An unrestricted maniac runs around the streets, shooting people in the name of improving security because he aims to increase the public use of bullet-proof vests.
Alternatives to wearing bullet-proof vests:
1. Get your own fucking gun and shoot the SOB.
2. Armored vehicle.
3. Stay home.
Your analogy doesn't make sense. Finding a root-exploitable weakness in v1 isn't the same as developing an armor-piercing bullet.
You're on crack if you seriously believe that $1.2m can keep a site the size of /. going for a full year. A headcount of a dozen full-time people will cost that much. Don't bother adding in server and bandwidth costs.
The same thing has been (apparently) working quite well for Google. They too have highly targeted, self-service, text-only ads that don't get in the way.
I absolutely hate advertising, and block it every chance I get. I've been blocking ads on slashdot for over a year now.
WHAT!!! Slashdot has ads??!?
(another satisfied junkbuster user)
The difference is that your next job probably won't rely on you driving a Porsche in the past or not. However, Photoshop skills are marketable, and could land you a job. It's the old catch 22; you can't get a job without knowing the software, and you can't afford the software without a job.
Stop your whining. If you want to talk about Photoshop as a tool and "Photoshop skills" as a marketable job skill, make an applicable analogy -- a high-powered car doesn't cut it.
Instead, think about getting a job as a carpenter. You have to know how to use the tools, but you can't afford to go out and get yourself a top-of-the-line DeWalt table saw for $1300. Instead all you can afford is a crappy used $200 table saw. Will the skills you acquire using the crappy saw transfer to the DeWalt? You betcha.
Like another poster mentioned, acquiring skills is an *investment*. Defer and/or neglect self-investment at your own peril.
From a business perspective, Adobe has positioned Photoshop as the "Cadillac" in their category. This is a pricing strategy. There are other pricing strategies available, but Adobe has chosen this one. If you're in the store with money to burn and a desire for quality, you're most likely going to pick the product that is higher priced -- this is generally associated with higher quality. This is the behavior that those who use this pricing strategy (e.g. Adobe) are counting on.
Further complicating Mundie's argument is that the FEDERAL GOVERNMENT does not collect taxes on software. If he's trying to say that providing services (something that the feds do tax via corporate and personal income taxes) will result in lower tax revenues, he's on crack.
And you're telling me that if we take all the free software away from universities, it will STIMULATE research? Yeah, because everyone will either have to a) reinvent the wheel every time a new project is launched or b) pay through the nose for someone else's wheel.
It's FUD, but not very good FUD. C'mon Mundie, this is getting pretty weak.
What a crappy press release. How many different ways can you spell Charley Pride's first name? How many different ways can you spell "cloquing"? (what the hell is that supposed to mean? "Cloaking"?) Makes me wonder whether the boycott-riaa people know their asses from their elbows. Good thing they have lawyers or nobody would take them seriously at all.
Same here. If managers realized that they didn't exist to be the boss, but to serve the development group, then you have a situation that works well. I've been there. It's nice. What Joel Spolsky would call "managers that move furniture out of the way" or something like that.
This has been done and was news maybe two years ago. The web is about 18 links deep (at least two years ago it was). I want to say it was some guy at CMU, but I really don't remember the details.
Then again I trade grocery discount cards......
Heh. I have four. None in my real name. One used a real address, but I've moved twice since then. No need to trade...
You are reading them all wrong. Microsoft has shifted focus several times in its history. From the DOS-type environment to Windows. To the LAN. To the Internet. And now Security. Yup, Security with a capital S because it will, of course, be MS-style security. They have played the games differently with everything else (LAN, Internet, all kinds of standards), and they will set the rules here as well.
Realize that it will take them three or four tries to get this Security thing down though. It has with everything else:
- How many incarnations has MSN had?
- Do you even remember Windows 1 or 2 -- or even 3.0? (I'm sure someone will reply in the affirmative, but most of you haven't)
- those stupid e-book tablets (haven't won here yet) or palm computing (same here)
- What was the first version of IE that didn't completely suck? (You want to say that IE is different, but it isn't. They basically play all their games this way.)
And with $20b in the bank, they can afford to have an army of coders comb through existing libraries looking for defects. They can afford to have scores of UI designers and HCI evaluators to see exactly how much security people are willing to deal with. Better yet, they can afford to screw up two, three, maybe even four or five times before they finally get it right. And the world will just have to live with it.
They will screw up someday. It might be Security that does it. It might be something else that brings them down. But don't just dismiss the new Security focus as FUD. Pay attention.
Cheatfinder is smart enough to realize that (1) is unlikely, and so considers the duplicated structures to be innocent. So if the entire class cheated and turned in the same exact assignment, the cheatfinder would not report it.
Certainly unlikely in a class of 600 students. However, in a class of 40 students (especially back in the day when we were all in the lab pounding in our programs on VT220s the night before the program was due), I can tell you that there was a lot of "information sharing" going on. I wouldn't necessarily call it cheating, but there is probably a grey area in between "helping" and "cheating".
Of course, even among all that "sharing", my program designs still managed to be errr.... somewhat unique...
At my place of business, we develop VB applications ... we've decided to start converting our software over to Linux, writing in pure C, and using MySQL for databases.
Even more OT: but instead of moving from VB to C, you might think about staying with a higher level language. Have you considered Python/Ruby/etc? You retain portability but still allow yourself MUCH faster development cycles.
My wife works for a large investment house. And they have not bought into this scheme. They are now thinking about deploying LINUX.
Don't dismiss this as a troll, I have a few legitimate questions about this strategy. So the corporate stuffed-shirts decide they don't want to pay for a subscription based scheme.
1. Isn't that what they've been doing anyway for the past 10+ years? Sure, maybe you skipped the 3.11 "upgrade", or maybe you went from 95 straight to NT4 or whatever. But you've likely been paying a yearly fee for a) support and b) upgrades already.
2. What will happen when the suits realize that open source isn't really free (beer)? In a corporate setting, there is quite a bit of support that has to go into the software. I wonder how many IT departments are really going to want to put programmers on their staffs to do bugfixing in deployed apps; especially for apps that are deemed mission critical and where the developers might not be able to produce bugfix turnarounds that are needed.
3. Will the sticker shock of retraining hold these guys back? I hope not. They should realize that their people have had to constantly retrain with the constant stream of "upgrades" which generally include large changes that users have to retrain to be able to fully take advantage of.
With that said, I think there are several opportunities. Companies like CoSource and SourceXchange (I may be screwing up these names) haven't really fared so well, but the concept may gain strength. As I mentioned above, companies deploying open source across a large corporate network may want to place programmers that are familiar with the internals of various apps on retainer to be available for making bugfixes to those apps. Hell, some may even be willing to underwrite certain pieces of the project like webhosting/cvs/bugzilla/etc. There's also an opportunity for trainers as noted above. Finally, they might realize that they can get a greater deal of customization out of using open source, especially if they're already underwriting portions of the development.
Thoughts?
Of course, quality often *has* to be creative. I was only talking about discipline; all those comments were meant in a good way. You can be disciplined but still creative. Also, just because the software is trivial doesn't mean you can't screw it up!! Been there, seen that done...
I've found, as a general rule, that people with some military training and background are generally better engineers than your typical CS grad, as they have a real understanding of what mission critical means.
I agree, but for a different reason: military personnel have more discipline. That is the key. You don't find discipline in young "code monkeys". You'll find it more often in those who have either a) been brainwashed by the military or b) been brainwashed through several years of training as a professional engineer working in a high-quality ("mission critical") environment.
I'm surprised you didn't mention Verilog
I thought the same thing. I'm also an embedded programmer. And while I don't design PLDs and probably won't write a line of Verilog during my career, I have had cause to peek at the code and I've found Verilog to be very readable. (After, of course, a quick 5-minute-or-less introduction to the language by one of the EEs.)
No kidding. How hard would it really be to put up a page somewhere else that sends a vote for the opposite choice instead of the right choice? Not very hard, it would seem...
While everyone is posting about how to make a super-secure infrastructure, I'm reminded of an old story:
Two guys are out camping. In the early morning, just past dawn, they hear noises near the campsite. Peeking out the front flap of the tent, they see a grizzly bear sniffing around the perimeter of the campsite. The first guy takes off running. The second guy yells, "Hey, you can't outrun a bear!" The first guy yells, "I don't have to, I just have to outrun you!"
Of course, if your site isn't perfectly secure, someone might break in and steal a bunch of CC numbers. But they're a lot less likely if your site is mostly secure and the insecure pieces involve a lot of resources (e.g. effort, money, planning, knowledge). Remember, neither the NSA nor the CIA is interested in stealing CC numbers...
IMO, I wouldn't back up the server except for a hard drive image you can use to reinstall everything to a known state. Were I joe online shopper, I'd much rather re-enter cc info than worry that tapes were floating around the country with my data on it.
Most of the time this simply won't be an option. You have to keep backups. And not just so that Joe Shopper has the convenience of having his CC remembered. For starters, another poster noted that this information will be needed to correlate to chargebacks from the CC companies. Secondly, you might not just be storing CC numbers on such a server. What if you were storing other "personal information" that you wanted to ensure was secure? Depends on what you're selling, but purchase history might be one of these. That history and other data is of real value to merchants and can't be exposed to risk of loss due to hard drive failure (which is a high-probability event, relatively speaking).
In my opinion, if you can secure the machine, you can secure the backups. Hire an armored car if you think it is necessary, but storing backup tapes in a safety deposit box or other secure (off-site) location is pretty secure, especially if the information on the backup is encrypted.
The information on a job application is useless. Don't think law enforcement can't find this without going through your employer. Seriously, anyone with enough desire and resources would be able to get your name, last few addresses, SSN, employment history, place of birth, drivers license number, mother's maiden name, and other similar stuff. And it wouldn't take all that much time (you could gather all of the above within a week or so).
There are no Constitutional protections in the kind of transfer of information you're talking about. If the company wants to hand over the info, you can't stop them. If the company doesn't want to hand over the info, it will take a court order/subpoena/search warrant to get it. If you work for a company like that, they're crazy.
You say: I need the answer to this question: If Excite can't reach an agreement, and discontinues its service Friday, will my Internet access also be discontinued? I'd like a solid answer, please.
In-Max Marcus says: No. Your services will not be affected at all and we will reprovision all the settings needed.
Translation: We'll keep billing you. But you won't have any bandwidth flowing to or from your house.
This works both ways. Sure, you can find a route that avoids security cameras. But if you're the "bad guys" you now know where you need to install more security cameras. And -- at least if it was me -- you'd install those cameras in such a way that people don't know they're there and everyone still thinks they're on a "safe" route.
This is just for the paranoid, though. And I'm not paranoid. They really are out to get me.
Looks like the pr0n sites have figured this out: /password' at "expensive babes" and "britney video" are among the top 10...
'index of
You don't choose the people you work with
Maybe *you* don't, but I certainly do! When I'm interviewing somewhere, I want to make sure that the guys I'm talking to seem like people I can get along with. Maybe we won't be chums, but I want to work in a pleasant environment. Same goes when I'm interviewing candidates.
Not to mention that I'd be much more likely to hire (qualified) friends from previous companies into the company that I'm working for.
I've seen people use both theories (don't make any friends vs. make all kinds of friends all over the company). Sure, you get stabbed in the back occasionally by someone you trusted a little too much. That's going to happen. But the gains that you get by having friends more than offset the losses from backstabbing. And that's just a cold mathematical attempt at quantifying the benefits. There's also the intangible benefit of having friends, a social life, people you can count on in an emergency. It works both ways: people depend on you for friendship, you depend on them. And you always *know* those guys that will come through for you when it really counts.