A notch above a monkey

On technical writing

Early this year I was reading a couple of books about Typescript and got really annoyed by basic technical errors and poorly conceived book structures. Python is a strongly typed programming language, and if the intended reader is expected to have already mastered Typescript’s basics, then they probably don’t need a chapter on how to install it. I wanted to vent about the decline in the quality of technical books in recent years, but I am glad now that I didn’t get around to writing about it.

This summer I decided to use some of my downtime during treks to update and improve my knowledge of functional programming by reading three books on the topic, and I could hear my inner voice screaming, again: “Who is this book for?” Too much effort was spent on technical minutiae and none whatsoever on how to actually design and develop programs of non-trivial length, which in my experience is one of the main stumbling blocks for inexperienced developers.

None of these books was new, the oldest having come out in 2012. All three were published by O’Reilly, which at least back then was considered a respected source of technical content. So quality erosion started sooner than I noticed, but it still seems to be getting worse, with publishers cutting corners everywhere while trying to compete with self-published authors whose books often seem overstuffed with marginally useful information to fatten them to book length, probably to raise their perceived value so they can become a source of passive income and/or improve the author’s resume.

Of course some books, self-published or not, are good, but it is becoming increasingly difficult to find them among so many bad ones, especially since the number of online reviewers has not scaled nearly as much and hence most books have few if any reviews.

This is a problem for people like me, who like to learn about a new topic through books, but I think the effects may be larger. Books can be a good way to coalesce and distill knowledge into a package that serves as a good introduction for a topic’s novices. Modern web development has become a complicated affair with surprising and often depressingly short turnaround of the technologies used, and while it is useful to have someone explain in detail a tool that will likely be largely abandoned in two years’ time, I find there are not enough books aiming for a longer shelf life by teaching foundational knowledge.

This spring I threw out more than a meter of old, mostly computer-related books that were now completely obsolete, and I could certainly do the same with most of the electronic books I have, if I could be bothered. While I was doing this, weighing for each book whether it still had something valuable to say, a question kept coming up. If I was starting my career today, as many are, how would I even go about it?

Travel articles and gear

We like to travel, but I avoid reading travel pieces unless we are researching an upcoming trip, as we currently are. Too much of this semi-fictional genre is snobbishly prescriptive or laughably overconfident (and sometimes both).

The most annoying example of the former is almost a sub-genre of writing describing the right way to travel while scolding “detractors”, where right usually means backpacking for months with a small backpack, on the cheap, trying to meet locals. I find it especially annoying because not only do we not all travel for the same reasons, for most of us how we travel is a compromise between our wishes and our abilities, including available time and money. What every traveller should strive for is to minimise their negative impact on the environment and the visited cultures, and apart from cruises there are few travel approaches that I would describe as a priori wrong.

The other grating notion is the idea that spending a few months in a foreign society will result in your understanding it. This is not true even if you are an anthropologist. More exposure rarely hurts, but I wish more people stayed humble in their interpretations of observed events. I understand English pretty well, have spent cumulatively almost two years in England, have friends there and have spent decades consuming British culture through media, books, TV, movies and music. It is an investment I am unlikely to be able to repeat with any other culture, and yet I am still not completely fluent in it. There are bits I don’t understand, and frankly not all British people do either, as is likewise true for me and Slovenian culture.

However, I find that an interesting piece of advice or insight can salvage almost anything. With this hope, here’s mine. Try watching local TV at least a bit during your travels, especially the commercials. I find advertising provides a skewed but interesting lens on how a society wants to see itself and what it finds important and profitable. Also, asking for opinions instead of facts is more likely to elicit richer answers, and repeating previously answered questions to newly met people can be illuminating.

(Photo) gear

As I said, I rarely read articles about travel except when doing research, which mostly means looking for information about specific locations and travel gear.

Over the years we’ve developed checklists for all types of trips we do and got pretty good at packing, but the need to tweak our gear never goes away, if for no other reason than to replace worn-out stuff.

There are a few items I am almost obsessed with. Backpacks are one of them. Their designs have immensely improved over the years and I have also accepted that we need several, but I think philosophical differences between me and backpack designers make it unlikely I will find a perfect one for multi-day treks.

Trekking trousers are another. Men’s trousers are usually serviceable, but women’s are generally awful because of their creators’ seemingly almost phobic fear of external pockets. If one needs to wear a jacket or take off one’s backpack to have access to a map or one’s phone, then they are not fit for use, and most aren’t.

But since we are both keen photographers, I especially try to optimise the photo equipment we lug around. The last decade brought a lot of changes to the gear I see used on our trips. Most casual shooters have switched to using smartphones, and mirrorless cameras are replacing DSLRs among photo enthusiasts, although the latter group may carry as much as it used to, since the freed-up space and weight are now often taken by drones. Everyone uses whatever device makes the desired shot the easiest (e.g. wide panoramas tend to be taken with smartphones).

Our trips usually include off-grid treks of up to a week. It took me way too long to figure out that the best way to handle those is to carry a high-capacity power bank and make sure every electrical device can be powered through a USB connection. This makes everything easier also when we are back, as it reduces the number of cables, is generally easier to fix if something goes wrong and reduces the need to find free electrical sockets. We don’t use solar cells because they would rarely if ever be practical for us.

On our last trip I tried to see how well I could do with a smartphone as my only camera. Generally, I was pleased with the results but found the phone’s lack of zoom too limiting, which is why I have switched to an iPhone X with its 2x optical zoom. Still, while better than before, this is often not enough and cannot be compensated for with cropping, because a significant crop of a 12 MP image does not leave many pixels even when the change of perspective is not an issue.

It seems new phones will add even wider lenses, which are fairly useless to me, as stitched panoramas are excellent and have better resolution. I have experimented with switchable lenses from ShiftCam. I still love their design, but the lenses themselves are of poor quality, a problem also plaguing their competitors judging by published online images. I would gladly pay more for an easy-to-use quality zoom lens if I could find one.

On the other hand, the apps available for tweaking photos are often phenomenal. As an iOS user I mostly rely on the built-in tools, SKRWT for perspective corrections and TouchRetouch for removing unwanted items. It can feel almost magical how easy it can be to shape up a photo. I am sure equivalent tools also exist on the Android platform.

Nevertheless, the technical quality of these photos is still noticeably worse than that of those taken by our Nikon, so we will continue carrying all that stuff. If only I could now find a compact travel tripod that would be easier to attach to our backpacks.

Securing web applications

I recently finished working on a project with stricter security requirements than I am used to. While my work on the project is done and I am deciding what to do next, I keep thinking about what I did and what I could do better next time, beyond following established good implementation practices. This is my attempt to jot down my (unpolished) thinking, which will be light on technical details as I am not allowed to divulge them.

The first thing I did was to create a threat model for the app’s frontend. It is not something I see done on every project, but it really should be standard practice, even if it is simplified to a “living” list of assets to protect, identified threats and planned countermeasures.

An under-appreciated part of web frontend development using client-side frameworks is that, practically speaking, it is not possible to secure the app you are building on your own. Every major framework depends on and installs hundreds of packages (usually more than a thousand), and it is not feasible to audit all of them and their updates. Even the smaller problem of tracking license compliance is a nightmare. Therefore, managing risk also involves managing trust in external parties.

When using such frameworks is beneficial enough, I favour libraries built and used by major tech companies such as Google and Facebook, especially if their documentation does not ignore security. They may not be better in all the aspects I might care about, but they will have more resources invested in their development and are more likely to be properly audited, as those companies present a much bigger and more valuable target than the companies I work with. I avoid adding 3rd party libraries as much as is economically possible and, when that is not possible, prefer to copy the parts actually used (with the license and a reference to the original) when only a small bit of the library is needed.

Loading 3rd party code directly in the browser should be frowned upon. Even with the modern toolbox for avoiding or limiting abuse (iframe sandboxing, CSP…), nothing is remotely as safe as not loading unknown resources in the first place. Since this is not always possible or desirable, it is best to treat them as an existing exploit of unknown severity and decide where they must be avoided and how to best manage their risk elsewhere.
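As an added example that is not part of the original post, a small check over a Content-Security-Policy header value that flags the settings which still let unknown script run; the directive names and keywords are the standard CSP ones, and the two sample policies are constructed:

```javascript
// Added example, not code from the original post: a small linter for
// Content-Security-Policy header values that flags the settings that let
// third-party or injected script run. Directive names and keywords are the
// standard CSP ones; the sample policies at the bottom are constructed.

// Parse "a b c; d e" into { a: ["b", "c"], d: ["e"] }; directive names are lower-cased.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Source expressions that turn script-src into "run script from anywhere".
const BROAD_SCRIPT_SOURCES = new Set(["*", "http:", "https:", "data:"]);

// Return human-readable findings; an empty array means nothing weak was found.
function cspFindings(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src governs scripts; without it the browser falls back to default-src.
  const scriptSrc = policy["script-src"] || policy["default-src"];
  if (!scriptSrc) {
    findings.push("no script-src or default-src: scripts may load from any origin");
  } else {
    for (const src of scriptSrc.map((s) => s.toLowerCase())) {
      if (src === "'unsafe-inline'") findings.push("script-src allows 'unsafe-inline'");
      if (src === "'unsafe-eval'") findings.push("script-src allows 'unsafe-eval'");
      if (BROAD_SCRIPT_SOURCES.has(src)) findings.push(`script-src allows broad source ${src}`);
    }
  }
  // Plugin content falls back to default-src too; with neither set, <object> can load anything.
  if (!policy["object-src"] && !policy["default-src"]) {
    findings.push("no object-src or default-src: plugin content may load from any origin");
  }
  // frame-ancestors never falls back to default-src, so it must be set explicitly.
  if (!policy["frame-ancestors"]) {
    findings.push("no frame-ancestors: the page may be framed by any origin");
  }
  return findings;
}

// Constructed samples: a permissive policy and a tightened one (the nonce value is a placeholder).
const WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' https://cdn.example";
const STRICT_CSP = "default-src 'none'; script-src 'self' 'nonce-CONSTRUCTED'; style-src 'self'; img-src 'self'; connect-src 'self'; base-uri 'self'; frame-ancestors 'none'";
```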

A similar risk is posed by browser extensions. User fingerprinting is a very good reason for preventing the discovery of loaded extensions, but I would still find it useful to at least know whether any loaded extension has access to my app’s contents without an explicit user request. It seems this is not possible. Admittedly this is not a widespread desire, and most applications would not change their behaviour based on this information, but a few should (e.g. banking web apps).

In simpler, more naïve times we used to discuss whether the DOM is a good place to store the state of a page. Clearly this is not a good idea for anything beyond storing the state of UI controls, and even then every change should be reflected on screen with an appropriate user notification (change transition, alert…). I remain undecided on how much uni-directional data flow helps with security, but it does help some, similarly to how private class properties do, and I find it easier to track possible attack points if the interface is a rendered reflection of the application’s state and I can focus my attention on the interactive parts through which the user changes it.

Protecting code and data from nosy scripts with Javascript closures is already effectively done by frameworks and rarely requires manual intervention. This is mostly enough, but an unsolved problem for me was to keep data private and survive a browser window reload, as I can only do one of the two with any kind of certainty. I am reasonably sure this is not possible, since every available storage is also available to other scripts, as is requesting data from the server without authentication.

sessionStorage is preferable to localStorage. Any personal data should be removed along with the session, which shouldn’t be long either.
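The three points above (state held in a closure and rendered one way, storage being readable by every script, and sessionStorage with short sessions) as one added example that is not from the original post; the storage key, expiry, `now` clock parameter and the personal field names are assumptions, and the in-memory storage stands in for window.sessionStorage so the code also runs outside a browser:

```javascript
// Added example, not code from the original post: state lives in a closure, the UI renders
// from read-only snapshots, and the only copy leaving the closure goes to a sessionStorage-style
// API with personal fields stripped and a short expiry. Key, TTL, `now` and field names are assumptions.
const PERSONAL_FIELDS = ["email", "fullName"]; // kept in memory only, never written to storage

function createSessionStore({ storage, key = "app-state", ttlMs = 15 * 60 * 1000, now = Date.now }) {
  let state = {}; // private: reachable only through the functions returned below
  const listeners = [];
  const notify = () => listeners.forEach((fn) => fn(snapshot()));

  // Read-only copy for renderers; the live object never escapes the closure.
  const snapshot = () => Object.freeze({ ...state });
  // Strip personal fields before anything is handed to storage.
  const persistable = (s) =>
    Object.fromEntries(Object.entries(s).filter(([k]) => !PERSONAL_FIELDS.includes(k)));
  function persist() {
    storage.setItem(key, JSON.stringify({ expires: now() + ttlMs, data: persistable(state) }));
  }

  // Restore a saved session after a reload; expired or malformed records are discarded.
  function load() {
    const raw = storage.getItem(key);
    if (raw === null) return false;
    let record = null;
    try { record = JSON.parse(raw); } catch { /* malformed: treated as no session below */ }
    if (!record || typeof record.expires !== "number" || record.expires <= now()) {
      storage.removeItem(key);
      return false;
    }
    state = { ...record.data };
    notify();
    return true;
  }

  // The single entry point for changing state: every change is persisted and rendered.
  function dispatch(patch) {
    state = { ...state, ...patch };
    persist();
    notify();
  }
  const subscribe = (fn) => { listeners.push(fn); fn(snapshot()); };
  const endSession = () => { state = {}; storage.removeItem(key); notify(); };
  return { dispatch, snapshot, subscribe, load, endSession };
}

// In-memory stand-in for window.sessionStorage so the example also runs in Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)), removeItem: (k) => m.delete(k) };
}
```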

It would be nice, if all my research and effort provided me with more comfort than they do. Maybe fear is just the price paid for remaining vigilant.