First, let’s establish how much of an expert Tim thinks he is, and what he’s advising you, my reader to do:

“Recently, I came across an e-book written by Zed A. Shaw entitled Learn C The Hard Way, and while I can commend the author for spending the time and energy to write it, I would NOT recomend (sic) it to anyone seriously interested in learning the C programming language. In fact, if you were one of the unlucky souls who happened to have purchased it. Go right now and at least try to get your money back!”

That’s a very serious condemnation of my book, especially from someone who has never taught C, never written a book, can’t even spell “recommend”, and later demonstrates that he doesn’t have a clue about security defects inherent in C. So what are Tim’s complaints about my book?

Tim Has No Teaching Experience

The majority of his complaints about my book, Learn C The Hard Way stem from a lack of understanding in my (very successful) teaching method. To Tim, and most old school programmers, the way to teach something is to teach all of the topic at once in one huge chunk. You teach Make by writing a chapter on Make that tells the reader every single little thing about Make possible, and then demonstrate with some code. Here’s Tim’s statement to that effect:

“At this point, the only thing I can think is, “I’d just love for you to show me a damn working Makefile!” A novice will be thinking, “What the hell’s a Makefile?” as the concept of a Makefile has not yet been introduced.”

Then later he says:

“I don’t know how to set-up my environment, this “Makefile” thing pulled a Jimmy Hoffa, and now I have to use this Valgrind thing, after I go download it and build it from source. Great…”

The problem is, Tim didn’t read far enough to where I do explain how to make an environment, and misunderstood my purpose at that point in my book. I’m not teaching the reader to write a Makefile and start a project. I’m teaching them to quickly get their very simple C code to compile. My target readers are people who have a language like Python or Ruby but haven’t dealt with a compiled language before. But to Tim, this is insufficient because he thinks a beginner is like him and needs to know all of the Make to be able to use it.

This lack of understanding of an actual beginner is exactly why so many programmers are so terrible at teaching, or even writing basic software for non-developers. It’s not that a programmer is somehow emotionless or a “robot” like obnoxious nerd haters say. It’s that the majority of programmers have a far more advanced understanding of computing, and specifically the software they create. Through their path to that understanding have forgotten what it was like to be a beginner. This leads them to assume many things that just aren’t true. Such as, “Unless a beginner is taught every single aspect of Makefile construction they cannot use Make’s implicit build rules to build a basic C file.”

This means that Tim’s statements about how I teach are mostly invalid because he doesn’t understand how people learn to code. He’s never had to teach someone who’s just starting out so he thinks blasting them with a treatise on Makefiles is what they need 4 exercises into a course of study. By contrast, I actually sit with real people and have them go through my books, and then adapt the exercises based on where they get stuck. I also used to have comment sections on every page to gather information on how to improve exercises. Tim basically read K&R and wrote some crappy C code, which we’ll see shortly.

However, Tim’s rabid and obnoxious condemnation of my book isn’t his actual opinion. In private emails he says this:

“I don’t doubt the seriousness of your offer. In fact, one of my colleagues also read my article, and he and I were discussing it this evening, and he told me that he’s a fan of your writing style, and would love to see you write a really good book on C.”

Tim doesn’t believe my book is entirely irreparable and a failure as he states, and in private he says there’s only a few problems with it. He even offered to help me make it better despite his lack of experience writing or teaching. What he actually thinks is I should write it the way he would write it, then it’d be a good book for you to buy. Despite Tim’s complete lack of qualifications in programming, writing, education, or anything other than having a blog, he thinks that his opinion is so superior that I should rewrite my book to fit his ideas of education, not a student’s model of learning based on actually sitting with readers and helping them.

This kind of arrogance and hubris leads me Tim’s largest failing in his post, this code right here:

void copy(char from[], char to[], size_t n)
{
    size_t i = 0;

    if (!from || !to) return;
    while (i < n && (to[i] = from[i]) != '\0')
        i++;

    to[n] = '\0';
}

Tim’s claim is that this function here is superior to a function I had written called “safercopy”, but it has a critical buffer overflow that he actually attempts to defend in the most laughable way.

To understand Tim’s failure you need to see my original “safercopy”:

int safercopy(int from_len, char *from, int to_len, char *to)
{
    int i = 0;
    int max = from_len > to_len - 1 ? to_len - 1 : from_len;

    // to_len must have at least 1 byte
    if(from_len < 0 || to_len <= 0) return -1;

    for(i = 0; i < max; i++) {
        to[i] = from[i];
    }

    to[to_len - 1] = '\0';
    return i;
}

What sends most C coders into a tizzy about this code is it came from a thought experiment I was doing where I did code analysis on the K&R C book (the book by the authors of C). Many programmers took this as an offense to them (so rational), and so they would focus on how I said this function here (safercopy) was better than a similar string copy function in the K&R C book. The problem is, to discredit my claims that mine is better, they would play this little semantic shell game:

1. “Your function is vulnerable to Undefined Behavior (UB) just like the K&R function.”
2. They then write some example that uses a totally different UB from the hundreds available, not the buffer overflow UB from a malformed C string.
3. Then proclaim that, since both functions are vulnerable to UB, my claim of mine being safe (notice, not safER), are invalid.

This is a lot like you buying a new lock for your front door that’s really great, so you tell your friend about it. Your friend goes, “Pfft, your lock is no better than leaving your door open, I could totally break into it.” Your friend then shows up with a SWAT team battering ram and smashes the door in like butter and says, “See? Your lock is pointless. Just leave your door open.” You, and I, aren’t saying a better lock is completely foolproof and perfect. We are saying it is safer, not totally safe. Doors are easily bashed in using countless methods, right down to setting your house on fire. When we talk safety of the lock, we mean against lock picking compared to the other lock. To say I should leave my door open because there’s a thousand ways to get into my house is insane.

However, my function is more resistant to a common externally accessible vulnerability. This is something I would love to research, but UB has different levels of exploit surface that is accessible to an attacker from outside the running process. A C string is fairly trivial to clobber so that it is missing the ‘\0’ terminator. It’s a bit more difficult to make random pointers go wherever you want, but still possible. It’s nearly impossible to rewrite the C code for a running process to cause a math error and make a compiler skipped a portion that was considered UB. When studying the security of C code we tend to just assume all UB is the same and don’t make this distinction of accessibility to an attacker. Bad C coders then use this UB to simultaneously defend bad code (“All code is breakable with UB”) and condemn other’s code (“Haha, you’re triggering UB”).

When I say my function is safER, I do not mean it is totally invincible. That is impossible in C, and one of the reasons I tell people to not use C anymore. I now firmly believe that C is impossible to write securely and is designed with flaws that are irreparable, mostly because of the huge number of UB that can easily be triggered externally.

I mean that the code in this simple function protects against this one buffer overflow that is often externally exploited, while the original K&R code does not. That’s all.

Which leads me to Tim’s lack of understanding of his own code. Clearly, he thinks his code is even safer than mine, but if you look at it again:

void copy(char from[], char to[], size_t n)
{
    size_t i = 0;

    if (!from || !to) return;
    while (i < n && (to[i] = from[i]) != '\0')
        i++;

    to[n] = '\0';
}

You’ll see that he only has one size, so if that size is invalid for the to variable then you get a buffer overflow. Here’s a trivial demonstration of it:

#include <stdio.h>

void copy(char from[], char to[], size_t n) { 
    size_t i = 0;

    if (!from || !to) return;
    while (i < n && (to[i] = from[i]) != '\0') {
        printf("to[i]=%c, i=%zu\n", to[i], i);
        i++;
    }

    printf("i=%zu, n=%zu\n", i, n);
    to[n] = '\0';
}

int main(int argc, char *argv[])
{
    // thanks to @mistahzip for pointing out this 
    // is a better demonstration code
    char to[] = {'A','A','A','A'};
    char from[] = "XXXXXX";

    copy(to, from, 6);

    printf("Final byte is: %x\n", to[3]);
}

UPDATE: I had my original analysis wrong and I apologize for that. This is a better demonstration of the problem, and a new analysis showing the buffer overflow.  Thanks for @mistahzip for setting me straight and putting up with me being an asshole.  Just goes to show you, this shit is hard.

Tim’s code works as long as the strings are valid, however it’s incredibly common for C strings to be invalid, and that’s how you get the buffer overflows from C strings.  In this example, I’ve added printing so you can see what’s going on.  I use a malformed to array so that you can see, if it’s wrong then it gets overwritten with garbage.  In addition, he does to[n] which will always set the wrong byte if from is larger than to. Any C coder worth their salt would realize this, and in many ways this is worse than even the K&R version since it is more complicated.

When you do this on many systems you just get a bus error of some sort, but not all. Many times you’ll have the end of one string still be inside a valid region of memory, and operating systems aren’t even close to foolproof on protecting buffer overflows. If you’re using a system that allocates stacks on the heap (such as in greenthreads), then you’ll typically blast right past this variable and into another function’s code. That’s very dangerous and creates remote code execution vulnerabilities.

You may be thinking, “Yeah but I could write code that breaks your safercopy too!” Yes, like I said, C has so much UB it’s an entirely unsafe language and you can destroy anything. The point though is that this is an insanely common and trivial programming error that is just bad math for one parameter. Mine you have the size for both so you don’t make this error as easily. You can still make the error, but it’s harder than with Tim’s. With Tim’s you’ll make this error all the time.

Arrogance and Hubris

I told Tim about this really silly error in his blog post and did he do the right thing and at least admit publicly that I demonstrated a trivial error in his code? Nope, not only has he not updated his code, further demonstrating that he doesn’t know what he’s talking about at all, but he proceeded to defend his code with the most asinine of defenses:

“That’s why strncpy() / strlcpy() were written, but of course with all such things, there’s a performance penalty to pay. Even with length checking, it’s still possible to trigger UB, for example via integer promotion (i.e. strncpy() with a negative length, which I did point out) or having dest and src overlap. … It’s much harder to carry out a buffer overflow attack with SSP, DEP, and ASLR these days. Although there are always ways around the best intentioned restrictions.”

His function, in his own words, isn’t wrong because, again, you can use a totally different set of UB to cause problems so this easily externally accessible one isn’t a problem. And there’s also strncpy/strlcpy, so his function is still valid (what?). Oh, and also there’s, like, uhhh oh SSP and DEP that totally protect against these problems (even though they don’t and we see it all the time). These are the words of someone stumbling to still be right to protect their ego, and demonstrates Tim’s lack of intellectual honesty and integrity.

Tim Is An Unqualified Beginner

This is your classic defense from an arrogant programmer who refuses to admit that he actually doesn’t know what he’s talking about. When I receive complaints that my code isn’t working, even if it’s been run through the ringer over and over, I still go and double and triple check that it’s working. If Tim had sent me this kind of trivial defect I would have fixed my code and worked to find out why I caused the error. To programmers like Tim, who think they know C but are totally clueless about computer security, it’s inconceivable that his code could be wrong.

This is a sign of a beginner. A beginning programmer assumes his code is right even in the face of all evidence to the contrary, like Tim does here. They defend it to the end, because they are personally attached to their creation and not objective. An expert assumes his code could be wrong at any moment and adds as many defenses as possible. This shows that you should not listen to Tim about C coding, and definitely not learn anything from him. He is entirely unqualified and should be ignored.

Conclusion

Tim Hentenaar wrote a confused screed about my book being terrible and claiming nobody should buy it. However, his expertise is completely lacking to make that determination, his code has defects in it, and he arrogantly refused to admit that it had problems. He also defends his security defects with confused logic about UB and the existence of other functions that have nothing to do with his own code. Listening to Tim about how to learn C is therefore a dangerous thing to do. No book is perfect, and let me tell you that first printing of mine had loads of problems, but until Tim writes a better C book you’d do well to ignore his advice and him.

In fact, this is the problem with the majority of the detractors from my book. None of them have written books, and many of them don’t even code C or have C in production. Writing books and teaching people is incredibly difficult, much more difficult than hanging out in IRC yelling at beginners about Undefined Behavior or writing blog posts. Over this next week I’m going to systematically take down more of my detractors as I’ve collected a large amount of information on them, their actual skill levels, and how they treat beginners. Stay tuned for more.

Wordnik acts as a kind of inspiration engine for me because it has so many relational features. From one word, such as allocate, I can see all of this:

•  The definition from several sources.
• Examples of the usage in the popular press.
• Currently known etymologies, which is very important to me since I like using old weird words like “octothorpe” to mess with people.
• Related words in every form you can think of, which is essential when you’re doing creative writing or naming something.
• Images related to the word, which I’ve used in exploring painting ideas.
• Hear official and user created pronunciations of the word.

So if you’re wondering how in the hell I come up with such awesome names for my projects, cram complex ideas into a tweet, and turn the phrase, then Wordnik is my main word tool.

One thing I do, almost every day, is something called object writing, and I use Wordnik’s “I always feel lucky” button to do that. I just roll over to there, click the button, and work for 10 minutes on that word. Today’s word is entropy and I’ll do a 10 minute piece of writing that explores all of my senses through that word, but Wordnik makes this even better because if I don’t like that word I use the Relate feature to find another word, or sometimes I’ll setup an extra level of difficulty where I use two related words.

If you want to improve your writing then start doing this every day. It takes 10 minutes and will dramatically change your writing.

One Million Words

Wordnik right now is trying to do an ambitious dictionary project where they want to add one million missing words to their online dictionary. The philosophy of Wordnik is to make the dictionary a description of what’s being used, not a proscription of what should be valid English. Uptight weirdos will yell at you that “Ain’t is not a word!” Well, those uptight assholes are wrong. English is a language that steals words from every language it touches and makes it easy to invent new ones.

With that in mind, Wordnik has spawned a Kickstart to add a million missing words to their online, free, collaborative, and easy to use dictionary. If you love words like I do, then this is a great project to back. I mean, you probably backed a stupid watch that will do everything your phone does and probably fail to even talk to your phone. You’ve probably backed a bunch of really crappy comic books, oh and let’s not forget that really terrible card game you never play. And let’s face it, some of you have put money into Wikipedia just so the deletionists can continue to make sure that the only knowledge left is of wealthy assholes, politicians, and Linux distros.

I mean come on, you gave money to Wikipedia, the organization that thinks I, a three time published author is not notable enough to have a page, but gives GNewSense Linux a fucking page. A total of 3 people probably used that distro, and you donated money to keep that pointless piece of information around.

Wordnik is way better. Help them help everyone catalog all of English by clicking this link.

This amounts to extortion. If Facebook is claiming to require real names and identities on its platform, and requiring people to signup for Facebook to eliminate impostors, then they are extorting signups out of people. Your only choice is to become a Facebook member and reserve your spot in their ad driven world even if you don’t want to use their platform at all (which I don’t).

However, this gets worse. Here is their reply when I submitted the only kind of ticket I could figure out how to submit to correct the impostor:

And the impostor is accepting Happy Birthday messages (on a day that’s not my birthday):

This is proof the impostor is actually impersonating me, and Facebook chose to do nothing about it.

Rather than solve my problem they’re playing the typical bureaucratic game of telling me that I haven’t properly filled out the correct forms and submitted to the proper department to resolve this issue, please try again. For a company that is claiming to create a safe space for everyone, even creating an anti-bullying hub, this is unbelievable. I should not have to navigate Facebook’s problem reporting system to have this resolved.

In my case this could get potentially worse for Facebook. I’m a published author with an actual business reason to not have impostors on a platform like Facebook. Imagine if this person decided to start contacting potential readers and slandering me. Or posting offensive messages pretending to be me so that readers of my books found them. Well honestly I doubt this guy could do that better than me, but the point is, they could invent some form of slander that would ruin my book sales. This person could also ruin my relationships with friends who are currently following the impostor account. Since Facebook refuses to take the account down and transfer control to me, and they claim to enforce identity giving visitors a false sense of security in trusting this impostor, then Facebook is actually the one causing the slander.

I believe that their actions could fall under both the Safe Harbor laws for sites and possibly the spam laws, but it’s vague. In the case of the safe harbor laws, they are exerting editorial control on identities and failing to enforce that means that allowing impostors makes them liable for any slander. In the case of the spam laws (much less possible) they are requiring people to sign up for Facebook to report problems, and also making the process onerous and difficult. The laws against spam require that people can unsubscribe from all contact with a company without logging in, and I believe you should be able to report abuse of a profile in the same way. Much like a DMCA takedown or spam unsubscribe, I shouldn’t have to be a member of a social platform to report an abusive account on that platform.

Right now I’ve contacted the impostor and asked them to give up the account, since Facebook can’t, but I should not have to contact an abuser to have this resolved. The entire point of having a system to report problems from abusive people is that I don’t want to talk to the abusive person. I want their impostor account wiped out and all the messages they’ve sent to my real actual friends given to me so that I can make sure I was not maligned. There should be one page that I go to report an account for abuse, and that’s it. This extorting my eyeballs into viewing their shitty ads just to get an abusive asshole off my name is entirely wrong.

You sit down to do these mindless, boring, stupid, pointless, annoying, exercises with no immediate value and all you see before you is a massive plate of arsenic. You want to do it now! How can playing the same scale over and over possibly help?! Now now now! Ugh, this is so boring. And then you stop before the arsenic kills you, but when you try to do what you really want you fail. You stop playing scales and then sit down to play your favorite song and can’t, then you get frustrated and give up. Fuck the guitar! It’s stupid!

Many people who react this way to practice end up only ever attempting the things they can do naturally, which is really not many things for most humans. If you can’t get immediate results without practice you give up and come up with crazy excuses about why it’s stupid. Even worse, maybe you’re the kind of person who sets insanely unrealistic goals (like learning all of Steve Vai’s repertoire in one month) so that when you fail at it you can save face and say it was just too hard. Well of course it is, if you’re incredibly unrealistic and don’t want to practice.

In my books I have exercises that are like this. Things like making a deck of flash cards to memorize all the keywords in a language are exactly the kind of arsenic infected repetition that drives people nuts. Typing the cd command 20 times to learn how to use it also seems useless and repetitive. The reason I have these exercises is they’re a quicker way to get language proficiency than if you just banged your head on coding samples for hours on end. A little bit of rote memorization has this magical quality of removing a main blocker to learning to use a language: symbol and word recognition. Rather than write code and constantly have to stop to know what a word is, you already have that word primed in your memory and simply need to learn to apply it.

However, enjoying arsenic activities is not normal. It’s a myth that there’s a small percentage of people who just can’t sit still and the rest of the world are perfect little angels who can do exactly as told and mindlessly write their names a million times to learn penmanship. It’s bullshit. Everyone has some tolerance level for boring shit, it’s just yours is probably lower than others, but nobody except a few people with some forms of atypical neurology can sit for 12 hours and do the same thing for no reason. Not at first anyway. This takes training.

I believe that the root of this belief in mindless repetition being a good character trait comes from America’s puritanical history. You got into heaven by getting up early and working hard in the fields until you died of tuberculosis or famine. If you worked hard enough you’d have enough money to buy your way into heaven, so lazy people just went to hell. This interesting bit of history is also why bohemians seem to think that memorization creates boring robots who will never have a creative actualized soul. Bohemians are simply reacting to the puritanical bullshit, but in the process inventing their own bullshit.

It’s important for learning and personal growth that you learn to tolerate rote education, but that only learning with rote methods will also hold you back. The killer combination in education is when you use rote training for basic building block skills, and then apply them to creative problems to learn how to use them. The world of programming is loaded with people who have memorized every square inch of manuals and standards, but who couldn’t code their way out of a lego castle, never producing a single piece of software of any substance. There’s also a crazy number of painters who do nothing but conceptualize all day and have no idea why their paintings keep cracking and can’t make a cup look like a cup. What you want is to be neither of those people by being both of them at the same time.

For me this is just second nature by now. I can sit down and play scales on the guitar for hours, or draw the same thing over and over to prefect a technique, or do flash cards to learn a new language. But, I’ve trained myself to turn off the heaving desperate anguish that flares up when I do them. I didn’t naturally have this ability to practice basic skills for hours. I built my tolerance to it just like arsenic.

I’m going to call this practice Educational Mithridatism, after the king Mithridates VI who was famous for having slowly increased the amount of poison he could tolerate so he couldn’t be poisoned. Apparently his mother poisoned his father, which is definitely going to make someone crazy enough to eat poison every day. Whether it’s true or not, there is some evidence that humans can build a tolerance to arsenic and other natural poisons. For this essay, let’s just assume that you can do it, and I’m using it as an analogy.

The reason I like this analogy for doing things you must, but dread, is it frames the activity correctly. It is perfectly normal for you to hate boring repetitive things. People who like doing boring shit are not magically better moral individuals than you are. They are just different, and I bet if you asked them they’d say they wish they were more “creative” (which has it’s own self-defeating attitude I’ll write about next). If you have a hard time sitting down and practicing, then don’t beat yourself up. Admit that you hate it, that it feels like poison, it’s going to kill you, and take the challenge and build your tolerance.

How To Do It

You now want to train your tolerance for arsenic. Arsenic isn’t really the best word since it’s not clear you can actually build a tolerance to it, so I’ll say you want to practice Educational Mithridatism (EM). This will require you exposing yourself to what you hate, and slowly and methodically build a tolerance to it. This will require exposure and effort, but I have a way that may help you do it.

Purpose: The very first thing is you have to figure out what benefit you will get out of this activity if you can tolerate it. The core of the problem is people who sit down to practice something seem to have no ability to see how it will benefit them. Even worse they don’t believe others when told what the purpose is. To begin, you need to clearly write down what the point is, and what you’ll get out of it. Practicing scales will make it easier to play the music you like. Learning to draw spheres makes it possible to render other spherical objects. Learning the keywords to a language makes it easier to read and write code. Before you begin the activity, review the benefits and hold that fixed in your mind.

Baseline Tolerance: Next you’ll want to have some way to track how long you’re able to tolerate this activity. Get a stopwatch or use your phone, sit down to do the activity, and the second you feel your rage rise up in your chest, stop. Even if it’s just 2 seconds. Stop the watch, and write that down in some kind of log book. Just a little moleskin will work for this log book, but I also like the Uncalendar, but whatever you do keep it simple.

Building Tolerance: Once you have your baseline, even if it’s just 2 seconds, you can then start to build your tolerance. Set a timer for that amount of time, plus “a little more”. I say that vaguely because if it really is 2 seconds then you’ll need to probably try for 10 seconds or more. If it’s 5 minutes then shoot for 6 minutes. The purpose is to set the timer, then do the activity and not pay attention to the timer until it goes off. Then tell yourself if you really made it or if you need to attempt that time again. Keep trying to reach this time limit until you can do it successfully, recording each time you attempted. Once you can reach that time, then kick up a bit more, again maybe 10% or a bit more.

Take Breaks: Take a break for about 5-10 minutes between each attempt. If you don’t take a break then you won’t be recharging your resolve for the next attempt. Force yourself to take a break no matter what.

Make A Leap: Once you’re slowly inching your tolerance up in very measured ways you’ll want to attempt a leap. You may be ready to double your time or more without realizing it. Either switch to a stop watch and just go for as long as you can then record how long it was, or set the timer for double or triple what you can handle. Track how long you really did it during these leaps and then try to set that as your new level. If you fail at a leap, don’t worry, just go back to slowly building it up.

Test Your Goal: After you do these sessions for a while you’ll want to apply your training and see if it’s working. It most likely won’t have any impact for a while, but one day you’ll try your goal activity and suddenly it’s way easier. At a certain point you may even be able to just stop doing your tolerance building training and switch to simply doing your goal activity as your training. For example, if you’re forcing yourself to memorize C language keywords, and one day reading C code is suddenly very easy, then you probably don’t need to memorize the keywords anymore. Just start coding in C as much as possible. Goal accomplished.

Don’t Over Do It: The last note is to actually treat this like arsenic and don’t over do it. You can easily push yourself too hard and burn yourself out, or if it’s a physical activity, harm your body. The reason is you start tracking yourself and then you get excited that it’s working, so you decide to go for it and actually you are totally not ready. Instead, build it in small doses, and when doing the arsenic activity feels natural you know you’re ready to try something challenging.

Hopefully this little essay helps out people who wish they could just sit down and practice something they despise but know they need. The key is that you aren’t a less moral or stupid person because you can’t focus. You’re just someone who never learned how to do it and need to train yourself. It could take years, but if it’s important to you, then this is how you do it.

I propose that I meet up with a designer who really wants to learn to code at least 1-2 times a week, and I spend one hour coaching you through programming problems and training. I’ll give you copies of my books, talk with you on IM and email, check out your code, and meet you in person to help you through it. I make bad ass coders, but you’d have to be ready to work and really try. Every day. I’ll feed you books, online classes, and anything else to get you to trained.

What I want is the same for you but with design. You’d tell me what books to buy (or just give me your hand-me-downs), and I’d work through them, do designs, websites, packaging, whatever it takes. You then critique them and tell me how to improve it, and what to read next to understand what you’re teaching. My goals is to finally be able to do my own designs and also to understand how design is taught.

I will warn you that I have a pretty strong opinion that most designers can’t draw for shit, don’t know a damn thing about the basics of color, and most of the “science” of design is complete bullshit mythology. I’m really good at being open minded when I’m a student and forgetting what I know, so don’t worry that I’ll be ungrateful or not do what you say I need to do. However, I may press you on things you claim but can’t back up. In a way it might be a good way for you to find out if what you know is legit or not.

Think of this as a research project. I’d love for a designer who has a similar opinion about programming. I can definitely tell you all of the bullshit surface area and tricks of the trade that programmers use, and I welcome a designer who’s able to look at programming as an intelligent outsider. If you’re up to the challenge, then this could be a good collaboration between two experts.

If you’re interested and can meet the time requirements, then please email me at help@learncodethehardway.org with a link to your portfolio and tell me about your education. For my qualifications I wrote this book, this book, and soon this book will be published as well. I can also give you personal references of people I’ve taught so you can check me out and confirm that I’m not a creepy weirdo (ok, just not creepy, I am kind of a weirdo).

Thank you for your time.

Painting is another skill that you can either do or you can’t. Again, this doesn’t mean the people who can paint are magical special beings who repel thetans with cadmium coated auras. I’ve found, just like programmers, some of the dumbest fucking people in the universe are painters. Hell, I can paint, which says a lot about how good you have to be to be able to “paint”. It is a difficult skill to fake, and if I sat someone down and told them to paint I could spot a fake immediately. The faker wouldn’t know how to mix, what colors do what, how much to put out, what brush to use, and other simple mechanics.

There are a great many skills where you can either do them or you can’t, and that’s where the concept of meritocracy comes from. In a meritocracy it’s supposed to be that the only thing that matters is you can do the thing, and then competition is based on how well people do that thing. In these environments you frequently hear of people who are just awesome at something getting tenure track positions at universities to teach it without any other formal education. In art I know of two professors who did this, mostly because they were just crazy bad ass at drawing or painting. Didn’t matter that they had zero degrees in art. All that mattered was they could do the thing, and they were awesome at it.

The appeal of a meritocracy for weirdos like me and many of my friends is that we’re frequently judged for things that have absolutely nothing to do with who we are. People have all sorts of disabilities, socioeconomic backgrounds, appearances, strange interests, and personality quirks that make them the targets of slick talking douchebags with angelic faces. These pretty motherfuckers get away with literal murder while a weirdo like me gets death threats because I don’t like Haskell. In my ideal environment, it wouldn’t matter what you look like, only that you can do the job and how well you do it. That’s a meritocracy.

Obviously part of “doing the job” is being able to work with others, but that cuts both ways. I have to shower and not invade people’s personal space, and you have to not comment on my fucking clothes or make fun of how I talk. I have to be polite and say thank you and not hit people, and you have to stay off my computer and not walk around the office with an 8” hunting knife. I have to work with people on a team and help folks out, and you have to not assume I’m gay because I like to paint.

In general, things in a business work better if you follow Zed’s #1 Rule Of Business:
Don’t shit where you eat.

You like hunting knives and guns? That’s your personal shit. Do it at home or a gun range. You like weekends full of BDSM sex with guys dressed in unicorn costumes? Shit in your own mouth at home. You like to smoke weed and think the girl in accounting would be a great addition to your bi-sexual poly relationship? Super fecal. Definitely do it at home. You’re a super religious Christian who has a mandate from God to convert the masses? Yup, turds galore. Do it at Union Square. You can totally be into these things, and tell people about it, and be yourself, but if you want the work environment and the meritocracy to function then you have to vanilla up to a point and reduce the drama. That way everyone has a nice drama free day and can just work their damn job without worrying about being harassed because you’re a freak (and they leave you alone even though you’re a freak).

Incidentally all of these things have happened to me at places I’ve worked, and that’s your first clue about why the meritocracy is such bullshit. Everyone who claims they have a meritocracy then uses this to act like total fucking assholes because if you extend the concept of meritocracy too far you can excuse any obnoxious ass behavior. The real result of a meritocracy is to craft a character I like to call Mr. Teflon. When you read those words you probably had a specific individual pop into your mind, but let me explain Mr. Teflon to you.

Mr. Teflon is that guy who is a complete total fucking asshole and a fuck up, but for some reason he never gets fired. Maybe he did something heroic in the past, or maybe he has pictures of the CEO giving goats rim jobs. Who knows, but this is the kind of guy who can cost the company $500k through his own incompetence, grab the ass of random women, never show up to work, yell and scream at managers, walk around with a knife, hack other people’s computers, and be an insulting prick to everyone and still keep his fucking job. Nothing sticks to him ‘cause he’s coated in teflon.

My favorite Mr. Teflon was Rajiv, who would troll people’s accounts looking for nude pictures, kept crashing the fucking site because he hand edited servers as root, kept the network architecture a secret so everyone had to depend on him, clearly was doing coke at work, demanded that employees he just didn’t like be fired, and would incite near violence against anyone who tried to manage him. In one incident he spent weeks on IM with the team undermining a product manager until finally the CEO had to fire the product manager because this Mr. Teflon managed to make everyone hate the product manager. This guy was a total fucking asshole, but one time back in the day he managed to figure out a hack on OS X that nobody else did so he gained a position of power and nobody would fire him. He later would cost the company insane amounts of money, but hey meritocracy right? Gotta keep motherfuckers around who did a good job once way back in the day because it’s all about who does the best job!

Another great Mr. Teflon was Chris. My first encounter with Chris was walking into the office after I’d been there 3 days to him screaming at the VP of Engineering, “Fuck you! Fuck you! Leave me alone you fucking asshole! You better shut the fuck up!” Why? The VP of Engineering was trying to get him to write unit tests. Chris was a short loser little asshole who had saved the company once, so nobody would fire him. Eventually he walked up to me and asked, “Do you know Thomas?” Thomas was a guy who hated me online, and I thought it was weird Chris would ask me about him. I said I did and then Chris started typing quickly on his laptop with a weird grin on his face. I strolled by casually and shoulder surfed him talking to Thomas on IRC telling him about me. He actually hunted down one of my enemies and violated my privacy to inform on me! That’s fucking crazy. But, he was Mr. Teflon there so I couldn’t get rid of him.

Over the months this asshole Chris would constantly ask me what I thought of Thomas. Since I knew that he knew Thomas I fed him huge lines of bullshit and misinformation, but one day Chris walks up and asks, “How do you store your passwords?” He was really freaked out asking me this, like he knew he was doing something wrong. He stammered and didn’t look me in the eyes, and I realized, holy shit, this guy is going on my computer and giving Thomas my password database, if he hasn’t done so already. I immediately started taking my computer home and changed all my passwords, and then other weird shit started happening. One day all SSL certificates to gchat and gmail stopped working, and when I started yelling about it Chris ran to his computer really quick in a panic. I started bringing my own WiFi hotspot to work. He came to work one day carrying a massive hunting knife, ‘cause, you know, that’s totally appropriate in an office.

Chris was an insulting, obnoxious, stupid fucking loser who probably violated my privacy and handed who knows what information to an enemy of mine online while walking around with knives, screaming at leadership and doing no work, but did he get fired? Nope, because, meritocracy, and Chris had done like, one thing 2 years prior that meant he could be the absolute worst most abusive employee ever and never be fired.

I’m done with meritocracy after encountering Mr. Teflon assholes in every supposed meritocracy and seeing how that word ends up doing nothing more than keep barely capable losers who get lucky once in jobs despite their insanely fucked up behavior. The failure of a meritocracy is that it has become a way to abuse people. Originally it was so that people who were different could keep their jobs in the face of mediocre losers who felt everyone should be just like them to have a job. Now it’s used by mediocre losers to keep other mediocre losers in jobs just because they’re all alike.

The problem with throwing the meritocracy completely out is programming is a skills based job, and like I said you can either do it or you can’t. Nobody wants the inverse situation where some mediocre asshole from HR denies promotions to people because they don’t have the right education. The inverse of a meritocracy is organizations that are obsessed with certification and not on results where HR controls who gets promoted and rewarded. These environments breed idiots who can fake their way through jobs until they’re in a position of power because they got a degree from Haavaaad and have a pretty smile. The inverse of meritocracy is just as abusive and rewards people for their socioeconomic backgrounds rather than giving them a chance to shine despite where they come from.

The upside to HR run bureacratic companies is they don’t put up with Mr. Teflon. These places have procedures and policies that you have to follow. They have sexual harassment training and dress codes. They may be vanilla, but if I’d told HR that Chris was walking around with a fucking hunting knife, going on my laptop and not working he’d have been fired quick. I don’t advocate the bureaucracy of HR run companies, but fuck me if that’s the only way to get rid of Mr. Teflon then let’s do this! I was in the Army. I’ve worked for the government. I can fill out some forms in triplicate to get rid of that complete loser. I can put on a suit. Hell yeah.

Actually, I’ll just work for myself since that’s the ultimate meritocracy.

Reading poetry is like explaining jokes, except the person reading poetry is deeply attached to what he’s doing. This is him baring his soul to an audience and since the poem is about his failing business, lost wife, dead father, forlorn lovers, and other personal tragedies nobody can say anything. He can totally suck and everyone just grins and says, “Oh man Joe, that song was great!” Even though that song was exactly the same as the last one he “sang” without any accompaniment or any form of musical skill. By attaching a personal emotional connection to what he’s created he has shielded himself from criticism.

I see this in art classes too. We’re looking at a stupid video installation, and lord man do I hate video installation. But this one looked like it was making fun of video installation, not really attempting to make anything meaningful but just being random to be random. We secretly know that most abstract contemporary artists just do random shit until someone buys it, but apparently verbalizing this truth into the world was a cardinal sin of art education. My teacher (who I admire very much) admonished me since this video screen with a dinosaur bone in front and coated with birthday wrapping paper could be an expression of the time the artist was raped by a gang of roving oompa loompas one fateful night by the Salton Sea.

I doubt this artist actually thought that way, but there’s no way to know. Because abstract creative works are open to interpretation, an artist can crank out total randomness and then back into the deep personal meaning to shield it from criticism and sell it. If you craft a sculpture out of hunks of random metal from a ’57 Chevy because you’re a white dude who likes cars then you can be ripped to shreds by an art critic for being a typical dude. If you cut apart a ’57 Chevy as a statement on rape, race, religion, sexuality or anything deeply personal then you have the perfect shield. What critic wants to be the guy who ripped into a poor artist who was raped by his father’s religion’s sexualty?

We all know that most of this contemporary art is created simply because it sells and most of the artists have zero actual real emotional attachment to what they make. They have emotional attachment to the fucking money. What these artists want is to be able to put their works out there and sell them while at the same time avoiding any criticism which might suggest they aren’t as genuine as they claim, or that their art isn’t very good. This is unfair to the audience because it removes our power to react to the art in a genuine way, even if that reaction is, “Fuck that sucks.”

I see this same defense of the personal among open source authors. I love it when people make things and publish what they make, but I’m a firm believer in living and dying by the sword, and if you’re publishing your work, well people are going to comment on it. If you don’t want that then don’t put your shit out there. Go find a little group that will keep it quiet until you can handle it. Then when you’re ready put it out there and be ready to eat some shit, because if there’s one thing I’ve learned from putting myself out there over and over it’s that people who publish frequently are easy targets for total fucking assholes. My rule is, learn to fight the assholes on the merits of your work or their personal agendas, and then listen and adapt to everyone else’s thoughts as part of the public expression experience.

With open source they have this perverse defense where they put their software out there, which is just a tool, nothing personal about it. Art or poetry I can see being inspired by tragedy and hardship. Software? Shit, the only hardship that inspires my software is another project sucking so bad I craft something better in a fit of rage. You think I hate poetry? You should see my rage at shitty software. What these authors do is claim their open source project is a labor of love and that they poured their lives into this project! It’s their baby! How dare you say it has bugs or that it sucks! Who cares if it’s full of turd cookies they did it for free! You have no right to criticize it! My daughter is dying! I have cancer!

The same thing you were probably saying about these self-absorb pretentious artists and poets defending their art from criticism with the mantel of personal tragedy applies to open source. You can’t go around saying that simply having invested your time in it means that nobody can get pissed at you for writing buggy shitty code. You can definitely get angry at someone exploiting you, that’s for sure. Some company abusing your good will to further their goals is wrong.

But if someone finds a bug in your shit, and it ruins their fucking day, then it’s your fault and you should apologize and fucking fix it. That’s what I do. I handled 330 tickets for all of my books last month, pro-bono, and apologized to everyone that found something stupid I did. One person was an asshole to me, being abusive and insulting to programmers (while at the same time trying to become one) so I refunded his money and told him to go fuck himself. Life’s too short to put up with one of those assholes. Everyone else I helped out as best I could and actually apologized when I fucked up bad. I didn’t take it personally when people were having a hard time because it was my fault they were having a hard time. I felt sorry for them and did my best to make it better.

This defense of the personal in open source is so bad that twice I’ve had project leaders tell me strangely personal tragic shit about them to keep me from commenting publicly about their projects. One told me he was dying of cancer, and another told me that his daughter was dying. Yes, they told me this so that I wouldn’t say their project sucked. That’s how fucking nuts defense of the personal is. I would never tell a total stranger something like that just to protect my business, but these two idiots did. Interestingly enough, neither of them died, and I believe both of them were lying, but I still stopped saying something because I didn’t want to be a dick. But seriously, what kind of an asshole uses a kid with cancer to avoid fixing a fucking bug?

1. Write the skeleton of the function.
2. Write comments in English describing what that function should do.
3. Under each comment fill in the code necessary to make it work.

This procedure works for early programmers because they typically know how to write code, and know what they want it to do, but the gap between what they want and what to write is fairly large. They don’t have enough experience to close the gap, but since they can describe what they want the function to do then that’s their start.

I find that starting with desired results works best for beginners and early coders. Everyone uses a computer these days and know how software should work. They can describe what they want their software to do much more easily than they can write code, so starting there gets them going. Eventually after coding for a while they switch to thinking entirely in code, but even to this day when I can’t quite think of the code to write, I start with the comments and fill them in.

If I throw in testing into the teaching (usually when they’re more capable), then the procedure becomes a little more complex:

1. Write the skeleton of the function.
2. Write the test and first call of the function making it fail.
3. Write the comments in the function for what it should do.
4. Fill in the comments with code and keep expanding and running the test.

Yet, the process is still the same and focuses on describing what I want and then filling in the blanks. In writing this is the same process I tell beginning writers. Just talk out loud and say what you want to say, writing those as little notes, then fill in the paragraphs. Or, create an outline then fill it in. Same for painting, where I tell people to make a rough outline of what they want to paint, then figure out each piece of the outline.

In general, the way you can solve a complex problem that’s difficult to visualize in any medium (code, words, paint, music, etc.) is to convert the problem to a paint-by-numbers problem. Instead of just trying to do it all at once right in your head and get it right, you break it down into tiny problems, then solve each one.

What if code editors helped with this process specifically? What I mean is, imagine your process becomes this:

1. Write the test or the function skeleton, doesn’t matter, and the editor makes the other one.
2. Go into the function, and start writing comments.
3. Editor guesses at what should go there and puts it under your comment, and it keeps running the test as you type.
4. You then edit the code as it pops in, or maybe alternate through what comes up, and it keeps running and working the test to bust your function.
5. Eventually the test passes and it knows to move on to the next comment.

It’s difficult to describe, but a way to think of it is a hyper embedded version of what programmers seem to do these days anyway, which is just search through Stack Overflow, documentation, APIs, and github using most of the words you’d put into a comment to find code. Why not have the editor use fancy machine learning algorithms and a vast catalog of existing curated code to do this for you?

In addition to that, it seems possible to auto-generate enough test code to fuzz through most of what you write, especially if the language is more modern. Maybe it’s something like AFL generating tests that hammer your function finding things, and since it’s generating the code in the function it’s possible it could be smarter at this.

Just a random idea, but could be an interesting thing to research. Call it “Comment Driven Coding” for lack of a better name.

DON’T PUT SHIT IN COOKIES, ASSHOLES.

Z: “There, can I get some cookies that don’t have turds in them now?”
FB: “Oh see now you’re just being rude. You have to show some respect. I mean, I just gave you free cookies and this is how you treat me? What an asshole.”
Z: “Oh, ok how about this fuckface:”

TAKE SHIT OUT OF COOKIES, PLEASE ASSHOLES.

FB: “Sir, that is not being constructive.”
Z: “Oh you want constructive:”

USE MORE SUGAR INSTEAD OF SHIT, WEIRD LOSER MORON.

Z: “Fuck you and your fucking turd cookies FLOSS Bro. I’m going to go start a restaurant that doesn’t put turds in their cookies and put you out of fucking business.”
FB: “Fine! You go do that! It’ll fail because you’re not positive and constructive and supportive of my work! I do this in my spare time you know!”
Z: “Probably because you suck so bad nobody would pay you to do it for real.”
FB: “Fuck you! You don’t get the entire concept of free cookies! If I give you free cookies you have to worship me! Worship me for my free cookies asshole!”
Z: “I see! The truth comes out! I have to worship you and it’s not about having the best cookies in town. It’s about you being recognized by giant sentient flies and nobody else. Fuck off!” Slams door.
Fly: Walks up chewing on turd cookies. “That guy’s such an asshole. These cookies rock.”
FB: “Thank you Larry. I’m glad you’re happy.” Looks out at empty restaurant.

Yes, to get paid by Pearson, I have to fax two pieces of paper to the royalty department so that they can look in the royalty department database and fix the record I can see on their website but that they can’t see.

This apparently only happens to me, and it’s fairly consistent. You want to find out if your software works well? Have me try to use it. I tried out Blogo for about two minutes and ran into errors all over the place. Images not being put in the right spot, bold text not working, just loads of little things that only I encountered doing crazy things like adding images and making stuff bold. They fixed them up and I’m still using it now. It’s actually really nice. I’m just cursed with a weird devil hand that drives software insane is all.

Google is another one that has been fighting me all week. I am apparently the only person who cannot use Kubernetes. Nearly everything I try ends in disaster. Not a single getting started guide has worked, not even on their GKE platform. Firewalls don’t work. Compute nodes don’t work. My account does weird things here and there. No idea what I could be doing wrong, and I follow along with 4 of their documents with the same results. Running Kubernetes myself is the same results. Doesn’t run here. Doesn’t run there. Needs this. Needs that. Needs docker to build dockers that have dockers that build Kubernetes that only runs in dockers on core OS from boot to docker that is a container in a container that has OS X running Kubernetes with….

Yep, I’m just cursed to trigger nearly every bug you have. You changed an option? That’s the one I’ll run. You got a race condition that only happens in one version of Vagrant and one version of Linux? That’s the one I’ll try first. And I’m not being weird when I make these choices since most of the time I’m trying to write a book so I stay fairly vanilla. I just seem to trigger bugs along the way is all.

Another time my bank couldn’t connect my business credit card to my business bank account. I’d asked them repeatedly for months to do this with no success. This was mostly over their dumb internal email thing, but finally calling them on the phone led to a 40 minute call center threesome with me and two other people who then had to bring in a fourth guy who worked in “databases”. For some reason, I just had one wrong bit set in one wrong place and there was no explanation. I just didn’t have it, and it was a major deal to fix my account. But why? “No idea sir, you just had the wrong setting.”

That devil hand at work again. Computers crash on me. Every Mac I’ve owned has tanked in the first week and needed repairs or replacing. Hard drives freeze up. It happens so often friends don’t believe me. There’s no way anyone has those problems. I do. All the time.

I’ve also found that if I tell people about these bugs they tend to lose it, even if I’m nice about it. I constantly have to double login at Paypal. I complained about it and holy fucking jeebus did those dudes lose their shit. Assholes from eBay emailed me like they were going to kick my ass because I pointed out the fucking obvious that making someone log in twice to a financial website means customers can be phished on the first login. After random eBay assholes harass me I just stopped being nice. I went from saying Paypal is broken to saying they’re fucking terrible programmers. I mean fuck, if I’ve been using Paypal for years and I’m still having to log in twice every time then it’s not me it’s you jackasses. Fix your shit. Nobody else with authentication has this problem but fucking Paypal.

Oh, and I don’t fucking work for you. I’m not going to waste 15-30 minutes navigating your bullshit bug tracker, filling out every random Jira/Bugzilla/Confluence/AgileXPHardon12000 tracking data point just so you can ignore me. You fill out the damn ticket and ask me if it’s right. That’s what I do. I don’t make other people fill out bug reports. That’s just rude.

I’m convinced that this is what made me good at writing software. I bring computational disaster upon myself so frequently that I just assume everything I touch is tainted and write software that protects against it as best I can. I’m like the coder from Salusa Secondus who had no idea things weren’t supposed to be this broken and ended up just making things solid to avoid it. It is fun at times, but after two decades of constantly have to anticipate I’m getting tired of it.

If you want to find out how good your software is get me to use it. I’ve brought systems to their knees just casually clicking around. When that doesn’t work I do “crazy” things like, change my photo, or update my DNS records. Things you totally didn’t anticipate someone doing? Yup, I’ll end up doing it and then you’ll sigh and tell me nobody does that and I’ll just shrug and move on to the next product until one stops crapping out on me.

P.S. Blogo still fucks up bold. Sigh.