ladieswhocode 20130508: adventures in paranoia with sinatra+sequel, and networking

ladieswhocode is an informal meeting that takes place every month in London (and I understand other cities too, but I haven't been there so I can't tell!). At the beginning I was a bit skeptical as I'm not a big proponent of gender division--I'd rather everyone, no matter the gender, be able to sit in the same room and listen to speakers of any gender as well. But after attending a few meetings I can understand why some women would rather not go to the usual, 99% male, technical meetings. There's quite a bit of fear about not being good enough, and it's quite interesting to listen to more female developers share experiences that I thought were unique and isolated to my case... but apparently are not. And it's madly knowledgeable people like Eleanor McHugh that can inspire potentially amazing female developers to shed all fear and show their true skills. At the latest ladieswhocode meeting, Eleanor gave a "half talk", as she shamelessly admitted it to be. See--it's OK to be wrong, and it's even better to admit it. She hadn't been able to completely prepare the talk, but stepped forward to do it anyway, and filled in the missing slides by drawing on a whiteboard (although I think it's better when speakers don't use slides at all, anyway).

I first heard about Eleanor many years ago, when I was subscribed to the ruby user group mailing list in London. She was there too, and whenever she posted I was like: well! she knows what she's doing! But our paths never crossed, so to speak. She would go to one meeting, I went to another. She would give a talk at a conference, I wasn't able to attend. And so on...

Fast forward several years. A couple of months ago, I was back in London and Belen was updating me on all the recent developments on the London scene. And she told me she had met Eleanor at one of the ladieswhocode meetings! So I thought, well, that is interesting, I must attend too--even though, as I said already, I wasn't too keen on the segregation idea.

Since it was my holiday week before starting work at my new place, I decided I wouldn't bring my laptop to this month's meeting. I would just show up, and network with people, or help anyone who needed help with web stuff. That seemed way more helpful than bringing a laptop to work on something, and then not being able to either work at all (because of the constant chit-chatting) or help anyone (because I was supposed to be doing my own stuff). And then I discovered that Eleanor was going to be there and give a talk! Yay! Perfect plan!

Her talk had a quite misleading title: "Adventures in paranoia with Sinatra and Sequel". Then she opened it by saying that she was going to talk about encrypting a database, which was even more confusing. I thought she would be encrypting and decrypting the entire database file and it just seemed overkill to me.

But I was quite wrong. In fact, she provided us with quite a lot of interesting ideas that, if implemented, could alleviate many of the issues we face as back-end developers, and that pretty much boil down to: what to do when the data in our site gets compromised?

Because it's not a question of "if" but a question of "when", if we are truly paranoid. A proper developer should have a good amount of paranoia if she's responsible for the data gathered by a website, and should think "of the worst" more often than we usually do.

So Eleanor's talk was basically about how to use a mix of symmetric and public-key cryptography to obscure some fields in the database in a computationally intense way. Discussions and name dropping of techniques on how to do this with Ruby ensued, including quite a lot of metaprogramming, and using the SecureRandom library that I learnt about while building our Hackday app! I felt really proud of knowing about that little piece of paranoid programming! :-D

Some interesting ideas that were discussed:

  • encrypt the most sensitive fields in the database (e.g. the email addresses) with a public/private key pair
  • hash the encrypted fields you want to do a search on, so you can still search on them (of course add an INDEX too!)
  • expire keys frequently--say, at a 10-minute interval. So if something is insecure for a while, it's only for a small window of time.
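
Here is a sketch of the first two ideas in plain Ruby, added as an example (it is not code from Eleanor's talk or from my own projects). It assumes AES-256-GCM with the key wrapped by RSA-OAEP for the "mix" of symmetric and public-key crypto, reads "hash the field" as a keyed HMAC of the normalised email, and uses an in-memory array in place of a Sequel table; all function and constant names are hypothetical.

```ruby
require "openssl"
require "securerandom"

RSA_KEY   = OpenSSL::PKey::RSA.new(2048)   # constructed demo key pair
INDEX_KEY = SecureRandom.random_bytes(32)  # separate secret for the search hash
OAEP      = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
FIELD     = "users.email"                  # bound to the ciphertext as AAD

# Keyed hash of the normalised value: same email, same index entry.
def blind_index(value)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), INDEX_KEY, value.strip.downcase)
end

# Fresh AES-256-GCM key per value, wrapped with the RSA public key.
def seal(plaintext, public_key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = FIELD
  ciphertext = cipher.update(plaintext) + cipher.final
  { wrapped_key: public_key.public_encrypt(key, OAEP), iv: iv,
    tag: cipher.auth_tag, ciphertext: ciphertext }
end

# Needs the private key; raises OpenSSL::Cipher::CipherError on tampering.
def open_sealed(sealed, private_key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = private_key.private_decrypt(sealed[:wrapped_key], OAEP)
  cipher.iv = sealed[:iv]
  cipher.auth_tag = sealed[:tag]
  cipher.auth_data = FIELD
  cipher.update(sealed[:ciphertext]) + cipher.final
end

# Writing a row needs only the public key.
def insert_user(table, email, public_key)
  table << { email_idx: blind_index(email), email_sealed: seal(email, public_key) }
end

# Equality search touches only the indexed hash column, never the plaintext.
def find_by_email(table, email)
  wanted = blind_index(email)
  table.find { |row| row[:email_idx] == wanted }
end

users = []  # constructed sample data
insert_user(users, "Ada@Example.org", RSA_KEY.public_key)
hit = find_by_email(users, "ada@example.org ")
puts open_sealed(hit[:email_sealed], RSA_KEY)
```

In a real table the `email_idx` column is the one that gets the INDEX, and the private key can live somewhere other than the web process, since inserts and lookups never need it.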

I haven't done much new back-end programming for a while (mostly maintenance and extending with mini functionality), but I have a few new projects in mind and I'd like to build them with JavaScript using Node.js for a change (yeah, call the hipster brigade). So since it's something built from scratch, it could be a good opportunity to apply these techniques and see how they perform. According to Eleanor, they are feasible with Ruby. But will JavaScript's metaprogramming capabilities be on par with Ruby's? That's something that I'll have to investigate. More reporting on this will follow in due time.

Apart from Eleanor's talk, I also had the opportunity to chat with Angie Maguire, co-organiser of the event, for a few minutes before she ran to welcome some newcomers. But I think I'd rather let her announce whatever she had in mind (just in case she told me some privileged information!).

I also talked with some regulars and non-regulars I hadn't talked to before, and it was really nice to discuss new ideas and approaches with them--so my plan of not bringing the laptop and networking instead worked really well, and I'm quite tempted to continue doing so in the future.

So here's a call to any lady/woman/girl interested in getting to grips with programming but slightly scared to do so for whatever reason: come to the meetings! Hopefully more of you will lose the fear and get into IT, and at some moment in the future there won't be any reason for holding ladieswhocode meetings (unless it's for remembering old glories, that is!)

NOTE: this post was supposed to be finished and posted last week, but a sudden surge in my socialising activities and a week away from London in sunny Mountain View meant my thoughts were elsewhere. Please excuse any date inconsistencies!