By this logic, we should all supply our own implementation of printf, because every program that calls the one distributed with the C runtime is a new "point of entry" and thus more vulnerability.
The other way to approach this issue is that if common functions are implemented in common code, then fixes are quicker to implement and deploy. If all those services validate a path and play a file over various protocols, then to the extent you can reuse the path-validation and file-playing code, you improve your ability to fix problems, and as the code matures, you reduce your risk of new bugs by reusing mature code.
Usually, Bruce Schneier writes good stuff, and I enjoy reading it. This time, though, the piece is riddled with misinformation and poor advice. I'm surprised.
SOAP isn't just a Microsoft protocol, for one, but the main problem with that paragraph is that SOAP was not designed to elude firewalls, any more than RPC was. SOAP is just an RPC mechanism that happens to flow over HTTP, mostly because Dave Winer only knows one protocol -- HTTP. Mr. Winer didn't try to evade protocols, he just couldn't conceive of creating a different protocol for this application -- an error of omission, not commission.
In terms of file and media distribution, the function of an HTTP server, FTP server and gopher server are very similar, so there's actually some sense in bundling the three together (and MS isn't the only group to do this). The security problems come when dynamic execution is added to the mix in HTTP. Messrs. Schneier and Shostack desperately want to undo this, but they don't have the right answer -- the problem isn't stocking the three protocols together; it's that the Internet gave us three ways to do the same thing. To really address the security issue here, we should probably go back and redo the protocols so that dynamic content and media content flow over separate protocols, but there's no chance of this happening -- HTTP didn't kill FTP, and even gopher is making a mild comeback, so we're stuck with this mess for a long time.
There's some good advice regarding security in that article, but the authors' notions of product design are off-target, and contrary to the direction a lot of folks (even those beyond MS) are taking.
The States Attorney in Maryland has asked for roving wiretap authority, too. Our excuse is to fight drug dealers. The SA's office said that the state law enforcement bodies haven't been able to keep up with technology.
So how effective are wiretaps in prosecutions? In how many convictions were wiretaps essential evidence?
OS X has something called a Remote Operation API (apparently only documented in header files), that allows you to remotely display an OS X desktop, and to inject input device events. It's more like VNC than the X Window System, but its use is transparent to applications. There's an OS X VNC port that uses it.
In 1994 I was working for a big company where an SGI salesman came in and gave us exactly this pitch. He said that if they had enough I/O bandwidth to animate dinosaurs (referring to the original Jurassic Park), they had plenty of bandwidth for DB apps, and claimed Yahoo! as an early company who had bought in to the idea (at one time, Yahoo! and Netscape were big SGI shops).
It's bizarre to hear that your friend was behind the curve of what the salesfolk were pitching.
Cyrus IMAPd has single-instance store. Mail is stored in files, but metadata is stored in a DB, so you can back it up with normal backup tools. There's nothing about deleted item retention time, but the mailing list is active, and the source isn't bad to work with -- I'm sure someone else is interested in the deleted item retention time feature, and you could cooperate on getting it done.
Also, it's a sealed environment, so you don't have to have OS-level user accounts for mail users -- a security bonus.
(God I hate having to defend Microsoft!) Properly configured, IIS runs as a user other than the administrator, and scripts under IIS run as yet-another-non-administrator user. This is one step ahead of how most Apache installations are run.
When printing strings in sprintf, use "%.*s" to enforce a maximum size on the output. snprintf does the same thing, but you actually get to be a little sloppier, because you don't have to worry about the individual pieces.
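An added illustration of the point above (not from the original comment): the same record built with sprintf plus "%.*s" and with snprintf. With "%.*s" you do the budget arithmetic per piece and the trailing pieces survive; with snprintf the buffer size bounds the whole thing, and the return value tells you whether it was cut short. The field names and sample inputs are constructed for the example.

```c
/* Added example, not code from the original post. Shows two ways to
 * bound formatted output into a fixed-size buffer. Sample inputs are
 * constructed here. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Builds "user=<name>;" with sprintf, bounding the variable piece via
 * the "%.*s" precision argument. The caller must compute how many
 * bytes of name fit once the fixed text and the NUL are accounted for.
 * Returns the number of characters written, or -1 if nothing fits. */
int format_with_precision(char *out, size_t out_size, const char *name)
{
    const char prefix[] = "user=";
    const char suffix[] = ";";
    /* Byte budget for name: total minus fixed text minus the NUL. */
    int budget = (int)out_size - (int)(sizeof prefix - 1)
                 - (int)(sizeof suffix - 1) - 1;
    if (budget < 0)
        return -1;
    /* sprintf is acceptable here only because every piece is bounded;
     * a truncated name still gets its trailing ";" delimiter. */
    return sprintf(out, "%s%.*s%s", prefix, budget, name, suffix);
}

/* Same record via snprintf: the buffer size bounds the whole result,
 * so no per-piece arithmetic is needed, but truncation drops whatever
 * came last (here the ";" delimiter). snprintf returns the length it
 * would have produced, so a value >= out_size means it was cut short.
 * Returns 1 if truncated, 0 if complete, -1 on encoding error. */
int format_with_snprintf(char *out, size_t out_size, const char *name)
{
    int needed = snprintf(out, out_size, "user=%s;", name);
    if (needed < 0)
        return -1;
    return (size_t)needed >= out_size ? 1 : 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    const char *long_name = "averyveryverylongname"; /* constructed */

    format_with_precision(buf, sizeof buf, long_name);
    printf("%%.*s   : \"%s\"\n", buf);   /* user=averyvery; */

    int truncated = format_with_snprintf(buf, sizeof buf, long_name);
    printf("snprintf: \"%s\" (truncated=%d)\n", buf, truncated);
    return 0;
}
```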
The point of a left-handed mouse, and of reversing the sense of the buttons in a multi-button mouse, is to keep the index finger (typically the strongest and most accurate finger) as the most frequently used. Reversing the keyboard layout wouldn't necessarily help keep the strongest fingers busiest. If that were the goal, the Dvorak keyboard is one purported solution, but it's not clear that it actually works better in practice across a broad population (Economist article here).
A biggie is storage management. Enterprise-class databases layer table storage on top of logical storage, which is then mapped into units of physical storage, which allows your database to span, for example, multiple physical drives, or to put the indices on different spindles from the tables.
Intellectual property agreements are written by lawyers to protect the intellectual property of a company. Intellectual property is defined as patents, copyrights and trade secrets. This agreement was about patents. Patents protect inventions or improvements to inventions, and were created to deal with hardware, not software. When the company writes about an invention, they really mean something you can patent or something you have patented. Invention specifically does not mean any idea that came into your pretty little head. Just because you created a program to manage a linked list doesn't qualify it as an invention unless your implementation was sufficiently novel that you could patent it (and then demand license fees from others to use it).
Since programming is all about organizing ideas, most programmers tend to view all of their work as invention, but that's really just a figment of our egos. In the context of an intellectual property agreement, invention has a very specific meaning, which is actually good news, because most of your inventions really, probably, aren't inventions -- they qualify as general knowledge of the industry, which is not subject to IP agreements because you need it to ply your trade (which an IP agreement cannot prevent you from doing).
With respect to making an improvement to an invention, granting the company ownership of the improvement does not grant them any rights to the invention. The thing is, the patented improvements usually are things that you can't live without, so the invention becomes useless without the rights to the improvements. (This is called building a patent fence around an invention, and is a common tactic for circumventing the 17-year life of the monopoly of a patent.)
Finally, about whether the employer can own your ideas invented outside of work, there are several states in which that's not allowed by law, but in all the rest, it's part of the voluntary nature of the agreement -- the law says that if you don't like the agreement, don't take the job, because nobody's holding a gun to your head forcing you to work there. (Contrast this with your rights if drafted into military service -- because you have no choice in the matter, you have some extra rights as compared to those you might have as an employee.) The bad news is that you end up with an uncomfortable choice -- feed your family, or sign an odious agreement. The legal terms are something like you are given compensation in consideration for your ideas. This language was originally meant to apply to guys like Thomas Edison, who were prolific inventors (again, software, for the most part, doesn't count as invention), so the company wanted to be able to have the benefit of all the person's ideas, and in exchange, the company would pay a salary, rather than an hourly rate (you have a much stronger argument that your off-work ideas are your own if you are paid by the hour; everything else is considered work for hire, and is considered property of the person hiring you for the job). What I wonder about is, since almost everyone has IP agreements like this, isn't it a collusion among the companies to prevent you from having a choice, so it would be subject to the Sherman Act, but I don't really think anyone would ever be willing to take that case.
If you're really concerned about your IP, your best bet is to be an independent contractor, where you will explicitly transfer your IP to the person hiring you for the term of the contract, and where you explicitly license your existing IP to them.
Youngsters tend to be recognized for enthusiasm, hard work, and proficiency, but not for people skills.
Oldsters tend to be recognized for proficiency and people skills, but are given lower status than youngsters when it comes to knowing who can pull the all-nighter. (Ask any 40-year-old programmer how secure they feel in their job.)
There is stuff to learn, even from people whom you are sure have nothing to contribute. If nothing else, you can learn how not to treat those around you.
The other important point is to realize that people skills have nothing to do with technical skills. Sometimes those managers are recognizing underdeveloped people skills, rather than failing to recognize technical proficiency.
Run Sorenson Broadcaster on a Mac to capture and encode the stream, and then stream it using the Darwin Streaming Server (from Apple) on Linux, Solaris or Mac OS X, and maybe others.
...that was the only thing we actually needed to pay for
If you did this before RSA released the patent into the public domain, then you should have paid for your SSL library -- your failure to do so gives RSA the right to sue you for denying them license fees.
As I understand it, we still don't have a clear answer on whether it's legal to use SSL without paying RSA a license. It's just that everyone is assuming it's so. I won't be surprised if RSA lawyers start calling everyone up and demanding license fees because of some other patent that SSL requires.
Way back in the late 70s, Byte Magazine (and maybe Dr. Dobb's) started publishing code in machine readable form on paper strips. I can't remember much more than that. Any chance some clever soul out there can dig up more and possibly use it as prior art to help prevent DC's patent from issuing?
Material protected by trade secret status is property, and disclosure of that property is considered theft (as long as the owner takes vigorous measures to reclaim the property), so disclosure by anyone (not just the NDA holder) is material for suit.
Saying only the NDA-signer is liable is like saying that a fence for stolen property isn't committing any crime since the fence didn't steal the item. You might think it makes sense, but US law does not treat it that way.
"Hello, Miss Cleo? My name is Eliza."
Of course it survived a /.ing; it's running AOLserver.
Indy didn't have a 64-bit CPU; you had to move up the SGI line for that. It did have direct binary compatibility with the 64-bit version, though.
The tennis player?
Of course. Who among us could forget Mary Jo's indolent first husband from Designing Women?
Still, I'd rather run AOLserver.
Is this the tape where Armstrong says "Good luck, Mr. Gorsky"?
Seen a network tabloid like 20/20 or Dateline lately? Houses are built like crap. We should aspire to something better.
There was this article in the Baltimore Sun.
It's true.
I am not a lawyer. Not yet, anyway.
No, they released the one patent into, but not this one. How many others are there like this, and do they affect SSL?