Slashdot Mirror


User: Shackleford

Shackleford's activity in the archive.

Stories: 0
Comments: 45

Comments · 45

  1. Re:Good God Man on Cyber Insurance Between the Lines · · Score: 1
    I have to admit, I could've made that sentence more understandable. But maybe something good came out of it. That lack of understandability could've led readers to read the article so that they'd know what I was talking about. Anything that gets people to read the article is good, right? :)

    Anyway, I suppose I should try harder to avoid coming up with such long sentences, especially if they do not have punctuation. I must avoid writing long sentences in which I state several facts in which punctuation does not exist to serve the purpose of clarifying the point which I am making.

    Translation of the last sentence: Long sentences without punctuation are hard to understand, so I shouldn't use them. :)

  2. Re:Well then make it useful on Use a Honeypot, Go to Prison? · · Score: 1
    Couldn't this be avoided by making the honeypot actually "do something", thereby making it not a "honeypot"? I.e., stick some files on there and call it a backup server (unimportant files of course) or whatever. After all, aren't the most effective honeypots those that fool the intruder into thinking that it's a real "site"? What better way than to sorta make it real? Nothing illegal about monitoring your own real site, right?

    I'd say that that's a good point. The article says that a "honeypot" is "a system that sits on an organization's network for no other purpose than to be hacked, in theory diverting attackers away from genuinely valuable targets and putting them in a closely monitored environment where every keystroke can be analyzed." Therefore, the server ceases to be a honeypot when it is used for another purpose, even if that purpose is redundant. That could be a good way to get around the problem. But there's a problem with that.

    The server with unimportant stuff is also being used to monitor communication without the client knowing about the monitoring. So it could still be considered equivalent to illegal wiretapping. But still, something else to consider is that the average Internet user doesn't know exactly how much of what they do is logged. Take HTTP logs, for example. You can tell which web pages a user has viewed just by looking at them. And no disclaimer needs to be put up saying that this information is logged.

    So you may well be onto something here. You can monitor your own servers, but some may have a problem with certain ways you do it. And so long as there's nothing illegal about these methods, then it looks like your idea would work.

  3. Stranger Than (Orwellian) Fiction on The Searchable Life · · Score: 2, Insightful
    What can I say? After reading the articles on LifeLog and the one on Total Information Awareness (TIA) I'd have to say that I am in disbelief. How the former of these two ideas got as far as it did, even though it doesn't seem to be far at all, is hard to believe. TIA has already been heavily criticized and a quote from the article said that LifeLog may be "TIA cubed." Well, what I say to that is:

    TIA^3 = (1984)^2

    Yes, indeed. The society depicted in Orwell's "1984" didn't even go this far. They didn't try to track this much information about people, IIRC. This idea, however, still has a long way to go before it is materialized. And even though DARPA seems to be giving it a push, I don't expect it to take off. Why? Let me explain.

    TIA, which apparently keeps track of much less information, has come under much criticism from those who are familiar with it. In fact, I understand that they decided to change the TIA logo because it had an eye on it, implying that Big Brother was watching. People will become aware of this and not allow LifeLog to do the Orwellian things that TIA is supposed to do. It may not have many applications beyond military training systems (which was suggested in the article). And TIA, and the petabytes of information on U.S. citizens it's supposed to store, was barred from use against U.S. citizens in February. Still, we need to watch for whatever Orwellian ideas gain popularity with those in power.

  4. Re:I still don't understand... on Spam Blackhole Lists Redux · · Score: 1
    Why don't we just create a system where we all only accept mail that has been PGP encrypted with our public keys? That way spammers will have to burn through a whole lot of clock cycles to get their crap out and as an added benefit, we will get a bit more privacy.

    That all sounds good, but it's much easier said than done. Having every single legitimate e-mail user use PGP (or their cryptographic e-mail software of choice) is something that'll take time, as well as standardization, I'd imagine. It will be a long time before rejecting all e-mail from those that don't encrypt it will be reasonable. These kinds of changes take lots of time. Although making encryption of e-mail a standard may speed it up, won't the FBI, who came up with that whole Carnivore idea, and certain other organizations that want to monitor our communications want to stand in the way of it?

  5. Why Support the Draconian Anti-Spam Proposal? on Spam Blackhole Lists Redux · · Score: 1
    The views stated in the politechbot.com article seemed to support taking more extreme measures against spam. It said that ISPs that are affected by it should tell those that send out spam that they either get rid of the spammers or be blacklisted. What would happen is the "Internet equivalent of the death penalty." This does seem quite extreme, but considering the amount of bandwidth consumed by spam, ISPs may need to do this. In fact, I understand that many ISPs do use blacklists and find it quite effective.

    Of course, there are problems with it. The problem with "false positives" occurs with spam filters that solve the problem only after the bandwidth consumption occurs. And there may be many more false positives in this case. But those are from ISPs that support spam. Legitimate users wouldn't be able to have their messages get through, but who would want to support ISPs that are spammers? ISPs need to prevent their bandwidth from being consumed by junk, but how do they explain it when their customers don't get their intended mail? And here's a true story: Somehow, a perfectly legitimate ISP found itself on one of the blacklists of the ISP where I used to work.

    Perhaps blacklists should only be used to block those that are known to be spammers. It's a brute-force kind of method, and it works well, if used properly.

  6. Free as in Beer, Not as in Speech on For Microsoft, Market Dominance Isn't Enough · · Score: 1
    Ayala's e-mail told executives that if a deal involving governments or large institutions looked doomed, they were authorized to draw from a special internal fund to offer software at a steep discount, or free, if necessary.

    Well, I'm assuming that when they speak of offering the software for free, they mean as in free beer, not free speech. And perhaps that is why this strategy, which is ethically questionable, will not take off. Governments may want the source to be open, and may not be impressed with Microsoft's track record with regards to some of their products. Also, one of the reasons Linux is so popular overseas is because it isn't American; it's international. Anti-U.S. sentiment and philosophical differences could make this rather anti-competitive strategy ineffective to the point of irrelevance.

  7. Problems with the Tauzin Bill on Cornucopia Of Spam Bills · · Score: 2, Insightful
    From the Washington Post article:

    Instead, the draft would require commercial e-mail to allow users to "opt out" of future mailings and to provide accurate electronic and physical addresses of the senders. It also would prohibit the "harvesting" of e-mail addresses that spammers using special software obtain from Web pages.

    Something that I would like to know is how exactly a law that prohibits use of software that harvests e-mail addresses from web pages can be enforced. What would happen? My understanding is that HTTP log files can be checked to determine if "bots" have collected information on the web page. But how can they tell what those bots did? This is my understanding; I could be wrong, and correct me if I am. And even if they can, then spammers will just look for other ways of getting e-mail addresses. This actually could set the wrong kind of precedent. As they say at the EFF, "coding is not a crime." And is such a law even necessary? According to an article I read a while ago on the CBC web site, obscuring one's e-mail address so that it does not seem to have the format of an e-mail address works quite well. And if you want to annoy spammers, I've seen CGI scripts that generate several fake e-mail addresses. You can implement one of those on your web site if you would like to annoy spammers right back.

    Also from the article:

    State attorneys general think the proposed bill is riddled with loopholes, in addition to preventing states from enacting and enforcing tougher laws.

    Loopholes. Great. And I wonder if any of the legitimate businesses that you do business with (within three years, and why three?) would be able to do what they want with your e-mail address once they have it. Such as selling them to spammers. So in a nutshell, I'd have to say that I still have yet to see any anti-spam legislation that I like.
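    The two techniques the comment above mentions (obscuring an address so it no longer looks like an address, and serving fake addresses to harvesters) can be shown in a few lines. This is an added example, not code from the comment's author or from the CBC article it refers to; the harvester regex is an assumed stand-in for what a scraping bot does, and the fake addresses use the reserved example.com/net/org domains so no real mailbox is ever hit.

```python
import html
import random
import re

# Assumption: a naive harvester pulls anything that looks like user@host.tld
# out of raw HTML. Real bots vary, but this is the shape they start from.
HARVESTER_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(page_html: str) -> list[str]:
    """What a naive address-scraping bot extracts from a page's raw HTML."""
    return HARVESTER_RE.findall(page_html)


def obfuscate_entities(address: str) -> str:
    """Encode every character as an HTML numeric entity.

    A browser renders the original address for the human reader, but a regex
    run over the raw HTML never sees an '@' or a '.' and finds nothing.
    """
    return "".join(f"&#{ord(c)};" for c in address)


def obfuscate_words(address: str) -> str:
    """Human-readable form: 'user at example dot com'."""
    local, domain = address.split("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


def render_in_browser(text: str) -> str:
    """What the browser does with the entity-encoded form."""
    return html.unescape(text)


def poison_page(n: int, seed: int = 0) -> str:
    """Build a page of n fake mailto: links to waste a harvester's effort.

    Assumption: only RFC 2606 reserved domains are used, so the poison never
    lands in a real mailbox. A fixed seed keeps the output reproducible.
    """
    rng = random.Random(seed)
    domains = ["example.com", "example.net", "example.org"]
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    links = []
    for _ in range(n):
        local = "".join(rng.choice(alphabet) for _ in range(rng.randint(5, 10)))
        addr = f"{local}@{rng.choice(domains)}"
        links.append(f'<a href="mailto:{addr}">{addr}</a>')
    return "<html><body>" + " ".join(links) + "</body></html>"


if __name__ == "__main__":
    real = "someone@example.org"
    plain_page = f"<p>Contact: {real}</p>"
    safe_page = f"<p>Contact: {obfuscate_entities(real)}</p>"
    print("plain page harvested:", harvest(plain_page))
    print("entity page harvested:", harvest(safe_page))
    print("browser shows:", render_in_browser(obfuscate_entities(real)))
    print("words form:", obfuscate_words(real))
    print("poison yields:", len(set(harvest(poison_page(20)))), "fake addresses")
```

    The entity trick only defeats bots that regex the raw HTML; one that renders the page (or unescapes entities first, as `render_in_browser` does) still gets the address, which is why the "user at host dot tld" form is the more robust of the two.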

  8. Morris and the Intended Function Test on Legally Defining "Unauthorized" Computer Access · · Score: 3, Informative
    I did not read the entire document (all 70 pages of it) but I'd have to say that you don't need to read it all to find that at least some parts of it were quite interesting. For example, after reading pages 38-42, the section on Robert Tappan Morris and the "intended function test", I'd have to say that this section alone is quite interesting and is in itself a topic that is worthy of debate.

    For those of you who aren't familiar with what Morris did or didn't read the section I'm discussing, he is the one responsible for the worm that shut down much of the Internet in 1988. He did it using computers to which he had access, and so he was authorized to use them. However, his worm, which exploited bugs in software such as sendmail and the finger daemon, "spread out of control" and caused more damage than intended. He "exceeded authorized use" of the computers to which he had access. And there is a subtle distinction between that and "unauthorized use," but is it significant? That's a point to consider. Here are others:

    • The worm that he had written became "out of control." If that hadn't happened, then would we have ever heard about this? What I am saying is that unauthorized computer access and what is done with that access are two separate things. No harm, no foul, as they say.
    • The reason it is called the "intended function test" is because he used sendmail and the finger daemon for purposes for which they were not intended. Those that write software implicitly only allow users to use software for its intended purposes. What implications does this have for open source software? And game modifications? What about security testing?

    These are a few points I'd say are worth considering. I'm sure that there's plenty more food for thought in the many pages of the document that I still have yet to read. :)

  9. Re:Agreed.. on Summary of JDK1.5 Language Changes · · Score: 1
    I'd have to say that some of those "new features" most certainly are syntactic sugar. Such as iterators in loops for example. My opinion is that there wasn't any need for the sort of shorthand that they added. I personally find that explicitly declaring the iterator in the loop makes the code more readable. I don't find it "ugly" as Mr. Bloch says it is. In addition, I usually prefer having only one way of doing everything. With different ways of writing code that performs the same task, it takes longer to parse the source code. So as it has been said before, it seems as though Java is becoming more and more like Perl.

    But there are definitely some new features that you have to like. Such as autoboxing/unboxing. I have always found it tedious to use wrapper classes when working with int/Integer.

  10. Re:Alternative != replacement on Revising the Internet Email Infrastructure · · Score: 1
    For those of you saying "just improve your filters," (1) give me a filter that can parse an HTML message containing only an image to determine whether it's spam or not (no, you can't reject all HTML mail or mail with attachments, if my brother drags-n-drops a picture of my nephew and clicks "send," I want to receive it), and (2) figure a way to keep the message from being delivered until that determination is made. Post-delivery filtering doesn't solve the bandwidth/cost/traffic problems.

    Well, it's been said many times before: Spam filters are not perfect. Some spam just has a way of getting by the filters and there's the even worse problem of false positives. But filters tend to be effective, and their lack of perfection gives room for improvement. And we should continue to seek this kind of improvement.

    So anyway, as for how to deal with an HTML message that contains only an embedded image, it should be noted that the subject line and the information on the sender can give away some useful information to the filter. Also, my understanding is that messages that contain nothing but HTML (IMG tags in particular) tend to be spam. So this kind of message you describe would likely be assigned a high "spam score." Shouldn't there be at least some text in the body of the message?

    So if you want to send an image by e-mail, it may be best to send it as an attachment. If you receive an e-mail from an unknown sender with any attachment, you shouldn't open it. And isn't it a better idea to send images as attachments? I find it more convenient for the recipient that way.

    So in a nutshell, my take on spam filters is that they can be effective, but only one part of the solution to the problem of spam.
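    The scoring idea sketched above (an HTML body that is nothing but an IMG tag scores high, while the subject line and sender pull the score up or down) can be made concrete with Python's standard `email` parser. This is an added example, not the commenter's own filter or any real product's rules; the weights, the threshold and the three sample messages are constructed for illustration, and the "address book" of known senders is an assumption.

```python
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr

IMG_RE = re.compile(r"<img\b", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")

# Assumption: the recipient keeps an address book of people they correspond with.
KNOWN_SENDERS = {"brother@example.net"}
SPAM_THRESHOLD = 5  # constructed cut-off; tune against real mail


def visible_text(html_body: str) -> str:
    """Text a reader would actually see: the body with all tags stripped."""
    return TAG_RE.sub("", html_body).strip()


def subject_looks_spammy(subject: str) -> bool:
    """Crude subject heuristics: shouting, exclamation runs, the word 'free'."""
    letters = [c for c in subject if c.isalpha()]
    shouting = bool(letters) and subject.isupper()
    return shouting or "!!!" in subject or "free" in subject.lower()


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons). Higher means more likely spam."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in KNOWN_SENDERS:
        score -= 3
        reasons.append("known sender")
    else:
        score += 1
        reasons.append("unknown sender")

    has_text_part, html_bodies, image_attachments = False, [], 0
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain" and part.get_payload(decode=True).strip():
            has_text_part = True
        elif ctype == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html_bodies.append(part.get_payload(decode=True).decode(charset, "replace"))
        elif part.get_content_maintype() == "image" and part.get_content_disposition() == "attachment":
            image_attachments += 1

    if html_bodies and not has_text_part:
        score += 2
        reasons.append("HTML-only body, no plain-text part")
    if any(IMG_RE.search(b) and not visible_text(b) for b in html_bodies):
        score += 3
        reasons.append("HTML body is nothing but an image")
    if subject_looks_spammy(msg.get("Subject", "")):
        score += 1
        reasons.append("spammy subject line")
    if image_attachments:
        reasons.append(f"{image_attachments} image attachment(s), not scored")
    return score, reasons


def is_spam(raw: str) -> bool:
    return score_message(raw)[0] >= SPAM_THRESHOLD


# Constructed sample messages (not real mail).
SPAM_RAW = textwrap.dedent("""\
    From: deals@example.com
    To: me@example.org
    Subject: FREE OFFER!!!
    MIME-Version: 1.0
    Content-Type: text/html; charset="us-ascii"

    <html><body><img src="http://example.com/ad.gif"></body></html>
    """)

BROTHER_INLINE_RAW = textwrap.dedent("""\
    From: brother@example.net
    To: me@example.org
    Subject: Look at this
    MIME-Version: 1.0
    Content-Type: text/html; charset="us-ascii"

    <html><body><img src="cid:nephew"></body></html>
    """)

BROTHER_ATTACH_RAW = textwrap.dedent("""\
    From: brother@example.net
    To: me@example.org
    Subject: Photo of your nephew
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="b1"

    --b1
    Content-Type: text/plain; charset="us-ascii"

    Here he is!
    --b1
    Content-Type: image/jpeg; name="nephew.jpg"
    Content-Disposition: attachment; filename="nephew.jpg"
    Content-Transfer-Encoding: base64

    /9j/4AAQ
    --b1--
    """)

if __name__ == "__main__":
    for name, raw in [("spam", SPAM_RAW), ("brother inline", BROTHER_INLINE_RAW),
                      ("brother attachment", BROTHER_ATTACH_RAW)]:
        print(name, score_message(raw), "spam" if is_spam(raw) else "ham")
```

    The image-only spam scores 7 and is rejected, while the same image-only shape from a known sender scores 2 and gets through, which is the point the comment makes about sender information helping the filter. A bot that sends from a forged known address would also get through, so in practice this sender signal needs to be backed by something stronger than the From header.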

  11. Sounds good, but... on Revising the Internet Email Infrastructure · · Score: 2, Insightful
    There are a number of problems with this idea, which may at first seem to be the ideal solution to problems plaguing e-mail. Some have suggested that something along these lines be done, and PFIR only seems to be the latest to make these kinds of suggestions. So what are the problems with it?
    • The whole idea of replacing e-mail protocols to solve this problem is nothing new. In fact, replacing protocols is something that has often been suggested, but it is not so easy to just replace them. For example, when will IPv6 ever take off?
    • It said that all e-mail would be encrypted by default. I believe that the FBI and any other organizations that have been wanting to monitor as many communications as possible would have a problem with this and try to stand in the way of it.
    • As it has been said many times before, Internet protocols were designed for a time when the Internet was more open and not inundated with malicious individuals. Well, as with all software, times change, and so do requirements. Why go through all the trouble to come up with so many changes to the Internet infrastructure when more changes will be needed in the future? And won't spammers be able to circumvent whatever is in place for spam prevention? I don't believe I need to tell you how persistent spammers can be.

    So I would say that we simply use what we currently have to take on spam and encrypt e-mail. Just a few thoughts...

  12. Re:Refactoring is a waste of time on Interview With Martin Fowler · · Score: 1
    In my experience most code lives for about four years and then dies. During that time the requirements often shift by at least 25%. Given these observations, refactoring appears to be a waste of time.

    Yes, requirements most certainly do change. And refactoring can be a waste of time. And as a matter of fact, Martin Fowler himself may agree with you. To an extent, anyway.

    From the first section:

    Martin Fowler: Refactoring improves the design. What is the business case of good design? To me, it's that you can make changes to the software more easily in the future. Refactoring is about saying, "Let's restructure this system in order to make it easier to change it." The corollary is that it's pointless to refactor a system you will never change, because you'll never get a payback. But if you will be changing the system-either to fix bugs or add features-keeping the system well factored or making it better factored will give you a payback as you make those changes.

    So Mr. Fowler would say that it is a waste of time to refactor code if it will not be used in the future. However, refactoring doesn't ignore changes. In fact, according to Fowler, the opposite is true. I understand that refactoring makes code more maintainable and understandable, and that's what he seems to be saying. And considering that there are many software systems that use "legacy code", refactoring is certainly not always a waste of time. Refactoring is exactly what such systems need.

  13. Refactoring vs. Maintenance on Interview With Martin Fowler · · Score: 4, Interesting
    It's quite interesting to see an interview with Martin Fowler just shortly after attending a lecture in a software engineering course in which maintenance was discussed. The lecturer, in his discussion of software maintenance, compared software maintenance to other forms of maintenance. Usually, when people speak of maintenance, it is simply the act of ensuring that something is working as intended. In the context of software, however, when maintenance is done, so much about the software is changed that maintenance would be an inaccurate term. When I hear about refactoring, however, I think that a more accurate term for it could be "maintenance", simply because it does not change the system, but improves the way in which it is built.

    Just as in any other case in which maintenance must be done, it is quite important that this maintenance be done. It may not change the functionality of the code, but it can help make the software more easily adaptable. It can also help developers understand their own code, view it differently, and find different ways of implementing their systems. It may be more popular with Dilberts than PHBs, but perhaps those in the latter category should understand that even small amounts of refactoring can help save much time later on.

    This is one of my favourite books on programming/software engineering and one of the many topics it covers is refactoring. I'd say that it does a good job arguing the importance of refactoring and how to convince those PHB types to accept it. But if you're just interested in refactoring itself, I suppose that this one is the best reference on the topic. I must say that for quite a few reasons, refactoring is something that should not simply be considered just another trend/buzzword, but an important part of maintenance, which in turn is an important part of the software development life cycle.

  14. Another Step in the Wrong Direction on Toledo Uncappers Getting Shafted · · Score: 5, Insightful
    From the article: John Weglian, chief of the special units division of the prosecutor's office, offers no apologies for Buckeye's unusually harsh treatment of the uncappers. "Cyber crime is potentially very damaging to society. We are taking a firm position on that type of criminal activity. We hope these cases will have a deterrent value, given the cost factors for the defendants in successful prosecutions."

    Once again, we see an example of people doing something that is relatively harmless and being given an unusually strict punishment simply because it is labelled as "cyber crime." The people who create some laws seem to have little understanding of the technologies that we use, and their lack of knowledge is leading to some sort of irrational fear of any individual who commits any sort of crime using technology that they don't seem to understand. However, what makes this so disturbing is that modem capping was not said to be illegal in the article. It was referred to as "not legal." So has there been any legislation against this? Anytime? Anywhere?

    And of course, even if there were, then we should be disturbed. Was this "crime" any reason to confiscate so much of the offender's equipment? Even a VCR was taken, but strangely, an XBox gaming console was left behind. I'm not sure what exactly it is that's motivating these steps in the wrong direction. Is it some sort of irrational fear that leads to those that commit computer crimes being put in the same category as terrorists (which they have been, BTW) even if their crime is simply that of "stealing" bandwidth? Ignorance may be bliss for those at Buckeye Cablesystems and other corporations and the governments that make laws protecting them, but it certainly isn't for the rest of us.

    This is bad news, people. It seems that if you're committing anything that can be labelled "cybercrime" you can be given absurdly strict punishments just because your crime has that label.

  15. Storing Data Remotely is What I Do on Affordable and Safe Data Protection Practices? · · Score: 1
    I keep some data stored on different servers located in different locations. So something I'd have to suggest is use of one of the services that offer free storage space. Here is a list of sites that offer these services. So in the event of fire or some similar event, you can have data stored in many different locations. Also, I believe that not only can you store this data remotely, you can store it securely in at least a few of these locations.

    Of course, it's always a good idea to keep backups stored on rewritable CDs, since they can store more data. But having data stored in many remote locations would be a good idea if you want to ensure that your data is safe from disasters. I'd say that the more backups you have, and the more different locations they are stored in, the better.

  16. We Fixed Ours on Due Diligence? · · Score: 2, Interesting
    I worked at an ISP at the time that this was happening and we were quite well aware of these vulnerabilities. We often referred to CERT when looking for vulnerabilities that may have affected us. It was through sites like those that we found out about the problems with OpenSSL and we made the necessary changes. I'm not sure why it was found that many others didn't do what was necessary. Perhaps there are many admins that don't understand that they need to keep themselves up to date on these matters, and of course, they are often busy with many other tasks. It's not easy being an admin. Maybe that's why there is a System Administrator Appreciation Day.

  17. Just Adding Another $0.02... on The Peon's Guide To Secure System Development · · Score: 1
    Well, I must admit that I'm not an expert on computer security issues. I'd have to say that I don't know enough about these issues to write an article on them, but it seems that at least a few of us would say that neither does the author of the article. But there are a few things that need to be pointed out.

    My understanding is that the article put equal emphasis on education and entertainment. He makes such amusing remarks as "call yourself a computer professional? Congratulations. You are responsible for the imminent collapse of civilization." However, he also gives some information that was certainly not to be taken lightly. Therefore, it should be taken somewhat seriously, and quite a few people who read the article just might do that. And this could be a problem. Why? Because at the end of the article he says "Now that you know better, there is no excuse whatsoever. You cannot claim ignorance. Don't destroy humanity." And the article's title is "The Peon's Guide To Secure System Development." And that article could not have covered every aspect of developing secure systems.

    As I previously mentioned, I don't consider myself an expert in this area, but there are some things that I know that were not mentioned in the article. For example, when building secure systems, security must be kept in mind throughout the entire life cycle of the system. Perhaps his intent was to focus solely on programmers, but if he truly wants to see secure systems, he would focus on all aspects of system development. Those involved in software testing should be able to find pointer-related bugs, and many other memory-related problems that break software. In fact, in a recent issue of 2600, a program with less than 10 lines of code is given that crashes Windows. I'm not saying testers should find all bugs, I'm saying both they and developers have responsibility to be aware of potential security problems.

    I also didn't like the remark about C++ being inherently insecure, and the statement supporting use of languages that don't use pointers, such as Java, C#, and Python. I would just like to say that programming languages don't break systems. People break them. Therefore, I would say that people should be made more aware of what security problems they can cause. Also, C/C++ won't go away anytime soon. So much software uses it, so it stands to reason that there will be legacy C/C++ applications for years to come. Therefore, teaching C/C++ shouldn't be a crime. Teaching C/C++ poorly should be a crime.

    Well, I must say that I was somewhat disappointed in the way in which the article did not seem to go very far beyond the basics. I'll continue to receive security information from other sources, namely Counterpane, CERT and other websites like those ones.

  18. Re:So basically... on The Peon's Guide To Secure System Development · · Score: 2, Informative
    Yes, it seemed that much of the article focused on security basics, such as the importance of disabling unnecessary services and not trusting firewalls to be a security panacea.

    Anyway, here are a few more suggestions for books that apparently go beyond the basics:

    Any others?

  19. This isn't the first time they tried this on Australia Plans to Censor the Internet · · Score: 3, Informative
    It seems that once again, the Australian government is going out of its way to censor the Internet. You may recall this story for example, where the South Australian government tried to censor web sites, newsgroups, and mailing lists with "adult-themed" content.

    Australia's government does not seem to like the way the Internet is lacking restrictions on free speech, and neither do many other governments. And one has to wonder if this strategy will work. Violent protests can still be organized without the Internet. Have violent protests not been organized long before the Internet was used by protesters as a medium for communication? And how can they know which protests being organized will be violent or not? Many people may show up at a protest with no intention to be violent, but keep in mind that it only takes a few people to start a riot.

  20. Alliteration Competition Entry on Buggy Bugging Backfires On German Police · · Score: 1
    How's this for a headline:

    "Big Brother's Biggest Blunder: Bad buggy bugs beget big bill-related bungle. Backlash begins."