Domain: awprofessional.com
Stories and comments across the archive that link to awprofessional.com.
Comments · 52
-
Re:Always check your return values!
Sorry, but you're wrong. A typical Win32 application has maximum address space of 2GB, regardless of available swap. This is by far the most common scenario. Another poster mentioned that you must also consider the largest available chunk of contiguous memory, which is almost always smaller. In practice, I haven't seen most real-world applications successfully allocate more than 1GB of contiguous memory after they've been running for a little while.
The next thing you need to understand is how to get a value larger than the allocation cap. Many applications simply accept an unbounded length for some fields, which presents no barrier. If there is a bound, there are still a variety of ways to cause a failure. For example, in a browser you can use JavaScript operations to fragment the memory until the target size is no longer available. You also need to look at how a value is used after it's accepted. In the case of this particular vulnerability, the bound is defeated by later operations that result in a large integer. If you're not familiar with these types of arithmetic vulnerabilities I suggest you take a look at the sample chapter from Dowd's book: http://www.awprofessional.com/content/images/0321444426/samplechapter/Dowd_ch06.pdf
Regardless, it's often quite easy to force an allocation failure. -
MOD PARENT UP INSIGHTFUL
Seriously. Such a suggestion is a clear illustration of a security threat to be concerned about and guarded against.
It also makes for a realistic discussion of the risk with a non-technical user.
I don't want to lose sleep over the possibility, do you?
Except, how would you prevent it from happening? I'm not sure you can, but I'll bet the answer is in this book called Extrusion Detection. I haven't (yet) read it, however I have read its sister book (Network Security Monitoring) by the same outstanding expert author, a former US Air Force captain who should know, and that's why I think the answer to prevent such an internal 'exploit' is in that particular book. -
Re:IF, just, IF
Here, go read these lovely tales from the Windows Compatibility Team. When you're done, come back and try to tell us with a straight face that Windows' backward compatibility is anything more than an overflowing toilet of misguided kludges.
-
Re:Gee..
I love that site. If you didn't read this when it was linked from the OMGWTF contest winner announcement (Raymond Chen was one of the judges), you might be interested. It's a bonus chapter from Chen's book The Old New Thing (collected from his blog and expanded) called Tales Of Application Compatibility. Some of the stories are pretty hilarious. I got a lot of new appreciation for the extent to which MS tries to maintain compatibility too... I had no idea they would go to the extents that they do for some of the things there.
-
Re:Technical Debt
Ah, according to Joshua Kerievsky, Cunningham calls it Design Debt. I probably should have gone to the source... Here are the earliest thoughts I could find from Cunningham on the subject (1992); I guess he called it neither of them:
Another, more serious pitfall is the failure to consolidate. Although immature code may work fine and be completely acceptable to the customer, excess quantities will make a program unmasterable, leading to extreme specialization of programmers and finally an inflexible product. Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. Objects make the cost of this transaction tolerable. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt. Entire engineering organizations can be brought to a stand-still under the debt load of an unconsolidated implementation, object- oriented or otherwise.
There is little doubt that Wyatt Software will continue to employ object technology. Thoroughly versed in the leading object-oriented languages, our only decision is how best to employ their advantages. The traditional waterfall development cycle has endeavored to avoid programming catastrophe by working out a program in detail before programming begins. We watch with some interest as the community attempts to apply these techniques to objects. However, using our debt analogy, we recognize this amounts to preserving the concept of payment up-front and in-full. The modularity offered by objects and the practice of consolidation make the alternative, incremental growth, both feasible and desirable (but not always comfortable) in the competitive financial software market.
Apparently he's extended the metaphor over time, and used it to close a conference in 2001. Some wiki pages by others call Design Debt a type of Technical Debt. A small group of us where I work are trying to get the concept recognized -- we have a LOT of legacy code toting a US treasury sized debt around, but "it works".
-
Re:New Law?
I'm not 100% sure if cruft is a layman's term for Design Debt, or if Design Debt is just one type of cruft, but they're definitely related.
-
Re:One topic I'd like to see covered.
> Installing Ruby on an Apache web server and getting it to work properly.
The trick here is using Apache 2.2 + mod_proxy + Mongrel. The Mongrel book is well worth the $15, too. -
Re:Buffer overflow
Critically though, and as pointed out in some other posts:
- Writing off the end of an allocated piece of memory is undefined. Just because it might work now doesn't mean it'll work later.
- More importantly, these were allocated off the stack, not using malloc/new. The stack is usually DWORD aligned. Thus accessing Head[0xffff] could well actually be accessing Tail[0].
-
Re:This is bullshit
This has nothing to do with being sociable or being a hermit. This has to do with inability to concentrate when frequently interrupted.
In an open plan office, I can look over and have a good idea of whether you're head down and busy or whether you're interruptible. If you're in a private office, I have to go over there and interrupt you just to find out whether you're busy.
There's some good discussion of this topic in the "Agile Software Development" book - the relevant chapter is even online:
Forming Teams that Communicate and Cooperate
Also, remember that you may lose productivity when you are interrupted, but the people that interrupt you gain productivity, because they're not stalled all day trying to figure something out that you knew all along. It's important for the office to be productive as a whole - not just for you to be productive on your own.
-
Re:Neat Tool, What About Adobe?
Except they're not the same thing. Related, but not directly descended. One is a programming language, the other a file format. Go read down at the bottom.
-
Does Marcus J. Ranum know about this
Marcus J. Ranum
.. is recognized as the inventor of the proxy firewall, and the implementor of the first commercial firewall product. -
Re:CORBA v ICE
Michi Henning owns a company which develops ICE... which is a competing product to CORBA. Nothing to see here, move along please.
He also co-authored the best CORBA book I ever used.
-
Re:Please Don't Interpret this Incorrectly
But let's also be honest about where it isn't. For instance, it uses two rings of protection rather than the four available, which translates into more possibilities for errant drivers and such to bring down the kernel.
As another poster pointed out, NT was originally designed to run on RISC platforms that had only two privilege levels. To add support for the 386 family's extra rings would be almost as complicated as just moving the target drivers into user mode like MS is now. The only thing that 'safe' drivers would be able to do without risking the system is basic processing, just as well done in user mode anyway.
Also, it was designed for a single-user environment, and although improved over the years, lacks certain security facilities that other operating systems such as OpenVMS have.
NT's kernel has been fully multi-user from the beginning. It's the Win32 subsystem that has added some support as an afterthought. I'm not that familiar with (Open)VMS's security model, but does it include Restricted Tokens? I assume it supports impersonation. Does it support the same access model for all sharable objects? Vista is even adding support for Mandatory Access Control (finally).
As for quotas, each process is assigned a Quota Block (not officially documented) which tracks and limits kernel memory usage, to charge processes for the objects they have open. Using Job Objects, a large set of resources can have quotas assigned, including total memory usage, working set, cpu time, cpu affinity and process count. Win32 even puts a quota (default both 10000) on the number of USER and GDI objects a process can create. There aren't any network quotas (except possibly QoS?) and I'm sure there are a few others that aren't tracked.
Even with quotas, a system where bad software is allowed to run locally isn't too hard to DoS. I was amazed by how easily an AS/400 I was working on was bogged down by a spinning interactive program. I could hardly do anything until it was fixed. On most systems where you have local access, there's always some unchecked and esoteric resource that someone can hog. -
Piggy back on the gang of 4
...what it amounts to is little more than a list, each item on the list referring to the other items like bloggers hawking each others' hyperlinks. There are an increasing number of books on design patterns being published, all trying to ride piggyback on the success of the gang of four, and each taking more liberties on what a design pattern is. The result is a profusion of 'faux patterns' that obscure real ones. Most of these newer books are catalogs of the obvious. The fact that the original patterns book was published in 1994 and has not had a newer edition should tell you something. It is a timeless trove of good ideas that are independent of the programming subject matter or the OO language du jour. New patterns are pretty rare.
-
Re:real progress
On the producer/consumer gap, companies like Amazon aren't as useless as you make them out to be. What Amazon is is an aggregator. Amazon buys in bulk from the authors/publishers. That lets the author deal with one buyer rather than having to maintain a full-blown e-commerce site for the relatively low volume of books that any one author sells. Then Amazon turns around and runs a full-blown e-commerce site for all the authors/publishers they stock, which lets them spread the fixed costs out over a much larger volume than any one author/publisher could manage.
They provide another value: they allow me to browse titles from many different publishers - and compare and contrast them, and review comments on them - at one central, easily searchable location. E.g., I go to Amazon.com and search for 'Java' and get a big list of Java books, as opposed to going to www.awprofessional.com, www.samspublishing.com, www.mkp.com, www.wiley.com, etc., etc. and doing many different searches, etc.
I don't mind buying direct from the publisher, but in practice I rarely do, for that exact reason. Often I don't know - ahead of time - *who* publishes the book I'm looking for, because I often don't even know the title of the book I'm looking for. -
Re:Why AV Is Ineffective from Malware POV
What if we encrypted our virus with a random encryption, and only the decrypter could be scanned for? Well, if we did that, we'd be doing what virus writers were doing in the late eighties/early nineties. Whatever came of it? Anti-virus writers outsmarted the virus writers, by actually scanning for the decoding pieces or patterns in the code that indicated certain types of encryption.
Now we're slightly further down the road, and we moved from encrypted to oligomorphic (weak polymorphism) to polymorphic to metamorphic code. Metamorphic code is code that completely changes from generation to generation (read up on the MetaPHOR virus and metamorphism for more details). And yet... anti-virus writers still manage to detect these (with great difficulty however), and have been for quite a while. Metamorphic viruses are incredibly complex however, so you won't see them in the wild often because they're hard to create, and there's hardly any niche for viruses any more. Either your malware is a worm that understands open ports and/or mailing itself to others, or it's an internet-unaware virus that remains stuck on the hard disk.
Grand-grand-parent's post thus adds little to the discussion. What he speaks of is 1.5 decennia old, and has NOTHING to do with the current article: a well-known anti-virus vendor allowing malicious code execution through a buffer overflow. Mods: please mod his pointlessly bolded post 'overrated'. A '5' is disappointingly high for this geek crowd. -
Unix C Programmers Need...
Advanced Programming In The Unix Environment, 2nd Ed: http://www.awprofessional.com/title/0201433079
-
"new author every chapter"
Sometimes this seems to work out well, sometimes not. I thought that the Pattern Languages of Program Design editors did a nice job of making that work, and the same goes for the excellent Game Programming Gems series.
On the other hand, sometimes you can really tell that one author wrote a book and was interested in the topic - e.g., Component Development for the Java Platform by Stuart Halloway comes to mind. This was an excellent book for intermediate to advanced Java programmers, and Stuart's interest in how things really work in Java serialization, classloaders, and so forth shines through.
And hopefully the same goes for PMD Applied :-) -
Sample chapter here
Try before you buy and check out the book's sample chapter, Leave No Trace now!
-
Author comments
I have been receiving two kinds of email:
- Requests for a dead tree version of the pdf. I have investigated the possibility of self publishing. The problem is that these companies are not set up for high page counts (1,616) and an A4'ish page size (ok, and self-publishers are currently offering a less than stunning deal; the ROI is small).
People could try ordering from Amazon, the ISBN number is 0201709171. Perhaps Addison Wesley will change their mind if enough orders are received.
- Information on typos. Please keep sending these to me. I am keeping a log of these so that writers of grammar checkers have some real world data.
-
Re:And here I thought that those days were over...
Google for "template metaprogramming" and "prime".
Among the results are this one.
Now, in all fairness, it relies on generating error messages that include prime numbers in the output (and gcc produces a bunch of warnings that pollute the output), but it's still a neat hack.
-
Re:Capability Maturity Model
First, for those that like small tidbits of info, useless for anything but Jeopardy, CMM is old and has been replaced with CMMI [Capability Maturity Model Integration]. This was done mostly to incorporate projects involving things other than systems and their hardware, things like software. CMMI also addressed "legacy" systems, old systems that the old people were used to. CMM didn't account for legacy systems.
Second, for those who care for my opinion, though I've only worked shortly with CMMI, much of the processes seem inhibitive. This is just an opinion of course. However, to me it seems that this just slaps on another layer of bureaucracy to certain government companies. Sure, this model ensures shit companies do their job, but to a solid company, enforcing this standard only slows things down. Oh yeah, and it's boring as hell to learn all about it.
So if you're bored and you want to sleep, here ya go. CMMI Intro -
Um, read your history
OSI copied IP, according to Dr Radia Perlman in Interconnections: Bridges, Routers, Switches, and Internetworking Protocols, 2nd Edition. And if you don't know who she is, I'd suggest you spend some time finding out.
-
Books about the project process
(and the breakdown thereof)...
I have seen some other suggestions here re books that are standard software dev. fodder at Barnes and Noble but I have found these to be more insightful about the process dynamics:
Beyond Chaos Chapter 7 is a PM Primer, which should be helpful.
If It's Broken, You Can Fix It: Overcoming Dysfunction in the Workplace
and finally, read the Appendix of The Dilbert Principle about his management principle - OA5 which is unimplementable in any company which you don't own, because the first bullet point "Get rid of all the assholes" is impossible.
Take heart in the fact no matter what you do, in the end, you will be a reviled peon from the POV of those above you and the incompetent tool of oppression from the POV of those below you and bitter, sullen, spiteful and venomous towards both groups. Later when the project is a smoldering crater, you might get to RIF most of your team.
Project Management is a snowmobile racing across the tundra and then suddenly it flips over, pinning you... At night, the ice weasels come. - Apologies to Matt. -
Re:plperl
There actually is a standard SQL server-side procedural language. It's called PSM (Persistent Stored Modules). It looks fairly similar to Oracle's PL/SQL, but seems to be more deliberately designed. It's an addendum to SQL-92 and standard in SQL-3. Some information here. Unfortunately, the only database I've personally used that implements it is Frontbase. Frontbase is an interesting creature, since it offers no syntax or language manual itself. According to them, the appropriate manual is simply the "Guide to SQL Standard, 4th edition", available here, for example. They document a few differences between the standard and their database on their web site, and anything else that doesn't match is considered a bug. I find something very appealing about that design philosophy.
-
This sounds awfully familiar....
Not to start a flame war or something, but when I was looking into SOAP and XML-RPC, I came across this newsgroup post by Michi Henning (co-author of Advanced CORBA Programming in C++) that makes me really, really think about using XML as an RPC mechanism.
I like using XML and all, but reverting back to a "binary" XML format for RPC is like going back to CORBA and COM. It just does not make sense! XML has its uses and I really do not think RPC is one of them, IMHO. -
Re:I use it to select projects
I was thrown for a loop when I saw the code snippets in this book all done in Times Italic, but I quickly got used to it, and I find it very natural now. Obviously I don't use proportional width and/or italic fonts in my editor, but in a book it works well.
-
'LaTeX Companion' should definitely be on the list
Oh well, resubmitted with proper formatting...
Frank Mittelbach, Michel Goossens et al., The LaTeX Companion, 2nd edition.
This book, launched in June 2004, is a major rewrite of the old book and for every LaTeX user it's worth its price in gold. I have a dog-eared copy at my desk and I can attest to it.
-
I have the book
...and I'd have to say that the review was pretty thorough. I couldn't put the book down when I first got it (which would probably be true for any other self described nerd on here). Here's the link to the book's web site if you want to read anything about it. There is a sample chapter there as I'm sure there probably is on amazon or bn.com. -
Re:Protecting the gullible?
From what I understand (I'm not an expert but I've read a little), the people who these scammers appeal to often aren't the people who are simply greedy. They're the people who've been told that they need a $100,000 payment on their home within a month or they and their kids will be kicked out of the home that's been in their family for generations.
Let's see then. Here are some victims found by a Google search (top links chosen)
- awprofessional.com wrote: In July 2001, the Times of London reported that a former mayor of Northampton fell for the 419 scam, and ended up in Johannesburg, South Africa with a gun to his head. Not certain, but more likely to be greed than desperation.
- In the same URL: And in 1999, a Romanian businessman, Danut Mircea Tetrescu, was kidnapped and held for a half-million dollar ransom. Hmm, "Romanian businessman". More likely greed?
- In the same URL we also have Kjetil Moe, a Norwegian millionaire who had fallen for the 419 scam. Definitely greed.
- El Reg writes of a woman who stole $2.1m from the law firm of which she was an employee (a bookkeeper). The Reg analyses it for us: greed and stupidity in equal measure.
- Wired wrote 2+ years ago of two losses of $78k and $74k, but no actual explanation of the motives of the victims.
- This dude writes that he was taken in out of folly.
-
Finally a more professional website offers a summary,
From earlier sections you might have picked up the impression that only seniors are deceived by offers of instant wealth. Nothing could be further from the truth. While it is true that seniors are targeted for sweepstakes offers the mechanics of telemarketing and investment fraud are simply enhanced and modified for attacking various targets of opportunity.
This particular scam targets middle class, middle age, business and professional men who would never be as easily deceived by a lottery scam. Estimates put the losses from these "Nigerian Advance Fee" operations at over $1 million "every single day" in the U.S. alone.
-
Sample chapter available online
Here's a sample chapter about process management.
-
Re:How does it compare
How does it compare to the bible of all IDS analysts, Network Intrusion Detection by Stephen Northcutt & Judy Novak
That's a really good question. To me the bible is Stevens' TCP/IP Illustrated Vol I. While Northcutt's book is a great introduction to IDS and analysis for beginners, I think Rich's book goes beyond that (as evident in reviews from respected members in the community like Lance Spitzner from the Honeynet Project). To quote Ron Gula from the foreword of Richard's book: If you've learned the basics of TCP/IP protocols and run an open source or commercial intrusion detection system, you may be asking, "What's next?" If so, this book is for you.
You can also read a couple of sample chapters from the book.
Of course, I am a little biased. Rich is a great friend, but I truly think he did an awesome job of creating something that should be required reading for anyone involved in network security.
Bammkkkk -
Re:Doesn't the DOJ have better things to do...
What the hell are you talking about? Copyright infringement is a FEDERAL matter. Ever notice the FBI warnings on the beginnings of videos? As in FEDERAL Bureau of Investigation?
Sigh, I know, you won't just put two and two together, so here is some more stuff for you to read, to exercise that "brain" between your ears:
http://www.awprofessional.com/articles/article.asp?p=169520&seqNum=3
Guess what? They can arrest you for violating federal law!
Did you pay attention in history class? Or are our high schools failing us...? -
Re:so if they weren't charged
Sharing can be a criminal act. Under the No Electronic Theft (NET) Act, sharing copyrighted works with the expectation of getting works in return counts as "financial gain". The act makes it a felony to trade works with a retail value over $2,500 in a 6 month period. It sounds like they were well over that amount.
The NET Act was passed in 1997 to criminalize warez trading. I do not think that the act distinguishes between software and other copyrighted materials like movies and music. Sixty people have been convicted under the NET Act, with 20 sentenced to jail.
See Warez Trading and Criminal Copyright Infringement for the details.
-
Except that....
A EULA is not a contract, it is a license. It sez so right in the frickin' acronym for crying out loud: End User LICENSE Agreement. Grrrrr...
Oh, and IANAL, but I read about them once on TV. -
Re:Legitimate question.
I have read The Design and Implementation of the 4.4 BSD Operating System and it is a very good way to learn the inner workings of an OS. This is an older book than the one mentioned in the article and I'm sure the new book has some more up to date information. But I would expect it to be just as good as the one I mentioned.
The authors of the book helped in writing BSD and they give the impression of knowing what they are writing about. -
Re:Isn't XML semi-object oriented?
Well, the point is not SQL, but the relational model. In fact, I think SQL itself often distracts from the relational model, because of its complexity and inconsistency (see presentations by Hugh Darwen at www.thethirdmanifesto.com).
I'm not saying that "flat tables with keyed relationships" is wrong, but that it is only one part of the relational model (for example, my applications almost never talk to the base tables, but to views and set-returning functions). Really, there is no way to confer this 'Tao' on anyone with a quick sentence or two (there is no one 'aha' moment). It is all about set-oriented and predicate-oriented thinking, rather than object-oriented or procedural thinking. Used properly, this allows you to handle an incredible amount of business logic declaratively rather than procedurally. To grok it any further, I would heartily recommend you spend some time reading C.J. Date's book Foundation for Future Database Systems, as well as the material at www.thethirdmanifesto.com, and www.dbdebunk.com (yes, Fabian Pascal can be abrasive, but the discussions on the site are real eye-openers, especially some of the older material). -
Re:Yeah, by IBM.
-
Re:Marc vs. Stevens
It is unfortunate - I keep a copy on my desk (actually had two copies before I realized one order was just really late!).
But he (Stevens) wrote Advanced Programming in the Unix Environment (APUE), not Advanced Unix Programming... I can see buying AUP and getting myself thoroughly confused... "Hand me that copy of APUE, er, AUP, um, the one with the RED stripe on the cover!!!"
I find it strange Addison-Wesley doesn't include Unix Network Programming Vol 2 (IPC) in its "Professional Computing Series"...APUE, UNP Vol 1 AND 2 are rarely far away. -
as already mentioned by others
The Unified Modeling Language.
Start Here, then try google for more introductory articles that are out there.
If you want books on the topic, I recommend UML Distilled by Martin Fowler for a quick intro, then branch out from there. (There's the Object Technology series from Addison-Wesley, which are usually very good, but they're not the only UML books out there.) I also recommend you download a UML tool (there are a bunch out there - free as in beer, Open Source, or try a commercial trial version).
As for flowcharting, there are several model types in UML to handle it. Activity diagrams come immediately to mind (these are very close to the classic flowcharting techniques), but state charts and sequence diagrams are useful also to supplement an activity chart. Also look into the structural models - class diagrams, deployment charts, etc. when assembling/designing your program.
UML is language independent - meaning it's not explicitly tied down to one specific language. Although, it is useful to keep in mind what language you plan on using when authoring in UML. -
Eclipse in Action
I read the review, bought the book, and very happily and quickly put Eclipse to use. It is now my Java IDE, although I find I still prefer TextPad for lengthy editing sessions.
I found the first half of the book to be simply horrible. A supposed introduction to actually using Eclipse this section concentrates more on the "Agile" toolset that all competent, well-informed Java developers that care about the quality of their code, products and development process should already be using. Well, that's what all the books say anyway.
There are a few things about this remark that are at the very least unrealistic. Not everyone uses agile methodology. Agile developers are hardly the only people who are "competent, well-informed Java developers that care about the quality of their code, products and development process." The first half of the book does not focus on agile methodology. The use of the word "horrible" is frivolous and without merit. If you read and work through the first six chapters, you will
- Quickly and easily set up eclipse on your favorite platforms
- In a couple days be competent enough to move your day to day work to eclipse with few or no hassles
- Set up CVS on windows or linux
- Point all of your eclipse installations to the CVS repositories you created, and use CVS as your repository via eclipse menu commands
- Integrate ant, log4j, and junit with eclipse
-
Review critique, book critique
Some problems with this review:
1. Where's the basic information about this book? Author, publisher, ISBN, list price, etc. None of these are mentioned in the review (yes, there's a link to B&N, but, c'mon).
2. Sequencing is an essential aspect of a technical book review. In what order does the author address the topics? Are there many forward references? Does the author march through the topics one at a time or is the subject matter gradually explored, step-wise? A Table of Contents listing (instead of the simplistic 6 parts) would be nice, at a minimum.
Some problems with this book:
1. Having found the TOC on O'Reilly's website (http://www.oreilly.com/catalog/cplus2/toc.html), it's clear that this book features the Bad Old Style of C++ pedagogy: namely, teach C first. The author tackles arrays before std::vector, structs (and unions!) before classes, C-style linked lists before std::list, switch statements before virtual functions, and macros before templates. The new approach to teaching C++ is to give the user familiarity with the powerful utilities of the standard library, so that useful programs can be written right off the bat, and then to explore the dizzying array of language constructs which make the standard library what it is. I encourage those new to C++ to check out Accelerated C++ as an alternative introduction to C++.
2. The reviewer points out that there are many code errors in the book. This is unacceptable, especially for a beginning book. A small number of obvious typos can be forgiven, but anything more than that should consign a tech book -- again, especially an introductory book, where the audience has little experience for dealing with errors -- to the circular file.
While I love many of O'Reilly's offerings, their coverage of C++ has always seemed spotty and outdated. I encourage anyone trying to learn C++ to check out the C++ In Depth series published by Addison-Wesley, starting with Accelerated C++ and Essential C++.
Jon -
Re:O'Reilly's Java Design Patterns Tutorial
Oops, Java Design Patterns is an Addison-Wesley book, not an O'Reilly book.
I read that one through O'Reilly's Safari service (which is great by the way), and hence the point of confusion =)
ISBN: 0-201-48539-7
publisher link: Java Design Patterns -
CSS References
I am still looking for a good, up to date tutorial on CSS (recommendations welcome).
I use two references for CSS.
The first is the book Cascading Style Sheets, 2nd ed.: Designing for the Web by Hakon Wium Lie and Bert Bos. From what I understand, these two guys basically invented CSS. You can find it on Amazon and at the publisher, Addison-Wesley.
(BTW, I've never been disappointed by an AW book. They're up there with O'Reilly in my mind.)
The other resource is on the web, the ZVON.org CSS1 Reference and CSS2 Reference.
The book has a couple minor shortcomings (you can read about them in Amazon's customer reviews). Those shortcomings are overwhelmed by 1) the authority of the authors, 2) the functional organization, and 3) the readability.
The authors know their stuff. They invented the technology for crying out loud.
The book is organized by function meaning typography control is one chapter, positioning is another, and so on regardless of which standard the property comes from or which browser supports it. This book is where you go when you can't remember, or need to learn, how to do something.
(There are notes for each property on browser support, but they are outdated. For that quickly changing information I recommend The Noodle Incident's CSS Panic Guide Browser Reference.)
The authors use a very readable voice. The examples are a bit simplistic but functional, and they express the concept.
I like ZVON.org because it offers a no-nonsense reference. It's basically a clean-cut dictionary of CSS. No other site I've seen is as quick to provide the answer for which you are looking. Use it when you need to refresh yourself on the exact order of values for shortcut properties (like background, font, etc.). -
Re:Leaks in C++
Bzzt... You fail!
This is actually a classic example of how people screw up exceptions in C++. Aside from not using unknown() to handle errant exceptions, the bigger problem is the notion that try/catch blocks are how you avoid memory leaks in C++. Take a look at this old problem to give yourself an idea of some of the complexities with exceptions. While the problem does not create a resource leak (indeed, it effectively LOSES resources), it demonstrates how it can go wrong in the most surprising ways.
While it is conceivable to get everything working right using try/catch blocks, you have to write a ton of insanely structured code, and it's very error prone.
What you want to use is the "resource acquisition is initialization" idiom. Here's some info on it here. It's all about the stack and destructors, man. -
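The RAII point in the comment above, as an added example that is not the commenter's code: a constructed Connection resource counts its live instances, and the same failing work is run once with manual new/delete and once with a stack-owned std::unique_ptr. Only the manual version leaks when the exception propagates.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <stdexcept>

// Constructed resource for the demo: counts live instances so a leak shows up.
static std::size_t g_live = 0;

struct Connection {
    Connection()  { ++g_live; }   // acquire in the constructor
    ~Connection() { --g_live; }   // release in the destructor
};

std::size_t live_connections() { return g_live; }

// Stand-in for work that may fail part-way through.
void do_work(bool fail) {
    if (fail) throw std::runtime_error("work failed");
}

// Manual management: when do_work throws, the delete is never reached, so the
// Connection leaks even if the caller catches the exception.
void use_manual(bool fail) {
    Connection* c = new Connection;
    do_work(fail);
    delete c;
}

// RAII: ownership lives in a stack object; stack unwinding runs its destructor
// whether do_work returns or throws. No try/catch needed in this function.
void use_raii(bool fail) {
    std::unique_ptr<Connection> c(new Connection);
    do_work(fail);
}

// Calls f(true), swallows the exception, and reports how many Connections
// it left alive. 0 means no leak.
template <typename F>
std::size_t leaked_after(F f) {
    const std::size_t before = live_connections();
    try { f(true); } catch (const std::runtime_error&) {}
    return live_connections() - before;
}

int main() {
    std::cout << "manual leaks: " << leaked_after(use_manual) << "\n";  // 1
    std::cout << "raii leaks:   " << leaked_after(use_raii)   << "\n";  // 0
    return 0;
}
```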
Re:application side security
The main thing is to validate user input so you don't allow your SQL code to be manipulated. Using parameterized SQL is also a good practice.
I don't have a good book to recommend. I just ordered this one, which looked good from the description, but I haven't received it yet.
Quality Web Systems: Performance, Security, and Usability
-
No one should run ANY tests. Seriously. Manual tests are a waste of time. The only test worthy of running is an automated test. If it's not automated, then somebody can forget to run it. If somebody can forget to run it, then you're not really testing it, are you?
If you have to have X people run tests at cost Y, then adding more tests makes it more expensive! What kind of screwed-up logic is that, when a computer can do better at 4am while you sleep?
Any tester worth his salt is not a button-pusher/bug-report-writer. A real QA person writes automated tests and checks them into the code base so that it runs automatically when building. Flame to death anyone who checks in code that breaks a test. The optimum situation is that all developers are testers: they write tests and code and check them both in simultaneously.
If you're finding that tests are showing up lots of bugs, you're finding the symptom. It might be you're finding bugs and fixing them will reduce the amount. However, if you find that your development team creates bugs faster than it can fix them, then it means your organization doesn't know how to code its way out of a paper bag and shouldn't be programming. No amount of tests will fix it. The only thing that will work is refactoring, and most managers in such places erroneously think refactoring is the devil.
Not all software is equally testable. You have to write it so that it is testable. If you want to read a great book on how to test your software, I recommend John Lakos' Large Scale C++ Software Design. Testing techniques apply to most other languages, not just C++. Personally, I've unscientifically found that every hour writing automated tests pays back at least 10 in saved future effort. YMMV depending on the complexity of your project.
-
Re:Antipatterns
Actually, "antipattern" is an accepted term in the pattern community for describing a bad process or design that on the surface looks like a good idea. If a Pattern is a good practice distilled from the experiences of many good developers, then an antipattern is a "gotcha" that has been distilled from experience common to many good developers. This book describes it, but the name really has nothing to do with Sun's practice of describing things in terms of patterns.
That's right. The AntiPattern is a well-established idea, even marked by the publication of an AntiPatterns book just a few years after the publication of Design Patterns by the Gang of Four.