Domain Scalpers

I hope every single one of them dies lonely, friendless and in extreme and prolonged pain.

A while back I'd purchased a relatively simple domain that nobody wanted... How do I know nobody wanted it? Because nobody had registered it. It cost me about $20. Great! And I set up a little site that never got very much traffic (as far as I know)... just a handful of computer programmers checking out some tools. Websites for engineers never see huge amounts of traffic, that's just the nature of the beast...

And then after a while I went through a period of depression and I let the domain lapse... and a scalper bought it... I discovered this last week actually... And I'm absolutely certain they paid the same $20 for it that I did originally... They replaced my small programming site with the typical domain scalper's one-page "this is supposed to look like a legit search engine site while actually being a scummy attempt to generate revenue on advertising while I wait for the original domain owner to pay me my exorbitant extortion rates" site.

But I was looking at the Network Solutions site to see what the options might be for making an offer to buy it back, since there wasn't any contact information on their pretend site. Apparently it costs $20 to make the offer ... and then the offer (separate) has to be at least $100... Okay... unpleasant, but still within the realm of reality...

And then I noticed this:

Hmm... Y'know, I really don't know what kind of offer they're going to expect...

Apparently they're not expecting that a human will assess the value of that domain.

Where Has All the Help Gone?!

Years ago it was considered if not horribly important at least a popular notion that software should include "help" documentation that was ... well... helpful...

What happened to this notion? Why is it no longer possible to get helpful help from the help feature in an application?

It used to be that in Microsoft's Enterprise Manager I could open help, search for a keyword and if I didn't find it immediately at least I was directed to a copy of the Books Online (BOL) that had been installed on my machine with the client tools. And don't get me wrong, I'm all for "livedocs" and central wikis, they're awesome for centralizing knowledge for a given technology. The ColdBox wiki is pretty thorough, as is the Transfer wiki -- the community is doing a good job of banding together and making information generally available.

No, I'm talking about the efforts of companies like Microsoft in particular (I'm sure I've seen others), where attempts to centralize documentation end up just making things worse than they were before. Take for example, the management tools for SQL Server I mentioned before. I used to be able to hit the "help" menu and get help. NOT ANYMORE! Microsoft has decided to step up into a bold new horizon of tomorrow's software, where requesting help from within an application sends you to a central repository of information for EVERYTHING!

So I hit the "help" menu and first I'm accosted with a dialog box with a series of 3 radio buttons to choose from, only... wait... TWO of the THREE options available to me have been DISABLED! So I'm being asked to make a selection - I can go to their central repository or I can go to their central repository! Wow! So many options! I think I'll go to their central repository. There I'm given a set of frames that do vaguely resemble the old-style help application, just minus the help. In the upper left corner where I'm hoping to see a "search" option or some way to enter a phrase or keywords I see "Filtered by" with a drop-down. I open the drop-down and notice there's only 1 option labeled "unfiltered". Wow! I can choose between unfiltered help and unfiltered help! So many options! I think I'll get unfiltered help. Below this is a tree of items regarding "help on help (Microsoft Document Explorer Help)" ... umm... What happened to help applications being intuitive? Why do I need help to use the help application?

So finding no help there I move on to the panel on the right where I find they've opened a browser window for me... There's a URL at the top showing me that I'm on an ASPX page. At the top of this page it says "How DO I (SQL Server)". Okay that's good. I appear to be at least in an area related to what I want to know. In this section "SQL Server Database Services (How Do I)", "SQL Server Analysis Services (How Do I)", etc. you get the idea. None of them really what I want to know, which is how to open an/the object explorer.

Oh hey! There at the top! It says "Ask a Question". Have I suddenly found the mythical search feature?! Nope... Takes me to MSDN Search where if I type in "open the object explorer" or even "object explorer" (WITH QUOTES) I get the first 1-10 of over FOUR THOUSAND results, almost none of them having anything to do with SQL Server. So I go back (which in itself is a challenge), and finally as I'm writing this article I see "Search" at the top. Which even once I've found it, still doesn't seem to produce any results that explain how to open the object explorer...

::SIGH::

Subversion

It's such an awesome tool... I've worked with a handful of version control systems over the years. I've worked with Visual Source Safe (VSS), I've worked with Perforce that supposedly was the kernel for VSS years ago (Microsoft licensed the code for their branch like they did with Sybase when they made SQL Server), I worked with Starteam briefly many years ago, I've obviously worked with Subversion and now I'm working with another version control tool from Seapine called Surround SCM.

I so miss SVN...

Of the at least 4-5 version control packages I've worked with, SVN is the only one I actually want to work with. Surround SCM is GARBAGE. So were VSS and Perforce and probably Starteam though I don't remember it very well. I can't speak for CVS because not being a unix guy I haven't used it, but if it's anything like these others, it sucks too.

I can't just look at a file anymore to see what's in it... if I just have a casual curiosity, without having any intention of editing the file, I just want to see what it does, when I click to open it in Dreamweaver now I'm ACCOSTED by a complicated dialog box DEMANDING that I CHECK OUT the file and inquiring what my purposes are for doing so... I don't want or need to check out the file and I certainly don't need to be bonked over the head with a librarian's desk reference every time I want to see what's in it. Just looking at a file is like being in high-school again and having to undergo an interrogation from my prom date's father. "Ding-Dong! Who are you?! What are your intentions with this file?! Quick, speak up!" It makes me not want to open files honestly -- and therefore, makes me not want to work.

There's also as far as I can tell no way for me to see what files I have checked out! I've been all over both their help files and Google looking for a way to just get a list of files I have checked out and nada! Great, so here I have this project with HUNDREDS of directories and yeah, truthfully I'm not really editing in all of those directories, but I am editing in a lot of them... and it'd be frickin' nice, if the software that controls my versioning and MUST by its very nature know what I have checked out, tell me which files and in which directories are checked out so I can check them in. I have a couple of options. I can check in an assload of files all at once, INCLUDING somehow mostly files that I didn't check out in the first place! Or I can weed through 20+ directories opening each one to see if any of the files are marked and hoping that the flakey engine that marks them is actually working.

At least with TortoiseSVN when the marking engine wasn't working very well (it's improved with recent versions), when I asked it to commit a directory it would scan the subdirectories and tell me what I had checked out and what wasn't in the repository correctly, irrespective of the marks. Surround has no such common courtesy. And it's only made worse by the fact that when I commit, I'm being asked to commit to "change logs"?! First of all, committing something to a version repository IS A CHANGE LOG. If it was out and it changed and then it went back in with changes, that's a change log! There is no need to separate them. It's like separating dogs into "dogs" and "more dogs". And then to make matters worse, once I've committed the files to a change log, I then am forced to COMMIT THE CHANGE LOG! As a wholly separate action that can't be performed in Dreamweaver, forcing me to keep the Surround SCM client open constantly. And god forbid I accidentally try to change and commit a file (that I AM ALLOWED TO CHECK OUT) that's already in an existing change log that hasn't been committed.

Why do we demand that everything that is simple and good be complicated until it SUCKS and makes you want to jump off a bridge?

Anemic Domain Models

I had actually not heard the term ... or maybe I had and just didn't take any notice... but I just read this article on Ben Nadel's blog about an experience he had in January, working with Hal Helms down in Florida. I was actually rather surprised to see Ben saying that as late as January this year (just 5 months ago) he was still struggling with the philosophy of OO. And moreover, from reading the article, it looks (at least at first blush) like what he's saying is not only that he learned that the way I tend to do things is more in-tune with the fundamental philosophy of OO, but more importantly that as ironic as it may sound this way of thinking about objects that is "more OO-pure" is precisely the kind of thinking that "OO-purists" tend to say they don't like about my solutions (preferring the "anemic domain model" approach).

So okay... let me give an example...

Ben talks about the "Where's George Dollar". Where's George is a website that lets you see all the places one of your bills has been, based on its serial number. This is where the conversation gets really interesting. My tendency with most stuff like this would be to create a Dollar.cfc with methods for getting, setting and generally managing or navigating its history. In my experience at least in the ColdFusion community, most "OO-Purists" don't like that idea because they perceive it as being "too coupled" and would prefer to have a Dollar.cfc bean (like Ben describes) with just getters and setters (and nothing else) for basic, atomic values which is then passed into a DollarHistoryManager.cfc or similar.

Ben's first instinct:

Dollar = CreateObject("component","DollarBean").init(serial,series,printdate); // bean: atomic values, getters and setters only
HistoryMan = IOC.getDollarHistoryManager(); // an external service, pulled from the IoC container
qHistory = HistoryMan.getHistory(Dollar); // the manager, not the Dollar, knows where the history lives

My first instinct:

Dollar = Factory.getDollar(serial,series,printdate); // the factory wires up whatever data access the Dollar needs
qHistory = Dollar.getHistory(); // the caller only needs to know the Dollar's own interface

Ben's first instinct is even the way that I perceive is generally encouraged by the 2 ColdFusion frameworks that present themselves as being like more traditional OO development (Mach-II and Model-Glue), where doing anything with the data in an "event" requires the creation of a "listener" or "controller" CFC that has as its sole purpose the job of passing the dollar bean to the other objects that will perform any actual actions with the information.

What is generally cited as the reason not to do things the way I'm naturally inclined to do them (my first instinct) is the notion that it's somehow "more coupled"... which to me just seems odd... it's "more coupled" because it assumes the object will have and connect to a database... Okay, fine... So it works in 98% of cases... why is the 2% edge case a problem, when you can simply subclass the Dollar object to make it fetch its data in some other way for those edge cases?

If anything I perceive what is my first instinct as less coupled because it doesn't require the extra external objects to manipulate the data. Your controller then doesn't have to care at all what objects connect to which services -- all it has to know or care about is that the object has that getHistory() method. Hence the controller is actually less coupled since it only has to worry about the interface to the Dollar and not about the interface to both the Dollar and various service objects that might need or want to use that Dollar.

Hal describes my first instinct as an "idealized model" - creating objects which behave the way we wish real-world objects behaved, rather than the way they actually do behave. In Ben's approach, the Dollar behaves the way a real-world dollar behaves - the only info you can get from it is what is printed directly on it. If you want to know where it's been, you have to go to an external resource like the Where's George site and enter its data to get your history. And the objects in Ben's design would be the same way -- the only thing you can get from the Dollar object would be its atomic data (values that can be printed on its surface), requiring the system to find some external resource if it wants any other information about that Dollar. In my approach, what Hal describes as an "idealized model", the "idealized Dollar" doesn't force you to go find some external resource. It's like having a magical bill that talks and saying "hey you, where have you been" and having the bill itself rattle off a list of places.
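To put the two instincts side by side in running code, here is an added example (mine, not Ben's, Hal's, or anything from the onTap framework, and written in Python rather than CFML so the design point stands on its own). The "Where's George" sightings are constructed sample data standing in for the external service; DollarBean, DollarHistoryManager, Dollar, CachedDollar and DollarFactory are names I made up for the illustration. The anemic controller has to know two interfaces (the bean and the manager); the rich controller only knows getHistory(), and the "2% edge case" where the history comes from somewhere else is handled by a subclass, exactly as the paragraph above suggests.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Sighting = Tuple[str, str]  # (place, date)

# Constructed sample "Where's George" data keyed by serial number.
# Made up for this example; it stands in for the real external service.
SAMPLE_HISTORY: Dict[str, List[Sighting]] = {
    "L12345678A": [("Tampa, FL", "2008-01-03"), ("Atlanta, GA", "2008-02-11")],
}


# --- Anemic style: a bean holding only the printed values, plus an external manager.
@dataclass(frozen=True)
class DollarBean:
    serial: str
    series: str
    print_date: str


class DollarHistoryManager:
    """Knows how to look a bean up; the bean itself knows nothing."""

    def __init__(self, source: Dict[str, List[Sighting]]):
        self._source = source

    def get_history(self, dollar: DollarBean) -> List[Sighting]:
        return list(self._source.get(dollar.serial, []))


def anemic_controller(serial, series, print_date, manager: DollarHistoryManager):
    # The controller is coupled to two interfaces: the bean and the manager.
    dollar = DollarBean(serial, series, print_date)
    return manager.get_history(dollar)


# --- Rich ("idealized") style: the Dollar answers for itself.
class Dollar:
    def __init__(self, serial, series, print_date, source: Dict[str, List[Sighting]]):
        self.serial, self.series, self.print_date = serial, series, print_date
        self._source = source  # injected by the factory, invisible to callers

    def get_history(self) -> List[Sighting]:
        return self._fetch_history()

    def _fetch_history(self) -> List[Sighting]:
        return list(self._source.get(self.serial, []))


class CachedDollar(Dollar):
    """The edge case: same interface, but history comes from somewhere else."""

    def __init__(self, serial, series, print_date, cached: List[Sighting]):
        super().__init__(serial, series, print_date, source={})
        self._cached = cached

    def _fetch_history(self) -> List[Sighting]:
        return list(self._cached)


class DollarFactory:
    def __init__(self, source: Dict[str, List[Sighting]]):
        self._source = source

    def get_dollar(self, serial, series, print_date) -> Dollar:
        return Dollar(serial, series, print_date, self._source)


def rich_controller(dollar: Dollar) -> List[Sighting]:
    # One interface matters here: get_history(). Where the data comes from
    # (service, database, cache) is the Dollar's concern, not the controller's.
    return dollar.get_history()


if __name__ == "__main__":
    factory = DollarFactory(SAMPLE_HISTORY)
    print(rich_controller(factory.get_dollar("L12345678A", "2006", "2007-05-01")))
    print(anemic_controller("L12345678A", "2006", "2007-05-01",
                            DollarHistoryManager(SAMPLE_HISTORY)))
```

Note that rich_controller works unchanged with a CachedDollar, while anemic_controller would need a second manager (and the controller would have to pick the right one) to cover the same case.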

It's where the Dollar meets the cell phone. Years ago if you wanted to make a call, you had to go find a phone. Now you just carry a phone with you. But if you want to know the history of a bill, you're still stuck going and finding a computer with internet access, even though you carry bills all the time. So in an ideal world, since we already carry bills, it would be great for "smart money" to be able to give us that information while we're standing on the corner. This is perhaps a bad example simply because getting the history of a bill, while interesting, usually isn't very useful (if at all).

Ben makes one last comment that the Anemic Domain Model generally gives you all the overhead of OO without the benefits. It's interesting, if not downright frustrating, to me because I personally perceive that a preference for anemic domain models, seen as "the way things are done in OO" or "the way things are done in Java", is one of the larger reasons why more people haven't either tried or used the onTap framework.

Am I way off-base? What do you think?

Don't Believe What They Say About Old Dogs...

Caught this comment Sean left on Ben Nadel's blog:

This is very timely. I've found myself increasingly using regex lately to elegantly solve problems we're addressing in our Broadchoice Web Platform! Hardly a day goes by now without me concocting a regex to paste into a Trac ticket to show our offshore team how to perform complex matches or replacements on text, especially related to URL patterns. I always used to think regex was a bit of a hammer and that regex fans thought all problems were nails but as I've become more fluent with it, I've seen the light :)

I had that same experience with XSLT.

And then later I found this one on Ray Camden's blog:

I'm an idiot for not using ColdSpring and Transfer.

That's it. Nothing meaningful here. Just a big, giant, virtual slap to my own face for avoiding these tools for so long. They are in use at my current contract and I can't believe I avoided learning them for so long. It's like I've been using my hands to drink for all my life and just discovered the amazing invention known as "cups". Not just useful - but kinda stupid to avoid using.

It's possible you might see me saying something like these about IoC (ColdSpring / Lightwire) in the not too distant future... maybe... ;)

Do Hunchbacks Eat Cabbage?

We work with a lot of programming languages that both suck and blow.

It's fitting that SQL has a lot of 007s, a gear gozinta regex and any software for the web is better with pretzels...

But have you ever wondered about the relationship between pig pens and double-glitches in ColdFusion?

Or more to the point, do hunchbacks eat cabbage?

Yeah yeah, I know. I'm being a weenie.

Strict Typing

A guy calls a plumber because the plumbing in his house is backed up. The plumber answers the phone, says "My name's Joe, I'll be over in a few minutes".

A plumber arrives at the door a few minutes later, the homeowner answers the door, "you're Joe, I presume?" The plumber answers "ahh, no my name's Jimmy. Joe had an emergency, so he sent me over instead. Funny 'cause Joe's a competitor of mine."

The homeowner gets his shorts in a knot and sends Jimmy away saying "I called Joe because I know he's a certified plumber! If your name's not Joe, then I don't want to see you on my property!" He then calls and reschedules a later appointment with Joe...

What the homeowner won't discover is that Jimmy

  1. does better work than Joe
  2. costs 20% less.

My First Spam

I guess people are starting to notice my little blog... I got my first spam today. A guy named "fsd" at "fsds.com" posted a link to shooope.com.

My little project is growing up... getting out on its own... I'm getting a little misty. ;P

Math Problem

Three guys are sharing a hotel room at a conference. Each pays $10 for their share of the room ($30 total). Later the desk clerk realizes the room price was only $25 (I know, where are these guys staying?) and sends the bellhop to their room with the extra $5. Not knowing how to divide $5 amongst three people, the bellhop gives them each $1 and pockets the remaining $2. So if each guest paid $9 ($27 total) and the bellhop kept $2, that adds up to $29. But the guys originally paid $30.

$29 < $30

Where's the extra buck?

p.s. This isn't a math problem... but here's some ColdFusion code that might help you see where the problem does lie.

Cross Site Scripting (XSS)

I was just reading an article about a new kind of cross-site scripting attack called "Session Fixation Vulnerability" in which a malicious user is able to get access to the sessionid (jsessionid or cfid/cftoken as examples) of a user on your site.

This is something I talked about in Javascript and the Art of Motorcycle Maintenance, in which I contended that Adobe can and imo should, but probably won't do anything more to improve the security of ColdFusion from these XSS attacks in the upcoming ColdFusion 9 release.

Now I've never considered myself a "hacker" (at least not in the modern sense), but perhaps the only reason it never occurred to me to do this before is because I wasn't really all that terribly interested in breaking anyone else's sites or applications. I'm not a generally malicious person so those sorts of things don't really cross my mind. It's only upon reading this article that I realized how easily I myself, not being malicious, could probably hack some 80% to 90% of ColdFusion sites in the wild today. How? A relatively simple XSS attack against something potentially as innocuous as a blog comment entry.

Maybe not most blogs -- maybe most blogs don't really use JavaScript to display comments... but I'm not limited to blogs of course, I could for example write a script of my own that sits around and randomly spiders different ColdFusion powered sites, looking for form fields where I could enter my XSS attack which easily fires off an AJAX request to my own server and hands off to me all the cookie information that's available to JavaScript, because my attack was able to execute within the browser's "safe" security sandbox. The browser doesn't know that script tag is malicious. As far as the browser knows, the site owner created that script tag, so it's the browser's job to do what it says and fire off that Ajax request to my server. The user wouldn't know either. All the user would see is another JavaScript error, which they're probably pretty accustomed to seeing (even if they don't understand them).

I considered the possibility of posting code in this article, showing exactly how that XSS attack would be performed... and then I reconsidered. If you're really interested in protecting yourself, read my previous article and if you're smart, you should be able to see just what I'm talking about...

This merely underscores my point in the previous article. Most of the time the web is a decent place -- because people are mostly decent. That one bad apple however can be a real bitch sometimes, and if they're getting your sessionid from a web application, who knows what sensitive information they might be able to glean from that. As a matter of fact, case-in-point I'd be willing to bet that there are hundreds of places in my last employer's website where I could execute this very XSS attack I'm talking about -- and the only thing stopping me is that I'm not a malicious person (and don't have anything against the guys I worked with there, in spite of the fact that I was fired again).

The reason why most applications have this vulnerability in the first place is actually because most people are like me, good folks with good intentions, not looking to cause any trouble, just getting through their day. And so particularly with ColdFusion because it is such an easy language to learn, most of the people working with it (many of whom don't have programming as their first interest), aren't compelled to spend much (if any) time reading articles like this one I'm reading now that talk about this vulnerability. They are by and large blissfully unaware of the problem. And not even the most devout campaign of developer education in the world is going to reach them all. Hell, most of the ColdFusion programmers I've worked with directly over the years refuse to use CFQUERYPARAM because "it's too much work!" Try convincing those same guys they need to update every JSStringFormat() function in their application to protect themselves against XSS attacks, when they're already refusing to protect themselves against SQL injection because it's tedious.

As long as the system (JSStringFormat) stays in its current state, the best we can hope for is to reach maybe 50% of the developers out there (and that's a pretty liberal estimate). And even then, they're liable not to find or fix every instance of the vulnerability, even in their own applications. What they're liable to do is evaluate each on a case by case basis and fix some and leave the others. For example they might see a number being output and think "oh that's a number, it's safe" -- which it absolutely isn't, but it doesn't matter because we're in the habit of thinking of numbers as being safe. (And not everyone will -- or wants to -- use the server's ScriptProtect feature. I don't.)

So here we have a ubiquitous security risk that happens in just about every ColdFusion application in the world. Certainly not all, but most of them. And yet the ColdFusion community at large, especially one of the most well-known and vocal experts Dave Watts of Figleaf Software, say that not only is it not a problem, according to them having this security threat is better than the alternative of the Adobe ColdFusion team modifying the JSStringFormat() function just very slightly to make it behave the same way as the new SerializeJSON() function, a change that very few of us would even notice. Their argument for the security risk being better than the alternative ultimately boils down to being concerned that a change might (although it probably won't) cause new programming challenges which they can't articulate because they don't know what those challenges might be. In other words, a phantom menace.

Adobe probably should make that change... they also probably will not make that change, because of the widespread vocal response from people like Dave Watts and others who agree with him in his claim that the status quo is the best solution. I thought this was important before I read this article, when I thought all that was at stake was a "fender bender" (to stay with the metaphor) -- but now I realize it's much more serious than that. Now it's, "oh and by the way, 20% of the cars on the road will burst into flames like the Ford Pinto, the barbecue that seats four."
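The defensive half of this, as an added example of my own (not Adobe's code and not a description of ColdFusion's actual JSStringFormat() internals): untrusted text that is written into a JavaScript string literal inside an HTML page has to survive two parsers, and encoding only quotes, backslashes and line breaks satisfies the JavaScript one while leaving the HTML one free to end the script element at the first closing script tag it sees. The quote_only_escape() function below is my assumption of what a quote-and-newline-only encoder does, used purely as the "before" case; js_string_encode() is the hardened form (every non-alphanumeric character as \uXXXX), and js_number() is the answer to the "oh that's a number, it's safe" habit from the previous paragraph: prove the value is numeric before emitting it unquoted. The comment text is constructed for the test.

```python
import re

# Constructed untrusted input (made up for this example): a blog comment that
# contains a closing script tag and a double quote.
UNTRUSTED_COMMENT = 'Nice post! "</script><b>marker</b>'


def quote_only_escape(s: str) -> str:
    """Escapes only quotes, backslashes and line breaks. Enough for a bare
    JavaScript string literal, not for one inside an HTML <script> element:
    the HTML parser ends the element at the first '</script' it meets,
    regardless of where the JavaScript string boundaries are."""
    return (s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")
             .replace("\r", "\\r").replace("\n", "\\n"))


def js_string_encode(s: str) -> str:
    """Encodes every character except ASCII letters and digits as \\uXXXX, so
    nothing that can end the <script> element, close the string literal or
    open a tag survives in literal form. JavaScript decodes \\uXXXX escapes
    inside string literals, so the value seen by the script is unchanged."""
    out = []
    for ch in s:
        cp = ord(ch)
        if cp < 128 and ch.isalnum():
            out.append(ch)
        elif cp < 0x10000:
            out.append("\\u%04x" % cp)
        else:  # outside the BMP: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(out)


_NUMBER = re.compile(r"^-?(0|[1-9][0-9]*)(\.[0-9]+)?$")


def js_number(value: str) -> str:
    """A value that is supposed to be a number is checked against a strict
    numeric grammar before it is written unquoted into script. 'It's a
    number' is a property of the value, not of the variable name."""
    if not _NUMBER.match(value):
        raise ValueError("refusing to emit non-numeric value %r" % value)
    return value


def render_comment_script(comment_id: str, comment: str, hardened: bool = True) -> str:
    """Server-side template handing a comment to a JavaScript function."""
    esc = js_string_encode if hardened else quote_only_escape
    return '<script>showComment(%s, "%s");</script>' % (js_number(comment_id), esc(comment))


def script_element_broken(rendered: str) -> bool:
    """True if the untrusted text ended the <script> element early: the
    template writes exactly one closing tag, so any extra one came from data."""
    return rendered.lower().count("</script") > 1


if __name__ == "__main__":
    for hardened in (False, True):
        page = render_comment_script("42", UNTRUSTED_COMMENT, hardened)
        print("hardened=%s broken=%s" % (hardened, script_element_broken(page)))
```

The encoded output is longer and uglier than the input, which is the "change very few of us would even notice" in practice: the script receives exactly the same string value, and only the bytes on the wire differ.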

Reputations

You ever wonder what your legacy will be? When you die, will anyone outside your family and friends remember you? And if so, how will they remember you? I'm not asking these things out of conceit, it's actually somewhat troubling to me. As a person with (likely) Asperger Syndrome, I find communicating with others often challenging and am frequently disturbed by the notion that perhaps I'm acquiring or have acquired a reputation for things that I'd personally much rather live down.

So it's actually a rather nice feeling for me to know that so many people seem interested in my Galleon Forums ports project. Of course that also has the potential to leave people thinking of me as being conceited, since the project does offer me the opportunity to brag on my own framework project (and brag I will). ;)

But given my druthers, I'd much rather people perceive me as being conceited than certain other things, like for example being gratuitously rude or blatantly derogatory. Until a couple days ago the most popular entry on this blog was titled "How NOT to design a toolbar (Winamp browser extensions)". And actually if you search google for "Winamp browser extensions" (plural), that blog entry is the first result, perhaps largely because it's the only exact match. If you drop the s it gets relegated to page 5.

And I got a comment on that entry from one of the guys who actually worked as a programmer on the Winamp toolbar who I'm sure had to bite his tongue to offer an apology for my feeling it was "craptastic". Yeah, I actually said that. It just hadn't occurred to me that any of them might actually read that article. Doh! Though as bad as I thought the design of it was, the article really wasn't designed as a pejorative. It wasn't my intent to lay blame or "stick it to them". I really had just seen it as an opportunity to learn from others mistakes -- and it's okay that they probably disagree that much of what I had to say about it constituted mistakes on their part. When I said "craptastic" I really was just trying to emphasize it in a comical way -- to get a laugh. I didn't realize (although you might say I should have) that the laugh was at someone's expense.

And several of the other more popular articles on this blog are somewhat similar in tone, like JavaScript and the Art of Motorcycle Maintenance or Mind Your P's and Q's. Honestly I end up feeling a bit neurotic about it, hoping that I don't have a reputation for being caustic, egotistical or judgmental.

Of course, it would be nice to have a reputation for being incredibly smart. Wouldn't anyone love to have that reputation? But that's not really what I'm "going for". I hope when everything is said and done that when people think of me, they mostly remember not only that I love programming, but that I love helping people. The accolades -- having been on Team Macromedia or Adobe Community Experts or having articles published in magazines are nice ways to stroke my ego, but they're a distant second to my desire to try and make the world a little better place.

So in the past couple days, the article announcing the Galleon Forums project has become the most viewed article on my blog, even over the winamp extension article which had been up here for many months before. So I know that people are genuinely interested in the project and I'm working on making the best report I can for everyone to read. We'll see in a few days probably how well I've done. :)


BlogCFC was created by Raymond Camden. This blog is running version 5.5.006.