blog

The secure inconvenience of security

People always tell me that software updates are meant to make them better. If there was a graph for betterness in software, the "wow-this-is-good/second" axis would be proportional to the "number-of-updates". This makes sense, right? When we release a software, it is definitely not perfect, so we release patches to make it more and more perfect. Every once in a while, however, I am reminded that "good software" is really a subjective thing. It was a fatidic morning of January 27th (also called "today" back then), I was drinking my morning tea and eating my morning food, doing my morning work, when I received an email asking to answer some questions and send some source code to an institution. Simple enough. I quickly answered the questions and now it was time to send the code. Just an observation: they do not want Git repositories, cloud hosting, smoke signals, just a plain *zip* file with the source code. "The source code is attached to this email" - I typed confidently, just before being reminded by Gmail to actually attach my file. What a world we live in. I happily attached the file, and innocently pressed the "Send" button. Immediately, my pure soul was bombarded with error messages, saying that my message violated security rules from Gmail; after a quick research, I learned that my zip file contained a *.js* file, which cannot be sent by email. My JavaScript dropdown menu likely sounded several horns and aircraft sirens at Google for being a menace to mankind. Well, I can understand why this would be a security concern: Gmail is just trying to prevent grandmas from being scammed by Nigerian princes. How could I blame them? Well, it turns out that I *kinda* need to send my source code, so I tried to outsmart the engineers at Google by: 1. Using a different extension for my zip file 2. Using a password to encrypt my zip file 3. Pressing the **Send** button several times and hoping for it to work this time Surprisingly, none of these alternatives worked. Google was one step ahead!
Even with encryption, zip files still keep the filenames!
"It's ok. I will just google for a solution!" - I tweeted to myself mentally, while I was already googling it. Now, if there is something that the Internet is really good at, is providing you impractical solutions and reminding you what a terrible person you are because they are impractical. If my research could be explained with an overly-dramatic narrative, this is what it would look like:
Me: Hi. I would like to know how I can send a Zip file with gmail.
Internet: Why do you want to send a Zip file with Gmail? This is insecure!
Me: Yeah, but I need to send some source code to a previous employer and...
Internet: This is not a good way to share source code! You should use version control!
Me: I am using version control for development. But the institution doesn't want my repository. They just want to send a copy of the current master branch and that's it.
Internet: How dare you not to use version control to share some files with them? This is a terrible practice! You should be ashamed of being such a terrible professional! Clearly the easiest way here is for you to tell them to change their business model, create an account on GitHub or similar, share the project with them, and then tell the to download the .zip file from the repository!
Me: Is there another way?
Internet: If you don't want to use version control, host it somewhere!
Me: If I just send it by email, all they have to do to keep it there is NOT delete the email and it will be secure. If I host the file, I will have to be responsible for keeping it.
Internet: Find a good place to host the file, upload it, protect it with a password, send them the link, wait for 3 days until they finally download the file and put it somewhere secure, and then you can delete the hosted file! Easy!
Sometimes I miss the simplicity of the old days. I could send ".bat" files to anybody via email. In fact, I could send anything I wanted. True: it was limited to around 4Mb, but this many megabytes back then was not something I would have enough internets to send anyway. I remember one day when I spent around 4 hours with my dial-up connection to download an 8Mb mod for my TheSims (hopefully I am not breaking any laws by saying this) - the download file was corrupted and my father wasn't pleased with me. Nowadays I have an upload speed large enough to basically send anything I want - as long as it is plain text and does not contain the letter "T". So, after about 30 minutes of wasted time, that was my situation: the guy with a degree in computer sciences wanted to send a 400kb .zip file over the internet, but he didn't know how. I ended up hosting it somewhere in the cloud and sending them the link. Someday I hope I will be able to delete the file and not having to care about it anymore. Dang. Only if there was a way to send small files to another person instantly in 2018... Maybe an app like this could be the next "big thing". In conclusion: I am bitter.