It's not that the patterns themselves have failed, just that their use has fizzled due to failure to live up to the claimed benefits of using them. I've never actually even read the book, but I took a gander at the "antipatterns" book (only thing in category available at the library at that time) and it immediately struck me as "middle management trying to program", or something in a similar vein.

Now, there's indubitably a lot of "code grinders" Out There for whom this sort of thing is actually a boon. The best and brightest among us tend to scoff at such people, or more specifically at their stumbling and crutches, with all sorts of plausible-sounding but not actually helpful counters like "good people know what their code does", conveniently forgetting that most programmers aren't very good at all. So perhaps "patterns" are a useful crutch to keeping a lid on the damage from the inevitable Dunning-Kruger effects in business programming. I don't know, maybe.

But it was only until very much later that I found this writeup and my take-away is that this sort of thing, I think including touting lists of "patterns" as fix-alls for programming trouble, are attempts at taking an inherently mapping mode thing into something suitable for packers to use. The better approach is to knock such people into mapping mode, but that's much harder to sustain. And could well count as cruel and unusual.

I haven't looked but probably all you get is the layouts. You still have to bring the hardware. And making chips is possibly the pinnacle of humanity's technological achievements. It certainly depends on a veritable mountain of other tech. Replicating that is actually a science of its own. I'm with you though. Yes, we should have the blueprints to the machines too. We really should have auditable backdoor-free computing devices.

I've for a long time thought exactly that, what if we have to start from stone knives again and how do we get to chip fabs quickly? How can we do it at home, or at the small community level? I just never was (and still am not) in a position to map all the tech and come up with viable low-tech paths to do high-tech stuff like make chips. (Anybody spare a couple billion for a long term tech robustness research institute? Tim Cook maybe? I'm game to steer it.) Maybe^WCertainly not the latest process nodes, but for some things you really don't need that. In fact, if you can live with say mutt and troff (how I do my emails and letters) then a 68k is starting to look like overkill. It's because we want clickibunti that we need massive computing power just to emulate a shitty desktop. We are wasting a lot of resources just for the visual trappings.

For the rest, well, we don't actually need toasters or induction cooking or much of anything. We can get the creature comforts in other ways too. If we have to go back or start over, it'll be wood fires (and prompt extinction of forests given our current population levels). The prudent thing to do there is to work out something simpler, like the "hobo stove" or other high-efficiency cooking devices that you can fuel from non-fossil fuel sources that are themselves nicely simple, like paper-and-sawdust bricks or something. Cook a meal for four with just a few sticks. Boil water for a cup of tea with a single sheet of newsprint. That sort of thing.

There is quite a body of work on "appropriate technology", much of it gathered in the 1970s. It could probably do with an update or two. The real challenge is in the high-tech stuff, and for that you need some serious researching.

Did this just occur to you now?

Nope, it isn't. It seems great but that's only up until you realise that you've been deluding yourself. For some, this never happens, which stands to reason because it'd make them ashamed of that fat paycheck.

It starts way before this, but yes, that should have told you that javascript is not great, because no staying power. It's fairly natural for a programmer to try and build higher abstractions on the building blocks available, and that's fine. What would not be fine, and happens to be everything "frameworks" inside javascript is trying to do, is to fix deficiencies that seep through "from below".

Those deficiencies aren't just inside javascript, but also inside the modeling inside the browser (ever seen a non-leaky one?), html, the assumptions on which websites are "programmed", and so on, and so forth. Consider, for one very fundamental issue, that originally, the same text differently rendered on different devices was not a bug, but a feature.

Or that websites ought not to need to be "programmed" but should be simply a collection of easily served documents for sharing and collaborative work. That was the idea, not the million monkeys adding code to content that ought to need no further programming to function as originally envisioned.

See how deep the rabbit hole reaches before we even get to the meat of your complaint?

Yep, maintainability of your current framework goes right out the window here. Long-term viability of the content already left the building long before that, though.

The rest is just follow-on damage that we're forcibly trying to power through. Won't work, but lots of paychecks for people involved in the tech industry somehow. Nevermind that they're not actually programmers, as you point out. Programming is a rare talent.

Who was it again that noted that in a few short years influx into the CS department had gone up to tenfold, but the absolute number of people with actual talent, always less than the total student population, had stayed about the same? Meaning that the more you clamour for "IT talent", the more monkeys you'll get.

Which in turn gets us the problems you describe. Among other things.

This went out the window as soon as "running code from this here website in my browser" entered the picture. The rest is just secondary damage; imortant only to individual websites that care about public outcries, but about as sensible as "due diligence" in the finance industry. It helps the browser user nothing at all.

Consider that the lastest security scare, that with speculative execution and cache effects allowing peeking through the security in hardware is exploitable from javascript, which is how many layers up in software? This is a leaky bucket. You cannot plug the holes by adding more water.

That's because you're looking at the problems from the wrong level.

The fix as the end-user is to not run javascript in your browser. So the only real option for website owners is to make sure your website will function properly with a javascript-free browser. There is no middle way on this. It certainly cannot be fixed by adding more javascript, whether in "framework" form or not.

You are wishing for a silver bullet (HA HA HA HA) and that the W3C --built on the premise that standardisation does not require competence, dixit Naggum-- will suddenly turn competent (idem). Nay, you're hoping the W3C will suddenly become way more than competent and recast reality to fix the unfixable. Syeah, that'll happen.

No more bleeping apparatus complaining about this or that, refusing to work at all (up and dies, maybe bluescreen, maybe give up the magic smoke), deciding on the spot it needs to do something different and you, stupid luser, can just bloody well wait until it is done (*cough* updates *cough*), or simply make all your well-trodden "I do this in this way" paths up and vanish into something Shiny! and New! so you never again can get the same result (ribbons, or any other of a long list of "updates", "improvements", "upgrades", "new versions", or what have you). No more VoIP phones suddenly refusing to register. No more email that just up and vanishes into thin air, or simply doesn't get noticed between all the spam, or is flat-out unreadable because the addition of electrons made the other^W^Wboth parties to the conversation a gibbering idiot.

Bliss!

You might also get some actual work done.

I notice that a lot of "process" in business, but moreso in government, is only very thinly "computerised" in the sense that it requires a computer, but not in the sense that this allows more work to be done, work happens more efficiently (au contraire), work comes through faster, the function becomes more dependable (bwahahaha), and so on.

And then there's that this computerisation automation digitalisation transformation revolution ringy dingy thingy itself caused a lot more work that "needs" to be done, that we could do perfectly well forego if only we'd do away with the machinery and deign to write a letter by hand again.

IOW, we might require the apparatus to be present and in use, but we aren't actually reaping much of any improvements it was supposed to bring to the table.

This is well-meaning but actually a mistake, for it reinforces this power imbalance between two types of actors, (big) "companies" and (small) "consumers" where you could work on balancing the imbalance instead.

How? By working on systems that allow for everyone to be a first-class citizen within the system, having different capabilities arise from the relationships between actors rather than from their entry point to the system. As an example, classic big corp "identity" systems provide for exactly one identity per actor and moreover know two classes of citizen: Those that "provide identitiy", and those that get identified. This is wrong.

A proper system only provides for, essentially, transporting actors' identity claims that can then be backed by any other actor, making everyone a first-class actor. The truth of such claims then depends on the veracity of the backing to the claims.

Meaning that a passport's identity claim is only valid when backed by a recognised government (rather its avatar, if you will, within such a system), but that you only get access to Auntie Bee's party if your identity claim is backed by someone she recognises. To the system, it makes no difference. To its users, it makes quite a lot of difference. Moreover, the system only says that the claims aren't forged, whether they're any good otherwise is up to the users. And that's exactly how the division of labour for using such a system should be.

This is entirely different from the usual way, and also why, say, something like NSTIC is really a government control vehicle: It makes most ordinary users second-class citizens, and doesn't allow for multiple identities, quite unlike how most people live their daily lives. That last bit might surprise you, but it is true. You have multiple identities for all that they quite often share names. Your identity toward your spouse is quite different from your identity toward your workplace, at least for most of us, for example. Or if you're in school, your identity toward your teachers is different from your identity toward your friends. In some cases the differences can become extreme enough that you really don't want one group to even know about your identity toward another. If we're allowing the one identity per person model to become dominant, you'll get to learn the hard way just how oppressive having (to have) a facebook profile can become.

The thing is that the internet allows us to build such first-class-citizen-only systems, and moreover that we can put "zero-knowledge proofs" right at the hearts of such systems, thereby providing systems with reasonable to good privacy yet that are hard to abuse. That way, even the smallest party can deal with the largest parties on a virtually (oh the meta) equal footing. This means you don't have to fool around with laws that then need enforcement. The protection is built right into the system.

We could have this. Now that I told you, all we need is to build it.

How about supporting open source besides fifty shades of the same thing? Like, porting one or more *BSDs to POWER 8?

There really is more to open source OSes than just "linux", you know.

Set policy. Like, you have a list of recommended software. I'd say at least two browsers and a bunch of utility software. You support those, and beyond that it's best-effort. Curate the collection. With a clear idea of what's in use, you can even start to assemble the whole thing from FOSS and eventually move to a non-proprietary OS to underpin the tools. But that really is but a side-effect of having a good grasp of the needs of your shop. See the LiMux project.

Communicate. Not just this one thing, your entire policy, FAQs, tips and tricks, what-have-you. An internal website will do. A wiki is great for this*, even if you're not opening up editing to others. But you could do that for selected parts too. Make sure everybody knows where the fount of (IT) wisdom is to be found. You don't have to be pushy about getting people to use it; even helpdeskers reading ready-made solutions to panicked people is better than having them making up answers on the spot, though this is only true if the ready-made stuff is of good quality. And if it applies to the situation, but that's the helpdesker's job to workout. So make a point of both having helpdeskers add questions and of curating the material, so you both know what's popular and that they have decent answers.

Most of all, don't get condescending; write *for* the reader, not *at* them, or worse, refer to them as "the user", like so many programmers do. Who're they writing their software for, anyway?

Once that's going you can even expand into short tutorials**, book reviews to help pick up more skills, and so on. But let's get the basics going first.

Notice that if you have your shop organised with ready-made software and information answers, people will have a well-known point to look at in case of panic. So with that in hand, in case of big trouble you can send out word with a recommendation to review the latest news in the usual places where all the details can be found, with a short abstract with enough information --accessible to them-- to let them make a "should I spend time on this now? can it wait until later?" decision.

Don't try to force people's hands until and unless absolutely necessary. Give them the tools and the right information on the right time to let them make meaningful decisions. This requires not so much serious writing skill (though it helps), but putting yourself in their perspective. "I don't understand all this, why do I need to bother?"

* Plenty wiki software available. I like dokuwiki and dislike mediawiki because syntax, which I think is important as it is a tool to express and so convey the message. At minimum go for CREOLE support.
** A tutorial isn't a tutorial unless it also tells how to recover from mishaps. Most "tutorial" blogposts fail at this and as such are not worthy of the name.

If he's honest, he'd say exactly that. If he's dishonest, he'd either waffle or again say exactly that. If he's planting for some secret service he'd also say exactly that. Only one of the cases I'd take my hat off for. Worse, this guy made his academic career out of "security" protocols but gets blind-sided by a "honest mistake", and only one casual reviewer didn't spot it either. That really isn't good enough, neither for him nor for the openssl project, or any widely-used security-heavy piece of software.

Perhaps more importantly, it shows the dangers of poor protocol design. I'm not too versed in the intricacies of this one, but I can't help but wonder why it needed two length fields, and why you even have one if you're not going to check them.

The trick is to only look at the input once it's assumption-free, ie all necessary assumptions are known and have been checked to hold. That way you don't have to juggle one (or two, or N) length fields and hope you have the right one.

I think our dear honestly mistaken holder of a PhD in computer security has a bit more soul searching to do. As does the openssl team.

No, I'm not advocating more layers upon layers of software, I'm advocating better design in protocol and software*, better code review and code acceptance practices, and understanding things like line coding before tinkering with any protocol, much less a security-sensitive one. Like, oh, openssl.

* There's also Theo's (of TheoBSD fame) observation that openssl bypasses security measures available in certain malloc/free implementations by dint of defaulting on all platforms to their own allocator without such features because on some (other) platforms malloc is "slow". Worse, turning that "feature" off breaks openssl because the team hasn't tested without it. Looks like there's room for improvement with the unit testing practices too.

The efficacy of community building by reinforcing your shared hate of a common enemy notwithstanding, I don't think that's what creationists are doing.

Rather, they've picked up on something that's been happening for a while: The (ab)use of "science"(-y sauce) as underpinning and justification of policy by a loose group of people that have not too much truck with democracy but are well-moneyed and well-positioned for lobbying. You can see it, for example, in the doings of and influence that certain large advertisement and "social networking" companies have with the current USA administration.

It has been going on for a while, and it's supplanting the influence a different group had, that're now mounting a counter-campaign with an "updated" variation of their own ideology. And, evidently, with success.

It doesn't help that the "publish or perish" rat race has caused plenty of "science" to, often invisibly for many years, hopelessly derail into cherry-picking outcomes, even making up data, and writing, massaging, and otherwise manipulating towards a desirable result or at least away from an undesirable result. This too opened the door for creationists making up fantasy and writing their way toward their desired conclusions "scientifically". This isn't how science is supposed to work, but as long as it does, it has very little counter against creationism.

The kicker here is to realise that in their eyes it's the science-ists that are over-reaching into their turf and so they strike back, however opaquely and convolutedly. In that sense, the FSM is a nice satire but one that misses the underlying raison d'etre for creationism entirely.

Personally I think both the abuse of science for justifying your personal agenda and the christianity-flavoured counter are deeply flawed and undesirable drivers of policy, though I'll still happily wear a colander for my passport photos. And at the same time I don't have a ready-made "better" ideology to shove into the fray to cool everyone down a bit. I do say that if it needs belief to function, it's not science. This is evidently hard on many people.

All I can do for now is point out what's happening, and that it is very counter-productive for the progress of human achievement to, effectively, try and worship science. Science shouldn't be used as a "shut up you I'm right" argument and so a counter with "no my ideology is better than yours, really" shouldn't even be possible. So this underdog play for "equal airtime" should be immediately laughable on its face. The apparent fact that it isn't, means they're not losing.

Kudos for staying under budget, Estonia. But let's look at what we have here. An easy-to-use, ubiquitous identity solution that's easily integrated everywhere?

Sounds cool, right? But only if you trust your government, and every government thereafter. With small countries (Estonia, Iceland) this is much easier than with bigger countries. And I'm not even talking Russia or the US, but, say, the supposedly benign and enlightened folks in the UK. First there was the anti-child porn filter, that wasn't to be used for anything else, honest. Then there's that every internet connection is now to be filtered by default for the children's well-being and safety from porn; you have to ring up and admit you're a pervert and prove your identity to "opt-in to porn" (notice dishonest wordgame tactic, that "opt-in" is in the law itself). Let's take the logging and snooping by GCHQ on behalf of the NSA as a given and move on. For next up: The rightsholders mafia have figured out that a few simple lawsuits can make ISPs filter their client's internet connections on their behalf, too.

This sort of thing would be that much easier with an electronic identity card. Staying with the example, the UK already had identity cards, due to world war two, and only got rid of them in the fifties. During that time, the number of "functions" associated with the card rose from three (3) to thirty-five (35). That's quite a bit of function creep, well before the computer became mainstream.

There are many more examples. A canonical example would be the 100 flowers campaign. But now with the internet and ubiquitous electronic surveillance and handy dandy electronic identity cards attached. I don't think I want to live in such a country.

"It could never happen here" is not a valid excuse, even if you can prove that to be true in all cases in your country. So simply rolling out electronic identity cards is not something I want to happen. Exactly because they're so easy to use, they are a direct threat to my privacy.

The fix, by the by, is not to make them hard to use. It's to figure out how to make zero-knowledge identification work, to support multiple identities in a sensible way, and so on. Because we do need electronic identities, but the standard translation of one state issued identity per person is no longer good enough. Hasn't been for a while. Just count the number of times you've used a throwaway email address.

So if Estonia wants to keep on being a leader in this field, they will have to learn how to do this.

Not give information out. Keep it to yourself. With or without technological aid.

The individual trying this out either has to lie a lot (give false information) or risk standing out. That is, in the current environment.

To make this possible we need our systems (in the broadest sense of the word, so a government keeping records is a "system") to change the working assumptions. For many things you still "need" to give your name when in fact there is no need intrinsic to the function, only convenience, usually for somebody else, like law enforcement. This "convenience" carries risks itself, so it is long term all around better to get rid of it.

How you'd do this? Well, change the assumptions, change the laws, change how we organise things. Only after that does technology come into play.

And that technology? Authentication systems that aren't inevitably tied to just one possible identity per person and certainly not systems depending on some selection out of a small number of possible passwords per person with no redress possible, and also not systems that depend on a limited subset of "identity providers", reducing everyone else in the system to second class citizens.

Come up with designs that address those, and more shortcomings, that empower instead of subjugate. You might even consider deploying DRM around packed-up identity information, giving control back to the owner. Better yet, don't give the information away at all, for example using zero knowledge proofs. There are plenty of tricks ("technologies") and we are employing far too few of them.

Even the simple act of not requiring everyone to use the same database key for completely unrelated databases is, so far, too hard, and that needs to change. I could go on, but this ought to suffice for now.

While there is no single silver bullet, there is a clear general direction how we need to change our current systems, how we need to change our very thoughts and assumptions to keep a tenable society. Notice that everything so far governments and corporations have produced and are producing, fail at the very first of assumptions. A good case in point is "NSTIC", who were warned of these issues yet, as is evident in the design, chose to ignore the warnings.

Possibly, but then within the confines of a corporatist view, where a few centralised "identity providers" essentially own everybody else's identity and can do things others cannot, making everybody else second class citizens within the system. At least NSTIC was warned about this, but apparently nobody saw fit to heed the warning. Because, large corporate or (possibly and) governmental organisations owning other people's identities, eh, those in power just say they're "trusted" and thus they are. Reality? What's that?

So if your credit rating is shot...? Perfectly alright, just make sure you always have perfect credit, citizen. And it doesn't stop there, of course.

What mathematical proofs do they have to back up that rule? I won't settle for anything else, sorry. And even so, it won't be enough; it's just the beginning.

Within the limits of their understanding and their influence filtered through the rules of the procurement process. Which both isn't very much at all, for various reasons. The old lowest bidder and all that, but it goes beyond that, far beyond.

Simpler, yes. Desirable, no. It easily means that everything you do in any context is now easily linked. A state-mandated and -enforced real name policy. This is problematic for the same reasons that facebook or google forcing this on everyone is problematic. There are serious privacy problems with this.

For example, simply knowing what key a message is encrypted to --and this is generally listed on the outside of a message and thus public-- means that you can do traffic analysis. And so you know which parties are talking to which other parties. Someone getting a lot of messages from the taxman or the state-run fine collector means what, do you think? Or maybe a bank you're trying to get a loan from saw your message stream and now knows that you're also talking to a few other banks, or repo men, or what-have-you. Hmmm.... So even with confidentiality of the contents, you're still leaking information.

As such, this sort of card is only half the solution, especially since the state mandates that you have to use it, and it is so easy. What we really need is a single system that would support a single card (or multiple cards, if you'd like) with multiple identities.

I don't strictly mean birth certificate-backed identities, but at least so that you can separate out the loyalty cards and bus passes so that they can sit on the same card yet not tattle on each other. Because each such a card is an "identity" too, carrying a history, and I for one do not want them to be state-enforced on the same identity. In fact, this is the same reason why companies cannot be allowed to gather SSNs without clear law-prescribed purpose, and curiously, that is enshrined in law. Bit of an oversight that this is not.

No, simply saying "you can't mix that information!" is not enough, because it's unenforcable. You need a system where the holder of the identities can control who gets to see what. If the card doesn't support that, it is deficient, and a danger to its holder.

The problem with encryption is that it is bothesome, cumbersome, easily broken or circumvented by silly goofs and oversights, and generally impedes communication. The great enabling power of the internet is that it lets anybody talk to anybody. Encryption is not a good fit for that model.

Another approach would be global mesh routing, you know, mesh together every AP on the planet and hope no spots get left out. But mesh routing, while a nice idea, has scale problems, and we'll probably start to miss the really fat backbone pipes in a hurry.

The appropriate approach here is "government-technical", as in international law.

We have to get governments to agree to keep their hands off of the data that isn't theirs and they don't need for law enforcement and thus is obtained using a warrant issued for a specific investigation. To make this stick people must understand that data collected "just in case" is a liability for everyone involved and thus that not gathering data, while hard, is the right thing to do. Too bad it's hard to enforce. There'll always be some government transgressing, instituting star chambers, and so on.

It may be easier to get governments to agree to keep their hands off of the parts of the internet that aren't theirs. This probably implies some sort of intergovernmental oversight. But I wouldn't pick the ITU, nor the UN in general. They're too much clubs for governments, as if they knew what was good for the people. They clearly don't. Not even the USA, oh whooshing irony. So ICANN is out too, since it is really an US government subsidiary, regardless of what the both of them claim.

Do note that the USA clearly, literally claimed to be the only one country worthy of safeguarding the internet against wrongdoing governments, only to be shown a pathological liar about such things.

Since we cannot trust any one existing government nor any of the existing bodies, the internet will probably have to become its own country. Including datacentres that no longer stand in the country where they're built, but are now in "internet country", and thus entering the datacentre means crossing an international border. With extradition treaties and everything, but so that not one state can impose its law on all of the internet, as, say, Kentucky and iirc Utah did not too long ago.

The effects needed here are that both you can't be held answerable to the laws in any random country other than the one you're in (or do business with, or have some other clear relationship with), regardless of where the hosts involved physically are hosted, and that being held answerable to the laws of your own country (or do business with) becomes easier.

That, or we could try and get a benevolent global, planetary, government, but literally everyone with any shot at that has so far blown it, to the point that I wouldn't trust anybody else claiming to be that good either. So a separate country for the internet it will have to be. It is the simpler solution.

We're full of "universal" rights and whatnot... but fail to live up to them. Or rather, our politicians. The bureaucrats... play their little games. Or not so little, as the case may be.

If we don't want them to run rampant, we as the world's peoples need to take a stance. Do we want ubiquitous surveillance? Then do nothing. Do we want to have something of a private live left? Well, there's work to do. And some very unpalatable questions to find suitable answers to.

Our technology is so powerful that "because we can" is no longer a valid reason. We must choose what we want our technology to do. And to choose, we must understand the consequences of what our technology can do, and what it means to willingly forego some or all of the things it might have done. In extreme cases you can even portray this as trading saved lives, caught terrorists, convicted child pornographers, agains having some privacy left.

And so we must come up with answers to questions like, how many lives is privacy for all worth? How many abducted little girls may be allowed to die for not having to justify every step you take? Because, again, that is how the snoopers will portray it. And so we must answer, or find more reasonable ways to frame the same question. That, or lose the fight before it started. In a sense, we already lost while we were ignorant and we must now claw back what was once rightfully ours. From the jaws of those who claim to protect us (from privacy and liberty, but I digress). How much is it worth to you?