I encountered a fascinating Web site today. The care and love behind its construction are evident. The personal messages from the site’s managers reflect their commitment to exceeding users’ expectations. The idea is novel and the implementation, from what I’ve seen, is first-rate.

So what’s the problem? The problem is that the site fills a need that doesn’t exist, as far as I can tell.

The site is compilr.com. It’s an online IDE and compiler for Python, node.js, PHP, JavaScript, HTML, C, C++, Ruby, Java, C# and VB.NET. Think of it as Google Docs for developers.

compilr.com instantiates a bunch of hot buzzwords. It’s cloud-based. It’s virtual. It’s SaaS. It supports collaboration. All good, right?

Yeah, it’s all good. But I’m left with one question. Who needs it?

If you’re a professional, you want your development environment on your machine, or at least on a local server where you can control the installation. You want to know which patches and revisions have been loaded, and which versions of the libraries are installed. At compilr.com, you don’t know what compiler is running in the back end. If the installed libraries are documented, I can’t find the details. These details matter.

Also lacking are version control and facilities for testing and debugging. Judging from the site’s user forum, these features have been on the back burner for a couple years.

I want to like compilr.com, but I think it’s a solution in search of a problem. It’s easy enough for students and casual developers to download free development environments from the Web. Professionals know where to get their power tools. A Web-based development environment sounds like it ought to be useful, but once you think about it for a few minutes, the usefulness evaporates.

Too bad.

Web recommendation: Here is another alarming article, this one from the good folks at Wired. Little by little, piece by piece, a larger picture is becoming clear, and it’s a disturbing one. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He wishes Aaron Sorkin still had a series on the air.

If you haven’t noticed, software development faces some severe challenges right now. Serious problems face us – not in some hypothetical time-frame, but right now. And I am sorry to say that the tool vendors and thought leaders we count on are letting us down. They’re focusing on other matters entirely.

I don’t mean to pick on Java, but that’s the example that comes to mind. A year from now Java will support lambda expressions. The big brains directing the evolution of what is arguably the industry’s most important language surveyed the computing terrain and decided the best thing they could do for developers was add syntax for lambda expressions.

Are you freaking kidding me?

To be fair, the Java team is also grafting modularity-control features onto Java via the Jigsaw project, and these features could be of real benefit to Java programmers. But still…lambda expressions?

Here are the things we developers ought to be focusing on.

Security

Yes, I know. I’m a broken record on this issue. But we don’t face a bigger challenge, and the days of shrugging off security as an operations concern are over. If you have a wireless router in your company, a bad guy in your parking lot can have access to your network in two or three hours using off-the-shelf tools and a $350 laptop.

You think your firewalls and strong passwords are sufficient protection? You’re dreaming. The U.S. military spends billions defending its servers, and last week it told the Senate Armed Services Committee that these security measures have failed. The military now assumes that hostile forces have network access, and it is shifting its focus from controlling access to protecting data. “[W]e have to go to a model where we assume that the adversary is in our networks,” said Dr. James Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. “It’s on our machines, and we’ve got to operate anyway.” Anonymous has demonstrated it can compromise pretty much anyone it targets. If your network hasn’t been compromised yet, it’s because the bad guys haven’t selected you as a target yet. When they do, your security measures will fail.

This isn’t just an operations problem. It’s everyone’s problem.

Development processes

The Agile movement is popular – and why not? It’s a feel-good set of aesthetic principles unencumbered by a development process. XP, Scrum, and Kanban let us throw off the chains of heavyweight development methods and get back to coding.

This is no way to achieve reliable, repeatable results. It’s de-evolution in action, a return to the days of late-night hack attacks and reliance upon the heroic contributions of uncommonly talented superprogrammers. Too many companies are betting their futures on this family of untested, unproven non-methods.

CASE tools and formal methods were no fun – I get that. They sacrificed flexibility and improvisation and even personal fulfillment for reliable, repeatable results. They weren’t the fastest way or the most enjoyable to get from Point A to Point B, but they did guarantee you’d get there. You can’t say that about Scrum.

Platform fragmentation

It was a big deal when we went from building Windows apps to building net-enabled apps that split program logic along the well-established seam between lightweight clients and back-end servers. But that was nothing. In the very near future, we’ll be asked to deliver apps that run properly on arbitrary hardware with dramatically varying specs, all running different operating systems. It’s an unprecedented challenge for the software development community.

The traditional approach has been for IT to set up a list of approved hardware and software platforms, and thereby to limit the demands on application developers. But that discipline has broken down. You can’t keep your company’s workforce from bringing in their new tablets and smartphones, and from demanding that these devices be given access to corporate apps. The security concerns alone are daunting – how do you keep your network secure when the CEO misplaces his iPad in an airport lounge on another continent?

And don’t get me started on cloud computing. The security implications alone should give you serious pause. Rearchitecting your apps may not take as long as you fear, but the split between your resources and your cloud vendor’s servers will remain brittle. I lived in San Francisco long enough to know you don’t build something important on a fault line.

Inadequate tools

If I read the surveys correctly, you probably don’t remember the transition from DOS programming to Windows. I remember it well – I was at the heart of it. The programming tools and languages that had served us well in the single-tasking, character-mode environment were inadequate to the demands of GUI programming. The industry responded with visual programming environments, object-oriented programming languages, application frameworks, and plug-in reusable modules. Eventually these tools allowed us to cut the challenges of Windows programming down to size.

What tools and languages are addressing today’s challenges? Python? Ruby? C#? Honestly, they all seem to be addressing niche problems. It seems to me we’re being sent into this battle empty-handed. Or am I missing something?

Yes, these state-of-the industry rants are supposed to be posted in December or January. I’ve broken one of the unwritten laws of tech bloggers, and the authorities will no doubt crack down on me. But I had to get this off my chest.

Am I the only one who has noticed that we’re in deep, deep trouble?

Web recommendation: The evocative phrase “Internet of Things” always catches my attention. Here’s a rare substantive discussion of what the term refers to, by Google’s Vinton G. Cerf, a U.S. Medal of Technology recipient, ACM Turing Award winner, Japan Award winner, etc., etc. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He has rediscovered the joy of peanut butter.

Here are updates on some of the issues I've been following for the past few weeks.

Infrastructure attack a false alarm – for now. In a series of posts, I have made clear my concern about the ongoing effort to computerize utilities and municipal-infrastructure control systems. While intelligent systems can help us conserve resources and use energy more efficiently, computerization also leaves critical systems vulnerable to hack attacks. A data-point supporting my argument was November 8's widely reported cyber attack against an Illinois water utility's SCADA system. The Illinois Statewide Terrorism and Intelligence Center reported that a hacker with a Russian IP address had caused a pump to burn out. The cyber war had begun! Or maybe not. It turns out the SCADA system was accessed by a utility contractor, Jim Mimlitz, who was on vacation in Russia. While everyone is breathing a little easier, the fact remains that these systems are still vulnerable. It's only a matter of time until they are really hit.

Microsoft bullish on Kinect 2: Microsoft has realized that its Kinect game controller for the Xbox platform is potentially a good solution for a huge range of problems. Beta 2 of the Kinect SDK is available now, and Microsoft promises that a commercialized SDK will be available in early 2012. In the meantime, the Kinect hacker community is running full-tilt at every offbeat and potentially useful application it can imagine. Meanwhile, the Kinect 2 will reported greatly extend the Kinect's abilities. The new device may be able to read lips and even to detect users' emotional states with its facial-recognition algorithms. (If hackers were to install a back door into Kinect-enabled systems, they would essentially have around-the-clock video access to user sites, and the Kinect's voice-recognition routines could monitor speech for key words. What if the government were to install such software?) Check out Kinect Hacks. And if you haven't seen it yet, you might as well look at Microsoft's Kinect Effect video.

Software detects lies with voice analysis. Researchers are using a variety of methods to analyze speech and detect whether speakers are telling the truth. The New York Times has an informative article here: Software that listens for lies. It must be a lot of fun working on applications like these.

Pentagon sponsors hacking contest. A determined team of programmers has won $50,000 in a contest sponsored by the U.S. Department of Defense's Defense Advanced Research Projects Agency, or DARPA. The eight-member team successfully retrieved the contents of seven pages of documents that had been shredded into more than 10,000 fragments. The Pentagon is quite open about its motivation for the contest: “The goal was to identify and assess potential capabilities that could be used by our warfighters operating in war zones, but might also create vulnerabilities to sensitive information that is protected through our own shredding practices throughout the U.S. national security community.” We already knew the government could intercept anything on the Internet. Now it turns out that they're looking to read our shredded documents. Congratulations, in any case, to the winners.

Web recommendation: Perhaps you have noticed that many programmers are also serious about cooking. You may be a good cook yourself, in which case you have no doubt already discovered the new Developer Cookbook section of sdtimes.com. Those recipes look good, but they're positively primitive compared to the cooking-as-rocket-science entries in Modernist Cuisine, a six-volume encyclopedia of cooking ingredients, methods, and technologies dreamed up by former Microsoft CTO Nathan Myhrvold. This lavishly illustrated tome has 2,438 pages and weighs more than 50 pounds. Your status as an amateur cook may not justify the book's $625 purchase price, but you should at least take a look via the authors' beautiful Web site. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He likes raisins and walnuts in his oatmeal cookies.

It's no longer enough to create working code. We must now put serious energy and deliberate thought into securing our code, the data it works on, and the users who rely on it. I'm convinced that we are headed toward a series of crises – in fact, the crises have already begun. And as near as I can tell, there's no solution in sight.

There's more malware out there than ever before. Viruses, worms, trojans, rookits, back doors, intrusions, spyware, botnets, cross-site scripting, proxies, SMTP threats, SQL injection, header splitting, keystroke loggers, screen loggers, e-mail redirectors, IM redirectors, session hijackers, ransomware, transaction generators, dialers, denial-of-service attacks, DNS poisoning, SEO abuse, phishing, pharming, data-mining, man-in-the-middle attacks, pump-and-dump stock scams, social engineering exploits, riskware, pornware, identity theft, social-media character assassination...the list goes on and on. Most of this has been with us for years, of course, growing at a predictable (if alarming) rate. All indications are that the rate of infection has grown dramatically in recent months, and it is about to explode.

Part of the story is that hackers are becoming more sophisticated in their attack methods. There's real money to be made in hijacking user data, and the money has attracted a new breed of for-profit hackers. A quick search of the Internet will convince you that it's simple to download all the software components you need to breach most security systems. The software toolkits are powerful, effective, and widely shared. Globe-spanning hacker syndicates are at work 24 hours a day, devising and sharing techniques for breaking through defenses. It's big business.

At the same time, the number of vulnerable platforms with sufficient installation numbers to attract hackers has grown rapidly. Yes, most attacks are still targeted at Windows PCs and Web servers. But recent months have given us dramatic evidence that new platforms are vulnerable. Smart phones, SCADA installations, embedded systems, utility grids, and smart cities are all coming under attack. Portable systems fall into the wrong hands easily and frequently. Revisions to Windows, iOS, Linux, HTML, Java, Office, and Android promise to fall to new generations of malware. A recent report from Columbia University researchers demonstrates that Web-accessible laser printers can be instructed to make paper smoulder, and perhaps catch fire. Hackers can use your phone to track your location or take photographs under remote control. If your e-mail isn't being intercepted, read, and revised, it's because you haven't been targeted, not because hackers are incapable. If you've got the money, you can install a monitor to intercept data flowing through the fiber-optic cables that route Internet traffic across the ocean floor, SSL or no SSL.

Service providers are collecting terabytes of user data, often without disclosing the fact. Providers know what Web sites we visit, what we buy, where we take our mobile phones, when we read and answer e-mail, what we're reading on our tablets, which files we download to our e-readers, and all the details of our banking relationships. Even if they don't intend abuse, the data is now subject to external attack. It's not enough to secure the systems under our control – our service providers' systems must be secure too.

And it's not just hackers we have to worry about. Government and law-enforcement agencies are increasing their power to access data, shut down Web sites, shutter businesses, and track users without the benefit of trial – or even, in many cases, the minimal protection of a subpoena. Congress is debating legislation that would extend much of this power to corporations.

We haven't even talked about cloud computing. IT shops are increasingly called upon to secure data that isn't stored on-site. Data-transfer channels are vulnerable to eavesdropping. Cloud service providers are vulnerable to attack. Providers may store information on servers in a country whose laws are not strict enough to provide base-level protection. Authentication systems and backup programs may not be sufficient to keep data secure.

As if all of this weren't enough, it is clear that skirmishes have already begun in a new generation of international cyberwar. State-sponsored and state-developed malware has targeted users, corporations, industries, and utility grids across international borders. Nations, including the United States, have gathered tremendous resources to blow through conventional firewalls, encryption routines, and user authentication systems with ease. Except for the Stuxnet trojan that apparently set back Iran's nuclear program a few months or years, most of these attacks have been small-scale efforts so far – proof-of-concept demonstrations, little more. When the real cyber-shooting starts, we will all sit in the crossfire.

My research has convinced me that the security technology we are currently employing to protect ourselves is laughably impotent in the face of current threats – much less the new threats that will arrive over the next 12 to 18 months.

This year saw the death of Robert Morris, a cryptographer and computer scientist who contributed to Unix and did research at AT&T Bell Labs for 26 years before joining the National Security Agency's Computer Security Center as chief scientist – essentially, cryptographer-in-chief of the United States. Morris had three simple rules for computer security: “Do not own a computer; do not power it on; and do not use it.”

Morris's tongue-in-cheek advice seems grimly relevant today.

Web recommendation: Ah, the Internet. What did we ever do before we had such an accommodating home for rants and flame wars? I admit it: I can't resist reading the occasional over-the-top Web post and scrolling through the outraged comments that follow. My new favorite is “Why I’ve finally had it with my Linux server and I’m moving back to Windows” over at ZDNet (right around the corner from us, in Web terms). I don't want to start a flame war here, so I'll simply say that I can relate to what blogger David Gewirtz has to say. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He believes the system he used for writing this column is virus-free. But hey, what are the odds?

What does the future of software development look like? For the first time in decades, it appears that no one knows.

It used to be fairly easy to peek a few years into programming's future. Languages evolved according to a predictable path from lower to higher levels of abstraction. We incorporated objects, then visual development environments, then Web architectures, then managed-code platforms. Development methodologies and project-management philosophies approached with plenty of warning – it took no special insight to see them coming.

My subjective feeling – backed up by a few hours of earnest Googling – is that all of that has changed.

The future? Well, let's see. We have some broad agreement that development methods will become more agile, though we are not entirely sure what agility means. It seems clear that the future will be cloud-oriented, though every definition of “cloud” is different. Our code will need to adapt to the availability of parallel architectures, though we can't say whether the parallelism should or will reside primarily in the code we write, the libraries we incorporate, the tools we use, or the architectures we employ. Security, mobile platforms, portability, interoperability, declarative programming, functional programming...all are likely to be important. One way or another.

As for languages – oh my! At the moment it appears that every nontrivial app will incorporate modules, libraries, frameworks, and custom code written in multiple programming languages. Or maybe we'll resolve that complexity by adopting a new language with the flexibility to address all the challenges we face.

For once, the pundits are quiet. Search the net for predictions about the future of software development and you'll retrieve a list of Web pages that are years out of date and devoted to particular narrow problem or language domains.

We are in need of the same sort of paradigm-buster that object-oriented programming and visual development environments were, back in the Windows era.

Search long enough through all the partisan arguments and language-specific rants, and one name keeps coming up: Anders Hejlsberg.

Hejlsberg has been around the programming world since before the IBM PC. He is the original author of Borland's Turbo Pascal and Delphi, and since he joined Microsoft he has created C# and become director of Microsoft's programming-language strategy.

You can learn more about Hejlsberg and his views in these videos:

• Where are programming languages going?

• Trends and future directions in programming languages

• Tour through computing industry history at the Microsoft Museum

(Disclaimer: Hejlsberg's views are pretty much guaranteed to be the official views of Microsoft. I'm the last person to sign up mindlessly to Microsoft's view of the world. While I don't see the company as a customer-exploiting evil empire, neither do I think it has always acted in the development community's best interests. Although I owned and edited Windows Tech Journal, my relationship with Microsoft was always an arm's-length one – much, as it turns out, to my personal cost. But that's a long story for another day. What I'm trying to say is that you have a responsibility to take Hejlsberg's point of view with a grain of salt.)

I think the Hejlsberg videos have great value. They identify both the challenges facing our community and some of the technologies and approaches that will help us address them. Hejlsberg has proved himself to be a visionary throughout his career, and he is uniquely positioned to see the problems and possible solutions that we will encounter in the next few years.

What's your view of the future? Drop a keyword or two into the comment section below and I'll use your feedback to shape a future post. Because ultimately, the future isn't something that just happens. It's something we create. Together.

Web recommendation: Research for this post brought me for the first time to Microsoft's MSDN Channel 9. This Web site contains hundreds of videos about (Microsoft) technology and how to get the most out of it. There's a predictable amount of corporate flag-waving, of course. But there's also tons of useful content. I have some reservations about video as the medium for dispersing such information – text is more readily searched and recalled, in my view. But there's no denying that there's real value here, for free. And the site has a mission statement you can dance to. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He recently relocated to a small town outside Belgrade – stop by if your travels take you through Serbia.

IBM CIO, Jeanette Horan, was joined by Guru Rao, IBM fellow and chief systems engineer, at a luncheon on Friday to discuss the company's plans to help their clients utilize cloud services. 

Rao and Horan were joined by IBM client, Professor Giuseppe Visaggio of the department of informatics at the University of Bari. IBM helped Visaggio architect a solution that utilizes cloud technologies in order to help an agricultural consortium in the Puglia region in southern Italy. 

Visaggio said these cloud solutions help small to medium size business - as well as several larger, enterprise-like companies - manage their inventory through the Web. Visaggio said the major issue for these experiments is data security, which must be solved incrementally, something Harvey Koeppel, executive director, Center for CIO Leadership, echoed. 

Koeppel compared security in the cloud to security on the World Wide Web -- eventually it became so ubiquitous that companies had to use it and had to figure out how to secure it. He predicts the same will happen eventually with cloud technologies, especially because of the recent economic crisis. 

Security concerns continue to plague customers however, and according to the speakers, it may be attributed to a lack of education. Some CIOs are unaware of the architected environments or the constraints of older systems, which can present issues in cloud migration. Many seem to be most worried about the lack of control that is often associated with a "virtual" server, expecially after the recent Amazon failure which downed several sites for several days. 

Do you think public clouds will become more popular? How is your company leveraging the technologies? What security concerns do you have? 

Ronin developers are nothing new. They wander from project to project, cutting clean code, setting things right, and moving on to the next town in a cloud of mystery. The cloud age has turned these once proud samurai into an amorphous blob of developers, dually catalogued, tagged, and available by the hour via crowdsourcing sites like uTest and CrowdFlower. It's been a long time coming, this comoditization of code.. But these existing sites are just the tip of the iceberg. Herds of developers now compete for the prize of completing tasks online for points, with the winner taking the money and the losers taking nothing. The TopCoder model has been reinvented in CloudSpokes, from Appirio.

It's almost like turning software development into a game. You post up your requirements online, and a few days or weeks later, a number of peer-reviewed solutions are offered and ranked. Thanks to the modern socially-aware Web, it's easier than ever to build processes around the crowdsourcing of code. At the end of the day, it's no different than outsourcing.

Does it actually work in the long run when building enterprise software? It's working quite well for many users already. But there will always be the need for the wandering samurai. These new crowdsourcing systems may just be the new way he or she finds their next job.

As you all well know, Amazon Web Services had some serious problems last week. It all boiled down to a failure in Amazon's Elastic Block Storage system, where replication was broken, and the system attempted to do emergency replication of data, which exacerbated the problem. Basically: fail-over mode made it worse. The lesson is obvious: don't rely on one cloud alone. But rather than prattle on about this, I'll include some links to others who have chimed in on the affair with their sage advice and thoughts.

• Rundown of what exactly happened.
• GoGrid is obviously excited about these outages.
• RightScale's take on lessons learned.
• AWS benchmarks and best practices.
• How SmugMug survived the Amazon Skynet Appocolypse.
• Skynet did not take down Amazon.
• Probably the most terrible data loss of the outage.
• NetFlix on the outage.
• Timelines, and recovery strategy.

Microsoft today announced that its Windows Azure is being made available to developers for free (for a limited time), in the hopes of getting more developers creating applications for the hosted environment. The company is giving away 750 free hours of Windows Azure extra-small instance and 25 hours of the small instance, which will allow developers to test, build and deploy cloud-based applications. A free trial of the software is available here.

Developers get ready, 2011 seems to be ramping up as the year of mobile cloud applications. Just last week, Amazon realeased SDKs for Google's Android and Apple's iOS, giving developers beyond easy access to Amazon's Web Services platform. Before the SDKs became available, developers would have to create their own ways of accessing the platform.

Aside from making things significantly cheaper, having such easy mobile access to cloud-based services really opens up a whole new door on the mobile application development front. Developers now, essentially, have access to an endless vault of computing power and storage, potentially changing the functionality and capabilities that some mobile applications have. I'm excited to see what you developers can and will come up with!