Slashdot Mirror


User: ajv

ajv's activity in the archive.

Stories: 0
Comments: 158

Comments · 158

  1. Re:I don't do business with lowlife scum on A Day In the Life of a "Booth Babe" · · Score: 0

    Not everyone. There weren't many at AusCERT this year after I made complaints to the organizers in previous years. I also made it really clear to the vendors too.

  2. Re:I don't do business with lowlife scum on A Day In the Life of a "Booth Babe" · · Score: 0

    And that's exactly my point. Why would women who might model to get through university consider a career in IT once they experience the leering and perving?

  3. Re:I don't do business with lowlife scum on A Day In the Life of a "Booth Babe" · · Score: -1, Flamebait

    Think about WHO is posting the post before modding down on an opinion you don't share. How many posts have I made? Look at my low user ID, I've been here for longer than some of you have been alive. I don't troll /. nor do I post deliberately inflammatory comments.

    So if you are the moron that clicked Flamebait moderation on my post, I expect you to be a lonely virgin living in the basement with your mum. Now, that's flamebait. I wouldn't normally post that, but I am literally white hot angry with whomever did it because you, sir, are a misogynist and should be ashamed of yourself.

    If you have a daughter, I expect you'll want her to be a geekgrrl. If you want that outcome, you will join me in boycotting booth babes. There's few enough women in IT today without ugly impediments such as booth babes.

    I am deadly earnest in how I've acted for the last decade or more. I have directed at least a million dollars in direct recommendations away from vendors that have used booth babes. I will continue to do this.

    It is our industry's shame that it thinks that this is in any way acceptable.

  4. I don't do business with lowlife scum on A Day In the Life of a "Booth Babe" · · Score: 2, Insightful

    I usually avoid the booths in question, but if I have a specific need to find something out, I ignore the booth babe as they know nothing about the products or services.

    I feel terrible for the women as they could easily be in our industry if they wanted, but instead all they do day in day out is be leered at by men who should know better. Why would they enter our industry if their only experience of it is to be objectified?

    I don't do business with any firm that thinks so lowly of women in our industry. I make it absolutely clear to vendors that I do not buy from them if they have booth babes at conferences I attend. I will also strongly recommend against them to my clients. I am not the only one who does this.

    It's 2012, not 1962. It's time to grow up.

  5. Working from home is best on America's Cubicles Are Shrinking · · Score: 1

    I have several co-workers, some who work in a semi-open plan office (essentially a bench against a wall with a few tiny airless offices that no one uses), and three remote home workers, including myself.

    Without a doubt, the amount of useful high quality work that the remote workers pull off is amazing. The boss noticed, and got two of the guys to do a time and motion study using a 5 minute interval to record what they were working on. The office guys struggle to do 90 minutes a day in billable work, and their work suffers for it. I can easily put in an eight hour day, and produce higher quality work than my on-site co-workers can in a week. Sometimes I trade this for a /. session, but most of the time I do high quality work.

    For collaboration, we use Skype.

    There are downsides. I get cabin fever regularly. I am somewhat distant to many of my friends, and not seeing them is a hassle. My boss doesn't see my efforts, and thus I tend to get more work than many of my co-workers, primarily because I can deliver. Family time often disturbs me, even though I've made it perfectly clear that if I was working in an office, I couldn't run down the shops or look after baby girl for an hour or so. This leads to working after hours to catch up occasionally. I'm still to work out this issue despite coming up on two years of working from home.

    If you decide to abandon the cubicle rat race, here's my tips:

    * Your home office has to be away from distractions. You're not going to win if you're in front of folks watching Dr Phil. I have a separate office with about 200 square feet of space.
    * Your own music all the time at whatever volume you want is the birth right of the home worker. Get a good amp and speakers and crank it up baby!
    * Communicate at least a few times every day with your boss. No surprises is the best policy. They buy in to your work and deliverable rather than demanding results and wondering where they are.
    * Set up your home office properly. Sitting at a kitchen table or coffee shop sounds nice until you've been hunched over your laptop for three hours on a crappy chair.
    * Get a big ass monitor even if you have a 17" laptop screen. Your eyes will thank you. Ditto high quality external keyboard and mouse.
    * I bought a fax / printer. Waste of money. Do not want.
    * Reliable communications is all. Have a backup plan such as a 3G dongle in case your primary net access goes down.

    I think I'm broken of the cubicle habit now. It's going to be tricky to stay home for the next 25 years of my working life, but I want to do so. Cubicle life - good riddance.

  6. Prior Art - Acorn Archimedes on Microsoft Applies For Page-Turn Animation Patent · · Score: 2, Interesting

    The Acorn Archimedes, circa 1984, had an image animation demo in the default software package which had a rendered page turning effect similar to the one described.

    The ARM chip was the only processor in a desktop machine at the time powerful enough to do this by CPU alone. It would be years before an Intel chip would be powerful enough to do the same thing.

  7. 1995 wants its news back on New Tool Reveals Internet Passwords · · Score: 1

    Yawn. LSA secrets aren't particularly.

    Why not write stories about those who build things rather than give valuable Slashdot electrons to breaking stuff? Boring.

  8. OWASP Application Security Verification Standard on Security For Open Source Web Projects? · · Score: 1

    Use the OWASP Application Verification Standard - this gives you an insight to the controls you need to work on first. A game should be at Level 2B.

    http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

    Don't worry about the language snobs - ANY language and ANY framework can be secured as long as you do the right thing in terms of design. Where you can go wrong is trusting untrustable data - such as that obtained from the browser without first canonicalizing, validating and ensuring that it meets business logic requirements (such as not being able to pass through walls, or avoiding object collision algorithms, asset or stat manipulation, or score manipulation). The client is completely untrustworthy, and you should be writing your code with that in mind 100% of the time.

    I lean towards publishing the code. The only secrets you really need to protect are master authentication tokens in (say) config.php and authorization tokens in flight. So don't publish the master config.php secrets in SVN or similar, but everything else should be completely open.

  9. Re:Financials on Google Reportedly Ditching Windows · · Score: 1

    Google does not use Microsoft Money to manage a multi-national. It would have to be a major ERP package.

    There's two major ERP players out there - and SAP or Oracle Financials are the most likely candidates.

    These run on pretty much every server OS out there, including Linux and Windows. Most of the ERPs have web based front ends as well as traditional thick clients. In some cases, the thick clients would be Java based, so in theory run on Linux or MacOS X.

    However, given that it's Google, wouldn't be surprised if they wrote their own.

  10. Re:A couple of things on Linux Takes Over E-Voting In Australian State · · Score: 1

    Every state has its own Electoral Commission. ECs are a retirement grounds for out to pasture politicians who want / still need a salary - but not much work - and very hard working and independent minded public servants. I was fascinated by the process that creates new electoral boundaries and trust it a lot more now.

    The AEC and the state ECs compete to run the local council elections. Local councils run elections not for democracy (for which most don't care about), but instead as a method of making quite a lot of money, as most folks don't bother to vote and thus get a fine. There is precisely one correct answer to getting out of the fine, but don't use it too often as you won't be believed on your second or third attempt.

    The computers are in the back room. Trust me, there's lots of machinery counting your votes. They count about 90-95% of the votes electronically by OCR as a first pass. Some of these batches are also counted manually to make sure that the machines are working properly, but the majority of votes are electronically read. If you scrawl or otherwise waste your vote, it'll be scrutinized by hand and entered manually by temp staff working for a DRO. This is about 2% of all votes.

    Don't write offensive crap on your ballot as the community-minded volunteers counting the votes don't work for the parties (in fact, they're not even allowed to be party members) and they are doing it for not much money or no money at all. They've seen it all before.

    If a ward / seat vote is close enough to warrant a recount, party goons will watch temp staff re-count the votes by hand. If there's a discrepancy from the machine count, it might be counted again, but this is really rare. Most electorates and wards vote strongly for one party, so they rarely get counted by hand on the night.

    If you vote below the line in senate elections (and it sounds like you do), good - you've wasted your vote. Such votes are not germane to figuring out who the last seat goes to in a Federal election, and thus your vote is simply wasted. If you really want to make your vote count, vote above the line in a party grouping. But be aware that most of the single issue parties, like the Gun Nut party are fronts for (and paid for) by the majors. Your vote will end up in their hands based upon the two party preferred system.

    The good news is that our voting system is voter verifiable, has a strong paper trail, and difficult to tamper with. That's why I like it - it's a mix of old and new.

  11. Get off my lawn! on Linux Takes Over E-Voting In Australian State · · Score: 4, Interesting

    Converting to Linux for voting machines is a big shift from the VEC of old. Color me impressed.

    I remember many years ago (1998-1999) working at the VEC. I was a system admin in my first security consultant job.

    DEC/Microsoft was helping the VEC create a Microsoft-only COM+ based voting system called EMS 2000. Previously, it had taken 3+ months to organize an election, despite laws allowing the Premier to call an election within a month at any time. So they had to be prepared a long way out, which was costly. EMS 2000 was essentially a way to roll out an election within three weeks. I believe it was used in at least a few elections. I wouldn't be surprised if EMS 2000 has been maintained and is still in use - it was a lot of $$$$$$ to spend on a project.

    EMS 2000 used every single part of the Microsoft stack. One thing I remember was how slowly Outlook 98 opened when it had 4000 tasks. EMS 2000 created Outlook tasks using COM+ custom queuing components over very slow modem and ISDN lines to all parts of the state. Surprisingly, this was still better than the previous system, which was primarily a manual system.

    It was a full MS stack with basically every single possible MS product at the time (NT, COM+, Exchange, SQL, queuing components using pre-release NT 5.0 / Win2K, and lots of custom VB code), it hung together well and ran fairly reliably considering the shaky comms at the time.

  12. Remember - it's the Government, not Australians on Aussie Gov't To Introduce Bill That Would Require ISP-Level Censorship · · Score: 3, Interesting

    This is an EPIC FAIL.

    Australia has led technology trends and adoption for so long, and the Government is prepared to kill it and our children's future for a single lousy vote of a Senator who has the support of exactly no one.

    The Government is terribly misguided on this one. Conroy might be pushing this as a wedge policy, he might be doing it for Fielding's support, but this issue alone will lose the ALP the next election, as well as many for years to come.

    All of Gen i, Y and X will remember this and vote accordingly for years to come. The ALP will be in the wilderness for many elections, and struggle to form a strong government in their own right without doing the independent / Greens coalition tango that is working soooo well for them right now.

    Seriously, I could see the Greens take this to the election and coupled with effective climate change policies and no internet censoring, they could become the balance of power for years.

    Conroy is Public Enemy #1. He has committed electoral suicide for himself and his Government. I really do think they have no idea exactly how unpopular this policy will be.

    In short - how to fight this thing:

    * Ring your politicians tomorrow. All of them. Make the phones run hot.
    * Write them letters.
    * Ask to see them. Talk to them about this issue, and only this issue.
    * Write letters to the news sites
    * Blog and Twitter and Facebook away.
    * Attend rallies. Publish photos and write ups about same.
    * Join the EFA.
    * Sign up to Get Up if you feel inclined
    * Use #nocleanfeed religiously.
    * Do not do work for Conroy's department. Resign or transfer if you work there.
    * Support ISPs that are against this idea. Leave ISPs that support it or who have no position.

    If it becomes law, mass civil disobedience is required. I will be blogging about how to get around the filtering.

  13. Re:It's time to start a union how long before more on CA Legislature Torpedoes IT Overtime · · Score: 2, Interesting

    Don't blame the workers - they made the best of a bad situation, and if the car makers weren't so completely incompetent in the world's largest car market, they would justify their conditions and wages as a small fraction of the overall cost of a new vehicle (it's about 1/4 of the car's cost, if you're interested).

    The automakers failed in several ways:

    a) To this day, they produce crap cars no one wants, with awful quality compared to their peers. Compare a VW door shutline on the next Jetta (produced in Mexico) you see with a shutline of your average US made SUV. VW's shutlines are 4 mm wide at the top and bottom of the openings, and less than 1 mm wide for non-openings such as plastic mouldings to body panels. The Dodge Nitro I hired a while ago had a gap between the rear bumper and the tail gate I could see through, and don't get me started on how much that Nitro sucked - it nearly killed me five times with its terrible road manners.

    b) Once they realized that no one wanted their shit products, they moved into SUVs as the other manufacturers were producing cars folks actually bought. I am still surprised that folks bought such agricultural SUVs, but ...

    c) They made so much money from these crap boxes that they cut back on designing any other type of car and really scaled back investment in cars the US used to be leaders in (large sedans like the 50's Chevy's and Cadillacs). No US maker has a small fuel efficient car in their domestic line up (say 40 mpg+, which nearly ALL EU cars can manage without difficulty)

    d) They forced the US govt to implement effective protectionism, under the guise of safety standards, which prevents cars from outside the US from being imported. This is now biting them really hard because no matter how much Ford or GM WANT to bring in *profitable*, *well made*, *extremely safe* and *desirable* cars from Europe, they can't.

    e) They lobbied hard against any form of fuel efficiency standards, and got CAFE. They fought extremely hard to keep CAFE standards low, even to the extent that the SUVs are not subject to safety standards or fleet average fuel consumption figures that slug sports cars and some of their elderly models like the Crown Victoria. CAFE does not address consumption or demand when fuel costs are low. Thus you have the most wildly inefficient country fleet in the world and no domestic models that can manage 30 mpg combined (only the Cobalt comes close, and the Focus is a Euro car). The same manufacturers in the EU have average fuel consumption figures in the high 30's / low 40's. They addressed the bottom line - CO2 emissions and heavy taxation of fuel to make it artificially expensive. They have efficient cars.

    f) Those huge profits they made on SUV's? Wasted on a binge of consolidation, wasteful depreciation inducing inducements ($5k on the hood of perfectly good cars, employee pricing scams, etc), and all sorts of other shenanigans. They failed to invest these bumper profits in new products consumers actually want, saving up for a rainy day or diversifying their range to cope with all buyers, not just guys with exceptionally small penises (Hummer, anyone?) Women buy and / or approve more than 50% of all the cars on the road. Makers and advertising do not target women - at all, which is a huge mistake.

    Car makers have royally hung themselves by their own petard. I'd love it if I wasn't a car guy.

    But it's not all the car makers' fault. They are burdened with the dumbest idea since dumb ideas were invented. No national health care plan.

    The US fails all its citizens and burdens its companies unnecessarily because it has no national health care plan like every other first world country. The US pays three times the amount for medical costs compared to Japan or Australia for worse health outcomes and a shorter lifespan.

    If the US had a national health plan and decent medical costs, some of the costs now forced on the UAW by the last deal (or other auto makers without the UAW deal) wouldn't be holding them

  14. Learn about security on What To Do Right As a New Programmer? · · Score: 1

    ALL programs share one requirement: security.

    Learn about it (http://www.owasp.org), practice it, and do it well.

    Application security is also a very lucrative career path right at the moment.

  15. The most important pattern of all... security on PhD Research On Software Design Principles? · · Score: 1

    You should research software security in the agile setting.

    The primary thing missing from today's software is safety, accountability, robustness, and resilience. Modern software is disgustingly weak when it comes to meeting core non-functional requirements.

    The agile mindset - deliberately - has no place for non-functional requirements, and in fact often calls them "constraints".

    This is exactly like saying the engineers who designed Tacoma Narrows bridge built a successful bridge. Which fell down in moderate winds due to harmonics brought on by winds not unusual for the site. Therefore, designing bridges after then to take into account seismic activity, load, winds and harmonics - truly non-functional elements - are "constraints" !!

    Security is not a constraint - it's an enabler that allows secure business. Imagine if the user stories for Amazon went like this:

    Allow an anonymous buyer to add an item to their cart (this is true today)
    Allow a buyer to checkout their cart by obtaining their address
    Ship item(s) to that address

    Amazon would be out of business in a matter of hours. A solid security architecture is a fundamental requirement, and in fact, the ONLY requirement shared by ALL applications.

  16. Hidden costs of relocation on Moving Between Countries? · · Score: 1

    Make sure your employer will help with relocation costs. It cost us at least $25k AUD to move from Melbourne to just outside of Baltimore, MD. I expect the move to Canada will be a bit more than we paid as cars are more expensive in Canada than in the US. The move back will be less as we still have our furniture, but honestly, the costs can be horrific.

    We started out in a furnished apartment. Don't. Ikea is cheap and cheerful, but take my advice and buy a nice bed from a good bedding store. We furnished our second place for about $5k, which is less than we paid for the 8 months of "furnishings" at our old place. Oh, and get a power drill with an Allen bit. Takes about 10 - 15 minutes to put up a desk that would take hours with the key in the box.

    We got VicRoads to do an extract of our driving history. Waste of time.

    We bought RACV international driver's licenses. Don't. Just schedule some time to go for your CA province's driver's license within the first month and you'll be fine with your Victorian license until then.

    Buying a car. It's way more expensive in Canada than across the border, but the import tax situation is messy. Be careful if you want to buy something in the US and bring it back across the border. The Honda Fit is a roomy economical car for not much money, but you may struggle to find a lender to finance the car, which leads to:

    Credit cards and loans. You will have zero finance history in Canada, and in our experience, a good credit history in Australia is not counted at all. We had our (good) credit history from the NAB. Meant NOTHING. I still don't have a credit card, and we had to pay out our car loan (at the top loan rate) in 12 months. If you can pay money for a car, do so. Otherwise, VW Finance has an expat / international finance loan, which is what we ended up with. No one else would touch us. Make sure that when applying for credit that you only in writing authorize them for the loans or CC's you ask for. If they go away and try 20 folks and you get turned down 20 times, the 21st time you apply, your previously blank but okay credit history is now trashed. We've been told how to fix up our credit history now, (take out a margin loan for some C/Ds and pay the margin loan out on time automatically, get a small CC), but I don't care now that we have some decent savings. I was sort of hoping for a nice credit history at the end as it may help us get a house loan when we return to Australia, but I doubt we'll take any credit out here in the USA now.

    Insurance. Driving history and lack of accidents mean nothing to insurers over here. Expect to pay $1800 per year and be treated like a 16 year old learner until at least 12 months after you have your Canadian driver's license, so get that licence as quickly as you can. Normally, a 30+ year old person with 12 years of perfect driving will pay $400-500 odd per year. You will be screwed. Budget for it.

    Buying a house. I don't know the deal in Canada, but buying a house makes a lot of sense. The market is utterly trashed and you can get a lot of house for peanuts compared to two years ago. If you can qualify for a loan, buy a house. However, expect not to qualify - we can't as our visa is renewed every two years, and thus folks will not lend to us. If you can't qualify for a loan, oh well join the millions of folks here in the same basket. You'll need like an awesome income or a spotless credit history and a long term visa to qualify. Good luck.

    Essentials (Vegemite etc). Whole Foods have an international aisle. You can usually get Vegemite there. Otherwise, getting it from Simply Oz will do the trick - at a price. A 150 gm jar is about $5 US shipped all told. We get our Ribena from an English expat online store as it's closer than Simply Oz.

    Flying there. Go Air New Zealand. The comfy premium economy seats are upstairs, the width and pitch are fantastic, the food good (the lamb is awesome), and the privacy and quiet is worth the extra coin. The flight crew don't hate their jobs (or you) unlike t

  17. Re:Ruby and Python are ex-parrots, not Java on What Makes a Programming Language Successful? · · Score: 2, Interesting

    Fair point - my list is not a scientific survey and was never intended to be.

    It is skewed towards high value applications - those apps my customers are prepared to pay me to review over a large number of years. There's a significant difference between that set and the total set of applications I *could* review.

    There's plenty of types of apps I rarely see, such as open source apps (although I am working on one right now) or scientific apps.

    Some folks in my field specialize in embedded platforms (usually written in assembler, C or Ada). I have reviewed such apps in the last couple of years, including EFTPOS terminals as used by about 1/4 of Australian businesses (written in C with some concurrent extensions), and power meter readers used by plenty of US utilities (Windows CE based, written in C++). These two reviews are such a tiny minority of my work, they barely rate in my list.

    Although I am able to do code reviews in pretty much any language, I have specialized in high end financial and logistics applications, those that power the world economy. Some of the apps I've reviewed process literally a couple of trillion dollars per day in transactions. These apps are written primarily in Java and COBOL with a smattering of stored procedures (PL/SQL ~= Ada or DB2's stored procedures, generally written in DB2's SQL dialect).

    If you want a scientific survey, SourceForge used to have a project statistics page detailing what languages are in use. This would be a good metric for open source projects. It would be a terrible metric for closed source / proprietary apps.

  18. Re:Ruby and Python are ex-parrots, not Java on What Makes a Programming Language Successful? · · Score: 3, Insightful

    It's not about the platform, language or the framework that makes an application safe, it's the security engineering that does. If you don't do any, your app WILL be insecure by design and there's no way you can't fix such code.

    However, you have a point to a degree - I am initially more productive reviewing frameworks I am familiar with. But that doesn't mean I would be ineffective at reviewing Python or Ruby. It would take me about half a day to spin up in any language or framework as I found things that are missing. And that's the important thing:

    I hate reviewing apps with zero security engineering. It's exactly like shooting fish in a barrel, but hopeless as you're not going to get a nice fish stew at the end.

    What I look for are meta-issues found in all languages and frameworks. Syntax and functions can be found in online references - if you need them.

    There is nothing special about any language as few protect against the security artifacts we look for.

    For example, if your code has an access control mechanism, I look at it in situ on a live test app, deciding how best I might attack it, and then research using the code how I can obviate it at different levels:

    * Coarse grained - is this feature access controlled at all? This is definitely a problem for J2EE apps that use servlets as folks think presentation level security is adequate. It's not.
    * Medium grained - does this feature offer different levels of access based upon your role? If so, how does this mechanism work? What do I do to get around it and steal stuff?
    * Fine grained - does this feature restrict access to secured resources (direct object references)? If so, how does this mechanism work?

    Each of the things we look at are verifying security mechanisms. Knowledge of the language or framework is simply not necessary. If you know what you're doing, you can prove the lack of security engineering by testing the app in situ and then research why it fails. Once I find a weakness, I look at the code to see why the weakness exists. Once I've found the issue, I look further afield for the pattern and then I document the issue. Rarely does an app or framework have just one weakness - they are usually patterns.

    Picking up a new language or grammar and framework, like going from Struts to Spring MVC takes about half a day for someone like me who knows multiple languages, both functional like Haskell, or OO languages like Smalltalk or Ada, or scripting dynamic languages like PHP, Ruby or Python, or declarative languages like C or Java. We do not write the app, we are reviewing the app.

    Security mechanisms are usually fairly clear if they exist. If they do not make themselves immediately obvious, they are usually missing.

    Folks who have the hubris to think their code is somehow safe, like the COBOL folks on the mainframe or your example of not reviewing code if you don't know it well. That's why I turned down the Haskell review as I didn't know it well enough in the time available. If it was a longer review, I would have taken it as I love to learn new languages.

    However, fyi, if you paid me to be a developer, I could be immediately productive in the following languages:

    J2EE - Since Java was first released. Major frameworks include Struts, type 1 JSP with JSTL, Spring MVC, Struts 2.0, and JSF
    PHP - Since PHP 3
    .NET (C# and VB.NET) since .NET 1.0

    Could code if absolutely required:

    COBOL - 12 months review only experience
    RPG - 12 months review only experience
    Perl - 15 years experience
    Shell scripts - 15 years experience
    Ruby with RoR - tested it out for a new version of my forum (UltimaBB/XMB) but it was too slow
    C - since 1985. Co-wrote the Matrox millennium driver for XFree86 back in the day
    C++ - since CFront was a bastard child
    Ada - since 1990. Still have fond memories
    Pascal - since 1985, haven't used it for a while

    Languages that I don't suck at but wouldn't claim any particular skills:

  19. Ruby and Python are ex-parrots, not Java on What Makes a Programming Language Successful? · · Score: 4, Interesting

    I review code for security flaws for a living. I am a pioneer in this field and have literally written the book on it (the OWASP Guide and the OWASP Top 10 2007). I've been doing secure code reviews for the last 10 years.

    I've reviewed 400-500 applications (it's unclear as to the total number, but I usually do a review every other week, some shorter, some longer).

    I've never reviewed a Ruby application or been asked to review code written in that language. I have been asked to review a Haskell application.

    I have reviewed:

    * 85-90% Java, usually with shell and ant scripts and occasionally some Perl. Some *years*, this is the only language I am asked to review.
    * 5-10% .NET. I haven't reviewed a .NET application this year.
    * 5% COBOL. Primarily as a side line - there's a lot of old code to review, but most folks never do.

    I've reviewed three PHP applications professionally, all in the last year, even though this is my preferred language to write stuff.

    Java is overwhelmingly used in large commercial settings for high value applications, with .NET a very distant second.

    I don't get to review that many COBOL or other mainframe apps. I've been doing ground breaking research in this area as there's no advice today. There is a false belief that this code is somehow "safe" as it resides on the mainframe. Nothing could be more wrong.

    Ruby and Python, although interesting languages, have zero commercial penetration, even for worthless brochureware or community apps.

    What they do have is an extremely loud fan base. These languages will not kill COBOL or Java any time in the next forty years or so as the fan base is fickle and will move on to the next big thing when it comes along.

  20. There was lots of open source prior to 1998 on A Decade of OSS, 10 Years After the Summit · · Score: 1

    I've been coding off and on since the early 1980's. The idea that open source coincided with a big conference that supposedly kicked everything off is nuts. Conferences require people interested in the same topic to be profitable. Conferences therefore are thought followers, not leaders.

    When I first got on the Internet some 19 years ago, there was already a healthy community of free and semi-free projects. There was a lot of code sharing, particularly in Unix sources on newsgroups.

    I ported more than my fair share of things to run on A/UX, and I helped GNU for a short while with a port of stty back in the day when they wanted their own operating system (this is back circa 1990).

    I was writing device drivers for Matrox cards back in 1996, and by then the Linux kernel was a heady and healthy open source project with thousands of contributors.

    Honestly, either this guy was incredibly insular or his Internet connection was broken. O'Reilly didn't create open source any more than the Muppets did.

  21. As a Comcast customer, all I can say is ... good! on Comcast Confirmed as Discriminating Against FileSharing Traffic · · Score: 1

    Leeches are an oozing pustule on society and should be sent back in time to when a 300 baud modem was a luxury.

    I like the fact when I get home, I can access /. at 400-500 kB/s, and east coast sites at around 600 kB/s with low latency.

    If P2P users did more legal sharing and it helped reduce overall traffic so everyone benefits, then great. But instead, we have spotty anti-social retards thinking that this is about censorship or infringing their rights whilst in fact they are infringing massive quantities of copyrighted works, so much so, they'll only ever view or listen to a tiny fraction of the crap they leech.

    It has nothing to do with censorship, it's all about Comcast managing their network - which has a finite bandwidth for their level of profitability - for the good of all the commons, not just those 1-5% who are abusing relatively cheap bandwidth. If they had paid for a dedicated 1 Gbps fibre link to their home and can only manage a small fraction of that, I can sympathize. But they're paying SFA for access to best efforts shared networking. And they're sharing it with me.

    They can get stuffed. There are other networks who don't "manage" (block) P2P. Go there, see if I care. I just wish Comcast would block port 25 outbound.

  22. Blogging is way older... just different names on Blogging Is 10 Years Old · · Score: 1

    John Carmack used finger to blog way back when. Before that, we used news to do stuff like what Twitter does today.

    I kept an online diary older than this "date". Was it called a blog? No, it was collected ramblings, pretty much the same as today. Was it a blog? I have not really changed since I started writing my occasional entries in ~ 95 or so, so yes, it's blogging.

    Andrew

  23. Re:Spamhaus have their problems on Email Servers Will Choke, Says Spamhaus · · Score: 2, Insightful

    (Mods: My last comment on Spamhaus was sent to "troll" land - my first ever negative comment on Slashdot in 10 years. Being pro-Spamhaus != good netcitizen and vice-versa. I am a good netcitizen, working extensively on Australian internet governance issues, such as being the technical dude who worked on auDA when we moved from monopoly to a regulated DNS environment, and secured Australia's second largest ISP and helped build and secure the alternative massive backbone, which carries all academic traffic as well as most ISP traffic. I was once the SAGE-AU President, and I still abide by their code of ethics. Therefore, if you mark me a troll or flamebait, you are working against the best interests of the Internet. Read and decide for yourselves, but be v. careful when you hit the moderation button.)

    This is happening to me right now. Spamhaus are acting like a wild west sheriff, but have no responsibility.

    I host a number of websites, one of which has 5500 car nuts. I suffer *actual* financial loss directly because of Spamhaus' illegal blocking of my hoster's entire netblock. The spammer is gone, and yet we are still blacklisted. There is no way to get off this virtual death penalty.

    New folks wanting to talk about VWs on my forum can't, and they leave, frustrated. I don't even know that they're stuck as my mail from the system is broken. Those few I do hear about - via the users being very persistent, cause me to spend 10-15 minutes per new registrant to get them on. If they lose their password, I can't help them. I spend an extra hour or two every night working on problems, and although I get a nice Google check once a quarter which generally comes close to paying the hoster, I'm suffering growth problems now - we moved from 2500 to 4000 members in no time, but our last 1500 members have dribbled in over the last 18 months. In the 18 months I've known about this problem, Spamhaus have cost me at least $4500 in lost wages at McDonald's rate (far lower than my actual hourly rate), and at least (and this is EXTREMELY conservative) $1500 in lost advertising revenue. I run my site out of a love for Volkswagens and as close to being a non-profit as I can whilst allowing for growth (we will eventually need more servers), but it's still coming out of my pocket. The loss to me is significant in time and money, but the loss of community is immense. Spamhaus are destroying my community, and many thousands of others with their negligence.

    Spamhaus must:

    * Provide a way to get unaffected netblocks off their list. This "block the lot" collateral damage is like mowing down an entire kindergarten of kids to get at the pedo jerking off at the fence.

    * Acknowledge the financial harm they cause when they block domains that have NOTHING to do with spam. Even the spammer who used the netblock (before being kicked off) used it for pr0n, not spam. Netblocking the entire 64 odd class C's (in my hoster's case), blocking thousands of innocent customers just because one of them hosted pr0n for a short while before moving on did not in ANY way reduce the world's spam problem. I'm certain we are not the only site suffering this.

    Totally unacceptable.

    Do NOT mark me down as a troll - Spamhaus are not the protectors you think they are. I once thought they were, but they are not our friends, merely fallible people who see everything as black and white. I do not want them working for us any more. They must be put out of their misery. Hopefully, a replacement RBL will arise who aren't so arrogant, take some responsibility, carve out netblocks and /32s which make sense, and preferably be in the form of actual law enforcement. Spam is illegal in most countries, and citizens MUST not and indeed are NOT allowed to take the law into their own hands. Spamhaus are not the solution, and never have been.

  24. I hope Spamhaus is suspended on ICANN Grants Temporary Reprieve to Spamhaus · · Score: -1, Flamebait

    Couldn't happen to a nicer bunch of arseholes.

    Spamhaus incorrectly labels my netblock as being owned by a known spammer. The dude they reference has used IPs in the range near mine in the past - but not for spam but pr0n sites. They don't send spam from the pr0n sites, so blocking this particular netblock has zero nada zilch effect on spam today or in the past.

    The spammer doesn't control my netblock, nor his own. I *cannot* get off the Spamhaus list. This means that my mail doesn't work to about 20-30% of all sites through no fault of my own. When I joined, the spammer was not there. This is creating virtual wastelands as the spammers jump from hoster to hoster and Spamhaus has no method of rectifying or desire to fix their mess.

    There's no "get off this list now". My ISP has had no success in getting only a particular netblock listed instead of the entire netblock. There's no right of appeal in the twisted Spamhaus universe. There's nobody willing to put their cock on the block and take responsibility for their actions.

    Spamhaus are arrogant bastards, and if this action stops them, then I am all for it.

  25. Hate them on Rethinking the Thinkpad · · Score: 1

    I've had a T22 since 2002, and now a T42 since November last year.

    I hate these things. They suck in every way, and they're much more expensive than a far, far more capable Macbook Pro.

    I hate the nipple. I've removed it, but it still sticks there, like a stupid nipple thing in the middle of my home row. The keyboard is excellent otherwise. If you could order a Stinkpad without the nipple and the three additional useless buttons, I'd be partially on the way to liking the damn thing. Except it has no Windows key. IBM's solution? You can download some key remapping software from them and make the right alt key your windows key. No! I want a Windows key. In the right position. I press FN about half a dozen times a day when I'm on the road because FN is in the WRONG position. FN is used about once every chicken sacrifice, so it should be up near "Access IBM".

    The ATI drivers drive me nuts. They're slow and crappy. I had to download a presentation tray doohickey from IBM to allow it to dual screen properly between the various combos I have (docking - DVI, non-docking VGA out), setup a profile for each location... and here's the kicker - I have to change it to that profile manually - it is TOO stupid to do it by itself even though the special driver software sucks RAM like no tomorrow. If I can - often you can't see the display it thinks you're still using. On my Mac - you just plug the damn thing in and it does it for you. It even remembers LCD projectors and puts up a nice safe background - automatically.

    The DVD burner is a joke. I'm pretty sure it's connected to the system by unreliable wet string technology. You can't eject the DVD drive from the drive bay if you boot with it. Not that I have the floppy drive to stick in the bay, but you know, it does have an eject button and it SHOULD work.

    The laden weight when you're on the road is well over 3 kg, which is unacceptable when you've only got 8 kg in cabin baggage allowance. My Mac and its adapter weighs in at just under 3 kg.

    Sleeping the computer is an exercise in gambling with my data. I don't trust it. Not only does it not manage to get to sleep, often it fails to wake up, just blinks.

    Tried running Vista? No. No network support, and ATI's crappy chipset doesn't work. There are five year old Linux distros that can run better than the next version of Windows. I shudder to think what will happen when they come around and try to re-image us with Vista in a few months time.

    To top it off, I blinked when I saw the invoice price from IBM. We have a "special" deal with IBM. They rip out Bluetooth and wireless, put in a 40 GB drive (I didn't know they still made them that small) and charge us an additional $4k for these "special" features. I could have bought two Macbook Pros and a lovely 23" widescreen monitor for the price work paid for this single, crappy laptop.