
James Mickens is back with more

Published by marco on

I recently stumbled upon some Essays from the funniest man in Microsoft Research by Raymond (Old New Thing). He is such a funny writer that this article, against convention and like the one before it (Brilliant articles by the funniest guy at Microsoft), will consist mostly of citations rather than an even mix of citations and paraphrasing that I naturally consider to be much more lucid and pithy. I quote at length to do the material justice, for documentation and to ensure that you all download the PDFs to see if there is more where that came from (there is). All emphases have been added.

He has since moved on to teach at Harvard University and is publishing things like The Wisdom of James Mickens there. That one’s about,

“Sometimes, when a professor goes on sabbatical, that professor will create a great book or sculpture, or commence upon a tour of the world to propagate some transcendental vision about the stars or aesthetics or our relationship to the divine. I myself spent my sabbatical writing a heavy metal album called “Ten Times Your Master: A King in Every Corner.” The ostensible conceit behind the album is that I, James Mickens, have gone missing, and the heavy metal community has formed a five-person tribute band called Ten Times Your Master to cover my songs. In reality, I, James Mickens, have not gone missing at all, and in fact am at the height of my powers, having created five distinct musical aliases to record a tribute album to myself, James Mickens.”

Which, you have to admit, is one of the most uniquely funny and interesting things that you’ve read in a while.

The notes below stem from a draft I wrote in 2014 and have only now published 11 years later. I have not altered them in any way because, well, I haven’t gotten any smarter, so who am I to correct my past self?

To Wash It All Away by James Mickens (Microsoft Research) (PDF) discusses the delusions of web programming:

“A modern Web page is a catastrophe. It’s like a scene from one of those apocalyptic medieval paintings that depicts what would happen if Galactus arrived: people are tumbling into fiery crevasses and lamenting various lamentable things and hanging from playground equipment that would not pass OSHA safety checks. This kind of stuff is exactly what you’ll see if you look at the HTML, CSS, and JavaScript in a modern Web page. Of course, no human can truly “look” at this content, because a Web page is now like V’Ger from the first “Star Trek” movie, a piece of technology that we once understood but can no longer fathom, a thrashing leviathan of code and markup written by people so untrustworthy that they’re not even third parties, they’re fifth parties who weren’t even INVITED to the party

“In a rational universe, a single uncaught exception would terminate a program, and if a program continued to execute after throwing such an exception, we would know that Ragnarok is here and Odin is not happy. In the browser world, ignoring uncaught exceptions is called “Wednesday, and all days not called ‘Wednesday.’” The JavaScript event loop is quite impervious to conventional notions of software reliability, so if an event handler throws an exception, the event loop will literally pretend like nothing happened and keep running. This ludicrous momentum continues even if, in the case of the seventh error, the Web page tries to call init() on an object that has no init() method. You should feel uncomfortable that a Web page can disagree with itself about the existence of initialization routines, but the page is still allowed to do things with things. Such a dramatic mismatch of expectations would be unacceptable in any other context.

“it would definitely be horrible if your browser’s scripting language combined the prototype-based inheritance of Self, a quasi-functional aspect borrowed from LISP, a structured syntax adapted from C, and an aggressively asynchronous I/O model that requires elaborate callback chains that span multiple generations of hard-working Americans. OH NO I’VE JUST DESCRIBED JAVASCRIPT.

“JavaScript is dynamically typed, and its aggressive type coercion rules were apparently designed by Monty Python. For example, 12 == “12” because the string is coerced into a number. This is a bit silly, but it kind of makes sense. Now consider the fact that null == undefined. That is completely janky; a reference that points to null is not undefined—IT IS DEFINED AS POINTING TO THE NULL VALUE. And now that you’re warmed up, look at this: “\r\n\t” == false. Here’s why: the browser detects that the two operands have different types, so it converts false to 0 and retries the comparison. The operands still have different types (string and number), so the browser coerces “\r\n\t” into the number 0, because somehow, a non-zero number of characters is equal to 0. Voila—0 equals 0! AWESOME.

“I obviously get what I deserve if my JavaScript library redefines native prototypes in a way that breaks my own code. However, a single frame in a Web page contains multiple JavaScript libraries from multiple origins, so who knows what kinds of horrendous prototype manipulations those heathen libraries did before my library even got to run. This is just one of the reasons why the phrase “JavaScript security” causes Bibles to burst into flames.

“Some JavaScript libraries intentionally begin with an initial semicolon, to ensure that if the library is appended to another one (e.g., to save HTTP roundtrips during download), the JavaScript parser will not try to merge the last statement of the first library and the first statement of the second library into some kind of semicolon-riven statement party. Such an initial semicolon is called a “defensive semicolon.” That is the saddest programming concept that I’ve ever heard, and I am fluent in C++.

“I could go on and on about the reasons why JavaScript is a cancer upon the world. I know that there are people who like JavaScript, and I hope that these people find the mental health services that they so desperately need. I don’t know all of the answers in life, but I do know all of the things which aren’t the answers, and JavaScript falls into the same category as Scientology, homeopathic medicine, and making dogs wear tiny sweaters due to a misplaced belief that this is what dogs would do if they had access to looms and opposable thumbs.

“The first log entry says that the browser executed a downloaded file as JavaScript, even though the MIME type of the file was text/html. Here’s a life tip: when you’re confused about what something is, DON’T EXECUTE IT TO DISCOVER MORE CLUES. This is like observing that your next-door neighbor is a creepy, bedraggled man with weird eyes, and then you start falling asleep on his doorstep using a chloroform rag as a pillow, just to make sure that he’s not going to tie you to a radiator and force you to paint tiny figurines. Here’s how your life story ends: YOU ARE A PAINTER OF TINY FIGURINES.”
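The two JavaScript mechanisms mocked above, the `==` coercion ladder and the defensive semicolon, made concrete as an added example that is not from this post or from Mickens’s essay; the trace function, the two stand-in library scripts and the `sink` object are all constructed here:

```javascript
// Added example, not from the post or the essay. All inputs are constructed.

// 1. Loose equality (==) on primitives, traced one coercion at a time, in the
//    order the essay describes: boolean -> number first, then string -> number.
//    Limited to string/number/boolean/null/undefined; objects, symbols and
//    bigints are rejected to keep the trace honest.
function looseEqualsTrace(x, y, steps = []) {
  const kind = v => (v === null ? 'null' : typeof v);
  for (const v of [x, y]) {
    if (['object', 'symbol', 'bigint', 'function'].includes(kind(v))) {
      throw new TypeError(`${kind(v)} operands are out of scope for this trace`);
    }
  }
  if (kind(x) === kind(y)) {                        // same type: plain strict compare
    steps.push(`${JSON.stringify(x)} === ${JSON.stringify(y)}`);
    return { result: x === y, steps };
  }
  if ((x === null && y === undefined) || (x === undefined && y === null)) {
    steps.push('null == undefined by definition');
    return { result: true, steps };
  }
  if (typeof x === 'boolean') { steps.push(`${x} -> ${Number(x)}`); return looseEqualsTrace(Number(x), y, steps); }
  if (typeof y === 'boolean') { steps.push(`${y} -> ${Number(y)}`); return looseEqualsTrace(x, Number(y), steps); }
  if (typeof x === 'string' && typeof y === 'number') { steps.push(`${JSON.stringify(x)} -> ${Number(x)}`); return looseEqualsTrace(Number(x), y, steps); }
  if (typeof x === 'number' && typeof y === 'string') { steps.push(`${JSON.stringify(y)} -> ${Number(y)}`); return looseEqualsTrace(x, Number(y), steps); }
  steps.push('no coercion applies');                // e.g. undefined == 0 is false
  return { result: false, steps };
}

// Sanity check: the trace must agree with the engine's own == result.
const agreesWithEngine = (x, y) => looseEqualsTrace(x, y).result === (x == y);

// 2. The "defensive semicolon". LIB_A is a constructed script whose last statement
//    has no terminating semicolon; LIB_B is a constructed script that opens with
//    an IIFE. Joined as a bundler would join them, B's "(" turns A's object
//    literal into a call target. A leading ";" on B prevents that.
const LIB_A = 'var libA = { name: "A" }\n';
const LIB_B = '(function () { sink.libB = { name: "B" }; })()';

function loadConcatenated(a, b) {
  const sink = {};                                  // stands in for the global object
  try {
    new Function('sink', a + b)(sink);              // run the joined text as one script
    return { ok: true, libB: sink.libB };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

Running `looseEqualsTrace("\r\n\t", false)` yields exactly the three steps the essay walks through, and `loadConcatenated(LIB_A, LIB_B)` fails with a TypeError that `loadConcatenated(LIB_A, ';' + LIB_B)` does not.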

This World of Ours by James Mickens (Microsoft Research) (PDF) discusses the delusions of passwords, cryptography and security research:

“Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@ virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN’T REAL. When it rains, it pours.”

“Even worse than the PGP acolytes are the folks who claim that we can use online social networks to bootstrap a key infrastructure. Sadly, the people in an online social network are the same confused, ill-equipped blunderhats who inhabit the physical world. Thus, social network people are the same people who install desktop search toolbars, and who try to click on the monkey to win an iPad, and who are willing to at least entertain the notion that buying a fortune-telling app for any more money than “no money” is a good idea. These are not the best people in the history of people, yet somehow, I am supposed to stitch these clowns into a rich cryptographic tapestry that supports key revocation and verifiable audit trails. One time, I was on a plane, and a man asked me why his laptop wasn’t working, and I tried to hit the power button, and I noticed that the power button was sticky, and I said, hey, why is the power button sticky, and he said, oh, IT’S BECAUSE I SPILLED AN ENTIRE SODA ONTO IT BUT THAT’S NOT A PROBLEM RIGHT? I don’t think that this dude is ready to orchestrate cryptographic operations on 2048-bit integers.”

“I realize that, in an ideal world, I would recycle my trash, and contribute 10% of my income to charity, and willingly accept the cognitive overhead of finegrained security labels. However, pragmatists understand that I will spend the bulk of my disposable income on comic books, and instead of recycling, I will throw all of my trash into New Jersey.”

“Similarly, we know that IFC research should not focus on what would happen if I somehow used seventeen types of labels to describe three types of variables. Instead, IFC research should focus on what will happen when I definitely give all my variables The God Label so that my program compiles and I can return to my loved ones.”

This is the enduring problem of security. This is what always happens when the people charged with providing security aren’t well-versed enough to handle the complexity of the chore. Our job as framework developers is to make a system that is as simple as possible, but no simpler. Sometimes, initial efforts miss the mark. Sometimes, there is no feasible way to bridge the gap between users’ capabilities and the complexity of the tasks that they have to solve.

“The worst part about growing up is that the world becomes more constrained. As a child, it seems completely reasonable to build a spaceship out of bed sheets, firecrackers, and lawn furniture; as you get older, you realize that the S.S. Improbable will not take you to space, but instead a lonely killing field of fire, Child Protective Services, and awkward local news interviews, not necessarily in that order, but with everything showing up eventually.”

“Security research is the continual process of discovering that your spaceship is a deathtrap. However, as John F. Kennedy once said, “SCREW IT WE’RE GOING TO THE MOON.” I cannot live my life in fear because someone named PhreakusMaximus at DefConHat 2014 showed that you can induce peanut allergies at a distance using an SMS message and a lock of your victim’s hair. If that’s how it is, I accept it and move on. Thinking about security is like thinking about where to ride your motorcycle: the safe places are no fun, and the fun places are not safe.”

A sample from Tenure announcement: April 2019 by James Mickens (Harvard School of Engineering & Applied Sciences):

James Mickens’s Harvard tenure announcement is unorthodox. He’s basically trash-talking to his enemies, who can no longer touch him. Some samples:

“My seventh-favorite enemy is obviously Alan Fontaine of Iowa State University. I know that you’re reading this, Alan, because you keep inviting me to NSF panels even though I mailed you a glitter bomb that was shaped like me mailing you a glitter bomb. Your theories on Muppet physiology are childish and naïve, and I viciously refute them in my upcoming article “Parasitic Infections of Muppet Gastrointestinal Hand Holes.” I wish you the best when you lose your endowed professorship and are forced to teach at a lower-tier institution that can’t even afford real Muppets and has to use oven mitts with faces drawn on them.”

“On that page, I used my grandfather’s charcoal pencil to draw a picture of myself dunking a basketball over your confused, athletically-incompetent body;”