Adam: Hello, and welcome to CoRecursive. I’m Adam Gordon Bell. Each episode is the story of some piece of software being built. I have a lot of exciting guests lined up for the New Year. Some guests have incredible stories, things you won’t believe. Some guests are just people that I really want to hang out with, people who have really interesting things to say. And so today, I have two of my favorite guests together. Let’s do ladies first. So why don’t you introduce yourself?
Krystal: Hi. My name is Krystal Maughan. I’m a PhD student at the University of Vermont. My journey started off with Haskell, which is a functional programming language, and I found the Corecursive Slack, and the rest is history. So I’m really happy to be here. Happy New Year.
Don: Happy 2022.
Adam: And we got another voice. Who’s that?
Don: My name is Donald McKay. I’ve been working with Adam for a number of years at a couple different companies.
Adam: I describe you as my neighbor, but I feel like you deny the fact that you’re my neighbor.
Don: I don’t know if we’re close enough geographically to be neighbors. I have several neighbors, but none of them are you.
Adam: Well, but we live in the same neighborhood. Wouldn’t you say that?
Don: We live in the same neighborhood, but we are not neighbors.
Adam: If you live in the same neighborhood as somebody, I think you’re a neighbor.
Don: You have to be like two dozen houses away from me.
Adam: I think that I could stand on my roof and see your house. I could throw something and make it partway towards your house.
Don: I don’t think your arm’s that good.
Adam: Okay. So last time, Don, you and I met, we were looking at this list of kind of strange facts about computation from this website called the Cursed Computer Iceberg Meme. It was basically just a giant list of strange things that might show up online in programmer circles on Reddit or some Discord chat or Hacker News, I guess.
So, that’s the plan again today. I’m super pumped about this because, sometimes, I learn something new, and I’m excited about it. And I want to tell people about it. I have Griswold, my cat here. But he doesn’t really get it. And so, I feel like I need some vehicle to let this knowledge out where I can be, “Oh, my God. Did you guys see this?”
Don: I think Griz gets it. I think Griz understands.
Adam: And today, I might even do… I mentioned this one last time. Why Chuck Norris is HTML color.
Don: I did not know that Chuck Norris is an HTML color. Yeah.
Krystal: I didn’t know that either.
Adam: Stay tuned. And today, because we have Krystal, I assume that we can get some stuff from the Ivory Tower. Do they have Ivory Towers in Vermont, Krystal?
Krystal: I’ve never been in one, but maybe they exist.
Adam: Isn’t that the stereotype about academia? You guys are all up in the Ivory Tower.
Krystal: Yeah, pretty much. I think that part of CoRecursive, especially the Slack group has been great because you really get a mix of people. So I think even if you’re part of the Ivory Tower, you still get that engagement from people who use software or think that certain programming languages are terrible or that certain ones are great. And that kind of balances things off, which is really great.
Adam: You want me to go first?
Krystal: What’s the weird one that you’ve seen?
Web Browsers Pretend to be Other Web Browsers
Adam: So all web browsers pretend to be each other. This is a historical lesson about web browsers. Web browsers have user agent strings. When you request a webpage, the browser tells the web server who you are. It says, “Hi, I’m a Windows machine. I’m running Google Chrome. And I would like this web page.”
The website could change how it displayed things to work with the web browser requested. Back in the day, there was a million IE6 workarounds that had to be done this way like detect if it’s IE6 and then do something else.
The story behind all this is interesting because it turns out that all of these browsers lie. If you look at the user agent string of almost every browser that’s in use right now, they’ll all say Mozilla 5, the makers of Firefox Mozilla and version 5 is just like a really old version of Mozilla Firefox.
And so there’s a complicated reason behind it. When Netscape made their first browser in the early 90s, around the time of ACE of Base and MC Hammer-
Krystal: And Hacker is the movie, right, 1995?
Adam: Yeah. So around that time, Netscape was going to create a browser, and they wanted to kill Mosaic, which was the first web browser. So they came up with this name to kill Mosaic, which was Mozilla, Mosaic killer. It was supposed to stand for. So that’s what they put in their user agent string. They put Mozilla version one and then version two and then version three.
Meanwhile, Microsoft saw that Netscape was getting a lot of attention from this browser stuff. So Microsoft started making their web browser, which they launched, which was IE3. I don’t know why it was IE3. I guess, because maybe Netscape had no Netscape 3. So they’re like, “We need three as well.”
Don: We don’t talk about the first two versions.
Adam: Yeah, exactly. When they went to release it, they had this problem. There’s all these web pages out there that check for this user agent string. And they expect it to be Mozilla. Internet Explorer wants to work on all these websites. So they come up with this plan. When we do our user agent string, we’ll just copy Netscape.
And so, IE says that they are also Mozilla version three. So that’s what IE did. We’re Mozilla version three. And that way, all the web pages would return the same content and everything would work fine.
But then, so, Mozilla comes out with Mozilla 4. They call it Mozilla 4 which makes sense. And then IE comes out with IE4. They also call themselves Mozilla 4 in the user agent string. So this pattern of lying just continues.
So meanwhile at Apple, they were developing this web browser called Safari. They had this exact same problem. They wanted to come out with this web browser. And they wanted it to work with all the sites. So they did the same thing. They put their user agent for this new Safari thing as Mozilla 5. Mozilla is working on this new thing, which they call the Gecko rendering engine. So instead of bumping their version, Mozilla is kind of caught in the same trap themselves.
They don’t want to put in a new version, and everything’s expecting Mozilla. So they have to stay with Mozilla. So they call it Mozilla 5 again, but they put in brackets Gecko, which is the rendering engine. But then Safari, they want to say that they have the Gecko rendering engine, but they don’t.
Krystal: That’s a hot mess.
Don: Yeah. It makes me wonder why they want to be Mozilla because that’s not the rendering engine that they have. So, wouldn’t that just lead to a lot of problems?
Adam: They’re testing their web browser before they release it against Mozilla. And they want to make sure it renders exactly the same.
Don: Oh, I see.
Adam: If a website has some CSS rule and it says if Mozilla and then it does something, the only way you can get that to work is to put the exact same thing in.
Don: Yeah. I suppose that if Mozilla do this, but that would only really work in Mozilla-
It gets worse. So when Safari comes up with their version, they don’t just want to be Mozilla. They want to get the same results as Mozilla with the Gecko rendering engine. But it kind of be lying even again, if they put Gecko in there. So they come up with a cheat. They put in brackets
like gecko so that if you’re searching the user agent string for gecko,
like gecko will still work.
It’s like second level of cheating. First, you’re lying and saying it’s Mozilla 5. Then Netscape tries to get around that with the rendering engine. And then you’re like, “Ah, we’re like that rendering engine.” So Chrome comes out, which is based on Safari. Instead of wanting everything to be identical, to Mozilla, they pattern themselves off Safari. So they want everything to render exactly the same as Safari.
So what they put in their user agent string is
like gecko because they need to copy the copy of the copy. And so, it just keeps on going on like this. As far as I can tell, all browsers all say they’re Mozilla version 5. If you look up the user agent string documentation for Mozilla, they say :
Mozilla/5.0is a token that indicates that the browser is Mozilla compatible and is common to every browser.
People just kept saying it so long that they change the meaning of it to mean this isn’t the version. This is just something you have to say. Before you tell us really, what browser you are, you just have to say Mozilla 5. That’s just the thing you do.
Krystal: It’s like Kleenex. Everybody calls tissues Kleenex.
Don: I wonder what that traces back to though. Somebody was making one of the first webpages, and they decided that they wanted to put in some custom code for this new Mozilla browser.
So they had some code in there that said, “If you’re Mozilla, then do this.” And then that just started a cascading effect for anybody making a browser from then on.
Adam: Yeah. And especially the early days of the web, a lot of times, you would just view the source, “Oh, this person did something cool on their website and I’m going to copy it onto mine.” And yeah, it slowly spreads. And then-
Krystal: Or maybe it’s a finite group of people who all make browsers and they all colluded to believe that this is the way they should do it.
Don: Have you ever written anything based on the user agent string? Can’t remember the last time that I’ve had to reference it.
Adam: I think browsers are more standard than they used to be back then. Okay. Who is up next?
Don: I’ve got a quick bit about Null Island.
Krystal: What’s Null Island?
Don: Null Island is not an island, but it is the place on earth where the coordinates zero degrees latitude and zero degrees longitude well point [inaudible 00:09:11]. It’s the 0, 0.. And it’s marked by a buoy. So there’s a buoy that marks 0, 0, but there is no land mass. There’s no island. And I don’t know why they call it Null Island, because zero is a value. So that’s a mystery to me.
Krystal: Where is it?
Don: I believe it’s off the coast of Africa on the West Coast.
Adam: And so does this come up? Do people with the wrong address into Uber and they end up off the African Coast?
Don: I think that certain programs will put 0, 0 if there’s an error. They’ll just return 0, 0, I guess it depends on what program you’re looking for.
Adam: And then what was the illegal number? Is that related?
Don: No. Illegal number is a whole other topic. Do you want me to go into that one?
Adam: Yeah, man. Tell us what is an illegal number.
Don: So as you would guess, an illegal number is any number that the government of that jurisdiction has deemed as illegal. The most static example ties to the early days of content piracy and the American DMCA. If you remember these things that used to watch movies on way back in the day, I think they were called DVDs or something.
Adam: I’m pretty certain there’s a DVD in my house somewhere.
Don: Well, you’re old, Adam. Everything is streaming now, okay? The DVDs at the time were protected from copying by something called the Content Scrambling System or CSS, which is now my new word for cascading style sheets. So they had a piece of software that would make it so that you couldn’t copy the disc because they were very concerned about people just ripping DVDs and selling them to their friends.
They thought about how can we stop this from happening? Let’s make this thing called the Content Scrambling System that led to somebody coming up with a program that de-scrambled it called DCSS, just a very small C program, not very long at all. And it just defeats the scrambling system. So that program was illegal. You’re not allowed to use that. If you Gzipped the code and wrote the Gzip to binary as a number, and then patted it out to the next prime, you could publish it with a primality proof. And I mean, publishing mathematical proofs isn’t illegal.
Adam: That’s awesome.
Don: If you knew what it was padded by, you could take the primality proof, and you could reverse it all the way back to the Gzip binary. And then you could unzip the file, and you get the code and then you could run your DCSS. And so that was an illegal prime number. You’re not allowed to have that.
Adam: I mean, do you figure out if it has to be a certain length what the primes were?
Don: Essentially, it boils down to programs where data. And they were turning the data into numbers. And the government didn’t know how to handle that. So they made numbers illegal-
Krystal: Oh no.
Don: … which is they were trying to obfuscate the thing that they were passing around, because the thing was illegal. So they tried to obfuscate it by transforming it. And I mean, a lot of the ciphers use the same basic premise.
Adam: You could say, “Okay. The program for this is the seven-digit prime and it’s not these 35 of them, but there’s one other one.”
Krystal: A lot of those things you could use entropy, right? So you could probably use some kind of information theoretical thing to find out like what the next one is
Don: And I gather that this isn’t the only way that they used to pass around illegal things. I think there was another incident with the AACS key that was also used for protecting DVD content in the mid-2000s. And they used even more ingenious ways of passing this around. I think there was like a flag, like an actual flag of colors. And the numerical value of all of these would end up being a binary file.
Adam: An actual flag with colors.
Don: Like the image file. You could decode it into binary. And that binary would be the program. Something to do with that. And it was just really kind of neat and interesting ways to try and hide the fact that you’re passing around binary information.
Adam: It makes me think of PGP, the Pretty Good Privacy. At some point, it was illegal in the United States to produce encryption above a certain level. They wanted encryption to be at a level where they could backdoor it.
Don: Yeah. I think it was 128 bit. Wasn’t It?
Adam: And they also had the export rules. So if you couldn’t export encryption outside of the country because then you would be giving foreign nation states the ability to have encrypted stuff, right?
Don: Yeah. That was in the 1990s. I believe that was the Clinton administration.
Adam: Phil Zimmermann who created the PGP, Pretty Good Privacy, what he did is he published the source code of the PGP as a book. He printed it all out and had it published as a book. You’re not allowed to prevent people from publishing books.
Don: That’s awesome.
Guessing Hat Problem
Krystal: This paper on the guessing hat problem, it’s also like a computer science problem where everybody’s wearing a different color hat, and you don’t know what color hat you’re wearing, but you could see your neighbors’ hats. You kind of find like a lower and upper bound for what hat you’re wearing. Two neighbors somewhere in a graph of people to sitting around must have the same color. And it’s just three of us. And I know that you have a red hat, and you have a blue hat. So Don has a blue hat, and Adam has a red hat. And one of my professors is working on this is thinking about it in terms of information theory, like changing it’s a binary. So like blue becomes zero, and red becomes one.
And you can kind of figure out based on the adjacency of the vertices of the nodes in the graph, the probability of guessing correctly or like as close as possible.
Don: Yeah. That’s really neat.
Krystal: Did you see the guy who figured out what the optimal position for the game Plinko was? You know Price is Right. Plinko, you sign with the disc, and you drop it to the bottom and you’re like, “Hey, I won $100,” or I won nothing. Someone figured out. From the bottom up, they calculated that the optimal position is in this center. If you ever go to Price Is Right, stand in this center and throw the dis because you have a chance of winning money.
Don: Lots of people go to the side, I think, remembering from all of the times I watch the old Price is Right.
Adam: All right. Who’s next? Do you want me to go or-
Krystal: Yeah. You’re next.
Adam: Okay. Do you want Timsorts or the problem with time zones?
Don: Do the problem with time zones because I think everybody can relate to that.
The Problem With TimeZones
Adam: It could in fact be that I heard about this particular thing via Krystal. This comes from number file. It’s a video. And it’s by this guy, Tom Scott, who’s a YouTuber.
Krystal: Oh yeah.
Adam: So I can ask you, Don, to build a web app, right? It was very simple. The user gives you a date and time.
Don: It’s not simple. You just said he’s going to give me a date and time. And I immediately know from my previous experience that this is going to be complicated.
Adam: Don’t spoil my rant!
Okay. You’re going to put a text box. The user puts in a date and time. And I want you to return how many seconds ago that was. I’m going to put in a time one hour ago. And then, you will put out 3600 because there’s 3600 seconds in an hour. And it’s been exactly one hour. So you build that for me. You look at the current time. You look at an hour ago. You figure out how many seconds that is.
Obviously, things get more complicated. So I just came theoretically on a flight from England. And I have to take a pill every 24 hours. So I took my pill in Heathrow. And so, I need to know how many seconds ago that was. So we need to add some way to subtract time zones from that. So I tell you about that. You put a dropdown.
Don: Why didn’t you just keep track of your pill taking in UTC?
Adam: Clearly, I didn’t. So you put a dropdown that plus or minus hours. And then, I know I’m now in Eastern Standard Time. I was just in England, which is five before it. So I can put like minus five in the box. And you’ll tell me the time. You solved the problem. But then I say, I stopped in Newfoundland on the way there. And I took a pill there too. Right? Newfoundland has partial time zones.
Don: Yeah. It’s a half-hour time zone.
Adam: You need to adjust this again. So let’s say now you get the idea: “let me get a list of all the time zones. We’ll put those in. Pick from one of the time zones.” And then put in your time. And then, you can tell me how things work.
Don: I know how this is going to get even more complicated: When you landed in Newfoundland, it was daylight savings time day. So everything shifted.
Adam: Because in England, they start daylight savings time on a different day than they do here.
Don: Yes, because it’s regional. Yeah.
Adam: It’s a regional thing. So now, you need to somehow get a list of all the places that have daylight savings time when they start it, when they end it.
Don: And that changes sometimes the United States recently moved their daylight savings time, a number of years ago. And it all switched, used to be in October. And now, it’s in November. Yeah.
Adam: What if I put in a time from Canada, but from back before Canada started observing daylight savings time? When you calculate the seconds forward, you need to figure out how many hours to add or not add based on the daylight savings time.
That’s probably not good enough because, as you said, countries change all the time. And so how are you going to keep this thing up to date as countries decide to change how their daylight savings time works? Right?
And then Samoa in 2011, they skipped the whole day. So Samoa is very close to the International Date Line in the middle of the ocean. They were at something like plus 12 hours. And they wanted to change minus 12 hours. They wanted to switch sides of the line.
Don: Oh I see. Yeah, because they’re on the border.
Adam: Yeah. So one day in 2011, December 30th, they just skipped the 31st. “We’re good now. Right?” So if I put in the Samoan time zone and some date that was before then, you have to know to take away a whole day worth of seconds because that day didn’t actually exist in Samoa.
But then, it gets even harder. Let’s say Krystal wants to look things up to do with space. She has some association with the JPL, and she knows there’s some comet that came 120 years ago. And you want to know when the next time that comet is due. And so you put in your date from 120 years ago, which might work fine. It depends on how far you go back because in the 18th century, England switched from the Julian calendar to the Gregorian calendar.
And so if somebody observed a comet before that switch, when they did the switch, they actually skipped three weeks’ worth of dates. They just moved the calendar forward.
Krystal: What happens to all those people who were born? All those birthdays lost.
Adam: Yeah. I mean Samoans are all one day older, but yeah. So in England, they changed the time calendaring system. They skipped three weeks. So if you need to go that far back, you need to take that into account. It also just depends where you observed this comet that you were looking at because if it was observed in Russia, they switched from the calendar in the 20th century. And they skipped a different number of dates.
Time is just a mess, I guess, is the moral of the story. And that doesn’t even include leap seconds because leap seconds is the fact that the Earth doesn’t turn in exactly 24 hours. So every once in a while, they just throw in some extra seconds. The way that always works is at the end of a day at the very last minute of the last day, they put 61 seconds in.
So the moral of the story is that the time is super complex. It seems like something that’s very simple but much like all programming, when you get into the weeds, there’s just a million special conditions. And-
Krystal: The satellites are probably very complex to keep track of.
Adam: Yes! So my understanding is that UTC has problems if you’re looking at space stuff because of the leap seconds, because the leap seconds are an attribute of the Earth. They have nothing to do if you’re observing some comet or something. Those leap seconds just will throw off your calculations. There’s a whole separate time thing that kind of ignores all those leap seconds. And because of that, it’s slowly drifting out of sync with the UTC time because every leap second pushes it a little bit further apart.
Don: Okay. So the next thing I’ve got is I got speedrunning and cheating. So a speedrun is playing a game to completion in the fastest possible time. And it’s a popular, I would even call it like a sport almost. I mean, people compete in it. And they have rankings. And there are rules around each speedrun. So you pick what game you want, and you pick what type of speedrun you’re going to do.
Krystal: I’ve seen the Mario speedruns.
Don: Yeah, I think it has to be a game that has a completion. Maybe there is games where it’s to a certain score. I’m not sure. The ones that I’m familiar with are ones where they run a game to its completion. And Mario is pretty popular. And there are different categories. There’s a tool-assisted speedrun. You can use outside tools and third party software to manipulate the game. And that’s in its own category.
Adam: They’re still hitting the buttons in Mario Kart, but they’re using a program. They’re pre-programming -
Don: Macros and stuff are acceptable, I guess, and tool assisted. But when people talk about speedruns, they’re usually talking about real time attacks or RTA, which is just people, no tools. They’re just playing the game. Then, the subcategory of that is glitchless or glitch free. So you can play a real-time attack, which is just you playing the game with no outside tools and also glitchless which means you can’t use any exploits or bugs that are in the game to speed yourself up and see how fast you can go.
The example of Dream in its Minecraft run is kind of interesting. He was playing Minecraft and he was doing a glitchless real-time attack. So I wasn’t using any bugs. He wasn’t using any third-party software. And he did the speedrun and submitted it to speedrun.com, which is the defacto authority on speedruns.
Adam: Why do they call it real-time attack?
Don: I think it’s because they stream it when they’re playing it. So it’s like done in real time.
Adam: Because it’s attacking it as a player. It’s not like a security attack.
Krystal: There’s always some degree of randomness. And some of the enemies are like spawned randomly and stuff too.
Don: There’s a element that you can’t account for. So that’s what makes it fun. So he was doing a Minecraft speedrun. And he’s streamed it. He’s pretty big streamer. He’s pretty popular. And he submitted it to speedrun.com to get himself put up on the board because he thought that he broke the record, and they rejected it. And that set off some drama because he said they rejected it because there were some people in speedrun.com that didn’t like him. So they were biased against him. That’s why they rejected this run because he wasn’t using any third-party tools.
But then, it came out that he was actually using third-party tools. He was running a custom built mod that he hired a developer for him. And it was mainly just for branding and stuff so that he could have custom backgrounds in Minecraft that promoted his brand. But the mod did actually modify some variables in the game.
So that disqualified it from being a real-time attack. It was a tool-assisted run then because he was running him on. And that’s why he got rejected. So there was a budget controversy. But in the end, yeah, he actually did cheat unknowingly. I don’t think he did it on purpose.
Adam: So, it didn’t benefit him.
Don: No. It did not benefit him.
Krystal: This is sad.
Don: Well, we don’t know because it did modify some of the variables. So we don’t know how that affected the behavior of the game. And like Krystal was saying, sometimes, there’s random enemies and stuff like that. If some of the variables were monkeyed with, maybe that led to a lower incident rate of a certain enemy or we don’t know. We don’t know what the effect was.
Adam: Is this just what he’s saying?
Don: No. He admitted that he was using that custom mind.
Krystal: I love that which ones are interesting too because they use the pixel. They love that.
Don: There’s so many weird bugs and games that people have figured out how to manipulate to make some crazy things happen.
Mario Flagpole Glitch
Krystal: The flagpole one. That’s the most common one I’ve seen in the Mario one. So most people do the… And they slide down, but it wastes so much time. So in speedrunning, they do this thing. It’s like a one-pixel trick or something where they land at the bottom of the pole. You just jump and aim for the bottom of the pole.
Adam: I don’t know how do these people come up with these things?
Don: A lot of time and-
Krystal: It’s also kind of interesting what you could do with the hit boxes. I mean, it’s interesting because it’s almost counterintuitive for the average player that being big Mario may not be an advantage. It’s like a lot of the speed runners are small Mario. They don’t want to get big because there are a lot of advantages to being small Mario.
Adam: All right. Let me bring this back around.
Krystal: Sorry, but you started it with video games.
Adam: No, it’s awesome.
Adam: All right. I’m going to tell you guys about Timsort. So here’s a problem. You’re tasked with improving a Python program. So the slow part of this program is it’s adding some new items to assorted list, an alphabetical list of names from a telephone book. And then, every once in a while, you get a new chunk of names to add. And the new names are sorted.
So say you have a thousand items. And then, there’s a couple hundred more to add. And both lists are in order. So this kind of sounds like a programming interview question. The way that I would do this to make a new sorted list out of my two older sorted lists, I would look at the first element of each and then just find the one that’s the smallest and take that one out and put it at the beginning of my new list and then kind of repeat.
You take things off the front of the other two lists and add them in. And because they’re all sorted, you end up with a whole new sorted list. You can do it in linear time. So if I have a thousand elements and then I need to add to a hundred to it, it should only take me like 1100 steps to do this. Does that make any sense?
Adam: And if you do that in a Python, you’ll find that maybe it isn’t super-fast and that you might, like me, end up heading to Google, find out, well, what’s the fastest way to merge two sorted lists in Python? And you end up on Stack Overflow. And the answer is that you should just take those two sorted lists. You should throw them together and re-sort the whole list over again. And that’s the fastest way.
So there’s something wrong with that. It makes no sense. If you’re sorting a thousand items, you can’t do that in linear time. It takes N log N time. So in the worst case, it takes 10,000 times to sort a list of a thousand element. But you can run the test in Python, and you can see that doing that is faster. And so the reason is Timsort. So, there’s this guy. His name was Tim Peters.
He was a early contributor to Python. And he, at some point, changed their sort implementation. He put in a new implementation for it. And he put this giant text file with it because it is very complex.
Timsort is a stable, natural merge sort. I’m calling it Timsort because, hey, I earned it. It has supernatural performance on many kinds of partially ordered arrays.
Timsort uses this kind of interesting observation, which is that there’s all this research into sorting and they all look at the worst case – what is the worst case performance? So Tim’s idea was that the real world isn’t the worst case. A lot of times, when you’re sorting things, they’re already in some sort of order. What Timsort does is it tries to find already sorted elements within the sorted list.
Krystal: I was kind of expecting his last name to be sort. I’m sorry.
Adam: “My name’s Sort. So I had to come up with something, right?”
Don: It was his destiny.
But the thing that I think about it is cool is Timsort is a mess. If you look at it, it has a whole bunch of special conditions for various things that might happen like special comparisons for quickly comparing strings or floats or whatever. You learn all these, oh, you can do a sort this way or this way. And there are these little algorithms. But in the real world, the fastest way to do it is just like a pile special conditions-
Sorting Interview Questions
Krystal: And I feel like if you said that in an interview, you’d get the thank you for interviewing with us where you get to inform you that we decided we will not be considering you for candidacy at this time.
Don: Yeah. I don’t like the interview questions that either expect you to regurgitate or revolutionize basic functions that already exist.
Adam: I’m going to play the devil’s advocate and say like… I mean, really, they just want to hear you think about a problem and see how that goes.
Don: Yeah. Then, pick a better problem. Don’t pick one that’s sort of string. Give me a real world example of a problem. And I will give you a solution. But don’t give me a problem that has already been solved a thousand times.
Krystal: I just still always kind of feel kind of like a court jester. Now, dance for me. Dance with code. The most fun interviews are where they give you a scenario, and they want to hear your way of thinking about it more so than like, do you know how to do the jig?
Adam: Yeah. You need to know this dance. You better know how to do this one.
Don: We use Google for that. We’re developers. We Google everything.
Song BMG Rootkit
Don: So the last thing I’ve got is the Sony BMG rootkit, which is still being talked about today. Remember that time when Sony installed rootkits on 22 million devices? Yeah. That happened. So you bought a movie, let’s say, a DVD from Sony.
Adam: So I bought the Hackers movie.
Don: Yeah. You put it in your DVD drive. It auto runs. Popup comes up, says, “Do you this license agreement to watch this movie?” Doesn’t matter if you say yes or no. It then installs a rootkit.
Adam: And so that’s just running on my computer forever?
Adam: What did it do?
Don: It prevents you from copying the disc. So you can’t rip the DVD. So the problem with XCP was that it cloaked itself, but it cloaked itself using a rule that some other more notorious people knew about. If you prefixed your file with $CSS$, XCP would hide that from the machine. So a bunch of people that were developing worms and Trojans, they just started prefixing it because now, you had an install base of 22 million people who had this rootkit, and you knew that this rootkit would cloak anything with the prefix $CSS$ on its file name.
Don: The security experts sounded the alarm. They were saying that real viruses are going to piggyback on this. And it creates holes that can be exploited by malicious software. It constantly runs in the background. Excessively consumes your system resources regardless of whether there’s a CD in the drive or not.
It employs unsafe procedures to start and stop. It could leave to system crashes. It has no uninstaller and is installed in such a way that in expert attempts to uninstall it can lead to the operating system failing to recognize existing drives.
Krystal: Oh no.
Don: It was really bad. It was a bad thing. They had to walk this back obviously. But it kind of leads into another more modern topic that I just wanted to mention as part of this. But there are a lot of anti-cheat software solutions out there now like Ricochet that was released by… I believe it was Activision. And there is Vanguard for Valorant. And there is easy anti-G, which is owned by Epic Games.
They install themselves at the kernel level. And they are made by video game companies. So you are putting the onus of being as secure as an operating system onto a video game company. And I don’t know if that’s wise. Sony with their XCP where they were just trying to stop something like people copying their IP, these people are trying to stop cheaters in online video games.
You can think about how much resources Microsoft spends on operating system security. Are these people spending the same amount of resources because they’re running at the same level as the operating system. They’re at kernel level.
Adam: Game development is notoriously on quick timelines and-
Don: Yeah. They don’t see any other way to stop people from manipulating the game. They’ll be running something that sits between the video card and the software. And it interprets the images, and you can have it look for certain patterns to locate enemies’s heads and be like an aimbot software and snap your cursor to it. Those are aimbots. And they exist outside the program. So it’s hard for something that’s running inside the context of the video game to find these things. So their solution is, well, we’ll install something at kernel level that can look at your whole system. We’ll tell you it will only run when the game’s running. We promise.
Krystal: Oh, what if you had it in a VM? I watch a lot of this YouTuber column, some ordinary gamers. Yeah. He does a lot of everything in a VM. He makes VMs. He’s obsessed with VMs. And he did a really good video on the Respondus LockDown thing, which is what schools use for kids through exams. And he kind of showed you how deep the program goes, like its kernel level deep.
Don: Yeah. So he’s using the VM is a sandbox so he can do this safely. Yeah. So all your video game now have to be played inside a VM.
Adam: And then, you just put your cheating software outside the VM, right?
Don: I think maybe you just defeated the whole thing, Adam.
Adam: I think you’re right though. Yeah. We shouldn’t give up our freedoms of computing so easily just to prevent cheating.
Chuck Norris is an HTML Color
Adam: So are you ready for Chuck Norris is the HTML color?
Don: Yeah. Let’s hear about this. I need to know how this is possible.
Adam: Here’s a question. It came up on Stack Overflow. It said, “Why do certain random strings produce colors when entered as the background color in HTML?” And then, the person has this thing. It says, “Body background color equals Chuck Norris.” And if you run it, then that produces a page with kind of a, I guess, like a blood red background color which is very odd.
The answer is this idea called the robustness principle. So the robustness principle dates back to the original TCP Standards Request for Comments and this person who wrote it, Jon Postel, he said:
“We followed the robustness principle, which is be conservative in what you do and be liberal in what you accept from others.”
So he was thinking of communications on a network. It’s kind of like correspondence. When you write a letter, you try to be very formal and proper. But if somebody else sends you a letter and it’s messy, you just try to interpret what it means. Give them the benefit of the doubt, I guess, in the input you receive. But in what you send out, try to be very formal.
So they did this for TCP so that computers could talk to each other. And then, it continued from there. And so, Netscape Navigator, which I talked about earlier, they had this idea when somebody sets a color which you can set with six hexadecimal values, that they should try to come up with a way, if somebody does something wrong to reinterpret it.
So they came up with a bunch of rules. So they say, “You replace all nonvalid hexadecimal characters with zero.” So if somebody puts in
ZZZZZ it would just change that to the color
00000. And then, so in Chuck Norris’s case, almost all of those letters are invalid. So it keeps the C and then a bunch of zeros. And then, it keeps another C and then a whole bunch of zeros. Right?
Don: I see. Yeah.
Adam: That’s still not a valid color. So they split those into groups of three. And then, they make sure they’re divisible by three. If they’re not divisible by three, they add extra zeros onto the end. And then, they take those three chunks. And they use each of the three chunks as a red, green, and blue values. And so because of that, Chuck Norris ends up as this red color.
Netscape did this back in the day and much like our rule about the user agent strings. Because of that, every browser since has had reproduce this behavior. And because of that, there’s all these weird things about colors in HTML.
So if you put in the
color=crap, then, that produces a brown color. And I guess Pokemon fans have found Squirtle is a blue color apparently. This all relates back to this robustness principle, right? So where this guy had this idea that said, “Well, even if you get me bad input, I should try to figure out what it is.”
And this was supposed to be a good idea. But now, everybody who builds a new browser, they have to put in all these rules. And it turns out, in fact, that when the guy was coming up with his TCP spec, there was another guy named Martin Thomas, who really didn’t like this robustness principle and wrote a lot of comments saying it could be a mess.
In fact, I have a quote for him in. He said:
“The problem with the robustness principle is a flaw can become entrenched as the defacto standard. Any implementation of a protocol is required to replicate the apparent behavior. This is both a consequence of applying the robustness principle and a product of a natural reluctance to avoid fatal air conditions. Ensuring interoperability in this environment is a mess and often is referred to as being bugged for bug compatible.”
If you try to interpret garbage as something valid, everybody’s going to have to interpret garbage the exact same way that you do. Yeah.
Don: So if you’re always interpreting garbage as something valid, it makes garbage valid. And then, people are going to be programming with garbage.
Krystal: That sounds like a good, hard, slow, but for bugs.
Adam: If Netscape in the earliest days had said that Chuck Norris wasn’t a valid color like it’s just done nothing, people would’ve removed it. And then, nobody would’ve had to support it going forward. It’s better to fail fast, I guess, is the opposite of the robustness principle.
And in fact, so somebody at Google named Hyrum years later coined Hyrum’s Law, but he said:
With a sufficient number of users of an API, it doesn’t matter what you promise. Any observable behavior of your system will be dependent upon by somebody
Which is exactly what happened here, right?
Now, people are now depending on Chuck Norris to produce a red color. That’s my overarching theme is like, the world is a mess because now browsers, they have all that user agent messy stuff. And then, they also have to do all these weird rules for interpreting colors. And people are finding weird defects in video games. The world is just a crazy complicated place.
Don: The internet is made out of a duct tape. Everything is very fragile, and it’s a miracle that any of it works. And I tell that to people in my family that aren’t tech savvy, but they know I work in this industry. And they’ll ask me about internet questions inevitably. And my answer is always like, “Oh yeah. No. That can break.” How is this possible?” I said, “Well, the internet has made out of duct tape, and things are very unreliable.”
The World Is a Mess
Adam: But out of all the chaos and fragility, something exists, it keeps on working. If you add enough layers of duct tape and abstractions and crazy rules and stuff, it all seems to work. And part of the fun part of programming is when you come up with a clever solution for the super hairy mess that is the world.
Don: I think that yes, but I think the internet is becoming far more complicated. It’s outpacing our ability to fix it or stabilize it because of the speed at which we want to move is faster than our ability to make it properly.
Adam: But life is a mess, man. You have a kid. You probably understand it more so than I do.
Don: Oh yeah. No. My house is a disaster. There is no clean part of the house anymore.
Krystal: You could kind of find patterns in messes. It reminds me of when my parents came to visit, when I lived in LA, and they cleaned everything, like the way that they wanted it in my apartment. And then when they left, I had to call my mom to find out where my cutlery was, because I just was used to finding things within the chaos.
Adam: We need the chaos. It’s important.
Don: There’s a method to the mess.
Adam: And yeah, thanks to Don and Krystal for being here. I don’t know, is there anything you guys want to kind of plug or say as we wrap?
Krystal: Yeah. Please, if you ever want to reach out and just chat, we have a cool Slack group and feel free to check us out there too. I’m pretty active on there. And I like adding emojis to everything.
Adam: We have the most emojis, dancing sharks.
Don: All the emojis kind of blew me away. I’m like, “Maybe I’m not using Slack properly. Maybe this is how you’re supposed to use it with all these emojis.” And then I got thinking, “Am I old? Am I too old now?” I’m like that old guy who doesn’t know how to use emojis and all the young hip kids are doing it right. Had a little bit of an existential crisis, but I don’t have anything to plug. I’m pretty boring. I will plug the slack community for CoRecursive and Adam’s Patreon.
Adam: Nice. Thank you, guys. All right. So, this seems like a good place to end things. If you’re listening out there, the real world is mess. Krystal doesn’t know where her cutlery is, but one day she’ll find it. So, maybe that code that you’re working on that’s also a mess is just a reflection of the greater world.
I mean, unless you’re working on rootkits for Sony, maybe don’t do that. But if you haven’t already subscribed to the podcast, please do. And if you want to support the show, please check out my Patreon page. I have extra bonus episodes up there. And I think they’re quite good. And it helps me cover the cost of producing this. I’m going to stop here. Thank you, guys.