I guess I should start by apologizing. I know we have never met, and starting a conversation with someone through a blog post is a weird thing to do. I also apologize for calling you “friend”, because never having talked at all cannot really make us friends. But I feel that there is some sort of connection, some way of thinking that we share, for which we certainly already are “lazy friends”, and I thought I should explain it and share it with other people.
All I have seen of you is your incredible talk entitled The Lazy Programmer’s Guide to Secure Computing. And it blew my mind. See, my blog is entitled “long term laziness”, and your talk clearly showed that we’re on the same page when it comes to laziness.
A lot of people are lazy in this world, but very few understand that there are different ways to be lazy, and you captured it perfectly by distinguishing what you called the “amateur lazy programmer” and the “professional lazy programmer”. You describe the state of mind of the latter as:
I know that if I don’t do this right the first time, I can spend an extra half hour now or spend a week of agony tomorrow.
And this is a way of life as far as I’m concerned. We apparently use different terminology. I say “long term”, you say “professional”, but I know we’re on the same page.
Overall, it was fascinating to see how good practices of object-oriented programming turn out to be security features. I had never thought about object-oriented programming this way.
I showed your talk to a very good friend of mine, and the envelope metaphor blew his mind as much as it did mine the first time I saw it. Then I thought, “oh well, that was the high point of his talk, I won’t learn much from now on.” And I did keep learning, until the last minute.
I really loved the part where you explain what to say to brainwash programmers so that they’d make programs that are easier to write viruses against. I wouldn’t have expected “Use C or C++” to be the very first rule, but your explanation makes a lot of sense.
Also, I programmed in CakePHP once, and at the time, seeing that they had a security class really did leave a bad taste in my mouth. I’m glad I was not crazy on this one, and that having a “security module” in a program is an aberration to a security guru.
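What that point looks like in code, as an added example that is not part of the original post or of the talk: the plain object-oriented habit of handing a component a reference to exactly the object it needs, and nothing else, is also a security boundary, because the component then has exactly the authority that reference carries. The scenario and every name in it (makeAppendOnlyLog, nosyPlugin, and so on) are invented for this illustration.

```javascript
// Added illustration, not code from the talk or from the post. A log is
// shared with an untrusted plugin in two ways: as a capability object that
// can only append, and (for contrast) as the raw array. Names are invented.

// The underlying array lives in a closure. The "log" object that escapes
// can only append; the "reader" object stays with the owner.
function makeAppendOnlyLog() {
  const entries = [];
  const log = Object.freeze({
    append(line) {
      if (typeof line !== "string" || line.includes("\n")) {
        throw new TypeError("log entries are single-line strings");
      }
      entries.push(line);
    },
  });
  const reader = Object.freeze({ lines: () => entries.slice() });
  return { log, reader };
}

// Sloppy design for contrast: whoever gets the raw array gets every
// operation on it, not just the one they need.
function makeRawLog() {
  const entries = [];
  return { entries, lines: () => entries.slice() };
}

// A plugin that tries to do more than append, and reports what it managed.
function nosyPlugin(log) {
  const overreach = { readOthers: false, wipe: false, addMethod: false };
  if (Array.isArray(log)) {
    // Raw array: the plugin can read and destroy the owner's history.
    overreach.readOthers = log.length > 0;
    log.length = 0;
    overreach.wipe = true;
    log.push("nosy plugin ran");
    return overreach;
  }
  // Append-only capability: the object simply does not carry these powers.
  overreach.readOthers = typeof log.lines === "function" || "entries" in log;
  overreach.wipe = typeof log.clear === "function";
  try {
    log.clear = () => {}; // frozen object: throws in strict mode, ignored otherwise
    overreach.addMethod = typeof log.clear === "function";
  } catch (e) {
    overreach.addMethod = false;
  }
  log.append("nosy plugin ran");
  return overreach;
}

// Owner code: only the "log" capability crosses into the plugin.
function demoCapability() {
  const { log, reader } = makeAppendOnlyLog();
  log.append("owner entry");
  const overreach = nosyPlugin(log);
  return { overreach, lines: reader.lines() };
}

// Owner code with the sloppy design: the plugin receives the raw array.
function demoAmbient() {
  const raw = makeRawLog();
  raw.entries.push("owner entry");
  const overreach = nosyPlugin(raw.entries);
  return { overreach, lines: raw.lines() };
}

console.log("capability:", JSON.stringify(demoCapability()));
console.log("raw array: ", JSON.stringify(demoAmbient()));
```

With the capability object, the plugin's overreach report is all false and the owner's entry survives; with the raw array, the plugin reads and wipes the history before appending its own line. Nothing in the plugin was checked or filtered; the difference is entirely in which object reference it was given.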
Also, the Buffy Summers quote at the end was brilliant!
When I think about it, it makes a lot of sense that you gave this talk. Educating people to make fewer mistakes is so much lazier than fixing all of these mistakes! I do thank you for having taught me so much in this one-hour video. I will certainly be even more careful than I was before when writing programs.
Keep being lazy and inspire people to be so too!