Thanks! You're pretty reasonable yourself. It's an interesting subject, isn't it? Kind of makes me wish I was in High School again, so I could give the course a try and see how it looks from the inside...
I like the guy who's running the program, too. He's very sensible. Apparently, they DO focus mostly on security, with the hacking aspect being more of a test of the security projects the other kids are doing. He said the kids basically play capture the flag, switching sides periodically. The way he describes it, it sounds totally sensible and reasonable. I think it just got some bad spin early on, you know?
That's true; it's probably a good thing that this brings the issue into the view of a larger number of people. And, it's also true that the media don't often present things in the best or even most accurate light. I was rabidly misquoted in a major magazine article once, over a tattoo of a company logo I had placed on my arm. During the interview, I had told the reporter that I felt that since the company was going to be my one and only dot-com job, the tattoo would make an interesting souvenir to tell my grandchildren about. The reporter turned around and fabricated a quote about my not really knowing why I got the tattoo, I just got it, making me look like a total idiot. I vowed never to speak to a reporter again (and so far, knock on wood, I've managed to avoid them). As far as the tattoo goes, I got sick of explaining it to people and having them say, "Oh, I read about you -- you're that tattoo guy". So I had it covered up with a Japanese dragon a month or two ago, and no one bothers me anymore. ;)
Good luck with everything. You seem like a pretty okay guy.
Well... Ok, I'm warming to the idea. I just responded to a post from one of the people involved with the project, and admitted that what he was describing (teams taking turns attacking and defending, etc) actually did sound like a pretty good way of testing defenses. So, I'd have to admit, maybe they're on to something here after all.
I don't know; actually I'm kind of torn on the issue now. I still think the focus should be on network security rather than cracking per se. But, ok, I think I can see why you might want to develop those skills to test your work.
The way you describe it, it actually sounds quite attractive and a great idea for training security staff. But I felt that the way it was originally described to me focused way too much on the hacking aspect, which I would think would turn off your average suit. "Hacker" is such a dirty word these days; it doesn't seem all that safe to use it. Just recently, someone I know almost got into some serious trouble because a clueless manager overheard him talking about enjoying the hacking simulator in the new Matrix game! It took a bit of explanation to calm everyone down. ;)
I totally "get" the usefulness of the tiger-team approach, I just think it's a little dangerous to spin it as hacker training, especially in an article that is going to be read by the clueless.
Having said that, I think maybe I would like to modify part of my position, i.e. the part where I said that people shouldn't learn hacking skills but rather should focus on system hardening. Now that you mention it, I can see the usefulness of teams taking turns attacking and defending. In fact it sounds like a blast, besides being very informative.
Still, there's GOT to be a better way to spin this to the media. People are bound to react badly, don't you think? I don't have a lot of faith in people suddenly developing open minds... :)
As I've said, reading up on security issues at CERT and SecurityFocus, paying attention to how sites are being hacked, reading articles about what other people have done to secure their systems, all of these things will give you the information you're describing. You don't have to learn system cracking to protect your system. As far as windows firewalls go, if you're not behind a hardware firewall/router, you shouldn't be running windows, period. Honestly. Even getting a cheap Linux box and using that as a NAT firewall would be helpful.
Besides, even if the public sites I've mentioned didn't have the info you craved, there are plenty of books out there that you can learn from. You don't have to participate in a very public after-school activity that'll mark you for life (do you think those kids haven't found their way onto a bunch of lists, just by virtue of their being in the course? Those cops didn't agree to chat with them out of the goodness of their hearts, you can bet they're getting course rosters and paying very close attention to the curriculum with an eye towards noting what techniques the kids prefer -- or does that make me paranoid?).
What method did probably 90% of the currently problematic worms and hacks use to get around? Vulnerabilities in MS Exchange, MS Outlook, and MS Outlook Express, IIS, and SQL Server. What language offers the tightest integration with all of these systems, including many, many prebuilt system objects for working with them? VB. What language would an employee of a Microsoft shop probably be working with daily? VB. So, if you were to hire a hacker to work in your Microsoft shop, he would probably find it most convenient to work with the development tools sitting right there in front of him. Not that he would need any others. And, he would even be inside the firewall of your organization, possibly able to start using other people's internet accounts, and etc... It would be a nightmare with the potential of massive liability if he were to use your system to do something nefarious.
My POINT is, especially if you're a Microsoft shop, you'd have to be absolutely NUTS to hire someone who was a self-professed hacker, and had coursework already completed which would give him the skills he would need to cause problems for you.
As far as the interview goes, think about it: as soon as the HR Drone reads the blurb about "computer security training", he's going to ask about it. Boom -- the kid's boat is sunk the minute he opens his mouth to reply, unless he lies his ass off, and if that's the case, office politics will get him later as soon as a coworker figures out where he learned his skills.
Again, I would expect a security professional to understand the techniques used by hackers. However, I would look upon a person who had spent time in an actual hacking course very dubiously. Again, it's a matter of focus. If a person is primarily interested in security, and had to read up on past incidents and such to understand the ways in which he needed to secure his system, that would be fine. If a person claims to be interested in security, but spent most of his time in training learning how to crack systems, then I would consider him a system cracker, not a security professional. And, again, he'd end up with the old "do not admit" picture by the security office.
You don't have to learn to crack systems to defend them. That's propaganda used by people who *really* just want to learn system cracking, but don't want to be viewed as system crackers. It's like the NRA saying that they need access to assault rifles so they can go hunting. Suuuure they do. I'm sure it has nothing to do with private fantasies about fending off an attack on their home, bandanna on head, AK in hand, cordite in the air... Think about it. What people SAY their motives are, and what their motives ACTUALLY are, are two different things. Can you really tell me that all those kids want to learn hacking because they want to be straight-arrow security geeks? That none of them are interested in the coolness of being a badass, at least on some level? At least a few are probably going to give their skills a test drive at some point. Then the cops get involved, and it isn't fun and games anymore.
But, see, what I'm getting at is that although some hacking techniques have to be considered, the FOCUS of the course should be on methods for securing systems, and the lion's share of the material should involve security techniques that have been proven in the field. This course seems to focus mostly on system cracking, not on the security-related material that would be of use to a sysadmin.
Another issue is that this course is for adolescents, who have neither the maturity nor the common sense an older practitioner would possess. I wonder just how wise it is to present a young person with so much rope suitable for hanging himself!
BUT, and this may come as a shock to you, many businesses DO use Visual Basic (or its bastard child, VB.Net). And, where would a young, feisty hacker type fresh out of after-school hacking class be able to do more damage? A Linux/Java shop, where he probably doesn't have root and won't be able to do all that much before the sysadmin introduces him to the cluebat? Or a Windows shop, where the admins are all generally MCSEs and he would be able to run rampant? Think about it. It was a well-chosen satirical example. The question is, how will a relatively uninformed HR Drone react to knowing that a job candidate spent all his time after school learning how to hack computer systems? Especially when most suits read article after article in the media about how the evil hackers of the world are busily working on stealing their credit cards, their bank accounts, nekkid pictures of their wives, and their daughter's virginity... MY theory is, the HR drone will circular-file that person's resume instantly. Even if the person is hired, sooner or later, it'll come out that he did this and he'll fail a security audit.
By the way: in response to your example, if I was hiring an architect, and he told me that he'd spent all his time after school blowing up abandoned buildings, so he's going to design my building to be safer than all the other non-bomb-proof buildings, I'd hire someone else and make sure that the bomber architect's picture was posted on the wall in the security office with "DO NOT ADMIT" in giant red letters. It was a really bad example, dude. ;)
Knowing how to secure a system and knowing how to attack one are not the same thing. You can consider case histories and factual accounts of prior incidents to try and see how a system is going to be attacked, and work that information into a new design. Naturally, you would want to consider hacking techniques in a course on security, but I think it's a question of focus. This course seems to focus on hacking, rather than the other side of the coin, system security. I think it's foolish to approach the subject -- especially with adolescents -- in this manner.
ChrisNowinski said: "You don't teach people how to create security systems by teaching them to break into bad systems. You teach them to comment their code, watch the buffers and never let programs leave the box unless you absolutely have to. This whole hacker mythology is poor."
I agree. Instead of teaching people how to hack systems, wouldn't it make more sense to teach them how to set up firewalls properly, restrict setuid, restrict the number of services running, set up a patching strategy, and run an intrusion detection system like PSAD? People interested in programming could take a course focused on verifying user input, and avoiding buffer overruns. That sort of thing would be useful to kids, instead of just making them unemployable.
And, this WILL make it hard for them to get a job. Who on earth is going to want to hire a kid who already has experience hacking? Imagine what the legal staff would say, the kind of liability the company would be up against if he or she decided to have a little fun using his work PC, especially when the company KNEW he was a hacker and gave him net access anyway!
I think that every HR Drone who sees a resume from one of these kids is going to at least briefly envision the following exchange taking place:
Lawyer: "So, you knew that Joey was a hacker -- it's right here in his resume. You knew that, correct?"
HR Drone: "That is correct."
Lawyer: "But you hired him anyway. And, you gave him access to the net, Visual Basic development tools, and access to your servers."
HR Drone: "Well, he WAS a developer..."
Lawyer: "Yes, but also a hacker."
HR Drone: "Yes."
Lawyer: (voice rising, Perry Mason style): "So, you KNEW he was a hacker, and you gave him everything he would need to do whatever he might want to do -- including take down Wall Street's trading systems for two whole days?"
HR Drone: "God, when you put it THAT way, you make it sound like it was our fault or something!"
Lawyer: "Perhaps it is. Your hacker cost Wall Street tens of millions of dollars in lost trades. Maybe if you'd have hired someone who HADN'T expressed an interest in hacking, we wouldn't be in this courtroom in the first place. You DID have other applicants, I assume?"
HR Drone: "We had over 100."
Lawyer: "But you chose the hacker."
HR Drone: "Yes."
Lawyer: "No further questions."
The above fantasy would scare any HR Droid senseless. And, you just KNOW it's the first thing they'll think of when they see a resume from one of these kids.
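The "verifying user input, and avoiding buffer overruns" lesson from the post above, as an added example that is not part of the original thread: a fixed-size username field filled by a routine that trusts the caller's length, next to a hardened version that bounds the copy and restricts the character set before anything downstream sees the value. The function names, the `NAME_MAX` size and the sample inputs are my own assumptions, not anything from the thread.

```c
/* Added example, not from the original discussion. Shows the defect the
 * quoted post warns about ("watch the buffers") beside the fix it asks for
 * (verify input before use). NAME_MAX and all names are illustrative. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define NAME_MAX 16   /* capacity of the fixed field, NUL included (assumed) */

/* Vulnerable form: strcpy() stops only at the source's NUL, so any input of
 * NAME_MAX bytes or more writes past the end of dst (a stack buffer overrun
 * when dst is a local array). Kept here purely to show the defect. */
void copy_username_unsafe(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: measure the input without scanning past our own capacity,
 * reject anything that cannot fit with its terminator, and accept only a
 * conservative character set so the value is safe to log or pass on.
 * Returns 0 on success and -1 when the input is rejected; dst is untouched
 * on rejection. */
int copy_username_safe(char dst[NAME_MAX], const char *src) {
    size_t n = 0;
    while (n < NAME_MAX && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n == 0 || n == NAME_MAX)             /* empty, or no room for NUL */
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1;                       /* whitespace, ';', '\'' etc. rejected */
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample inputs: a normal name, an over-long one that would
     * overrun the unsafe copy, and one carrying shell metacharacters. */
    const char *inputs[] = {
        "jsmith",
        "a_very_long_username_that_overflows",
        "bob;rm -rf"
    };
    char buf[NAME_MAX];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = copy_username_safe(buf, inputs[i]);
        printf("%-40s -> %s\n", inputs[i], rc == 0 ? buf : "REJECTED");
    }
    return 0;
}
```

The hardened routine never calls the unsafe one; it is included only so the two can be read side by side. In a real code base the length check belongs at the trust boundary (the form handler, the socket reader), and the allow-list should match what the application actually needs to accept.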
If SCO were to sue God, God would probably be mildly amused for about a second or so. A second later, he would snap his ethereal fingers and SCO would change into a septic tank service company, with their CEO and the lawyers as the "sewage engineers" running the trucks. The SCO IP would simply cease to exist along with the company.
BTW: Here's a joke. Apparently, Hell and Heaven are separated by a white picket fence. So, late one night, a demon gets drunk and drives its car along the picket fence, knocking it down. God, furious, demands that the devil repair the damage. Contractors come and repair the fence, but when God comes to check their work, he finds that the fence is now 20 feet inside Heaven's property line.
God is livid. "Hey, Satan! You'd better get your contractors to put this fence where it's supposed to be!"
You're totally right about that, of course... I just wanted to add a note of explanation, by "real work" I don't mean the work you get paid for, because at work you'll be using CrapOS like everyone else. I mean, your private, interesting explorations into computer science and programming, the stuff you do at home for fun and share with other like-minded people. The stuff we do at work is just more of the price of doing business -- it keeps you well fed, and online, but it doesn't nourish your soul.
I think that we'll all have to buy at least one "sacrificial" computer just so we can interact with the world. Call it a "cost of doing business"; pick up a shitty, low-end machine for web browsing and email, $300.00 worth. Do all your gaming on consoles. And, do all your REAL work on pre-DRM laptops you've carefully preserved...
An A/C said: "Is it me or are the 1984 quotes so 1994? Orwell would have been for this. This is about freedom. Having the government tell you what you can and cannot own in a free market is, well, Orwellian!"
You misunderstand the situation. The government is all for the concentration of ownership of media, because it makes it that much easier to ensure that virtually all major media outlets are disseminating the "proper" government propaganda, and not allowing any pesky dissenting voices to be heard. Once the media is completely under the control of a select group of people, which it nearly was already, it will be very easy for the government to say, "Oh, no, we were always at war with Eastasia." Which is EXACTLY what Orwell was warning about. Centralized control of the media is just one method by which a government can exact an absolute level of control over its citizens. Don't try to muddy the issue with poorly-thought-out arguments about the free market. This is NOT about the market, or about who gets to own what. This is about who gets to control which points of view you get exposed to, and what information you are permitted to consider.
So, no, you're wrong. Orwell would NOT have approved. Not even in the slightest.
Here you go again, calling people morons, pretending you left programming because of other people's "incompetence" instead of the fact that your skills are no longer in demand... You're not fooling anyone except yourself. You were ejected from the industry because your skills are worthless and you were unwilling or unable to adapt, ok? You're living in the past, fantasizing that your RPG, COBOL, and xBase skills are still relevant, that you actually have the right to try and throw your weight around, that you actually have something relevant to say. So you spend all your time criticizing the current practitioners of the field, like a crusty old fart at the end of the block who yells at the kids playing stickball outside, shaking his fist and hollering "you damn kids!" when really, in your heart of hearts you wish you could join them in their game. You're a stereotype made real. Worse than that: you're a cliché.
You had your time. Now it's our world -- it's our time. Show some class and fade into the background like the ghost you are, or show some initiative and get back in the game. But don't sit on the sidelines and howl. It's unseemly.
Master of Transhuman said two things I have to reply to: 1) "First of all, I programmed for fifteen years in RPG, Cobol, and xBASE starting in the seventies." 2) "In short, one reason why I'm not programming now is the level of incompetence in the field is now taken for granted and accepted as normal." (then he wrapped up with some doofy comment about Windows 98).
Ok, taking them one at a time, in response I say:
1) The seventies lasted only ten years, so you cannot have programmed for fifteen years during the seventies. Second, the technologies you used are absolutely archaic, so how can you claim that you are even remotely qualified to second-guess modern programmers? You weren't even doing structured programming, much less OOP or event-driven programming. You have no basis for understanding the current state of the trade, and you have no right whatsoever to pretend you're some kind of expert.
2) What amazing arrogance and self-delusion this reveals! No, pal, the reason you're not programming now is that your antediluvian skills are worthless in the modern marketplace. You couldn't get an entry level job with that skill-set, much less a job with real responsibilities. So, stop insulting the current practitioners of the trade and go back to puttering around with your Altair, or whatever it is you weird old farts do when you're not screaming at the rest of us about our supposed "incompetence".
Look, to some degree, I sympathize with you old cats who can't seem to pull it together and learn the new stuff. It must really suck to fall further and further behind with every passing year. I mean, Jesus, you're still using Windows 98! Who still uses that? If you were really a techie, you'd be using Linux or FreeBSD by now. Or at least, you'd have moved to Windows 2000 and gotten rid of some of your stability problems. But my sympathy for you has limits; no one is twisting your arm, and making you use an old piece-of-shit like Win 98, you're CHOOSING to use it instead of better alternatives. No one is blocking you from doing modern programming; you're CHOOSING to be a crusty old fart instead of a current and up-to-date pro. You're not even willing to help yourself, so how can you dare to second guess others? It's nothing but hubris -- hubris and arrogant, false pride.
What a waste. You're deliberately dooming yourself to utter irrelevance.
I think the most important part of the incredibly boorish flame listed above is the poster's admission, "I don't know enough about the internal code of Apache or the HTTP protocol which mandates this". It is important because it indicates that the poster is aware that he doesn't know enough to know whether he has a basis for his complaint.
Another gem is (talking about system failure messages that the poster considers permissible): "...should identify itself as such and direct the end user to contact the sysadmin (which in fact this message tried to do)". So, he's basically saying that the error message he's flaming about actually met his criteria for being permissible.
So here we have an end-user who is angry because a website got slashdotted, and spit out a descriptive error message he didn't have the technical wherewithal to comprehend. He admits that he doesn't know enough to know whether he should be angry or not, and he admits that the message he is angry about is reasonable, but he's angry anyway. And, he wants to let all of us "geeks" know that he thinks we are morons.
Quite remarkable. I didn't know guys like this could work a web browser.
Ha ha ha!!! That's beautiful!!! From one programmer to another, well said! At least I'm not alone in being sick of end-user pissing and moaning... I never could figure out why the hell they all get so worked up about things, anyway... It's like the fans at baseball games getting pissed off because a pitcher uses a curveball instead of a fastball. Ridiculous...:)
First of all, you're completely overreacting to an issue that is relatively insignificant. I don't know your background, but your approach makes me suspect you're not a programmer -- perhaps someone who is only involved with programming on the periphery of the activity, like a programmer's manager, or a nontechnical website manager. I'm not saying this to insult you; it's just an observation, that professional programmers don't let this stuff get them all worked up, while nontechnical staff often do, and the less directly a person is involved with an activity, the more obsessively they seem to want to control how the activity is carried out.
There's nothing wrong with putting some debugging information in a production page. In doing so, when your clients call tech support, they can give you the actual error message that was generated, and let you know what sort of query (or whatever) they were doing at the time when they had the error. This lets you reproduce the error more easily, and solve the problem. IF, that is, solving the problem is more important to you than conveying the illusion that your software is perfect. I don't get the sense you feel this way.
You really, really ought to calm down. Who nominated you as the guardian of easily frightened end users, anyway? And, what makes you think you've got any right to call programmers "idiots" just because they don't agree with your views on software development? Bossy, flaming screeds about how people ought to do their work are pointless and stupid. There must be a better way you could use your time.
Thanks for a good, hearty discussion!
Good points.
Thanks, that's what I was going for. At least the joke wasn't wasted... ;)
Boy, did you ever miss my point.
that's all I'm saying.
I think it's a bad idea all around.
Ha! That one was funnier than mine. Kudos.
BUT, and this may come as a shock to you, many business DO use Visual Basic (or its bastard child, VB.Net). And, where would a young, feisty hacker type fresh out of after-school hacking class be able to do more damage? A Linux/Java shop, where he probably doesn't have root and won't be able to do all that much before the sysadmin introduces him to the cluebat? Or a Windows shop, where the admins are all generally MCSE's and he would be able to run rampant? Think about it. It was a well-chosen satirical example. The question is, how will a relatively uninformed HR Drone react to knowing that a job candidate spent all his time after school learning how to hack computer systems? Especially when most suits read article after article in the media about how the evil hackers of the world are busily working on stealing their credit cards, their bank accounts, nekkid pictures of their wives, and their daughter's virginity... MY theory is, the HR drone will circular-file that person's resume instantly. Even if the person is hired, sooner or later, it'll come out that he did this and he'll fail a security audit.
;)
By the way: in response to your example, if I was hiring an architect, and he told me that he'd spent all his time after school blowing up abandoned buildings, so he's going to design my building to be safer than all the other non-bomb-proof buildings, I'd hire someone else and make sure that the bomber architect's picture was posted on the wall in the security office with "DO NOT ADMIT" in giant red letters. It was a really bad example, dude.
Knowing how to secure a system and knowing how to attack one are not the same thing. You can consider case histories and factual accounts of prior incidents to try and see how a system is going to be attacked, and work that information into a new design. Naturally, you would want to consider hacking techniques in a course on security, but I think it's a question of focus. This course seems to focus on hacking, rather than the other side of the coin, system security. I think it's foolish to approach the subject -- especially with adolescents -- in this manner.
ChrisNowinski said: "You don't teach people how to create security systems by teaching them to break into bad systems.
You teach them to comment their code, watch the buffers and never let programs leave the box unless you absolutely have to.
This whole hacker mythology is poor."
I agree. Instead of teaching people how to hack systems, wouldn't it make more sense to teach them how to set up firewalls properly, restrict setuid, restrict the number of services running, set up a patching strategy, and run an intrusion detection system like PSAD? People interested in programming could take a course focused on verifying user input, and avoiding buffer overruns. That sort of thing would be useful to kids, instead of just making them unemployable.
And, this WILL make it hard for them to get a job. Who on earth is going to want to hire a kid who already has experience hacking? Imagine what the legal staff would say, the kind of liability the company would be up against if he or she decided to have a little fun using his work PC, especially when the company KNEW he was a hacker and gave him net access anyway!
I think that every HR Drone who sees a resume from one of these kids is going to at least briefly envision the following exchange taking place:
Lawyer: "So, you knew that Joey was a hacker -- it's right here in his resume. You knew that, correct?"
HR Drone: "That is correct."
Lawyer: "But you hired him anyway. And, you gave him access to the net, Visual Basic development tools, and access to your servers."
HR Drone: "Well, he WAS a developer..."
Lawyer: "Yes, but also a hacker."
HR Drone: "Yes."
Lawyer: (voice rising, Perry Mason style): "So, you KNEW he was a hacker, and you gave him everything he would need to do whatever he might want to do -- including take down Wall Street's trading systems for two whole days?"
HR Drone: "God, when you put it THAT way, you make it sound like it was our fault or something!"
Lawyer: "Perhaps it is. Your hacker cost Wall Street tens of millions of dollars in lost trades. Maybe if you'd have hired someone who HADN'T expressed an interest in hacking, we wouldn't be in this courtroom in the first place. You DID have other applicants, I assume?"
HR Drone: "We had over 100."
Lawyer: "But you chose the hacker."
HR Drone: "Yes."
Lawyer: "No further questions."
The above fantasy would scare any HR Droid senseless. And, you just KNOW it's the first thing they'll think of when they see a resume from one of these kids.
If SCO were to sue God, God would probably be mildly amused for about a second or so. A second later, he would snap his ethereal fingers and SCO would change into a septic tank service company, with their CEO and the lawyers as the "sewage engineers" running the trucks. The SCO IP would simply cease to exist along with the company.
BTW: Here's a joke. Apparently, Hell and Heaven are separated by a white picket fence. So, late one night, a demon gets drunk and drives its car along the picket fence, knocking it down. God, furious, demands that the devil repair the damage. Contractors come and repair the fence, but when God comes to check their work, he finds that the fence is now 20 feet inside Heaven's property line.
God is livid. "Hey, Satan! You'd better get your contractors to put this fence where it's supposed to be!"
"Or what?"
"I'll sue you!"
"Oh, YEAH? Where are YOU gonna find a lawyer?"
Ain't it the truth?
You're totally right about that, of course... I just wanted to add a note of explanation: by "real work" I don't mean the work you get paid for, because at work you'll be using CrapOS like everyone else. I mean your private, interesting explorations into computer science and programming, the stuff you do at home for fun and share with other like-minded people. The stuff we do at work is just more of the price of doing business -- it keeps you well fed, and online, but it doesn't nourish your soul.
I think that we'll all have to buy at least one "sacrificial" computer just so we can interact with the world. Call it a "cost of doing business"; pick up a shitty, low-end machine for web browsing and email, $300.00 worth. Do all your gaming on consoles. And, do all your REAL work on pre-DRM laptops you've carefully preserved...
And, the commercials! Don't forget the commercials!
An A/C said: "Is it me or are the 1984 quotes so 1994? Orwell would have been for this. This is about freedom. Having the government tell you what you can and cannot own in a free market is, well, Orwellian!"
You misunderstand the situation. The government is all for the concentration of ownership of media, because it makes it that much easier to ensure that virtually all major media outlets are disseminating the "proper" government propaganda, and not allowing any pesky dissenting voices to be heard. Once the media is completely under the control of a select group of people, which it nearly was already, it will be very easy for the government to say, "Oh, no, we were always at war with Eastasia." Which is EXACTLY what Orwell was warning about. Centralized control of the media is just one method by which a government can exact an absolute level of control over its citizens. Don't try to muddy the issue with poorly-thought-out arguments about the free market. This is NOT about the market, or about who gets to own what. This is about who gets to control which points of view you get exposed to, and what information you are permitted to consider.
So, no, you're wrong. Orwell would NOT have approved. Not even in the slightest.
You're welcome! :)
Oceania is now allied with Eastasia. Oceania has ALWAYS been allied with Eastasia.
Here you go again, calling people morons, pretending you left programming because of other people's "incompetence" instead of the fact that your skills are no longer in demand... You're not fooling anyone except yourself. You were ejected from the industry because your skills are worthless and you were unwilling or unable to adapt, ok? You're living in the past, fantasizing that your RPG, COBOL, and xBase skills are still relevant, that you actually have the right to try and throw your weight around, that you actually have something relevant to say. So you spend all your time criticizing the current practitioners of the field, like a crusty old fart at the end of the block who yells at the kids playing stickball outside, shaking his fist and hollering "you damn kids!" when really, in your heart of hearts you wish you could join them in their game. You're a stereotype made real. Worse than that: you're a cliche.
You had your time. Now it's our world -- it's our time. Show some class and fade into the background like the ghost you are, or show some initiative and get back in the game. But don't sit on the sidelines and howl. It's unseemly.
Master of Transhuman said two things I have to reply to:
1)"First of all, I programmed for fifteen years in RPG, Cobol, and xBASE starting in the seventies."
2)"In short, one reason why I'm not programming now is the level of incompetence in the field is now taken for granted and accepted as normal." (then he wrapped up with some doofy comment about Windows 98).
Ok, taking them one at a time, in response I say:
1) The seventies lasted only ten years, so you cannot have programmed for fifteen years during the seventies. Second, the technologies you used are absolutely archaic, so how can you claim that you are even remotely qualified to second-guess modern programmers? You weren't even doing structured programming, much less OOP or event-driven programming. You have no basis for understanding the current state of the trade, and you have no right whatsoever to pretend you're some kind of expert.
2) What amazing arrogance and self-delusion this reveals! No, pal, the reason you're not programming now is that your antediluvian skills are worthless in the modern marketplace. You couldn't get an entry level job with that skill-set, much less a job with real responsibilities. So, stop insulting the current practitioners of the trade and go back to puttering around with your Altair, or whatever it is you weird old farts do when you're not screaming at the rest of us about our supposed "incompetence".
Look, to some degree, I sympathize with you old cats who can't seem to pull it together and learn the new stuff. It must really suck to fall further and further behind with every passing year. I mean, Jesus, you're still using Windows 98! Who still uses that? If you were really a techie, you'd be using Linux or FreeBSD by now. Or at least, you'd have moved to Windows 2000 and gotten rid of some of your stability problems. But my sympathy for you has limits; no one is twisting your arm, and making you use an old piece-of-shit like Win 98, you're CHOOSING to use it instead of better alternatives. No one is blocking you from doing modern programming; you're CHOOSING to be a crusty old fart instead of a current and up-to-date pro. You're not even willing to help yourself, so how can you dare to second guess others? It's nothing but hubris -- hubris and arrogant, false pride.
What a waste. You're deliberately dooming yourself to utter irrelevance.
I think the most important part of the incredibly boorish flame listed above is the poster's admission, "I don't know enough about the internal code of Apache or the HTTP protocol which mandates this". It is important because it indicates that the poster is aware that he doesn't know enough to know whether he has a basis for his complaint.
Another gem is (talking about system failure messages that the poster considers permissible): "...should identify itself as such and direct the end user to contact the sysadmin (which in fact this message tried to do)". So, he's basically saying that the error message he's flaming about actually met his criteria for being permissible.
So here we have an end-user who is angry because a website got slashdotted, and spit out a descriptive error message he didn't have the technical wherewithal to comprehend. He admits that he doesn't know enough to know whether he should be angry or not, and he admits that the message he is angry about is reasonable, but he's angry anyway. And, he wants to let all of us "geeks" know that he thinks we are morons.
Quite remarkable. I didn't know guys like this could work a web browser.
Ha ha ha!!! That's beautiful!!! From one programmer to another, well said! At least I'm not alone in being sick of end-user pissing and moaning... I never could figure out why the hell they all get so worked up about things, anyway... It's like the fans at baseball games getting pissed off because a pitcher uses a curveball instead of a fastball. Ridiculous... :)
First of all, you're completely overreacting to an issue that is relatively insignificant. I don't know your background, but your approach makes me suspect you're not a programmer -- perhaps someone who is only involved with programming on the periphery of the activity, like a programmer's manager, or a nontechnical website manager. I'm not saying this to insult you; it's just an observation, that professional programmers don't let this stuff get them all worked up, while nontechnical staff often do, and the less directly a person is involved with an activity, the more obsessively they seem to want to control how the activity is carried out.
There's nothing wrong with putting some debugging information in a production page. In doing so, when your clients call tech support, they can give you the actual error message that was generated, and let you know what sort of query (or whatever) they were doing at the time when they had the error. This lets you reproduce the error more easily, and solve the problem. IF, that is, solving the problem is more important to you than conveying the illusion that your software is perfect. I don't get the sense you feel this way.
You really, really ought to calm down. Who nominated you as the guardian of easily frightened end users, anyway? And, what makes you think you've got any right to call programmers "idiots" just because they don't agree with your views on software development? Bossy, flaming screeds about how people ought to do their work are pointless and stupid. There must be a better way you could use your time.
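One way to give tech support the reproducible detail the post above is after, while keeping the raw traceback off the page unless a debug setting is on. This is a Python sketch added here as an illustration; it is not the poster's code or any project's, and the `serve` dispatcher, the in-memory `_error_store` and all names are constructed for the example. The user is shown a short reference and a summary of what they were doing, which is what they read back to support; the full detail is stored server-side under that reference.

```python
# Added example (not the poster's code, not from any project): hand the user a
# reference they can read back to support, keep the internals server-side.
import secrets
import traceback
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical server-side store; a real deployment would use its log pipeline.
_error_store: Dict[str, str] = {}


@dataclass
class ErrorReport:
    reference: str        # short id shown to the user and written to the store
    user_message: str     # what the page shows
    internal_detail: str  # traceback; stays on the server unless debug is on


def handle_error(exc: BaseException, request_summary: str, debug: bool = False) -> ErrorReport:
    """Record the full traceback under a fresh reference id.

    The user sees the id plus a summary of the request they made, which is what
    tech support needs to find the stored entry and reproduce the failure. Only
    with debug=True (a development setting) does the traceback reach the page.
    """
    ref = secrets.token_hex(4)  # 8 hex chars; random rather than a guessable counter
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    _error_store[ref] = f"request: {request_summary}\n{detail}"
    msg = (f"Something went wrong (reference {ref}). You were requesting: "
           f"{request_summary}. Quote the reference when you contact support.")
    if debug:
        msg += "\n\n" + detail
    return ErrorReport(ref, msg, detail)


def lookup(reference: str) -> Optional[str]:
    """What support pulls up when the user reads the reference back."""
    return _error_store.get(reference)


def serve(path: str, params: Dict[str, str], debug: bool = False) -> Tuple[int, str, Optional[str]]:
    """Toy dispatcher, constructed for the example: returns (status, body, error reference)."""
    try:
        if path == "/report":
            year = int(params["year"])  # KeyError or ValueError on bad input
            return 200, f"report for {year}", None
        raise LookupError(f"no handler for {path}")
    except Exception as exc:
        report = handle_error(exc, f"{path} {sorted(params.items())}", debug)
        return 500, report.user_message, report.reference


if __name__ == "__main__":
    status, body, ref = serve("/report", {"year": "abc"})
    print(status)
    print(body)          # reference and request summary, no traceback
    print(lookup(ref))   # the detail support sees
```

With `debug=False` the page carries the reference and the request summary, which is enough for a caller to tell support "I asked for the report with year abc, reference 3f9a1c2e"; support then looks the reference up and gets the traceback. Flipping `debug=True` puts the traceback on the page itself, which is the behaviour the post is defending and is fine on a development box.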