People are usually the weakest link, but they're also not ideal for an attacker because they're rarely in control of a lot of communication channels. Stagefright, for example, was a vulnerability that made it possible to install malware (with root privilege - more privilege, in fact, than the owner of the device) on 100% of Android phones that visited a malicious URL for about a week and around 30% of them for several months (it took a really long time to roll out the patch). Malware installed via that vector could protect itself from removal by updates and could compromise all encrypted communication to or from that device. It's unlikely that you can find a human that could give the same level of access.
All those co-ops and apprenticeships require connections
Yes they do, but it's the institution, not the student, that needs them. If there's no one teaching you who can help you get an internship, then you might wonder why no one in industry is interested in people from your institution and whether it's worth the money.
Add to that, internships are the primary way in which a lot of companies hire fresh grads. Would you rather make a hiring decision based on a couple of pages of mostly unverifiable information and a few hours of conversation, or based on watching the candidate work with your team for three months?
That report has been criticised for not controlling for socioeconomic status associated with names. For example, more recent research has shown that CVs from Clive and Sharon also do worse than those from Greg and Emily, and the set 'black sounding' names that they picked did not correlate with the same socioeconomic index as the 'white sounding' ones.
MVC is a particularly bad example, because the original Smalltalk MVC was very different from modern MVC libraries.
While he might claim this problem was solved decades ago, it is just a fact that compile-time static analysis for dynamic memory allocation did not exist until recently, except in the form of "scope" as opposed to "lifetime", which, while similar, it is different from.
Actually, it did since the '70s (and some of the theoretical work dates back to the '60s), it's just that it was regarded as computationally infeasible for most software until recently. Even then, it doesn't really handle covariant and contravariant types very well. The same is true of a lot of 'modern' compiler techniques: a lot of things are possible on dev machines with 16GB of RAM that seemed practically impossible to people who invented them on machines with 128KB.
I'm not the grandparent, and I use Jenkins, but I don't disagree with him. It is a piece of crap, it's just that everything else seems to be worse (especially hand-rolled scripts). Travis-CI is better for a limited set of use cases, but impossible to extend to more complex things (e.g. we have to run some of our tests on specialised hardware and you can't do that with their cloudy thing and even though it's open source they explicitly state that they don't believe anyone else will be able to get it working).
Experience is really not that rare, it is actually pretty much impossible to prevent getting more experienced
Old and experienced correlate, but they're not the same. Some people manage to spend decades repeating the same mistakes without learning from them. It's hard to gain experience without age, but it's surprisingly common to gain age without experience. This is also part of the reason some older folk find it hard to get hired: when you're young, ignorance and stupidity manifest similar symptoms and you can always hope that the person is simply ignorant and can be cured. When you're old, if you're still ignorant then the root cause is likely to be stupidity and so it's better to take a risk on someone younger (who is definitely ignorant, but might not be stupid). If you're old and competent, then you're far less likely to struggle to find employment.
It's a bit different, because it's now not the person that you're attacking, it's something that the user views as part of the communication channel. The analogy would be sending a message in a sealed box in an armoured car with an armed escort and then delivering it to someone's unlocked mailbox where anyone off the street could grab it and make a copy.
The fact that you think the TV going is the problem says a lot about you, but nothing about the real problem: It's really annoying to have people talking when you're trying to work, and if everyone in the office (or on the train, or wherever) is talking to their computer then everyone is going to be distracted.
It was the market that replaced Linux with Windows, but there was also some aspect of conspiracy. Microsoft couldn't charge the full license cost of Windows for a machine as cheap as a netbook without driving up the price significantly (and making the Linux versions a lot cheaper) so they offered Windows XP for netbooks, but with a bunch of caps on the maximum spec that it would support to avoid cannibalising the rest of the laptop market. This effectively capped the maximum specs for netbooks.
Even if speech to text were perfect, it is only a solution when you're in a room by yourself, so becomes less feasible once you leave your parents' basement.
And it's a stupid business model. Microsoft could have made a big deal over the fact that you pay for Microsoft products and so you're their customer, not their product. They could have used Azure for hosting, but allowed you to run the exact same server components on your own Windows Server machine or private cloud. They could have spent a big chunk of their ad budget on pointing out how much everyone knows about you from using free services. Instead, they decided to try to turn the company into a crappy copy of Google.
When I got out of college, I was already well into my second decade of coding experience, and nobody wanted to hire me because nobody wants to hire a n00b with no professional experience
Everywhere I've worked (and when I've been hiring people for development jobs), having two decades of open source code that we can look at prior to interview and ask you questions about in the interview would have given you a huge advantage over someone who's been writing proprietary / in-house code that they can't let the hiring panel see.
How much do you think that you're saving? I provide meter readings every few months via my provider's web site and every 12-18 months they send someone out to double check. When they come, it takes about 5 minutes to check my meter and they check a bunch of others at the same time (the same company is contracted by a bunch of suppliers so will check all of the ones on the same street, even if they're not all using the same supplier). That I'd be surprised if there's more than $2-3/year on my bill from the meter reader. Switching one CFL to LED would probably save me more over the course of a year.
UX is a very useful term. HCI people who know what they're talking about don't use it, so anyone who claims to be a UX expert has helpfully self identified as someone that it's safe to ignore.
Exactly. A typical working day is 9-5. That's 3 hours before noon and 5 hours after, yet more people do outdoor things after work than before. It makes a lot more sense to arrange the clocks so that work finishes while the sun is up.
A lot of banks run FreeBSD. Quite a lot still use OpenVMS. Back end stuff varies hugely and includes Linux, FreeBSD, OpenVMS, Windows, and even some more esoteric things.
It's not so much about the paycheque, it's about the layers of indirection between the developer and the user. For a very small open source project, the developer and the user are the same person. The project grows and gets more users, then the developer is one of the users, but still directly in contact with people who have other use cases. Then the project grows a bit more and there are multiple developers, but they're all still users.
Then it grows a bit more, and now other people are paid to work on the project. They're paid by companies that are using the software though, so even though they're not users then their pay check depends on keeping at least some users happy. It's not ideal, but it's better than the next step.
The final step mirrors proprietary off-the-shelf software development. A company like RedHat or Canonical (or Moz Corp) starts paying developers. This company may not be using the software much, but ships a product that incorporates it. They have customers that use the software and so need to provide features that those users need, but they also need to justify why those customers should buy the new version or keep paying the support contract, so they have to demonstrate change. Once this happens, there are two layers of indirection between developers and users and the incentives are no longer aligned between the two. Software generally goes down hill at this point.
There's a related issue with open source software that's less common in COTS proprietary software: the fame issue. Once a piece of software is popular, there's a big ego boost for some people in contributing to it, because stuff that they did is widely used. There's an even bigger ego boost if a change that they made is one that everyone knows about. This gives a big incentive to change things that users will notice and those changes are not generally because the user wants them.
I'd wondered why a load of sites seem to be asking for WebGL access now when nothing seems to need it - using it for fingerprinting makes sense. I disable it by default, because I've worked on GPU drivers and there's no way in hell I'd allow untrusted code into them, even if it's been through a WebGL verifier.
"Oh, but then google.com doesn't work, and I can't watch funny cat videos on YouTube!" Well... what did you expect?
That's absolutely fine. The problem is that it's not just Google, it's every third-party site that uses reCAPTCHA stops working properly as well if you don't permit Google to track you all across the web.
I went on a job interview for a network engineering job where I explained my passion for computer networking by describing how I built my own IPX router out of spare parts and wrote the routing software from scratch for fun. The interviewer's response? Nobody uses IPX anymore, tell me something else. I didn't get the job.
I'm not sure what network engineering means in this context, but companies like SolarFlare would hire someone who's actually done what you describe and can talk about it intelligently in a heartbeat.
Fanboys like to point out that not everyone needs to have a copy of the block-chain, but that completely negates the 'decentralised' part.
You don't need an entire copy of the blockchain unless you want to audit the entire history. To validate the most recent entry, you need to scan the block chain once, but that's a matter of streaming that 100GB, not having to store it. Still more than you'd like to do on a mobile device, but quite plausible. You can also have well-known entities publicly attest to the state at specific intervals, so that you only need to validate the last few records. Unlike a centralised banking system, anyone can attest to this state and anyone can verify that attestation.
Slashdot Mirror
People are usually the weakest link, but they're also not ideal for an attacker because they're rarely in control of a lot of communication channels. Stagefright, for example, was a vulnerability that made it possible to install malware (with root privilege - more privilege, in fact, than the owner of the device) on 100% of Android phones that visited a malicious URL for about a week and around 30% of them for several months (it took a really long time to roll out the patch). Malware installed via that vector could protect itself from removal by updates and could compromise all encrypted communication to or from that device. It's unlikely that you can find a human that could give the same level of access.
All those co-ops and apprenticeships require connections
Yes they do, but it's the institution, not the student, that needs them. If there's no one teaching you who can help you get an internship, then you might wonder why no one in industry is interested in people from your institution and whether it's worth the money.
Add to that, internships are the primary way in which a lot of companies hire fresh grads. Would you rather make a hiring decision based on a couple of pages of mostly unverifiable information and a few hours of conversation, or based on watching the candidate work with your team for three months?
That report has been criticised for not controlling for socioeconomic status associated with names. For example, more recent research has shown that CVs from Clive and Sharon also do worse than those from Greg and Emily, and the set 'black sounding' names that they picked did not correlate with the same socioeconomic index as the 'white sounding' ones.
While he might claim this problem was solved decades ago, it is just a fact that compile-time static analysis for dynamic memory allocation did not exist until recently, except in the form of "scope" as opposed to "lifetime", which, while similar, it is different from.
Actually, it did since the '70s (and some of the theoretical work dates back to the '60s), it's just that it was regarded as computationally infeasible for most software until recently. Even then, it doesn't really handle covariant and contravariant types very well. The same is true of a lot of 'modern' compiler techniques: a lot of things are possible on dev machines with 16GB of RAM that seemed practically impossible to people who invented them on machines with 128KB.
So what do you have that's better?
I'm not the grandparent, and I use Jenkins, but I don't disagree with him. It is a piece of crap, it's just that everything else seems to be worse (especially hand-rolled scripts). Travis-CI is better for a limited set of use cases, but impossible to extend to more complex things (e.g. we have to run some of our tests on specialised hardware and you can't do that with their cloudy thing and even though it's open source they explicitly state that they don't believe anyone else will be able to get it working).
Experience is really not that rare, it is actually pretty much impossible to prevent getting more experienced
Old and experienced correlate, but they're not the same. Some people manage to spend decades repeating the same mistakes without learning from them. It's hard to gain experience without age, but it's surprisingly common to gain age without experience. This is also part of the reason some older folk find it hard to get hired: when you're young, ignorance and stupidity manifest similar symptoms and you can always hope that the person is simply ignorant and can be cured. When you're old, if you're still ignorant then the root cause is likely to be stupidity and so it's better to take a risk on someone younger (who is definitely ignorant, but might not be stupid). If you're old and competent, then you're far less likely to struggle to find employment.
It's a bit different, because it's now not the person that you're attacking, it's something that the user views as part of the communication channel. The analogy would be sending a message in a sealed box in an armoured car with an armed escort and then delivering it to someone's unlocked mailbox where anyone off the street could grab it and make a copy.
The fact that you think the TV going is the problem says a lot about you, but nothing about the real problem: It's really annoying to have people talking when you're trying to work, and if everyone in the office (or on the train, or wherever) is talking to their computer then everyone is going to be distracted.
It was the market that replaced Linux with Windows, but there was also some aspect of conspiracy. Microsoft couldn't charge the full license cost of Windows for a machine as cheap as a netbook without driving up the price significantly (and making the Linux versions a lot cheaper) so they offered Windows XP for netbooks, but with a bunch of caps on the maximum spec that it would support to avoid cannibalising the rest of the laptop market. This effectively capped the maximum specs for netbooks.
Even if speech to text were perfect, it is only a solution when you're in a room by yourself, so becomes less feasible once you leave your parents' basement.
You get what you pay for.
I believe the point of this story is that you don't.
And it's a stupid business model. Microsoft could have made a big deal over the fact that you pay for Microsoft products and so you're their customer, not their product. They could have used Azure for hosting, but allowed you to run the exact same server components on your own Windows Server machine or private cloud. They could have spent a big chunk of their ad budget on pointing out how much everyone knows about you from using free services. Instead, they decided to try to turn the company into a crappy copy of Google.
When I got out of college, I was already well into my second decade of coding experience, and nobody wanted to hire me because nobody wants to hire a n00b with no professional experience
Everywhere I've worked (and when I've been hiring people for development jobs), having two decades of open source code that we can look at prior to interview and ask you questions about in the interview would have given you a huge advantage over someone who's been writing proprietary / in-house code that they can't let the hiring panel see.
How much do you think that you're saving? I provide meter readings every few months via my provider's web site and every 12-18 months they send someone out to double check. When they come, it takes about 5 minutes to check my meter and they check a bunch of others at the same time (the same company is contracted by a bunch of suppliers so will check all of the ones on the same street, even if they're not all using the same supplier). That I'd be surprised if there's more than $2-3/year on my bill from the meter reader. Switching one CFL to LED would probably save me more over the course of a year.
The leaks tell us that encryption only works if the endpoints are secure, which they are not.
UX is a very useful term. HCI people who know what they're talking about don't use it, so anyone who claims to be a UX expert has helpfully self identified as someone that it's safe to ignore.
Exactly. A typical working day is 9-5. That's 3 hours before noon and 5 hours after, yet more people do outdoor things after work than before. It makes a lot more sense to arrange the clocks so that work finishes while the sun is up.
A lot of banks run FreeBSD. Quite a lot still use OpenVMS. Back end stuff varies hugely and includes Linux, FreeBSD, OpenVMS, Windows, and even some more esoteric things.
It's not so much about the paycheque, it's about the layers of indirection between the developer and the user. For a very small open source project, the developer and the user are the same person. The project grows and gets more users, then the developer is one of the users, but still directly in contact with people who have other use cases. Then the project grows a bit more and there are multiple developers, but they're all still users.
Then it grows a bit more, and now other people are paid to work on the project. They're paid by companies that are using the software though, so even though they're not users then their pay check depends on keeping at least some users happy. It's not ideal, but it's better than the next step.
The final step mirrors proprietary off-the-shelf software development. A company like RedHat or Canonical (or Moz Corp) starts paying developers. This company may not be using the software much, but ships a product that incorporates it. They have customers that use the software and so need to provide features that those users need, but they also need to justify why those customers should buy the new version or keep paying the support contract, so they have to demonstrate change. Once this happens, there are two layers of indirection between developers and users and the incentives are no longer aligned between the two. Software generally goes down hill at this point.
There's a related issue with open source software that's less common in COTS proprietary software: the fame issue. Once a piece of software is popular, there's a big ego boost for some people in contributing to it, because stuff that they did is widely used. There's an even bigger ego boost if a change that they made is one that everyone knows about. This gives a big incentive to change things that users will notice and those changes are not generally because the user wants them.
The web-based malware will be a lot easier to deploy, if that's your question.
- Blocking Flash/WebGL/Canvas fingerprinting
I'd wondered why a load of sites seem to be asking for WebGL access now when nothing seems to need it - using it for fingerprinting makes sense. I disable it by default, because I've worked on GPU drivers and there's no way in hell I'd allow untrusted code into them, even if it's been through a WebGL verifier.
"Oh, but then google.com doesn't work, and I can't watch funny cat videos on YouTube!" Well... what did you expect?
That's absolutely fine. The problem is that it's not just Google, it's every third-party site that uses reCAPTCHA stops working properly as well if you don't permit Google to track you all across the web.
I went on a job interview for a network engineering job where I explained my passion for computer networking by describing how I built my own IPX router out of spare parts and wrote the routing software from scratch for fun. The interviewer's response? Nobody uses IPX anymore, tell me something else. I didn't get the job.
I'm not sure what network engineering means in this context, but companies like SolarFlare would hire someone who's actually done what you describe and can talk about it intelligently in a heartbeat.
Fanboys like to point out that not everyone needs to have a copy of the block-chain, but that completely negates the 'decentralised' part.
You don't need an entire copy of the blockchain unless you want to audit the entire history. To validate the most recent entry, you need to scan the block chain once, but that's a matter of streaming that 100GB, not having to store it. Still more than you'd like to do on a mobile device, but quite plausible. You can also have well-known entities publicly attest to the state at specific intervals, so that you only need to validate the last few records. Unlike a centralised banking system, anyone can attest to this state and anyone can verify that attestation.