Evaluate! It's the only way to be sure the product meets your needs completely. Yes, it costs a lot of money and time.
I agree that evaluation is the only way to go, because it's the only way you'll know how the product will operate in your environment. I disagree, however, that it will cost a lot of time and money if you are evaluating software. You can download VMWare Server for Windows or Linux from VMWare for free. Create virtual testing labs using distros you also can download for free. Microsoft are also now very generous with their evaluation products, with most durations between 60 and 180 days. All it takes is your time, but again, once you have a basic Windows 2003 Server image, take a copy or snapshot of it, and clone other virtual machines from it rather than sitting through the install every time (just remember to use something like NewSID to change the SID each time, or you can get really weird errors when machines with the same SID are members of the same domain).
A lot of hardware/appliance vendors will also do a free eval, direct or via a channel partner, if you seem like a legitimate opportunity. You'll have to be prepared to deal with the sales people, though, because once a company has done an on-site eval they really, really want to make the sale.
Yes. Especially in the countryside. But with a population of 1.3 billion:
all - most = more than enough to make it viable
Stand on any street corner in a place like Shanghai and you'll see plenty of people getting by on a few dollars a day, but you'll also see plenty of Benzes drive past.
No doubt it will be even cheaper again than the Hong Kong version...
I don't think the North Korean government would accept them. They're still pretty pissed at us after what we did to one of their drug-smuggling vessels...
So you want to get a job using Photoshop, but can't afford it? Consider it this way - there are two barriers to overcome here:
(a) Recruiters who won't refer you on without Photoshop experience.
(b) The organisation who will sling your ass out the door when they discover you really don't know what you're doing.
To overcome barrier (a), why not try enrolling in some free/cheap courses in a local technical college/night school/U3A etc? These places often have well-equipped labs where you can at least gain some familiarity with the software, so when you put "Photoshop experience" on your resume you ain't lying.
In the meantime, get to know The Gimp really well. Do the tutorials. Practise, practise, practise on your own images. The software may be different, but the principles are similar. Check out the Photoshop articles on Fark. Try to work out how you would achieve the same effects. Do this long enough and you should gain enough confidence to talk yourself into a position where you get to use Photoshop, *and* have enough skill to ensure that you don't get fired after your first day.
Just make sure that you're honest and upfront in the interview about how much real Photoshop experience you have. It won't hurt to also have a portfolio, online and hardcopy, of designs and images you've done to prove that you've got what it takes.
With an established code base and customization for a particular client's business, the one thing that India (or the Philippines or whatever) cannot offer is a detailed, up-close examination of the daily processes that have to be tailored to in order to create that customization. Factor in communications problems and cultural differences and there is an even bigger barrier to moving this kind of thing off-shore.
Ever dealt with an outsourcing company? Almost never have I seen an end customer deal with a programming team off-shore. They buy the app from someone like IBM, who then subcontract to an on-shore branch office, who handle the liaison between on-shore and off-shore teams. That way, cultural differences aren't an issue, and the customer can say "Well we deal with a local company, we can't dictate to them who they employ, your beef is with them not us" if there's any public relations fallout to contend with.
Those that think that their job ends when they deliver compiled code can be and should be replaced by coders in India, the Philippines, etc.
You really think that it's only the slack-arsed programmers who've lost their jobs through outsourcing? I've seen good guys go too, because it typically affects entire teams, entire departments, entire organisations, not just the odd one or two who couldn't meet their KPIs.
Offer automated backup, off-site storage and an emergency plan...
Yes. This is how to remain competitive. Offer services that are still difficult for an outsourcer to provide. Something localised. Something you can't upload to Mumbai in the evenings, ready to download the next morning with yesterday's changes done.
Software is fast becoming a commodity too - if you're in the US, you're competing with code churned out in India, and pretty soon those guys are going to be undercut by code factories in places like the Philippines, and so on, and so on...
Very few organisations can rely on software for their *only* competitive advantage... Microsoft are making game consoles, Red Hat are branding themselves as a solutions provider and SCO decided to pursue racketeering as a business model.
So compete on service; offer value-adds like training and consulting, facilities management, hosting, colocation, monitoring etc.
You are confused.
"Unless you can actually read C (or whatever language) looking at the binaries is pretty pointless"
No amount of C will help you read binaries. For that you need a disassembler, knowledge of assembly language, and a hell of a lot of spare time.
"Rather than inserting backdoors it would be much easier to just install some buffer overflows."
No.
It would not be easier.
Ever written code to bind a shell to a listening port? Ever coded a buffer overflow exploit? There are orders of magnitude of difficulty separating the two. Say you mess around with some printf() or strcpy() calls and introduce some overflows or format string bugs in an application which binds to a TCP port. What if the victim machine is behind a firewall? How do you take advantage of the BOs then? OK, you tell me, you write a BO which makes an outbound connection which *might* get through the firewall. But this is exactly what a backdoor like the irssi configure script does, without all the fucking around overflowing the stack to get control of the execution path.
"Since even experienced coders miss buffer overflows, casual checking of code is not going to pick them up."
So projects like OpenBSD and Adamantix should just give up, because according to you code audits are a waste of time?
There's nothing paranoid about it. In fact, it's probably not paranoid enough - ever installed anything from code yourself? Ever thought to check the configure script?
irssi 0.8.4 backdoor
If you blindly run stuff you pull from the net, sooner or later you will pull down some malware, and then the fun begins.
"Such a distro shouldn't install GCC, so I'll need all the software as binaries."
Just get yourself another machine with a toolchain to build the binaries you need from source, particularly if you plan on taking binaries from untrusted sources.
Of course someone could give you dodgy code, but it's a lot less likely to happen, and at least you've got a fighting chance of checking the code for suspicious function calls etc.
If you don't trust them, no e-mail client is going to help. What's to stop them installing a keystroke logger and getting your IMAP credentials/PGP passphrase/shell account details? Running a cracker over the PST encryption? Shoulder surfing your password?
Say you install a more secure, multi-user OS like Linux or FreeBSD or (gasp!) Windows 2000. Even if they can't learn your password, they can boot Knoppix or similar, mount your partitions and crack your box that way.
The bottom line is that if they have physical access to your box, you're pretty much screwed. Either trust them and find some other way to separate work from home, or lock your box away in a cabinet they can't get to, install Linux/BSD, keep them patched against local root exploits, and don't let them get you drunk/stoned/in a state where you might divulge your passwords.
"It's the most broken page I've seen all day."
Well if it wasn't broken before, it sure as hell will be now that every bored sysadmin with a Mozilla install is surfing on by to check out how broken it is.
Now I'll have to break out some more aluminium and extend the tinfoil hat into a full-face helmet.
Go and see the world while you can, because let me tell you once wife + kids + career job come along, you won't be able to pursue any of those opportunities even if they do come along, and you don't want to get to 40 with nothing but regrets to show for it.
I speak from bitter experience here man.
Get out and enjoy your talents while you can.
What are some good resources for a web developer to read so that they know how to design secure sites that use RDBMS as a backend?
OWASP is a good start.
...the buying company is iiNet
If they're like every ISP I know, there'll be OSS all over the place, indeed:
# nc www.iinet.net.au 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 25 Feb 2004 04:09:22 GMT
Server: Apache/1.3.26 (Unix) Debian GNU/Linux PHP/4.1.2 mod_perl/1.26
Connection: close
Content-Type: text/html; charset=iso-8859-1
#
If I was you I'd be talking to the guys who look after this stuff, and find out what sort of desktops they have.
Sorry, my mistake.
Evolution is my Linux-based solution to e-mail in a Microsoft environment.
Pegasus is my Win32-based solution to e-mail in a Microsoft environment.
I flit between so many environments it's not funny. Most days I don't know my dir from my ls -al
#1: Learn to love the hourglass icon, 'cos you're going to be seeing a lot of it from now on.
#2: Get used to extension-based file typing, and remember that not everything ending in .scr is a screensaver.
#3: Develop a healthy sense of paranoia - they are out to get you, especially the ones that send e-mail with subjects like "Hello"
#4: Give thanks for the guys who develop Win32 ports of Perl, Python, Apache etc because they are the thin geek line that stands between you and Visual Basic, Windows Scripting Host and (ugh) Internet Information Services.
#5: Get hold of Mozilla, Evolution, and OpenOffice. Man cannot live on IE, Outlook and Office alone.
#6: Head on over to PacketStorm and stock up on some local admin exploits and the excellent Cain&Abel so you can take back the rights these no-good dirt-farming MCSE's are going to try to take away from you.
That should get you started.
The warnings on videogames are not meant for parents to keep children confined by having them not purchase such games
At least in this country that's not true; our Office of Film and Literature Classification intends the warnings to be used proactively by parents:
From OFLC:
"Consumer advice helps you decide what you and your family view and play. If you do not like your children to hear swear words then check for consumer advice that refers to coarse language. Perhaps you do not like your children to watch movies that have references to sex or sex scenes. The consumer advice may help you choose films that do not have sexual references or sex scenes."
I have a ten year old son, and I keep an eye on what he sees and hears. But not based on the warnings; they're quite vague and downright misleading at times. I take an interest in the things he does, I play console games with him, I watch movies with him, and we don't have a problem. He has an instinctive understanding of what he is allowed to watch, and what he's not, and he respects that, while I respect his right to access content marked 15+ (like some games) if the content is within the guidelines we have mutually agreed upon.
Maybe it's right, maybe it's wrong, but it's sure as hell better than the way my father tried to impose censorship on me. I wasn't even allowed to watch Doctor Who until I was 15 years old!!!!!!!!
Friggin' hillbillies.
It's the shit.
Smetacek and 48 colleagues... will monitor the growth of phytoplankton from a helicopter...for a period of eight to ten weeks.
(49 scientists + boat + chopper) * 10 weeks = enough CO2 to give all these newly spawned (hatched? divided?) planktons serious eating disorders.
Why do you have to come down here and tip all that FeSO4 in my backyard? What, Baltic wasn't big enough? Too shallow? No happy snaps with penguins?
> That's so last year. In 2004 it's "WMDRPA".
We're on Darl time here, where it's the early 80's, UNIX is still a proprietary monolith, "greed is good" is a morally acceptable values system and a white shirt, red tie and charcoal-grey jacket is a good look.
1. The threat to the U.S. information technology industry
"Please legislate to save our industry so we can send it to offshore sweatshops and make gazillions (and those election campaigns ain't cheap hey Mr Congresscritter )."
2. The threat to our international competitive position.
"Forget anthrax - Linux is the real WMD!"
3. The threat to our national security.
"Forget Saddam - Linus is the real enemy of humanity, and you can add Finland to the axis of evil! Those Finns, what have they done for us recently, with their weird language and dinky little phones."
From the CyberKnights page:
"...we are currently exploring workable methods for becoming big while remaining small..."
Well, you could always dredge up some code you wrote years ago, grep through an OSS source tree until you find a partial match and then issue ridiculous demands for outrageously expensive licenses...
Apparently, nobody here is diligently watching out for such ridiculous patents.
When challenged by reporters over the volume of prior art which negates this patent, a Microsoft spokesperson replied "Apparently, everybody here is too patently ridiculous to be diligently watching out."
Go have a look around cotton fields just after harvest. Literally tons of the stuff is left behind at the edges of fields, blown along the roadside, lying on the stubble etc. Sure, you could go along and pick it up but the cost of doing so would outweigh the price you'd get for the extra x bushels you'd collect.
It's the same with e-mail addresses - why should a spammer go to the trouble of modifying their bots to detect obscured addresses, when there are plenty of unobscured ones ready for harvest?
I'm sure some spammers do try to pick up obscured addresses, but until they start running out of unobscured addresses, they'll keep going for the masses of low hanging fruit and not bother with the rest.
Of course, obscurity doesn't save your address from brute forcing...