I would do some reading -
The Software Survival Guide by Steve McConnell, already mentioned several times. You might also try Code Complete, but that's longer and you just need the pointy-head-boss version now.
Also do some reading on software methodologies - I recommend checking out Crystal Clear http://www.agilekiwi.com/crystal_clear.htm or Scrum or Extreme Programming, even the old waterfall method. You don't have to drink the Kool-Aid, but comparing the different methodologies will highlight the challenges of your new position and get you asking the right questions.
I especially like how Crystal Clear distills down the objectives (but don't necessarily like how they manage them).
Your main challenges are:
Managing change in the project - it's going to happen; do it gracefully with the least developer thrashing (context switching).
Protecting your developers from internal and external distractions.
Increasing communication among your team and between your team and users. - A lot of developers are very introverted, and you need to coax them to help each other out and get them to communicate with users and business experts to make sure they are coding things the right way.
Representing your project to the rest of your organization. - Huge issue which involves estimates, timelines, progress reports, feature/functionality issues, selling the benefits of the project, etc. Play the politics/personalities well enough so the developers can ship something good. Unfortunately this depends on your organization.
Anyway, read the books, not Slashdot, as I'm pretty sure I just missed something major. You also need a deep understanding of what is important for your company and how the higher-ups see things.
From the article - "a study paid for by Microsoft, Verizon, and News Corp". So the owner of MySpace is pro social networks. Slow news day?
If you go to the School Board Associations and look through their press releases there is no mention of the study.
No the filters/blockers will be up for a while longer.
I thought the original version of Hebrews was in Greek.
http://www.religion-online.org/showarticle.asp?title=91#_Toc439066025
I live in Tyler and yes, there is a larger than average percentage of bumpkins around here.
I can also attest that there is no interest in Intellectual Property Rights, as mentioning IP is a great conversation stopper (as opposed to more interesting topics such as hunting, fishing, trucks, or weather).
But the real reason has to do with the expedited and cheap legal process set up in neighboring Marshall, TX (frequently and well covered on Slashdot) that gives patent trolls the most bang for their buck.
The plaintiff can raise suit anywhere Sony sells their PSPs, so naturally they don't want to do it on Sony's home turf.
POST doesn't help onclick=form.submit()
You can still do hidden posts with javascript. Just hook up the post to fire on onload or onclick of anything on the malicious site. The form response can be targeted to a hidden iframe so it's invisible to the user.
Most people have already turned off their browser's POST warning, and even if they didn't, they don't have any reason to think it's posting to their bank's website or firewall device instead of the malicious site.
The problem is these security appliances use firmware that's not updated frequently, so the format is very predictable.
Hopefully they use a dynamic id and include it on URLs and form requests, instead of just relying on a cookie. But a lot of us web developers have just used cookies because they're cleaner and easier.
Maybe Checkpoint added the id with their patch.
You're right I just thought of this. I generally do referrer filters, but didn't really think through why.
What happens in the case of https? Does the referrer come through blank?
Is there anyway you can think of around this outside of XSS?
Expiring the session in a short time frame like 15 minutes does limit the damage, but doesn't eliminate the threat. The above example said Checkpoint was only vulnerable when both were open at the same time.
The IP address doesn't work because the initial exploit is from the original user on the same computer, same IP address. Just a different tab or window of the same browser that carries the same cookie/http-auth as the original, but comes from a separate malicious webpage.
I can think of 2 general fixes but both would require changes to the browser.
1) Allow users/webservers to determine that a cookie should be bound to a particular window, so that a request originating from a different window containing the malicious site does not include the cookie.
2) Add an extension to the cookie protocol where the cookie always sends the URL and IP address that is the source of the request (I haven't thought out what the source is with confusing external js scripts which may be controlled by js in the main html) - this would allow sites to weed out requests generated from malicious sources.
Both of these would still allow the exploit to be used in XSS situations, but could plug the hole in the more general cases.
Without a change to the browsers you're best off generating some type of session token and passing it back and forth on the URL and using that and a cookie as two-part authentication. The malicious site shouldn't be able to read or guess the URLs. A lot messier than simple cookie-based authentication.
As someone who is about to take the plunge into fatherhood, here is my perspective. There is something spiritually rejuvenating about having children. We get old and cranky and worn out. Through the eyes of a child we get to experience life fresh once more and enjoy life again. The flip side is it's the biggest sacrifice - the most selfless thing you'll ever do (much more so than an OSS project). But the good news is living for yourself has never been the key to happiness.
As the richest person in the world controlling one of the most influential companies, everyone is gunning for you out of a combination of envy or fear. (I myself usually fall into the fear category against the Windows monopoly.)
Bill has way too much money for one person; what's wrong with him donating a few million here and a few million there? It's the equivalent of us putting a few dollars into the Salvation Army bucket as we go by.
---
Need money for your school, sport, or civic, group - Help support a geek http://www.ilovefundraising.com/
Except for us part-time sysadmins that are wanting for PHP5 support on a stable server OS and would rather just browse through Slashdot rather than hitting a dozen other vendor sites for info.
They are just script-kiddie posers. Who was the incompetent clod who programmed this last? What was the admin thinking when he installed anti-virus on Exchange? Only morons use Windows.
Let's face it, geek arrogance is bar none. Whatever our specialty, we trash everyone without that knowledge (why do you think some of us stay employed with our childish attitudes?).
For Congressmen we expect them to be experts in every field, and unfortunately they "should" be to get their job done. Peggy Noonan has a great article on it and how this unrealistic demand causes either extreme arrogance (I "created" the internet) or ignorance (the Internet is a series of "tubes"; I downloaded an internet the other night).
Support a geek, Raise money for your school.
I for one welcome our e-voting hacking overlords.
Geeks of the world Unite!
I must be an outlier. I did classic ASP and then ASP.NET development and have now switched to PHP. .NET, while great, forces you onto the Microsoft platform and ties you to expensive per-processor SQL licenses.
PHP is simpler, more like classic ASP only updated and supported by a huge community. Plus if you can live with the GPL there is an open-source project for every conceivable thing you want to do that you can rip code off of.
Tools like phpEclipse fill in the gap of the integrated IDE and catch parsing errors and the bane of weakly typed script languages - mis-typed variable names.
Personally I prefer dynamically typed languages like classic ASP, PHP, and Ruby for web development vs. the strongly typed Java and .NET (note if your development team gets over 12 you MUST have a strongly typed language).
Ruby may be the next big thing but I'm going to wait to see if it survives.
Bryan
>True. If ANY company says ANY product is uncrackable, they are full of it and/or marketing is having too much of a say in their message.
Unless of course they are using a one-time pad - http://en.wikipedia.org/wiki/One-time_pad - in which case the question is not whether it is uncrackable, but if the key generation and distribution is practical.
As I'm sure others will point out the security of the complete system will never be perfect, at least open to social engineering and the like.
Good for you. I have trouble getting past the 20% mark.
Imagine how much better things would be if we got past blaming all the problems on religion and government and actually tried being selfless and giving.
Oh, I'm sorry, that's beginning to sound like that Jesus guy who all good Slashdotters know is the root of all evil and is cousin to the spaghetti noodle monster.
Sorry, I'm sure I'm going to get modded troll. But I just get irritated at how open-minded everyone is to everything but Christianity, and then they instantly get dogmatic and hostile.
Let's face it - religion does a lot of good, and our society would be in a much worse place if many of the beliefs of Jesus weren't incorporated into our western cultural understanding of law and morality.
Both Google and Yahoo have been getting a lot of bad press lately, so they need to do something. It's good to see Yahoo follow Google's "high ground" even if Google's straying a bit. This is much better PR than re-running analysis on turning people over to oppressive foreign governments (Yahoo) or collaborating with governments to cover up and control information and make sure the truthspeech gets out (Google).
It's going to be a long road for both of them as growing resentment http://www.useit.com/alertbox/search_engines.html of their status as gatekeepers builds up.
Blatant plug! Death to the gatekeepers!!
Step 2 ??? Step 3 $$$$ - Forget Tech, you need candy http://www.ilovefundraising.com/
>In other words, 39% chose creationism, as there is no discernible difference between creationism and ID. Score another victory for ID, for once again successfully obfuscating the issue
The difference is easily discernible.
Evolution - Once life started, those organisms that survived reproduced, while those that didn't, didn't. This natural breeding program produced the organisms that we see today.
Creationism - God created the world because the Bible says so.
Intelligent Design - Something created life because the organisms we see today are different and more varied from what we would have through the evolutionary processes. Their similarities are often due to a consistent 'design' rather than heredity.
As such Intelligent Design is just as palatable, studyable, arguable, and researchable as Evolution to your average agnostic. It starts with observations and stops where it can go no further.
The problem is no one stops and thinks about the theories and tries to determine which one is more likely. Rather they start in the Atheist or God camp and then call each other stupid for believing in Intelligent Design, or dangerously arrogant and foolish for thinking you were created by accident and believing that the law of the jungle is the path to life and beauty.
P.S. I am not an accident, and you are not either. You have more dignity than that.
Since I used to work at another company that ponied up the money for the license and Spyglass source, I can say that the original Mosaic code was total crap and was rewritten by both IE and Netscape.
Most Cryptome people are so paranoid and anti-government that the monitoring of them would easily be enough to scare them off (or make them go to great lengths of misdirection to anonymously surf the web). Now if the government is singling them out because of their paranoia and anti-government beliefs, then you have a self-fulfilling prophecy.
Hopefully, but not necessarily there is a statement or posting that relates more directly to the case.
help help I am being repressed! Now you see the violence inherent in the system!
I personally like the distinctions.
I would argue that we should fight to make sure that life is considered special and that human life is more special.
Even if you don't buy into the dogma that God created man in his image and therefore human life should be treated differently than other things, you have to at least appreciate the more practical aspects of cultural distinctions between lunch and cannibalism. Mutual respect for other humans keeps civilization going, along with our authority over (and responsibility to) lesser life forms.
As for this particular experiment, safety considerations are important, but I don't see it differing substantially from eating, breeding, processing, etc. other life. Nor do I think it gives us deity status any more than landing on the moon and "touching the heavens". Now when we start doing genetic experiments on/with humans, we cross the moral line and have to carefully consider the consequences and rights of those involved.
My favorite part of the paper:
"Then the issue can be handled elegantly in Equation (2). Game A happens to be the always-exciting "Work Game of Earth," where you go to the office and face the challenges, denoted C, presented by your boss, your co-workers, and your competitors, and where overcoming those challenges garners you rewards, denoted R, in the form of wages, perks, fringe benefits, and assorted entertainments involving the office copy machine."
Oops back to the copy machine.
Yeah,
But did you see the promo brochure picture with all of the pale white guys in black t-shirts, laptops in hand, sunning themselves like beached whales?
They should have at least included one token flower-print bikini beauty.
And the picture of the beautiful waterfall and a boring classroom with an overhead (at least give us an LCD projector - this IS a computer conference).
I just don't quite get it maybe I'm not g33k enough.
The benefits of this are enormous in a place like Papua New Guinea, where subsistence farmers don't really have a true cash economy and as such don't have any way to adequately pay for kerosene or "zoom" - motorboat fuel, as I like to call it. Solar is too expensive, but fruits and vegetables are really cheap and plentiful.
Arrgghhhhh.....
You're exactly right about being unbreakable. But unfortunately people just don't care. I worked for a start-up that had a commercial one-time pad encryption solution that was quite workable for basic email.
Everyone is still sending their email around in cleartext because ANY crypto system is too complicated to futz with day-to-day. OTP, while more secure, has more complicated key distribution issues than other systems.
More legal cases and hacker attempts may change people's opinions, but right now the PHB doesn't want to spend the money.
So we have the hobbyists who have annoying PGP sigs attached and everyone else waiting for someone to do all the work for them and make it free.