Domain: slashdot.org
Stories and comments across the archive that link to slashdot.org.
Stories · 37,380
-
Book Review: The Clean Coder
CoryFoy writes "As someone who has been closely involved in both the 'agile software' movement as well as the 'Software Craftsmanship' movement, I have been following the work of Robert Martin for some time. So I was quite interested when I got my copy of his latest book Clean Coder where he 'introduces the disciplines, techniques, tools and practices of true software craftsmanship.' Would his book live up to being a guide for the next generation of developers, or would it go on my shelf as another interesting book that I had read, once?" Read below for the rest of Cory's review. The Clean Coder: A Code of Conduct for Professional Programmers author Robert C. Martin pages 256 publisher Prentice Hall rating 5 Nebulous Rating Units reviewer Cory Foy ISBN 978-0137081073 summary A good overview of the current agile practices for software developers Before even getting into the book, it is good to know the style of Robert Martin, affectionately known as "Uncle Bob" to many people. Bob is a former preacher who comes at life — and topics he teaches — with a no-holds-bar approach. So when he approaches topics such as "Professionalism" and the software industry, I come expecting passionate discussion and serious assertions. The Clean Coder is no exception.
The book starts off with an overview of the Challenger space shuttle disaster. As a native Floridian who could see shuttle launches from my house (and, in fact, saw the Challenger explode just as it crested the trees from where we lived) this really resonated with me. The accident was a result of engineers saying no, but management overriding the decision. With this introduction, Bob makes it quite clear that when we choose not to stand up for that which we believe, it can have dire consequences.
We then dive right in, starting with the topic of Professionalism. The assertion is made that the key to professionalism is responsibility — "You can't take pride and honor is something you can't be held accountable for". But how do we take and achieve responsibility? Chapter one lays out two ways. To start, it looks at the Hippocratic Oath, specifically the rule of "First, Do No Harm". The book maps this to software by saying to do no harm to function or structure, ensure that QA doesn't find anything, know that your software works, and have automated QA. In fact, when I work with teams, I teach them that if your testing "phase" finds bugs, it's a problem with your process that needs to be addressed immediately, so the concept of ensuing that QA doesn't find anything is a great concept to bring out.
Then we move on to Work Ethic — specifically around knowing your field. This means continuous learning, practice (through things like Katas and Dojos), collaboration, mentoring, identifying with your employer/customer, and practicing humility. To help with that, Chapters 2 and 3 talk specifically about saying "No" and "Yes". When we say no, and when we want to say no, we should mean it. Saying, "We'll try" means that you, or your team, isn't already giving it their best, and that through some extraordinary effort you'll pull it off. Say no and stick to it. But, when you say Yes, mean it. People are counting on you to be truthful with them.
Chapters 4, 5, and 6 begin to talk about the specific practices of coding. Chapter 4 talks about the coding process itself. One of the hardest statements the book makes here is to stay out of "the zone" when coding. Bob asserts that you lose parts of the big picture when you go down to that level. While I may struggle with that assertion, I do agree with his next statement that debugging time is expensive, so you should avoid having to do debugger-driven development whenever possible. He finishes the chapter with examples of pacing yourself (walking away, taking a shower) and how to deal with being late on your projects (remembering that hope is not a plan, and being clear about the impact of overtime) along with a reminder that it is good to both give and receive help, whether it be small questions or mentoring others.
Chapters 5 and 6 cover Test-Driven Development and Practicing. The long and short is that TDD is becoming a wide-spread adopted practice, in that you don't get as many funny looks from people when you mention TDD as you once did. And that coding at work doesn't equal practicing your tools and techniques — instead you should set aside specific time to become better through coding exercises, reading and researching other areas (languages, tools, approaches), and attending events and conferences.
Chapters 7 and 8 cover testing practices. In Chapter 7 the book looks at Acceptance Tests and the cycle of writing them — specifically at what point the customer is involved (hint: continuously) and how to ensure they stay involved. Chapter 8 goes to more of the unit testing level, and defines some strategies and models for looking at unit testing, including an interesting "Test Automation Pyramid"
Now that we've covered the developer herself, coding and testing, the book moves on to discussing time. Chapter 9 covers Time Management strategies — staying out of "bogs" and "blind alleys", using techniques like the "Pomodoro" technique to create focus, and the law of two-feet — if you are in a meeting and aren't getting value out of it, you should feel free to (respectively) leave, or otherwise modify the meeting to get value from it.
Chapter 10 covers several different methods of estimation. In the teams I work with, estimation is perhaps one of the hardest things — not because estimating can be hard (which it can be) but because either they are held so tightly to the estimates that they are afraid to make them, or, worse, they are told what the estimates are going to be. The book really only skims the surface here, covering several techniques from Planning Poker, to PERT, to "Flying Fingers", but gives a decent overview of how to do those techniques.
Rounding out the discussions of time comes Chapter 11 and talking about Pressure. The key of this chapter is that because you have committed to your principles, practices and disciplines, you should be able to stay calm under pressure. I can certainly say from experience that the worst experiences in my career are when people weren't able to stay calm, and the way the book is laid out, if you are following the practices outlines so far, you should be able to be the voice of reason and calmness.
The last three chapters cover teams and collaboration. Chapter 12 talks about important practices such as shared code ownership, pairing, and respect for other team members. Chapter 13 covers teams and the importance of having teams that gel together. The book finishes with Chapter 14 and discussions of the importance of apprenticeship, mentorship and craftsmanship.
As I mentioned earlier, I've been involved in the "agile" movement for quite some time, and have spoken with Bob on many occasions, so many of the practices in the book weren't new. I did quite appreciate the stories he had to tell about his experiences. However, I think that some people may be turned off by the hard line around "professionalism". Sometimes you do need to say no, and I think it is good to have encouragement from a book to do that. But sometimes things are more complex, and I think that you would have a harder time looking to this particular book for help with the edge cases.
In conclusion, I think this is a book which provides worthwhile information and an interesting look at how people are looking at software development as a profession. If you read between some of the hard lines made, there are some great nuggets to be gleaned from the book for software developers of any level.
You can purchase The Clean Coder: A Code of Conduct for Professional Programmers from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: The Clean Coder
CoryFoy writes "As someone who has been closely involved in both the 'agile software' movement as well as the 'Software Craftsmanship' movement, I have been following the work of Robert Martin for some time. So I was quite interested when I got my copy of his latest book Clean Coder where he 'introduces the disciplines, techniques, tools and practices of true software craftsmanship.' Would his book live up to being a guide for the next generation of developers, or would it go on my shelf as another interesting book that I had read, once?" Read below for the rest of Cory's review. The Clean Coder: A Code of Conduct for Professional Programmers author Robert C. Martin pages 256 publisher Prentice Hall rating 5 Nebulous Rating Units reviewer Cory Foy ISBN 978-0137081073 summary A good overview of the current agile practices for software developers Before even getting into the book, it is good to know the style of Robert Martin, affectionately known as "Uncle Bob" to many people. Bob is a former preacher who comes at life — and topics he teaches — with a no-holds-bar approach. So when he approaches topics such as "Professionalism" and the software industry, I come expecting passionate discussion and serious assertions. The Clean Coder is no exception.
The book starts off with an overview of the Challenger space shuttle disaster. As a native Floridian who could see shuttle launches from my house (and, in fact, saw the Challenger explode just as it crested the trees from where we lived) this really resonated with me. The accident was a result of engineers saying no, but management overriding the decision. With this introduction, Bob makes it quite clear that when we choose not to stand up for that which we believe, it can have dire consequences.
We then dive right in, starting with the topic of Professionalism. The assertion is made that the key to professionalism is responsibility — "You can't take pride and honor is something you can't be held accountable for". But how do we take and achieve responsibility? Chapter one lays out two ways. To start, it looks at the Hippocratic Oath, specifically the rule of "First, Do No Harm". The book maps this to software by saying to do no harm to function or structure, ensure that QA doesn't find anything, know that your software works, and have automated QA. In fact, when I work with teams, I teach them that if your testing "phase" finds bugs, it's a problem with your process that needs to be addressed immediately, so the concept of ensuing that QA doesn't find anything is a great concept to bring out.
Then we move on to Work Ethic — specifically around knowing your field. This means continuous learning, practice (through things like Katas and Dojos), collaboration, mentoring, identifying with your employer/customer, and practicing humility. To help with that, Chapters 2 and 3 talk specifically about saying "No" and "Yes". When we say no, and when we want to say no, we should mean it. Saying, "We'll try" means that you, or your team, isn't already giving it their best, and that through some extraordinary effort you'll pull it off. Say no and stick to it. But, when you say Yes, mean it. People are counting on you to be truthful with them.
Chapters 4, 5, and 6 begin to talk about the specific practices of coding. Chapter 4 talks about the coding process itself. One of the hardest statements the book makes here is to stay out of "the zone" when coding. Bob asserts that you lose parts of the big picture when you go down to that level. While I may struggle with that assertion, I do agree with his next statement that debugging time is expensive, so you should avoid having to do debugger-driven development whenever possible. He finishes the chapter with examples of pacing yourself (walking away, taking a shower) and how to deal with being late on your projects (remembering that hope is not a plan, and being clear about the impact of overtime) along with a reminder that it is good to both give and receive help, whether it be small questions or mentoring others.
Chapters 5 and 6 cover Test-Driven Development and Practicing. The long and short is that TDD is becoming a wide-spread adopted practice, in that you don't get as many funny looks from people when you mention TDD as you once did. And that coding at work doesn't equal practicing your tools and techniques — instead you should set aside specific time to become better through coding exercises, reading and researching other areas (languages, tools, approaches), and attending events and conferences.
Chapters 7 and 8 cover testing practices. In Chapter 7 the book looks at Acceptance Tests and the cycle of writing them — specifically at what point the customer is involved (hint: continuously) and how to ensure they stay involved. Chapter 8 goes to more of the unit testing level, and defines some strategies and models for looking at unit testing, including an interesting "Test Automation Pyramid"
Now that we've covered the developer herself, coding and testing, the book moves on to discussing time. Chapter 9 covers Time Management strategies — staying out of "bogs" and "blind alleys", using techniques like the "Pomodoro" technique to create focus, and the law of two-feet — if you are in a meeting and aren't getting value out of it, you should feel free to (respectively) leave, or otherwise modify the meeting to get value from it.
Chapter 10 covers several different methods of estimation. In the teams I work with, estimation is perhaps one of the hardest things — not because estimating can be hard (which it can be) but because either they are held so tightly to the estimates that they are afraid to make them, or, worse, they are told what the estimates are going to be. The book really only skims the surface here, covering several techniques from Planning Poker, to PERT, to "Flying Fingers", but gives a decent overview of how to do those techniques.
Rounding out the discussions of time comes Chapter 11 and talking about Pressure. The key of this chapter is that because you have committed to your principles, practices and disciplines, you should be able to stay calm under pressure. I can certainly say from experience that the worst experiences in my career are when people weren't able to stay calm, and the way the book is laid out, if you are following the practices outlines so far, you should be able to be the voice of reason and calmness.
The last three chapters cover teams and collaboration. Chapter 12 talks about important practices such as shared code ownership, pairing, and respect for other team members. Chapter 13 covers teams and the importance of having teams that gel together. The book finishes with Chapter 14 and discussions of the importance of apprenticeship, mentorship and craftsmanship.
As I mentioned earlier, I've been involved in the "agile" movement for quite some time, and have spoken with Bob on many occasions, so many of the practices in the book weren't new. I did quite appreciate the stories he had to tell about his experiences. However, I think that some people may be turned off by the hard line around "professionalism". Sometimes you do need to say no, and I think it is good to have encouragement from a book to do that. But sometimes things are more complex, and I think that you would have a harder time looking to this particular book for help with the edge cases.
In conclusion, I think this is a book which provides worthwhile information and an interesting look at how people are looking at software development as a profession. If you read between some of the hard lines made, there are some great nuggets to be gleaned from the book for software developers of any level.
You can purchase The Clean Coder: A Code of Conduct for Professional Programmers from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Fermi Lab's New Particle Discovery in Question
"Back in April physicists at Fermilab speculated that they may have discovered a new force or particle. But now another team has analyzed data from the collider and come to the exact opposite conclusion. From the article: 'But now, a rival team performing an independent analysis of Tevatron data has turned up no sign of the bump. It is using the same amount of data as CDF reported in April, but this data was collected at a different detector at the collider called DZero. "Nope, nothing here – sorry," says Dmitri Denisov, a spokesman for DZero.'" -
Turkish Police Nab 32 Suspects Tied To Anonymous
wiredmikey writes "Following the arrest of three alleged 'Anonymous' members by Spanish authorities on Friday, Turkey's state-run news agency has reported that police have detained 32 individuals allegedly linked to the hacktivist group. The Anatolia news agency said today that the suspects were taken into custody after conducting raids in a dozen cities for suspected ties to Anonymous. The group recently targeted Web sites of the country's telecommunications watchdog, the prime minister's office and parliament as a protest to Turkey's plans to introduce Internet filters." -
A Deep-Dive Look At Samsung's Galaxy Tab 10.1
MojoKid writes "Samsung's Galaxy Tab 10.1 was announced way back in February this year just prior to Apple's iPad 2 launch. Shortly after, a Samsung VP noted the company was re-evaluating their Galaxy Tab line in the wake of Apple's strong iPad 2 showing in early March. Since then, the Galaxy Tab 10.1 has begun shipping and early reports show the Android 3.1 driven device to be slightly thinner than the iPad 2, lighter and with NVIDIA's 1GHz dual-core Tegra 2 processor under the hood, every bit as capable. With recent Honeycomb entrants in the 10-inch Android tablet market, like the Asus Transformer, Motorola Xoom and Samsung Galaxy Tab 10.1, the iPad 2 finally has solid competition in terms of both hardware and OS performance." -
Crowdsourcing Analysis of the Palin Email Trove
itwbennett writes "Surely you've got better things to do this weekend than read 24,000 pages of Sarah Palin's email. But just in case you don't, the NY Times is looking for volunteers to help 'identify interesting and newsworthy e-mails, people and events that we may want to highlight.' And, for your easy reference, MSNBC has posted the complete collection online." -
Friday's Big Swings, Mostly Down, Illustrate Bitcoin Value Volatility
An anonymous reader writes "As cool as Bitcoin is, it looks like it lost 1/3 of its value in the last 24 hours. Lots of big sells, complaints of liquidity, and pissed off nerds." The linked article goes on to explain that the value rose again, so the aggregate loss was considerably less. The author also helps defuse claims that Bitcoin is untraceable or otherwise especially well suited to nefarious activities. -
Mexican Cartels Build Mad Max Narco Tanks
Hugh Pickens writes "Not content with building their own submarines, using bazookas, rocket-propelled grenades or land mines, drug cartels are now building armored assault vehicles, complete with gun turrets, inch-thick armor plates, firing ports and bulletproof glass. The monsters look like a cross between a handmade assault vehicle used by a Somali warlord and something out of a post-apocalyptic Mad Max movie, and have already appeared in several confrontations with Mexican authorities. A look inside a captured 'monster' truck (YouTube video) reveals that in addition to swiveling turrets to shoot in any direction, they have hatches and peepholes for snipers, their spacious interiors can fit as many as 20 armed men, and they are coated with polyurethane for insulation and to reduce noise. Still Patrick Corcoran writes that the armored vehicles are not a game changer. 'While the "narco-tanks," as the vehicles are often called, make for great blog fodder and provide entertaining videos, seeing their rise as a significant escalation in Mexico's drug war would be wrongheaded,' writes Corcoran. 'In the end, the "tanks" are a sexy narrative, but these mistaken notions about the criminals' "military might" not only inflate the power of Mexico's groups far beyond any reasonable assessment, they also obscure the problem, and its potential solutions.'" -
Siemens Fixes SCADA Flaws
itwbennett writes "Siemens has fixed a pair of bugs in its S7-1200 controller, which is used to control machines on factory floors, power stations and chemical plants. The bugs were discovered earlier this year by NSS researcher Dillon Beresford, who planned to disclose the bugs at Black Hat in August. The US Department of Homeland Security said that Siemens' patches fix 'a portion' of the problems Beresford has discovered and that it 'continues to work with Siemens and Mr. Beresford on the other reported problems.'" -
English City Council "Not Ready" for Zombie Attack
Unlike the CDC, a freedom of information request submitted to the Leicester City Council has revealed that the council is not prepared for an unexpected zombie invasion. From the article: "'We've had a few wacky ones before but this one did make us laugh,' said Lynn Wyeth, head of information governance. The Freedom of Information Act allows a right of access to recorded information held by public authorities. Ms Wyeth said she was unaware of any specific reference to a zombie attack in the council's emergency plan, however some elements of it could be applied if the situation arose." -
Chinese Tianhe-1A Supercomputer Starts Churning Out the Science
gupg writes "When China built the world's fastest supercomputer based on NVIDIA GPUs last year, a lot of naysayers said this was just a stunt machine. Well, guess what — here comes the science! They are working on better material for solar panels and they ran the world's fastest simulation ever. NVIDIA (whose GPUs accelerate these applications as a co-processor) blogged on this a while ago, where they talk about how the US really needs to up its investment in high performance computing." -
Apple Eases Rules For Subscription Apps
pjfontillas writes "Apple has quietly reversed their decision that required publishers who sell content and subscriptions in their iPhone and iPad apps to go through iTunes, with Apple taking a 30% cut. It's not so quiet in the workplace, however, as this news has a pretty big influence on developer workloads. Here at The New York Times our developers breathed a sigh of relief once we realized we don't have try and work around that requirement like The Financial Times did. Apple seems to have been doing much better with their community (consumers and developers alike) recently." Reader imamac notes that Apple has also filed a motion to intervene in the Lodsys patent suit against several iOS app developers that we've been following. -
Apple Eases Rules For Subscription Apps
pjfontillas writes "Apple has quietly reversed their decision that required publishers who sell content and subscriptions in their iPhone and iPad apps to go through iTunes, with Apple taking a 30% cut. It's not so quiet in the workplace, however, as this news has a pretty big influence on developer workloads. Here at The New York Times our developers breathed a sigh of relief once we realized we don't have try and work around that requirement like The Financial Times did. Apple seems to have been doing much better with their community (consumers and developers alike) recently." Reader imamac notes that Apple has also filed a motion to intervene in the Lodsys patent suit against several iOS app developers that we've been following. -
Data Review Brings Major Setback In Higgs Boson Hunt
Velcroman1 writes "The quest for the elusive Higgs boson seemed over in April, when an unexpected result from an atom smasher seemed to herald the discovery of the famous particle — the last unproven piece of the physics puzzle and one of the great mysteries scientists face today. Scientists with the Tevatron particle accelerator at Chicago's Fermilab facility just released the results of a months-long effort by the lab's brightest minds to confirm the finding. What did they find? Nothing. 'We do not see the signal,' said Dmitri Denisov, staff scientist at Fermilab. 'If it existed, we would see it. But when we look at our data, we basically see nothing.'" -
Stack Exchange Website Profiler Now Open Source
ScuttleMonkey writes "Joel Spolsky sent out smoke signals this morning about the recent release of the Stack Exchange Website Profiler as open source. Sam Saffron expounds on why this profiler is perhaps 'best and most comprehensive production web page profiler out there for any web platform.' The project is available via Google Code or NuGet." -
Supreme Court Rules Against Microsoft In i4i Case
CWmike writes "The US Supreme Court has let stand a $300 million patent infringement ruling against Microsoft, granting a victory Thursday to i4i (PDF), which filed the lawsuit back in 2007. The legal battle already forced Microsoft to modify certain functionality in its Word application in 2009, when the US District Court for the Eastern District of Texas ruled in favor of Toronto-based i4i and told Microsoft to stop selling Word in the US. At issue was an i4i patent that covers technology that lets users manipulate the architecture and content of a document, which i4i alleged Microsoft infringed upon by letting Word users create custom XML documents. Microsoft removed the feature. 'This case raised an important issue of law which the Supreme Court itself had questioned in an earlier decision and which we believed needed resolution. While the outcome is not what we had hoped for, we will continue to advocate for changes to the law that will prevent abuse of the patent system and protect inventors who hold patents representing true innovation,' Microsoft said in a statement." -
Supreme Court Rules Against Microsoft In i4i Case
CWmike writes "The US Supreme Court has let stand a $300 million patent infringement ruling against Microsoft, granting a victory Thursday to i4i (PDF), which filed the lawsuit back in 2007. The legal battle already forced Microsoft to modify certain functionality in its Word application in 2009, when the US District Court for the Eastern District of Texas ruled in favor of Toronto-based i4i and told Microsoft to stop selling Word in the US. At issue was an i4i patent that covers technology that lets users manipulate the architecture and content of a document, which i4i alleged Microsoft infringed upon by letting Word users create custom XML documents. Microsoft removed the feature. 'This case raised an important issue of law which the Supreme Court itself had questioned in an earlier decision and which we believed needed resolution. While the outcome is not what we had hoped for, we will continue to advocate for changes to the law that will prevent abuse of the patent system and protect inventors who hold patents representing true innovation,' Microsoft said in a statement." -
Could the US Phase Out Nuclear Power?
mdsolar writes "In the wake of the Fukushima nuclear disaster in Japan, [German Chancellor] Merkel announced that her country would close all of its 17 existing reactors by 2022. Other nations, including Japan, Italy, and Switzerland, have announced plans to pare back nuclear power, but none have gone as far as Germany, the world's fourth-largest economy. Merkel vows to replace nuclear power with alternatives that do not increase greenhouse gases or shackle the economic growth. Could the US do the same? An increasing number of reports suggest it is not beyond the realm of possibility, and Germany could provide a road map." -
Cloud-Based, Ray-Traced Games On Intel Tablets
An anonymous reader writes "After Intel showed a ray traced version of Wolfenstein last year running cloud-based streamed to a laptop the company that has just recently announced its shift to the mobile market shows now their research project Lalso running on various x86-tablets with 5 to 10 inch screens. The heavy calculations are performed by a cloud consisting of a machine with a Knights Ferry card (32 cores) inside. The achieved frame rates are around 20-30 fps." -
Cloud-Based, Ray-Traced Games On Intel Tablets
An anonymous reader writes "After Intel showed a ray traced version of Wolfenstein last year running cloud-based streamed to a laptop the company that has just recently announced its shift to the mobile market shows now their research project Lalso running on various x86-tablets with 5 to 10 inch screens. The heavy calculations are performed by a cloud consisting of a machine with a Knights Ferry card (32 cores) inside. The achieved frame rates are around 20-30 fps." -
Sony's Solution To Split-Screen Multiplayer
We discussed Sony's E3 announcement of the pricing and details of the Vita portable console (hands-on report), but they also made a stronger push into the 3D space, revealing a 24" display specifically designed for 3D gaming. Most notable about this display is that two players wearing 3D glasses can use it to view separate images on screen. This means that when playing with a friend, you need not sacrifice 50% of screen real estate to accommodate the other player. The Guardian has a good run-down of Sony's other E3 announcements. -
Is There a New Geek Anti-Intellectualism?
Larry Sanger writes "Geeks are supposed to be, if anything, intellectual. But it recently occurred to me that a lot of Internet geeks and digerati have sounded many puzzlingly anti-intellectual notes over the past decade, and especially lately. The Peter Thiel-inspired claim that college is a waste of time is just the latest example. I have encountered (and argued against) five common opinions, widely held by geeks, that seem headed down a slippery slope. J'accuse: 'At the bottom of the slippery slope, you seem to be opposed to knowledge wherever it occurs, in books, in experts, in institutions, even in your own mind.' So, am I right? Is there a new geek anti-intellectualism?" -
RSA Admits SecurID Tokens Have Been Compromised
A few months ago, RSA Servers were hacked, and a few weeks ago Duped tokens were used to hack Lockheed-Martin. Well today Orome1 writes "RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens. The admission comes in the wake of cyber intrusions into the networks of three US military contractors: Lockheed Martin, L-3 Communications and Northrop Grumman — one of them confirmed by the company, others hinted at by internal warnings and unusual domain name and password reset process." -
RSA Admits SecurID Tokens Have Been Compromised
A few months ago, RSA Servers were hacked, and a few weeks ago Duped tokens were used to hack Lockheed-Martin. Well today Orome1 writes "RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens. The admission comes in the wake of cyber intrusions into the networks of three US military contractors: Lockheed Martin, L-3 Communications and Northrop Grumman — one of them confirmed by the company, others hinted at by internal warnings and unusual domain name and password reset process." -
Siemens SCADA Flaws To Be Disclosed At Black Hat
itwbennett writes "In May, NSS Labs Researcher Dillon Beresford pulled out of a Dallas hacking conference at the last minute when Siemens was unable to fix problems he'd found in the firmware of its S7 programmable logic controller. Now NSS Labs CEO Rick Moy says Beresford is rescheduled to deliver his talk at Black Hat, which runs Aug. 2-3. Beresford has discovered six vulnerabilities in the S7 that 'allow an attacker to have complete control of the device,' Moy said. Devices like the S7 do things such as control how fast a turbine spins or open gates on dams." -
GPL'd Driver and Linux Support For New H.264 Capture Card
azop writes "Almost a year ago Slashdot covered the story of a MPEG-4 multiple input capture card with a GPL Video4Linux licensed driver. Earlier this year, Ben Collins added H.264 support into the solo6x10 Video4Linux2 GPL driver. The H.264 PCIe cards are finally released and shipping to customers. The new cards support faster frame rates and sport a PCIe interface. The driver is available for forkin' on Github." -
Two Elements Added To Periodic Table
smitty777 writes "Two new elements have been added to the periodic table of the elements. Elements 114 and 116 are the weightiest known, with atomic weights of 289 and 292 respectively. The discoverers are proposing flerovium and moscovium as names for these two new discoveries. There are also arguments being made to add in three more as well: 113, 115 and 118." We've noted element 114 in the past, but this is more official. -
Syria Reportedly Back On the Internet
angry tapir writes "The Internet in Syria was back on Saturday, a day after it was reported that two-thirds of Syrian networks had been cut off from the rest of the world in the wake of civil unrest in the country." -
Skype Is Working To Defeat the Reverse Engineering
ndogg writes "Michael Larabel of Phoronix was emailed a response to the reverse engineering of the Skype protocol from the VP of Skype's PR company, who said that the reverse engineering was done for the use of spam/phishing, and that it's an infringement of their IP, and that they are working to defeat it." -
Hacker Group LulzSec Challenges FBI
Tiek00n writes "Hacker Group 'LulzSec' has gained some attention recently for their hacks of PBS and Sony. Their most recent target: FBI affiliate Infragard. The group claims, 'It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it...'" -
Hacker Group LulzSec Challenges FBI
Tiek00n writes "Hacker Group 'LulzSec' has gained some attention recently for their hacks of PBS and Sony. Their most recent target: FBI affiliate Infragard. The group claims, 'It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it...'" -
Brain Cancer Worries? Look Up Your Phone's SAR
CWmike writes "With recent news of a possible link between cell phone radiation and risk of brain cancer, you may have a new-found interest in knowing how much radiation your mobile handset is giving off — or, more importantly, how much your body might be absorbing. The FCC's legal limit for mobile phones is 1.6 Watts of radiofrequency energy per kilogram, using a measure called Specific Absorption Rate (SAR). The Environmental Working Group, which tracks SAR data for more than 1,300 cell phone and smartphone models, notes that several factors besides your handset affect your actual level of exposure. Look up your phone's SAR; or see a full chart of phones." And relax — have a coffee. -
Brain Cancer Worries? Look Up Your Phone's SAR
CWmike writes "With recent news of a possible link between cell phone radiation and risk of brain cancer, you may have a new-found interest in knowing how much radiation your mobile handset is giving off — or, more importantly, how much your body might be absorbing. The FCC's legal limit for mobile phones is 1.6 Watts of radiofrequency energy per kilogram, using a measure called Specific Absorption Rate (SAR). The Environmental Working Group, which tracks SAR data for more than 1,300 cell phone and smartphone models, notes that several factors besides your handset affect your actual level of exposure. Look up your phone's SAR; or see a full chart of phones." And relax — have a coffee. -
Tornado Risk Seen For Social Security Data Center
1sockchuck writes "Despite the recent outbreak of powerful tornadoes, the Social Security Administration has decided to engineer its new data center to withstand winds of just 90 miles per hour. Data center experts say mission-critical facilities should be built to withstand winds of 120 to 180 miles per hour to protect against tornado and hurricane risks. It's the latest in a series of challenges for the $800 million project, which will replace a creaky 30-year old facility." -
The Future of OpenOffice.org
snydeq writes "Oracle's decision to spin OpenOffice.org into an Apache incubation podling raises several questions regarding the future of the code, not the least of which is how it will co-exist with LibreOffice. Also of note are the business implications of Oracle's decision, which some see opening up commercial opportunities for OpenOffice.org support, as well as a likely push from Google and IBM to woo current OpenOffice.org customers to Google Docs and Lotus Symphony." -
The Future of OpenOffice.org
snydeq writes "Oracle's decision to spin OpenOffice.org into an Apache incubation podling raises several questions regarding the future of the code, not the least of which is how it will co-exist with LibreOffice. Also of note are the business implications of Oracle's decision, which some see opening up commercial opportunities for OpenOffice.org support, as well as a likely push from Google and IBM to woo current OpenOffice.org customers to Google Docs and Lotus Symphony." -
China Calls US Culprit In Global 'Internet War'
On Wednesday we discussed news of Google's accusation that sources originating in China were interfering with Gmail using malware and phishing techniques, targeting Chinese political activists, US government officials, military personnel, and others. In response to the accusations, a Chinese official denied government involvement in the attacks, while the US government indicated they would investigate the matter. The attacks were more sophisticated than a typical phishing attempt, they involved Yahoo and Hotmail as well, and they have likely been going on for months. Now, according to a CBS report, "The Chinese military accused the US on Friday of launching a global 'Internet war' to bring down Arab and other governments, redirecting the spotlight away from allegations of major online attacks on Western targets originating in China." -
EFF Publishes Study On Browser Fingerprinting
Rubinstien writes "The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to 'device fingerprinting' via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we've discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far." -
Judge Finds Cisco, US Authorities Deceived Canadian Courts
djmurdoch writes "The Vancouver Sun reports that 'The giant computer company Cisco and US prosecutors deceived Canadian authorities and courts in a massive abuse of process to have a former executive thrown in jail, says a B.C. Supreme Court judge.' Peter Adelkeye was arrested last year as he was testifying in a special hearing in Vancouver. It turns out he was there because US authorities would not grant him permission to enter the US to testify in a civil case between him and Cisco. The Canadian judge said that almost nothing in the US Attorney's letter was true, and has overturned his extradition order. Slashdot discussed this case in April." -
Linux Video Tutorials From 1995
An anonymous reader writes "Given that this year marks the 20th Anniversary of the Linux kernel, it is hardly surprising that anyone digging into their media collection might pull out something interesting, such as video tutorials on how to install early version of now popular distributions, like Slackware or Red Hat" -
Book Review -- JavaScript: the Definitive Guide, 6th Edition
Michael J. Ross writes "Released during the early days of the Web, in 1995, JavaScript has come a long way: Initially a client-side scripting language typically (mis)used for decorative effects, it is now an essential part of countless major websites. Its increasing capabilities and popularity are due to several factors, including the development of libraries that resolve earlier stumbling blocks that held the language back (such as inconsistencies among the implementations in different vendors' browsers). JavaScript: The Definitive Guide, authored by David Flanagan, was first published just one year later, in 1996, with several significant updates made since then." Read below for the rest of Michael's review JavaScript: The Definitive Guide, 6th Edition author David Flanagan pages 1100 pages publisher O'Reilly Media rating 9/10 reviewer Michael J. Ross ISBN 978-0596805524 summary The most comprehensive treatment of JavaScript yet published. The book is now in its sixth edition, under the ISBN 978-0596805524, and was published on 10 May 2011 by O'Reilly Media (who kindly provided me with a review copy). At 1100 pages, it certainly feels heavier than its advertised 2.6 pounds — but that may only be a side effect of the thought of wading through over a thousand pages of technical explanations and example code. Yet one could argue that the size is justified, considering the amount of information the book conveys, and its obvious aim to be a comprehensive treatment of the language. The material is organized into four parts, including 22 chapters. On the publisher's Web page, visitors will find a brief description, the complete table of contents, a few consumer reviews, reported errata (seven as of this writing, and none confirmed), the example code used in the book, some free content (the first chapter), and links to purchase the print and e-book versions.
The book commences with a multipart introduction, which begins with the sentence "JavaScript is the programming language of the Web." Even though that statement is not true — since there are many other Web programming languages — it does hint at the importance of the language in the mind of the author, and his willingness to put so much effort into creating such a detailed monograph. The introduction is also the first point in the book where one sees the clear demarcation made by the author between core JavaScript (i.e., the language definition, regardless of its runtime environment) and client-side JavaScript (i.e., usage of the language within Web browsers, including the use of libraries). Both areas are covered in great detail in the first two parts of the book, in quasi-tutorial format, while the last two parts cover the same areas, but in a purely reference format.
Specifically, the first part of the book, "Core JavaScript," offers almost a dozen chapters that explicate the basics of the language: its lexical structure; types, values, and variables; expressions and operators; statements; objects; arrays; functions; classes and modules; regular expressions; JavaScript subsets and extensions; and server-side JavaScript. At almost 300 pages, this part alone could form its own volume. The manner in which the author dives into the technical details, and the amount of example code, immediately make it evident that the book is intended for readers who have experience programming, although not necessarily in JavaScript. In fact, some readers — especially newbie programmers — may become frustrated with those places in the narrative where the explanation is not entirely clear. For instance, on page 7, the "points array from above" refers not to any code on that page, but instead refers to an array defined two pages earlier. Fortunately, such stumbling blocks are infrequent. For experienced JavaScript programmers, these chapters could provide a comprehensive review. For readers new to JavaScript, the material may seem overly dry, but the illustrative code should be quite helpful.
The ten chapters that compose the second part of the book, "Client-Side JavaScript," show how to work with the language within a Web browser. This includes learning how to embed JavaScript code in HTML files; differences among browsers and the versions thereof; the security of JavaScript code; the Window object; how to access and manage the elements within the Document Object Model (DOM); scripting CSS styles; events, and methods of handling them; scripting HTTP, and its use in Ajax (reflected in this edition's subtitle, "Activate Your Web Pages"); the jQuery library; techniques for storing data on the user's computer; how to use JavaScript to dynamically create and manipulate graphics, audio, and video content, as well as charts and drawings; and, lastly, the use of several HTML5 APIs. Speaking of that last topic, probably the most significant changes in this edition, versus the previous one, is the coverage of ECMAScript 5, as well as the new objects and methods introduced with HTML5. Naturally, some of these enhancements do not work in any version of Internet Explorer but the most recent, so the author discusses workarounds, if available.
As noted earlier, the third and fourth parts of the book constitute the purely reference material, with the first part focusing on core JavaScript, and the latter on the client-side aspects of the language. Every chapter is organized into a series of entries, each devoted to a particular class or object, ordered alphabetically. For each entry, the reader is given a brief synopsis, description, and in some cases example code and references to other entries. Each class entry also includes information on its properties and methods, where applicable. Each single method entry includes information on its arguments and any return value. The book concludes with what is arguably the longest and possibly most valuable index I have ever seen in a computer book.
There are only a few immediately-evident weaknesses of this book: Firstly, there are some phrases that may be clear to the author, but likely will prove baffling to the typical reader — e.g., "nonlinear cross-reference problem" (page 8) and "the jQuery gives a synopsis of each method" (page 523). Secondly, some of the example HTML code could have been written better, such as the use of an HTML table for defining the layout of a simple form, with labels and fields (page 13). Finally, despite the claims of the marketing copy that this title is suitable as both "an example-driven programmer's guide or a complete desk reference," it would serve better as the latter, and not as a tutorial for learning the language. Clearly, the more comfortable one feels with computer programming — especially JavaScript itself — the more that one could get out of this book.
On the other hand, there are far more pluses than minuses. One of the real strengths of the book is how the author does not hesitate to use (sometimes lengthy) blocks of code, with explanatory comments for almost every line, to clarify the language — as opposed to paragraphs of text, which could have easily doubled the length of the first two parts (which comprise roughly the first two thirds of the book). Also, in conjunction with the narrative and code fragments, the author makes effective use of figures whenever needed — particularly in Chapter 21, in demonstrating how to work with graphics and multimedia content.
Evolving with the language itself, and again brought up to date, JavaScript: The Definitive Guide still retains its crown as the ultimate reference resource for JavaScript programmers.
Michael J. Ross is a freelance website developer and writer.
You can purchase JavaScript: The Definitive Guide, 6th Edition from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review -- JavaScript: the Definitive Guide, 6th Edition
Michael J. Ross writes "Released during the early days of the Web, in 1995, JavaScript has come a long way: Initially a client-side scripting language typically (mis)used for decorative effects, it is now an essential part of countless major websites. Its increasing capabilities and popularity are due to several factors, including the development of libraries that resolve earlier stumbling blocks that held the language back (such as inconsistencies among the implementations in different vendors' browsers). JavaScript: The Definitive Guide, authored by David Flanagan, was first published just one year later, in 1996, with several significant updates made since then." Read below for the rest of Michael's review JavaScript: The Definitive Guide, 6th Edition author David Flanagan pages 1100 pages publisher O'Reilly Media rating 9/10 reviewer Michael J. Ross ISBN 978-0596805524 summary The most comprehensive treatment of JavaScript yet published. The book is now in its sixth edition, under the ISBN 978-0596805524, and was published on 10 May 2011 by O'Reilly Media (who kindly provided me with a review copy). At 1100 pages, it certainly feels heavier than its advertised 2.6 pounds — but that may only be a side effect of the thought of wading through over a thousand pages of technical explanations and example code. Yet one could argue that the size is justified, considering the amount of information the book conveys, and its obvious aim to be a comprehensive treatment of the language. The material is organized into four parts, including 22 chapters. On the publisher's Web page, visitors will find a brief description, the complete table of contents, a few consumer reviews, reported errata (seven as of this writing, and none confirmed), the example code used in the book, some free content (the first chapter), and links to purchase the print and e-book versions.
The book commences with a multipart introduction, which begins with the sentence "JavaScript is the programming language of the Web." Even though that statement is not true — since there are many other Web programming languages — it does hint at the importance of the language in the mind of the author, and his willingness to put so much effort into creating such a detailed monograph. The introduction is also the first point in the book where one sees the clear demarcation made by the author between core JavaScript (i.e., the language definition, regardless of its runtime environment) and client-side JavaScript (i.e., usage of the language within Web browsers, including the use of libraries). Both areas are covered in great detail in the first two parts of the book, in quasi-tutorial format, while the last two parts cover the same areas, but in a purely reference format.
Specifically, the first part of the book, "Core JavaScript," offers almost a dozen chapters that explicate the basics of the language: its lexical structure; types, values, and variables; expressions and operators; statements; objects; arrays; functions; classes and modules; regular expressions; JavaScript subsets and extensions; and server-side JavaScript. At almost 300 pages, this part alone could form its own volume. The manner in which the author dives into the technical details, and the amount of example code, immediately make it evident that the book is intended for readers who have experience programming, although not necessarily in JavaScript. In fact, some readers — especially newbie programmers — may become frustrated with those places in the narrative where the explanation is not entirely clear. For instance, on page 7, the "points array from above" refers not to any code on that page, but instead refers to an array defined two pages earlier. Fortunately, such stumbling blocks are infrequent. For experienced JavaScript programmers, these chapters could provide a comprehensive review. For readers new to JavaScript, the material may seem overly dry, but the illustrative code should be quite helpful.
The ten chapters that compose the second part of the book, "Client-Side JavaScript," show how to work with the language within a Web browser. This includes learning how to embed JavaScript code in HTML files; differences among browsers and the versions thereof; the security of JavaScript code; the Window object; how to access and manage the elements within the Document Object Model (DOM); scripting CSS styles; events, and methods of handling them; scripting HTTP, and its use in Ajax (reflected in this edition's subtitle, "Activate Your Web Pages"); the jQuery library; techniques for storing data on the user's computer; how to use JavaScript to dynamically create and manipulate graphics, audio, and video content, as well as charts and drawings; and, lastly, the use of several HTML5 APIs. Speaking of that last topic, probably the most significant changes in this edition, versus the previous one, is the coverage of ECMAScript 5, as well as the new objects and methods introduced with HTML5. Naturally, some of these enhancements do not work in any version of Internet Explorer but the most recent, so the author discusses workarounds, if available.
As noted earlier, the third and fourth parts of the book constitute the purely reference material, with the first part focusing on core JavaScript, and the latter on the client-side aspects of the language. Every chapter is organized into a series of entries, each devoted to a particular class or object, ordered alphabetically. For each entry, the reader is given a brief synopsis, description, and in some cases example code and references to other entries. Each class entry also includes information on its properties and methods, where applicable. Each single method entry includes information on its arguments and any return value. The book concludes with what is arguably the longest and possibly most valuable index I have ever seen in a computer book.
There are only a few immediately-evident weaknesses of this book: Firstly, there are some phrases that may be clear to the author, but likely will prove baffling to the typical reader — e.g., "nonlinear cross-reference problem" (page 8) and "the jQuery gives a synopsis of each method" (page 523). Secondly, some of the example HTML code could have been written better, such as the use of an HTML table for defining the layout of a simple form, with labels and fields (page 13). Finally, despite the claims of the marketing copy that this title is suitable as both "an example-driven programmer's guide or a complete desk reference," it would serve better as the latter, and not as a tutorial for learning the language. Clearly, the more comfortable one feels with computer programming — especially JavaScript itself — the more that one could get out of this book.
On the other hand, there are far more pluses than minuses. One of the real strengths of the book is how the author does not hesitate to use (sometimes lengthy) blocks of code, with explanatory comments for almost every line, to clarify the language — as opposed to paragraphs of text, which could have easily doubled the length of the first two parts (which comprise roughly the first two thirds of the book). Also, in conjunction with the narrative and code fragments, the author makes effective use of figures whenever needed — particularly in Chapter 21, in demonstrating how to work with graphics and multimedia content.
Evolving with the language itself, and again brought up to date, JavaScript: The Definitive Guide still retains its crown as the ultimate reference resource for JavaScript programmers.
Michael J. Ross is a freelance website developer and writer.
You can purchase JavaScript: The Definitive Guide, 6th Edition from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Embed a Video, Go To Jail?
An anonymous reader writes "A few weeks ago, Slashdot had a post about the new bill in Congress to make streaming infringing videos a felony, punishable by up to 5 years in jail if just 10 people watch the video. As more details come out, the bill keeps looking worse and worse, as it appears that the definitions used in the bill would mean that merely embedding or linking to an infringing YouTube video could put you on the hook for jail time. Obviously, supporters of the bill insist that's not who will be targeted with this bill, but just the fact that they could be should be worrisome enough. We've seen other laws 'misused' in the past." -
North Korea Training "Cyberwarriors" Abroad
jfruhlinger writes "A North Korean defector claims that the secretive totalitarian state is nurturing a team of "cyberwarriors," identifying young people with computer skills and sending them abroad to learn the latest hacking techniques, while lavishing privileges on their families at home to keep them loyal. This could lead to an escalation in tensions, especially given that the US military believes that cyberattacks from foreign countries constitute acts of war." -
New MacDefender Defeats Apple Security Update
XxtraLarGe writes "Apple released a security update yesterday designed to rid Macs of the menacing MacDefender malware that has plagued users for nearly a month. But mere hours after the update, cyber-criminals released a new variant of the malware that easily defeated Apple's belated security efforts. That didn't take long." -
Book Review: CERT Resilience Management Model (RMM)
brothke writes "If Gartner were to have created the CERT-RMM framework like what is detailed in the book CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience; it likely would be offered to their clients for at least $15,000. With a list price of $79.99, the book is clearly a bargain. Besides being inexpensive, it details an invaluable model that should be seriously considered by nearly every organization." Keep reading for the rest of Ben's review. CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience author Richard Caralli, Julia Allen, David White pages 1056 publisher Addison-Wesley Professional rating 10/10 reviewer Ben Rothke ISBN 0321712439 summary Book details a superb method to tame the out of control world of IT operations The CERT-RMM is a capability model for operational resilience management. Put more simply; it is a method to tame the out of control world of IT operations.
CERT notes that the model has two primary objectives: to establish the convergence of operational risk and resilience management activities such as security, business continuity, and aspects of IT operations management into a single model. And to apply a process improvement approach to operational resilience management through the definition and application of a capability level scale that expresses increasing levels of process improvement.
In plain English, the model creates a formal method in which to execute IT tasks. Given the reality that most IT tasks are executed in an ad-hoc manner, the CERT-RMM should be a welcome relief to most organizations.
The CERT-RMM is a relatively new framework, with version 1.0 being issued in May 2010. Version 1.1 was made available via this book in December 2010. CERT also has a really good CERT-RMM Overview presentation available.
CERT-RMM v1.1 comprises 26 process areas that cover four areas of operations resilience management: enterprise management, engineering, operations and process management.
In chapter 1, the authors astutely note that technology can be very effective in managing risk, but technology cannot always substitute for skilled peoples and resources, procedures and methods that define and connect tasks and activities, and processes to provide structure and stability towards the achievement of common objectives and goals.
The problem is that most companies will spend huge amounts of money on these myriad technologies and seemingly expect the install routine to magically integrate the numerous processes. CERT-RMM is a comprehensive solution to a broad set of problems.
But for those that are looking to CERT-RMM for a quick fix to a decades old problem, the authors also note in chapter 1 that CERT-RMM must be embedded within the culture and practices of an organization. The CERT-RMM practices will only make an organization more resilient to the degree to which they have been institutionalized via its processes.
At just over 1,000 pages, the book is a treasure-trove of invaluable information. While the amount of information may be overwhelming, it is manageable if used in a serious fashion. But just to reiterate, CERT-RMM should not be seen as a quick-fix solution.
The main textual part of the book covers 2 parts and 7 chapters which make up the first 120 pages. These 2 parts provide a comprehensive overview of the CERT-RMM and provides an overview of the various concepts used within the model. The authors do a superb job of showing how structure and processes need to be an integral part of enterprise operations, and note the challenges of not having such an approach.
Focusing on information security, the authors intelligently observe in chapter 2 that historically information was viewed as a technology problem and relegated to the IT department. The problem though with such an approach is that when an incident or disruption occurs, the response is generally localized and discrete; not orchestrated across all affected lines of business and organizational units. That problem is precisely what CERT-RMM comes to fix. If implemented effectively, the processes enable organizations to respond in a more formal manner, with integrated processes; resulting in operations that are quicker, cheaper, and ultimately, more resilient.
In chapter 4, the authors tell you what seems to be obvious: that the CERT-RMM in its entirety looks ominous. They note the reason is that operational resilience management encompasses many disciplines and practices. The challenge though is for the organization to be able to understand the relationships in the CERT-RMM model and connect them to their own organization. CERT-RMM is certainly not for the fainthearted. But for those that are serious about operational efficiency and resilience, CERT-RMM is certainly a godsend.
The reality is that not only does the CERT-RMM look ominous, it is. The reason is that CERT-RMM will most likely be used to retrofit an organization that has used decades of ad-hoc approaches to its IT processes. Trying to fix so much is indeed ominous. But even with that ominous cloud, it is something that must be done.
In chapter 5, the authors make an important point in that CERT-RMM is not a prescriptive model. This means that there is no guidance provided to adopt the model in any specific sequence or prescriptive path. Rather, process improvements are unique to each organization, to which the CERT-RMM provides the basic structure to enable enterprises to chart their own specific improvements paths uses the model as a guide.
Chapter 6 on Using CERT-RMM notes that the model has a strong enterprise undercurrent, due to the fact that effective operational resilience management requires capabilities that often have enterprise-wide significant. But the enterprise–wide nature of the model does not mean that it can't be adopted at more discrete levels.
Part 3 of the book is a complete listing of the 26 CERT-RMM process areas. Part 3 is where the heart of the CERT-RMM is. Each of the 26 sections has a complete set of descriptions of goals and practices and real-world examples.
Think of part 3 as The Checklist Manifesto: How to Get Things Right, but on steroids. In that book, author Atul Gawande uses the notion of a checklist as a quality-control device. He noticed that the high-pressure complexities in place today can overwhelm even the best-trained professional and that only a disciplined adherence to essential procedures can fix things. Gawande would likely be enamored by the CERT-RMM.
When the reader goes through the over 800 pages of part 3, they will see them as a set of standard operating procedures (SOP). Industries such as aviation, manufacturing and pharmaceuticals have SOP deeply embedded in their processes. The SOP in part 3 are far from rocket science. They are simply a comprehensive approach and attention to detail. Given that resilience is all about the details, part 3 can be used to take an organization to a mature state of resilience.
If nothing else, part 3 should give the reader an appreciation for the need for effective process around IT initiatives. The exacting level of detail described in part 3 displays a rigorous set of processes that if deployed, can ensure an all-embracing approach to systems management and control.
Often books with numerous authors lack a sense of style and symmetry. With 3 authors, the book suffers none of that and is completely integrated into a single unit with no disconnects. Each of the authors are CERT veterans that bring considerable experience which is pervasive throughout the book.
But as good as the CERT-RMM, we all know that it is likely to have minimal adoption. Most organizations are far too short-sighted to use a model that requires such discipline and long-term approach asCERT-RMM.
But for those organizations that are truly serious about resiliency, serious about security, serious about saving money and being more efficient, this book and the CERT-RMM is a model they will embrace warmly. This book is an important first step that can be the gateway to resiliency.
For all the others, they should at least use the CERT-RMM incident management and controlprocess area to deal with the many security incidents and breaches they will inevitably have to contend with.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: CERT Resilience Management Model (RMM)
brothke writes "If Gartner were to have created the CERT-RMM framework like what is detailed in the book CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience; it likely would be offered to their clients for at least $15,000. With a list price of $79.99, the book is clearly a bargain. Besides being inexpensive, it details an invaluable model that should be seriously considered by nearly every organization." Keep reading for the rest of Ben's review. CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience author Richard Caralli, Julia Allen, David White pages 1056 publisher Addison-Wesley Professional rating 10/10 reviewer Ben Rothke ISBN 0321712439 summary Book details a superb method to tame the out of control world of IT operations The CERT-RMM is a capability model for operational resilience management. Put more simply; it is a method to tame the out of control world of IT operations.
CERT notes that the model has two primary objectives: to establish the convergence of operational risk and resilience management activities such as security, business continuity, and aspects of IT operations management into a single model. And to apply a process improvement approach to operational resilience management through the definition and application of a capability level scale that expresses increasing levels of process improvement.
In plain English, the model creates a formal method in which to execute IT tasks. Given the reality that most IT tasks are executed in an ad-hoc manner, the CERT-RMM should be a welcome relief to most organizations.
The CERT-RMM is a relatively new framework, with version 1.0 being issued in May 2010. Version 1.1 was made available via this book in December 2010. CERT also has a really good CERT-RMM Overview presentation available.
CERT-RMM v1.1 comprises 26 process areas that cover four areas of operations resilience management: enterprise management, engineering, operations and process management.
In chapter 1, the authors astutely note that technology can be very effective in managing risk, but technology cannot always substitute for skilled peoples and resources, procedures and methods that define and connect tasks and activities, and processes to provide structure and stability towards the achievement of common objectives and goals.
The problem is that most companies will spend huge amounts of money on these myriad technologies and seemingly expect the install routine to magically integrate the numerous processes. CERT-RMM is a comprehensive solution to a broad set of problems.
But for those that are looking to CERT-RMM for a quick fix to a decades old problem, the authors also note in chapter 1 that CERT-RMM must be embedded within the culture and practices of an organization. The CERT-RMM practices will only make an organization more resilient to the degree to which they have been institutionalized via its processes.
At just over 1,000 pages, the book is a treasure-trove of invaluable information. While the amount of information may be overwhelming, it is manageable if used in a serious fashion. But just to reiterate, CERT-RMM should not be seen as a quick-fix solution.
The main textual part of the book covers 2 parts and 7 chapters which make up the first 120 pages. These 2 parts provide a comprehensive overview of the CERT-RMM and provides an overview of the various concepts used within the model. The authors do a superb job of showing how structure and processes need to be an integral part of enterprise operations, and note the challenges of not having such an approach.
Focusing on information security, the authors intelligently observe in chapter 2 that historically information was viewed as a technology problem and relegated to the IT department. The problem though with such an approach is that when an incident or disruption occurs, the response is generally localized and discrete; not orchestrated across all affected lines of business and organizational units. That problem is precisely what CERT-RMM comes to fix. If implemented effectively, the processes enable organizations to respond in a more formal manner, with integrated processes; resulting in operations that are quicker, cheaper, and ultimately, more resilient.
In chapter 4, the authors tell you what seems to be obvious: that the CERT-RMM in its entirety looks ominous. They note the reason is that operational resilience management encompasses many disciplines and practices. The challenge though is for the organization to be able to understand the relationships in the CERT-RMM model and connect them to their own organization. CERT-RMM is certainly not for the fainthearted. But for those that are serious about operational efficiency and resilience, CERT-RMM is certainly a godsend.
The reality is that not only does the CERT-RMM look ominous, it is. The reason is that CERT-RMM will most likely be used to retrofit an organization that has used decades of ad-hoc approaches to its IT processes. Trying to fix so much is indeed ominous. But even with that ominous cloud, it is something that must be done.
In chapter 5, the authors make an important point in that CERT-RMM is not a prescriptive model. This means that there is no guidance provided to adopt the model in any specific sequence or prescriptive path. Rather, process improvements are unique to each organization, to which the CERT-RMM provides the basic structure to enable enterprises to chart their own specific improvements paths uses the model as a guide.
Chapter 6 on Using CERT-RMM notes that the model has a strong enterprise undercurrent, due to the fact that effective operational resilience management requires capabilities that often have enterprise-wide significant. But the enterprise–wide nature of the model does not mean that it can't be adopted at more discrete levels.
Part 3 of the book is a complete listing of the 26 CERT-RMM process areas. Part 3 is where the heart of the CERT-RMM is. Each of the 26 sections has a complete set of descriptions of goals and practices and real-world examples.
Think of part 3 as The Checklist Manifesto: How to Get Things Right, but on steroids. In that book, author Atul Gawande uses the notion of a checklist as a quality-control device. He noticed that the high-pressure complexities in place today can overwhelm even the best-trained professional and that only a disciplined adherence to essential procedures can fix things. Gawande would likely be enamored by the CERT-RMM.
When the reader goes through the over 800 pages of part 3, they will see them as a set of standard operating procedures (SOP). Industries such as aviation, manufacturing and pharmaceuticals have SOP deeply embedded in their processes. The SOP in part 3 are far from rocket science. They are simply a comprehensive approach and attention to detail. Given that resilience is all about the details, part 3 can be used to take an organization to a mature state of resilience.
If nothing else, part 3 should give the reader an appreciation for the need for effective process around IT initiatives. The exacting level of detail described in part 3 displays a rigorous set of processes that if deployed, can ensure an all-embracing approach to systems management and control.
Often books with numerous authors lack a sense of style and symmetry. With 3 authors, the book suffers none of that and is completely integrated into a single unit with no disconnects. Each of the authors are CERT veterans that bring considerable experience which is pervasive throughout the book.
But as good as the CERT-RMM, we all know that it is likely to have minimal adoption. Most organizations are far too short-sighted to use a model that requires such discipline and long-term approach asCERT-RMM.
But for those organizations that are truly serious about resiliency, serious about security, serious about saving money and being more efficient, this book and the CERT-RMM is a model they will embrace warmly. This book is an important first step that can be the gateway to resiliency.
For all the others, they should at least use the CERT-RMM incident management and controlprocess area to deal with the many security incidents and breaches they will inevitably have to contend with.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Using Flywheels to Meet Peak Power Grid Demands
hackertourist writes "A novel type of electricity storage was recently added to the New York power grid. The unit, supplied by Beacon Power, uses flywheels to store energy. This system is intended to replace gas turbines in supplying short-term peaks in power demand (also known as frequency regulation). It can supply up to 20 MW, using 200 flywheels." If you can't afford a 200-flywheel system, you can always get a racetrack-ready Porsche 911 GT3 R Hybrid, which has a single energy-storage flywheel that can give you a 160 HP burst of power when you need a little extra oomph. -
Kororaa 14 Released; Think of it as Linux Mint for Fedora
An anonymous reader writes "Kororaa is based on Fedora 14. Users have a choice between a KDE 4.6.3 or GNOME 2.32 Live DVD in 32-bit and 64-bit versions." The original Kororaa, back in 2006 and earlier, was based on Gentoo. Development stopped for several years, but has resumed -- but with Fedora, not Gentoo, as the base distribution. -
World Health Organization Says Mobile Phones May Cause Cancer
Schiphol writes "A new study by the World Health Organization (WHO) concludes that mobile phone radiation presents a carcinogenic hazard. Are cell phones going to be the new tobacco, then?" This seems to be a new interpretation of a long-tern WHO study of possible cellphone health risks that had "inconclusive results" last May.