of idiomization of experience. So my dear programmer - standardize, idiomize. As they say

The only difference (!) between Shakespeare and you was the size of his idiom list - not the size of his vocabulary.