I've often wondered about a variation on that theme - using -1 AC posts to communicate information over slashdot. The specific application I've been thinking of is trojan horses that need to phone home.
Right now, the typical trojan horse phones home by joining some specific channel on some (private or not) irc network. On that network, they announce to whoever's listening their IP address and how to gain remote control of the victim's machine. (Perhaps this announcement is encrypted somehow, or requires that first a message with password be sent to them, or something similar)
The thing is - this is pretty easy for corporate networks to trace (just flag outgoing IRC connections), and places that have a "no outgoing TCP, only outgoing web traffic through this specific proxy" policy in place are clearly protected to some extent.
It also allows law enforcement to start up the trojan in a controlled environment and monitor the connection for clues as to the ultimate controller of these little beasts.
But what if these trojans communicate through follow-ups to the lowest-moderated troll on the first article of each day? Or what if they simply receive their directions by looking for comments with specific subject lines? (Steganography, meet Natalie Portman's hot grits) Of course the person controlling these would work through some random anonymous proxy in Asia - every day, spammers send me hundreds of proxy IP addresses, and there are convenient anti-spam sites that will tell me exactly what those proxies can do.
And it's not just slashdot - many mainstream news sites now allow comments posted anonymously with a minimum of fuss, and then there's the idea of looking for certain blog comments, or postings to certain newsgroups on google.
Let me put it to you this way. Ever have .c files in folders below your main root dir? Want those files to still be able to use the .h files without having to reference them correctly? What if you're on a project and those files could end up ANYWHERE but it's all relative to some other dir?
You are confusing putting "." in your $PATH variable with using relative paths in your compiler's include path (-I) or when explicitly giving the path to some executable.
And yeah, many of my coworkers put "." in their $PATH despite me telling them not to (how hard is it to type "./myscript" ?) Then, after having something not work the way they expected (because they named their script the same as some obscure binary in /usr/bin), they move "." to the _start_ of their $PATH....
There's this guy I know from college who's written a free (as in beer) game for Windows. (Maybe you've heard of it; he also spends too much time on slashdot). Tens of thousands of windows users have downloaded it (according to webserver logs) and (presumably) run it on their machines, almost all of them (presumably) while logged in as administrator or equivalent. (At one point, it got farked, and is still getting referer hits from there)
Sure, you've found a patch of very trusting FreeBSD users. However, I'll bet that this one stupid windows game is downloaded and run with full privileges with no safety checks at all by a hundred times as many people.
The doomsday scenario that the author presents is this: some third party grabs a bunch of open source software that's out there, puts it all together, slipping in some random exploit, and calls it a distribution. They flaunt the (supposed) open source nature of their software as a benefit, and sell government department X on their wares.
Now, arguing from this scenario to a general denigration of open source depends on several assumptions:
Developers who have poured many hours directly into a code base are less likely to insert an exploit than someone who can get a code base quickly by downloading it. (Maybe, depending on the nature of the exploit)
People who buy a codebase from a bankrupt company are less likely to insert an exploit than someone who can get a code base for free by downloading it. (Think about the kind of people who generally end up with money)
Someone who started from an open source codebase would necessarily sell the result as open source
Governments would decide to go with the latest 0.1 version of k00l d00dz l33t liNeX instead of an established distribution like Debian or Red Hat.
Closed source developers working with closed source third-party components have as much trust and confidence that some component they're using contains no hidden backdoors as open source developers working with open source components do.
I guess the only thing we can conclude from this is that the words "open source" are no more magical than the words "patented". Hucksters for years have slapped "patented" on their technology as a way to make it seem better, and convince people to buy it. That doesn't mean that they're not selling snake oil, or worse. ("Patented million-bit encryption", anyone?)
In a sense, the article is right, "open source" are not magic words that can be slapped on something to make it more secure. That's because open source isn't just a marketing label. It actually means something about the software. The cautionary tale here is about not getting suckered by fast-talking scam artists, but I don't see what connection this has to open source.
Actually, if you look at the doomsday scenario closely, it comes out as an argument for open source - the problem in the doomsday scenario is that the government has been sold code which is different from that running all over the planet (and being inspected by people all over). Therefore, if the government chooses someone whose work they can't verify, they might have trouble.
Therefore, the government should insist on a way to verify the work of consultants who set up computer systems for them. One such method is to require that all source be handed over to the government. Another way is to skip the consultants entirely, and have government employees go get the open source from known good sources. (yes, those employees could sabotage things, but couldn't they do that no matter what?)
Open source doesn't eliminate the fact that at some point, someone less technical has to trust someone more technical. ("Trusting Trust" and all that) That's just the way it is. However, open source lets you dramatically reduce the length of that chain of trust. This is a good thing.
If a letter arrived in your (real life) mailbox with a return address of "Your Secret Admirer" would you not open it? Should you be held liable for "causing" an anthrax outbreak if the letter contained it?
Okay, so what if you got a letter from someone, and inside it was a bag that looks like what the post office uses to return your mail when your mail is damaged in transit. Inside the bag - clearly visible from the outside - is some unknown white powder.
Now, you know that you never sent anyone any white powder. If you've missed news stories about white powder in the mails, you've been living under a rock. Are you negligent if you rip open the bag and spread the anthrax in the air?
This is part of the problem with these analogies - the fit between computer actions and non-computer actions isn't always so clear. So rather than invent analogies, what is it about these two situations that makes them different? I'd argue that the difference is that a reasonable person, being aware of their actions, should know that by opening the plastic bag they are taking a risk, or engaging in risky behavior. This then should attach consequences.
The key here is "being aware of their actions". I see many people who use their computer so much on autopilot that they don't know that they just double-clicked on this icon or that, or that they just instructed the computer to execute BIG_BAD_MALWARE.EXE.
It's one thing to be unaware of what your computer is doing behind the scenes, with no visual or other notification. This is what we expect; I certainly couldn't explain all the physics behind an NPN silicon junction buried deep in the processor's core. However, instantly dismissing a dialog box, without even knowing what it said, or why your computer was trying to tell you "don't do this", or even that you dismissed it, should be a different matter.
To a large extent computer security depends on human actors saying "this action is authorized by me". If the supposedly responsible human is going to explicitly say to the machine "do whatever the hell you want" (or actually, "do whatever the hell some random person said they wanted you to do"), then the human has deliberately subverted the computer's security, and should be held accountable.
Actually, I think that the better comparison is "being sentenced by a British judge for a crime against someone overseas" vs. "being sentenced by an American judge for a crime that embarrassed the judge's golf partner".
I somehow missed the section in bold at the top of the article.
200 hours of community service.
I guess that's better than nothing, and it's not like they caught him controlling a worldwide botnet and so could only charge him with infiltrating one system. Still seems like an amazingly light sentence.
Nothing, aside from the notoriety of this trial, which may not even follow him that far - a google search on his name (Joseph McElroy) doesn't even turn up stuff referring to him in the first page. (That's what he gets for sharing his name with a famous author)
The judge decided against jail time because "he had not accessed classified material on the network and had not intended to cause harm". Also, the monetary claim for damages against him was waived on the grounds that he wouldn't be able to pay it.
"not intended to cause harm"? "not intended to cause harm"? Tell me, can I bypass the metal detectors at Heathrow simply because I'm not carrying any weapons, and even if I were, intend to cause no harm with them? What if I just want to drive to the store and back, but would rather hotwire your car instead of walking?
Sure, I understand that the US has some truly brutal criminal trespass laws that are probably way out of proportion to the act they supposedly punish, and that therefore a UK judge might be more lenient in this case than a US one would, but... nothing?
Here's the problem with that - and it goes back to the other issue of letting you take a completed ballot out of the polling place with you - it lets you prove to someone that you voted a certain way. This then leads to people being asked to prove to someone (their boss, church leader, local block bully, etc.) that they voted for candidate X and facing reprisals (or at least, deep suspicion) if they cannot prove that they voted the "correct" way. I'd love it if somehow the state could prove to the public after an election that each of their votes was correctly counted, but I don't know how that's possible to do without creating the situation where someone is able to prove to another party that they voted a certain way.
Also, I'll note that your system provides no way for the public to know that, say, 10% of the numbers on that list (all with votes recorded for candidate X) are made up out of thin air and don't actually represent votes legitimately cast on election day.
What do I do when I want to box up Debian and have to suddenly include three pages of acknowledgements on the outside of the box?
To the response "that's ridiculous; it won't get out of hand", I have to ask: why put it in the license? Is there some reason you need to use the legal force of copyright to bash this over people's heads? Can't you just rely on most people to not be credit-stealing bastards?
The only thing making this clause part of the license does is hurt people who want to be strictly correct in following license rules - but these are the same people who already are giving credit where credit is due. The people who are stealing the credit whole-hog (if, indeed, there are such people) will likely stick the acknowledgement to xfree.org so far down in the secondary appendix to the most unread manual that no one will ever find it unless they already know about xfree's license and go looking.
I have nothing against acknowledging other people's work. The problem is with being forced to do it.
I know this may come as a shock, but there are plenty of careers where computers are a tool, not an end in and of themselves.
And this may come as a shock - although I can't perform basic repairs on my car, and no one expects me to be able to, when I use my car as a tool to get me to and from my job, I am still held responsible for basic user cluefulness. I am expected to pay attention to all of my actions while using this tool, and no one thinks that it should be otherwise.
That's all the poster asked for - he doesn't ask for people to be able to fix a bug in one of their init scripts. He doesn't even ask for the minimum of skills I would expect for a specifically technical job. He just asks that people not step on the accelerator when an interesting brick wall appears in front of them.
Obviously, the consequences of being clueless with your computer are nowhere near the consequences of being similarly clueless with your car. However, the idea that you can be held responsible for paying attention to those actions you do perform is not unthinkable. Simply being aware of what you're doing should not be too much to ask.
Because Microsoft's market share guarantees that a disproportionate amount of viruses and worms will target their OS as opposed to some loser linux freak with an old 486 linux server in his mom's basement. The cost of these things is therefore irrelevant to the actual OS.
And by the same logic, the cost of getting system administrators for Linux systems, or the availability of Linux software for specialized commercial needs, also both things driven purely (or at least largely) by Microsoft's market share, is "irrelevant to the actual OS". What's left then for a TCO study? The price of a boxed OS CD set? The price of necessary hardware?
It's really bending over backwards to include in a TCO study the benefits of going with the same OS most of the desktop world is running while at the same time deliberately excluding the costs of using the same system most virus/worm writers target. Lauding the beneficial network effects while declaring the harmful network effects out of the scope of the study is just dishonest.
C++ really is a huge language, and it's very easy to think that you know C++ because you know both java and C and can sort of mix them together.
Common LISP is, from what I can tell, in a similar situation - you may think you "know lisp" because you know scheme and think that that includes knowing CL, but... it doesn't.
For what it's worth, "Effective C++" is an excellent starting point for upgrading your C++.
I did the same thing, with the same language (n/t) [on "Joel Rants About Resumes", Score: 0, Redundant]
India will lose the jobs as soon as a cheaper source comes around. India is just being used.
Indeed. Check out http://biz.yahoo.com/bizwk/031231/sb200312313576_1.html
- the gist is that Indian programming prices have risen, and competition from India has made American programming consulting firms lower their prices. The result is that the great Indian programming bargain companies thought they had is vanishing.
Not just the atheist. Announcing that you actually believe in a religion, whatever it may be as long as it's not currently fashionable, can lead to a lot of eyebrow-raising too. The only "acceptable" choice right now seems to be to be an agnostic...
I'll disagree mildly, and say that this is highly dependent on exactly where in the country you are, what age group you hang out with, and your socio-economic status.
I'll also note that I'm not catching anywhere near as much flak for my Christianity as I apparently should be. According to some of my fellow Christians, there's a rabidly atheist cabal preparing to feed me to the lions, or harass me out of my job, or spit on me should I set foot on certain college campuses, or something. I have to say that the worst I've ever seen is people talking smack about Christianity who've gone and read one Bible passage, or more often mis-remembered some Bible reference from TV, and have extrapolated on that wildly. That's hardly persecution.
(This isn't to say that I haven't also seen thoughtful, well-researched critiques of Christianity, but rather that the idiots with mouths of bile are worse)
"Never praising anything done by white males" [on "What You Can't Say", Score: 4, Insightful]
How about this as something unthinkable: white males aren't being oppressed.
I'm a white male. It rocks to be a white, straight, native-English-speaking male in America. I can wake up in the morning, just pull on whichever pant/shirt combination is handy in the closet, and go to work where no one ever talks trash about me having worn the same color for three days in a row, no one ever gets nervous around me for fear of saying some offensive remark about "my people", and no one ever is worried that I'm secretly stealing office supplies. I can walk around my neighborhood with minimal fear of personal violence, and if, God forbid, something did happen I can have complete confidence in rapid and reasonable response from our local police force. I never have to take a personal day for my religion's holidays; when my religion has a high feast or fast day, the markets close.
If my contribution is ever overlooked on something, I know it's because I didn't speak up loudly enough, or early enough. I know it's never my race. I can walk into any store I want to, look at items, handle those that are out, and security doesn't automatically start tailing me. When I walk into Philadelphia's diamond district, the assumption is that I'm looking for an anniversary present, not that I'm casing the joint.
When I look at the people in power - pretty much anywhere - I see, by and large, men who look like me, albeit usually older. When I pick up any high school or elementary school textbook, and look to see what historical figures they're studying, I see other white males. Sure, I may also see people who weren't white males, but let's face it - George Washington isn't getting written out of American history classrooms any time soon. I know that the child of Hmong immigrants going to a public school half-way across the country is going to learn about a winter in 1777 in Valley Forge where some distant ancestor of mine died. My daughter, were she to attend a public school here, would be far from certain of learning of the great service that child's grandparents gave to this country.
White males have it good. Our position is not in any danger. We can stop shouting "help, help, I'm being oppressed" at every imagined slight. (remember when the standard joke was that radical feminists were thin-skinned?)
Political correctness is either dead or, as the trolls say, dying.
I often find that the best way to talk about security practices is by illustrating general points with specific counterexamples. (Actually, this is a helpful technique in general - see, for example, the book "Counterexamples in Topology")
For example, when talking about being aware of \0 characters, you could mention something like this: a friend of mine once wrote a jukebox-like web application that allowed people to queue requests on his machine. There was a certain input parameter that was restricted to being the name of a subdirectory of his music collection. So, here's how he validated the input (more or less, since this is from memory):
    my $musicdir = $q->param('musicdir');
    if ($musicdir =~ m([/\\])) { return 0; }                        # Error exit: no path separators allowed
    if (!opendir(INPDIR, "$musicbasedir/$musicdir")) { return 0; }  # "validation": the OS must know the directory
    map { print QUEUESCRIPT "$playercmd $musicbasedir/$musicdir/$_\n"; } readdir(INPDIR);
QUEUESCRIPT was then a shell script that was queued up and ready to go.
to the script are left as an exercise for the reader.
Now talk about the hazardous effects of \0 characters - instead of saying just "system calls aren't fine with \0 characters", you can say "many perl functions that interact with the underlying operating system - such as open, opendir, or the file tests (-r, -x, etc.) - will consider a string only up to the first \0. Therefore, if you are relying on calls to the operating system for validation of any parameter, be certain to strip out \0 characters first. Better yet, allow in only what you expect, and no more. A simple s/[^ -~]//g (assuming only US ascii input is allowed) will go a long way."
A similar example of halting a buffer-overflow exploit might also be a good idea.
Also, having a typo in the "Know the Language" section (= instead of =~) really obscures your point.
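The following is an added example, not code from the original post or from the jukebox application it describes. It reproduces the jukebox's logic in C rather than Perl, because C shows directly what the Perl snippet inherits from the operating system: path syscalls such as opendir() read a pathname only up to its first NUL byte, while the bytes after the NUL are still in the buffer and still get copied into the generated queue script. The tainted parameter, the directory names, the player command and the song name are all constructed for this demonstration. The hardened check beside it does what the text recommends: allow only the expected characters over the whole length of the buffer.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed attacker input: the parameter the web form would deliver after
 * decoding a %00.  The shell sees everything after the NUL; opendir() does not. */
const char TAINTED[] = "jazz\0; rm -rf ~ #";
const size_t TAINTED_LEN = sizeof TAINTED - 1;   /* 17 bytes, NUL included */

/* Create <tmp>/jazz so opendir() has a real directory to find.
 * Returns 0 on success; 'base' receives the temporary music root. */
static int setup_music_dir(char *base, size_t basesz)
{
    char tmpl[] = "/tmp/jukebox.XXXXXX";
    if (!mkdtemp(tmpl))
        return -1;
    snprintf(base, basesz, "%s", tmpl);
    char sub[4200];
    snprintf(sub, sizeof sub, "%s/jazz", tmpl);
    return mkdir(sub, 0700);
}

static void teardown_music_dir(const char *base)
{
    char sub[4200];
    snprintf(sub, sizeof sub, "%s/jazz", base);
    rmdir(sub);
    rmdir(base);
}

/* The original's validation: reject path separators, then rely on opendir()
 * to prove the name is an existing subdirectory.  The pathname handed to the
 * kernel stops at the first NUL, so "jazz\0; rm -rf ~ #" is accepted as "jazz". */
static int validate_like_original(const char *base, const char *param, size_t len)
{
    if (memchr(param, '/', len) || memchr(param, '\\', len))
        return 0;
    char path[4300];
    snprintf(path, sizeof path, "%s/%s", base, param);   /* %s stops at the NUL */
    DIR *d = opendir(path);
    if (!d)
        return 0;
    closedir(d);
    return 1;
}

/* Hardened validation: allow only what is expected, checked over the whole
 * buffer length.  NUL, ';', space and anything else non-alphanumeric is rejected. */
int validate_allowlist(const char *param, size_t len)
{
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)param[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* What the original printed into QUEUESCRIPT: "$playercmd $base/$param/$song\n".
 * The parameter is copied by length, as Perl's print copies the whole scalar,
 * so the bytes after the NUL land in the shell script.  Returns bytes written. */
static size_t queue_line(char *out, size_t outsz, const char *playercmd,
                         const char *base, const char *param, size_t len, const char *song)
{
    size_t need = strlen(playercmd) + 1 + strlen(base) + 1 + len + 1 + strlen(song) + 2;
    if (need > outsz)
        return 0;
    size_t n = (size_t)sprintf(out, "%s %s/", playercmd, base);
    memcpy(out + n, param, len);
    n += len;
    n += (size_t)sprintf(out + n, "/%s\n", song);
    return n;
}

/* Whole scenario.  Returns 1 when the tainted parameter passes the original
 * check AND the injected command text follows the NUL in the queue script. */
int original_check_is_bypassed(void)
{
    char base[64];
    if (setup_music_dir(base, sizeof base) != 0)
        return -1;
    int passed = validate_like_original(base, TAINTED, TAINTED_LEN);
    char line[512];
    size_t n = queue_line(line, sizeof line, "mpg123", base, TAINTED, TAINTED_LEN, "track01.mp3");
    teardown_music_dir(base);
    const char *nul = memchr(line, '\0', n);
    const char *injected = "; rm -rf ~ #";
    size_t ilen = strlen(injected);
    int leaked = nul && (size_t)(nul - line) + 1 + ilen <= n && memcmp(nul + 1, injected, ilen) == 0;
    return passed && leaked;
}

int main(void)
{
    printf("original check bypassed: %d\n", original_check_is_bypassed());
    printf("allowlist accepts tainted: %d\n", validate_allowlist(TAINTED, TAINTED_LEN));
    return 0;
}
```

The allowlist check deliberately takes a length rather than a C string for the same reason the Perl regex should run before any filesystem call: once the value has been through a NUL-truncating path, the part that matters has already been dropped.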
You'd think so, right? Unfortunately, some minor sh extensions are still available to bash when you run it as /bin/sh, meaning that you could very easily write what you thought was a portable shell script and discover later that you'd inadvertently used some bashism.
(There used to be occasional flame threads on debian-devel about this)
That works just fine until some update to readline, or ncurses, or any of the other libraries the monster that is bash depends on happens to break your shell. Then, you're off to alternate boot media.
It's fine to have bash as your everyday user shell. It's even ok to have it as your default shell for root, though having a second uid 0 login with some more minimal shell (like ash, for example) is often a good idea. However, I wouldn't make it as absolutely essential for the system as it is when it's /bin/sh.
Personally, I take advantage of the setup provided by the Debian package sash, which provides a statically linked shell for /bin/sh and a secondary root login that uses that shell.
I was just mourning the fact that the internet wayback machine's archives didn't include the collection of VMS .COM files I had set up on our campus's VMS cluster. (Running OSU's webserver for VMS)
Unfortunately, it's almost all left me, though I suppose I could still puzzle out the quoting rules to pass quoted arguments down three levels of @-signing. (Doubling the quotes each time...)
And hey, _I'm_ still under thirty (for two more years...)
My primary platform for business applications is great. I can build the interface or the functionality first. I can expand either at any time, rarely worrying about new stuff interfering with the existing stuff.
Care to share the name of this system, or at least something more about what it is? Or is it too incredibly hush-hush proprietary to tell us?
I'm curious because everywhere I look I see the detritus of RAD platforms that weren't and that left us with stuff we still have to clean up after. What have you found that provides both rapid development and easy maintenance after initial development?
(Yeah, offtopic, whatever)
Tell me more of this universe in which the 3rd of February is followed immediately by the 6th.
Nothing.
But where does it stop?
What do I do when I want to box up Debian and have to suddenly include three pages of acknowledgements on the outside of the box?
To the response "that's ridiculous; it won't get out of hand", I have to ask: why put it in the license? Is there some reason you need to use the legal force of copyright to bash this over people's heads? Can't you just rely on most people to not be credit-stealing bastards?
The only thing making this clause part of the license does is hurt people who want to be strictly correct in following license rules - but these are the same people who already are giving credit where credit is due. The people who are stealing the credit whole-hog (if, indeed, there are such people) will likely stick the acknowledgement to xfree.org so far down in the secondary appendix to the most unread manual that no one will ever find it unless they already know about xfree's license and go looking.
I have no problem with acknowledging other people's work. The problem is with being forced to do it.
Like, for example, this idiot. If he'd just been born with an overly common name like mine he would have learned to get over it ages ago.
But some people just take this bizarre pride in knowing that their name is theirs alone.
That's all the poster asked for - he doesn't ask for people to be able to fix a bug in one of their init scripts. He doesn't even ask for the minimum of skills I would expect for a specifically technical job. He just asks that people not step on the accelerator when an interesting brick wall appears in front of them.
Obviously, the consequences of being clueless with your computer are nowhere near the consequences of being similarly clueless with your car. However, the idea that you can be held responsible for paying attention to those actions you do perform is not unthinkable. Simply being aware of what you're doing should not be too much to ask.
And by the same logic, the cost of getting system administrators for Linux systems, or the availability of Linux software for specialized commercial needs, also both things driven purely (or at least largely) by Microsoft's market share, is "irrelevant to the actual OS". What's left then for a TCO study? The price of a boxed OS CD set? The price of necessary hardware?
It's really bending over backwards to include in a TCO study the benefits of going with the same OS most of the desktop world is running while at the same time deliberately excluding the costs of using the same system most virus/worm writers target. Lauding the beneficial network effects while declaring the harmful network effects out of the scope of the study is just dishonest.
C++ really is a huge language, and it's very easy to think that you know C++ because you know both java and C and can sort of mix them together.
Common LISP is, from what I can tell, in a similar situation - you may think you "know lisp" because you know scheme and think that that includes knowing CL, but... it doesn't.
For what it's worth, "Effective C++" is an excellent starting point for upgrading your C++.
(with SQL, that is)
I'll also note that I'm not catching anywhere near as much flak for my Christianity as I apparently should be. According to some of my fellow Christians, there's a rabidly atheist cabal preparing to feed me to the lions, or harass me out of my job, or spit on me should I set foot on certain college campuses, or something. I have to say that the worst I've ever seen is people talking smack about Christianity who've gone and read one Bible passage, or more often mis-remembered some Bible reference from TV, and have extrapolated on that wildly. That's hardly persecution.
(This isn't to say that I haven't also seen thoughtful, well-researched critiques of Christianity, but rather that the idiots with mouths of bile are worse)
How about this as something unthinkable: white males aren't being oppressed.
I'm a white male. It rocks to be a white, straight, native-English-speaking male in America. I can wake up in the morning, just pull on whichever pant/shirt combination is handy in the closet, and go to work where no one ever talks trash about me having worn the same color for three days in a row, no one ever gets nervous around me for fear of saying some offensive remark about "my people", and no one ever is worried that I'm secretly stealing office supplies. I can walk around my neighborhood with minimal fear of personal violence, and if, God forbid, something did happen I can have complete confidence in rapid and reasonable response from our local police force. I never have to take a personal day for my religion's holidays; when my religion has a high feast or fast day, the markets close.
If my contribution is ever overlooked on something, I know it's because I didn't speak up loudly enough, or early enough. I know it's never my race. I can walk into any store I want to, look at items, handle those that are out, and security doesn't automatically start tailing me. When I walk into Philadelphia's diamond district, the assumption is that I'm looking for an anniversary present, not that I'm casing the joint.
When I look at the people in power - pretty much anywhere - I see, by and large, men who look like me, albeit usually older. When I pick up any high school or elementary school textbook, and look to see what historical figures they're studying, I see other white males. Sure, I may also see people who weren't white males, but let's face it - George Washington isn't getting written out of American history classrooms any time soon. I know that the child of Hmong immigrants going to a public school half-way across the country is going to learn about a winter in 1777 in Valley Forge where some distant ancestor of mine died. My daughter, were she to attend a public school here, would be far from certain of learning of the great service that child's grandparents gave to this country.
White males have it good. Our position is not in any danger. We can stop shouting "help, help, I'm being oppressed" at every imagined slight. (remember when the standard joke was that radical feminists were thin-skinned?)
Political correctness is either dead or, as the trolls say, dying.
For example, when talking about being aware of \0 characters, you could mention something like this: a friend of mine once wrote a jukebox-like web application that allowed people to queue requests on his machine. There was a certain input parameter that was restricted to being the name of a subdirectory of his music collection. So, here's how he validated the input (more or less, since this is from memory):

QUEUESCRIPT was then a shell script that was queued up and ready to go.
The consequences of passingto the script are left as an exercise for the reader.
Now talk about the hazardous effects of \0 characters - instead of saying just "system calls aren't fine with \0 characters", you can say "many perl functions that interact with the underlying operating system - such as open, opendir, or the file tests (-r, -x, etc.) - will consider a string only up to the first \0. Therefore, if you are relying on calls to the operating system for validation of any parameter, be certain to strip out \0 characters first. Better yet, allow in only what you expect, and no more. A simple s/[^ -~]//g (assuming only US ascii input is allowed) will go a long way."
A similar example of halting a buffer-overflow exploit might also be a good idea.
Also, having a typo in the "Know the Language" section (= instead of =~) really obscures your point.
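The jukebox bug described in the comment above, reduced to its mechanism as an added example (this is not code from the original post or from the friend's application; the directory layout, the mpg123 command line and the attacker string are all constructed here). The request parameter arrives as a length-delimited buffer, the same way a Perl scalar carries its own length, but the validation pastes it into a C string and hands it to stat(), which stops at the first NUL byte. The queue line is then written from the full buffer, so the shell script receives bytes that the check never saw. The hardened version allowlists every byte over the full length before any OS call touches the string.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a throwaway "music collection" under /tmp with one subdirectory,
 * "rock", so the checks below have something real to stat(). Returns 0 on
 * success and writes the collection root into `root`. (Constructed setup.) */
int setup_collection(char *root, size_t rootsz)
{
    char tmpl[] = "/tmp/jukeboxXXXXXX";
    if (mkdtemp(tmpl) == NULL || strlen(tmpl) + 1 > rootsz) return -1;
    strcpy(root, tmpl);
    char sub[4096];
    snprintf(sub, sizeof sub, "%s/rock", root);
    return mkdir(sub, 0700);
}

/* Remove what setup_collection() created. */
void teardown_collection(const char *root)
{
    char sub[4096];
    snprintf(sub, sizeof sub, "%s/rock", root);
    rmdir(sub);
    rmdir(root);
}

/* The validation the post describes: `param` is `len` bytes long, but it is
 * formatted with "%s" and passed to stat(), and both stop at the first NUL.
 * Only the prefix before the NUL is ever checked. Returns 1 if that prefix
 * names a directory under `root`. */
int validate_naive(const char *root, const char *param, size_t len)
{
    (void)len;                       /* ignored: this is the bug */
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s", root, param);
    if (n < 0 || n >= (int)sizeof path) return 0;
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Hardened version: allow only what is expected, over the full length the
 * web server delivered, before any OS call sees the string. A NUL, ';', '/',
 * '.' or anything else outside the allowlist fails, so the checked prefix and
 * the queued bytes can never differ. */
int validate_strict(const char *root, const char *param, size_t len)
{
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)param[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%.*s", root, (int)len, param);
    if (n < 0 || n >= (int)sizeof path) return 0;
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* The line the queue script would get. It is built with memcpy() over the
 * full length, so the NUL and everything after it survive into the file the
 * shell later reads. Returns the number of bytes placed in `out`, 0 if it
 * does not fit. The "mpg123 <dir>/*.mp3" shape is an assumption. */
size_t queue_line(const char *root, const char *param, size_t len, char *out, size_t outsz)
{
    static const char pre[] = "mpg123 ", post[] = "/*.mp3\n";
    size_t rl = strlen(root);
    size_t n = (sizeof pre - 1) + rl + 1 + len + (sizeof post - 1);
    if (n > outsz) return 0;
    char *p = out;
    memcpy(p, pre, sizeof pre - 1);   p += sizeof pre - 1;
    memcpy(p, root, rl);              p += rl;
    *p++ = '/';
    memcpy(p, param, len);            p += len;
    memcpy(p, post, sizeof post - 1);
    return n;
}

int main(void)
{
    /* Constructed attacker input: a valid directory name, a NUL, then more. */
    static const char evil[] = "rock\0; rm -rf ~";
    size_t evil_len = sizeof evil - 1;          /* 15 bytes, NUL included */
    char root[64];
    if (setup_collection(root, sizeof root) != 0) return 1;

    printf("naive : %s\n", validate_naive(root, evil, evil_len) ? "accepted" : "rejected");
    printf("strict: %s\n", validate_strict(root, evil, evil_len) ? "accepted" : "rejected");

    char line[256];
    size_t n = queue_line(root, evil, evil_len, line, sizeof line);
    fputs("queued: ", stdout);
    for (size_t i = 0; i < n; i++) {            /* render the NUL visibly */
        if (line[i] == '\0') fputs("\\0", stdout); else fputc(line[i], stdout);
    }
    teardown_collection(root);
    return 0;
}
```

The naive check accepts the input because stat() only ever sees "rock"; the strict check rejects it at the fifth byte without making any OS call at all. Note that the allowlist also rules out "..", "/" and shell metacharacters, which is the "allow in only what you expect" point from the comment; stripping \0 alone would still leave the "; rm -rf ~" tail in the queued line. The truncation the comment describes is what Perl of that era did; Perl 5.20 and later warn when a pathname contains an embedded \0.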
And, after all, the article said that the book focused on /bin/sh, not bash.
And every unix system has some sort of /bin/sh. That's why startup scripts are written in /bin/sh - because it's always there.
You'd think so, right? Unfortunately, some minor sh extensions are still available to bash when you run it as /bin/sh, meaning that you could very easily write what you thought was a portable shell script and discover later that you'd inadvertently used some bashism.
(There used to be occasional flame threads on debian-devel about this)
That works just fine until some update to readline, or ncurses, or any of the other libraries the monster that is bash depends on happens to break your shell. Then, you're off to alternate boot media.
It's fine to have bash as your everyday user shell. It's even ok to have it as your default shell for root, though having a second uid 0 login with some more minimal shell (like ash, for example) is often a good idea. However, I wouldn't make it as absolutely essential for the system as it is when it's /bin/sh.
Personally, I take advantage of the setup provided by the Debian package sash, which provides a statically linked shell for /bin/sh and a secondary root login that uses that shell.
I was just mourning the fact that the internet wayback machine's archives didn't include the collection of VMS .COM files I had set up on our campus's VMS cluster. (Running OSU's webserver for VMS)
Unfortunately, it's almost all left me, though I suppose I could still puzzle out the quoting rules to pass quoted arguments down three levels of @-signing. (Doubling the quotes each time...)
And hey, _I'm_ still under thirty (for two more years...)
I'm curious because everywhere I look I see the detritus of RAD platforms that weren't and that left us with stuff we still have to clean up after. What have you found that provides both rapid development and easy maintenance after initial development?