> They are making too many decisions that really should be mine, not theirs. A lot of us use chosen DNS servers
Like you, I would turn it off. I also recognize that 99.9% of users don't know what DNS is. So that goes to the question of "they [Firefox] are making too many decisions that should be mine, not theirs". I would say the *defaults* should be selected based on what is best for the 99% of users who can't and won't make a choice. Settings should be available for the 0.1% who will use them.
That said, I'm not convinced that this particular choice is best for the 99% who don't know what we're talking about. That's an entirely separate question.
This is an example of different people having different values and preferences. I very much encourage my co-workers to call me, for a number of reasons.
At my job, we each have our own area of expertise and responsibility. Especially with my 20 years of both experience and constant study, there are certain things which are very much in my domain and either I care very much how it's done, or I have significantly more knowledge or experience about a certain thing (such as about code that I wrote).
I very much value efficiency, getting a good value, more bang for the buck. Therefore it bugs me when I find out that someone spent 8 hours trying to figure out something I could have told them in four minutes. I'd much rather answer their call - I'm probably driving (Bluetooth) or sitting at some social gathering I don't care about anyway, so their call is a welcome break from the boredom. It's just far more efficient to ask me, sometimes.
Other times, I've come back from being gone, or just from concentrating on other work, and found that a co-worker has made a big mess which could have been avoided with a five-minute conversation, because they were stretching too far outside their limits*.
Sometimes I have to clean up their mess. Other times the situation doesn't allow me to clean it up, so I have to live with their mess. I'd rather take the phone call.
I'm ALSO able to say "I'm a bit busy right now, but I can call you back in two hours", or even "I'm going to have to work with you on that when I get back to the office. There are some traps there that might bite you, so it might be a good idea to wait."
I can totally understand people not wanting to be disturbed though!
* In my experience there is a "right" amount of stretching one's abilities. Just like with physical fitness, fitness experts tell us to stretch our muscles, but don't stretch so far that it hurts - pain indicates damage. I'm not saying people should never do more than they've done before. Studies in education indicate learning happens when people go just a little beyond what they know well - not when they are in deep over their head.
Also, suppose there is a 95% chance that one will get away with X. Typically, the criminal, upon getting away with it the first time, does it again. They still don't get caught, so they do it again. They keep doing it until they get caught.
Certainly some people will commit a violation once and never again, but they account for a rather small proportion of crime, so I'm not all too concerned about them.
So you want time off at the right seasons for traveling to each destination? How do you feel about getting work calls while traveling with your family? How about working 40 hours while traveling, as many people do?
Do you like to travel in a van, or in first-class on airliners? Do you enjoy spending time around other travelers, rather than homebodies?
I dare say your work can have quite an effect on your travel.
As it happens, we got lucky. It turns out you CAN have privacy, and still catch criminals.
It just so happens that felons tend to be stupid, and therefore fairly easily caught. Perhaps that's because generally, committing serious crimes is stupid, so typically stupid people do so. The rest of us can have our privacy, while the dumb crooks get themselves caught by being dumb.
That's the one part that stuck out to me as well. I would think that for anyone who "gets" normalization, who understands why it's done, seeing redundant data because it's not in 4NF would be at least "icky".
Even if one doesn't remember exactly what each of the normal forms are, the gist of 2-5 is "duplicating the same data over and over again is a bad idea". Some of my co-workers likely don't even know/remember the phrase "normal form", but if you showed them a table that wasn't 4NF, when they saw the duplication they would know it should be improved.
Fifth normal form is the one that seems a bit silly to me, in actual practice. It gives up a lot of the utility of the model, for very little gain. 5NF may be useful as a CS concept for developing theory.
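As an added illustration of the "duplicating the same data over and over" point in the comment above (this is example code, not part of the original thread), here is a small relation that is not in 4NF because it stores two independent multi-valued facts about an employee in one table, alongside its decomposition into two 4NF relations. The employees, skills and languages are constructed sample data; the function names are my own.

```python
# Added example (not from the original comment): a non-4NF relation with a
# multi-valued dependency, its decomposition, and a lossless-join check.
from itertools import product

# Constructed sample: each employee has a set of skills and a set of
# languages, and the two sets are independent of each other (the classic
# multi-valued dependency that 4NF addresses).
EMPLOYEE_SKILLS = {"alice": {"sql", "python"}, "bob": {"go"}}
EMPLOYEE_LANGUAGES = {"alice": {"en", "fr"}, "bob": {"en", "de", "es"}}


def unnormalized_rows():
    """The non-4NF shape: one row per (employee, skill, language) combination,
    so every skill is repeated once per language and vice versa."""
    rows = set()
    for emp in EMPLOYEE_SKILLS:
        for skill, lang in product(EMPLOYEE_SKILLS[emp], EMPLOYEE_LANGUAGES[emp]):
            rows.add((emp, skill, lang))
    return rows


def decompose(rows):
    """Split into two 4NF relations by projecting away the independent attribute."""
    skills = {(emp, skill) for emp, skill, _ in rows}
    languages = {(emp, lang) for emp, _, lang in rows}
    return skills, languages


def natural_join(skills, languages):
    """Join on employee; for a genuine MVD this reconstructs the wide table exactly
    (the decomposition is lossless)."""
    return {(emp, skill, lang)
            for emp, skill in skills
            for emp2, lang in languages
            if emp == emp2}


def redundancy_report(rows):
    """How many rows each (employee, skill) fact is stored in: >1 means the
    same fact is duplicated, which is what a reviewer should find 'icky'."""
    counts = {}
    for emp, skill, _ in rows:
        counts[(emp, skill)] = counts.get((emp, skill), 0) + 1
    return counts


def update_anomaly(rows, emp="alice", new_lang="de"):
    """Adding one language for an employee costs one new row per skill in the
    wide table, but exactly one row in the decomposed form.
    Returns (rows_added_wide, rows_added_decomposed)."""
    skills, languages = decompose(rows)
    languages_after = languages | {(emp, new_lang)}
    wide_after = natural_join(skills, languages_after)
    return len(wide_after) - len(rows), len(languages_after) - len(languages)


if __name__ == "__main__":
    wide = unnormalized_rows()
    skills, languages = decompose(wide)
    print("wide rows:", len(wide), "decomposed rows:", len(skills) + len(languages))
    print("lossless join:", natural_join(skills, languages) == wide)
    print("duplication per (employee, skill):", redundancy_report(wide))
    print("rows added for one new language (wide, decomposed):", update_anomaly(wide))
```

The lossless-join check is the test that matters when decomposing: if the two projections join back to something other than the original rows, the attributes were not actually independent and the decomposition was wrong.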
If the only thing in life you can see any value in is money, I feel sorry for you, because you'll never be satisfied. Money is only a means to an end. If you chase money as though it were the end unto itself, you'll be forever chasing, trying to get more money in order to finally be satisfied. But no amount of money is ever enough, because it doesn't provide satisfaction, contentment.
Just look at all the multi-millionaire stars of stage and screen who have committed suicide, or otherwise ruined their lives. They've had tons of money, yet life was so empty death seemed the only way out.
Or perhaps you didn't notice the summary says people value non-monetary things TOO. Nobody said money isn't useful, and even important. They said it's not the only thing that is important.
I could switch jobs and earn probably 50% more, at least 35% more easily. I don't do that because money isn't the only thing important to me. Time with my family is important. My job provides me important time with my family in multiple ways. They let me work from home, so I can have breakfast with my daughter instead of sitting in traffic. They give me time off, no questions asked, whenever I need it. Actually last week I tried to ask my boss if it was cool for me to take the next day off and he couldn't even understand how that was a question. If I wanted to take a day to go to the water park with my family, that was 100% up to me - I just needed to tell him, not ask him. They respect my work hours vs home hours and don't expect me to be working at 8PM.
My boss and my company treat me with respect. They ask me "are you okay with doing it this way?", or even "how do you think we should do it?", rather than dictating from on high.
Our company had a conversation about what we want to do to improve the world. We don't want to sell just another product like the others, that doesn't really benefit anyone. We want to do something different, something we can believe in as our work doing a little something to make the world a slightly better place.
A year ago I thought I might have to switch jobs because I wasn't sure I could trust my new boss. I don't want to work for someone I don't trust. That matters to me. It turns out he has earned some trust, so I'm still there. Trust and honesty matter.
For many years I ran my own businesses, with a few employees. I work for a much larger, much more stable, company now, because stability matters. It gives me peace of mind. (For further peace of mind, I also have a backup, another large, stable company I could switch to if needed).
My job lets me learn and grow, working on different things, and gives me some flexibility in what I want to work on. Learning and growing are important to me.
Nope, this isn't a buffer overflow, which doesn't happen in Rust, Perl, PHP, JavaScript, C++, or most other languages.
Rust fanbois touting that is like if Ford touted having a spare tire like it's a big deal. Few languages have buffer overflows. Like most languages, Rust doesn't - just like most cars come with a spare tire.
Sounds like the author is completely unaware that software engineering and systems engineering are fields, and people get degrees in each. He thinks computer science is the degree for programming. Realizing that computer science teaches a lot that isn't programming, he suggests hiring a physicist who learned a little programming.
Maybe an analogy will help him:
If you want to design and build a physical thing, such as an engine, you get an engineer to design it. The *science* of how an engine works is physics, applying that science is engineering, not physics. Specifically, you want a mechanical engineer.
Similarly, applying knowledge to design computer-based systems is the job of an engineer as well, a different type of engineer. Either a software engineer or a systems engineer. The difference is that while an engine needs to be designed in detail, blueprints made, before it is built, for software the detailed blueprint *is* the software. You don't need the extra step of machinists physically constructing it after the blueprints are made.
Computer science is to programming as physics is to engine design.
Computer engineering, like mechanical engineering, is a degree that teaches you how to design robust, cost-effective things. Programs in the former, machines in the latter.
He sounds to me like he recommended hiring physicists for an engineering role, because he's unaware that software engineering and systems engineering exist. He thinks computer science is supposed to be programming.
> Next question: how much does it cost to live in Shanghai? Here we go: ¥4,327.53 That's about USD $633 we.
You're using the number for basic living expenses per person other than rent, and that's your cost of living you're comparing to household income? I'm not sure why you are ignoring the $996.52 per bedroom for rent.
We were looking at median household income, so figure 2.5 people. Rent $633-1266, plus, according to the page you linked, $1582.50 / month basic living expenses.
About $2300 / month to cover your basic bills doesn't sound like 1/5th of the US cost to me. Again, I pay about that while living in a 3,500 square foot, 4-6 bedroom house in Dallas.
Funny you mention WordPress. Scheduled for the next sprint, we'll be programming detection for over 800 known vulnerabilities in WordPress plugins, and 300-400 in WordPress itself. If WordPress plugins are your example of programming by non-experts...
Their on-paper policy was "thirteen strikes and you're out", if you have thirteen or more separate complaints filed against you, they were supposed to take action. They decided not to actually do that. Following that policy would have saved their ass. Thirteen strikes seems pretty generous to me.
> don't think your solution of hiring just "a professional" works.
I specifically said hiring just a "professional", someone hired as a programmer, is not sufficient. In my other post I mentioned that I still study several hours per week, because new vulnerabilities and attacks arise every week.
I also insisted on establishing code review / peer review at my job, where other people trained in security review all of my code before it's deployed. We have weekly sessions where someone on the team presents something related to security for all of us to learn - continuing education every week. Those things are part of actual professionalism. Now, I'm learning more about how one of the best companies does security with software designed for top secret software. I'll apply what I learn, where appropriate. Lockheed Martin seems to take security very seriously, and do a pretty good job. If anyone reading this has worked for Lockheed, I'd enjoy talking to you.
Something in the style of HyperCard or OS macros, or Excel macros can be very helpful to partially automate your job. Rather than clicking the same thing over and over, you can script your task. That doesn't always require a lot of expertise.
Contrast that with code exposed on the internet, which potentially connects to your company's critical databases. Being on the web, that code will be attacked hundreds or thousands of times per day. Sometimes, attacked by very skilled attackers. These are two VERY different situations.
On your desktop, sure go ahead and script autoreplies to common emails. For code on web, being attacked thousands and thousands of times, which can result in multi-million dollar losses, that's best done by someone who really knows what they are doing.
That does NOT mean a "professional programmer" who was hired as a programmer because he "knows a lot about computers". That means someone who has actually studied how to architect and author secure systems to be robust while under attack, and continues to study. Twenty years into my career, I still study several hours per week, because the black hat hackers keep learning new ways to attack us.
> There are so many javascript web frameworks that let incredibly poor programmers produce useful tools. They may be horridly inefficient and buggy but they work.
Yes, they seem to pretty much work, when they receive the expected inputs. Since the person who wrote it doesn't know what they're doing, inputs they didn't anticipate result in yet another $20 million breach.
There is a place for something like Hypercard, macros, etc - on your own desktop, to make your job easier. Programming that's going to be exposed to hundreds or thousands of attacks per day, programming on the web, needs to be done right.
"Done right" doesn't just mean "a professional", an English major given the title "Programmer". It means someone who actually knows what they are doing.
To qualify for safe harbor under the DMCA, an ISP must implement a reasonable policy regarding repeat offenders. Quoting from the complaint:
--
Specifically, the Court concluded: Cox did not implement its repeat infringer policy. Instead, Cox publicly purported to comply with its policy, while privately disparaging and intentionally circumventing the DMCA's requirements. Cox employees followed an unwritten policy put in place by senior members of Cox's Abuse group by which accounts used to repeatedly infringe copyrights would be nominally terminated, only to be reactivated upon request. Once these accounts were reactivated, customers were given clean slates.
5. The Court further found that starting in September 2012, Cox abandoned its tacit policy of temporarily suspending and reactivating repeat infringers' accounts, and instead stopped terminating accounts altogether. Id. at 655-58. 7. The Fourth Circuit affirmed this Court's holding, explaining that although "Cox formally adopted a repeat infringer 'policy,' . . . both before and after September 2012, [Cox] made every effort to avoid reasonably implementing that policy. Indeed, in carrying out its thirteen-strike process, Cox very clearly determined not to terminate subscribers who in fact repeatedly violated the policy." 881 F.3d at 303. The former head of Cox's Abuse Group, Jason Zabek, summed up Cox's sentiment toward its DMCA obligations best in an email exclaiming: "f the dmca!!!" --
According to the complaint, Cox chose not to follow the DMCA requirements for safe harbor, and literally wrote "f the dmca!!!"
I'm sure Cox has their side of the story, but they already told their side of the story in court, and after hearing their side the judge already ruled that they did not in fact implement a reasonable policy.
Windows has what they call Mandatory Integrity Control, which is very different from MAC.
The concept behind MIC is useful for systems with tens of thousands of people. Well, it would be useful, except Microsoft forgot to implement half of it. It's not very useful on a personal computer, and hence rarely used. The idea, borrowed from DoD, is that people and files are assigned security levels. Low security, medium, high, top secret. Low security people can't read high security files. That's cool - if you have tens of thousands of people who need different security LEVELS to maybe access millions of files.
The second half of that system, used by DoD and others serious about security, is that high-level people can't write low security files. If you have top-secret information, anything you save could contain top secret information, so by default it is treated as top secret until it's cleared. Windows doesn't do that. On Windows, the admin's Keepass keyring may be a low-security file, and therefore readable by JavaScript.
Even if they had implemented MIC, both halves, that in no way replaces MAC. The two are orthogonal. It's like the CIA saying "we don't need locks on the doors because we stamped the document 'top secret'".
Different expectations indeed. It would be rare to find anything smaller than 650sq feet in Texas. In many cities, anything below 200 is ILLEGAL, and there are legal limits on how many can be built under 600 or 650.
My bedroom suite is about 400 square feet. 300 for the bedroom proper, plus the walk in closet and attached bathroom. My four year old daughter's bedroom is about 300. We have two other bedrooms we don't use, plus my office and another room I use for hobbies. I'm not at all rich by American standards.
Which just goes to show again how affluent Americans are compared to most of the world.
Microsoft made a very smart decision, which was exactly the right thing to do at the time. Then the world changed and what had been a good decision became a huge problem. Not because Microsoft was dumb, but because of a fundamental change in computing.
> It's also had proper security measures for ages (UAC is basically Sudo)
Yes, it is basically sudo, which was considered proper security... in the 1970s. Windows has had it for ten years, so only 30 years behind. That model is called discretionary access control, or DAC.
In the 1970s and 1980s, very secure systems had a much more secure model, called mandatory access control. That's more security than needed for a personal home computer which runs from a local disk, as opposed to a mainframe exposed on a network. A personal home computer only needed to be worried about viruses on disks, because they used Disk Operating System, not a network operating system such as Unix.
Then the world wide web happened. What had been your personal home computer was suddenly exposed to hackers around the world. The level of security needed, the way one thinks about security, had to change radically. That's why Linux got Mandatory Access Control in the 1990s, first as an optional module, then as a built-in part of the kernel, called SELinux. Since the late 1990s, MAC has been "proper security". Windows may get it in about ten more years - they recently got the *nix userland.
I said Microsoft ended up in this situation by doing something smart. In the 1970s, computers cost as much as a house (particularly with important accessories like hard drives). Microsoft wanted a system people could run at home, on affordable hardware. That meant a few kilobytes of memory, and a 360KB drive. A drive that can store 360KB isn't much. To make that work, Microsoft would have to delete 80% of the OS compared to mainframes. It made perfect sense to delete stuff home users wouldn't have any need for. Before the web, they had no need for any of that security stuff, so Microsoft didn't include any in their OS.
Microsoft spent 1990-1994 (and a billion dollars) developing a new future of computing. The key underlying technology was called COM. Their vision of the future was finally ready for beta testing when it got its name, Windows 95. But something crazy happened. In 1995, the world wide web became a phenomenon. There was a whole new future of computing completely different from what Microsoft had spent years developing. At first they tried to stop the web, then tried to turn it into a bunch of COM programs (by renaming COM to ActiveX) which would run only in Internet Explorer. That didn't work, of course. HTML was too good of an idea to be stopped.
Microsoft started fighting. Trying to save their vision of computing. Mobile showed up and Microsoft tried, but missed. Tried again and missed. They fought against Linux, they fought against the open internet, and they fought against the government potentially breaking the company into pieces. They fought for 20 years and in all this fighting they didn't accept the reality, the new needs, and build a solid, secure operating system - they improved some things, but didn't catch up on security. Remember they started off about 30 years behind on security, which was actually the smart thing to do at the time.
A few years ago Microsoft leadership really accepted they had lost the fight. They have started embracing Linux and open source. They now know they and their systems are just one more player in a huge global network - one full of dangers. It takes a few years to reverse the culture all through a behemoth the size of Microsoft, so pockets of old-school Gates and Ballmer-style thinking remain. They are improving on many fronts.
Of course their new thing is Windows as a service, paid for in part through the Facebook model of giving up all your privacy and control. We'll see how that works out. Facebook is an enormously successful company, so maybe the same model will work for Microsoft.
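To make the distinction in the two comments above concrete (the "two halves" of the level-based model in the MIC comment, and the DAC-versus-MAC contrast in the UAC reply), here is an added toy model. It is example code written for this page, not code from the original thread, and it is not a model of how Windows MIC, UAC or SELinux are actually implemented: it only encodes the rules the comments describe. The level names come from the comment; the user names, the `keyring.kdbx` and `notes.txt` files and the single "world readable" bit are constructed for illustration.

```python
# Added example: toy discretionary vs. level-based mandatory access control.
# Not a model of real Windows or SELinux internals; names and files constructed.
from dataclasses import dataclass

# Ordered levels, as listed in the comment above.
LEVELS = {"low": 0, "medium": 1, "high": 2, "top-secret": 3}


@dataclass
class Subject:
    name: str
    level: str          # clearance; the DAC policy ignores it entirely


@dataclass
class File:
    name: str
    owner: str
    level: str          # classification label, set by policy, not by the owner
    world_readable: bool = False   # the one "permission bit" this toy models


class DAC:
    """Discretionary: the owner decides, and anything running as the owner
    (a script, a compromised process) can change the bits just as well."""

    def can_read(self, s: Subject, f: File) -> bool:
        return s.name == f.owner or f.world_readable

    def can_write(self, s: Subject, f: File) -> bool:
        return s.name == f.owner

    def chmod(self, s: Subject, f: File, world_readable: bool) -> None:
        if s.name != f.owner:
            raise PermissionError(f"{s.name} does not own {f.name}")
        f.world_readable = world_readable


class LevelMAC:
    """Mandatory: decisions come from labels the subject cannot change.
    'No read up' is the first half the comment describes; 'no write down'
    is the second half. enforce_no_write_down=False models a policy that
    has only the first half."""

    def __init__(self, enforce_no_write_down: bool = True):
        self.enforce_no_write_down = enforce_no_write_down

    def can_read(self, s: Subject, f: File) -> bool:
        return LEVELS[s.level] >= LEVELS[f.level]        # no read up

    def can_write(self, s: Subject, f: File) -> bool:
        if not self.enforce_no_write_down:
            return True
        return LEVELS[s.level] <= LEVELS[f.level]        # no write down


def dac_leak_demo() -> bool:
    """Under DAC, code running as the owner can make a sensitive file readable
    to everyone. Returns True if the low-privilege user can then read it."""
    script_as_admin = Subject("admin", "low")   # runs with admin's identity (constructed)
    guest = Subject("guest", "low")
    keyring = File("keyring.kdbx", owner="admin", level="high")
    dac = DAC()
    dac.chmod(script_as_admin, keyring, world_readable=True)   # allowed: same owner
    return dac.can_read(guest, keyring)


def mac_demo(enforce_no_write_down: bool) -> dict:
    """Under level-based MAC nobody can relabel the keyring. The interesting
    case is the high-clearance subject writing into a low file: with only
    the first half enforced, that write is where a secret can flow downward."""
    mac = LevelMAC(enforce_no_write_down)
    admin = Subject("admin", "high")
    guest = Subject("guest", "low")
    keyring = File("keyring.kdbx", owner="admin", level="high")
    notes = File("notes.txt", owner="admin", level="low")
    return {
        "guest_reads_keyring": mac.can_read(guest, keyring),    # no read up
        "admin_reads_keyring": mac.can_read(admin, keyring),
        "admin_writes_low_notes": mac.can_write(admin, notes),  # no write down?
        "guest_reads_notes": mac.can_read(guest, notes),
    }


if __name__ == "__main__":
    print("DAC: guest can read keyring after owner's script chmods it:", dac_leak_demo())
    print("MAC, first half only:", mac_demo(enforce_no_write_down=False))
    print("MAC, both halves:   ", mac_demo(enforce_no_write_down=True))
```

Running it shows the shape of the argument: under DAC the owner (or anything running as the owner) can open the file up, under the first-half-only policy the high-level subject can still copy sensitive content into a low-level file that a low-level subject then reads, and only with both halves enforced is that path closed. Real systems add many refinements (declassification, categories, per-object overrides) that this toy deliberately leaves out.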
I was distracted by my daughter while I typed that, so please excuse the typos. Also, an error because I combined two sentences into one:
A *typical* new-ish house in the area at that price would be about 2,350 square feet. MY house, at that price, is a tad over 3,500 SQ feet for $240K in 2016, but I got a good deal.
You may recall the China Post page I linked to reported salaries from a site similar to Monster.com, so tech jobs and such. That number was $17K and change.
Compare $58K as I recall in D/FW (Texas), while a 1,000 SQ foot apartment in Shanghai can be $750,000, and I got a 2,350 square foot house for $240K. So real estate per square foot is far more expensive in Shanghai, while even tech salaries are about 70% less.
I think if I were selling expensive toys, I'd want to sell to the people who a) make three or four times as much money and b) have thousands of dollars more left over each month after paying for housing.
Yep
Cox should certainly bring that up in court.
Of course, that was part of the reason for the "thirteen strikes" rule that Cox was supposed to implement, but didn't.
Their on-paper policy was "thirteen strikes and you're out", if you have thirteen or more separate complaints filed against you, they were supposed to take action. They decided not to actually do that. Following that policy would have saved their ass. Thirteen strikes seems pretty generous to me.
> don't think your solution of hiring just "a professional" works.
I specifically said hiring just a "professional", someone hired as a programmer, is not sufficient. In my other post I mentioned that I still study several hours per week, because new vulnerabilities and attacks arise every week.
I also insisted on establishing code review / peer review at my job, where other people trained in security review all of my code before it's deployed. We have weekly sessions where someone on the team presents something related to security for all of us to learn - continuing education every week. Those things are part of actual professionalism. Now, I'm learning more about how one of the best companies does security with software designed for top secret software. I'll apply what I learn, where appropriate. Lockheed Martin seems to take security very seriously, and do a pretty good job. If anyone reading this has worked for Lockheed, I'd enjoy talking to you.
Something in the style of Hypercard or OS macros, or Excel macros can be very helpful to partially automate your job. Rather than clicking the same thing over and over, you can script your task. That doesn't always require a lot of expertise.
Contrast that with code exposed on the internet, which potentially connects to your company's critical databases. Being on the web, that code will be attacked hundreds or thousands of times per day. Sometimes, attacked by very skilled attackers. These are two VERY different situations.
On your desktop, sure go ahead and script autoreplies to common emails. For code on web, being attacked thousands and thousands of times, which can result in multi-million dollar losses, that's best done by someone who really knows what they are doing.
That does NOT mean a "professional programmer" who was hired as a programmer because he "knows a lot about computers". That means someone who has actually studied how to architect and author secure systems to be robust while under attack, and continues to study. Twenty years into my career, I still study several hours per week, because the black hat hackers keep learning new ways to attack us.
> There are so many javascript web frameworks that let incredibly poor programmers produce useful tools. They may be horridly inefficient and buggy but they work.
Yes, they seem to pretty much work, when they receive the expected inputs. Since the person who wrote it doesn't know what they're doing, inputs they didn't anticipate result in yet another $20 million breach.
There is a place for something like Hypercard, macros, etc - on your own desktop, to make your job easier. Programming that's going to be exposed to hundreds or thousands of attacks per day, programming on the web, needs to be done right.
"Done right" doesn't just mean "a professional", an English major given the title "Programmer". It means someone who actually knows what they are doing.
To qualify for safe harbor under the DMCA, an ISP must implement a reasonable policy regarding repeat offenders. Quoting from the complaint:
--
Specifically, the Court concluded:
Cox did not implement its repeat infringer policy. Instead, Cox publicly purported to comply with its policy, while privately disparaging and intentionally circumventing the DMCA's requirements. Cox employees followed an unwritten policy put in place by senior members of Cox's Abuse group by which accounts used to repeatedly infringe copyrights would be nominally terminated, only to be reactivated upon request. Once these accounts were reactivated, customers were given clean slates.
5. The Court further found that starting in September 2012, Cox abandoned its tacit policy of temporarily suspending and reactivating repeat infringers' accounts, and instead stopped terminating accounts altogether. Id. at 655-58.
7. The Fourth Circuit affirmed this Court's holding, explaining that although "Cox formally adopted a repeat infringer 'policy,' . . . both before and after September 2012, [Cox] made every effort to avoid reasonably implementing that policy. Indeed, in carrying out its thirteen-strike process, Cox very clearly determined not to terminate subscribers who in fact repeatedly violated the policy." 881 F.3d at 303. The former head of Cox's Abuse Group, Jason Zabek, summed up Cox's sentiment toward its DMCA obligations best in an email exclaiming: "f the dmca!!!"
--
According to the complaint, Cox chose not to follow the DMCA requirements for safe harbor, and literally wrote "f the dmca!!!"
I'm sure Cox has their side of the story, but they already told the side of the story in court and after hearing their side the judge already ruled that they did not in fact implement a reasonable policy.
Windows has what they call Mandatory Integrity Control, which is very different from MAC.
The concept behind MIC is useful for systems with tens of thousands of people. Well, it would be useful, except Microsoft forgot to implement half of it. It's not very useful on a personal computer, and hence rarely used. The idea, borrowed from DoD, is that people and files are assigned security levels. Low security, medium, high, top secret. Low security people can't read high security files. That's cool - if you have tens of thousands of people who need different security LEVELS to maybe access millions of files.
The second half of that system, used by DoD and others serious about security, is that high-level people can't write low security files. If you have top-secret information, anything you save could contain top secret information, so by default it is treated as top secret until it's cleared. Windows doesn't do that. On Windows, the admin's Keepass keyring may be a low-security file, and therefore readable by JavaScript.
Even if they had implemented MIC, both halves, that in no way replaces MAC. The two are orthogonal. It's like the CIA saying "we don't need locks on the doors because we stamped the document 'top secret'".
"Get a 200 sq ft one "
Different expectations indeed. It would be rare to find anything smaller than 650 sq feet in Texas. In many cities, anything below 200 is ILLEGAL, and there are legal limits on how many can be built under 600 or 650.
My bedroom suite is about 400 square feet. 300 for the bedroom proper, plus the walk in closet and attached bathroom. My four year old daughter's bedroom is about 300. We have two other bedrooms we don't use, plus my office and another room I use for hobbies. I'm not at all rich by American standards.
Which just goes to show again how affluent Americans are compared to most of the world.
I should have known something wasn't right about that 80% number. This percentile chart looks more correct:
https://dqydj.com/household-in...
That puts 30% making over 90K. As you said, we would expect that 50% make over $59K, so ...
I'm not sure now where I got that number. I suspect it might have been an individual income of $90K puts you in the 80th percentile, maybe.
Microsoft made a very smart decision, which was exactly the right thing to do at the time. Then the world changed and what had been a good decision became a huge problem. Not because Microsoft was dumb, but because of a fundamental change in computing.
> It's also had proper security measures for ages (UAC is basically Sudo)
Yes, it is basically sudo, which was considered proper security ... in the 1970s. Windows has had it for ten years, so only 30 years behind. That model is called discretionary access control, or DAC.
In the 1970s and 1980s, very secure systems had a much more secure model, called mandatory access control. That's more security than needed for a personal home computer which runs from a local disk, as opposed to a mainframe exposed on a network. A personal home computer only needed to be worried about viruses on disks, because they used Disk Operating System, not a network operating system such as Unix.
Then the world wide web happened. What had been your personal home computer was suddenly exposed to hackers around the world. The level of security needed, the way one thinks about security, had to change radically. That's why Linux got Mandatory Access Control in the 1990s, first as an optional module, then as a built-in part of the kernel, called SELinux. Since the late 1990s, MAC has been "proper security". Windows may get it in about ten more years - they recently got the *nix userland.
I said Microsoft ended up in this situation by doing something smart. In the 1970s, computers cost as much as a house (particularly with important accessories like hard drives). Microsoft wanted a system people could run at home, on affordable hardware. That meant a few kilobytes of memory, and a 360KB drive. A drive that can store 360KB isn't much. To make that work, Microsoft would have to delete 80% of the OS compared to mainframes. It made perfect sense to delete stuff home users wouldn't have any need for. Before the web, they had no need for any of that security stuff, so Microsoft didn't include any in their OS.
Microsoft spent 190-1994 (and a billion dollars) developing a new future of computing. The key underlying technology was called COM. Their vision of the future was finally ready for beta testing when it got its name, Windows 95. But something crazy happened. In 1995, the world wide web became a phenomenon. There was a whole new future of computing completely different from what Microsoft had spent years developing. At first they tried to stop the web, then tried to turn it into a bunch of COM programs (by renaming COM to ActiveX) which would run only in Internet Explorer. That didn't work, of course. HTML was too good of an idea to be stopped.
Microsoft started fighting. Trying to save their vision of computing. Mobile showed up and Microsoft tried, but missed. Tried again and missed. They fought against Linux, they fought against the open internet, and they fought against the government potentially breaking the company into pieces. They fought for 20 years and in all this fighting they didn't accept the reality, the new needs, and build a solid, secure operating system - they improved some things, but didn't catch up on security. Remember they started off about 30 years behind on security, which was actually the smart thing to do at the time.
A few years ago Microsoft leadership really accepted they had lost the fight. They have started embracing Linux and open source. They now know they and their systems are just one more player in a huge global network - one full of dangers. It takes a few years to reverse the culture all through a behemoth the size of Microsoft, so pockets of old-school Gates and Ballmer-style thinking remain. They are improving on many fronts.
Of course their new thing is Windows as a service, paid for in part through the Facebook model of giving up all your privacy and control. We'll see how that works out. Facebook is an enormously successful company, so maybe the same model will work for Microsoft.
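The MIC comment above describes a label model with two halves (low can't read high; high can't write low) and says those labels are orthogonal to DAC, and the later comment contrasts sudo-style DAC with MAC. The toy reference monitor below, added here as an illustration and not code from any of the comments or from Windows or SELinux, makes both points concrete. Subject names, clearance levels, file names and the ACL contents are all constructed for the example; the two MAC rules are the textbook "no read up" and "no write down" (the Bell-LaPadula simple security and *-properties), and a `mac_half` policy drops the second rule to show what a one-sided implementation leaves open.

```python
"""Toy reference monitor: DAC (owner-managed ACL) vs MAC (sensitivity labels).

Added example, not from the original comments. Levels, subjects and files
are constructed. MAC rules modeled: no read up, no write down.
"""
from dataclasses import dataclass, field

# Constructed ordered sensitivity levels, least sensitive first.
LEVELS = ["low", "medium", "high", "top_secret"]


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as sensitive as level b."""
    return LEVELS.index(a) >= LEVELS.index(b)


@dataclass
class Subject:
    name: str
    clearance: str  # MAC label assigned by policy, not by the user


@dataclass
class File:
    name: str
    owner: str
    label: str  # MAC label assigned by policy, not by the owner
    acl: set = field(default_factory=set)  # DAC: the owner decides who is listed


def dac_allows(subject: Subject, f: File) -> bool:
    """Discretionary: the owner always has access, plus anyone the owner listed."""
    return subject.name == f.owner or subject.name in f.acl


def mac_allows(subject: Subject, f: File, op: str, no_write_down: bool) -> bool:
    """Mandatory: label comparison the owner cannot override."""
    if op == "read":
        return dominates(subject.clearance, f.label)  # no read up
    if op == "write":
        if not no_write_down:
            return True  # one-sided policy: the half the comment says is missing
        return dominates(f.label, subject.clearance)  # no write down
    raise ValueError(f"unknown op {op!r}")


def decide(subject: Subject, f: File, op: str, policy: str) -> bool:
    """policy: 'dac' (ACL only), 'mac_half' (ACL + no read up),
    'mac' (ACL + no read up + no write down). MAC never replaces DAC;
    both checks must pass, which is the 'orthogonal' point."""
    if not dac_allows(subject, f):
        return False
    if policy == "dac":
        return True
    return mac_allows(subject, f, op, no_write_down=(policy == "mac"))


def scenario() -> dict:
    """Constructed situation: an admin's keyring that a low-clearance script
    reaches via a careless ACL, and a low-labelled notes file the admin writes."""
    admin = Subject("admin", "top_secret")
    script = Subject("web_script", "low")  # code reachable from the browser
    keyring = File("keepass.kdbx", owner="admin", label="top_secret",
                   acl={"web_script"})  # owner over-shared under DAC
    notes = File("notes.txt", owner="admin", label="low")
    results = {}
    for policy in ("dac", "mac_half", "mac"):
        results[policy] = {
            "script_reads_keyring": decide(script, keyring, "read", policy),
            "admin_writes_low_notes": decide(admin, notes, "write", policy),
        }
    return results


if __name__ == "__main__":
    for policy, outcome in scenario().items():
        print(policy, outcome)
```

Under `dac` the owner's ACL mistake is final and the script reads the keyring. Under `mac_half` the label stops that read, but the admin can still write into a low-labelled file, so top-secret content can flow down to where the script is allowed to read it. Only `mac` closes both paths, and it does so without touching the ACL, which is why the comment calls the two mechanisms orthogonal rather than substitutes.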
I was distracted by my daughter while I typed that, so please excuse the typos. Also, an error because I combined two sentences into one:
A *typical* new-ish house in the area at that price would be about 2,350 square feet. My house, at that price, is a tad over 3,500 SQ feet for $240K in 2016, but I got a good deal.
You may recall the China Post page I linked to reported salaries from a site similar to Monster.com, so tech jobs and such. That number was $17K and change.
Compare $58K as I recall in D/FW (Texas), while a 1,000 SQ foot apartment in Shanghai can be $750,000, and I got a 2,350 square foot house for $240K. So real estate per square foot is far more expensive in Shanghai, while even tech salaries are about 70% less.
I think if I were selling expensive toys, I'd want to sell to the people who a) make three or four times as much money and b) have thousands of dollars more left over each month after paying for housing.