- People heed the advice of this author, and soon all passwords are abolished, replaced with email auth.
- Of course, emails still have a password, as you can't email auth an email.
- Heartbleed 2 happens, hackers focus on Heartbleeding email services.
- For every email password you get, now you have complete control over this person's life, as all services are linked to it for auth.
- Security experts start proposing that you have a separate email for every email auth service, and every email has a separate password, so you can isolate damage.
- Result: previously you had N passwords for N services and 1 email. Now you have N passwords for N services and N emails.
The problem is that getting email or SMS and having to type that code in every time, then deleting that email/SMS, manually is less convenient that using a password manager.
You can have an "authentication email manager" just like password managers, but then what have we solved exactly? Nothing.
Except that emails, when used as mass-authentication device, will become an even more attractive target to hackers. In most cases accounts are exploited namely via their email password recovery, not via their password.
Email/SMS are an ok layer when used as a second factor, but on their own, they are less secure than a strong password. While logins are HTTPS, email is plain text, so is SMS.
Heartbleed is an exception. Dropping passwords over Heartbleed is precisely the same type of overreaction we had after 9/11 when suddenly flying became a nightmare (and still is).
The proper reaction here is: Heartbleed is fixed, and we better put some resources towards vetting and fixing OpenSSL so this doesn't happen again.
No need to build towers of nonsense that assume it'll be Heartbleed every week now for the next 20 years.
You're underestimating the work that's been done in secure password managers in the last few years.
Check the whitepaper Apple published regarding their iCloud Keychain mechanism.
It generates secure passwords, locks them with a passphrase, but also makes them available on all your devices, not just one (which, if it breaks, you're locked out of all your services).
Using hardware for tokens is secure and simple, but it shows a severe lack of imagination. I only see hardware tokens as useful for very high security logins, like bank accounts, where the apparent inconvenience is at least justified.
You actually said it, which is funny, but the right word for this is "validating".
Here's the chain:
1. Get raw input.
2. Validate it (number, not number, in range, not in range?)
3. Optionally format it to canonical format (i.e. trim whitespace etc.)
... later....
4. Encode it for where you want to use it (SQL, HTML etc.).
Sometimes steps 2 and 3 are done in the opposite order, or as an atomic single operation, but point is, we have perfectly reasonable words for all that: validating, formatting, encoding.
He is perfectly following his own advice. Apparently, his form field takes HTML syntax with a subset of HTML tags. Your input does not conform to that. So, instead of silently altering what you wrote, it tells you about the validation failure and asks you to correct your input instead of silently changing what you wrote. The input field takes HTML, so you have to write "<script>" (I suppose, haven't tested it) in order to display "<script>" - that is perfectly consistent.
No form should accept just "HTML" if you don't want just any "HTML" in your form.
I was actively trying to talk about his script example and instead I had to second-guess his parser to get past the validator (I eventually resigned and replaced < and > with [ and ]).
If you want to support some tags, have your parser be an HTML-like DSL language with those tags supported. Don't disallow perfectly good input.
I don't really understand what point you are trying to make, but in any case, he has a particular input format for that form field, your input did not conform to it, so it was rejected, nothing particularly surprising or wrong there.
Now, I haven't tried it, but I suppose his form field expects HTML syntax? Have you tried entering your text in HTML syntax? Was that rejected?
This guy seems uneasy with Actors. His example is wrong and then he tries to solve it with a solution that's worse than the problem he thinks he has.
Let's untangle that stuff. Actors are about conversations between folks organized, like you would find in a good company. So let's use the conversation metaphor.
His example of "classical" actors:
- PaymentActor (to herself): Someone told me to process a payment from this order. I'm done.
- PaymentActor: Hey, FraudCheckActor, check if this order I'm giving you is a fraud.
- FraudCheckActor (to herself): Damn, this is a fraud.
- FraudCheckActor: Hey, CancelOrderActor, cancel that order I'm giving you!
- CancelOrderActor (to himself): I canceled the order.
Now I see an immediate problem here. This is anarchy. No one is in charge of the whole process, everyone runs to talk to someone else, and passing around that order data and there's no conversation happening here. Would someone in a real company organize things this way? Not in a good company, for sure!
Let's see what his solution is:
- PaymentActor (to herself): Someone told me to process a payment for this order.
- PaymentActor (screaming): Everyone! Payment is complete for this order! (screams the order info to everyone)
- FraudCheckActor (to herself): I heard that, I'll check it. Damn, this is a fraud.
- FraudCheckActor (screaming): Everyone! This order is a fraud! (screams the order info to everyone)
- CancelOrderActor (to himself): I heard that, I'll cancel that order.
- CancelOrderActor (to himself): I cancelled it.
Now I see an even bigger problem here. It's still a god damn anarchy, but now also everyone is screaming at everyone, including the entire order data, or talking to themselves. How is this better again?
Plus notice, there's still state in the system - the subscription setup. The only thing achieved here is that it'll be nearly impossible to reason about how this thing works once it becomes more like a real-world scenario.
Here's how you design it with Actors, once you have some experience:
- OrderActor: Hey, PaymentActor, process this payment and tell me what happened.
- PaymentActor: Hey, OrderActor, I processed it. It's good!
- OrderActor: Hey, FraudCheckActor, check this order for fraud and tell me what you found.
- FraudCheckActor: Hey, OrderActor, damn! This is a fraud!
- OrderActor: Hey, CancelOrderActor, cancel that order and tell me when done.
- CancelOrderActor: Hey, OrderActor, I canceled it!
Now what do we see here? We see structure. We see clear responsibilities. We see teamwork. No screaming and no chaos. Only OrderActor has the entire order data. He's passing along only the needed bits to each actor according to their responsibilities.
And best of all, PaymentActor, FraudCheckActor and CancelOrderActor are not coupled to each other. They just respond to their events, limited to their own responsibilities.
Good job OrderActor & co.
OrderActor is a supervising actor (that's an actual term). In my example, he's managing the workflow and he is stateful and as you see it's not that scary and out-of-order as the author is telling you. After all, he needs to know the payment went through, and then remember to ask for a fraud check and know what to do after that.
(Note: technically the supervisor in this example doesn't have to have state, he can just react to the events by Payment, FraudCheck, and Cancel, but this only works in this very simple example. Real world scenarios never fit into a completely stateless world. We're talking about the order state here!)
The other actors have no state (that is seen in this example). So proper design isolates concerns, and may have stateless actors, but stateful actors are essential to the model.
Of course, the linked article demonstrates how you can shoot yourself in the foot even with the best model out there. I find it ironic that the author was unhappy with over-complications and coupling, yet coupled everything in a complicated way with his "subscriptions" model, instead of simply using a supervisor.
There's nothing particularly wrong with his design, except for appropriating the terminology from the Actor model for what is basically CQRS.
You're just advocating for an imperative solution which may or may not be asynchronous. Nothing particularly wrong with that, but its not the only "right" way to do it. In point of fact, the underpinning of languages like Haskell is that state is conveyed by the arguments to functions (i.e. events), and the terminal "state" of a process is just the integration of those events over time or composition of functions. State is useful as a convenience. Its not essential.
Also, not for nothing, but oversimplified metaphors like shouting in an office are just obnoxious, and also irrelevant. Shouting might be a problem in an office. Software, it turns out, is capable of paying attention to whatever it wants to pay attention to and ignoring the rest.
Actually, shouting in the office means you coupled the FraudCheckActor to a PaymentCompleteEvent, and you coupled CancelOrderActor to FraudDetectedEvent.
Your lower level actors are still coupled with each other, through quite specific events, and on top of that, dependent on a subscriber setup.
Instead of declaring your own protocol and accepting messages in that protocol, now you need to understand everyone else's protocol (in the form of their event types) and react to it if you're subscribed to it.
It's the worst of both worlds.
Now, sure, you're right. Actors aren't like people in an office. Actors can't complain when you entangle them in a hot mess, they just carry on with whatever they're told to do.
But the more experience I gain, the more I see the systems of the "real world" are in fact exactly like the systems of the "computer world". If something makes no sense in an organization made of people, then almost inevitably it'll make developers cry when having to figure out the sequence of events when implementing the same organization as a set of actors.
Take it as a useful heuristic and humor my analogies. You might find a nugget of gold there.
Also, there's nothing blasphemous if my supervisor can be implemented as synchronous imperative code. When people hear about a new paradigm, they believe they have to abandon everything and do things differently for no reason. No. Find some balance, what you knew still works, don't throw it out, just add the new benefits Actor offers to you.
I.e. while Actors mean we can have objects that do things that you can't do in imperative/synchronous fashion, this doesn't mean we should never use actors for something that might be done in imperative/synchronous fashion. 90% of the interactions between actors still look like a request/response pattern. But those 10% when things don't look like a request/response really matter when you need that ability.
Also keep in mind Actors don't care how far its subordinates are. In synchronous programming things have to happen fast, or the thread blocks. With actors a request may be sent this week, and you may get an answer next month. Things can happen very fast, or very slow, the model is not biased. How fast is fast enough is now entirely up to your app's domain logic.
Also, some Actors implement persistence (which is far more trivial than trying to persist the callback graph or call stack in "normal" code), so they don't even care if the system shuts down and it has to start over from its last state.
Imagine OrderActor sends a call to FraudCheckActor and then the system crashes, or (if it's a business workflow process) it's just powered down for the night. When the system is restarted, OrderActor is already waiting for that answer from FraudCheckActor.
Yep, all of that sounds great. And almost all of it applies to CQRS with event sourcing (which IME is the typical implementation). Using events, the events ARE the protocol, and because the events are publishable by any unit, the coupling is no greater that that offered by a method call, in knowing the name and parameters required by the method.
Moreover, modeling with events offers me a lot of flexibility in how I translate the real world domain into code.
I think I agree that if you're going to use actors, what you're saying makes more sense, but I honestly don't have enough production experience with that model to say yay or nay. But with the exception of event storage (which addresses your issue of figuring out what happened in what sequence) and terminology aside, the OP is proposing something which is isomorphic to CQRS, and that I have plenty of experience with, and it works just fine.
Imperative style means that A has to know about B. In needs to know what is the next step. With reactive it does not. This creates the decoupling. And also not everyone else's protocol. An event is an important business milestones for an order which has nothing to do with the implementation, and if you look, almost all of them are as such.
Everyone has to know about the business process logic to me is the opposite of decoupling.
I'd rather limit coupling to a single actor, and let the other actors be reusable.
You can't avoid someone being in charge. It's an argument as old as the universe. Do companies need a CEO? Do we need a government?
Well, someone with an imperative role always emerges sooner or later. Even in nature, only the simplest of animals don't have a centralized nervous system. The subscription model described in the article won't survive complexity, because it's an anarchy. As nature and business shows, imperative is not a bad thing. It allows concern separation.
It's not CancelOrderActor's concern why the order is canceled. The reasons for this may be hundreds. CancelOrderActor's concern is how to cancel the order. And sure, if CancelOrderActor was A.I. we could chat about why OrderActor's practice is good, but until that changes, CancelOrderActor just takes orders. It doesn't decide what's good for the order, as it's not its job.
Someone once said to me "good software design is about separating things that change a lot, from the things that don't change a lot".
Business process changes a lot. Would you rather update all actors' bindings when this happens, or just one supervisor?
Well I might be naive, but I prefer things this way: the business process changes? I change the business process actor. The payment method changes? I change the payment actor.
And not... The business process changes? Change all the things! Because it's not just a matter of whether CancelOrderActor is bound to the FraudEvent by subscription.
It's what the CancelOrderActor does as a result of that event, and that's still defined inside that actor. And in the real world, the options are many, because no one creates an actor for just the purpose of canceling an order anyway. It's mindless boilerplate. An actor has a domain. And how that domain changes in reaction to unrelated events depends on a lot of things.
They're equally coupled. In one system, the coupling flows outward from the business process—the business process must know about the other services. In the other, the business process is domain-driven and knows nothing about processes that are driven by the events that happen within that space. The outer processes (e.g. the fraud service) know about things that happen in the domain (or rather, what messages the domain contract will send).
I've actually written a fraud detection system this way. Worked beautifully. Within the service boundary I suppose you could say it was driven imperatively, but I don't think that's what you're talking about.
> Business process changes a lot. Would you rather update all actors' bindings when this happens, or just one supervisor?
In point of fact, a lot of business processes never, ever change. The way they're handled may change, and at that point, I'd prefer for that concern to be nicely packaged into a service or actor or listener or whatever you want to want to model it with where my domain logic isn't concerned with it at all. And if my domain does change? I shouldn't have to change a fraud detection service at all. And in neither your model nor the OP's would I have to.
> And not... The business process changes? Change all the things! Because it's not just a matter of whether CancelOrderActor is bound to the FraudEvent by subscription.
I fail to see how his process has this problem and yours magically doesn't. You're making a lot of hay out of whether his "reactive" events or your "imperative" messages are better or worse, but they're the same thing: sending messages. The only difference is whether broadcast is better than a direct message sent to a unit.
> I fail to see how his process has this problem and yours magically doesn't. You're making a lot of hay out of whether his "reactive" events or your "imperative" messages are better or worse, but they're the same thing: sending messages. The only difference is whether broadcast is better than a direct message sent to a unit.
No, that's not the only difference. Notice that I have 4 actors, only one is burdened with knowing how the process works. Here's what the other 3 actors see from their PoV:
- PaymentActor gets "process payment" event.
- FraudCheckActor gets "check for fraud" event.
- CancelOrderActor gets "cancel order" event.
This is what I call decoupling. 3/4 of your system is completely isolated from each other and reusable in different business processes. And the one actor who is "burdened" with knowing about the process (OrderActor) is in fact, responsible for the process (and you can open its code in one place, read it, reason about it, and change it in one place, not all over the graph).
Those 3 processes are coupled with each other, as they need to interpret each other's events.
If you want to move to another system where the fraud check doesn't happen right after the payment, you need to edit the FraudCheckActor's "reaction" to that event.
In my case FraudCheckActor is only reacting to the "check for fraud" event and so it doesn't have to have its reaction code edited.
There's nothing "magical" about it, just better concern isolation. If you still see this as the same, that's all I could do to explain things :)
I feel like this would be a much better discussion somewhere else—i have no idea whether you're still reading this thread. :)
I get what you're saying. The way I write my systems when doing evented/reactive logic is that there is a layer between the event and the message to, say, the FraudActor, responsible for mediating between domain events from different bounded contexts (to appropriate a term from DDD) and the system in question.
The main criticism I have about your methodology is that I reject the notion that the OrderActor should be responsible for sending messages to the fraud system. An order's responsibility should be maintaining information about the order and its status—not validating whether its fraudulent, which (if the fraud detector was worth its salt) would involve a lot of historical information about the ordering party, payment information, etc—none of which should bleed into the order system, and which is the kind of thing the fraud system assembles by listening to events from all over the place. In that scenario, were the fraud system's interface to change, there would likely be changes that have to cascade to every system that touches it (regardless of whether its developed with an actor model.)
I realize you probably wouldn't, in reality and given realistic requirements, architect the system entirely the way you've outlined before this. But given the constraints of a blog post, I think the OP can be forgiven the oversimplification of the example, and you (I think) should also be able to see that his implementation has merit in real-world scenarios.
This is pretty much exactly how AWS SWF handles it.
The java implementation of the workflow "decider" (supervising actor) is somewhat interesting as well. It actually creates a bunch of future/promise objects and replays the workflow from the top as the promises are delivered (which of course has the implication that workflow decider processes must be deterministic!).
I suspect, but don't know, that AMZN has been dogfooding this product in a big way for quite some time.
(full disclosure: just spent some time with the swf guys in seattle)
On the other hand, It seems like the long way around to inventing Erlang ;)
While I'm not sure if you're joking about mining as theft, if you're not, what you're saying makes perfect sense. Non ASIC based cryptocurrencies provide one of the greatest botnet monetization schemes I can imagine. Low-risk, hard to trace.
- People heed the advice of this author, and soon all passwords are abolished, replaced with email auth.
- Of course, emails still have a password, as you can't email auth an email.
- Heartbleed 2 happens, hackers focus on Heartbleeding email services.
- For every email password you get, now you have complete control over this person's life, as all services are linked to it for auth.
- Security experts start proposing that you have a separate email for every email auth service, and every email has a separate password, so you can isolate damage.
- Result: previously you had N passwords for N services and 1 email. Now you have N passwords for N services and N emails.
Yay for "improvement"!