[AdaLovelaceDay] and how to code with integrity

It is Ada Lovelace Day, “an international day of blogging to draw attention to women excelling in technology”. There is so much potential and power in the tech sector, and it is therefore imperative that our field is inclusive to all of society.

So, I’d like to talk about a friend of mine, “C”. We both came out of the Computer Science division at Harvard. I don’t want to get into an Ivy League grudge match, but I think it’s fair to say Harvard’s CS was no cakewalk: heavily weighted towards theory, and not a whole lot of hand-holding. We both spent some part of our youth tinkering with code and wading around Usenet. We both came into CS as transfers from our initial majors, only later coming to terms with which field truly called to us.

There were differences, of course: for example, I walked away with a B.A., whereas she walked off with her Master’s Degree in hand. That’s graduate-level work. That’s the choice she made to delve into challenging theory when easier options were available. As a younger man, I did not enjoy theoretical work; only later, having practiced in the real world, did I come to value proper theoretical understanding, and to see how precious and how rare it is.

And so, we both pursued careers (she in the DC area, and I in Boston). We both went through cycles of new jobs, new challenges, and constant reinvention. I admire the path she’s taken: once she realized that web development was no longer her passion, she immersed herself in a new challenge – sysadmin work – when she could have found an easier job within her former niche.

Integrity is living by your own set of standards, beyond what the world imposes on you. For technical workers, we are presented with many easy options – and many threats to our integrity.

To hack and fix, or to learn from a problem, solve and actually understand? To hop from gig to gig – or to keep your commitments to a team that relies on your work? To settle for the buzzwords and acronyms of a resume bullet – or to leave the comfortable behind and forge a new set of skills? To code for a paycheck, or to code as excellently as you can, as correctly as you can, because there is simply no other way to do so?

Code with integrity. We can find solutions to the world’s toughest problems – but only when we treat our profession with the pride it deserves. With her as a friend and colleague, I know that I must work to a higher standard.

[rails] plugin: sanitize_attributes

I’ve made a Rails plugin, sanitize_attributes, and (after some help from jnichols at a recent Boston.rb hackfest) I’m happy to share it. It’s a rather small plugin, adding a light DSL to ActiveRecord models to quickly define pre-save data sanitization.

This came out of some work I was doing to fight cross-site scripting (XSS) attacks. Once the plugin was done, adding sanitization was a snap:

class Comment < ActiveRecord::Base
  # Run each listed attribute through the lambda before the record is saved.
  # Assumes the Sanitize gem is loaded (e.g. via config.gem / Bundler).
  sanitize_attributes :title, :body, lambda { |text| Sanitize.clean(text) }
end

The gem I’m referencing above is rgrove’s Sanitize gem. I prefer it to the built-in Rails sanitization because it uses Hpricot (a true C-based parser) under the hood. For fighting XSS attacks, if you’re not parsing the HTML and rewriting it against a conservative whitelist of allowed elements and attributes, you’re not actually sanitizing anything: regex stripping of “bad” tags is trivially bypassed by malformed markup that a browser will still happily render.
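To make both points concrete, here is an added, self-contained illustration (not the sanitize_attributes plugin’s code, nor rgrove’s Sanitize gem). It wires a hypothetical sanitize_attributes class macro into a save hook on a plain Ruby model (standing in for ActiveRecord’s before_save), and runs the attributes through a small tokenizer-based whitelist sanitizer I wrote for this example. A naive blacklist stripper is shown alongside so the classic nested-tag bypass can be seen next to the whitelist result. The WhitelistSanitizer and SanitizeAttributes names, the allowed-tag table, and the sample comment text are all constructed for this example.

```ruby
require 'cgi'

# Hypothetical whitelist sanitizer (illustration only; use a real parser-based
# library such as the Sanitize gem in production). It tokenizes input into tags
# and text, keeps only whitelisted elements/attributes, rebuilds those tags from
# scratch, and HTML-escapes everything else.
module WhitelistSanitizer
  ALLOWED = {
    'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'p' => [],
    'a' => ['href']
  }.freeze
  SAFE_URL = %r{\A(https?:|mailto:|/|#)}i               # blocks javascript: etc.
  TAG  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
  ATTR = /([a-zA-Z][a-zA-Z0-9\-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

  def self.clean(html)
    html = html.to_s
    out = String.new
    pos = 0
    html.scan(TAG) do
      m = Regexp.last_match
      out << CGI.escapeHTML(html[pos...m.begin(0)])   # text between tags
      pos = m.end(0)
      closing, name, raw_attrs = (m[1] == '/'), m[2].downcase, m[3]
      next unless ALLOWED.key?(name)                 # unknown tag: dropped
      if closing
        out << "</#{name}>"
      else
        attrs = raw_attrs.scan(ATTR).map do |k, *vals|
          k = k.downcase
          v = vals.compact.first.to_s
          next nil unless ALLOWED[name].include?(k)  # unknown attr: dropped
          next nil if k == 'href' && v.strip !~ SAFE_URL
          %( #{k}="#{CGI.escapeHTML(v)}")
        end.compact
        out << "<#{name}#{attrs.join}>"
      end
    end
    out << CGI.escapeHTML(html[pos..] || '')         # trailing text
    out
  end
end

# Naive blacklist "sanitizer", for contrast: a single gsub of <script> tags.
def naive_strip(html)
  html.gsub(%r{</?script[^>]*>}i, '')
end

# Hypothetical sanitize_attributes macro: records (attribute, cleaner) pairs on
# the class; sanitize! applies them. An ActiveRecord model would call
# sanitize! from a before_save callback.
module SanitizeAttributes
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def sanitizers
      @sanitizers ||= []
    end

    def sanitize_attributes(*attrs, cleaner)
      attrs.each { |a| sanitizers << [a, cleaner] }
    end
  end

  def sanitize!
    self.class.sanitizers.each do |attr, cleaner|
      value = public_send(attr)
      public_send("#{attr}=", cleaner.call(value)) unless value.nil?
    end
    self
  end
end

class Comment
  include SanitizeAttributes
  attr_accessor :title, :body
  sanitize_attributes :title, :body, ->(text) { WhitelistSanitizer.clean(text) }

  def initialize(title:, body:)
    @title, @body = title, body
  end

  def save
    sanitize!   # stands in for ActiveRecord's before_save
    true
  end
end

# Constructed sample input: nested-tag bypass, javascript: URL, event handler.
NESTED  = '<scr<script>ipt>alert(1)</scr</script>ipt>'
SAMPLE  = Comment.new(
  title: 'Hi <b onclick="x()">there</b>',
  body:  "#{NESTED} <a href=\"javascript:alert(1)\">x</a> <a href=\"https://example.com\">ok</a>"
)
SAMPLE.save
```

Running it, the blacklist turns the nested input into a live `<script>alert(1)</script>`, while the whitelist leaves only escaped text, an `<a>` with its javascript: href removed, and the https link intact.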

Relatedly, I’m working on a lightning talk about anti-XSS techniques that I could share at Boston.rb. I wouldn’t suggest that I’m a security guru, but there’s definitely some knowledge I want to share, and nobody wants to learn this the hard way.