DEV Community: Ryan

How can I volunteer my extra time while self-isolating due to COVID-19?

Ryan — Thu, 12 Mar 2020 23:05:34 +0000

My place of work has made the decision to implement working from home starting tomorrow. And most of the country, if now the world is likely to do the same.

Skipping the daily commute by working from home will unlock a bunch of free time for most of us.

I'm wondering if anybody has any interesting or creative suggestions for how to volunteer or time online.

Contributing to your favourite open source project seems like a nobrainer.

How about for non-developers?

I've heard people suggest editing Wikipedia.

What other ideas can we come up with?

Services Should Help Us Remember

Ryan — Wed, 01 Jan 2020 19:22:12 +0000

With the beginning of a new ~~year~~ decade everybody is posting retrospectives on anything and everything. For the most part, these retrospectives have to be complied manually by compiling data from different sources. I’d argue that our lives would be more interesting if more services give us easier ways to reflect on the content we’ve posted over the decades.

In fact, services could probably get away with collecting more sensitive data if they surfaced it for us in interesting ways. For instance (despite my better judgement) I’ve had Google’s location tracking fully enabled for the past 3 years. The Google Maps timeline generates this map of everywhere I’ve been that is just totally fascinating to me. I can’t bring myself to turn if off.

Everywhere I’ve been in the past 3 years according to Google. It’s actually missing some data and I’ve never been near Detroit. So that’s somewhat comforting in a way.

An Experiment

This week, I started an experiment where I will be logging every single interesting link I come across online in a public twitter feed.

// Detect dark theme var iframe = document.getElementById('tweet-1212077954072637440-183'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1212077954072637440&theme=dark" }

It would be cool to see what happened if browsers tried to include a feature like this using your local browser history. (I’m getting deja vu, was there a web 2.0 era browser that did something like this?)

WordPress Historical Posts

A few years back I created a WordPress plugin that surfaces old posts in dashboard and sidebar widgets (you can see it in the footer of my blog if you scroll down). IMHO any blogger with more than a couple of years of content could benefit from this plugin. I love seeing what I posted a decade ago. Occasionally it spawns new or update post ideas.

The plugin is called Historian, you can download it from the plugin repository.

Other Services

I know the photo services have started adding “on this day” and “then and now” features to their main products. I personally enjoy those quite a bit. Seeing my kids grow up is an acceptable of inherently anti-piracy facial recognition.

I mentioned Google Maps Timelines as another acceptable reasons to leak private data. But I actually think Google could do more with this data, especially on Android. It would be cool to automatically see all the times I’ve been at my current location and any photos or related data that I’ve logged there. Google Health could have workout data (and analysis) automatically available when I’m at the gym. Stuff like that.

Are there other services that have interesting retrospective features?

Would you be more open to giving up private data if services gave you interesting or useful data and analysis based on you private data?

Do you delete Git branches?

Ryan — Thu, 28 Nov 2019 20:33:04 +0000

At my place of employment we use Jira ticket numbers in our git branches so that we can take advantage of the ticket-to-code-linking magic.

But as a projects grows, the number of remote branches gets kind of insane. I suppose this doesn't affect performance or anything. It's just a little unsightly and makes it difficult when you need to go hunting for remote branches.

What are best practices here?

Delete local branches and keep the remotes?

Delete remote branches and lose the Jira link on historical tickets?

My Coding Origin Story

Ryan — Fri, 15 Nov 2019 04:25:05 +0000

Earlier today Ben Halpern posted a bit about his coding origin story on dev.to. I thought it might be interesting to share how I got my start.

Growing my family was not an early computer adopter. Computers were expensive and my parents were endlessly frugal. So I don’t share the common origin story for a lot of nerds of my generation, I never noodled around with a Commodore 64 or anything of that era.

My first exposure to computer programming was writing simple routines in Logoon an Apple IIe in grade 6. Logo was very simple, but super valuable as a fundamental building block. My experience taught me the basics of looping and the idea of printing things to the screen and it certainly piqued my interest in programming at an early age.

The next code adjacent thing I remember doing was mucking around with the Windows 3.1 autoexec.bat file on my grandfather’s 386 laptop (which he had left with me for some reason), probably circa 1993. Pre-Internet I have no idea how I knew this was a file I could edit, what it did or what to do with it. Perhaps I read the MS-DOS help files. One thing I did learn quickly is that this file had the power to stop Windows from booting. And this actually taught me the important lesson of remaining calm in the face of utter, self-inflicted code disasters.

My coding memory is a huge one. It happened when my family finally got our first PC, a Compaq Presario 486, probably around 1994/95. Again, I don’t recall exactly how, but I soon discovered BBSesand door games. My favourite game by far was Legend of the Red Dragon (playable here). At this same time, I’d started to dive in to qBASIC. I poured through the source code of the demo programs and read through the included documentation. For some reason I decided to attempt to recreate a local version of LORD in qBASIC — except Star Trek: The Next Generation Themed (of course). I built an ASCII interface, ASCII procedural map generator, random encounters and a rudimentary combat system, a town with shops (armour, weapons and potions), system for tracking progress (goal, xp and levels) and that sort of thing. I retrospect, this seems like a monumental task, something I’d never even think to attempt now. With this experience, I had essentially taught myself all the fundamentals of programing I still use today: procedures, variables, control structures, logic, etc.

My first experience with HTML is probably a little more similar to other developers of my generator — Geocities and Netscape circa 1997. I distinctly remember the first website I built on geocities.com, a Star Wars: CCG “bad trader” list — basically a blacklist of people who’d screwed my friend Jon out of cards online — an HTML table on a repeating star background (groundbreaking stuff!). Having worked with the pre-written example programs source code that shipped with qBASIC years prior, the leap to view source on every single website came naturally. And by this time there were already well developed resources for learning HTML online.

I’m actually a little less certain about my introduction to PHP. I think it may have been Movable Type of my first domain (leggomyeggo.net).

Sprinkled here and there is some formal education and the rest — as they say — is history.

The post My Coding Origin Story appeared first on ohryan.ca.

What are your thoughts on functional programming? In PHP?

Ryan — Tue, 15 Oct 2019 00:24:24 +0000

A friend of mine introduced me to the concept of functional programming this weekend. As someone who's been writing procedural PHP since before PHP supported objects and then gradually transitioned to an OOP-based mindset, the concept of functional programming is kind of blowing my mind.

For those of you unfamiliar with functional programming in PHP...

@davidbhayes ' video on banishing loops with functional programming is a good primary on the basic concept.

If you are more familiar with functional programming in PHP...

I have some question:

what are some of the main benefits?
is it mostly about simplifying loops?
any examples of projects that make good use of functional programming? github links?
what are the main drawbacks? gotchas?
Is OOP on its way out?

I haven't been this intrigued by a programming concept in a while. Super curiosu what the dev.to community thinks!

SQRL Poised To Save Us From Password Hell

Ryan — Wed, 09 Oct 2019 04:23:43 +0000

A few times every decade we get to witness the emergence of a truly revolutionary back-end technology breakthrough. I recall following OpenID in the mid-00’s, reading some of the early discussion groups and blog posts, eventually watching it become supplanted by OAuth. Which would go on to drastically simplify the way most people log in to websites. I wonder if we’re witness a moment like that right now with the Simple, Quick, Reliable Login (SQRL) protocol.

SQRL is a decentralized website login and authentication protocol released last week after over half a decade of work, by security researcher Steve Gibson. It is a protocol that functions like a combination of OAuth and a password manager. Like OAuth, it enables a 1 button (or QR code) login process, simply click an “authenticate with sqrl” link and you’re in. Like a password manager, it is an app that lives on your phone, desktop or a browser extension.

Unlike either of those solutions, the process that occurs in the background after you hit “authenticate” and before you’re logged in is where _ really groundbreaking stuff _ happens.

SQRL is client-side authentication, meaning an SQRL client (on your phone, as desktop app or maybe a system service in future) negotiates with the server to validate your authentication. Let that sink in for a second… you don’t tell the server who you are or what your password is, the server ostensibly communicates with your phone to figure out who you are. The nuts and bolts of this system are complicated/technical and I’m not actually sure I fully grasp it at this point. But I do know this has the potential to be huge.

A Short List of Benefits

The client-side approach has several unique advantages and eliminates many of the problems with the current username/password schema:

The server does not store your password (zero-proof)

Not only does it not store your password, the server never interacts with your password in any way. We all know websites really suck at keeping your passwords safe and secret and reusing passwords in 2019 is extremely dangerous. With SQRL only the client app has a password (and it’s highly encrypted).

The server does not know who you are

As far as the technical spec goes, the server does not need a username, email address, facebook id, google account, etc to identify you. It only needs are random public key.

In practice, it a website my ask you to provide a username, but because of the pseudonymous nature of SQRL, the site would have no way of knowing that “ohryan” means “guy who write on ohryan.ca” who is also @ohryan on Twitter.

You can’t be tracked

Because SQRL generates unique public keys on a per domain basis, the protocol does not enable cross-site tracking in the same way as something like OAuth does.

Your identity can’t be hacked

A centralized system like a password manager or an OAuth provider lives in the cloud, so there is always a remote possibility of a massive breach exposing your master password on any given service. With SQRL, your identity stays in the client which is in hardware in your pocket, not one central source that every hacker in the universe can target.

It’s open

SQRL is an open standard. Anybody can create a client, with any additional bells, whistles and improvement they want (including addressing some of the security concerns I talk about below). Apple/Windows/Google could add native OS support. The world’s smartest security researcher can all contribute to the project, write server-side implementations, etc, etc.

Some Concerns

In my opinion, based on my understanding of the protocol today, SQRL has one really big problem and a few smaller problems.

Major Concern: No Deauthorization Mechanism

Simply put, if you lose control of your SQRL identity (say your phone is stolen) the protocol has no way to invalidate the authorizations you’ve given to websites with the stolen identity. It has no way to block an attacker from accessing those sites with your stolen identity (assuming the attacker also has access to your phone password and your SQRL client password). The protocol does have a really robust set of mechanisms to retrieve your identity (including something like the bitcoin paper key system), so you will ultimately not lose access to those sites. But the way the protocol is setup, it is only once you access the site with your recovered identity that the site will learn to distrust your old identity.

Unlike Oauth, where a password reset triggers deauthentication across all previously authorized site. With SQRL, you would have to manually visit each authorized site to deauthorize that stolen identity.

So in this way, SQRL actually behaves somewhat like a password manager. If you lose a device that contains access to a 1password library you’d be similarly screwed. To be 100% secure, you would have to manually reset the passwords on all the hundreds of sites you’d stored in your password manager. Fortunately, in both the cases a thief is unlikely to knowledge of your master password. I just feel like this is a real concern that the Gibson dismisses or doesn’t take as seriously as he should.

Minor Concerns

Phishing is sorta trivial

Since SQRL depends on the user being able to scan arbitrary QR codes to gain access to a site. It’s conceivable to imagine a scenario in which a bad actor could impersonate your bank, create a fake SQRL QR code at www.mybankk.com, hope you don’t notice the misspelling and then subsequently ask for your banking info and steal all your money once you’re in.

The thing is, OAuth is vulnerable to this same type of phishing attempt. A creative bad actor could spoof the entire “sign in with google” process and if the user is not paying close attention to domain name, then the user would be clueless about the spoof.

Hell, I bet there are chat logs between me and notiandiscussing this very thing when OpenID first started bubbling up.

To my knowledge these types of phishing attempts never materialized against OpenID or OAuth (though I could be wrong).

At worst SQRL is no worse than the status quo. At best SQRL clients may be in a unique position to improve this situation (though there idea to harden SQRL against this attack by using IP addresses is a non-starter IMHO, but I won’t get in to that here).

Malicious Clients

Since SQRL is an open standard any random bad actor could create a malicious client to do malicious things, like stealing your password.

The best solution to this problem is to make the “official” the best possible app, such that the poor quality, slapped-together nature of malicious apps will be obvious. Unfortunately, I’m afraid this will require a real development investment and it’s not clear anyone is willing to pick up the tab.

The project has a long way to go to get there, but then again, it’s essentially day one.

New paradigm

This final concern isn’t really a problem with SQRL as a protocol. It’s more that… We’ve had decades of trying to teach mom & pop how to use usernames and passwords safely and it’s really not going very well. Getting them to adopt a brand new paradigm is going to be hard.

Final Thoughts

First of all, if you’re read this far and you haven’t tried it out. Do it now. Grab on of the apps and try logging in to the official forms at https://sqrl.grc.com/. It will blow your mind.

SQRL seems to be the password solution I’ve always wanted. The concept of decentralization seems inherently right and good, it feels like the natural state of the internet. Decentralization by way of having an on your phone store the sensitive data and do the hard computation, just makes, so, much, sense.

It’s hard to say where this technology will end up. I know Gibson is seen as a bit of a fringe wonk in some circles. I’m very interested to see what real security experts have to say, both about the implementation as well as the underlying crypto.

If it’s as good as it seems, this could be huge.

Further Viewing/Reading

Steve Gibson presenting the concept in 2014 (44mins) A good, relatively short overview of the concept, though some of the details have changed in the intervening years.
Steve Gibson’s release presentation, Sept 2019 (140mins) Much of the same material as above, just with more nitty-gritty technical detail
Could SQRL really be as secure as they say? – stackoverflow 2013 A good critique of the concept. A few of the problems have been address in draft version of the protocol out now.
SQRL Forums
Wikipedia

The post SQRL Poised To Save Us From Password Hell appeared first on ohryan.ca.

Cycling, Javascript and Saving the Planet

Ryan — Sun, 08 Sep 2019 22:20:51 +0000

A few weeks ago I bought a basic road bike with the intention of cycling to work. And I’m totally hooked! Addicted maybe? I think I finally get it.

My primary reason for biking to work is to level up the amount of exercise I get in every week, but I’m aware that leaving the car at home has some obvious side effects. By burning less gasoline I’m obviously saving some money and I’m keeping some amount of carbon out of the air.

Meanwhile, I’ve been looking for a good practical way to level up my vue.js skills. So I challenged myself to build a simple tool in vue.js to help me quantify just how much CO2 I’m leaving in the tank and how much money I’m leaving in my wallet.

The result biketoworkcalculator.com

It’s a dead simple tool that allows you to roughly calculate CO2 and dollars you save by riding a bike. Check it out for yourself.

I was actually quite surprised that biking only one day per week would save me around $10 in gasoline over the course of a month.

If you’d like to look at the code or correct my math or whatever, it’s up on github: https://github.com/ohryan/biketoworkcalculator

Oh and if you’re in to cycling, follow me on Strava.

The post Cycling, Javascript and Saving the Planet appeared first on ohryan.ca.

Three of the greatest things of all time… this week…

Ryan — Thu, 15 Aug 2019 00:53:30 +0000

This past week I’ve made three minor tech-adjacent discoveries that have the potential to change my life in small but important ways.

None of these are groundbreaking on their own, but together they’re actually making me a little excited about “tech” again. In sort of a strange way.

Stoop

I’ve always had two related problems with email newsletters. They clutter up my inbox and I never end up reading any of them. Because of this I actively avoid subscribing to newsletters and often unsubscribe to newsletters randomly. Stoop solves this problem in the best way possible.

Stoop in an app for reading newsletter. Like a podcatcher but for text.

Stoop gives you an @stoopinbox.com email address, which you’ll use to sign up for newsletters. It then receives in them like any other email services, except with a UI tailor to newsletter consumption.

It goes a long way to de-clutter your inbox and gives you a distraction free newsletter reading experience.

Get it here →

Kindle Fire Tablet 7th Edition

A couple of years ago my two boys each received Kindle fire tablets as Christmas gifts. As kids do, they promptly forgot them and abandoned them in a pile of clutter.

I’ve been meaning to read more, for years and year. I’ve only been meaning to read more books proper; but also all those Pocket links I stow away and forget about; and those cool newletters everyone is always recommending

Digital reading has always been a bit of a Goldilocks problem for me. Desktop computer screens are too big; iPads are a little big (great for magazines though) and too heavy to hold up in bed for an hour; phone screens are too small and distracting.

Then I remembered the Fire Tablets.

They’re prefect! Roughly the same height, width and most importantly weight as a paperback novel. Battery life is great and screen resolution is acceptable. You can side-load the Google play store and get most apps. But I’m keeping mine limited to reading apps to maintain a distraction free, reading-focused environment.

I’ve been making a conscious effort to pick up the Fire instead of my phone whenever I want to read Google News or that sort of thing.

Its only (minor) shortcoming is speed. The hardware is old and sluggish. Web browsing is a pain, changing context is slow. But flipping and scroll pages is fast enough. And you could almost spin the sluggishness as a positive, since it discourages you from change contexts and helps focus on what you’re currently reading.

Apparently you can still but the Fire 7 →

KOHO

I can assure you this is not an ad! But I do have a referral code ZL5RTDVQ if you end up using this.

I feel a little weird talking about a financial product, so I’m going to keep this a short as possible.

I was chatting with Internet Good Guy Levisan around the time the Apple Card “unboxing” videos started popping out, commenting on how r/latestagecapitalism they were. He mentioned KOHO, on account of it also having a metal card.

KOHO is an app-based prepaid VISA that offers 0.05% cashback on all purchases (2% on some purchases if you pay for “premium”) and has none of the lame fees that you’d expect from a one time used pre-paid visa you might buy as a “gift card.”

It also offers a “virtual” card in the app for online payments. One that you can turn off if your accounts get pwn’d. AFAIK virtual cards have been rare in the Canadian market before now.

Also you can feed the card with Interac E-transfers.

KOHO feels like it might be a way to get some of the benefits of Apple’s Credit card, without burring yourself even deeper into Apple’s ecosystem.

It’s early days but I’m optimistic that this will improve my financial health. Especially since it’s pre-paid only and there is no way to carry a negative balance.

Get it here →

There you have it. Three things that are blowing my mind this week.

What’s exciting you right now?

The post Three of the greatest things of all time… this week… appeared first on ohryan.ca.

How to receive email in 2019?

Ryan — Tue, 06 Aug 2019 22:38:51 +0000

I have an idea for a project which has a component that involves receiving and processing email.

I'm largely a PHP dev and I know PHP is probably a bad choice for this task, plus I'd like to broaden my knowledge-base anyways.

Any suggestions for a modern way to handle receiving email?

Dev.to: The most Pleasant Online Community.

Ryan — Sun, 28 Jul 2019 22:58:47 +0000

Earlier this year, the developer centric social network DEV started popping up regularly in the portions of The Internet I frequent. And for the past month or so, I’ve been loading up the home page almost as frequently as Reddit.

The site itself is like some sort of impossible hybrid combination of Twitter, Stackoverflow and Livejournal. They describe themselves as:

Where programmers share ideas and help each other grow. It is an online community for sharing and discovering great ideas, having debates, and making friends.

In function , it’s a blogging platform much like every blogging platform that is come before LiveJournal, blogspot, tumblr, medium, etc. With a markdown-based editor which I assuming is intentionally “programmy” to make developers feel at home.

Unlike blogging platforms that have come before, dev.to allows creators to easily repost via RSS, maintaining a canonical link to you original post! They have no desire to own the intellectual properly.

In substance , it’s much like stackoverflow, crossed with r/programming or hacker news. Somewhat like stackoverflow, developers post questions relevant to every aspect of development (programming, work, metal health, whatever). But also, developers post tutorials, idea, projects, etc like a reddit or hacker news.

Unlike other developer communities, the entire site is an open source project that anybody can contribute to!.

In form , it’s much like Twitter. The homepage is a reverse-chronological-algorithm-sorted feed (based on your interests) of posts, with headlines, hash tags, hearts and cute little avatars of everybody’s faces.

Unlike Twitter, you’re not limited to hearting a post, you can also unicorn it (I don’t know why).

As a whole , DEV manages to be the most diverse and positive communities I’ve been a part member of in a long long time. By diverse, I mean in every way! By positive, I just mean, people are generally nice and pleasant. You can ask a question and not be told “you asked it wrong” (like they would be on stackoverflow), receive 100 snarky sarcastic replies (like Twitter), or “your dum” (like reddit).

Frankly, I’m not sure how they’re pulling it off. Perhaps it’s because the site is so niche. Or maybe it’s because it’s so small (< 200,000 members at the moment, which is tiny), maybe they haven’t reached the tipping point where toxic individuals are able to dominate the conversation. The fact that the founder Ben Halpern seems to be one of the nicest people on The Internet can’t hurt either.

With all the negative press surrounding the big social networks, I’ve been expecting a some venture capital funded behemoth to replace them any day now. In the same way that Facebook killed MySpace or Reddit killed Digg, I assumed there would be a bigger player that destroys Facebook or Twitter.

But now I’m wondering if niche networks like DEV are the way of the future and it will be more of a death by a thousand cuts for the likes of Facebook.

Whatever might be the case, DEV is a welcome return to a kinder, simpler internet and I love it.

I wonder if there are other niche social networks like that I’m missing out on?

The post Dev.to: The most Pleasant Online Community. appeared first on ohryan.ca.

Teaching Kids to Code

Ryan — Wed, 24 Jul 2019 17:28:07 +0000

My oldest kid (currently age 11) has expressed an interest in learning to code for a while. I've tried working through HTML basics and simple "hello world" type stuff in PHP and Javascript, but it's not really hooking him.

The most fun code-adjecent thing we've done together was modify Donald Trump's tweets with Inspector and send around the manipulated screenshots 🤣🤣🤣

In any case, I've had a lot of trouble finding resources for kids in his age group.

Does anybody have any suggestions?

Do performance reviews have to suck?

Ryan — Wed, 17 Jul 2019 14:02:27 +0000

Most developers universally agree that performance reviews (and the related salary negotiations) suck!

Do you have an example of a performance review process that does not suck? Personal anecdote? Links to blog posts/articles?