Assorted Essays on Code and Other Stuff


Encryption is not necessarily user-friendly

It has been a hot topic lately: it has become fairly common to read about attacks on websites and how information could have been stolen and used by attackers.

Let's assume[1] you have a document stored in a cloud service. Say that the service encrypted the file with your password, so the password is required to access the document. In this case, note that the service company won't have a way[2] to access the file without your help. This is important because if there is a way for them to access it, then an attacker who compromised the service could do it too.

Now, what do we lose in this scenario? What if you lose your password? Given that the file was encrypted with the forgotten one, there is no way to access it[3], neither by you nor by the service, so it's basically lost. The service could have other kinds of security measures on top of the file, so the provider may be reluctant to just give you the encrypted file. So, if the files are encrypted by the service, then a Forgot Password feature is almost irrelevant.

So, what if you want to share the file with another user? The other user also needs the password to have access, so both of you need to use the same one. If not, it gets really complicated. Let's say that both of you use different passwords that can't be stored in the service. When you want to share your file, both passwords have to be loaded in the system so the document can be encrypted for each one, which probably requires both users to be logged in at the same time. If you update the file, both passwords have to be loaded in the system again, so both users have to be logged in at the same time again. You could probably store the other user's password encrypted with yours, so it could be extracted later if needed, but so many things could go wrong from there.
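An added example, not part of the original post: instead of encrypting the file once per password, it goes one step further and encrypts the document with a random key, storing a copy of that key wrapped under each user's password. The user names, passwords and document text are constructed, and the cipher is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

def kdf(password: str, salt: bytes) -> bytes:
    # Password -> 32-byte key; the iteration count slows password guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def subkeys(key: bytes):
    return [hmac.new(key, label, "sha256").digest() for label in (b"enc", b"mac")]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in authenticated cipher (SHAKE-256 keystream + HMAC tag), stdlib only.
    ek, mk = subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(ek + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(mk, nonce + ct, "sha256").digest()

def open_box(key: bytes, blob: bytes) -> bytes:
    ek, mk = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, "sha256").digest()):
        raise ValueError("wrong password or modified data")
    stream = hashlib.shake_256(ek + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def wrap_for(password: str, doc_key: bytes) -> bytes:
    salt = os.urandom(16)
    return salt + seal(kdf(password, salt), doc_key)

def unwrap(password: str, wrapped: bytes) -> bytes:
    return open_box(kdf(password, wrapped[:16]), wrapped[16:])

def demo():
    doc_key = os.urandom(32)  # random per-document key
    store = {"doc": seal(doc_key, b"report v1"),  # constructed sample data
             "keys": {"alice": wrap_for("alice-pw", doc_key)}}
    # Share: Alice unwraps the key and Bob's password wraps a copy (both present).
    store["keys"]["bob"] = wrap_for("bob-pw", unwrap("alice-pw", store["keys"]["alice"]))
    # Update: Bob alone re-encrypts under the shared document key.
    store["doc"] = seal(unwrap("bob-pw", store["keys"]["bob"]), b"report v2")
    alice_view = open_box(unwrap("alice-pw", store["keys"]["alice"]), store["doc"])
    try:  # Forgotten password: nothing stored can unwrap the key.
        unwrap("not-the-password", store["keys"]["alice"])
        recovered = True
    except ValueError:
        recovered = False
    return alice_view, recovered

if __name__ == "__main__":
    print(demo())
```

In this layout sharing still needs both passwords present, but an update needs only one, and a forgotten password leaves that user's copy of the key unrecoverable.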

In the end it doesn't matter: for a general-purpose service the extra security belongs to a particular market, and for everyone else the provider ends up explaining why people can't just freely share their documents.

What now? Well, you can encrypt your data at home before you upload it, if that is the problem, but in general it's not. Unless you have launch codes for nuclear rockets, the common mechanisms are probably good enough. Note that not all information needs to be treated the same way: I would prefer my credit card information to be encrypted; if it is lost I could just provide it again. Let's just say there are several use cases that need to be treated accordingly.


[1] Take note that I am not a security researcher.
[2] Of course they could log your password somewhere if needed; in fact there are a lot of things that could go wrong in the process.
[3] Again, you could use a password-cracking tool. And so could the service company. And the attacker.

Nova, yet another programming language

The term “yet another” probably falls short. It is commonly said that great programmers have built their own language at some point in their lives. I’m not sure if I’m that great, but there is nothing wrong with trying. In this case, I’m writing my own, and it will be released with great fanfare! … Once it’s done, probably.

The language is being developed as an open source interpreter in a GitHub repository. It’s written in C++, with a few scripts in Python. There are several goals that I want to meet with the project. The first is to separate both the engine and the compiler proper. Given that the engine is independent of the compiler, the latter would just produce some kind of byte-code instructions for the engine to execute, which allows a better distribution of development tasks between the components.

The second one is to try to implement some experimental ideas that I have for the language. Note that it is a scripting language in a sense; however, it’s strongly typed. This carries its own consequences, which I will describe in another post.

Other than that, there is a script I developed that may be useful for some, substitute.py, which can, well, substitute some variables in a file with the values defined in a configuration file. It is good enough for lightweight tasks.

Welcome to my blog

This is, I think, my third or fourth attempt to make a blog, depending on how you count it. I'm pretty sure that almost no one has seen the other two anyway; however, I will try to write more generic content than in the previous blogs, so I won't limit myself in topics. It will probably be mostly about software development, and occasionally music.

I have several software projects that I will be describing. My current goal is to learn discipline, and finishing such projects would be a way to measure the fulfilment of that goal.

What about me? My name is Luis Garcia, I am a developer from Venezuela, and I hope you enjoy my blog.

Why do I need to create my own blog engine?

Because I'm stubborn. Not anymore.