The original argument Gosling had was how easy it was to produce something "unsafe" from legacy code. zdNet article My argument is Box's take on the original article's title, because it's just fuel for the m$ minions to go Java bashing.
So flag me as troll/flamebait minions! I fart in your general direction.
To use JNI inside of an applet, it needs to be signed with the DLL/shared library pre-installed in lib. So, the topic of "Huge Security Hole in Solaris and JVM" is alarmist and FUD, considering that to get outside of the sandbox, you need to jump through serious configuration hoops.
First, I went to school with John. He's a nice guy who has always had a keen interest in security... lots of interesting people went to U of C at that time... like Theo Deraadt... and they all seemed to have a keen interest in security.
But... all it takes is one bad egg to use this knowledge maliciously, and regardless of whatever indemnity the U of C has with its students, the U of C will get SUED BIG TIME and so will John, including potential jail time with pending Canadian and US legislation.
The credo You need to be a thief to catch a thief! is too much bullshit because there is an ethical and moral disparity between the two. The motivations are completely different. And teaching a course and having them sign a contract will Not prevent someone unscrupulous from doing what they're motivated to do.
For the record, Academic Computer Services has always been very anal about such things as security, and I see this as yet another rift between campus IT and the computer science department... even with a camera and a disconnected net, there is NO way to prevent human error/intent that could cause something to get out.
There is nothing innovative about this as per one writer's comments. Its a really bad idea because of the potential liability, fallout, and repercussion.
What's Old, Yellow, and lives off Dead Beatles?
Ans: Yoko Ono
---
Seriously, if you die and forget to turn off the computer and your p2p file sharing, you're asking for it. No wait, you're dead, you don't care anymore.
Life isn't complete without introspection, and this blog shows the blinders with which Microsoft and ex-pats view the world.
One thing interesting [to me anyway] is the difference between Microsoft and IBM in their strategies. IBM was very formal in its development effort. Things typically didn't happen without a plan. IBM prided itself on being professional about everything - including software development.
But in Microsoft, you have a bunch of guys doing skunk works type projects that had the ear of Steve and Bill. Some might go so far as to say Microsoft lacked discipline, letting 'hackers' and 'tinkers' do their magic.
In the end, it wasn't this innovative hacking that really changed the world. Apple was winning points in the GUI and flat memory model 68k style. But evolution is as much driven by negative adaptations as positive. Jobs held to the ridiculous price points, and in the world where everyone in business was buying a 286 to run their DOS apps faster, the hack made the POS intel architecture live just a little bit longer.
Is it really a good thing that this event contributed to the longevity of the intel based platform? That hacking is considered genius? Or the mistakes of other companies don't contribute amazingly to Microsoft success?
How many times do you see the word Microsoft on an XP splash screen? I think the inferiority complex is well deserved.
Note - We don't discriminate [we cut everyone off.]
Anyone who's been on the campus knows what I'm talking about...
On campus, you gotta eat the dog food. It's the only dog food in town. No one else makes dog food. If they did, it's five years old.
In the data visualization group, Java was a curio. One member has Java books on his shelf dating back to 1997. That's the last time it was interesting, because it's not the company dog food.
So... why is it an issue? Because the blinders are coming off. All that propaganda that the boys and girls are told about the company being the only company, and the only one that does cool things, is starting to look like it's passed through a reality distortion filter.
Is there a reason why the bungie guys play golf facing towards the main parking lot?
I remember when Wang had the ad "Wang: the chink in IBM's armor."
How about "Apple: in the ear on Microsoft's eve."
Apple makes MacOS.
Microsoft makes Windows.
Apple makes Pippin.
Microsoft makes X-Box.
Apple makes Newton.
3C makes Palm.
Apple seems to drop the ball a lot.
SoftwareDispatch was before its time.
The Cube was before its time.
Apple seems to be going in Jobs' direction of consumer appliances. Throwing shit at the wall to see what sticks. The iPod cell phone is next.
Will form factor make any difference? It didn't with the cube, but the cube was mucho expensive.
A sub $600 Mac? Who cares really. Microsoft has more of a chance at digital convergence than Apple... then there is MythTV. (Wait, my Q630 had tv... and that other Mac I had onboard DSP Apple never published specs for...)
And you may hate yourself.
After being part of the "mobile work force" for more years than I can remember, the biggest problem encountered in larger companies are people that have been promoted to management based on seniority as opposed to training or skill.
Don't get me wrong, I don't want to start a flame war, because I've worked for some people that have no training that were great, and conversely I've worked for BComms where I wanted to go postal.
Managers who are technical sometimes have the tendency to still poke their fingers in where they can. DO NOT POKE. Delegate. Otherwise you are discounting your minions and taking on more than you can chew.
The best manager is the one that recognizes accomplishment, delegates, and rewards. Micromanagement is a trap many fall into - so remember what it is all about: facilitating people who work under you to feel empowered, and be empowered to do the work. The day you complain some guy is always 5 minutes late, when he is twice as productive as the guy next to him, is the day you need a smack upside the head.
I've worked for so many clueless managers that either have sales backgrounds or technical backgrounds... the sales guys always promise more and the client, not the worker, is their priority. The technical guys usually have stale skillsets and think they can do everything better with PowerBuilder.
Remember - work your people skills. Some people shouldn't be management. Some belong in the trenches.
Ok... if it's binary compat as the letter states, why is a simple recompile required?
Food services have high turn over, as well as apple turnovers, so start practicing the mantra "Do you want fries with that?"
Seriously... there is a systemic problem with IT that the glut of individuals and the desire to outsource give middle/upper management the belief that IT workers are totally expendable. So, if you want to be a lifer, find a company that tends to move slow, have tons of cash, and generally will succeed regardless of crappy market conditions. A) Oil & Gas company, B) Bank. Conversely, get back into academia, as Universities are often cradle to grave type environments.
Ok ok ok...
So WHERE IS MY RING? Why didn't I get invited to some masonic Order of the Ring event?
Until recently ABET fought against accrediting software engineering as a real discipline, and I think only a handful of "institutions" are now accredited.
I still meet ASME or AIChE members who scoff at me when I say I'm a software engineer; I worked at a [engineering] company that wouldn't let me have the [bloody] title because "I wasn't a real engineer", and our provincial engineering body went so far as to harass me because my company web page claimed we did "Software Engineering following SEI-CMM and ISO principles"...
True only if the contract states that ownership is retained. Commercial contract law (in North America) pretty much says if you contract someone to do something and pay them, then you own it. Contrariwise, if you do not get paid for something you were commissioned to write, you can claim rights or put a lien against whatever your work went into. Unfortunately, if it ever got into court, any dispute usually ends up with the code being put in escrow until the judgement is made, and usually judges will give both parties rights to the date of dispute. I know this from past experience...
I don't know a lot of companies that would sign a contract with a third party to develop software where the company would not get all rights.
Copyright is only a consideration inside of contract law.
I feel your pain bro. World economics and outsourcing is a huge issue - but that is the nature of capital right? Human resources are the biggest expense, so screw local economies and think global.
A side point; this is why OpenSource is so popular everywhere but North America. OpenSource is a real solution to leveling the global playing field - and local experts can consult for what's locally reasonable.
A software package that costs $300 USD anywhere in the world means that most of the world can't afford it.
A lot of these comments have whizzed by, but you need to take a page from OTHER engineering on construction fields when you pick a company to outsource to.
1) What is their experience (how many years have they been around) and reputation (do you have references)?
2) What is your access to the work and resources?
3) Can you evaluate their work independently?
4) What contingencies does the contract provide you if work isn't done or doesn't meet your needs?
5) What payment schedule is provided to you?
6) Who can you talk to when you have business as opposed to technical issues (accountability)?
7) What are the deliverables, and who owns them?
ANYONE that takes cash upfront to do work I'd be wary of. The cash is your ONLY bargaining chip unless you are willing to go to court.
If you pay someone to develop something for you, YOU own the code.
You should have secure and free access to anything developed for you, and that includes the right to walk into their offices (homes) and demand materials. You have, after all, paid for it.
In big outsource projects (fixed cost), companies often hold back payment 40-40-20. That means a cost is agreed to, 40 percent is paid up front for the resources, 40 percent during the estimated duration, and 20 percent for completion.
In smaller ones, that are usually time and materials, unless you know the developer/shop is reputable, it is best to work on similar principles - that is, give a retainer to start work (if they accept money to start they are legally bound), and after you figure out the hourly rate - you withhold some portion for completion. The alternative is NOT to pay biweekly or monthly (based on hours), but to pay by function points. That is, they can bill you when they provide you with a deliverable.
Software Engineer? There is no such thing - it's not an accredited engineering discipline. It all comes down to the individual, and thanks to dot com and corporate tenure, most of the monkeys typing out code have education in OTHER fields, NOT computer science, not the fringe software engineering, blah blah blah. I compete with monkeys that have a 6 week programming course where I have a compsci degree and have been programming since I was 12. Job? Programmer. Rate? $30/hr vs $60/hr. Person interviewing? Someone without much experience. Person gets job? $30 code monkey who's never seen a source level debugger.
All Klingon! Kos!
A violent soap opera with lots of steamy SnM; bring back the Duras sisters...
StarTrek: Empires!
Hell, Michael Dorn could be the lead - make him the captain of a Klingon ship. Give him Tuvok as the Star Fleet rep. And finally do something interesting with the Tholians.
Actually, the power anomaly was due to Mynocks chewing through the power cables.
I've been chased by M$ a couple times in my life, and I've collected some pretty interesting things I think I should post...
1) Microsoft Mug circa 1986 - "One company does it all."
2) Microsoft Employment Package circa 1991 - first page bio of Bill touts the fact he was a drop out but succeeded anyway...
I appreciate your thoughts - they are pretty much bang on. However, I was using signed applets to do native work as early as '97, and that was also the time JNI had RNI from M$ when M$ was still on the bandwagon.
I do agree however, Sun did little to evangelize in the corporate mindspace, but then, who can compete with the dollars and lobster dinners that M$ puts out.
faster and more powerful
Uh... newsflash.
1) optimizing virtual machines compile to native ops
2) COM/ActiveX means writing (and rewriting) everything yourself (yes, the power to innovate)
3) powerful means what in this context? the power to do everything yourself? the ability to tie directly into the OS? or to exclude those fringe platforms (na na)? Assuming you mean power to tie into the OS, you can do that in Java too using JNI/DLLs/Signed Applets and gosh - there is even a security infrastructure around doing that.
I call bullshit.
OK....
Say you work in an... office... where you write web applications and your users keep wanting to use office automation for everything from word spelling checking to email automation.
Ah, you need to change settings for ActiveX controls not marked as safe, for your intranet, but then you have outside users too, so you figure out ways of letting them fiddle with their internet settings.
Lo and behold, everyone in the office seems to have enabled ActiveX sans security, so you are just waiting for someone to visit a rogue site or your IS infrastructure nazis to shut it all down.
Sometimes Disabling security is required to do real work. And it becomes end user education...
NO security in a control (especially signed ones) is a feature.
It would be SOOOOO much easier if you could just pick what controls had access, like installing java stuff in ext locally.
My sites get 'poked' by bots all the time. I don't have the time to automatically block every 'poker'.
What I want to know is Is the claim of extortion valid? They provide no proof or examples of such extortion in the article. And if the extorting party releases, oh, bank account information into which to transfer funds, isn't that like giving INTERPOL everything they need to go make an arrest?
What is more likely is that annoyed persons tired of el gambling spam are fighting back because el gambling sites are often off-shore and use dubious means to advertise.
This kinda reminds me of hear-say hype. "Oooh, computer virii exist, ergo I must buy virus software, firewall, and the like to protect myself. Oh wait, my computer isn't connected to the internet, and I don't install untrusted software. Rip out the hard drive! I must be in an IBM fearmongering commercial."
And people refuse to buy Apple for the price.
For example, I (a Canuck) can go to FutureShop and blow over $400 on an iPod and get all sorts of proprietary stuff with a cutesy UI and industrial design that is just big enough to be awkward.
Alternatively I can go to RadioShack, buy a $100 MP3 player with a few buttons and simple LCD that plugs into my USB port and clips onto my coat.
So... all hail the UI-less 3 button MP3 player. Perfect for the child that loses everything.
Just wait... when Macintosh has as many dastardly cowards pounding on it as Windowz, you will see just as many security threats and holes.
But wait, wasn't BSD secure before? Yeah, BUT MacOS isn't pure BSD, everything security related is pure Apple.