ncl.ac.uk · Domains · Slashdot Mirror

Meanwhile... by Observer · 2001-08-27 18:24 · Score: 1 · on Finally, A Solution To The DMCA

For those /.ers who are interested enough about DMCA to want to write to their representatives in Congress about it, there is a note in the latest Risks Digest from another person who has concluded that he cannot take the risk of continuing to work in the encryption field either commercially or academically. Tracing the back links in that story gives other instances.

Some interesting history and points about voting.. by jgrumbles · 2001-08-16 14:03 · Score: 1 · on Florida County Asks Students To Crack Elections

Visit this site, and learn some more information about voting, as well as some interesting con points about computerized voting.

Re:The word Fad is bad, as is the whole premise by Mr.+Slippery · 2001-08-15 16:26 · Score: 1 · on Mob Software

The whole premise of the article is that the current system(s) in place don't work well. This is just plain false.

You think current development methodologies work well?

I want you to remember that statement the next time your machine crashes. The next time you get an e-mail containing a virus. The next time you can't get to a website because the server's down.

Go read the RISKS forum. Then tell me that current software methodologies work.

Warhol Worm proposed: 15 minutes to total infectio by molo · 2001-08-11 04:32 · Score: 5, Interesting · on Code Red: the Aftermath

2001-08-11 13:18:46 Warhol Worm proposed: 15 minutes to total infection! (articles,bug) (rejected)

Since /. rejected this story, I posted it to the K5 Queue (only visible if you have a K5 acocunt).

Here's the scoop (more meat at K5):

According to an article in the latest issue of the RISKS digest, Nicholas Weaver of UC Berkeley has written a description of a new type of worm, the Warhol Worm. He believes that using a divide-and-conquer method, all vulnerable machines over the entire IPv4 addressspace could be compromised in only 15 minutes!
`In the future, everybody will have 15 minutes of fame' -Andy Warhol

Warhol Worm proposed: 15 minutes to total infectio by molo · 2001-08-11 04:32 · Score: 5, Interesting · on Code Red: the Aftermath

2001-08-11 13:18:46 Warhol Worm proposed: 15 minutes to total infection! (articles,bug) (rejected)

Since /. rejected this story, I posted it to the K5 Queue (only visible if you have a K5 acocunt).

Here's the scoop (more meat at K5):

According to an article in the latest issue of the RISKS digest, Nicholas Weaver of UC Berkeley has written a description of a new type of worm, the Warhol Worm. He believes that using a divide-and-conquer method, all vulnerable machines over the entire IPv4 addressspace could be compromised in only 15 minutes!
`In the future, everybody will have 15 minutes of fame' -Andy Warhol

Re:Postscript virus by mmontour · 2001-08-08 02:42 · Score: 4, Insightful · on PDF Virus Spotted

About ten years ago there was a postscript virus that Did Things to printers

There's some info about it here. Was apparantly quite nasty on some hardware, as it changed a password that required an EPROM replacement to correct. This might have been more a "trojan" than a "virus", as I didn't find any references to it spreading itself (just that it could be a payload in clipart or other EPS files).

http://catless.ncl.ac.uk/Risks/10.32.html#subj1
ftp://ftp.minolta-qms.com/pub/cts/out_going/dos/po stv.txt
http://www.sevenlocks.com/password/pspass.txt

I thought that there was also something a few years ago where viewing a postscript file could alter files on your local machine (buffer overflow in a particular viewer program, unsafe default security settings, or something). However I couldn't find any information, so I might be mis-remembering.

Be Careful What You Send Over that 802.11 by Greyfox · 2001-08-01 23:44 · Score: 4 · on Testdrive A Linux iPAQ

According to a Recent Risks Digest it's pretty damn easy to break even a 2048 bit WEP key.

Postol has done good work by geoswan · 2001-07-30 21:19 · Score: 1 · on Physicist says Defense Dept. Trying to Silence Him

Here are links to a few articles from the RISKS archive that refer to Postol's work on the Patriot fraud.

Risks13-19.3
Risks13-32.1
Risks13-37.2
Risks13-46.4

Postol has done good work by geoswan · 2001-07-30 21:19 · Score: 1 · on Physicist says Defense Dept. Trying to Silence Him

Here are links to a few articles from the RISKS archive that refer to Postol's work on the Patriot fraud.

Risks13-19.3
Risks13-32.1
Risks13-37.2
Risks13-46.4

Postol has done good work by geoswan · 2001-07-30 21:19 · Score: 1 · on Physicist says Defense Dept. Trying to Silence Him

Here are links to a few articles from the RISKS archive that refer to Postol's work on the Patriot fraud.

Risks13-19.3
Risks13-32.1
Risks13-37.2
Risks13-46.4

Postol has done good work by geoswan · 2001-07-30 21:19 · Score: 1 · on Physicist says Defense Dept. Trying to Silence Him

Here are links to a few articles from the RISKS archive that refer to Postol's work on the Patriot fraud.

Risks13-19.3
Risks13-32.1
Risks13-37.2
Risks13-46.4

Re:The way I heard it by DNS-and-BIND · 2001-07-30 05:14 · Score: 1 · on Distributed Checksum Clearinghouse vs Spam

Yup, it's true. It didn't just happen one time...

Reference here with the priceless quote, "There was only one person programming the code for this system and he largely did all the testing". A chilling excerpt from the URL:

"A month later at the same hospital, with the same technician another fatal dosage was given. The technician made the same error of quickly changing the mode from X-ray mode to Electron mode using the 'cursor up' key. This again caused "Malfunction 54". The patient this time was receiving treatment on his face. When the overdose was administered he yelled and then began to moan. The audio equipment was working this time but the initial dose was too much for the man. He received severe neurological damage, fell into a coma and died only 3 weeks later.

Another reference here.

Re:Interesting banner ad... by The+Larch · 2001-07-26 00:31 · Score: 1 · on All The World Over, Your Stolen I.D.

What an excellent idea, having all your identities conveniently managed by Windows. No more having to log out of Hotmail to check another mailbox, or forgetting to delete your signature from an anonymous posting.

It'll save time when propagating worms, too -- you just have to receive the worm once on your work email account and it can forward itself using your work identity, your home identity, any of the pseudonymous identities you use to post on the not-quite-mainstream newsgroups and discussion forums, etc. It can even mix and match the contact lists for an amusing effect!

Seriously, who would bet Windows will not leak information between your identities? Microsoft's C compilers insert arbitrary chunks of your disk into compiled binaries!

Re:Listen to the users! by Fjord · 2001-07-20 12:58 · Score: 2 · on GNOME Usability Study Report

This is an Urban Legend.

Another excellent site about electronic voting by plcurechax · 2001-07-17 16:32 · Score: 5 · on Caltech & MIT Urge Wait On Net Voting

Rebecca Mercuri is an authory on electronic voting, and her site is an excellent source of information on the subject.

The usual good source of thoughful and insightful comments, is RISKS / comp.risks, and in particular Vol 21 Issue 14.

Another excellent site about electronic voting by plcurechax · 2001-07-17 16:32 · Score: 5 · on Caltech & MIT Urge Wait On Net Voting

Rebecca Mercuri is an authory on electronic voting, and her site is an excellent source of information on the subject.

The usual good source of thoughful and insightful comments, is RISKS / comp.risks, and in particular Vol 21 Issue 14.

Re:More Writeups Needed by plcurechax · 2001-06-26 23:38 · Score: 5 · on Blow-by-Blow Account of the OSDN Outage

If you haven't heard of it before, get your browser over to RISKS digest or comp.risks. Forum On Risks To The Public In Computers And Related Systems

I discovered the RISKS digest when reading the about software engineering, and it has certainly helped me think about failures and recovery when designing and building systems.

There is also the underlying thesis in the article about how complexity, whether in a bungled redundant network connection or just a large poorly documented, poorly tested, and poor configured system is your enemy in building reliable systems. A lot of systems were built like Slashdot during the dot.com IPO craze, I wonder how many of us rely on such poorly built systems?

Building complex, reliable networks is hard, and expensive. About 3 times what your estimate is, which is about 2 times what you boss expects to spend.

Re:Slashdot Decline by acoopersmith · 2001-06-25 13:02 · Score: 3 · on Jordan Hubbard (of FreeBSD Fame) Hired by Apple

Of course not - everyone should remember when he rwall'ed the entire ARPAnet and in doing so single-handedly forced the invention of the firewall...

SETI@Home and denial of service by alispguru · 2001-06-18 08:28 · Score: 3 · on SETI@Home A Security Threat, Says TVA

There might be a legitimate reason for keeping SETI@Home (or any random application) off of a major organization's computers. Go look at this issue of Risks digest. The problem described here is not a security issue, but a feature of the SETI software that can cause a few copies of it to wedge a net connection if it can't reliably get to its server.

Here's the article I was talking about by Delrin · 2001-06-04 05:49 · Score: 2 · on Calendar: Code, Free Speech, Or Mathematics?

I found some more info here. Apparently it was 620,000$ CDN that he won. They been the odds of "1 in 6 billion" 3 times in a row. Here are some excerpts

- Corriveau used an "antique 286" computer to analyse 7,000 combinations from the keno game, [which uses an electronic pseudo-random number generator].
- The Casino managers shut the game down and called the police.
- The Surete du Quebec [provincial police] fraud squad investigated; Corriveau and his family even took polygraph tests.
Might want to look on yahoo or somewhere to find the details of the actual judgement. Though I am pretty sure he was let off completely.

Re:Technophobes? no, legalphobes by anticypher · 2001-05-30 18:24 · Score: 4 · on Hailstorm: Open Web Services Controlled by Microsoft

... and start saying "What Microsoft is trying to do is cool, but what we can do is *better*."

You are missing the point. micro~1.oft has realised they can't compete with OSS on a technical playing field, because the OSS community will eventually win. So M$ is changing the playing field while they still have a monopoly.

The new playing field is using the law (copyrights and patents) to give them exclusive control over who gets to play with their authentication schema. The open source community can come up with a working alternative, but in doing so will become a criminal group, breaking copyright laws and violating patents. M$, and many of the leading IT/computer/software/networking/services companies have realised that playing in a free and open commodity market spreads the profits too thin. So there has been a major push for the last 5-8 years to craft laws to support the new playing field, where free and open competitors are outlawed.

You've no doubt heard of the american UCITA laws, passed in some states, proposed in all the rest. There are initiatives here in Europe to provide the same protections to large companies, but the progress is slower due to socialist leaning countries. Years ago companies who saw the service model and copyright as a potential new area to limit free and open competition created the WIPO, and neatly folded it under the protection of the UN. /. readers regularly complain about these restrictive laws, but are mostly powerless to do anything about them. Money buys votes, so most western democracies are for sale, which is why large crowds protest in Davos and Seattle and any place else. The protests are getting so costly, the world banque is meeting in cyberspace to avoid physical risks.

a protocol (http) which was just plain better ... the OSS community was already there.

For the next 5 to 10 years, M$ and a handful of other companies are going to completely dominate all the greatness the OSS community created. The GPL isn't going to stop them, free and open isn't going to stop them either. Many smart people getting paid large salaries have looked at many ways to continue to earn money when there is a free product running your industry. They know, now, how to defeat the advantages of OSS and free and open. That is what the article is about. The best hope for the Next Great Thing lies where it has always lain, in academia and government assisted research. That is why M$ bought MIT and dozens of other universities in the US and Europe, and why they just bought the UK government.

The OSS community creates free software. I agree with RMS, software should be free. But the big and steady money is in services, always has been, always will be(until the trek universe occurs) There are no free alternatives to services. Maybe there should be an Open Services Alliance :-) I'd love to get 24/7/365 support services for free, but then I'd be out of a job. :-(

the AC

GSM Encryption by alexburke · 2001-05-30 13:38 · Score: 1 · on German Crypto Mobile Announced

I'm a bit of a cellphone nut, and have already done quite a bit of reading on the subject.

The data streaming between the phones and towers of a GSM network is already encrypted with one of two algorithms, A5/1 and A5/2. A5/1, the "stronger" variant, is in use in virtually every GSM network currently operating.

Neither algorithm has been broken. However, the private key (Ki) stored in every subscriber's SIM (subscriber identity module) card (unique to each SIM card) has successfully been compromised by researchers for a university, I believe. This was reported in the news a while (18 months?) ago, but it can't be done over the air. As far as I know, you have to interface the SIM card with a PC and ask the SIM card to identify itself, using a slightly different salt each time. By doing this about 150,000 times (which takes about 8 hours), the private key can be computed.

If this stuff turns your crank, here are a few links to get you started:

--

Re:Just for the sake of the past by lent · 2001-04-04 21:37 · Score: 1 · on MS Passport Privacy Policy Revised

Try Risks Digest Volume 21:Issue 32

Re:Don't sound the Death knell yet by neothdoeuni · 2001-03-07 07:57 · Score: 1 · on Death of the General Purpose PC

A PC is basically never the cheapest or best way to do the single thing you want to do right now. But most people look at it and go - it does this ok, and that ok, and twenty other things ok, and the four hundred gadgets that I'd need to replace all the things I use it for would cost a lot more, as well as filling up my garage.

I tried to get my (computer illiterate) sister a couple of gadgets to to word processing and email on, but it was cheaper to buy a low end PC. And even factoring in the support costs ("all my text has gone green") it's cheaper and easier to have the PC sitting there. For $20 they even bought a "fax machine" (software) that uses no power or space (that wasn't already used). Can't beat that in dedicated hardware.

For true joy, read risks digest about the guy who couldn't connect his PDA to anything, then one day... oopsie, no more data. Imagine that when you own a network appliance, a smart phone, a pda, a smartass fridge-freezer that talks to the microwave but not the toaster oven, yadda yadda, then one day you sync (of course, they all have to sync together, otherwise what's the point), and get multilateral data destruction. All your data are belong to us!

More helpful tips for you by goingware · 2001-02-21 11:17 · Score: 2 · on Making Software Suck Less, Pt. II

While I was out for a while I thought of a few more things to post that should have been included in the above.

While I don't think either of them were really overtly trying to mentor me, I owe a lot of credit for what I know and what I can do to a couple of brilliant programmers that I've had the privilege to work with. Both of these fellows are very kind, pleasant people and went out of their way to help me. They also both go out of their way to write correct code, as opposed to, say, just screwing around with it until it sort of works.

I met Haim Zamir at Live Picture (now MGI Software) in 1997 where I really began my C++ effort in a serious way (I tried it in 1990 to write test tools at Apple but didn't really enjoy the experience). Have a look at Haim's Resume, particularly under "Skills" where he lists:

Well grounded in disciplines of software engineering for correctness, robustness, performance, and longevity

Haim can write the most difficult code, and it doesn't just work right, it is unquestionable.

Another brilliant programmer is my friend Andrew Green. Andy spares no amount of effort to get his code just right - he devoted nine years to developing the ZooLib cross-platform application framework before releasing under the MIT License. (Not five years as I say on the page.)

If you think being correct, as opposed to merely working ok isn't important, imagine trying to get platform-independent reference counted smart pointers to work in a multithreaded application framework. Andy did.

For an archive of anecdotes of interesting, funny and sometimes tragic technology quality problems, please read:

The Forum on Risks to the Public in Computers and Related Systems, with such anecdotes as:
- The Sinking of the USS Gitarro (because of either poor training, poor UI, or both)
- The scary MSWord residue feature - exchange Word documents during legal negotiations?
- Also see the book Computer Related Risks by Risks moderator Peter Neumann

Reading Risks for many years is what has made me such a zealot for software quality. It has also made me tend to avoid using software for anything of real importance in my life, and to feel uneasy while flying aboard modern aircraft - even though, with a B.A. in Physics, I am very comfortable with the aerodynamic principles that hold airplanes up and used to enjoy flying as a kid.

If you write software, another good investment (more important than your hardware investment), is buying and reading good books. As a software consultant I keep the canceled checks and receipts for my technical book purchases; in 1999 I deducted about $750 worth of technical books from my taxes and about $250 in 1998.

But there are a lot of bad software books out there; much as there was a gold rush due to the Internet, there was a smaller-scale gold rush for technical book authors over the last couple years. A really good source of straight-talking book reviews by people who have good reason to know what they're talking about is maintainted by the Association of C and C++ Users at:

The ACCU Book Reviews Section

The ACCU is interested in more than just C and C++ these days, if you program in those languages, Java or (dare I say it) C-sharp you should join. The mailing lists is pretty low traffic and has some of the best signal-to-noise ratio of any list I've seen (except Risks). The ACCU's technical journals, with articles written by the members, are a valuable source of information on such things as how to write exception-safe code.

(Note to CowboyNeal - writing C-sharp with the pound sign set off the lameness filter, driving me damn near out of my skull. How about adding something to the preview to let us know which characters are lame, exactly?).

And good news for those of you across the pond (but bad news for me), it's a British organization and holds regular technical conferences. I believe they also send observers to the ISO standards bodies.

If you program in C++ you should read these two books by Scott Meyers and put them to practice in your code. Read each item one at a time and then go through your code from beginning to end to see how you can apply it:

Effective C++ - ACCU Review - be sure to get the 2nd Edition
More Effective C++ - ACCU Review

After reading Effective C++ and More Effective C++, if you're programming with g++ (or using gcc to compile ".cpp" files) then you should use the -Weffc++ option to g++ to warn you about style problems. From the GCC Online Manual:

-Weffc++ (C++ only)
Warn about violations of various style guidelines from Scott Meyers' Effective C++ books. If you use this option, you should be aware that the standard library headers do not obey all of these guidelines; you can use `grep -v' to filter out those warnings.

Importantly, in any language, make sure your code compiles cleanly without warnings with all the warnings enabled in the compiler - use the -pedantic option in gcc.

C++ is not the problem language it's often said to be if you follow Meyers' advice, but if you prefer C you certainly can have problems there too - and note that the preferred language for Gnome is C (while KDE is an extended C++), for C programmers you should read:

C Traps and Pitfalls - ACCU Review

People who write in any programming language, from assembler on through C and way out to prolog, really should go back to our roots and read the early book:

The Elements of Programming Style

Sadly, this book is out of print, but see the "E" Titles Section at ACCU for other Elements of Style books.

Back to the topic of compiler warnings, remember reading about lint in Kernighan and Ritchey's The C Programming Language? When I started out in my first real programming job, doing Sun system administration and writing image processing software back in the late '80's, I learned to write "lint" targets in my Makefiles, and I'd type "make lint" after editing but before compiling to actual machine code. This made my code much easier to debug and quicker to develop.

Much of lint's function is now available in the warnings of GCC (but I don't think all of it), but there are some proprietary products that will do extremely rigorous statis analysis of your source code. I haven't yet used either (although I plan to) but the two I know about are:

Looks like I missed one when I spoke about Bounded Pointers for GCC, Spotlight, etc. in my previous post. Parasoft offers:

Insure

But note that these products use patented algorithms - number 5,581,696 and 5,860,011.

You can search by patent number here.

And speaking of web programming, many Slashdot readers write web applications (Linux being a "server OS" as they say). How many of you validate the HTML that's generated by the web applications you write?

Your HTML should work well in any browser and it should be well designed for easy usability. I don't mean attractive graphics. I mean it shouldn't suck. Two links on design:

Finally, to make sure your HTML is valid, test it with the W3C HTML validation service. You have two choices of how to get your documents processed:

By uploading static files from your browser - most convenient during hand composition
By entering its URL in a form - best for dynamic pages and final tuning of static pages

Try this link for an example of running a popular web application through the W3C validator.

Mike

More helpful tips for you by goingware · 2001-02-21 11:17 · Score: 2 · on Making Software Suck Less, Pt. II

While I was out for a while I thought of a few more things to post that should have been included in the above.

While I don't think either of them were really overtly trying to mentor me, I owe a lot of credit for what I know and what I can do to a couple of brilliant programmers that I've had the privilege to work with. Both of these fellows are very kind, pleasant people and went out of their way to help me. They also both go out of their way to write correct code, as opposed to, say, just screwing around with it until it sort of works.

I met Haim Zamir at Live Picture (now MGI Software) in 1997 where I really began my C++ effort in a serious way (I tried it in 1990 to write test tools at Apple but didn't really enjoy the experience). Have a look at Haim's Resume, particularly under "Skills" where he lists:

Well grounded in disciplines of software engineering for correctness, robustness, performance, and longevity

Haim can write the most difficult code, and it doesn't just work right, it is unquestionable.

Another brilliant programmer is my friend Andrew Green. Andy spares no amount of effort to get his code just right - he devoted nine years to developing the ZooLib cross-platform application framework before releasing under the MIT License. (Not five years as I say on the page.)

If you think being correct, as opposed to merely working ok isn't important, imagine trying to get platform-independent reference counted smart pointers to work in a multithreaded application framework. Andy did.

For an archive of anecdotes of interesting, funny and sometimes tragic technology quality problems, please read:

The Forum on Risks to the Public in Computers and Related Systems, with such anecdotes as:
- The Sinking of the USS Gitarro (because of either poor training, poor UI, or both)
- The scary MSWord residue feature - exchange Word documents during legal negotiations?
- Also see the book Computer Related Risks by Risks moderator Peter Neumann

Reading Risks for many years is what has made me such a zealot for software quality. It has also made me tend to avoid using software for anything of real importance in my life, and to feel uneasy while flying aboard modern aircraft - even though, with a B.A. in Physics, I am very comfortable with the aerodynamic principles that hold airplanes up and used to enjoy flying as a kid.

If you write software, another good investment (more important than your hardware investment), is buying and reading good books. As a software consultant I keep the canceled checks and receipts for my technical book purchases; in 1999 I deducted about $750 worth of technical books from my taxes and about $250 in 1998.

But there are a lot of bad software books out there; much as there was a gold rush due to the Internet, there was a smaller-scale gold rush for technical book authors over the last couple years. A really good source of straight-talking book reviews by people who have good reason to know what they're talking about is maintainted by the Association of C and C++ Users at:

The ACCU Book Reviews Section

The ACCU is interested in more than just C and C++ these days, if you program in those languages, Java or (dare I say it) C-sharp you should join. The mailing lists is pretty low traffic and has some of the best signal-to-noise ratio of any list I've seen (except Risks). The ACCU's technical journals, with articles written by the members, are a valuable source of information on such things as how to write exception-safe code.

(Note to CowboyNeal - writing C-sharp with the pound sign set off the lameness filter, driving me damn near out of my skull. How about adding something to the preview to let us know which characters are lame, exactly?).

And good news for those of you across the pond (but bad news for me), it's a British organization and holds regular technical conferences. I believe they also send observers to the ISO standards bodies.

If you program in C++ you should read these two books by Scott Meyers and put them to practice in your code. Read each item one at a time and then go through your code from beginning to end to see how you can apply it:

Effective C++ - ACCU Review - be sure to get the 2nd Edition
More Effective C++ - ACCU Review

After reading Effective C++ and More Effective C++, if you're programming with g++ (or using gcc to compile ".cpp" files) then you should use the -Weffc++ option to g++ to warn you about style problems. From the GCC Online Manual:

-Weffc++ (C++ only)
Warn about violations of various style guidelines from Scott Meyers' Effective C++ books. If you use this option, you should be aware that the standard library headers do not obey all of these guidelines; you can use `grep -v' to filter out those warnings.

Importantly, in any language, make sure your code compiles cleanly without warnings with all the warnings enabled in the compiler - use the -pedantic option in gcc.

C++ is not the problem language it's often said to be if you follow Meyers' advice, but if you prefer C you certainly can have problems there too - and note that the preferred language for Gnome is C (while KDE is an extended C++), for C programmers you should read:

C Traps and Pitfalls - ACCU Review

People who write in any programming language, from assembler on through C and way out to prolog, really should go back to our roots and read the early book:

The Elements of Programming Style

Sadly, this book is out of print, but see the "E" Titles Section at ACCU for other Elements of Style books.

Back to the topic of compiler warnings, remember reading about lint in Kernighan and Ritchey's The C Programming Language? When I started out in my first real programming job, doing Sun system administration and writing image processing software back in the late '80's, I learned to write "lint" targets in my Makefiles, and I'd type "make lint" after editing but before compiling to actual machine code. This made my code much easier to debug and quicker to develop.

Much of lint's function is now available in the warnings of GCC (but I don't think all of it), but there are some proprietary products that will do extremely rigorous statis analysis of your source code. I haven't yet used either (although I plan to) but the two I know about are:

Looks like I missed one when I spoke about Bounded Pointers for GCC, Spotlight, etc. in my previous post. Parasoft offers:

Insure

But note that these products use patented algorithms - number 5,581,696 and 5,860,011.

You can search by patent number here.

And speaking of web programming, many Slashdot readers write web applications (Linux being a "server OS" as they say). How many of you validate the HTML that's generated by the web applications you write?

Your HTML should work well in any browser and it should be well designed for easy usability. I don't mean attractive graphics. I mean it shouldn't suck. Two links on design:

Finally, to make sure your HTML is valid, test it with the W3C HTML validation service. You have two choices of how to get your documents processed:

By uploading static files from your browser - most convenient during hand composition
By entering its URL in a form - best for dynamic pages and final tuning of static pages

Try this link for an example of running a popular web application through the W3C validator.

Mike

More helpful tips for you by goingware · 2001-02-21 11:17 · Score: 2 · on Making Software Suck Less, Pt. II

While I was out for a while I thought of a few more things to post that should have been included in the above.

While I don't think either of them were really overtly trying to mentor me, I owe a lot of credit for what I know and what I can do to a couple of brilliant programmers that I've had the privilege to work with. Both of these fellows are very kind, pleasant people and went out of their way to help me. They also both go out of their way to write correct code, as opposed to, say, just screwing around with it until it sort of works.

I met Haim Zamir at Live Picture (now MGI Software) in 1997 where I really began my C++ effort in a serious way (I tried it in 1990 to write test tools at Apple but didn't really enjoy the experience). Have a look at Haim's Resume, particularly under "Skills" where he lists:

Well grounded in disciplines of software engineering for correctness, robustness, performance, and longevity

Haim can write the most difficult code, and it doesn't just work right, it is unquestionable.

Another brilliant programmer is my friend Andrew Green. Andy spares no amount of effort to get his code just right - he devoted nine years to developing the ZooLib cross-platform application framework before releasing under the MIT License. (Not five years as I say on the page.)

If you think being correct, as opposed to merely working ok isn't important, imagine trying to get platform-independent reference counted smart pointers to work in a multithreaded application framework. Andy did.

For an archive of anecdotes of interesting, funny and sometimes tragic technology quality problems, please read:

The Forum on Risks to the Public in Computers and Related Systems, with such anecdotes as:
- The Sinking of the USS Gitarro (because of either poor training, poor UI, or both)
- The scary MSWord residue feature - exchange Word documents during legal negotiations?
- Also see the book Computer Related Risks by Risks moderator Peter Neumann

Reading Risks for many years is what has made me such a zealot for software quality. It has also made me tend to avoid using software for anything of real importance in my life, and to feel uneasy while flying aboard modern aircraft - even though, with a B.A. in Physics, I am very comfortable with the aerodynamic principles that hold airplanes up and used to enjoy flying as a kid.

If you write software, another good investment (more important than your hardware investment), is buying and reading good books. As a software consultant I keep the canceled checks and receipts for my technical book purchases; in 1999 I deducted about $750 worth of technical books from my taxes and about $250 in 1998.

But there are a lot of bad software books out there; much as there was a gold rush due to the Internet, there was a smaller-scale gold rush for technical book authors over the last couple years. A really good source of straight-talking book reviews by people who have good reason to know what they're talking about is maintainted by the Association of C and C++ Users at:

The ACCU Book Reviews Section

The ACCU is interested in more than just C and C++ these days, if you program in those languages, Java or (dare I say it) C-sharp you should join. The mailing lists is pretty low traffic and has some of the best signal-to-noise ratio of any list I've seen (except Risks). The ACCU's technical journals, with articles written by the members, are a valuable source of information on such things as how to write exception-safe code.

(Note to CowboyNeal - writing C-sharp with the pound sign set off the lameness filter, driving me damn near out of my skull. How about adding something to the preview to let us know which characters are lame, exactly?).

And good news for those of you across the pond (but bad news for me), it's a British organization and holds regular technical conferences. I believe they also send observers to the ISO standards bodies.

If you program in C++ you should read these two books by Scott Meyers and put them to practice in your code. Read each item one at a time and then go through your code from beginning to end to see how you can apply it:

Effective C++ - ACCU Review - be sure to get the 2nd Edition
More Effective C++ - ACCU Review

After reading Effective C++ and More Effective C++, if you're programming with g++ (or using gcc to compile ".cpp" files) then you should use the -Weffc++ option to g++ to warn you about style problems. From the GCC Online Manual:

-Weffc++ (C++ only)
Warn about violations of various style guidelines from Scott Meyers' Effective C++ books. If you use this option, you should be aware that the standard library headers do not obey all of these guidelines; you can use `grep -v' to filter out those warnings.

Importantly, in any language, make sure your code compiles cleanly without warnings with all the warnings enabled in the compiler - use the -pedantic option in gcc.

C++ is not the problem language it's often said to be if you follow Meyers' advice, but if you prefer C you certainly can have problems there too - and note that the preferred language for Gnome is C (while KDE is an extended C++), for C programmers you should read:

C Traps and Pitfalls - ACCU Review

People who write in any programming language, from assembler on through C and way out to prolog, really should go back to our roots and read the early book:

The Elements of Programming Style

Sadly, this book is out of print, but see the "E" Titles Section at ACCU for other Elements of Style books.

Back to the topic of compiler warnings, remember reading about lint in Kernighan and Ritchey's The C Programming Language? When I started out in my first real programming job, doing Sun system administration and writing image processing software back in the late '80's, I learned to write "lint" targets in my Makefiles, and I'd type "make lint" after editing but before compiling to actual machine code. This made my code much easier to debug and quicker to develop.

Much of lint's function is now available in the warnings of GCC (but I don't think all of it), but there are some proprietary products that will do extremely rigorous statis analysis of your source code. I haven't yet used either (although I plan to) but the two I know about are:

Looks like I missed one when I spoke about Bounded Pointers for GCC, Spotlight, etc. in my previous post. Parasoft offers:

Insure

But note that these products use patented algorithms - number 5,581,696 and 5,860,011.

You can search by patent number here.

And speaking of web programming, many Slashdot readers write web applications (Linux being a "server OS" as they say). How many of you validate the HTML that's generated by the web applications you write?

Your HTML should work well in any browser and it should be well designed for easy usability. I don't mean attractive graphics. I mean it shouldn't suck. Two links on design:

Finally, to make sure your HTML is valid, test it with the W3C HTML validation service. You have two choices of how to get your documents processed:

By uploading static files from your browser - most convenient during hand composition
By entering its URL in a form - best for dynamic pages and final tuning of static pages

Try this link for an example of running a popular web application through the W3C validator.

Mike

Open Source and the Military by goingware · 2001-02-16 05:52 · Score: 2 · on Red Hat CTO Responds To Allchin's Comments

SRI researcher and computer reliability and security expert Peter Neumann is promoting open source to the in various fora, including to an IEEE meeting and the military. His general thesis is that "open box" software promotes reliability because you can both inspect the source code and fix it.

Go to Neumann's page above and search for "Robust" using the "Find in Page" function of your browser.

Neumann is the moderator of The Forum on Risks to the Public in Computers and Related Systems and the author of the book Computer Related Risks, so he should know whereof he speaks.

Please also read Open Source and These United States.

In the previous article, someone suggested the problem of how to compose a letter to congressional representatives to promote open source - perhaps simply printing out that paper and mailing it to them with a brief cover letter explaining how you've found a way the U.S. Government and Military can achieve substantial savings in its software purchases, along with gains in reliability, would be helpful.

Mike

Risks Responses by maggard · 2001-02-02 09:02 · Score: 4 · on Speeding To Become Impossible In UK?

I think it would be appropriate to also link to the responses already generated on Risks:

http://catless.ncl.ac.uk/Risks/21.23.html#subj14

Lots of good comments involving previous such experiments and some of the implementation dangers by folks who generally know what they're talking about.

proprietary security system means... by localroger · 2001-01-15 07:50 · Score: 4 · on Playing an FPS for Money?

...that it isn't secure. This is a running theme on comp.risks

RISKs of electronic elections by Pseudonymus+Bosch · 2001-01-11 21:00 · Score: 2 · on Microsoft, Unisys & Dell To Make New Voting System

Peter G Neumann, the moderator of the RISKS forum, has collected information and recommendations on electronic and Internet elections.
__

More information about why this is BAD... by RMGiroux · 2001-01-11 19:48 · Score: 1 · on Microsoft, Unisys & Dell To Make New Voting System

...can be found at Rebecca Mercuri's site, http://www.notablesoftware.com/evote.html.

Quoting from her site: (Read the rest, it's worth it!)

I am adamantly opposed to the use of fully electronic systems for use
in anonymous balloting and vote tabulation applications. The reasons
for my opposition are manyfold, and are expressed in my writings as well
as those of other computer security experts (many papers are linked below).
To briefly summarize my opinion (based on a decade of research) on this
matter I state the following:

Fully electronic systems do not provide any way that the voter can truly
verify that the ballot cast corresponds to that being recorded, transmitted,
or tabulated. Any programmer can write code that displays one thing
on a screen, records something else, and prints yet another result.
There is no known way to ensure that this is not happening inside of a
voting system.
Electronic balloting systems without individual print-outs for examination
by the voters, do not provide an independent audit trail (despite manufacturer
claims to the contrary). As all systems (especially electronic) are
prone to error, the ability to also perform a manual hand-count of the
ballots is essential.
No electronic voting system has been certified to even the lowest level
of the U.S. government or international computer security standards, nor
has any been required to comply with such. Hence, no electronic voting
system can be called secure (despite manufacturer claims).
There are no required standards for voting displays, so computer ballots
can be constructed to be as confusing (or more) than the butterfly used
in Florida, giving advantage to some candidates over others.
Electronic balloting and tabulation makes the tasks performed by poll workers,
challengers, and election officials purely procedural, and removes any
opportunity to perform bipartisan checks. The election process is
entrusted to a small group of individuals who program and construct the
machines.
Internet voting provides avenues of system attack to the entire planet.
If the major software manufacturer in the USA could not protect their own
company from an Internet attack, one must understand that voting systems
will be no better (and probably worse) in terms of vulnerability.
Off-site Internet voting creates unresolvable problems with authentication,
leading to possible loss of voter privacy, vote-selling, and coersion.
These systems should not be used for any government election.

Also, the RISKS Digest has several articles in recent issues about this; it's archived at http://catless.ncl.ac.uk/Risks

Re:Schneier on voting systems by Ronin441 · 2001-01-11 16:57 · Score: 1 · on Microsoft, Unisys & Dell To Make New Voting System

... and also look at the last few volumes of Risks; all the ones since the US election, basically. Much detailed analysis, mostly with the conclusion that it can't be done well.