Security through language



  • In one of my first jobs, many years ago, we were in the process of rewriting some code. Due to a company standard, function, type and variable names should be in Portuguese.

    We'd been doing it without questioning it for about a week when a coworker stumbled upon some variable whose name was hard to translate without making it too long. So someone asked why we were doing it, since when it comes to naming standards in programming, English will generally give shorter, less verbose names than Latin languages.

    Now, one could argue, in a workplace where everybody is a native Portuguese speaker (and most didn't speak English very well, or even at all), maybe using the local idioms would make the code more understandable. But I think that every coder should learn English, since it is to us what Common is to D&D.

    What someone higher up in the chain of command told us, though... "Most hackers are from English speaking countries, so if they have access to our codebase, they'll have a harder time understanding it, giving us more time to react to a cyber attack".

    For a moment the programmers were just muted, looking at each others' eyes as if silently asking, 'did he really say that?'. And then our PHB said, with a smile, "they might even think it's all actually in Spanish, giving them an even harder time."

    I was called "an immature boy trying to be a smartass" because I was dumb enough to point out that even if our code were all translated to German for security's sake, we would still be making calls to native APIs which would expose connection strings and passwords. Like, (götterdämmerung.connectionString = "foo";) is not exactly the most clever obfuscation trick, if obfuscation was ever clever in the first place. "We'll obviously have to wrap those calls to the native APIs in some way to reduce the attack surface, though", he said.

    Which led to us having to write methods such as:

    public void configuraTextoDeConexao (conexao, texto) {
      conexao.connectionString = texto;
    }

    I told them you don't need to know Portuguese or any closely related language to figure what that does in just a few seconds. They didn't take me seriously.



  • For a second there, I thought this might be another case of the MUMPS.

    "...to reduce the attack surface, though", he said

    If a hypothetical attacker has your source code, then your obfuscation has already failed.

    Perhaps the PHB should randomly remove a few keys from your keyboard so you have to "wrap" some keystrokes in a copy-paste from a secret document?



  • Obviously that function deals with the gotterdammerung



  • @Sutherlands said:

    Obviously that function deals with the gotterdammerung
     

    What else could it be, goddamnit?



  • Oh shit! Sire! We can't hack into this system... it's all written in Portuguese!

    Use Google Translator, stupid!

    public void configure text connection (connection, text) {
    connection. connectionString = text;
    }

    Actually, "obfuscating" your code with these stupid ideas might divert hackers from such a piece of shit. Security by Stupid Management, you can call it.



  • That's why I always use a combination of Navajo and Ancient Greek.



  • >That's why I always use a combination of Navajo and Ancient Greek.

     

    And I use  Na'vi

    window.alert = function(m) { if (!confirm(m)) var kill=asdsadapfksaoOPSFKPASKOPFS; }


  • Use a Unicode source file, and name your functions using a combination of left-to-right and right-to-left languages. That way, you can never be sure of the real order of letters by just reading the code.



  • @tchize said:

    Use a Unicode source file, and name your functions using a combination of left-to-right and right-to-left languages. That way, you can never be sure of the real order of letters by just reading the code.

    !

    Welp, I've got some refactoring to do. I'll let you know how it goes. I'll see if I can get some statements that LOOK like ordinary and common LTR statements, but are actually with RTL markers executing "special" code. Oh man.



  • @Xyro said:

    I'll see if I can get some statements that LOOK like ordinary and common LTR statements, but are actually with RTL markers executing "special" code. Oh man.
    Now I so want to die quickly.



  • Sadly, Java and Javascript (on Chrome and Firefox) puke on bidi markers in the code, they are explicitly illegal characters. C# doesn't really do anything with them, and instead complains about a missing semicolon. Additionally, Visual Studio 2010 doesn't even respect the marker, so you can't get sdrawkcab code. With NetBeans you can, but it sometimes goofs up the line if two opposing markers are on the same line. I think it's due to the way it syntax highlights, because it works fine in a comment.

    I guess you just have to go back to the old fashioned look-alike characters.
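The two tricks being joked about above, bidi markers that make a line render differently from how it parses, and the "old fashioned look-alike characters" fallback, are exactly what a source scanner should flag before code review. What follows is an added example, not code from this thread or from any of its posters: a Python scanner for Unicode bidirectional controls and for identifiers mixing scripts, run against two constructed snippets. The samples, the function names and the script heuristic (first word of the character's Unicode name) are all assumptions of this example; whether a given compiler accepts the characters is a separate question from whether a human reviewer sees them.

```python
"""Detect two source-level display tricks: Unicode bidi controls and
mixed-script (look-alike) identifiers. Added example, not code from the thread."""
import re
import unicodedata

# Unicode bidirectional formatting characters. A renderer reorders the text
# that follows them, so what you read is not what the compiler parses.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
BIDI_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")
IDENT_RE = re.compile(r"[^\W\d]\w*")  # word tokens; strings and comments included


def find_bidi_controls(source):
    """Return (line_no, column, short_name, code_point) for every bidi control."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in BIDI_RE.finditer(line):
            ch = m.group()
            findings.append((line_no, m.start(), BIDI_CONTROLS[ch], f"U+{ord(ch):04X}"))
    return findings


def find_mixed_script_identifiers(source):
    """Return (line_no, token, scripts) for word tokens that mix two or more scripts.

    The script is taken from the first word of the character's Unicode name
    (LATIN, CYRILLIC, GREEK, ...). This is a heuristic, not a full UTS #39 check.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in IDENT_RE.finditer(line):
            token = m.group()
            scripts = {unicodedata.name(c, "?").split()[0] for c in token if c.isalpha()}
            if len(scripts) > 1:
                findings.append((line_no, token, scripts))
    return findings


# Constructed sample (not from the thread). In a bidi-aware editor line 2 reads as
#     is_admin = access_level != 'none'  # Check if admin
# but the literal really contains the RLO and the "comment" text, so the
# comparison is against a string that is not 'none'.
BIDI_SAMPLE = (
    'access_level = "user"\n'
    "is_admin = access_level != 'none\u202e\u2066 # Check if admin\u2069\u2066'\n"
)

# Constructed sample: the second identifier uses CYRILLIC SMALL LETTER A (U+0430),
# so it is a different variable from the Latin `password` it looks like.
HOMOGLYPH_SAMPLE = (
    'password = "expected"\n'
    'p\u0430ssword = "hunter2"\n'
)


def sample_is_admin():
    """Execute BIDI_SAMPLE and return what is_admin actually evaluates to."""
    namespace = {}
    exec(BIDI_SAMPLE, namespace)  # constant string defined above, not user input
    return namespace["is_admin"]


def sample_password_values():
    """Execute HOMOGLYPH_SAMPLE and return the two distinct bindings it creates."""
    namespace = {}
    exec(HOMOGLYPH_SAMPLE, namespace)
    return namespace["password"], namespace["p\u0430ssword"]


if __name__ == "__main__":
    for line_no, col, name, cp in find_bidi_controls(BIDI_SAMPLE):
        print(f"bidi control {name} ({cp}) at line {line_no}, column {col}")
    for line_no, token, scripts in find_mixed_script_identifiers(HOMOGLYPH_SAMPLE):
        print(f"mixed-script token {token!r} at line {line_no}: {sorted(scripts)}")
    print("is_admin evaluates to", sample_is_admin())
    print("password bindings:", sample_password_values())
```

Run it as a pre-commit or CI check over every text file in the tree; a clean codebase should produce no findings at all, so any hit is worth a human look. The identifier check deliberately scans string and comment contents too, since look-alike characters in a URL or hostname literal are just as interesting as in a variable name.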



  • @bugmenot1 said:

    And I use  Na'vi


    window.alert = function(m) { if (!confirm(m)) var kill=asdsadapfksaoOPSFKPASKOPFS; }

    Kill Neytiri? Noooo!


    @Xyro said:

    Sadly, Java and Javascript (on Chrome and Firefox) puke on bidi markers in the code, they are explicitly illegal characters. C# doesn't really do anything with them, and instead complains about a missing semicolon. Additionally, Visual Studio 2010 doesn't even respect the marker, so you can't get sdrawkcab code. With NetBeans you can, but it sometimes goofs up the line if two opposing markers are on the same line. I think it's due to the way it syntax highlights, because it works fine in a comment.

    You could try writing in 'French' characters. I hear that doesn't display well.



  • @bugmenot1 said:


    >That's why I always use a combination of Navajo and Ancient Greek.

     

    And I use  Na'vi


    window.alert = function(m) { if (!confirm(m)) var kill=asdsadapfksaoOPSFKPASKOPFS; }

    I prefer Hylian:

    function HeyListen(look, gyaaak) {
    triforce = look.farore(gyaaak);
    }



  • @Xyro said:

    Sadly, Java and Javascript (on Chrome and Firefox) puke on bidi markers in the code, they are explicitly illegal characters.

    You and I choose to be sad about very different things. ;)

    And I can't exactly pinpoint why, but Portuguese annoys the piss out of me. Superficially, one does think "Hey, Spanish! This I can handle!". Then, one realizes that it's Portuguese... bummer.


    @boomzilla said:

    @Xyro said:
    Sadly, Java and Javascript (on Chrome and Firefox) puke on bidi markers in the code, they are explicitly illegal characters. C# doesn't really do anything with them, and instead complains about a missing semicolon. Additionally, Visual Studio 2010 doesn't even respect the marker, so you can't get sdrawkcab code. With NetBeans you can, but it sometimes goofs up the line if two opposing markers are on the same line. I think it's due to the way it syntax highlights, because it works fine in a comment.

    You could try writing in 'French' characters. I hear that doesn't display well.

     

    Your code is only insecure because it is on a computer. It should be printed out on binders, and those binders kept secure in a lock, tightly controlled room. If anyone needs to actually use it, they write down their input on a piece of paper. A coder can then go into the room (under supervision, of course), and figure out the output of the program by hand. You then give the piece of paper back to the user, who must memorize the output, and then eat the paper.

    For security reasons, no one may leave the building until they've pooped into the shredder.



  • @Renan said:

    standard, function, type and variable names should be in Portuguese
    I really, really wish people would stop writing code in anything other than English. Don't we all speak that by now? What kind of pit hires coders that are not fluent anyway? Just use English, especially if you're going to be posting snippets on SO or wherever and expect people to guess what the hell your incomprehensible gibberish is supposed to be doing. I don't know about the rest of you, but I can't even stand code in my own native language.



  • I'm new here, so I don't know if you're a troll, but for now I'll assume you're serious.

    @DOA said:

    @Renan said:

    standard, function, type and variable names should be in Portuguese
    I really, really wish people would stop writing code in anything other than English. Don't we all speak that by now?

    Well, yes, a large percentage of educated people around the world speak English to a greater or lesser degree, and of course there's a high probability you'll have to deal with English identifiers from your core language/API/platform anyway, but that still doesn't mean that everybody everywhere should be expected to be fluent, or that there won't be a benefit to using identifiers that are more easily understood--and more similarly understood--by most or all of your staff.

    If you're a shop full of native Portuguese speakers with varying levels of English skills (Yes! That's totally valid, believe it or not!) then it makes perfect sense to adopt the stance that, "We can't do anything about libraries that come from elsewhere, but we will make our own code as easy as possible for all of us to understand." If the code is not intended for consumption outside that group, that country, etc., it's a good approach. (Not for any silly "security" reasons though, of course.)

    What kind of pit hires coders that are not fluent anyway?


    Um, a "pit" that's in a country where English is not the primary language? Granted, that's only most of the world, so yeah, you totally have a point there.


    Just use English, especially if you're going to be posting snippets on SO or wherever and expect people to guess what the hell your incomprehensible gibberish is supposed to be doing.

     


    Yeah, and use real money too, ya damn savages!  :rolleyes:

     



  • You can always use something that will make it very hard to put the code inside



  • @Quango said:

    You can always use something that will make it very hard to put the code inside

    I certainly can't argue with that!



  • @jverd said:

    English identifiers from your core language

    Needs moar preprocessor!

    #define função function
    // or is it funcionar? I'll have to ask the other person I know from Fortaleza



  • @jverd said:

    @Quango said:
    You can always use something that will make it very hard to put the code inside

    I certainly can't argue with that!

     

    You will always be something that would make it very difficult to code as possible inside?

     

    What is this? I don't even get it.



  • @ekolis said:

    @bugmenot1 said:

    >That's why I always use a combination of Navajo and Ancient Greek.

     

    And I use  Na'vi

    window.alert = function(m) { if (!confirm(m)) var kill=asdsadapfksaoOPSFKPASKOPFS; }

    I prefer Hylian:

    function HeyListen(look, gyaaak) {
    triforce = look.farore(gyaaak);
    }

     

     

    Klingon.

    [code]while(.) { ...[/code]

    ......what? Doesn't your screen font support that character range?

     



  • @jverd said:

    (...)but that still doesn't mean that everybody everywhere should be expected to be fluent(...)

    If you can't speak English fluently, you also can't understand most of the literature on coding that there is, so I consider it a prerequisite for any coding-related job.



  • @Renan said:

    @jverd said:

    (...)but that still doesn't mean that everybody everywhere should be expected to be fluent(...)

    If you can't speak English fluently, you also can't understand most of the literature on coding that there is, so I consider it a prerequisite for any coding-related job.

    That is simply not true. Reading, writing, speaking and listening are different skills; what is needed to read is reading skill, and people learning another language tend to have a different level for each skill (listening and speaking are usually the harder ones, while reading is the easier one).

    So I would say that what everybody needs is a high level of English reading skill (most tech books are easy to read, as they use simpler language than novels and such) and maybe mid-level writing skills, unless you work for or with English-speaking people.



  • @Renan said:

    @jverd said:

    (...)but that still doesn't mean that everybody everywhere should be expected to be fluent(...)

    If you can't speak English fluently, you also can't understand most of the literature on coding that there is, so I consider it a prerequisite for any coding-related job.

    That's flawed for at least two reasons:

    1) For at least some people, it's easier to understand something that somebody else produced in a foreign language than to produce something correct and "fluent" in that language. That is, understanding the literature is a lot easier than speaking the language fluently. This is especially true of understanding technical writings, which tend to be straightforward, with little nuance or subtlety, and which comprise a limited (albeit specialized) vocabulary.

    2) You may be able to find sufficient literature in your native language, or in a secondary language (either authored in that language or translated into it from English) you're more skilled at than English, that you don't need a lot of the literature that's in English, or that you can supplement it with stuff in a language in which you are fluent, to fill in any gaps that are left as a result of your limited English.

    While fluency in English is a significant plus, it is absolutely NOT a prerequisite.



  • @Renan said:

    public void configuraTextoDeConexao (conexao, texto) {
      conexao.connectionString = texto;
    }

    I told them you don't need to know Portuguese or any closely related language to figure what that does in just a few seconds. They didn't take me seriously.

    I... I actually had to think for a second there, despite being a native Portuguese speaker.

    I always call strings "strings" (I use the English term, like most people around here). And I usually think of them as "chains of characters" (that's why they're called "strings"), rather than as text.

    At the least, I don't really think of them as text when they're not meant for public consumption.

    So it actually took me a couple of moments to figure out what "texto de conexão" meant. Maybe I'm just being slow today.

    @Zemm said:

    #define função function
    // or is it funcionar? I'll have to ask the other person I know from Fortaleza
    "Função" is a noun, "funcionar" is a verb. You're correct.

     



  • @Watson said:

    @ekolis said:

    @bugmenot1 said:

    >That's why I always use a combination of Navajo and Ancient Greek.

     

    And I use  Na'vi

    window.alert = function(m) { if (!confirm(m)) var kill=asdsadapfksaoOPSFKPASKOPFS; }

    I prefer Hylian:

    function HeyListen(look, gyaaak) {
    triforce = look.farore(gyaaak);
    }

     

     

    Klingon.

    [code]while(.) { ...[/code]

    ......what? Doesn't your screen font support that character range?

     

    Yeah, that's quite deliberate actually ....

     



  • @jverd said:

    What kind of pit hires coders that are not fluent anyway?
    Um, a "pit" that's in a country where English is not the primary language? Granted, that's only most of the world, so yeah, you totally have a point there.
    I happen to live in a country where English is not the primary language, and when it comes to getting a job, fluency in English is a requisite as much as fluency in the coding language used at that shop. Obviously they don't expect you to be able to speak like a native, but you should be able to read/write fluently, and you sure as hell should be able to name a variable, especially if your native language uses a non-Latin alphabet and you have to either alt-shift 10 times per line of code or write a bastardized version of the word in the Latin charset.

     



  • @DOA said:

    @jverd said:

    What kind of pit hires coders that are not fluent anyway?
    Um, a "pit" that's in a country where English is not the primary language? Granted, that's only most of the world, so yeah, you totally have a point there.
    I happen to live in a country where English is not the primary language, and when it comes to getting a job, fluency in English is a requisite as much as fluency in the coding language used at that shop.

    That's the case for your particular market. Doesn't make it universal, and doesn't mean that English fluency is required for the technical aspects of performing the job, which is what your previous posts seemed to imply. Perhaps I misunderstood your point.

    Obviously they don't expect you to be able to speak like a native, but you should be able to read/write fluently, and you sure as hell should be able to name a variable, especially if your native language uses a non-Latin alphabet and you have to either alt-shift 10 times per line of code or write a bastardized version of the word in the Latin charset.

     

    Well, yes, identifiers in kanji are a major PITA, and so are their romanized equivalents (harder to read than the kanji, even with only moderate knowledge of Japanese), as I learned firsthand. But again, depending on the specific language/charset, job market, and individual shop, non-English variable names can be just fine, even preferable. I would expect those cases are in the minority overall, but your previous posts had a strong air of absoluteness that just doesn't hold.



  • @jverd said:

    @Renan said:
    @jverd said:

    (...)but that still doesn't mean that everybody everywhere should be expected to be fluent(...)

    If you can't speak English fluently, you also can't understand most of the literature on coding that there is, so I consider it a prerequisite for any coding-related job.

    That's flawed for at least two reasons:

    1) For at least some people, it's easier to understand something that somebody else produced in a foreign language than to produce something correct and "fluent" in that language. That is, understanding the literature is a lot easier than speaking the language fluently. This is especially true of understanding technical writings, which tend to be straightforward, with little nuance or subtlety, and which comprise a limited (albeit specialized) vocabulary.

    2) You may be able to find sufficient literature in your native language, or in a secondary language (either authored in that language or translated into it from English) you're more skilled at than English, that you don't need a lot of the literature that's in English, or that you can supplement it with stuff in a language in which you are fluent, to fill in any gaps that are left as a result of your limited English.

    While fluency in English is a significant plus, it is absolutely NOT a prerequisite.

    I get your point. I should've said "if you aren't fluent in English, you also can't understand...". I agree that reading skills are easier and more important in this case.

    Now, about point 2), trust me, I've been working in this field since the middle of the past decade and I still can't find much literature in Portuguese. Last year I was browsing through the biggest bookstore within a few dozen miles, and the best they had to offer in pt-BR was 'C for Dummies' and 'The Mangá Guide to Databases'.

