Slashdot Mirror


User: Srin+Tuar

Srin+Tuar's activity in the archive.

Stories: 0
Comments: 657

Comments · 657

  1. Yea, that'll really help on Enhanced Carnivore To Crack Encryption Via Virus · · Score: 2

    You are a trusting person.

    How do you know that Windows isn't simply notifying the trojan anytime ANY password Edit-box (where your keystrokes turn to *'s) gets keyevents?

    It wouldn't be hard for the GOVERNMENT to get the specs they need to set up a WINDOWS HOOK in software. They may not even care if they have to sift through some of your other passwords besides just the PGP one.

    Don't underestimate the gov't's ability to get one week's worth of sloppy programming done.

    And who the hell said you'd need to change encryption schemes? If that were the case why would they *bother* with keyloggers?

  2. Short Answer: Yes on Enhanced Carnivore To Crack Encryption Via Virus · · Score: 2


    Running a client OS is no defense, especially not MacOS- you're going to download your email with some closed-source app, and that's when you get trojanned.

    On the other hand it's possible to build a stripped down linux box running only a command line program like xmail- which you built yourself from source (add openssh and gpg). Plus you'd want a stripped down kernel with only the simplest possible feature set that runs on your hardware.

    You could even wrap the box, monitor, peripherals and cables in aluminum foil, if you're super-paranoid :)

    Can't do that with windows/macos or any large graphical modern proprietary os, period, because you can't trust the os, and you can't trust PGP commercial version.

  3. Funny you say that on Microsoft Would Settle For The Children · · Score: 2

    they need to know how to juggle more than one PC (running Linux with DVORAK keyboards)

    It's strange to read that with such a biting sarcastic tone because I'm running Linux with a DVORAK keyboard right now, both at home and at work...

    (I popped the keys out and rearranged them about 6 months ago, for fun)

    (Work == stack programmer for a satellite isp)

  4. I can speak only from experience on Slashback: Crusher, Satellites, Silence · · Score: 4, Insightful

    So when I say I don't believe that, I am being honest. All the following rant is based upon what I have experienced "in the trenches", so to speak. Mayhaps there is a more idealized place in the world where I am wrong (but I doubt it).

    I've never met a "Software Engineer" who was an "Integrator" who did anything useful without writing code. Those ones who did not know how to were absolutely useless. Those that did know how but did not implement were continuously running into the impermeable wall of "Reality Check" when they had to be informed that their snooty design couldn't work.

    Any decent implementor on the other hand, had to be a designer/integrator almost by definition, because there were never any rigorous enough requirements to be a tunnel visioned "implementor". Getting requirements that fine grained is apparently equivalent to writing the code.

    If you are a high-level code "Architect" who thinks that implementing involves solving the same old simple subproblems, then you haven't been reusing code very well. Check your abstraction level and start over.


    You will find the truth: Software design *is* software implementation. There are no "Software Engineers", there are only Programmers.

  5. Why the Construction Analogy sucks: on Slashback: Crusher, Satellites, Silence · · Score: 5, Insightful

    Because "software engineering" (I hate that name, it's programming gadammit) is not primarily implementation. Building a bridge requires very little groundbreaking design: you typically take a known bridge concept, and specialize it for the terrain. The tough part is getting it implemented on time and in budget, with tons of logistic hurdles, and avoiding material disaster.

    Programming on the other hand is a continuous design process. Implementation is a non-problem, it's an ongoing architecture process. (Imagine trying to design a 20 mile long building with 7-10 architects, each with their own unique style)
    On top of that, it's all non-visual. An architect can look at rendered pictures of what he is designing to get an intuitive feel for its correctness, whereas a programmer must form his image without the benefit of evolved human spatial perception.

    Requirements analysis for a bridge is so simple a child can grok it: "something I can walk over the river on". For your typical programming job requirements are much more nebulous: the customer doesn't really know what they want half the time (but they'll know it when they see it).

    The whole analogy between Construction Engineering and The Art of Programming is flawed, otherwise a completed construction project would be a 40 foot high stack of blueprints that are supposed to solve a problem that nobody fully understands.

  6. Total miss of point on Microsoft Microsoft Microsoft · · Score: 2

    Sure, let's enable scripting "just this once", because Microsoft servers have never been infested by worms or trojans right, so we can trust them.

    Besides, it's much easier to leave the nice dynamic content scripts all over the site than to just provide a basic HTML with the exploit warning and patch link.

    They might as well make the whole security notification system an ActiveX control- because those have such good security, much better than a simple text file.

    Sarcasm off, one would think that security advisories could avoid using the tools that generate the majority of the security advisories.

  7. It's simple on Napster Alternatives Coming Strong · · Score: 2
    If sharing (trading music via Napster-like things) is good

    Then obviously not sharing (violating the GPL) is bad.

    Seems so simple to me...

  8. Talk about Viral on The Return of Eric Weisstein's World Of Mathematics · · Score: 2


    The contract Eric signed with CRC Press gives them an ongoing print copyright to the current and all future versions of MathWorld. Plus he has to pay the company for books that they *don't sell*. All this from a boilerplate publishing contract?

    If you thought the GPL was viral, you obviously never tried to publish a book. It looks like MathWorld can no longer be built upon without paying cash and giving privileges to some arbitrary company. It's a sad ending for someone whose goal was to provide unhindered math info to as many people as possible.

  9. The GPL is not the issue on Behind the Scenes · · Score: 3, Insightful


    Despite its being mentioned prominently, the GPL has little to do with it.

    The issue that article is getting at is the fickle "Goodwill" of the Free community. If one partakes of the pool of Free stuff but gives nothing back, then the community tends to shun you.

    As powerless as we sometimes feel in politics and business, the shun of the majority of Free software aficionados (even those undesirables such as the warez crowd and the black hat kiddies who tend to sympathize with the cause) is not something to be underestimated.

    (A DeCss like research effort into undermining your fragile restriction scheme, combined with a kiddie's DOS attack on your webserver all the while RMS is giving a speech about why you are "evil", can really make a bad day for anyone.)

    Someone who makes an investment in a new direction will typically want to receive approval and congratulation for it. The goodwill of the community is desirable. So to gain it, they start down the path of sharing. But it's a slippery slope, and a GPL violation can land you with some bad press.

    Simply going all out open, the studios think they may lose their edge over the competition. By staying as closed as possible, they risk ostracization from the community, and a separation from the process that brought them the foundation that they are building on in the first place.

    The real technology coming from Linux and friends is a sociological one, not a computing one. It's a new way, and it has ramifications that extend far beyond computer science.

  10. Re:His favorite? on Debate on Linux Virtual Memory Handling · · Score: 1
    Har-

    For a quicksort of large objects I use an insertion sort for the compares, and a form of selection to do the moving of the large objects. (best advantages of both)

    Even an optimized bubblesort (the combsort) is useless compared to a proper template quicksort.

  11. Nah on NASA's Mars Odyssey Enters Orbit · · Score: 1

    But would you trade 1 gravity well for 2?

  12. Massive security hole buddy on DirectFB: A New Linux Graphics Standard? · · Score: 4, Informative


    however being able to ssh into any box and typing export DISPLAY=my_local_box:0.0 and then being able to run all the remote Xapps on my box is one of the greatest features on the planet.

    Ouch- although your command to start the X proggie will be secure, the windowed program itself will be going over an unsecure channel if you use that method. (all your click are belong to them)


    You should really look into X-forwarding (read man ssh).


    Regardless- I too like the network transparency that is offered from X. If the damn X protocol would support SSL or something like it natively, then it would seriously speed up secure remote graphical logins. (search google for tcp over tcp to see why)

  13. You want to save money, fix your database on Slashdot Updates · · Score: 1
    Upgrade from mysql to postgres. (be sure to get a recent version- the older ones were not so good.)

    A site of this size would be able to run its dynamic content without as much cpu power (or be able to scale larger)

    Of course I'm not counting development costs- time and trouble mostly...

  14. or more like on Microsoft: The Gatekeeper of the Internet · · Score: 1

    a partial lobotomy to remove your ability to perceive non-rosy colors.

  15. funny but inaccurate on Gonzo Marketing: Winning Through Worst Practices · · Score: 2

    You forget that Raymond was/is both a programmer and a project maintainer. When you read his technical opinions you can tell whether or not he is clueful.

    And none of us needs him to tell us who's clueless, it's fairly obvious. Perhaps the people being so labeled may regard such a statement as a flame, where others look upon it as merely accurate.

    The reason anybody listens to him is because he's good at explaining what a lot of us already know- especially to people who don't.

  16. You stingy leech :) on What's The Future of DRM? · · Score: 2
    The big filesharing networks proved that generosity and the 7 degrees of separation rule are enough to really shave the margin on what you're talking about.

    The big audio conglomerates would want to charge huge per song fees like $12 per file, or some obnoxiously high rate such as $250+/month for a limited number of downloads.

    In reality though- with functioning peer sharing networks as an alternative, no one would subscribe to such a system unless it were really cheap, such as $5/month for unlimited downloads with high quality files, fast transfers, and a comprehensive selection.

    Do you see why they haven't gone that route? You cannot be a useless fat layer if no one will feed you.

  17. Maybe you got that backwards on The Twenty Most Critical Internet Security Holes · · Score: 1
    I see no evidence for that- and much evidence to the contrary.


    Fundamental architectural things like user accounts that cannot trash the system, files don't become executable solely based upon their names, and unix documents typically don't carry virii.


    Would we have even heard of email virii if a unixlike system was the world's desktop- I doubt it.

  18. no no zmodem on RIAA Looks To Stop KaZaA, Morpheus & Grokster · · Score: 1
    ssh typically ships with something called scp.


    there is no need for zmodem over ip. heavily redundant, with lots of unneeded features.


    ftp, sftp, scp, http(s) etc are more suited.

  19. You're not counting subscription fees on New DVD Recorder With 52 hours Of HDD Recording Time · · Score: 1
    Those costs are recurring.

    And Tivo doesn't support the use of their box as a stand alone DVCR, because they won't make money that way.

    I'd much prefer a system that I had control over- and wasn't required to subscribe to a directory (read monitoring) service.

  20. I've thought about that one on What's Now State of the Art in Encryption Technology? · · Score: 2

    Ever heard the old saw that you're only 7 acquaintances removed from anyone on earth?

    It's very close to true. It's called the network effect.

    Now extrapolate: wiretapping all communication of a few hundred individuals becomes a wiretap of everyone in the entire country.

    Would you still acquiesce to it, knowing what it implies?

  21. Right with you on Colleges Work To Block Net in Class · · Score: 2
    You are absolutely right- very lucid post.


    If we would drop this nanny state-bullshit as early as freshman year high school, I'm willing to bet that our country's educational performance would skyrocket.

    People tend to act like adults once they are treated like adults. They have to feel that the consequences of their actions affect them.

    Sadly, even through college we coddle and patronize students, insulting them. This inhibits learning and proper maturation. (Ask foreigners if they think American teens are mature or not)


    And I also agree that ~60%-80% of all CS degrees have no merit.

  22. Because it's not crime on Hackers are 'Terrorists' Under Ashcroft's New Act · · Score: 1

    We are worried about it because it's not crime!

    In fact- security crackers should be given medals, and heralded as heroes doing an important public service: finding bugs in computer systems.

    Now as for people who try to steal money by using other people's credit card numbers, etc: THERE ARE ALREADY LAWS FOR THAT!

  23. Apache.org on Gartner Group Suggests Dumping IIS For Now · · Score: 2, Informative

    Apache.org was compromised due to a misconfiguration- not an exploit. Totally different. You could *not* write a nimda to take advantage of that.

  24. I know how you feel on Are There Any Fun Tech Jobs Left? · · Score: 2
    I have to interview people- sometimes people with long job histories and senior positions. It's tough to ask technical questions without seeming to demean.

    Part of my interview is just that- questions about how the languages on their resume work.
    I've generally found that a poor programmer is also a poor software engineer, so I really want to ask these questions to weed out chobo PhDs who couldn't hack their way out of a bubble sort.

    So I have an alternate gambit: I say that there is a technical part of the interview- but since the candidate obviously has so much experience it is unnecessary- unless of course they want to try it.

    Invariably they say they'd like to try it anyway, and then the atmosphere is right. I tend to find that 66% of candidates really shouldn't have C++ on their resume, because they don't know the most basic things.


    Sadly, a good indicator of this is extensive education, and a job history riddled with positions like "software analyst", and "systems architect".

  25. It took me a long time to get my foot in the door on Are There Any Fun Tech Jobs Left? · · Score: 2
    And I didn't even have the benefit of a college education. I eventually got into an interview with a government contractor, and got my foot in the door. The trick to doing that was having the right magic button words on the resume.

    You may find that nobody hires "C++ developer"s but they do hire "MFC" developers or "CGI" programmers or some such specialty. Having the magic acronym on that resume can get you into an interview.

    Once you can get an interview, you can sell yourself. You *have* to seem enthusiastic and optimistic. I've also found that swagger helps. You should be self confident to just shy of arrogant. And never bullshit- speak your mind.


    After that, well you've overcome the old "22" barrier and now find that there are more jobs than ever. (Especially if you can get the job done)


    And as for the corny nerf-toy stuff, that was always just superficial.