Yeah, I thought it would be lame, but seeing how the code flows and watching it execute is kind of cool, actually. The ascii art turns into a kind of flow chart. It's like a map of the execution of the code, and you can watch the program counter travel through, like a car in a small city. It's just a toy but it gives me ideas for visualization that might work in larger, more realistic, projects.
May I interject, this is a Silicon Valley thing more than it is an everywhere thing.
It's not a Silicon Valley thing either, it's just a whiner thing. There are plenty of jobs available in Silicon Valley for people who have the skills.
There are not quite so many jobs available for people who still use tables to lay out their HTML, or who only know COBOL. (There are jobs for people who only know COBOL, but not in Silicon Valley).
There are certainly companies that discriminate on age (and Google might be one of them, I don't know), but there are also companies that discriminate based on what you wear. The proper thing to do is move on, and find a company that doesn't. There are plenty.
I understand that in some circles it is quite fashionable to be a victim, in order to seek sympathy and acceptance. I respectfully choose not to participate in the victim industry, or engage in victim mentality. Now, if you excuse me, I have to go back to hacking on this fine, beautiful weekend, in order to keep my skills up to date, and be employable.
Thank you. Please enjoy your coding, and please release it as open source if you get a chance.
Do you know what a bug is? It's a mistake. What do you do when you find a mistake? You find some way to avoid it in the future.
There are entire classes of mistakes that should never happen. SQL injection? Never. We know how to make this not happen. The extra time it takes to avoid SQL injections is minimal to none. You can be perfect at avoiding SQL injections. There are many other ways to avoid bugs, techniques that can be learned and used. Because this company is making security devices, ideally they should devote some real resources to QA, giving them a multi-layered bug avoidance system. They should keep their bug tracker empty, fixing all known bugs as soon as they are reported. How much do you want to bet they don't have QA?
Keep your interfaces simple so you can reason about them. Test your code. Learn how to avoid bugs that can be easily avoided. Soon you will find that your code is solid, and bugs are rare (even without QA).
These frameworks will de-serialize any object. Send them a Process object in .NET, and the framework will deserialize it into something that can fork a new process. The APIs in Java and .NET are so huge, that it is extremely difficult to filter out every kind of object that might cause problems (some frameworks try......and fail).
There is no 'pure' data here, the purpose of these frameworks is to deserialize into objects, and objects by definition are functions combined with data.
Trust me I've built systems both ways and deserialization directly into objects is no bueno.
Yeah, running an auto-deserializer on untrusted data is basically guaranteed to be a security flaw. The NSA and FSB will pwn you at that point, along with anyone else who wants to (just ask PayPal).
It's probably better to parse out to low-level "scalar" values and hand-code the part that stuffs them into objects or databases rather than let a parser actually build objects or object trees itself.
This is exactly right. Because the data is untrusted, you need to verify it anyway, and adding parsing code to that usually doesn't add much overhead (it can often be the same code).
In the DEFCON talk they made a strong case that these generic de-serialization libraries are extremely difficult if not impossible to use securely. They were just grabbing at low-hanging fruit, as soon as you've imported these libraries, you're compromised. They didn't even discuss ways that the libraries might be used incorrectly.
Say no to generic deserializers on untrusted data.
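The thread above recommends parsing untrusted input down to scalar values and hand-writing the step that turns them into objects, instead of letting a generic deserializer instantiate whatever type the wire format names. As an added example (not code from the thread), here is that pattern in Python: json.loads can only ever yield dicts, lists, strings, numbers, booleans and None, so the application class is constructed by our own code against an explicit whitelist of keys, types and ranges. The Order type, its schema and the sample payloads are all constructed for the illustration.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str
    quantity: int


# The only keys accepted, and the exact scalar type each must carry.
# Nothing in the input can add a key, name a class, or pick a type.
ORDER_SCHEMA = {"order_id": int, "customer": str, "quantity": int}


def parse_order(text: str) -> Order:
    """Turn untrusted JSON text into an Order via scalars only.

    The parser hands back plain data; this function decides, field by field,
    whether that data is acceptable, and only then builds the object.
    """
    raw = json.loads(text)  # raises ValueError (JSONDecodeError) on malformed text
    if not isinstance(raw, dict):
        raise ValueError("top-level value must be a JSON object")

    unexpected = set(raw) - set(ORDER_SCHEMA)
    if unexpected:
        # Reject rather than ignore: extra keys are a sign the sender is
        # probing for a type-selection or polymorphism hook.
        raise ValueError(f"unexpected keys: {sorted(unexpected)}")

    fields = {}
    for key, expected in ORDER_SCHEMA.items():
        if key not in raw:
            raise ValueError(f"missing key: {key}")
        value = raw[key]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"{key}: expected {expected.__name__}")
        fields[key] = value

    # Semantic checks that a generic deserializer would never perform.
    if fields["order_id"] < 0 or fields["quantity"] <= 0:
        raise ValueError("numeric field out of range")
    if not 1 <= len(fields["customer"]) <= 64:
        raise ValueError("customer name length out of range")

    return Order(**fields)


def is_valid_order(text: str) -> bool:
    """Convenience wrapper: True if the text parses and validates as an Order."""
    try:
        parse_order(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = '{"order_id": 7, "customer": "alice", "quantity": 3}'
    print(parse_order(good))
    # Constructed hostile-looking inputs: a type-selection key, a wrong scalar
    # type, a non-object top level, and a boolean where an int was expected.
    for bad in (
        '{"order_id": 7, "customer": "alice", "quantity": 3, "$type": "System.Diagnostics.Process"}',
        '{"order_id": "7", "customer": "alice", "quantity": 3}',
        '[1, 2, 3]',
        '{"order_id": 7, "customer": "alice", "quantity": true}',
    ):
        print(is_valid_order(bad), bad)
```

The validation code is the same code you would have to write anyway to trust the data, which is the overhead argument made above; the only thing given up is the convenience of having the framework instantiate types on your behalf.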
No. If you're making something like locks, you need to make a huge effort to write solid code in the first place. People are depending on your code to keep things secure, and you need to follow either formal logic design, or the DJB school of programming. You don't release things and fix them later, your lock needs to have pretty close to zero bugs.
This is just a sign that they have lousy procedures, and the code is just as bad.
You have a point, the Amiga wore the crown in a time when there were many different computer brands, and they were all being thinned out. Only a few were able to survive that, and even Apple had trouble against the PC.
Look at it another way, though. There was enough room in the market for another OS (Linux), so why not for another hardware platform as well? Perhaps difficult, but it seems like it would have been possible.
Cool, thanks. That's something I'm going to have to think about.
I'm not entirely convinced (tentatively). It seems to some degree you are trying to sandbox something, but privilege escalation exploits are all over the place in OSes.
If you want to get the whole picture, you need to pay attention to how it does in international sales. Pirates of the Caribbean made $173 million in the US, but it made $781 million worldwide. Which market do you think they are going to pay the most attention to? The US is just one small market now.
That's true of coin flips too. This matches your requirement, a legitimate scientist who is very well respected, had plenty of time to update his prediction, and it looks like he's going to be wrong in any case.
In the cases you mentioned would the outcomes have been different if the offending speech were circulated internally and not on a public domain?
That's a good question, and in some cases the question of whether or not he used company resources would be extremely important.
A case on that topic would likely revolve around whether Google disallows personal use of the company resource (in this case, I believe it's their internal Google+ system). Google can say, "Only work related things on internal Google+" or "Only work related things on company email." Once they allow personal things however, it is a lot harder for them to censor things they don't like. See this for one example.
A good portion of the manifesto is criticizing workplace policies, which is allowed. I expect a major question of the lawsuit to be whether the parts that were harassing women were separate from the critiques of workplace policies. (Other potential areas of dispute are whether he was actually critiquing work-place policies, and whether he was actually harassing women. Google might also have to address whether they followed standard policy in firing him instead of giving him a warning).
That is ridiculous. Of course the state will incur extra costs because of this plant. To suggest otherwise is disingenuous.
How much? If you have numbers, please present them. That would be good info and a strong argument.
Right now you are just ranting emotionally. I hope it made you feel better.
This is not "breaking even" because they did not pay any money out to begin with. If Foxconn pays even one dollar in taxes, then Wisconsin has more revenue than it would otherwise.
Of course, Wisconsin might have other expenses increase from this, like road upkeep, and that would be an interesting story, worth comparing......but the present story is just a hack job.
When it comes between "giving a talk at DEFCON" and "keeping your job at Salesforce," for a penetration tester the former is a much better career choice.
The scenario where Google could have offered Damore a big severance package was not really an option, assuming Google wants to maintain internal morale. Once the PC authoritarians heard about any severance
That's why they offer it with a nondisclosure agreement, so no one finds out about it.
And wished you had earplugs to deal with the drum memory......
I think age is a biological difference. FWIW.
Please clarify instead of posting cryptic pointless posts.
Where are the prosecutions of clearly corrupt Democrats by the clear majority Republicans
Which democrats in particular would you like to be prosecuted?
I don't see how any other authority system is better.
How we handle money.......so you are saying have a double-entry bookkeeping system for file permissions?
As long as it keeps getting over 1,000 comments, I guess. People want to talk about it, let them, I say.
Cool, thanks for reading the PDF.
That's good to know, thanks.