People here are very critical of Jeff Atwood. I realize that he has some shortcomings, and is sometimes flat-out wrong about things, but I'd like to point out a couple of things in his defense:
1. His blog and podcasts are pretty entertaining, even if he is wrong sometimes.
2. He created Stack Overflow, which is a pretty nice site. At least, I like it.
3. He admitted and blogged about an extremely embarrassing oversight on his part today. Which takes some backbone.
That being said, I don't think we need a link to him on every single blog entry. This particular entry is more interesting from a Hacker News perspective though.
I'm one of those who is often critical of Atwood, and the point is not that he is "wrong sometimes", but rather, that a) he tends to carelessly dismiss those things he doesn't understand, and b) this includes much of the discipline of computer science.
As Dennis Forbes so aptly put it, "Be careful diving in [to CodingHorror] headfirst, though, as the technical depth is generally so shallow you'll be hitting the bottom before you've even broken through the surface tension."
Interesting. I was about to impulse-comment on a previous comment, but then saw yours.
Makes me wonder about the ways of being wrong, and who do people here think tend to be wrong in a good or valuable way?
E.g., making conjectures that at least posit novel interaction of events and ideas, or are wrong due to lack of current knowledge and over-optimistic conjecture, not because of willful ignorance or bias.
(I suppose that describes any good sci-fi writer; I'm thinking more of bloggers or essayists.)
1. Entertaining but often wrong in subtle ways that could confuse a novice programmer. As an example, see his opinion on the need to know C.
2. Yes, much better than Experts Exchange.
3. He does that often: makes mistakes and then boldly admits to them. The last one I remember was his article on password salting. Yes, that's good, but then again what choice does he have? You can't erase your past from the internet.
That being said, this particular entry is a tease to the NEXT entry where we might learn something valuable about security.
I'd prefer if we saw many, many fewer coding horror articles here because I do believe the interests of his fans and those of elite hackers are mutually exclusive.
People are very critical of Jeff because it's very easy to be critical of him. Not that it's necessarily justifiable; it's just that "everyone else is doing it". It's kind of like the old maxim about how nobody ever got fired for going with IBM / Microsoft.
He's done some good things, and some stupid things; I think a lot of people have probably gotten started reading up online on their own because of Coding Horror, and anything that gets the 9-to-5 set doing some extracurricular reading can't be all bad.
It's totally the other way around. Jeff coded most of the StackOverflow site; sometimes in the podcast you can notice that Jeff knows more about their codebase than Joel.
I'm also an Atwood fan. And he may have been pretentious in this particular post, but I find that for the most part he is quick to admit when he's wrong or lacking knowledge on a topic. He seems eager to learn.
Really? Like when? When he blames Wikipedia for his misunderstanding of P=NP? When he complains like a little school girl that it's not his fault he doesn't know what "begging the question" means? Is he that eager to learn when he constantly bemoans how pointless it is to learn C or know anything about how computers actually work, save for when he fawns over a select few Turing award winners whose work he doesn't even understand? Maybe you're right.
Well, someone keeps posting these things on HN! This is always a weak criticism: "How can you criticize something you know a lot about?" It's actually kind of silly.
Just stop reading him if it bothers you a lot... To me, you're not seeing all his articles objectively, since you criticize pretty much all Coding Horror articles.
ALL of his blog posts are about extremely embarrassing oversights on his part -- they're all about what an idiot he is. The punchline is always "the first third of this post was hopelessly stupid".
They all have an implied "why the fuck do you listen to me anyway?" tone in the final paragraph. Jeff Atwood knows, deep in his heart, just how much of a pretender he is.
Maybe Joel interrupted him when he was talking about it once and he forgot about it and hence forgot to implement whatever important security practice he overlooked for stackoverflow.
Good thing stackoverflow is a tech help site and not porn/gambling, eh?
Funny, I had a similar incident on Friday. I had an error on my web server from a bug (fixed now of course). I was curious about the IP that generated the error because I had just attended a networking event and wanted to know which contact I talked to now had a bad impression of my site.
I put the source IP in my browser and came up with a XAMPP administration page which had a link to phpMyAdmin, which gave me admin access to all the databases on that server.
I poked around long enough to get a contact email for the server admin and sent him a polite email explaining everything. He was grateful for the email and explained that he never thought anyone would try to access his raw IP. I don't think he checks his logs much. ;)
My favourite Atwood screw-up of all time was on the recent Stack Overflow podcast. Joel referred to a digital clock on the wall, and Jeff corrected him, saying it was an analog clock. Joel did his customary 'Jeff said what?' pause, and then pointed out "I'm pretty sure I can see digits on that clock, so it's digital." Jeff was still not immediately convinced.
That said, I enjoy listening to the podcast, even if sometimes because I get to laugh at the things Jeff said. But as someone else said here, it's hard to be too down on someone who was a key factor in making a site like Stack Overflow. He also makes some good points. Sometimes.
But objectively, about 90% of the time I agree with Joel when the two have a disagreement. Guess that means I shouldn't apply for a job at Fog Creek :-).
Yeah, the podcast has a lot of that. It's very ironic. It's quite common for Jeff to say something wrong, Joel to correctly correct him, and Jeff to a) not be convinced and b) yield in the sort of "I know more than you do about this but I'm just going to be nice" way. I think it's delightfully, if not irritatingly, ironic.
Isn't 1Password a solid way of avoiding the whole one-password-multiple-logins problem? Most of my logins are 8 or more randomly generated characters. The best passwords I end up memorizing anyway, but I don't use the same PW twice anywhere on the internet. Am I secure?
I've been using 1Password, but I've noticed its "auto fill" and "auto save" options get confused easily, especially if I have multiple logins for one site (for example, I set up a new Gmail account for every project I run, and tie in any third-party services to that Gmail). This means that I could have 10-20 Gmail logins saved. 1Password often tries to save passwords that it already has saved. Make sense? Anyone else run into this problem? I've started to migrate over to using Wallet.
He is so pretentious. He goes on about how great OpenID is and yet talks about how he has all these different passwords and uses a "throwaway" password for admin access to his application. Great. Then he posts something about how "brute force is for dummies" when using bad passwords is really what's for dummies.
I think he even had a post about how a passphrase is better than a password. But I may be mistaken and I am just too lazy at the moment to search for it :(
I'd like to jump all over Jeff for having a weak password, but somehow that seems like blaming the victim. Sure, he's supposed to be an elite hacker programmer blogger authority something-or-other, but is everyone in the world supposed to become an authority on choosing strong passwords?
Stepping back for a moment, why are we using passwords for authentication and security in 2009?
Because there are not better alternatives? Unless you'd like to trust some company with biometric details about yourself. But biometrics aren't notably better than passwords anyway.
And in answer to your question, yes. Everyone is supposed to become an authority on choosing strong passwords. I fail to see why this is unreasonable.
> Everyone is supposed to become an authority on choosing strong passwords. I fail to see why this is unreasonable.
People have been saying this for decades, that users should get with it and learn how to create passwords like "as723HASD-23", to change it every month, to use a different one for each system, to never write it down, and so on and so on.
And for decades users haven't been doing this.
So. Are we to blame the rest of the universe for not doing what we tell it? Or decide for ourselves that this doesn't work and we as programmers must think of something else?
If none of the alternatives appeal to you, think up a new one and get some YC funding going :-)
The point is that there are no alternatives. This isn't a design problem that as programmers we can fix. There are plenty of existing security systems that fit the bill. It's a human problem.
For example, one technical fix is a widely deployed public key authentication system. It would take a company as large as Google to force people to adopt it, however. Plus operating systems would have to start shipping the software to make the average user understand it. Private key creation would need to be integrated into the create user process of Windows and Mac OS X. That's not realistic because there is little profit for the companies involved.
How many non-technical people are actually using OpenID? (For that matter, how many _technical_ people are using it?) Actually using it, not having some OpenID thing that they don't know about...
> Sure, he's supposed to be an elite hacker programmer
No, he is not. He is at best average.
A while back Joel published an article in Inc, about his experience of run and gun with stackoverflow. He was surprised how well it went. In fact it merely appeared to have gone smoothly. I'm guessing more subtle long term problems will continue to appear as time goes on.
And yet still, I think Stack Overflow is much, much better than Experts Exchange.
I agree, but he is perceived as being some elite coder by a large portion of pretty fresh web devs, probably mostly because of the prevalence of his blog and the readers' lack of technical skill/knowledge.
I know that I thought that he must have known what he was talking about a while ago. That is, before I knew what I was talking about.
From another perspective, I wonder how much time is wasted by the average person choosing, memorizing, and resetting random passwords that no one will ever try to crack.
I wonder if the value saved by well-protecting a user's data is a net gain or loss on the whole... http://qzip.in/nX
> "If you're a moderator or administrator it is especially negligent to have such an easily guessed password."
Actually, I find just the apparent fact that he uses a third-party OpenID provider (whichever one it is) for his Stack Overflow admin account disturbing. The OpenID provider has the credentials; they can therefore log in as him any time they like. Only their integrity / reputation prevents them from doing that. I think it's fine for individuals using the system to trust a third party like that, but I don't think it's fine for someone with admin powers to do so.
* Ignore this whole comment if he runs his own OpenID provider :-)
When you run a site with many users, you have a responsibility to safeguard your users' data. Part of this is having reasonable security, and part of that is having a reasonable admin password.
As far as not "really" needing to post this, that's true of any breach of security with no obvious user-observable consequences, regardless of the kind or degree of the breach.
edit: Besides, as is the case with the softcore porn in a technical presentation, I'm more worried about the fact he says it's no big deal than the actual security problem. I think "I screwed up totally and apologize for having failed you, this will not happen again" would have been more appropriate than (paraphrase) "I screwed up but this is pretty inconsequential."
It's better to modify your site to accept only modified usernames/email addresses (e.g. you must always log in by adding a - to your username) for the user accounts that are more important (have more rights) than normal accounts.
A hacker will have problems brute-forcing these accounts.
> how do you think this person discovered my password?
Well, this may be a stab in the dark, but I'm guessing it has something to do with the fact that you are NOT a great programmer. Learn some C, you average coder!