Start on the first draft of the DeveloperExecuSpeak.md post
jcoo092 committed Oct 28, 2023
1 parent 296847b commit e228e24
Showing 2 changed files with 68 additions and 12 deletions.
57 changes: 57 additions & 0 deletions content/posts/DeveloperExecuSpeak.md
@@ -0,0 +1,57 @@
---
Title: Phrases in Programming That Irk Me
Lead: The Software Developer's Equivalent to 'Execu-speak'
date: 2023-10-28
draft: false
ShowToc: false
Tags:

- Lexicon
- Programming
- Rants
- Software Development
---

## Irksome Lingo

It is common amongst the non-executive types to deride so-called 'execu-speak'. That is, words and phrases which sound trite, stupid or (sometimes) like disingenuous euphemisms. While there can sometimes be some justification for such criticism, quite a lot of that vocabulary is simply, in essence, the jargon of that field. Software developers are actually at least as equally guilty of overusing sayings, re-using lexicon from somewhere else such that it makes little sense in the original context,[^agileeverything] and just plain using words and phrases that irritate me. I present below an incomplete list of said words and phrases in alphabetical order, with a brief description of why each one irritates me. I imagine that you find some of them perfectly fine or useful terms of art, and probably some things I say would irritate you.

[^agileeverything]: So very many terms that were seemingly first used in Agile have fallen victim to this. Perhaps, because like almost everything that was labelled Agile (but usually specifically meant Scrum), people got so indoctrinated that they don't understand there's other ways of saying and doing things.

Also, I'm likely to keep updating this over time, so you if you like some of this, you might be interested in coming back periodically.

### R

#### Rich

Everything seems to be "rich" lately. Type systems, core libraries, user interfaces, the small group of people that tech firms actually give a hoot about. In some circumstances, using the word does somewhat make sense, but it's another one that has been overused to the point of meaninglessness. Much like when you keep repeating the same word over and over until it just sounds weird (I _think_ that is referred to as 'semantic satiation').

### S

#### Single Pane of Glass

I get why this one was originally coined. It was possibly meant to refer to the actual panes of glass used in old CRT monitors, or just the idea that you have one window onto a situation through which you looked for everything. It's just that this one has been used _ad nauseam_, so it bugs me.

#### Story

I remember reading a rant many years ago from a then-software developer complaining that absolutely everything was being described as a "solution", even when that made basically no sense. I vaguely recall the phrase "a paperclip is not a solution." The word "story" seems to have replaced "solution" for this purpose. Everything now either is a story, or has a story. "What's the story around 'X' concept in 'Y' programming language?" "Does 'P' have a good story for 'Q'?" No, it reads and sounds like Rushdie's 'The Satanic Verses'—incoherent and incredibly dull.[^satanicverses] Pretty much every time I hear someone use story in this sort of fashion it bugs me intensely.

[^satanicverses]: Yes, I really have read 'The Satanic Verses' by Salman Rushdie. I wouldn't recommend it. It is incredibly obtuse and boring. I wonder that muslims weren't so stirred up by it because it's such a waste of one's time, rather than because of the thinly-veiled blasphemy. If you're thinking about reading it, go read the dictionary instead. It's no more dull, can be shorter depending on which version you have, and at least you'll learn something.

I think this is one of those misused words that came straight out of Agile (or one of the things it kinda sorta amalgamated) with user stories. Which, while I find horrendously overused in some ways (not every single task description needs some inane, tortuous, imagined novella from the perspective of a nonsensical character), does in and of itself make sense. Somehow, though, the use of the word story leaked out and spread its smelly, greasy oil slick over our pristine beach, but celebrities have cleaned all the cute animals in media-friendly photo opportunities, and I'm left metaphorically scrubbing mucky rock after mucky rock of people misuing the word "story" with only a toothbrush.

Honestly, this is probably the one which bugs me the most of anything, because MOST OF THE TIME WHEN SOMEONE SAYS "STORY" IN SOFTWARE DEVELOPMENT THESE DAYS IT MAKES NO FREAKING SENSE.

## Some Things That You Might Think Would Bug Me, But Actually Don't

### B

#### Bikeshedding

Ok, this one does kinda irritate me because I hate people turning other types of words into verbs like that. I would prefer something like "discussing the colour of the bike sheds to death" instead, but that's rather more of a mouthful, so I can appreciate why it ended up that way. The idea behind the phrase is good, though, because it does communicate well something that happens in meetings and discussions the world over. Namely, that people really do have a tendency to fixate on trivial details and speculate on irrelevant matters when they should be focusing on much weightier, but less straightforward, issues. I don't have any better way to describe the idea than this, yet I observe it frequently in practice.

### Y

#### Yak Shaving

This phrase actually sounds pretty stupid, and doesn't really give you any concept of its meaning when you first read it. It actually does (kinda) make sense, however – sitting there trying to shave a yak does seem like it would be awfully tedious and maybe feel a bit pointless – and it covers something that there isn't really another phrase for. Plus, it gets a bit of a free pass from me since it's a Ren & Stimpy reference.
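Review bot: the front matter's `draft: false` line publishes this post straight away, although the commit message calls it a first draft; if the site generator honours the flag, `draft: true` would keep it out of the build until the list is finished. Two typos in the body while you are there: "you if you like" in the "Also, I'm likely to keep updating" paragraph should read "so if you like", and "misuing" in the last paragraph of the Story entry should be "misusing".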
23 changes: 11 additions & 12 deletions content/posts/PasskeysIffy.md
Expand Up @@ -6,38 +6,35 @@ draft: false
ShowToc: false
Tags:

- Cybersecurity
- Information security
- Passkeys
- Passwords
- Password Managers
- Rants
- Security
-- Cybersecurity
-- Information security
-- Passkeys
-- Passwords
-- Password Managers
---

# I'm a little iffy on Passkeys

In case you haven't heard, [passkeys](https://www.passkeys.com/) are the new saviour of the security world (yes, I do say that with a tinge of sarcasm). In fact, Google apparently just recently switched their default credential system for Gmail over to passkeys from regular-old usernames & passwords. Passkeys are so strongly considered to be the way of the future that both 1password and BitWarden seemingly bought passkeys-focused startups so that they could add the capability to their products (I didn't manage to track down any announcements or old news articles confirming that, though). I assume all the others in the password manager game will also try to do the same.

As I understand, passkeys basically implement public-private key systems for just about every device with some sort of hardware support for cryptographic procedures. It seems that when setting up a new passkey, your device generates a public and private key and passes the public key to the remote authentication system. At login time, the authenticating system uses that public key to issue a challenge, which can only be solved by someone possessing the private key. I may have the exact workings of this wrong; I'm no expert.
In case you haven't heard, [passkeys](https://www.passkeys.com/) are the new saviour of the security world (yes, I do say that with a tinge of sarcasm). In fact, Google apparently just recently switched their default credential system for Gmail over to passkeys from regular-old usernames & passwords. Passkeys are so strongly considered to be the way of the future that both 1Password and BitWarden seemingly bought passkeys-focused startups so that they could add the capability to their products (I didn't manage to track down any announcements or old news articles confirming that, though). I assume all the others in the password manager game will also try to do the same.

Just the other day, when I had 1Password open at work, and it happened to be on the entry for my work GitHub account, it was telling me to go set up a passkey and store it in 1Password. Given that passkeys are supposed to be specific to a given device, though, I am forced to wonder what the point of keeping it in a cloud-syncing system like 1Password is actually supposed to be. Moreover, why can't I simply rely on the operating system's in-built support? (This was on my work-issued device, which is still on Windows 10, so maybe there isn't such great support for passkeys there.)

I seem to recall having heard somewhere that passkeys are just an implementation of the same standard used for hardware MFA keys, but I'm uncertain how true that is.
As I understand, passkeys basically introduce device-hosted public-private key systems, for just about every device with some sort of hardware support for cryptographic procedures. It seems that when setting up a new passkey, your device generates a public and private key and passes the public key to the remote authentication system. At login time, the authenticating system uses that public key to issue a challenge, which can only be solved by someone possessing the private key. I may have the exact workings of this wrong; I'm no expert. I seem to recall having heard somewhere that passkeys are just an implementation of the same standard used for hardware MFA keys, but I'm uncertain how true that is.

## The Good Bits

There is indeed a lot to like about passkeys. For one thing, they're supposed to be highly phishing-resistant.[^phishing-resistant] In theory, they also can be managed by the OS transparently to the user. As in, the user never sees anything happen or even needs to remember anything, but their device authenticates to the remote service automatically. They're also random and should be cryptographically secure. Thus, it should be pretty much impossible for anybody merely to do some sort of brute force attack and get anywhere. Dictionary attacks and password spraying would become nearly impotent. I presume rainbow tables would also no longer be of any use since the number of solutions that would need to be precomputed would be mind-bogglingly huge, and even then, there is likely an enormous list of possibilities that would need to be tested via brute-force since there's an extra unknown secret that complicates things. Kind of like password salting, but perhaps on a _vastly_ greater level of effectiveness.

[^phishing-resistant]: I'm not totally clear on how that is the case, but I presume it is because the secret – the device's private key – is never transmitted elsewhere, thus meaning that the phishers only get a valid solution to their specific challenge, not something they can re-use anywhere else.

So, all up, they should be more secure than many passwords and substantially more convenient for users in the case that everything is going well. To the extent that users don't necessarily even notice an authentication process occurring, but it all happens appropriately in the background, nevertheless.

## The Bad Bits

First and foremost, my main issue with passkeys is that the people pushing for them seem to assume that everybody always has an up-to-date, powered smartphone with them at all times. That will often be true for many in relatively wealthy countries, but it is not guaranteed even there. There will still be plenty of people who can't afford them or want to choose not to use a smartphone for whatever reason. Moreover, people lose their phones every day, never mind that batteries can run flat. And what if, for whatever reason, you want to log into an account of yours on a device not owned and controlled by you when you don't happen to have on hand one of your devices with access already set up?

The other month, I was talking to [Yuriy Ackermann](https://github.com/herrjemand), who has long had a lot to do with the FIDO Alliance and passkeys. He told me that some of my concerns here might not be as significant as I suspect and that the passkeys standard isn't as restricted to smartphones as it appears. Instead, he suggested, the information security media have essentially just repeated the marketing talk from the big tech firms such as Google and Apple, who have been pretty focused on their respective smartphone systems. I don't know if that's true, but Yuriy is (to the best of my knowledge and understanding) an expert in this area, so I'm inclined to listen carefully to him.

I also don't see that they're nearly as needed as ten or so years ago. The whole thing about getting rid of passwords basically assumes that everyone still uses the same low-quality passwords everywhere. While that's probably true for some, plenty don't do that now. Password managers present another good solution to the problem. Heck, just dreaming up passphrases and writing them down in a notebook can avoid many of the same weaknesses that passkeys try to avert. Plus, I have the impression it's _much_ easier to reset a password than a passkey.

Another thing I'm a bit uncertain about is how passkeys appear to reduce multi-factor authentication down to single-factor. Basically, if you have control of a device, then it seems to me that you have control of the credentials, whereas, with a password, someone still has to remember something. If possession is equivalent to authentication, then so-called "rubber-hose cryptography" would seem to become more effective, not less. I mean, when it's a password, you need the victim to remain conscious. You don't need them awake or even alive if the digital key is merely something in their possession. In theory, this is stopped by most devices requiring some approval process on the device itself, but if all that is required is a fingerprint scan (which seems to be the usual thing mentioned, along with facial recognition), then I'm unconvinced you need to keep someone conscious to exploit their device.
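Review bot: the rewritten passkey paragraph (the new "As I understand, passkeys basically introduce device-hosted..." line) keeps the challenge mechanics the wrong way round: the relying party sends a random challenge, the device signs it with the private key, and the server uses the stored public key only to verify that signature, so the public key is not what "issues" the challenge. Something like "At login time, the authenticating system sends a random challenge, your device signs it with the private key, and the stored public key is used to verify that signature." would be accurate without losing the hedge that follows. The Tags block also adds "Security" alongside "Cybersecurity" and "Information security", which reads as tag sprawl rather than a deliberate new category; one of the three would probably do.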
Expand All @@ -48,6 +45,8 @@ I could write more on this topic, but I'm too lazy right now to bother to track

When you get down to it, I suppose my concerns with passkeys aren't with passkeys themselves so much as taking password systems away and forcing people to try to use passkeys only. While passwords certainly aren't perfect, they're pretty well-understood, we have a solution to doing them relatively well (password managers), and they have one enormous advantage over passkeys in that people _can_ memorise them. Sometimes, knowing a secret is exactly what we want.

I'm also iffy on the dual elements that passkeys (or perhaps more, their champions) seem to expect a certain level of wealth and technical sophistication on the part of users. Just about everyone can get their head around a passphrase, and in certain circumstances, it can be a very good thing that those can be given to someone else. Neither of these seem to be true necessarily for passkeys. In their rush to make things more convenient for some, it may be the case that the big tech firms are further widening the digital divide. Not that I actually expect any of them to care. They've made it plainly obvious many times over already that they don't.
I'm also iffy about how passkeys (or perhaps more, their champions) seem to expect a certain level of wealth and technical sophistication on the part of users. Just about everyone can get their head around a passphrase, and in certain circumstances, it can be a very good thing that those can be given to someone else. Neither of these seem to be true necessarily for passkeys. In their rush to make things more convenient for some, it may be the case that the big tech firms are further widening the digital divide. Not that I actually expect any of them to care. They've made it plainly obvious many times over already that they don't.

The other month, I was talking to [Yuriy Ackermann](https://github.com/herrjemand), who has long had a lot to do with the FIDO Alliance and passkeys. He told me that some of my concerns here might not be as significant as I suspect and that the passkeys standard isn't as restricted to smartphones as it appears. Instead, he suggested, the information security media have essentially just repeated the marketing talk from the big tech firms such as Google and Apple, who have been pretty focused on their respective smartphone systems. I don't know if that's true, but Yuriy is (to the best of my knowledge and understanding) an expert in this area, so I'm inclined to listen carefully to him.

I guess we'll have to wait and see how things shake out. Hopefully, my scepticism proves unfounded. I imagine there are going to end up being a few people locked out of their Google accounts, however, when something goes pear-shaped with the passkey(s) for their account and they have no way to reset things—after all, Google is notorious for not having any functional customer support from real people.
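Review bot: the Yuriy Ackermann paragraph, moved here from the "Bad Bits" section, now sits between the digital-divide paragraph and the closing "wait and see" one, but it answers the smartphone-dependence concern raised several paragraphs earlier, so a short lead-in tying it back to that point (e.g. "On the smartphone point above, ...") would stop it reading as a non sequitur. The "dual elements" rewrite in the preceding paragraph reads much better.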
