Domain: slashdot.org
Stories and comments across the archive that link to slashdot.org.
Stories · 37,380
-
The Little Bomb-Detecting Device That Couldn't
theodp writes "Widely deployed in Iraq and promoted by military leaders, BusinessWeek reports the ADE 651 bomb-detecting device had one little problem: it wouldn't detect explosives (earlier Slashdot story). 'The ADE 651,' reports Adam Higginbotham, 'was modeled on a novelty trinket conceived decades before by a former used-car salesman from South Carolina, which was purported to detect golf balls. It wasn't even good at that.' One thing the ADE 651 did excel at, however, was making money — estimates suggest that the authorities in Baghdad bought more than 6,000 useless bomb detectors, at a cost of at least $38 million. Even though ADE 651 manufacturer James McCormick was found guilty of three counts of fraud and sentenced to 10 years in prison in May, the ADE 651 is still being used at thousands of checkpoints across Baghdad. Elsewhere, authorities have never stopped believing in the detectors. Why? According to Sandia Labs' Dale Murray, the ideomotor effect is so persuasive that for anyone who wants or needs to believe in it, even conclusive scientific evidence undermining the technology it exploits has little power." -
The Little Bomb-Detecting Device That Couldn't
theodp writes "Widely deployed in Iraq and promoted by military leaders, BusinessWeek reports the ADE 651 bomb-detecting device had one little problem: it wouldn't detect explosives (earlier Slashdot story). 'The ADE 651,' reports Adam Higginbotham, 'was modeled on a novelty trinket conceived decades before by a former used-car salesman from South Carolina, which was purported to detect golf balls. It wasn't even good at that.' One thing the ADE 651 did excel at, however, was making money — estimates suggest that the authorities in Baghdad bought more than 6,000 useless bomb detectors, at a cost of at least $38 million. Even though ADE 651 manufacturer James McCormick was found guilty of three counts of fraud and sentenced to 10 years in prison in May, the ADE 651 is still being used at thousands of checkpoints across Baghdad. Elsewhere, authorities have never stopped believing in the detectors. Why? According to Sandia Labs' Dale Murray, the ideomotor effect is so persuasive that for anyone who wants or needs to believe in it, even conclusive scientific evidence undermining the technology it exploits has little power." -
Hulu Not For Sale, Time Warner May Join
HighOrbit writes "Engadget reports that the consortium behind Hulu have issued a press release and have taken Hulu off the market. The current owners will maintain their joint ownership of the video streaming service. Hulu is currently a joint project of Fox, Disney (ABC), and Comcast (NBC-Universal). Instead of selling off Hulu, the consortium will inject $750 Million to grow the streaming service. Slashdot previously reported possible buyers rumored to be Yahoo, DirecTV, Time Warner Cable, and Chernin Group/AT&T. Additionally Bloomberg reports that Time Warner Cable is still interested and seeks to join the current consortium by acquiring a 25% stake." -
Casting a Jaundiced Eye On AnTuTu Benchmark Claims Favoring Intel
MojoKid writes "Recently, industry analysts came forward with the dubious claim that Intel's Clover Trail+ low power processor for mobile devices had somehow seized a massive lead over ARM's products, though there were suspicious discrepancies in the popular AnTuTu benchmark that was utilized to showcase performance. It turns out that the situation is far shadier than initially thought. The version used in testing with the benchmark isn't just tilted to favor Intel — it seems to flat-out cheat to accomplish it. The new 3.3 version of AnTuTu was compiled using Intel's C++ Compiler, while GCC was used for the ARM variants. The Intel code was auto-vectorized, the ARM code wasn't — there are no NEON instructions in the ARM version of the application. Granted, GCC isn't currently very good at auto-vectorization, but NEON is now standard on every Cortex-A9 and Cortex-A15 SoC — and these are the parts people will be benchmarking. But compiler optimizations are just the beginning. Apparently the Intel code deliberately breaks the benchmark's function. At a certain point, it runs a loop that's meant to be performed 32x just once, then reports to the benchmark that the task completed successfully. Now, the optimization in question is part of ICC (the Intel C++ compiler), but was only added recently. It's not the kind of procedure you'd call by accident. AnTuTu has released an updated "new" version of the benchmark in which Intel performance drops back down 20-50%. Systems based on high-end ARM devices again win the benchmark overall, as they did previously." -
Say What? Wading Through the Nonsense In Microsoft's Re-Org Memo
curtwoodward writes "Steve Ballmer's attempt to reorganize Microsoft into a more focused company will define his legacy as CEO. So you'd think the wordsmiths in Redmond would take a little time ensuring their message was crystal-clear, right? Not exactly. Ballmer's big, gung-ho memo to Microsofties, posted on the company's website, is chock full of nonsense and corporate executive doublespeak — or, as Ballmer might say, `high-value experiences' that will `involve repartitioning the work' and `drive partners across our integrated strategy and its execution.' Huh?" Honest language in corporate communications is a rare quality. I suspect there's a special language-butchering training course that most C-level executives enthusiastically complete. -
Say What? Wading Through the Nonsense In Microsoft's Re-Org Memo
curtwoodward writes "Steve Ballmer's attempt to reorganize Microsoft into a more focused company will define his legacy as CEO. So you'd think the wordsmiths in Redmond would take a little time ensuring their message was crystal-clear, right? Not exactly. Ballmer's big, gung-ho memo to Microsofties, posted on the company's website, is chock full of nonsense and corporate executive doublespeak — or, as Ballmer might say, `high-value experiences' that will `involve repartitioning the work' and `drive partners across our integrated strategy and its execution.' Huh?" Honest language in corporate communications is a rare quality. I suspect there's a special language-butchering training course that most C-level executives enthusiastically complete. -
Are Amazon Vine Reviews of Technical Books a Joke?
First time accepted submitter jasax writes "As an Amazon frequent buyer, I rely quite a lot on reviews of the books I want. However, some caution is in order: the (bad) quality of Amazon's reviews and reviewers under the Amazon Vine program has already been news in Slashdot. Today I was shocked by a practical result of that program. This second edition (published in 2012) of a very specialized system identification book has 12 reviews: the oldest (dated 2007) certainly targets the first edition. The remaining 11 reviews are all from 'Vine Reviewers' (VRs). All seem to be ignorant of what 'System Identification in the Frequency Domain' really is. None of the reviews is tagged with a 'Verified Amazon Purchase'; most (if not all) are 'small talk reviews' peppered with technical phrases cloning the publisher's book description, and some of the reviews are ridiculous, to say the least. If this sample of reviewing by VRs really is the norm, then the bottom line is that the Vine program is totally irrelevant and unreliable — at least for technical books." -
Maybe Steve Ballmer Doesn't Deserve the Hate
Nerval's Lobster writes "Who could forget Steve Ballmer's defining moment, that infamous 'Developers! Developers! Developers!' rant that became a YouTube hit? Or the reports of frighteningly accurate chair-throwing? Who could miss the tech media and investors blaming him for everything from Microsoft's largely stagnant stock price over the past decade to its inability to get in front of trends such as mobile devices? But tech columnist (and Kernel editor-in-chief) Milo Yiannopoulos talked to a bunch of Ballmer's friends and colleagues, picked through Microsoft's history, and came away with the argument that the man deserves a second look as an effective leader. 'He stands accused of running one of the greatest companies in American history into the ground, even as its stock price remains remarkably resilient and the company continues to turn a healthy profit,' he writes. 'The mature verdict on Steve Ballmer is that he has made only one major strategic error: not combining his own brilliance for sales and detail with a visionary product leader who has the authority to create bold new revenue streams for the company.' Do you agree? Or does Ballmer deserve his reputation as a bad CEO?" -
Gladwell's Culture & Air Crashes Analysis Badly Flawed
Koreantoast writes "As a recent Slashdot article showed, interest in Malcolm Gladwell's theory on the impact of culture on airline crashes has come up again following the tragic accident of Asiana Flight 214. Yet how good was Gladwell's analysis of the Korean Air Flight 801 accident which is the basis of his theory? A recent analysis by the popular Ask a Korean! blog shows serious flaws in Gladwell's presentation: ignorance of the power dynamics amongst the flight crew, mischaracterizations of Korean Air's flight accident record (three of the seven deadly incidents characterized as 'accidents' were actually military attacks or terrorism) and manipulative omissions in the pilot transcripts to falsely portray the situation. 'Even under the most kindly light, Gladwell is guilty of reckless and gross negligence. Under a harsher light, Gladwell's work on the connection between culture and plane crashes is a shoddy fraud.' Perhaps Gladwell should have asked a Korean before writing the chapter." -
HP Keeps Installing Secret Backdoors In Enterprise Storage
Nerval's Lobster writes "For the second time in a month, Hewlett-Packard has been forced to admit it built secret backdoors into its enterprise storage products. The admission, in a security bulletin posted July 9, confirms reports from the blogger Technion, who flagged the security issue in HP's StoreOnce systems in June, before finding more backdoors in other HP storage and SAN products. The most recent statement from HP, following another warning from Technion, admitted that 'all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer.' While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules—not a limitation built in to limit use of backdoors. The entry points consist of a hidden administrator account with root access to StoreVirtual systems and software, and a separate copy of the LeftHand OS, the software that runs HP's StoreVirtual and HP P4000 products. Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would 'cripple the cluster,' according to information provided to The Register by an unnamed source. The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it's not hard to find: 'Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn't know existed,' according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public." -
Researchers Now Pulling Out of DEF CON In Response To Anti-Fed Position
darthcamaro writes "Earlier today it, Slashdot had a story about DEF CON's position on not allowing U.S. Federal agents to attend the annual hacking conference. We're now starting to see the backlash from the hacker community itself with at least two well respected hackers pulling out of the DEF CON speaking sessions so far: "'The issue we are struggling with, and the basis of our decision, is that we feel strongly that DEF CON has always presented a neutral ground that encouraged open communication among the community, despite the industry background and diversity of motives to attend,' security researcher Kevin Johnson wrote. 'We believe the exclusion of the "feds" this year does the exact opposite at a critical time.'" Meanwhile, Black Hat welcomes Federal attendees; this year's conference will feature as a speaker former NSA head Keith Alexander. -
Interviews: Ask James Gosling About Java and Ocean Exploring Robots
James Gosling is probably best known for creating the Java programming language while working at Sun Microsystems. Currently, he is the chief software architect at Liquid Robotics. Among other projects, Liquid Robotics makes the Wave Glider, an autonomous, environmentally powered marine robot. James has agreed to take a little time from the oceangoing robots and answer any questions you have. As usual, ask as many as you'd like, but please, one question per post. -
Interviews: Ask James Gosling About Java and Ocean Exploring Robots
James Gosling is probably best known for creating the Java programming language while working at Sun Microsystems. Currently, he is the chief software architect at Liquid Robotics. Among other projects, Liquid Robotics makes the Wave Glider, an autonomous, environmentally powered marine robot. James has agreed to take a little time from the oceangoing robots and answer any questions you have. As usual, ask as many as you'd like, but please, one question per post. -
Aerovelo's Human-Powered Helicopter Wins $250,000 Sikorsky Prize
First time accepted submitter oritonic1 writes "Since 1980, several teams have tried (and failed) to build a human-powered helicopter that could win the elusive $250,000 Sikorsky prize. But a Canadian start-up, Aerovelo, has finally taken the crown with Atlas, a human-powered craft that managed to stay at least 10 feet in the air, for 60 seconds, within a 30'x30' area." -
Steve Ballmer Reorganizing Microsoft
Nerval's Lobster writes "Microsoft's big reorganization has begun. Rumors had persisted for weeks that Microsoft CEO Steve Ballmer was planning a massive, once-in-a-lifetime reorganization of the company he's been running for quite some time. Now the plan is out in the open, and things are going to change in huge ways. Microsoft will coalesce around 'a single strategy as one company,' CEO Steve Ballmer wrote in a really lengthy memo posted on Microsoft's Website, 'not a collection of division strategies.' The company's product portfolio — from Windows and Xbox to enterprise applications — will be regarded and operated upon in a holistic manner. Ballmer wants this 'one company' approach to extend how Microsoft handles its advertising, marketing and consumer-service operations. Ballmer also wants to knock down the walls that have slowly grown between Microsoft's various divisions, at least as far as engineering's concerned. The new 'engineering culture' will apparently facilitate collaboration 'across the company,' with an emphasis on cross-group contributions (and maintaining secrecy, of course, for the giant projects). Read on for much more on how Microsoft is reorganizing all its internal groups, as well as a rundown of who's in and who's out on the executive level." -
Android Master Key Vulnerability Checker Now Live
darthcamaro writes "Last week, Rain Forrest Puppy (aka Jeff Forristal) first disclosed the initial public report about an Android Master Key flaw. Code was released earlier this week for attackers to exploit the flaw — but what about users? Google has claimed that it has patched the issue but how do you know if your phone/carrier is safe? Forristal's company now has an app for that. But even if your phone is not patched, don't be too worried that risks are limited if you still to a 'safe' app store like Google Play. 'The only way an Android user can be attacked via this master key flaw is if they download a vulnerable application. "It all comes down to where you get your applications from," Forristal said.'" -
Android Master Key Vulnerability Checker Now Live
darthcamaro writes "Last week, Rain Forrest Puppy (aka Jeff Forristal) first disclosed the initial public report about an Android Master Key flaw. Code was released earlier this week for attackers to exploit the flaw — but what about users? Google has claimed that it has patched the issue but how do you know if your phone/carrier is safe? Forristal's company now has an app for that. But even if your phone is not patched, don't be too worried that risks are limited if you still to a 'safe' app store like Google Play. 'The only way an Android user can be attacked via this master key flaw is if they download a vulnerable application. "It all comes down to where you get your applications from," Forristal said.'" -
Data Storage That Could Outlast the Human Race
Nerval's Lobster writes "Just in case you haven't been keeping up with the latest in five-dimensional digital data storage using femtocell-laser inscription, here's an update: it works. A team of researchers at the University of Southampton have demonstrated a way to record and retrieve as much as 360 terabytes of digital data onto a single disk of quartz glass in a way that can withstand temperatures of up to 1000 C and should keep the data stable and readable for up to a million years. 'It is thrilling to think that we have created the first document which will likely survive the human race,' said Peter Kazansky, professor of physical optoelectronics at the Univ. of Southampton's Optical Research Centre. 'This technology can secure the last evidence of civilization: all we've learnt will not be forgotten.' Leaving aside the question of how many Twitter posts and Facebook updates really need to be preserved longer than the human species, the technology appears to have tremendous potential for low-cost, long-term, high-volume archiving of enormous databanks. The quartz-glass technique relies on lasers pulsing one quadrillion times per second though a modulator that splits each pulse into 256 beams, generating a holographic image that is recorded on self-assembled nanostructures within a disk of fused-quartz glass. The data are stored in a five-dimensional matrix—the size and directional orientation of each nanostructured dot becomes dimensions four and five, in addition to the usual X, Y and Z axes that describe physical location. Files are written in three layers of dots, separated by five micrometers within a disk of quartz glass nicknamed 'Superman memory crystal' by researchers. (Hitachi has also been researching something similar.)" -
Data Storage That Could Outlast the Human Race
Nerval's Lobster writes "Just in case you haven't been keeping up with the latest in five-dimensional digital data storage using femtocell-laser inscription, here's an update: it works. A team of researchers at the University of Southampton have demonstrated a way to record and retrieve as much as 360 terabytes of digital data onto a single disk of quartz glass in a way that can withstand temperatures of up to 1000 C and should keep the data stable and readable for up to a million years. 'It is thrilling to think that we have created the first document which will likely survive the human race,' said Peter Kazansky, professor of physical optoelectronics at the Univ. of Southampton's Optical Research Centre. 'This technology can secure the last evidence of civilization: all we've learnt will not be forgotten.' Leaving aside the question of how many Twitter posts and Facebook updates really need to be preserved longer than the human species, the technology appears to have tremendous potential for low-cost, long-term, high-volume archiving of enormous databanks. The quartz-glass technique relies on lasers pulsing one quadrillion times per second though a modulator that splits each pulse into 256 beams, generating a holographic image that is recorded on self-assembled nanostructures within a disk of fused-quartz glass. The data are stored in a five-dimensional matrix—the size and directional orientation of each nanostructured dot becomes dimensions four and five, in addition to the usual X, Y and Z axes that describe physical location. Files are written in three layers of dots, separated by five micrometers within a disk of quartz glass nicknamed 'Superman memory crystal' by researchers. (Hitachi has also been researching something similar.)" -
Android Co-Founder: Fragmentation "an Overblown Issue"
curtwoodward writes "Sure, developers might pull their hair out trying to keep track of all the versions of the Android operating system scattered across hundreds of millions of mobile devices worldwide. But a co-founder of Android says the OS's fragmentation problem is being blown out of proportion. At an event this week in Boston, Rich Miner — now a partner at Google Ventures — said some level of fragmentation is inevitable with Android's reach and the number of partners in the ecosystem. But things are getting better, he said, and in any case most consumers don't notice the difference: `This is a bit of an overblown issue, frankly.'" -
How DRM Won
Nerval's Lobster writes "In 2009, when Apple dropped the Digital Rights Management (DRM) restrictions from songs sold through the iTunes Store, it seemed like a huge victory for consumers, one that would usher in a more customer-friendly economy for digital media. But four years later, DRM is still alive and well — it just lives in the cloud now. Streaming media services are the ultimate form of copy protection — you never actually control the media files, which are encrypted before delivery, and your ability to access the content can be revoked if you disagree with updated terms of service; you're also subject to arbitrary changes in subscription prices. This should be a nightmare scenario to lovers of music, film, and television, but it's somehow being hailed by many as a technical revolution. Unfortunately, what's often being lost in the hype over the admittedly remarkable convenience of streaming media services is the simple fact that meaningfully relating to the creative arts as a fan or consumer depends on being able to access the material in the first place. In other words, where your media collection is stored (and can be remotely disabled at a whim) is not something to be taken lightly. In this essay, developer Vijith Assar talks about how the popularity of streaming content could result in a future that isn't all that great. 'Ultimately, regardless of the delivery mechanism, the question is not one of streaming versus downloads,' he writes. 'It's about whether you want to have your own media library or request access to somebody else's. Be careful.'" -
Book Review: Assessing Vendors
benrothke writes "Every organization has external software, hardware and 3rd-party vendors they have to deal with. In many cases, these vendors will have direct access to the corporate networks, confidential and proprietary data and more. Often the software and hardware solutions are critical to the infrastructure and security of the organization. If the vendors don't have effective information security and privacy controls in place, your data is at risk. In addition, when selecting a product to secure your organization, how do you ensure that you are selecting the correct product? All of this is critical in the event of a breach. When the lawyers start circling, they will be serving subpoenas to your company, not your 3rd-party vendors." Keep reading for Ben's review. Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors author Josh More pages 94 publisher Syngress rating 8/10 reviewer Ben Rothke ISBN 978-0124096073 summary Good intro to use to start a vendor assessment program With that, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendorsis a valuable resource for those looking for a basic introduction on of how to understand the risks involved when sharing data with 3rd-parties, in addition to selecting the appropriate products for your organization.
Many large organizations have formal programs and processes to evaluate the vendors they interact with, in addition to software and hardware procurement. For those that don't, this 80 page reference is a good place to start.
The book shows you how to find the right balance between performing a superficial assessment and one that is way too deep.
While the book has a healthy dose of checklists, it is not about simply filling out the checklists and adding up the totals. Author Josh More writes that robust information assurance processes and regulations aside; successful vendor management involves a wide range of skills; from technical assessment to business communications, to negotiation and much more.
An effective aspect of the book is that it has many questions that you should ask the vendor as part of the assessment process. Too many organizations simply take the vendors word, without performing effective due diligence. Rarely will one find a company where too many questions were asked to the vendor.
Given that the book is only 80 pages, More writes that it focuses mainly on the initial assessment process, with a goal to select a vendor to solve a specific problem that your organization is experiencing, improving an existing process or adding new capabilities. Given its short length, the book does not delve very deeply into the continued operation of a formal vendor management program.
The main thrust of the first chapter is around preliminary vendor research. It shows how to identify vendors for specific products and build criteria for effective vendor selection.
An important point in chapter 1 is that the primary rule in vendor assessment and selection is to always keep your needs first in mind. Far too many organizations let the vendors drive the process, and in turn, the vendor will ensure that their needs are made primary.
One of the topics in chapter 3 is testing confidentiality. When comparing vendors, they will often swear that their product is secure; but will often not provide any details attesting to how secure it really is. The chapter shows how you can perform internal hands-on testing to ensure all of the promised security features do in truth work.
The book provides a lot of common sense advice that may not be intuitive to many people. One bit of invaluable advice to taking the steps to confirm that the vendor you are considering is not selling you gray or black market products. This is especially true for products from Cisco, Check Point and Juniper, which are rampant on the gray and black markets. While buying gray market products may initially be cheaper, they can be much more expensive in the long run when you find out that the warranties you paid for are worthless.
In chapter 4, the book does a good job of showing how to score vendors. It details how you can create questionnaires and use the data to assist in your selection. The chapter stresses that after all of the data is scored, weighted and sorted; you should not expect to find a vendor with a normalized score of 100%. More writes that if you do a good job of creating the right questions on the questionnaire, you will seldom see a vendor higher than the 80-90% range.
A good point the book makes in chapter 5 on testing, is that when a vendor requires you to sign an NDA prior to testing; such a request is a fundamental mark of mistrust. If the vendor is unwilling to negotiate the NDA, it may be worth replacing them with a vendor who is more willing to work with you.
After you have done all of the dirty work of a vendor selection, the book closes with a few pages on how to avoid vendor manipulation. It is not unusual for vendor to fudge the information they provide you with, which will skew the results in their favor.
Another point to consider in the vendor selection process is that vendors benefit greatly from lock-in. The harder they can make it for you to move to another vendor, the more likely they are to get annual renewals.
Selecting a vendor is not a trivial process, and it not intuitive to many organizations. Given the breadth of the topic, the book is a great place to start your work on this important process.
The book doesn't claim to be an all-inclusive resource for the topic. And at 80 pages, one should not expect it to be.
But for those looking to a highly tactical guide to start them on the road to vendor assessments, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a most helpful book to start with.
Reviewed by Ben Rothke.
You can purchase Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: Assessing Vendors
benrothke writes "Every organization has external software, hardware and 3rd-party vendors they have to deal with. In many cases, these vendors will have direct access to the corporate networks, confidential and proprietary data and more. Often the software and hardware solutions are critical to the infrastructure and security of the organization. If the vendors don't have effective information security and privacy controls in place, your data is at risk. In addition, when selecting a product to secure your organization, how do you ensure that you are selecting the correct product? All of this is critical in the event of a breach. When the lawyers start circling, they will be serving subpoenas to your company, not your 3rd-party vendors." Keep reading for Ben's review. Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors author Josh More pages 94 publisher Syngress rating 8/10 reviewer Ben Rothke ISBN 978-0124096073 summary Good intro to use to start a vendor assessment program With that, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendorsis a valuable resource for those looking for a basic introduction on of how to understand the risks involved when sharing data with 3rd-parties, in addition to selecting the appropriate products for your organization.
Many large organizations have formal programs and processes to evaluate the vendors they interact with, in addition to software and hardware procurement. For those that don't, this 80 page reference is a good place to start.
The book shows you how to find the right balance between performing a superficial assessment and one that is way too deep.
While the book has a healthy dose of checklists, it is not about simply filling out the checklists and adding up the totals. Author Josh More writes that robust information assurance processes and regulations aside; successful vendor management involves a wide range of skills; from technical assessment to business communications, to negotiation and much more.
An effective aspect of the book is that it has many questions that you should ask the vendor as part of the assessment process. Too many organizations simply take the vendors word, without performing effective due diligence. Rarely will one find a company where too many questions were asked to the vendor.
Given that the book is only 80 pages, More writes that it focuses mainly on the initial assessment process, with a goal to select a vendor to solve a specific problem that your organization is experiencing, improving an existing process or adding new capabilities. Given its short length, the book does not delve very deeply into the continued operation of a formal vendor management program.
The main thrust of the first chapter is around preliminary vendor research. It shows how to identify vendors for specific products and build criteria for effective vendor selection.
An important point in chapter 1 is that the primary rule in vendor assessment and selection is to always keep your needs first in mind. Far too many organizations let the vendors drive the process, and in turn, the vendor will ensure that their needs are made primary.
One of the topics in chapter 3 is testing confidentiality. When comparing vendors, they will often swear that their product is secure; but will often not provide any details attesting to how secure it really is. The chapter shows how you can perform internal hands-on testing to ensure all of the promised security features do in truth work.
The book provides a lot of common sense advice that may not be intuitive to many people. One bit of invaluable advice to taking the steps to confirm that the vendor you are considering is not selling you gray or black market products. This is especially true for products from Cisco, Check Point and Juniper, which are rampant on the gray and black markets. While buying gray market products may initially be cheaper, they can be much more expensive in the long run when you find out that the warranties you paid for are worthless.
In chapter 4, the book does a good job of showing how to score vendors. It details how you can create questionnaires and use the data to assist in your selection. The chapter stresses that after all of the data is scored, weighted and sorted; you should not expect to find a vendor with a normalized score of 100%. More writes that if you do a good job of creating the right questions on the questionnaire, you will seldom see a vendor higher than the 80-90% range.
A good point the book makes in chapter 5 on testing, is that when a vendor requires you to sign an NDA prior to testing; such a request is a fundamental mark of mistrust. If the vendor is unwilling to negotiate the NDA, it may be worth replacing them with a vendor who is more willing to work with you.
After you have done all of the dirty work of a vendor selection, the book closes with a few pages on how to avoid vendor manipulation. It is not unusual for vendor to fudge the information they provide you with, which will skew the results in their favor.
Another point to consider in the vendor selection process is that vendors benefit greatly from lock-in. The harder they can make it for you to move to another vendor, the more likely they are to get annual renewals.
Selecting a vendor is not a trivial process, and it not intuitive to many organizations. Given the breadth of the topic, the book is a great place to start your work on this important process.
The book doesn't claim to be an all-inclusive resource for the topic. And at 80 pages, one should not expect it to be.
But for those looking to a highly tactical guide to start them on the road to vendor assessments, Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors is a most helpful book to start with.
Reviewed by Ben Rothke.
You can purchase Assessing Vendors: A Hands-On Guide to Assessing Infosec and IT Vendors from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
Google Updates Maps, Makes First Stable Chrome Release Using WebKit Fork
Two bits of Google news from today/yesterday. This morning, Google started rolling out a major update to mobile Maps. They've created a new tablet interface, improved integration with local places, integrated the Zagat guide, and enhanced navigation to automatically route you around traffic incidents. As usual lately, Google also removed a few features: Latitude and Check-ins. If you used those you'll have to use the Google+ application now. They also made a strange change to offline maps: instead of a menu option, you now access the area you want to make available offline and search for "OK Maps." On the Chrome front, Google released Chrome 28 yesterday, the first release featuring the WebKit fork Blink. The under-the-hood changes look promising, quoting the H: "The developers say that the increased speed is also thanks to the new threaded HTML parser, which frees up the JavaScript thread, allowing DOM content to be displayed faster. The HTML parser also takes fewer breaks, which is said to result in time savings of up to 40 per cent." -
Upside-Down Sensors Caused Proton-M Rocket Crash
Michi writes "According to Anatoly Zak, the crash of the Russion Proton rocket on 1 July was apparently caused by several angular velocity sensors having been installed upside down. From the source: 'Each of those sensors had an arrow that was supposed to point toward the top of the vehicle, however multiple sensors on the failed rocket were pointing downward instead.' It seems amazing that something as fundamental as this was not caught during quality control. Even more amazing is that the design of the sensors permits them to be installed in the wrong orientation in the first place. Even the simplest of mechanical interlocks (such as a notch at one end that must be matched with a corresponding projection) could have prevented the accident." A review of the quality control procedures used by the contractors responsible is underway. -
Judge Rules Apple Colluded With Publishers to Fix Ebook Prices
Despite many publishers themselves settling with the DOJ over allegations of price fixing ebooks, Apple held firm and recently went to trial. And now the verdict is in: Apple conspired with major publishers to control ebook prices in violation of anti-trust laws. A trial for damages has been ordered. Quoting Reuters: "The decision by U.S. District Judge Denise Cote in Manhattan is a victory for the U.S. government and various states, which the judge said are entitled to injunctive relief. ... Cote said the conspiracy resulted in prices for some e-books rising to $12.99 or $14.99, when Amazon had sold for $9.99. 'The plaintiffs have shown that the publisher defendants conspired with each other to eliminate retail price competition in order to raise e-book prices, and that Apple played a central role in facilitating and executing that conspiracy,' Cote said. 'Without Apple's orchestration of this conspiracy, it would not have succeeded as it did in the spring of 2010,' she added." Update: 07/10 16:36 GMT by U L : The ruling is now available (160 page PDF). -
Judge Rules Apple Colluded With Publishers to Fix Ebook Prices
Despite many publishers themselves settling with the DOJ over allegations of price fixing ebooks, Apple held firm and recently went to trial. And now the verdict is in: Apple conspired with major publishers to control ebook prices in violation of anti-trust laws. A trial for damages has been ordered. Quoting Reuters: "The decision by U.S. District Judge Denise Cote in Manhattan is a victory for the U.S. government and various states, which the judge said are entitled to injunctive relief. ... Cote said the conspiracy resulted in prices for some e-books rising to $12.99 or $14.99, when Amazon had sold for $9.99. 'The plaintiffs have shown that the publisher defendants conspired with each other to eliminate retail price competition in order to raise e-book prices, and that Apple played a central role in facilitating and executing that conspiracy,' Cote said. 'Without Apple's orchestration of this conspiracy, it would not have succeeded as it did in the spring of 2010,' she added." Update: 07/10 16:36 GMT by U L : The ruling is now available (160 page PDF). -
big.LITTLE: ARM's Strategy For Efficient Computing
MojoKid writes "big.LITTLE is ARM's solution to a particularly nasty problem: smaller and smaller process nodes no longer deliver the kind of overall power consumption improvements they did years ago. Before 90nm technology, semiconductor firms could count on new chips being smaller, faster, and drawing less power at a given frequency. Eventually, that stopped being true. Tighter process geometries still pack more transistors per square millimeter, but the improvements to power consumption and maximum frequency have been falling with each smaller node. Rising defect densities have created a situation where — for the first time ever — 20nm wafers won't be cheaper than the 28nm processors they're supposed to replace. This is a critical problem for the mobile market, where low power consumption is absolutely vital. big.LITTLE is ARM's answer to this problem. The strategy requires manufacturers to implement two sets of cores — the Cortex-A7 and Cortex-A15 are the current match-up. The idea is for the little cores to handle the bulk of the device's work, with the big cores used for occasional heavy lifting. ARM's argument is that this approach is superior to dynamic voltage and frequency scaling (DVFS) because it's impossible for a single CPU architecture to retain a linear performance/power curve across its entire frequency range. This is the same argument Nvidia made when it built the Companion Core in Tegra 3." -
Florida Law May Accidentally Ban Computers and Smartphones
GrueMaster writes "Did Florida ban computers and smartphones? They tried banning Internet Cafes, but the wording in the law is overly broad. '... it's the wording that's problematic, as it defines a slot machine as "any machine or device or system or network of devices" that can be used in games of chance. Turns out the Internet is full of gambling sites, which is where the definition runs into some problems. Consuelo Zapata, owner of the Miami-Dade county Internet cafe Incredible Investments, LLC, is suing the state (PDF) to overturn the ban, saying that definition is too broad and could be applied to any number of electronic devices. " -
Deus Ex Creator On How a Video-Game Academy Could Fix the Industry
Nerval's Lobster writes "In the fall of 2014, 20 promising video game developers will begin a yearlong (and free) program at the University of Texas at Austin, where they will study under some of the gaming industry's most successful executives. 'The idea is to get the best of the best of the best, run them through a Navy Seals boot camp of sorts and not force them to worry about "how do I pay the rent and buy groceries,"' said program leader Warren Spector, who is responsible for creating well-known games such as Deus Ex. 'Fingers crossed, when we start delivering graduates who can contribute in major ways to the development of future games, that philanthropy will continue.' In a wide-ranging interview, Spector also talked about how his future students will be graduating into an industry in which 'every business model is broken, which is either terrifying or an opportunity depending on how you look at it.' Focus groups, analysis of historical trends, and aggregated game review scores may be comforting to number crunchers, but the majority of game projects still end up as commercial failures. Spector ultimately believes the people who actually make the games are going to make better decisions than the number crunchers. 'We've got to be looking forward and any time you start bringing data into it, you're not," Spector said. "I pitched a Lego construction game in 1989, and guess what: Minecraft is basically a Lego construction game. But at the time I was told "no, that won't work." I pitched a western game and the response was "westerns don't sell." And then Red Dead Redemption came out. Stuff doesn't sell until someone makes one that sells, and no amount of data can reveal what new thing is going to sell. The metrics and data guys, and the publishing guys will never come up with the next big thing.'"" -
Federal Judge Rejects State Secrets Claims: EFF Case To Proceed
The EFF has been attempting to sue the government over illegal surveillance since the Bush administration, and, despite repeated attempts to have the case dismissed because of State Secrets, a federal judge has now ruled that the case must go forward in public court, throwing out the government's State Secrets argument. From the order: Having thoroughly considered the parties' papers, Defendants' public and classified declarations, the relevant legal authority and the parties' arguments, the Court GRANTS the Jewel Plaintiffs' motion for partial summary adjudication by rejecting the state secrets defense as having been displaced by the statutory procedure prescribed in 50 U.S.C. 1806(f) of FISA. In both related cases, the Court GRANTS Defendants' motions to dismiss Plaintiffs' statutory claims on the basis of sovereign immunity. The Court further finds that the parties have not addressed the viability of the only potentially remaining claims, the Jewel Plaintiffs' constitutional claims under the Fourth and First Amendments and the claim for violation of separation of powers and the Shubert Plaintiffs' fourth cause of action for violation of the Fourth Amendment. Accordingly, the Court RESERVES ruling on Defendants' motion for summary judgment on the remaining, non-statutory claims." Although some statutory claims were dismissed, the core Constitutional questions will be litigated. -
Federal Judge Rejects State Secrets Claims: EFF Case To Proceed
The EFF has been attempting to sue the government over illegal surveillance since the Bush administration, and, despite repeated attempts to have the case dismissed because of State Secrets, a federal judge has now ruled that the case must go forward in public court, throwing out the government's State Secrets argument. From the order: Having thoroughly considered the parties' papers, Defendants' public and classified declarations, the relevant legal authority and the parties' arguments, the Court GRANTS the Jewel Plaintiffs' motion for partial summary adjudication by rejecting the state secrets defense as having been displaced by the statutory procedure prescribed in 50 U.S.C. 1806(f) of FISA. In both related cases, the Court GRANTS Defendants' motions to dismiss Plaintiffs' statutory claims on the basis of sovereign immunity. The Court further finds that the parties have not addressed the viability of the only potentially remaining claims, the Jewel Plaintiffs' constitutional claims under the Fourth and First Amendments and the claim for violation of separation of powers and the Shubert Plaintiffs' fourth cause of action for violation of the Fourth Amendment. Accordingly, the Court RESERVES ruling on Defendants' motion for summary judgment on the remaining, non-statutory claims." Although some statutory claims were dismissed, the core Constitutional questions will be litigated. -
Federal Judge Rejects State Secrets Claims: EFF Case To Proceed
The EFF has been attempting to sue the government over illegal surveillance since the Bush administration, and, despite repeated attempts to have the case dismissed because of State Secrets, a federal judge has now ruled that the case must go forward in public court, throwing out the government's State Secrets argument. From the order: Having thoroughly considered the parties' papers, Defendants' public and classified declarations, the relevant legal authority and the parties' arguments, the Court GRANTS the Jewel Plaintiffs' motion for partial summary adjudication by rejecting the state secrets defense as having been displaced by the statutory procedure prescribed in 50 U.S.C. 1806(f) of FISA. In both related cases, the Court GRANTS Defendants' motions to dismiss Plaintiffs' statutory claims on the basis of sovereign immunity. The Court further finds that the parties have not addressed the viability of the only potentially remaining claims, the Jewel Plaintiffs' constitutional claims under the Fourth and First Amendments and the claim for violation of separation of powers and the Shubert Plaintiffs' fourth cause of action for violation of the Fourth Amendment. Accordingly, the Court RESERVES ruling on Defendants' motion for summary judgment on the remaining, non-statutory claims." Although some statutory claims were dismissed, the core Constitutional questions will be litigated. -
Federal Judge Rejects State Secrets Claims: EFF Case To Proceed
The EFF has been attempting to sue the government over illegal surveillance since the Bush administration, and, despite repeated attempts to have the case dismissed because of State Secrets, a federal judge has now ruled that the case must go forward in public court, throwing out the government's State Secrets argument. From the order: Having thoroughly considered the parties' papers, Defendants' public and classified declarations, the relevant legal authority and the parties' arguments, the Court GRANTS the Jewel Plaintiffs' motion for partial summary adjudication by rejecting the state secrets defense as having been displaced by the statutory procedure prescribed in 50 U.S.C. 1806(f) of FISA. In both related cases, the Court GRANTS Defendants' motions to dismiss Plaintiffs' statutory claims on the basis of sovereign immunity. The Court further finds that the parties have not addressed the viability of the only potentially remaining claims, the Jewel Plaintiffs' constitutional claims under the Fourth and First Amendments and the claim for violation of separation of powers and the Shubert Plaintiffs' fourth cause of action for violation of the Fourth Amendment. Accordingly, the Court RESERVES ruling on Defendants' motion for summary judgment on the remaining, non-statutory claims." Although some statutory claims were dismissed, the core Constitutional questions will be litigated. -
Code Released To Exploit Android App Signature Vulnerability
chicksdaddy writes with news of a Proof-of-Concept exploit for the recent Android APK signature vulnerability. From the article: "Pau Oliva Fora, a security researcher for the firm Via Forensics, published a small, proof of concept module on GitHub that exploits the flaw in the way Android verifies the authenticity of signed mobile applications. The flaw was first disclosed last week by Jeff Forristal, the Chief Technology Officer at Bluebox Security, ahead of a presentation at the Black Hat Briefings in August. ... The simple program leverages APKTool, an open source tool for reverse engineering Android applications — decompiling and then recompiling their contents. His script allows a user to select and then decompile a legitimate Android application and then recompile it, creating an altered, 'malicious' APK that will have the same, cryptographic signature as the original file. In an e-mail statement, Google said that a patch for Forristal's vulnerability was provided to Google's OEM and carrier partners in March, and that some (Samsung) have already shipping a patched version of Android to customers. However, that response hasn't been universal — a reflection of Android's fragmented install base." -
The Dangers of Beating Your Kickstarter Goal
jfruh writes "In March of 2012 legendary game designers Tim Schafer and Ron Gilbert ran a Kickstarter to design a new adventure game, asked for $400,000, and came away with more than $3.3 million. Their promised delivery date was October 2012. Now it's July 2013, and the project still needs cash, which they plan to raise by selling an 'early release' version on Steam in January 2014. One possible lesson: radically overshooting your crowdfunding goal can cause you to wildly expand your ambitions, leading to a project that can't be tamed." -
Ask Slashdot: Preventing Snowden-Style Security Breaches?
Nerval's Lobster writes "The topic of dealing with insider threats has entered the spotlight in a big way recently thanks to Edward Snowden. A former contractor who worked as an IT administrator for the National Security Agency via Booz Allen Hamilton, Snowden rocked the public with his controversial (and unauthorized) disclosure of top secret documents describing the NSA's telecommunications and Internet surveillance programs to The Guardian. Achieving a layer of solid protection from insiders is a complex issue; when it comes to protecting a business's data, organizations more often focus on threats from the outside. But when a trusted employee or contractor uses privileged access to take company data, the aftermath can be as catastrophic to the business or organization as an outside attack. An administrator can block removal of sensitive data via removable media (Snowden apparently lifted sensitive NSA data using a USB device) by disabling USB slots or controlling them via access or profile, or relying on DLP (which has its own issues). They can install software that monitors systems and does its best to detect unusual employee behavior, but many offerings in this category don't go quite far enough. They can track data as it moves through the network. But all of these security practices come with vulnerabilities. What do you think the best way is to lock down a system against malicious insiders?" -
Book Review: Programming PHP 3rd Edition
Michael Ross writes "As a hugely popular scripting language with an 18-year history, PHP has been the topic of countless computer language books. One of the most comprehensive offerings has been Programming PHP, published by O'Reilly Media. The first edition appeared in March 2002, and was written by Rasmus Lerdorf (the original developer of PHP) and Kevin Tatroe. A second edition was released in May 2006, and saw the addition of another co-author, Peter MacIntyre. With the many changes to the language during the past seven years, the book has again been updated, to cover all of the major new features made available in version 5 of PHP." Keep reading for the rest of Michael's review. Programming PHP, 3rd Edition author Kevin Tatroe, Peter MacIntyre and Rasmus Lerdorf pages 540 publisher O'Reilly Media rating 8/10 reviewer Michael Ross ISBN 978-1449392772 summary An extensive tutorial of the PHP web programming language. This third edition was published on 22 February 2013, under the ISBN 978-1449392772, with the same three authors at the helm. At a substantial 540 pages, the information is organized into 17 chapters, each focusing on a particular area of the language and its usage. This material precedes an appendix of almost 130 pages, which serves as a reference for all of the language's built-in functions. In fact, not only could this book suffice as a reference guide, it could also serve as a tutorial, because it is accessible to programmers of all levels, including beginners who have never before worked with PHP. The preface notes that the material assumes only "a working knowledge of HTML." However, the example code seems to also assume that the reader is comfortable with fundamental programming concepts, such as conditionals and loops.
To learn more about the book, prospective readers and buyers may wish to visit the publisher's website, where they will find a description of the book, its table of contents, a free copy of its first chapter, and the example code for ten of the chapters. Speaking of formats, the book is available in print and electronic media. (This review is based upon a copy of the print version kindly provided by the publisher.)
The first three chapters explain the bedrock fundamentals of the language, including its lexical structure, data types, variables, expressions, operators, flow-control statements, code inclusion methods, and functions. All of the information appears to be valid, aside from several technical blemishes: In Example 1-1, most of the lines of code are duplicated. Example 1-5, which supposedly creates a PNG file, does not seem to work. The section on constants (page 21) should have mentioned the core predefined constants and also distinguished those from magic ones. The binary literal 0b01100000 is 96, not 1 (page 23). It is claimed that an object is evaluated as false if it contains no values or functions (page 25), and yet: "class C{} assert( new C );." The closure example code (page 29) fails because it includes a function name and no terminating semicolon. The example code in the middle of page 66 contradicts the claim that an inner function "cannot be called from code parsed after the outer function." The example code starting at the end of that page fails because $a in foo() is undefined. Nonetheless, even experienced PHP programmers could pick up knowledge not encountered before, or at least refresh what was learned years ago and since forgotten due to disuse.
The next two chapters explore in detail further essential components of PHP: strings, regular expressions, and arrays. As with the earlier chapters, readers will encounter example code that does not appear to have been tested. For instance, the print_r() output of an object is missing the class name (page 84). On the same page, print_r() and var_dump() of $GLOBALS do indicate "*RECURSION*," but do not loop infinitely or three times, respectively, as claimed. The $record on page 86 is missing its trailing tab character. For these errors and others, it is not clear whether the authors or the technical reviewers are ultimately responsible. Regardless, readers should find useful the tables summarizing regular expression character classes, anchors, quantifiers, and options. On the other hand, the treatment of conditional expressions is sorely in need of examples. Also, readers will be baffled when told that "The preg_match() function takes the same arguments and gives the same return value as the preg_match() function []" (page 112). Lastly, the callback example code is faulty (pages 131, 133, and 141). The sixth chapter, covering object-oriented programming is well-written, aside from the confusing phrase "including it to a different name" (page 160) and the anti-Nietzschean "this will fatal" (page 161).
With Chapter 7, the book shifts gears from the basic underpinnings of PHP to more applied topics, in this case, web techniques — specifically HTTP, global variables, server information, web form processing, sessions, and more. The narrative is quite clear, except when the reader is told that periods in field names are converted to underscores because periods are illegal in PHP variable names (page 178); the connection is not explained. The next chapter looks at server-side data storage, including the topics of PDO, MySQLi, SQLite, and MongoDB. Confusingly, readers are told that the sample SQL database code is available in a file, but they are not told where to find it (http://examples.oreilly.com/0636920012443/).
Chapters 9 through 11 address PHP's support for three specialized file types: graphics, PDF, and XML. The explanations are excellent, and the authors provide numerous examples. The only obvious flaws are in Example 11-1 (page 269), where the echo statement is missing the "<?" and two of the lines have mismatched single and double quotes.
The remaining half dozen chapters cover critical aspects of PHP development. The chapter on security does not attempt to be exhaustive, but instead explains the most common attack vectors and how to block them. The chapter on application techniques discusses code libraries, templating, output buffering and compression, error handling, and performance tuning. Any programmer intrigued by the idea of replacing clunky VBA code with PHP, should be interested in Chapter 14, which explores the differences in running PHP on Windows vs. other platforms, with a brief look at manipulating the contents of Microsoft Word and Excel files using PHP. RESTful web services and XML-RPC are the topics of the next chapter, whose only apparent blemish is that json_encode() does not add spaces between the array values (page 339). The penultimate chapter addresses multiple environments, manual debugging, and the use of an IDE. The last chapter briefly covers PHP support for dates and times, and thus should have been located much earlier in the book, with the other material on fundamental concepts.
Overall, this book is quite approachable. Throughout, one will find programming style recommendations, However, as with any technical work of this size, there are passages that could be made more complete or clear. Occasionally the authors will mention something explained only later — e.g., "short echo tag" (page 60) — which can be frustrating to anyone new to a language.
The concepts of PHP being taught are extensively illustrated with example code. Some of it is concise enough so as not to distract from the narrative flow, but far too many examples involve much more code than necessary. This at first glance might seem to be an advantage, but it actually makes it more difficult for the reader to see the parts of the code relevant to the topic at hand. Also, the authors underutilize whitespace in the code, instead jamming tokens and parentheses together.
In a book of this size, we should not be astonished to find some errata: "Wordpress" (page xv), "try and" (same page; should read "try to"), "tick function registered when register_tick_function()" (55; should read "with" not "when"), "eXtensible" (59), "super-global" (67; should read "superglobal"), "display_classes() function" (vs. "function displayClasses()"; 164), "$var" (294 and 295; should read "$value"), "functions of blocks" (323; should read "functions or blocks"), "retried" (337; should read "retrieved"), and "a.k.a." (350; should read "e.g.").
In terms of the production of the book, like most other O'Reilly titles, this one is nicely put together, with readable font. But sometimes words are jammed together so much that lines appear to be a single word, e.g., "codeitselfbutplentifulenoughthatyoucanusethecommentstotellwhat'shappening" (page 17). Also, the publisher should avoid splitting the function names as if they were English words, e.g., "addc" and "slashes()" on separate lines (page 91). The index is missing some obvious entries, e.g., "closures." Many code snippets are missing the "Example" numbers and captions. This may be fine if the authors do not reference those snippets, but makes it problematic for anyone else to reference them.
Even though this is arguably one of the most comprehensive PHP books on the market, it does not cover all aspects of the language. On page 1, readers learn that PHP can be utilized in three major ways — server-side scripting, command-line scripting, and client-side GUI applications; but only the first is covered in the book. The appendix consumes over 120 pages, and comprises information easily available online in the PHP manual's function reference. Those pages could instead have been devoted to at least introducing command-line scripting and GUI applications. In fact, there are two major changes the authors could take in bringing this book much closer to perfection: Firstly, retest all of the code and root out any technical snafus. Secondly, replace the lengthy appendix with full coverage of the topics of command-line scripting and client-side GUI applications.
Regardless, Programming PHP is both a tutorial and a reference resource packed with information and example code. Benefiting from the author's deep expertise in the language and its usage, the book is the most promising single source for anyone who wishes to learn this ubiquitous web scripting language.
Michael Ross is a freelance web developer and writer.
You can purchase Programming PHP, 3rd Edition from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: Programming PHP 3rd Edition
Michael Ross writes "As a hugely popular scripting language with an 18-year history, PHP has been the topic of countless computer language books. One of the most comprehensive offerings has been Programming PHP, published by O'Reilly Media. The first edition appeared in March 2002, and was written by Rasmus Lerdorf (the original developer of PHP) and Kevin Tatroe. A second edition was released in May 2006, and saw the addition of another co-author, Peter MacIntyre. With the many changes to the language during the past seven years, the book has again been updated, to cover all of the major new features made available in version 5 of PHP." Keep reading for the rest of Michael's review. Programming PHP, 3rd Edition author Kevin Tatroe, Peter MacIntyre and Rasmus Lerdorf pages 540 publisher O'Reilly Media rating 8/10 reviewer Michael Ross ISBN 978-1449392772 summary An extensive tutorial of the PHP web programming language. This third edition was published on 22 February 2013, under the ISBN 978-1449392772, with the same three authors at the helm. At a substantial 540 pages, the information is organized into 17 chapters, each focusing on a particular area of the language and its usage. This material precedes an appendix of almost 130 pages, which serves as a reference for all of the language's built-in functions. In fact, not only could this book suffice as a reference guide, it could also serve as a tutorial, because it is accessible to programmers of all levels, including beginners who have never before worked with PHP. The preface notes that the material assumes only "a working knowledge of HTML." However, the example code seems to also assume that the reader is comfortable with fundamental programming concepts, such as conditionals and loops.
To learn more about the book, prospective readers and buyers may wish to visit the publisher's website, where they will find a description of the book, its table of contents, a free copy of its first chapter, and the example code for ten of the chapters. Speaking of formats, the book is available in print and electronic media. (This review is based upon a copy of the print version kindly provided by the publisher.)
The first three chapters explain the bedrock fundamentals of the language, including its lexical structure, data types, variables, expressions, operators, flow-control statements, code inclusion methods, and functions. All of the information appears to be valid, aside from several technical blemishes: In Example 1-1, most of the lines of code are duplicated. Example 1-5, which supposedly creates a PNG file, does not seem to work. The section on constants (page 21) should have mentioned the core predefined constants and also distinguished those from magic ones. The binary literal 0b01100000 is 96, not 1 (page 23). It is claimed that an object is evaluated as false if it contains no values or functions (page 25), and yet: "class C{} assert( new C );." The closure example code (page 29) fails because it includes a function name and no terminating semicolon. The example code in the middle of page 66 contradicts the claim that an inner function "cannot be called from code parsed after the outer function." The example code starting at the end of that page fails because $a in foo() is undefined. Nonetheless, even experienced PHP programmers could pick up knowledge not encountered before, or at least refresh what was learned years ago and since forgotten due to disuse.
The next two chapters explore in detail further essential components of PHP: strings, regular expressions, and arrays. As with the earlier chapters, readers will encounter example code that does not appear to have been tested. For instance, the print_r() output of an object is missing the class name (page 84). On the same page, print_r() and var_dump() of $GLOBALS do indicate "*RECURSION*," but do not loop infinitely or three times, respectively, as claimed. The $record on page 86 is missing its trailing tab character. For these errors and others, it is not clear whether the authors or the technical reviewers are ultimately responsible. Regardless, readers should find useful the tables summarizing regular expression character classes, anchors, quantifiers, and options. On the other hand, the treatment of conditional expressions is sorely in need of examples. Also, readers will be baffled when told that "The preg_match() function takes the same arguments and gives the same return value as the preg_match() function []" (page 112). Lastly, the callback example code is faulty (pages 131, 133, and 141). The sixth chapter, covering object-oriented programming is well-written, aside from the confusing phrase "including it to a different name" (page 160) and the anti-Nietzschean "this will fatal" (page 161).
With Chapter 7, the book shifts gears from the basic underpinnings of PHP to more applied topics, in this case, web techniques — specifically HTTP, global variables, server information, web form processing, sessions, and more. The narrative is quite clear, except when the reader is told that periods in field names are converted to underscores because periods are illegal in PHP variable names (page 178); the connection is not explained. The next chapter looks at server-side data storage, including the topics of PDO, MySQLi, SQLite, and MongoDB. Confusingly, readers are told that the sample SQL database code is available in a file, but they are not told where to find it (http://examples.oreilly.com/0636920012443/).
Chapters 9 through 11 address PHP's support for three specialized file types: graphics, PDF, and XML. The explanations are excellent, and the authors provide numerous examples. The only obvious flaws are in Example 11-1 (page 269), where the echo statement is missing the "<?" and two of the lines have mismatched single and double quotes.
The remaining half dozen chapters cover critical aspects of PHP development. The chapter on security does not attempt to be exhaustive, but instead explains the most common attack vectors and how to block them. The chapter on application techniques discusses code libraries, templating, output buffering and compression, error handling, and performance tuning. Any programmer intrigued by the idea of replacing clunky VBA code with PHP, should be interested in Chapter 14, which explores the differences in running PHP on Windows vs. other platforms, with a brief look at manipulating the contents of Microsoft Word and Excel files using PHP. RESTful web services and XML-RPC are the topics of the next chapter, whose only apparent blemish is that json_encode() does not add spaces between the array values (page 339). The penultimate chapter addresses multiple environments, manual debugging, and the use of an IDE. The last chapter briefly covers PHP support for dates and times, and thus should have been located much earlier in the book, with the other material on fundamental concepts.
Overall, this book is quite approachable. Throughout, one will find programming style recommendations, However, as with any technical work of this size, there are passages that could be made more complete or clear. Occasionally the authors will mention something explained only later — e.g., "short echo tag" (page 60) — which can be frustrating to anyone new to a language.
The concepts of PHP being taught are extensively illustrated with example code. Some of it is concise enough so as not to distract from the narrative flow, but far too many examples involve much more code than necessary. This at first glance might seem to be an advantage, but it actually makes it more difficult for the reader to see the parts of the code relevant to the topic at hand. Also, the authors underutilize whitespace in the code, instead jamming tokens and parentheses together.
In a book of this size, we should not be astonished to find some errata: "Wordpress" (page xv), "try and" (same page; should read "try to"), "tick function registered when register_tick_function()" (55; should read "with" not "when"), "eXtensible" (59), "super-global" (67; should read "superglobal"), "display_classes() function" (vs. "function displayClasses()"; 164), "$var" (294 and 295; should read "$value"), "functions of blocks" (323; should read "functions or blocks"), "retried" (337; should read "retrieved"), and "a.k.a." (350; should read "e.g.").
In terms of the production of the book, like most other O'Reilly titles, this one is nicely put together, with readable font. But sometimes words are jammed together so much that lines appear to be a single word, e.g., "codeitselfbutplentifulenoughthatyoucanusethecommentstotellwhat'shappening" (page 17). Also, the publisher should avoid splitting the function names as if they were English words, e.g., "addc" and "slashes()" on separate lines (page 91). The index is missing some obvious entries, e.g., "closures." Many code snippets are missing the "Example" numbers and captions. This may be fine if the authors do not reference those snippets, but makes it problematic for anyone else to reference them.
Even though this is arguably one of the most comprehensive PHP books on the market, it does not cover all aspects of the language. On page 1, readers learn that PHP can be utilized in three major ways — server-side scripting, command-line scripting, and client-side GUI applications; but only the first is covered in the book. The appendix consumes over 120 pages, and comprises information easily available online in the PHP manual's function reference. Those pages could instead have been devoted to at least introducing command-line scripting and GUI applications. In fact, there are two major changes the authors could take in bringing this book much closer to perfection: Firstly, retest all of the code and root out any technical snafus. Secondly, replace the lengthy appendix with full coverage of the topics of command-line scripting and client-side GUI applications.
Regardless, Programming PHP is both a tutorial and a reference resource packed with information and example code. Benefiting from the author's deep expertise in the language and its usage, the book is the most promising single source for anyone who wishes to learn this ubiquitous web scripting language.
Michael Ross is a freelance web developer and writer.
You can purchase Programming PHP, 3rd Edition from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
Meet the Stampede Supercomputing Cluster's Administrator (Video)
UT Austin tends not to do things by half measures, as illustrated by the Texas Advanced Computing Center, which has been home to an evolving family of supercomputing clusters. The latest of these, Stampede, was first mentioned here back in 2011, before it was actually constructed. In the time since, Stampede has been not only completed, but upgraded; it's just successfully completed a successful six months since its last major update — the labor-intensive installation of Xeon Phi processors throughout 106 densely packed racks. I visited TACC, camera in hand, to take a look at this megawatt-eating electronic hive (well, herd) and talk with director of high-performance computing Bill Barth, who has insight into what it's like both as an end-user (both commercial and academic projects get to use Stampede) and as an administrator on such a big system. -
Security Researchers Submit Brief For Andrew "Weev" Auernheimer
USSJoin writes "Andrew Auernheimer (or Weev, as he's often better known) is serving a 41-month sentence under the Computer Fraud and Abuse Act. The case is currently on appeal to the Third Circuit Court of Appeals; his lawyer filed the appellate brief last week. Now, a group of 13 security researchers, led by Meredith Patterson, and including include Peiter "Mudge" Zatko, Space Rogue, Jericho, Shane MacDougall, and Dan Kaminsky, are making their own thoughts heard by the court. They are submitting a brief to the Third Circuit Court of Appeals that argues that not only is Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well." -
Critical Security Updates Coming To Windows XP, 8, RT & Server
SmartAboutThings writes "On the upcoming Patch Tuesday on July 9, Microsoft is going to bring some notable security updates, that will mostly deal with fixing issues in remote code execution vulnerabilities, which allow attackers to breach in. The security updates will be applied to all Windows versions Microsoft is still supporting (from XP to Windows 8.1)" -
According To YouGov Poll, Snowden Support Declining Among Americans
eldavojohn writes "A recent poll from the YouGov consisting of one thousand responses shows that Snowden's support among Americans has shifted. Now, according to the poll, more Americans think he did the wrong thing rather than the right thing when asked: 'Based on what you've heard, do think Snowden's leak of top-secret information about government surveillance programs to the media was the right thing to do or the wrong thing to do?' The results and breakdown are available online (PDF). Without getting into racial or political breakdowns, the results now show that 38% say he did the wrong thing, 33% say he did the right thing and 29% remain undecided about the results of his actions. Instead of charging the populace into action Snowden may be facing apathy at best and public disapproval at worst." -
The Price of Amazon
An anonymous reader writes "As physical book stores continue to struggle and disappear, the NY Times puts the changing book industry into perspective as a cost of the existence of Amazon. Further, it's a cost that hasn't been fully paid, as other effects of Amazon's ascendancy have yet to be felt. Quoting: 'One consequence of this shift is that soon no one will know what a book's "real" price is. Price will be determined by demand and perhaps by whim. The first seeds of this can be seen in the Justice Department's suit against the leading publishers, who felt that Amazon was pricing their e-books so low that it threatened their viability. The government accused the publishers of colluding to raise prices in an anti-consumer move. Amazon was not a party to the case, but it emerged the big winner.' Economists, publishers, and readers no longer have confidence that a book will cost the same amount this week as it did the last." -
The Price of Amazon
An anonymous reader writes "As physical book stores continue to struggle and disappear, the NY Times puts the changing book industry into perspective as a cost of the existence of Amazon. Further, it's a cost that hasn't been fully paid, as other effects of Amazon's ascendancy have yet to be felt. Quoting: 'One consequence of this shift is that soon no one will know what a book's "real" price is. Price will be determined by demand and perhaps by whim. The first seeds of this can be seen in the Justice Department's suit against the leading publishers, who felt that Amazon was pricing their e-books so low that it threatened their viability. The government accused the publishers of colluding to raise prices in an anti-consumer move. Amazon was not a party to the case, but it emerged the big winner.' Economists, publishers, and readers no longer have confidence that a book will cost the same amount this week as it did the last." -
Ask Slashdot: Will the NSA Controversy Drive People To Use Privacy Software?
Nerval's Lobster writes "As the U.S. government continues to pursue former NSA contractor Edward Snowden for leaking some of the country's most sensitive intelligence secrets, the debate over federal surveillance seems to have abated somewhat — despite Snowden's stated wish for his revelations to spark transformative and wide-ranging debate, it doesn't seem as if anyone's taking to the streets to protest the NSA's reported monitoring of Americans' emails and phone-call metadata. Even so, will the recent revelations about the NSA cause a spike in demand for sophisticated privacy software, leading to a glut of new apps that vaporize or encrypt data? While there are quite a number of tools already on the market (SpiderOak, Silent Circle, and many more), is their presence enough to get people interested enough to install them? Or do you think the majority of people simply don't care? Despite some polling data that suggests people are concerned about their privacy, software for securing it is just not an exciting topic for most folks, who will rush to download the latest iteration of Instagram or Plants vs. Zombies, but who often throw up their hands and profess ignorance when asked about how they lock down their data." -
Progress On the Open Laptop
An anonymous reader writes "Last October, we discussed Andrew 'bunnie' Huang's effort to build a complete open hardware laptop, called the Novena. bunnie has now posted a progress report on the laptop's design and construction, showing the latest revision of the board, the display, and a hack to use it as a secure router. bunnie says, 'At the end of the day, we're having fun building the laptop we always wanted — it's now somewhere between a python-scriptable oscilloscope, logic analyzer, and a laptop. I think it will be an indispensable tool for hacking, particularly for doing signal analysis which requires coordination across multiple protocol layers, complex trigger conditions and/or feedback stimulus loops. As for the inevitable question about if these will be sold, and for how muchonce we're done building the system (and, "done" is a moving target — really, the whole idea is this is continuously under development and improving) I'll make it available to qualified buyers. Because it's open-source and a bit quirky, I'm shy on the idea of just selling it to anyone who comes along wanting a laptop. I'm worried about buyers who don't understand that "open" also means a bit of DIY hacking to get things working, and that things are continuously under development." -
Microsoft Integrating Xbox One Advertising With Kinect To Profile Users For Ads
MojoKid writes "When Microsoft reversed its Xbox One DRM policies a few weeks back, there was momentary hope that the company has listened to its customers and understood the features they were asking for. Granted, this was brief. However, with Mattrick gone, there was some hope that maybe the company would reintroduce plans like Family Sharing and put the console back on track. Apparently not. Microsoft's big new feature with Kinect? Advertising. Microsoft plans to use Kinect to make advertisements even more engaging than their current counterparts. In the future, Kinect may offer you a 'Choose Your Own Adventure' style narrative in which you speak commands or give orders to an ad as it's playing to change the final outcome. The other way Microsoft wants to use Kinect is to monitor what's going on in the living room to serve you group-appropriate content, rather than resorting to the plain old method of bombarding you with non-interactive advertising for things you don't care about. Microsoft will likely learn that telling gamers that the Xbox One is an ad-centric experience and attempting to spin it like a positive doesn't actually work." -
Tech Companies Looking Into Sarcasm Detection
Nerval's Lobster writes "Now here's the greatest thing ever: French tech firm Spotter has apparently devised an analytics platform capable of identifying sarcastic comments, according to the BBC. Spotter's platform scans social media and other sources to create reputation reports for clients such as the EU Commission and Air France. As with most analytics packages that determine popular sentiment, the software parses semantics, heuristics and linguistics. However, automated data-analytics systems often have a difficult time with some of the more nuanced elements of human speech, such as sarcasm and irony — an issue that Spotter has apparently overcome to some degree, although company executives admit that their solution isn't perfect. (Duh.) Spotter isn't alone: IBM, Salesforce, and other IT vendors are hard at work on analytics software that can more perfectly determine when you're mouthing off, you little punks. In theory, sarcasm detection can help with customer service, and judging how well products are doing on the open market... and we all know it's going to work perfectly, right? Nothing could possibly go wrong with automated platforms built to assess the nuances of human speech." -
EU Parliament Supports Suspending US Data Sharing
New submitter egladil writes "As seen previously here on Slashdot, the European Parliament was to vote on 'whether existing data sharing agreements between the two continents should be suspended, following allegations that U.S. intelligence spied on E.U. citizens.' With the votes now having been cast, the result is 483 in favor of the resolution and 98 against, while 65 abstained. The resolution in question in part called for the U.S. 'to suspend and review any laws and surveillance programs that "violate the fundamental right of E.U. citizens to privacy and data protection," as well as Europe's "sovereignty and jurisdiction."' It also decided that the E.U. should investigate the surveillance of E.U. citizens, and finally gave backing to the European Commision in case they should decide to suspend the data sharing deals currently in place with the U.S., such as the Passenger Name Record and Terrorist Finance Tracking Program agreements. The question now is whether the E.U. commision will go through with suspending these deals or not."