The Stack Overflow Podcast

Can't Pay Your Taxes if The Website Won't Load

Episode Summary

Paul walks us through a classic legacy systems breakdown. We break down the finer pint of programmer humor. Ben tries to understand how Apple will bring Face and Touch ID to the web. And for dessert, a deep dive into the weirdest trade magazines on the web.

Episode Notes

You can read about the IRS and its Sisyphean efforts to modernize its computer systems here.

Ben's Twitter thread on amazing and obscure trade periodicals you can find online is here.

You can read more about what Apple is doing with biometric identity on the web here.

Episode Transcription

PF The web is a very spirited discussion about a relatively small number of changes between Apple, Google, and Firefox.

BP Yeah.


BP Satisfy the protection of your continuous integration and deployment workflows with Cloud Native application security, part of Trend Micro Cloud One. Get automated defense early in your pipeline and across cloud environments for visibility and protection. Discover more at 

BP Hello, and good morning to you, Paul. It's just you and me again. What can we do?

PF Well, you know why it went pretty well last time. Why don't we do another Q&A?

BP Oh yeah, that was great.

PF We'll just have... [Paul & Ben laugh] Bum, bum!

BP Now first let's talk about the IRS because my wife told me that they're thinking about delaying taxes once again. And I realized that if you can print money, meaning like you can just make up money, then maybe by the same logic, you could just cancel taxes. And so if we get to this point where like taxes are delayed and then the delayed again, I worry we'll never convince people to pay them again.

PF I mean, people already are not the biggest tax fans and they don't, uh, yeah, no, no. We're going to delay, you know, IRS has a hard job. That's all I can think.

BP They have a hard job. Yeah. It's like, if you could just make up an amount of money, out of thin air that's equivalent to what we pay you. Or if you always said you needed this money for the roads and the schools and the firefighters, but now I'm not paying it and you're still paying them somehow... what's happening? [yeah] Anyway. Money is a funny thing, but tell me a story about the IRS and programming. Cause that's what we're here to talk about.


BP Oh, it just sort of floated out on, uh, on Twitter and it's just a classic. We'll put the link in the show notes, but it's on and someone named Samuel Hammond who goes as ham and cheese on Twitter, [Ben laughs] who linked it out. And so it's, you know, the title is wonderful. It's IRS... And actually I have to say like federal news network is a website. I have visited many times. It's really worth seeing, like, I love reading magazines about industries like beverage news. There's just, it's such a world. So Tom Temin wrote an article called IRS programming, mystery continues and look at it. It's just, the IRS is trying to modernize and has been for decades because all of, a lot of their code is still written in assembler for legacy architectures that processes all the taxes.

BP The IRS is modernizing and always will be. How does that, how does that expression go?

PF Yeah, exactly. Exactly. So there's just this, there's this story in the background, that's kind of amazing, which is that there was one engineer at the IRS who led an effort for a couple million dollars, right. To transform all the assembly code to Java and sensible thing to go to go from the old enterprise to the new enterprise. And he got apparently 90% of the way there. And then there was just some trouble with budgeting paying for a patent application and he's like, yeah, I'm going to go somewhere else. And that was it. That was, it was, that was the end of that effort. And then now it's back to $180 million business systems modernization over the next two years. And this is a very familiar story. It's just sort of a fascinating story because you know, and it what's happening is that as tech becomes more and more part of the mainstream conversation, the first time I ever saw this, I think we talked about it once on the show before was during the, when that came out and it was kind of a debacle. And at one point, you know, they, they had a congressional hearing and I watched it because I was fascinated to see what was going to happen with when Congress sort of dug its teeth into software and it was a rough one, they put like HTML comments up on the big board behind them and were like, what is this? And the comment was abandoned all hope who enter here, like just...

BP Programming humor 101 does not go over well at a Senate hearing. [Ben laughs]


PF The, the policy I, I, I try to live by and always fail is that irony doesn't scale. [yeah] The minute irony jumps anywhere. Uh, everybody loses their stuff. So anyway, it's just like, it's just another example of we're still living in a legacy world. We don't believe it. Cause we look at the web and, and we're creating tomorrow's legacy.

BP I mean, you talked about this before. Like there should be a major, a CS major for a particular kind of person, which is legacy systems engineering and you get paid three times as much as the average person to go back in and work in old unpopular coding languages or to pick up a project that was 90% done and then abandoned. You are like the excavator of like a collapsed building that you then go in and somehow keep standing.

PF No, pair that major with an English major. [yeah] So it's just like, I'm a double major in legacy systems improvement [Ben laughs] and creative writing. Like I should done that. I spent 10 years trying to turn my English degree into an understanding of technology. [that's right] I should just doubled. If I could have doubled up in college, I would have had a safe career.

BP [Ben laughs] There will always be a broken legacy system somewhere. And you can work on your novel and the other four hours of the day.

PF Well, this is the thing with the broken legacy systems is the pace is not like it's been running for 20, 30 years, right? It's not, it's not this startup, right? It's a salary.

BP No, no. They come in. They're like, ''Hmm, could you, uh, maybe by a Friday, see if you could, uh, untick these three tick boxes'' and you're like, ''yup. But I'll get back to ya Tuesday of next week and I'll have on tick two boxes and then it just slowly, slowly.''

PF That's right. Your job is to break it into pieces and then over a decade. [yeah] You know what I love, you'll talk to people in this world and they'll be like, Oh yeah, I was in charge of the single sign on effort for giant company X. [right] And it'll be a big company with lots of pieces. And you'll be like, ''how long did that take?'' And they'll go, ''well, you know, I mean, you know, 48 months'' [Ben laughs] and you gotta, and then, you know, in your head you do the division. You're, that's a funny way to say 4 years, right. But they're just trying to hold on. Those are horrible problems. [yeah] They take a long time and you can't like no one can crunch for four years except in the games industry where we just apparently want to really hurt all the employees.


BP So this all got started, right? Reading one of those things. I have a thread going from when I used to work at DJI, the drone operator, and we used to have to monitor the press clippings. And so I have a long thread called today and amazing trade periodicals. Codings Pro Magazine was excellent. No Till Farmer Online. And then here it is, Federal Computer Week Online had an excellent article. 

PF Fed Week! Yeah! Yeah!

BP And they even have advertising. I mean, this is a good looking site, like a clean fast, but yeah. The business of federal technology and Oh boy, big business. 

PF I know this. Every now and then you'll see a 3000 word article on like FCW or one of these sites where you go, ''ohhhh, that's what's happening'' right? Like it's yeah. There it is. Lawmakers skeptical of seaborne drone fleet. That's the news you can use.

BP That's the news you can use. I think my favorite of all was 

PF Oh my goodness. Just like, things made from rocks?

BP Things made from rocks, ways to break rocks, ways to move rocks. If you need to know about rocks, I got you covered.

PF Oh, you know, I loved this. I just hit the website. It's now incorporating aggregates manager.

BP [Ben laughs] Yeah. It's a big tent there's room for everybody. 

PF Yep. It's so old school too. I mean, you're going back about 45,000 years of human rock related.

BP That's right. 


PF Alright. What questions do you have?


BP In terms of questions, well, we could walk through something here that, you know, like has been bothering sort of me personally and see if you can help me out. [mhm] So for a long time, I have had touch ID on my phone and I love using touch ID to sign into things like my bank account. I don't actually know if it's more secure, but I've been told there's a secure element and there's hardware and software and cryptography involved. [mhm] Also it's faster than putting in my password, but I have a touch ID on my Mac and I could never do that. I can never sign in that way. And so Apple said at the latest at WWC, Hey, we're bringing touch ID to the web, which is interesting to me. Cause it's like the web is this place where notoriously, you have to be careful with your passwords and people are trying to phish you. And I was thinking, Oh, maybe this could be like a great solution where like, you know, in the future, most computers have touch ID. And then my mom doesn't have to write down her list of passwords and you know, lose it on the bus. She can just use her finger, but it's Safari only at least to start. And then I started with, I was like, Hmm, is that necessary? Like, what's the, what's the point of being like on the web, if you're, if you're gated to one browser that feels wrong, but talk me through a little bit of like, what is it? 

PF What's going on there.

BP Yeah. What's going on there? Can we talk through that? 

PF Yeah, of course. So first of all, don't think of your fingerprint or even your face at... your face and your finger pinner are like a consistent source of random... of randomness. Like no one else has them. No one else is able to get the exact same like pattern, [right] without actually using your face or your fingerprint. 

BP Right. Face Off. 

PF [Ben & Paul laugh] No, people may not remember that amazing film, but that is an amazing film. Alright. So Apple has you rubbed your fingerprint all across the little sensor, right. And in doing so it does like kind of, it makes a little picture of your fingerprint and then we've talked a little bit about encryption and hashing and things like that on the show before. That, it doesn't send your fingerprint all over the place, because that would be also be kind of like, that's a big sloppy thing. What it does is it says when the fingerprint looks kind of like this, meaning like pretty accurately, when you put your finger on, it goes, Oh, okay, I'm going to use my special algorithm to hash that. And I'll compare it to the other fingerprint that I have in memory. And if those numbers, if, you know, if your fingerprint reduces to 7A, and the one in memory also reduces to 7A, then you're going to be in good place and we can let you in because that would be really, really hard to do otherwise, we don't really know any way you could, which also means that if somebody hacked in, they wouldn't get your fingerprint, they would get your magic ID that the computer made for you from your fingerprints.

BP Right, right, right.


PF And presumably if I do it on one computer versus another, because that is keyed to your computer, your system, even with the exact same fingerprint inputs, I'd have different numbers. So it's pretty secure. It's pretty thought through, and that's me working it back a little from first principles. I'm far from an expert here.

BP And so, yeah, I mean, I think one of the interesting things that I sort of remember, and we may be getting this wrong, so, you know, hate mail, bring it on. But I feel like the secure element on the phone or in the computer basically does what you're talking about. It says like, does your finger smudge, you know, match this one to a certain degree? And then we approve that. But Apple just then says to whoever needs approval, Hey, approved. It doesn't actually send anything in terms of right. The finger data at all. Right. It's just, it does that locally in the secure element, that's where it says like finger smudge approved.

PF I mean, basically things go up and down to the server and it depends on how they implemented it. But yeah, essentially it shouldn't, you know, when you're logging into something with touch ID on your computer, on your computer, your phone, your fingerprint is not going to the server. 

BP Right. Right. Exactly. And so I feel like that helps me a lot because one of the things that I'm struggling to understand about programming is, you know, like I understand it now syntactically a little bit better. Like  these are, you know, functions and these are strings and these are integers and you might make a call to a database and you'd have to let it know what it is. But where I get lost is like the client side server side runtime, like the, where, the stuff where like things actually have to be where the commands have to operate with the machinery and in a certain sequence, that's when like my brand just starts to poop out. 

PF It's really muddy. It's really hard to understand. There are the best forums I've seen for explaining it. There's an MIT document explaining I think the Kerberos protocol from the eighties where it's just done as a Socratic dialogue, like, Hey, what if I, you know, now I would like to talk to the printer, [Ben laughs] but I would like it to be so, you know, and it's just like, and really, cause then you're talking, well, I need a secret key. And I, the other person has to have the other secret key and just sort of, it's hard. This is hard. This is hard. The mental models are not clear. And it, it's not something that we have thought to ourselves as a culture ''Boy, everybody needs to understand this starting in middle school.''


BP Yeah. That's what we want. We want the like, here's how an airplane flies because of Bernoulli's principle version of computer science and hardware for everybody. Cause you're going to, everybody uses these devices. It's like 85% of our lives are spent with these things now. We should at least be able to, well maybe you can't go under the hood and fix it, but at least like get the basic operating principles.

PF No, I mean, I remember, you know, seventh grade science class and you know, where you learn about, I don't know Avogadro's number or the momentum of a car or Bernoulli's principle. It's just like those really basic principles of, of physics and science. We probably are going to need to do the around encryption, security, privacy. 

BP Yeah. Or not because the kids are learning it all on YouTube and TikTok on they're way ahead of us.

PF No, they're being radicalized by QAnon. So we actually doubly need to get in there and do it. So, okay. So back now, now you're talking about something different when you're talking. So you're talking about the web, the web, Safari and Apple have said, boy, it'd be great if we could integrate the touch ID, that's on the local operating system. [right] So that when people want access to a website, they could touch their center and that the website would go cool. I got, I can give you access. [yeah] So first thing to know is there's actually lots of web standards that talk to the hardware of the computer that didn't use to be the case. It used to be like, here's a page. Want to look at it? Cool. [Ben laughs] You get some stuff off the internet. The web is kind of inherently sandbox. And increasingly the web is this interface to the computer. And the most pure example of that is, you know, Chrome OS and Chromebooks, right? So like, you know, we're going to put a thin shim over Linux and let the browser do the work.


BP I mean, I'm familiar a little bit with this from my digital media days, because we had to go through this endless exercise of will this display right on this device. How do we know what device you're using? How do we know what mode you're using it in portrait or vertical? And so like, right. You start to get all these hardware signals that will then make sure your content displays in a way that's, you know, enjoyable enough that people won't click away after three seconds, right?

PF That's where it starts. That's where it starts. Right. So it gets to it, it starts with the screen because that's your display medium. And everybody goes, Oh, that's cool. The content is adapting to the screen. It's responsive, very good for the content. [Ben laughs] But then it's like, what if I want to make music software in my browser, I have an audio API so I could play play songs. But what if I want to like put music in, well now I have to hook up to different devices like synthesizers, if I really want to do this stuff. And that, that means I need MIDI and I need a USB hookup because I can't like, there's nothing to get that information out of the operating system. I need to understand where it's coming from and how it works. So then you get web USB and web MIDI and sort of all these different standards. So here, you're talking about another one. So in general, what happens? So Apple, Safari is based on WebKit, which is a large open source project. You know, Chrome is a fork of WebKit Mozilla's Firefox uses its own rendering engine called gecko. And so, but for the most part WebKit is, is the big one. Everyone is, you know, on your mobile and on your desktop is using WebKit. So what Apple is saying is we have decided the touch ID is very important, right? And we would like it, the interface to the touch ID library, in our operating system. We're going to make that work with Safari. Now here's where it gets interesting. Is that, does that then work, and I don't know, cause I haven't researched this yet. Are they just saying Safari is going to work with the way that Apple has implemented touch ID or are they saying Safari is going to work with the way that the, an open touch related authentication standard and we will contribute. We're going to do this in Safari, have a working example. And then we will update the overall set of web standards with our suggestion, which then would go to the world wide web consortium as an industry group. And multiple people would literally sit in a room and be on a mailing list in order to add touch to the, the web standard. So that other browsers implement.


BP It's just so crazy that we met somehow this whole thing manages to hold together. The consortium of people on the mailing list can agree and then all it, it just ripples out. And somehow we all keep moving forward and using the internet to find cat videos. I mean, I just...

PF Well, it's a process.

BP It feels so Illuminati when people say, yeah, like it just is like, there's a consortium of, you know...

PF Oh, it's really not. If you've got, I mean, it is incredibly what you'd expect. I mean, when you talk to Sara about open source governance, that is this world. It's just that, it's just, we're going to talk about the standards. We're going to talk about the community. If you go to, there are all these standards listed. So it used to be in the early days of the web, you'd literally read them to understand what was going on with the different things happen.

BP I guess my question, maybe, maybe I phrased it wrong. Maybe it's like, you'd think, or I would assume that something huge that has so much impact that deals with the web at the scale of all the world's most valuable companies would inevitably could become evil, like the World Bank, but it's not, it's still kind of dorky and open and just like doing the good work because why like, why do those people do that? 


PF Well, first of all, I mean, humans do love open culture, right? [yeah] Like there's, there's a lot of us who do, it's all very complicated there. I mean, you know, one of the big conflicts in the last couple of years that stuck out is that the web consortium started to endure strategies for digital rights management. And the argument there was that because places like Netflix are, they can either use proprietary technology or they can use open standardized technology that does DRM. Uh, it would be better for them to be better for this to be standardized so that, you know, browser builders can et cetera, et cetera. So like you can see this argument and then you can understand very quickly where like the electronic frontier foundation is going to come down on that, right? Like people are going to go like, this is a, this is open is for everyone. But to me, that argument kind of falls away when you have the idea that someone could pay for access to a website anyway. So it's very, and then, and then you can counter argue that like, well, you know, but then they can still cut and paste that text that they paid for and you go like, well, okay, I can't do that video on Netflix, et cetera, et cetera. Like it kind of, this is a, it gets really big and muddy. And so these organizations that exist to work problems like this out, and then they sometimes make decisions that piss a lot of people off, but you need something or otherwise you just have like Apple decides what the web is.

BP This from two years ago, ''how to programmatically check support of face ID and touch ID. I have integrated local authentication for my app security, which has been supporting touch, but now they added face. How do I check? Which type of authentication is supported by which device?'' This has going on 31,000 views. So yeah, people care about this stuff. And here it is written out ''Case none. Now biometry type is supported case type face ID. This device supports face ID.'' There it is.

PF So what you're, what you're looking at, there is a big reason why we talk about a lot, like frameworks, like react native or, or just ways to wrap the web with phone interfaces. [yeah] That's what you get. Like you can make a pretty good experience as long as you're not doing something really visually intense just using the web, but you can't talk to the native interfaces. So these wrapper layers, let you talk to the SDK while mostly doing web programming. That's something like react native and it gives you other benefits too. But, but that's the only way to get access to that stuff that you can't get to it straight from the web.


BP I like reading this. ''Static function, biometric type, let authorization context equals LA context. If available then, you know, case none return, not case touch ID, return touch.'' I get it, a little. I get it a little.

PF No that's right. I mean, you know what that used to be. It used to be that you would be checking. I had a very different way of interpreting the CSS than other browsers. And so you were always checking, you know, what browser you were in and then you would change, change the CSS accordingly.

BP Right, right, right, right. Does this browser support this cool, like interactive Java applet or not?

PF Well, it wasn't just that it was that like, they just had a different sense of geometry. So you'd be, you know, things would just look totally different between the two.

BP Things would bleed over and like get off the page. Yeah, yeah, yeah.

PF That's right. That's right.


BP Alright, my friend. I've learned a lot.

PF Oh we did it! 

BP We did it. Let's read a lifeboat and say our goodbyes. 

PF Good. Sarah will be back. Don't worry.

BP Sara willl be back soon. No, it's not going to be, it's not going to be like this forever. We promise. Alright. Awarded 13 hours ago to Kunal Chaola: asked permission for push notification. And the question is I'm working on an application and I need to use a push notification. I know that they are normal permission. So I can't ask it at runtime, but I want to insert it. And the answer is as answered here, you don't need permissions for push notifications. Dang. I wish you did. 

PF There you go. There you go.

BP Kinda wish you did though. 

PF Yeah, no, me too. Good lifeboatin'. 

BP Great lifeboatin'. Thanks for listening. Thanks for contributing your knowledge. And yeah. If you were in a similar situation to the one Paul and I were describing at the beginning with the IRS, let's say you're working on a big old software project and someone who's been doing it for five or 10 years, and they're going to move on. How do you make sure all that knowledge is retained, Paul? How do you make sure that the documentation is good and people can find the answers they need to, the questions they have?

PF You want to know the terrible answer? 

BP Stack Overflow for Teams!

PF Oh, that's the good answer. Yeah, it's actually, it's a good one. 

BP What's your answer? 

PF Well, no. I mean, it's human beings, corralling documentation and helping with the knowledge management, but that's completely compatible with Stack Overflow for Teams.

BP Your organic answer is compatible with my product plug. Excellent.


PF That is exactly right. I'm Paul Ford. I'm the cofounder of Postlight. We bring strategy, design and engineering to deliver platforms and experiences that drive digital transformation. Woo!

BP Alright, everybody. I'm Ben Popper, director of content here at Stack Overflow. And you can find me on Twitter @BenPopper. Thanks for listening. 

PF Thanks!