We Keep Reinventing Injection Attacks

Web programmers can cause security problems if they embed data into HTML and render the result. For example, if I have a simple form that asks for your name and then outputs a page with that name in it, I’ll open myself up to an “injection” attack if the user types in some JavaScript and I don’t carefully escape it. I’ll end up running that JavaScript.

The same is true if we take user data and try to create queries by concatenating it with SQL, as lampooned by XKCD.

We invented encoding and string interpolation techniques to solve this. But nothing forces you to use those features, so we still mess it up, which is why security bounties are frequently paid for injection attacks.

But, those issues are with legacy languages like HTML and SQL, where we send strings that mix code and data over the network and run them. We should have designed them in a way that separated the code and the data. Surely, we learned from that for the new things we have invented since then.

We did not.

An LLM chatbot is also a service that we send strings to over a network. The prompt you send is “code” in natural language and the LLM “runs it”. The problem is that there is a kind of meta-language that controls the chatbot itself, which can be sent before your normal prompts. Using these “jailbreaking” prompts, you can trick the LLM into dropping its safety net and producing hate speech or helping you code malware.

These prompts are essentially the same idea that Bobby’s mom is using in the comic, and the solution is likely going to be a prompt version of what encoding and string interpolation is doing.

It would be better if the system were designed such that user chat requests weren’t treated like a program that could change the chatbot itself.
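As an added illustration (not code from the original post), here is the same user input run through a concatenated SQL query and a raw HTML template, beside the parameterized and escaped versions that keep data separate from code. The table and its rows are constructed for the example.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data for an in-memory database (not from the post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?)", [("Alice",), ("Robert",)])
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable: user data is spliced into the SQL text, so the database
    # cannot tell where the query ends and the data begins. A quote in the
    # input lets the rest of the string be parsed as SQL.
    sql = "SELECT name FROM students WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Hardened: the query text is fixed and the value travels separately,
    # so whatever the user typed is compared as a string, never parsed as SQL.
    sql = "SELECT name FROM students WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting_unescaped(name):
    # Vulnerable: the name is pasted straight into HTML, so tags in the
    # input become markup the browser will interpret.
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    # Hardened: html.escape turns < > & " ' into entities, so the browser
    # shows the name as text instead of treating it as markup.
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tricky = "x' OR 'a'='a"  # data that reads as SQL when concatenated
    print("concatenated:", lookup_concatenated(db, tricky))    # leaks every row
    print("parameterized:", lookup_parameterized(db, tricky))  # matches nothing
    markup = "<b>Ann</b>"
    print("unescaped:", render_greeting_unescaped(markup))
    print("escaped:  ", render_greeting_escaped(markup))
```

The parameterized lookup returns an empty list for the tricky input because no student is literally named `x' OR 'a'='a`, while the concatenated one returns every row.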

Announcing: Morning Pages Journal with Prompts

I’ve been experimenting with creating books for Amazon KDP using Page-o-Mat. My first book is a journal for writing prompted morning pages [amazon affiliate link].

Cover for the Morning Pages Journal with Prompts book

There are 4 volumes of the journal, each offering a different 30 prompts.

If you don’t know what morning pages are, I covered them in two episodes of my podcast:

I have written about them in these posts:

The journal has two pages per prompt. At 8.5 x 11, it takes me 20-30 minutes to fill them, which is about the right length of time for morning pages. I set them up so that they are the front and back of the same page, so you could remove the page if you wanted.

I also encourage you to read and highlight past pages. At the back of the book is an index where you can harvest your favorite parts.

Using Recruiters for Entry Level Developers

I graduated in 1992 and got my first job using a tech recruiter. It was for a small company in FinTech with less than 20 people when I joined. While I was there we hired a lot of entry-level developers, mostly from college recruiting, but we did use recruiters too.

30 years later, I think it’s rare to use a recruiter to hire entry-level developers. There is a lot of supply. There is certainly an aspect of recruiting in what the code bootcamp schools are doing, but from the hiring end, I haven’t been at a place that used recruiters for junior developers for quite a while.

But, one exception I noticed is in FinTech. John Easton, who got me my first job, and who is one of the best recruiters in NYC, seems to frequently have entry-level FinTech jobs. Here’s one he posted today.

If you are in the market for this kind of work, especially if you are in NYC, I’d follow his account.

More Page-o-Mat Updates

I am working on making some books for Amazon KDP using Page-o-Mat, so that’s driving feature development right now.

I decided to create cover art using vector drawings, so I added the ability to add a list of drawing objects to a page. I currently support rectangles, ellipses, lines, text, and QR codes. Each object has keys to set stroke, fill, alpha, and other parameters.

A cover in KDP needs to be big enough to support the trim, bleed, and spine, so it ends up that page size is an arbitrary number. I had only supported standard sizes, like A5, Letter, etc. Now Page-o-Mat supports custom sizes and orientation.

I uploaded some books to KDP today. When they are approved, I’ll announce them here.

Write While True Episode 35: Zombie Nouns

I recently came across the phrase zombie nouns, which was coined by Helen Sword. She’s an author and currently runs a private consultancy to help writers. Back in 2012, she was teaching at the University of Auckland in New Zealand, and she wrote an article for the New York Times called Zombie Nouns.

Transcript

“What do you do?”

Just heard this template from The Art of Charm ep. 782 for how to answer “What do you do?” when you are meeting someone in a business context.

The idea is that you want to tell them something they can remember and repeat to the right person. So, you lead off with the kind of people you help, and then you say how you help them.

For me that’s something like: “I help B2B software companies by advising them on their product engineering.” I would somewhat alter that based on who exactly I was talking to (maybe niching down to fintech or mobile). It’s intentionally not very detailed to either invite questions or to let the conversation move on.

Later, if that person meets someone who works at a B2B software company that says something like “I wish I could get a handle on our developer productivity”, they might think of me.

Page-o-Mat Minor Update

I made a minor update to Page-o-Mat to add a few features I need for a journal I want to make.

New keys

  • subtitle: for adding a subtitle to a page. There are also the font, color, and alignment variants
  • show-title: a boolean that controls whether or not to show the title. You can use a string expression based on the page/section/variant indexes. This allows you to have a title that might only be on the first page of a section. (there is also show-subtitle)
  • footer-space: For lined journals, this allows you to have some blank space at the bottom. I also renamed heading to header-space, but support both for backwards compatibility (I believe that New Versions Should be Substitutable)

My plan is to use this to make a writing practice / morning pages journal with prompts (see my podcast episode Write While True Episode 19: Prompt Your Morning Pages for the rationale behind this).

1960’s GE Trained Programmers

This is the third installment of a series I didn’t know I was writing.

Today, I met Tom, who got his start working for a cotton mill owned by his father-in-law. In 1964, the mill was buying a mainframe, and his FIL convinced him to apply to GE to become a programmer: “He told me it was like putting railroad tracks together”. It wasn’t.

GE hired him and then trained him to write COBOL in a few weeks. They placed him at other cotton mills to code order-taking software.

That led to a lifetime in programming. He started a company that automated letter writing for members of Congress (writing “customized” form letters back to constituents based on their interests). Al Gore was a customer.

Today, he still runs a company that advises mainframe programmers on performance and other matters.

But, it all started because GE was willing to hire and train someone with no experience. It’s a lesson that I continue to hope will be relearned.

How to Signal That You Are Open to Work on Linked In

If you do not currently have a job and want one, you can mark yourself with an Open to Work badge on Linked In. If you have a job, but are open to opportunities, there are ways to signal that without saying it outright.

The first thing you should do is make sure your current job and relevant ones are up-to-date. To show that this was a recent update, perhaps work in the month and year of a recent accomplishment. Generally, updating your resume is a signal that you are open to opportunities. I recommend customized resumes when applying to jobs, but that’s not possible on your Linked In profile, so customize it for the job you wish someone would approach you about.

Make sure your settings are set up so that you are accepting contacts, and that you are open to being contacted. This isn’t as visible as the green Open to Work badge, so it won’t draw attention from your current job, but it lets people know that you are ok with messages.

To draw some attention to your profile, you should have some activity. Reposts and comments are probably good enough.

Finally, it doesn’t hurt to expand your network. Visit profiles of people that might be interesting to work with and try to connect to them. You might find a chance to build a positive association with them over time. If you have people in your network that would write a recommendation, ask them for it.

Every time I talk to people that don’t use Linked In, they assume that you have to become a LI Influencer to get any attention, but for software developers, it’s enough to just be on it with a filled out profile, a decent network, and some light, but consistent activity. There are lots of people looking for you, and so you just need to make it look like you want to be contacted (if you do).

Job Seekers Should Have Some Linked In Activity

If you are looking for a job, and have a Linked In account, it helps to have some activity in your account.

You don’t need to be a Linked-in influencer, but if there is no activity (or the last thing is very old), then I would assume that person doesn’t even use Linked In. When I’m looking for developers, I skip those profiles because it doesn’t look to me like they want to be contacted. If you are open to being contacted, create some activity—all you need is a few comments and reposts.

If you are looking for something to post, just post that you are looking for a job and what specifically you are looking for. Be specific. Build a Job Statement, and then use that.

I suspect that Linked-in will put you higher in search results as well.