Kartones Blog

Be the change you wanna see in this world

Taking care of my body when working remotely

Reading a Dilbert book I found this really funny comic strip about remote work and personal well-being:

Dilbert on remote working

Until half a year ago I didn't do much remote working, mostly because previous jobs didn't allow me to and I wasn't so eager to try it. But in the past months things have changed and now I really appreciate it as a way to improve concentration and squeeze more time from the day for other tasks (mostly as I save on commuting). But there is one thing where at least I have to be careful now: ergonomics and a proper sitting position.

Ergonomic seating basics

I sometimes tend to cross my legs, other times to curve my back, and sometimes I get wrist pain (not strong, but enough to annoy)...  so I've been improving my home working area as now I work an average of two days per week from home. This is the setup I currently have:

An old, grey and white IKEA Fredrik work table with up to two optional shelves above it, plus a cable cord "rail" and a keyboard tray. It is wide and big enough for my laptop, monitor, a study area (for books, writing...) and even a PS3. The cable holder rail is so nice for avoiding tons of cables lying under the desk. It is also high, so with a small box below (with drawers to store things inside) I have the monitor at the correct height to always look straight ahead and not lower my head.

IKEA Fredrik

A decent (but not expensive) chair, with a net-like back so that my body can "breathe", and of course armrests, to keep the arms at a proper angle. I modified the keyboard tray of the table to be at the proper height so my arms form a proper 90° angle. A Steelcase or similar brand might be awesome, but they are so expensive that while I can find cheaper alternatives I'll stick to those.

Ergonomic chair similar to mine

A 24" 1920x1200 monitor. People go a bit crazy IMO and maybe for a designer 27" or 30" are nice, but at least I don't need so many inches. I have a 30" monitor but after some daily use I moved it permanently to being my gaming PC screen and instead use something smaller but good enough as a display for my daily tasks. I'd love to have one that rotates to portrait mode (so nice for coding, I had one like that at a previous job) but while this one works I won't change it. Two monitors might also be interesting but I'd need a Dell docking base and my table is not huge, plus I'm so used to alt-tabbing that I don't need them.

Dell 24 inches monitor

I use an ergonomic keyboard for everything except gaming. I have two Microsoft Natural Keyboard 4000, one at home and one at work, but recently I switched (at home) to the newer and smaller Microsoft Sculpt Ergonomic, because I get more free space from the (separate) numeric keypad segment, and it is great, with soft keypresses and definitely a good improvement. Ah, it is in English; I'd rather learn where the ñ and accents are when I need to write in Spanish and enjoy the quicker code writing of a UK layout (I've never used a US layout, but as it would be harder to get from Spain anyway, I simply don't care).

Microsoft Sculpt Ergonomic for Business

I recently tried and now use a footrest platform. I bought a Kensington Solemate Plus because it is cheap but allows adjusting the inclination and height, plus the feet don't slip.

Kensington Solemate Plus

As I play videogames, ages ago when I bought my gaming PC I did it with a good laser gaming mouse, a Razer Diamondback. After it served me for around 4 years, I decided to buy another one for the gaming rig and I've been using this one for coding for around another 4 years. It is very precise and my hand doesn't get tired of using it, so I'll probably keep it until it breaks. Probably any ergonomic mouse will do, but I'd go for a mid-high gaming one as they usually are the best ones.

Razer Diamondback

For a distant future, I'd have to test a standing desk, but I don't see where I could set one up at home so for the time being it is on hold.

Add to the list good illumination, a quiet environment and, now that I have air conditioning, a nice temperature even in the summer, and the truth is I feel really comfortable working from home. Any additional suggestions, ideas or elements you'd add?

Making Rails CookieStore more secure and sessions expirable

As has been happening to me a lot lately, the Ruby ecosystem has lots of tutorials and guides that range from beginner to intermediate, but lacks more advanced topics. Recently I had to implement a security feature that surprisingly wasn't present in Rails: session invalidation when you change your password.

Many sites, CartoDB included, use Rails CookieStore, which is just cookie-based session handling: you securely serialize and deserialize session data (usually the user identifier) and avoid storing sessions server-side. Really cool in theory, but it has a flaw: if there is no server-side session management, how do I signal a password change so that the other cookies carrying my session, for example in other browsers, become invalid?

Reading the official Ruby on Rails Security Guide I hoped to find the answer, but no; instead it lists lots of security hardening points, but just recommends making your session expire, using a general secret_key (but changing it would invalidate all sessions, not just a given user's) and in the end going for database-based session handling for proper security. Well, I agree it is better, but sometimes you cannot adopt some changes as easily as they seem, so... what about improving CookieStore?

First I went deep, checking the source code of CookieStore and its "mixin parent" AbstractStore. They just wrap the actual session handling around storing in a cookie, but the parent had an interesting method, generate_sid (session id). Maybe if I could change the generation of the session id it would be enough... so I also checked Rack::Session::Abstract::ID, the parent of all stores. I did some tests inheriting from CookieStore (as I don't fancy monkey patching even if Rack's code suggests it) but quickly I found that when you are generating a sid you really don't have any context of "users"... and you shouldn't, because this is deep inside the internals. This is for people wanting to modify the session id generation algorithm, or the actual storage of session data.

So, I went up, because on top of Rails we use Warden to ease all authentication (we have user/pass, API key, OAuth...). Digging into its wiki I found that you can have more session data than just the user id that you deserialize into a full User object upon retrieving an existing session. But that example wasn't enough, as it only worked when playing with default session scopes. We use scope-based sessions because our usernames are unique and cannot be repeated, so for example I can have a session cookie with the scope "kartones" and another with the scope "test" (or different roles, or other ideas you might have).

Checking more about Warden, I found some interesting callbacks, but again the examples were silly and not too useful, so as usually happens with Ruby, it is better to again check the source code to see the internals. And inside hooks.rb I found the answer, in the documentation block of after_set_user. There I could hook into the handling of authentications and store additional session data in the Warden initializer file... something that also changes when your password changes, e.g.:

# Runs on every authentication except plain session fetches, and stamps a
# token derived from the stored password hash into the per-scope session.
Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
  auth.session(opts[:scope])[:sec_token] = Digest::SHA1.hexdigest(user.crypted_password)
end

Now, editing the traditional Rails base ApplicationController, I can add some methods to handle this additional data:

# Re-stamp the token in the current scope's session (call it after a password change).
def update_session_security_token(user)
  warden.session(user.username)[:sec_token] = Digest::SHA1.hexdigest(user.crypted_password)
end

# The session is valid only if its token matches the current password hash.
def session_security_token_valid?(user)
  warden.session(user.username).key?(:sec_token) &&
  warden.session(user.username)[:sec_token] == Digest::SHA1.hexdigest(user.crypted_password)
end

# Drop the session (by default) when the token is missing or stale.
def validate_session(user = current_user, reset_session_on_error = true)
  if session_security_token_valid?(user)
    true
  else
    reset_session if reset_session_on_error
    false
  end
end

And then just add the new logic to the authentication endpoints, for example:

def login_required
  is_auth = authenticated?(CartoDB.extract_subdomain(request))
  is_auth ? validate_session(current_user) : not_authorized
end

Now all that remains is to call update_session_security_token upon a password change, and all other cookie sessions will become invalid.

Why this is not an option in either Rails or Warden, I don't know, but I couldn't find a single tutorial, post or message detailing all this info, so let's hope this post helps fix that.
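The whole scheme, as an added self-contained Ruby sketch that is not the post's or CartoDB's code: plain hashes stand in for Warden's per-scope session, a constructed User stub replaces the model, and the two-browser scenario shows the other browser's cookie session being invalidated after a password change. It also compares tokens in constant time instead of with `==`, which the post's version does not do.

```ruby
require 'digest'

# Constructed stand-in for the User model; only the field the technique needs.
User = Struct.new(:username, :crypted_password)

# Token derived from the stored password hash (as in the post's Warden hook).
# A password change alters crypted_password, so the token changes with it.
def security_token_for(user)
  Digest::SHA1.hexdigest(user.crypted_password)
end

# What the after_set_user hook does at login; `session` stands in for
# Warden's per-scope session hash (auth.session(scope)).
def update_session_security_token(session, user)
  session[:sec_token] = security_token_for(user)
end

# Constant-time comparison, so the check does not leak the token through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def session_security_token_valid?(session, user)
  return false unless session.key?(:sec_token)
  secure_compare(session[:sec_token], security_token_for(user))
end

# validate_session from the post; reset_session is modelled by clearing the hash.
def validate_session(session, user, reset_session_on_error = true)
  return true if session_security_token_valid?(session, user)
  session.clear if reset_session_on_error
  false
end

# Scenario: the same user is logged in from two browsers and changes the
# password from browser A. Only A gets re-stamped; B must be invalidated.
def password_change_scenario
  user = User.new('kartones', '$2a$10$old-hash-placeholder') # constructed value
  browser_a, browser_b = {}, {}
  update_session_security_token(browser_a, user)
  update_session_security_token(browser_b, user)
  before = validate_session(browser_a, user) && validate_session(browser_b, user)
  user.crypted_password = '$2a$10$new-hash-placeholder'        # constructed value
  update_session_security_token(browser_a, user)
  { before: before, a_after: validate_session(browser_a, user),
    b_after: validate_session(browser_b, user), b_reset: browser_b.empty? }
end
```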

My dislike for open office spaces

Open office spaces are a logical step when you are a small company, but as you grow, they have become the "first cool thing to do with your office" in software development. I have been working in them since 2008, and before that intermittently at some clients while consulting. And the truth is that I still don't like them.

I come to the office primarily to work. It sounds asocial* and maybe it is, but my main goal is to do my job. I can make friends, I can laugh and tell jokes, but the highest priority is to work, and, at least while coding, concentration is a basic need. It is not that I don't like seeing my colleagues' faces in a friendly environment "without walls, all open". It is more the fact that education and respect become vital, and building a culture of silence is not a trivial task.

Silent hours, public and/or private complaints, forbidding audio/video chats in working areas, listening to music the whole work shift, allowing remote work, clever rearrangement of teams to isolate or at least reduce the noise from noisy ones... I've seen a few approaches, but in the end, until everybody learns to keep a "low noise volume", they are just mitigations.

I've also noticed that there are virtual walls: teams still have to sit together or really near each other, so changing teams creates a cascade of people moving their things**. It might not always be the case, but I have yet to see a fully decentralized team that always works flawlessly.

So far, the best approach I've seen, and the most comfortable working environments I've been in, is to have separate rooms or at least physical walls separating teams. You distract and get distracted less, you can talk with the rest of the team, it makes being quiet much easier, and there are always common areas like the kitchens (or a bar nearby!) to talk with the rest of the company while having a break.

Making an open space office work correctly is possible... but at Tuenti it took years (and trying most if not all of the "hints" mentioned earlier). It seems to require quite some effort regarding education and respect.

* Back in my university days, as it was far away from home, if I was going to spend 2 hours per day on a train, I was going to either study or do assignments. That's why I never learned to play Mus or CounterStrike, but I managed to pass more than half of my degree while working part-time and then going to university.

** Up to the point that I became a "nomad" at Tuenti by having just my laptop, my chair and a monitor in order to move "everything" quickly with the so frequent "reallocations" we had.

Book Review: The LEGO Mindstorms EV3 Discovery Book

The LEGO Mindstorms EV3 Discovery Book book cover

As lately I'm quite busy between my pretty dog, working, reading articles (of too varied topics to write about them, I think) and trying to rest, I've just written another book review I had pending for a while. It's another book about LEGO Mindstorms EV3 (for which I have sadly left my Node.js library quite abandoned), so feel free to check it out if you like the topic.

Fight about the ethics, not about the tools

I've come to "hate" most development languages, the same as I don't really "love" any operating system, but it seems in our current society people must always take sides. You cannot just have a set of tools and choose whatever is best for the job: "Still using SQL? Dude, NoSQL is the future!", "Server-side code, are you from the past? Javascript-all-the-things!", "Scripted languages? Nothing like going down to the metal with C++!". No matter what you choose, there will always be an opinion against it. No matter the choice, it will always look wrong to somebody somewhere.

There will always be fanatic tech wars, but there is something that I don't see many fights about: fights about whether something is ethical to do.

Let me start with a story I directly lived. At one of my previous jobs, one of the things about the company that hooked me into joining them was that they had moral values: they donated a yearly percentage of total earnings to NGOs. Once in, we had the opportunity to work on a project related to image recognition that was related to the Spanish Department of Defense. Instead of saying "yes, show me the money" it was voted on internally and rejected for being related to the military. We declined a project for being unethical and related to weapons and wars. *

I've sometimes had to do things I was not happy with, be it directly building projects I didn't believe in or participating in others I wasn't happy or proud to be a part of due to some of their uses. I once had an internal fight and an educated but firm boycott, I've always tried to express concerns and I openly say things I don't like. But I'll definitely avoid working on things that do harm instead of good. There's the saying "never say never", but I'd have to be really, really desperate to work with the military. At my current job, anybody can install the open source version and we cannot easily control that, but at least there are people building great things with the product, and that makes me happy enough despite possible "wrong uses".

I'd rather sleep well and feel I'm at least not doing any harm to the world than earn more money. If being successful means suffering the loss of ethics and morals, I'd rather be a mediocre player in the game.

* Sadly, years later the same company "was able" to employ a few consultants at the very same Spanish Department of Defense. Money changes people and ideals, but fortunately I had already left.