Slashdot Mirror


User: plcurechax

plcurechax's activity in the archive.

Stories: 0
Comments: 606

Comments · 606

  1. Re:Sounds like something 'the tick' would say on OpenSSL Gets Cryptography Gift From Sun · · Score: 1

    ... this ellipse has come full circle.

    Groan. Elliptic Curves are not an ellipse (similar to a deformed circle), but elliptic curve.

    E.g. y^2 + y = x^3 - x^2

  2. Re: algorithms vs. applications on OpenSSL Gets Cryptography Gift From Sun · · Score: 2, Interesting

    Tom,

    Your library is nice, it is portable C with tons of algorithms implemented. Test vectors. Most algorithms even have decently optimized implementations which is a plus.

    But you lack protocols which are necessary to securely implement applications.

    Using 3DES or AES is stupid if the application developer uses ECB (Electronic Code Book) mode of operation because it's faster and simpler. The application developer doesn't know that you need an HMAC to ensure integrity. What about replay attacks? Cut-and-paste attack?

    I don't think you even have secure message padding for RSA implementation.

    You have an interesting library of algorithms, but it is AFAIK lacking the "glue" to make it more useful than OpenSSL (which is ported and tested on many platforms, and heavily optimized assembly).

    So to develop secure applications I will continue to use OpenSSL rather than LibTomCrypt. It is less work for me, simple as that. If you expand your work, that will end my complaints, and we'll both be happy.

    Peace.

  3. Re:Is speed really all that necessary either? on OpenSSL Gets Cryptography Gift From Sun · · Score: 2

    Encrypting a tightly packed transaction on a 16 MHz ARM processor won't take very long.

    I think a 16 MHz ARM processor would only be in a "high end" smart phone, or a PDA and not your mass market average cell phone.

    ECC makes a big difference for low cost mass market microprocessors. Think 8 or 16 bit, less than 12 MHz on average. 1024 bit RSA encryption can take up to 1 minute in such environments.

  4. Re:Why is this significant? on OpenSSL Gets Cryptography Gift From Sun · · Score: 3, Interesting

    I know the keys used for ECC are generally smaller, but that seems like a fairly minor consideration even for PDAs

    ECC uses smaller keys, which is suitable for very small networked devices like network appliances, that use cheap (<$1) 8-bit microprocessors with very small amounts of NVRAM.

    Is elliptic curve cryptography actually faster than RSA?

    Yes, which is the major advantage over RSA, more important in most applications than the storage of smaller keys. I don't know exactly but I estimate in the area of 10 to 100 times faster for "equal" level of confidence in security.

    And if it IS faster, wouldn't it be much more useful for web servers than for PDAs?

    Think mobile phones, or cheap network household appliances with 8 and 16-bit microprocessors with clock speeds less than 12MHz. It also means lower power consumption which is important for most battery powered devices.

  5. Whitfield Diffie did NOT invent ECC on OpenSSL Gets Cryptography Gift From Sun · · Score: 5, Informative

    'elliptic curve' encryption technology, (developed by Whitfield Diffie of Diffie-Hellman public key fame)

    Elliptic curve cryptography was independently invented by Neal Koblitz, Professor of Mathematics at the University of Washington and Victor Miller who was then at IBM.
    (Source)

    Whitfield Diffie is Sun's chief security officer, and co-invented public-key cryptography.

  6. Re:NeXT, did NOT invent ECC. on OpenSSL Gets Cryptography Gift From Sun · · Score: 4, Informative

    ...given that it was invented by NeXT?

    Sorry, Elliptic curve cryptography was invented independently by Neal Koblitz, Professor of Mathematics at the University of Washington and Victor Miller who was then at IBM.
    (Source)

  7. Wrong. OpenSSL != OpenSSH on OpenSSL Gets Cryptography Gift From Sun · · Score: 5, Informative

    OpenSSL is written by the OpenBSD people

    Not quite.

    OpenSSL is maintained by OpenSSL core members: Ralf S. Engelschall, Ben Laurie, Mark J. Cox, Dr. Stephen Henson, and other developers.

    OpenSSH was written by OpenBSD members (Theo de Raadt, Niels Provos, Markus Friedl, Dug Song, and others). OpenSSH uses OpenSSL as a cryptographic library source (it is highly optimized for many processors).

  8. Re:Nice - but is it really necessary? on OpenSSL Gets Cryptography Gift From Sun · · Score: 2

    Don't most hand-helds have more than enough processing power for encryption?

    Most high end PDAs do for file encryption, but as increased demand for WTLS (Wireless TLS), "wireless speed" encryption for high speed GPRS/Bluetooth/802.11/1X networking applications. Applications like online wireless betting or online wireless reservations need better (read: quick) security in PDAs and mobile phones, which have less powerful processors.

  9. Re:elliptic curves? on OpenSSL Gets Cryptography Gift From Sun · · Score: 3, Insightful

    but since they are modular, we could also use them for traditional pgp style encryption, no? instead of symmetric keys, you could use a public key.

    SSL and PGP (or preferably the newer OpenPGP) standard both use a hybrid scheme which uses both asymmetric and symmetric encryption algorithms.

    If you mean could elliptic curve schemes (ECDLP, ECDSA, ECDH) be used in OpenPGP as well as SSL/TLS; then yes as long as it was added to the OpenPGP standards which I don't think includes ECC yet but has spaces reserved for future ECC use.

  10. Re:Shouldn't this be placed under a different sect on OpenSSL Gets Cryptography Gift From Sun · · Score: 2

    could this be used in SSL acceleration cards to improve the efficiency of the SSL 'processor'

    Unlikely in presently deployed accelerator cards, since AFAIK most (Rainbow CryptoSwift and nCipher) are based on custom hardware chips (FPGA and the likes) which do mainly RSA key setup which is the really slow part of establishing a SSL session. I believe several of the cards do not even do any symmetric (i.e. RC4, 3DES) acceleration because it isn't worth it.

  11. Re:Is this the same as featured before? on OpenSSL Gets Cryptography Gift From Sun · · Score: 2

    This isn't the encryption scheme mentioned previously, when Slashdot reported that a distributed project has almost "broken" the scheme, is it?

    If you mean the recent article in the last week. No.

    The recent /. article was a pointer to Schneier's Sept 2002 Crypto-gram about an academic weakness in AES.
    It's academic in that it is not possible to break (at present time, and oh the next hundred years) in real-life.

  12. Re:One Time Pad != Encryption on Cryptogram: AES Broken? · · Score: 2

    So the question is, why don't you use the secure medium in the first place?

    Because I only get to see my brother once a year in Cuba. And he has a problem carrying back CD-Rs of random pad material through customs.

    verify your PGP (or GPG if you please) fingerprint (assuming you're not being wiretapped as well),

    Passive eavesdropping (aka wiretapping) does not interfere while verifying a public key fingerprint. So you can verify fingerprints of a public key in a public place.

    OTP has other problems, beyond the typical key distribution problem. If a non-random source is used for generating the key material, or if the key pad is accidentally reused, then trouble strikes, like it did with Venona.

    OTP also lacks message integrity, so if an attacker could cut and paste blocks of encrypted ciphertext, Bob would not be able to detect the altered message if the decrypted text makes sense (deposit $1000 to account #1233335632 rather than the modified message of deposit $4950292.95 to #1233335632)

    encryptions based on elliptic integrals (which by theorem can't be solved analytically, but I suppose there could be approximations).

    Now what methods are you referring to here? Elliptic Curve Cryptography normally is used as a faster version of the Discrete Logarithm Problem (DLP) where it is faster and easier to Exponentiate (x^y) than it is to calculate its discrete logarithm (x such that g^x = h) which is the inverse operation and is much harder to calculate.

    So I would be interested in this method of using elliptic integrals.

    Quantum computing changes the games of cryptography, but it does not end the struggle of cryptographer vs. cryptanalysis. AES when used with a 256-bit key is expected to withstand a brute force key search using quantum computing within the near future (less than 10-20 years). Of course quantum computing being a young field there is a chance that a radical discovery may ruin our present best estimates for future capabilities.

  13. Re:Maybe? on Cryptogram: AES Broken? · · Score: 1

    DES is symmetric, and I'm pretty sure AES (Rijndael) and Serpent are, as well.


    Yes, AES and Serpent are symmetric. They use a single secret key for both encryption and decryption.

  14. Get the right education on On Balancing Career & College... · · Score: 3, Informative

    I am surprised that I haven't seen others mention this, but make sure you are getting the right education for you. People learn differently, and you may have had a problem with the learning / study methods used at university.

    There is a difference between different schools, state vs. private universities, two and four colleges, polytechs, and distance education vs. correspondence. Research the options, and pick the right one for you.

    In this day and age you do not need to attend classes in person to earn a meaningful degree, in UK, the Open University leads the way, and in Canada there is Athabasca University, I am not as familiar with US schools, but there is the University of Phoenix as well as many others.

    Define your goal(s) of attending a post-secondary school. Also an idea for your career goals might be useful, but you need specific education goals. Write them down. I said, write them down. This is how you will evaluate schools, programme and course choices.

    Is it just to have a degree? Do you want more a fundamental understanding (i.e. theoretical) of computing? Do you want business skills? To become a better rounded software engineer? Understand business, so you can grow your own business? Get a MBA? Meet women? For technical training? To earn more money? Continue doing what you already do, or so you can do something new? Certification?

    A university degree is supposed to be based upon a theoretical understanding, which while being less specific (i.e. more abstract), is more lasting and will not be outdated every 3 years. That is the #1 source of frustration and confusion I see from young computer science students. A university degree is not a career training programme. You get to do the career training in your own time.

    Make use of your electives, do not choose courses because you think they will be easy like "Rocks for Jocks" and "Clap for Credit", find introductory courses you will be interested in, and will benefit you either personally or professionally.

    Most schools have some means of providing tours of their facilities, especially in the summer. Since this is an investment that will cost approx. $40,000, you should research this investment as being right for you. If possible, arrange a talk with someone from the department that you are looking at majoring in.

    Bone up on time management and planning skills, and study skills if you find studying difficult. University is about learning, but unfortunately very little is taught about how best to learn (for you). Read Stephen R. Covey's The 7 Habits of Highly Effective People it will help in setting your priorities, and planning. To help learn about learning, John L. Adams book Conceptual Blockbusting: Care and Feeding of Ideas, and George Polya's How to Solve It.

    Practice reading, seriously if you do not do a lot of non-fiction book reading, start doing some more. A list of books any /.er should enjoy is Steven C. McConnell's Top 10 Reading List.

  15. Re:you're in the wrong place/country/job on Do Long Work Hours Affect Code Quality? · · Score: 1

    But until someone successfully sues they can keep doing it. Don't like it? They can just fire you.

    Actually being in the EU, you do not need an expensive civil lawsuit, you can go to the EU Human Rights Commission, at no cost. Firing someone because of a complaint/investigation is illegal to the best of my knowledge.

    And I'd bet the non competition clauses are okay in most circumstances--just in some cases they aren't.

    No, they are still written into contracts in the hopes that the employee will not be well informed, and keep them from leaving for another software house/telecommunication firm/game maker. The employer is hoping that the employee is ignorant of the law, and there is no penalty AFAIK for unenforceable clauses in a contract. AFAIK in most cases the non-competition clause is not enforceable. The employer may threaten, but it is an idle (or ignorant) threat because it won't stand up.

    As I said before, I'm not a solicitor in the UK, so this isn't legal advice.

  16. Re:Egad on Auburn University First To Offer Wireless Degree · · Score: 1

    We all know that "3G" and "4G" are such important, well defined engineering terms.


    3G is shorthand for "3rd Generation Partnership Project (3GPP)"

  17. Re:you're in the wrong place/country/job on Do Long Work Hours Affect Code Quality? · · Score: 2

    The law, at least in the UK (and we only have it because of the Working Time Directive that we must implement, being a Member State), is that you cannot be forced to work more than 48 hours per week averaged over a 13 week period.

    Of course, my contract contains a clause saying that I waive that right, and I'd be very surprised if there were many IT firms in the UK that didn't have that sort of contract.


    I'm not a solicitor in the UK, but I think you'll find that there is a lot of unenforceable garbage in contracts. The non-competition clause is a standard one that is actually defeated repeatedly in UK courts, if it interferes with your ability to be gainfully employed.

    I expect that you cannot waive your rights to a safe work place, and more than 48 hours per week averaged over a 13 week period may be construed as an unsafe work environment due to increased likeliness of injury (e.g. RSI, stress, nervous breakdown, depression), and adversely affect your quality of life (increased possibility of divorce).

  18. The productivity will go down on Do Long Work Hours Affect Code Quality? · · Score: 2

    The productivity will go down. I don't know about quality, but after unrealistic, and sexist and illegal demands, from management your co-workers will be spending their days going to interviews, and submitting their resume to job boards and handing cvs to anyone on the street in a suit.

    Let the managers pay for their own mismanagement. Get a job elsewhere.

    Good luck.

  19. Re:Its funny...(BBC and CBC) on How Could TV Survive Without Commercials? · · Score: 3, Insightful

    The ads for BBC programmes are between shows not every 10-15 minutes, so you can watch a show without interruptions. Which is very nice when the BBC runs movies on BBC1 or BBC2. I can't watch a movie with ad breaks, it ruins the experience. So I pay for premium movie channels like HBO.

    I used to get a kick out of American shows on BBC, they would insert "signs" like "end of part 1", "end of part 2" so that the pause in the footage, designed for commercial break, still worked. I think it also helps timing, but that is secondary to the viewer.

    CBC in Canada used to be commercial free, but without a TV license, their budget was too small. So now their budget is still too small and they have commercials. Mainly to afford to buy cheap American sitcoms and movies.

    I watch less and less "commercial" television. When I can, I prefer to go to an independent cinema, and watch an independent film. On average, I am far less disappointed with indie films, see a broader range of cultural material (not just sitcoms from LA and NYC), better stories, and save money. I mean I would far rather see Amélie or 8 1/2 again than Blue Crush.

  20. Re:Simple. The best looking. on How Should You Interview a Programmer? · · Score: 2, Interesting
    I've never met a female I'd consider to be even an acceptable programmer.


    I did not mean the drunk girl at the party. :-)

    I have found my female colleagues naturally better system analysts, quality conscious, far better at working within a team, and more willing to forego "gold-plating" of the deliverables.

    There are fewer assembly or OS level system programmers that I've met, and I think it is because they are not obsessive about minutiae that assembly programming requires. I also find they are not willing to participate in "death march" style of project management. Which should be considered a good thing, because "death march" is not a good software engineering practise.

    In any case, I think companies should hire people to be software developers (or software engineers) not code monkeys if they want them to stay as long term employees.

  21. Re:Simple. The best looking. on How Should You Interview a Programmer? · · Score: 1

    Real programmers aren't working in fields that require "business logic". Business computing just isn't an intellectual challenge.

    I did not mean macho programmers. Perhaps I should have called them programmers in real-life, or programmers with a job.

    Real programmers are the ones that take home a pay cheque. I am talking about information system programming (in C, Visual Basic, Delphi, whatever), working on 2 or 3-tiered systems, depending on a database system, and provide business critical systems. Based on employment figures, most programmers do do business logic.

    While it's not sexy, geeky, or macho it is the bulk of "programming" in IT today. Who do you think writes all those lines of COBOL? Which is still the estimated most popular language by the LOC in use.

  22. Simple. The best looking. on How Should You Interview a Programmer? · · Score: 2

    You're hiring a human being not a code monkey to interact with your existing team, your non-technical staff (customer support, management, marketing, payroll), and to solve problems. Unless you are in that 2% of programming that need strong algorithmic skills on the job, the more productive programmer will be the one that uses already written, tested and documented library routines. Most real programmers spend their time understanding requirements and implementing "business logic."


    So hire the female that looks good in a short skirt. If she is not the best programmer, so what, educate her.


    I am only half joking. Women on average tend to be better at listening, empathic to the needs of others, less likely to hide behind jargon, willing to admit to not having all the answers and ask questions, and will work very hard to prove that they deserve their job and are not just a pretty face.


    So you'll be getting someone who is willing to work with the team, can listen, less likely to be a smelly offensive troll to non-technical colleagues, and you'll be helping to combat the imbalance of the sexes in computing.


    Oh, and hire someone happy to work for your company. Most of my employment partings involve not being able to stomach my employer or the (mind numbing) work I did for them any longer.

  23. So you mean I didn't have to? on Sony-Ericsson Starts US$5M Astroturf Campaign · · Score: 4, Funny

    pairs of women ("actresses and female models") at bars playing interactive Battleship with each other from opposite ends of the bar.

    Hold it, you mean I didn't have to sleep with her just to play with the phone?

  24. Re:Scientists out of touch with the economy. on Spafford On Infrastructure Risks · · Score: 2

    Spaff is pretty well known in the Internet, but I am afraid I can't think of a major contribution to computer security from him since tripwire.

    You mean other than his books (Practical UNIX and Internet Security, Web Security, Privacy and Commerce, Computer Crime: A Crime-Fighters Handbook (contrib ed.)), being the director of CERIAS and founder of Purdue CERT, chairman of ACM U.S. Policy Committee, advisory board member of Tripwire Inc, and the winner of umpteen awards in computer security and computer science.

  25. Re: USS Yorktown on Spafford On Infrastructure Risks · · Score: 2

    I have to agree that a bit (a lot?) of what Spafford wrote was a bit over the top. My favorite could have been written by somebody on /.

    "The next generation of Navy aircraft carriers is going to have all weapons systems, propulsion, and command and control run by the very same system that you use at home to browse the Internet and play computer games. This is the same one that keeps coming up with "blue screens of death," which take on new, grim meaning in a military environment."

    If Spafford had been a bit more toned down, he could have still made the same points without introducing vulnerabilities in his arguments that would make one cringe

    Well, he isn't really over the top, the difference between say Windows XP and Windows NT/2000 is minor. Perhaps you should read about the USS Yorktown.
    RISKS digest 19.88 (1998): USS Yorktown dead in water after divide by zero.