Slashdot Mirror


User: nine-times

nine-times's activity in the archive.

Stories: 0
Comments: 11,859

Comments · 11,859

  1. Re:The basic tenet of security on Should Edward Snowden Trust Apple To Do the Right Thing? · · Score: 1

    You might think that "security" is a concept that only applies to some information, and then that information is either "secure" or "not secure". Essentially what I'm arguing (and I think you are too) is that "security" is a concept that applies to all information, and it's a spectrum of "how inaccessible is it to people that I don't want to have this information" vs. "how accessible is it to people that I do want to have access to this information". Nothing falls outside of that.

    So even the contents of your post, this post that I'm responding to, falls under a sort of security scheme that you're not really thinking about. The key thing with this post is, there probably isn't anyone who you're particularly averse to them having access, and you want it to be accessible to the public in general, so security is very light. Therefore, the level of security that Slashdot offers (basically none) is an appropriate level of security. As I pointed out, when you log into Slashdot, you type in your username, which has a security level comparable to the contents of your post. For both of those things, you have to trust Slashdot only a very small, almost non-existent amount, but it's still trust.

    Now you might be thinking, why is this trusting Slashdot to put in public information? Well, that's where it gets a bit foggy and complicated. You don't know what they're doing with that information, and you probably don't know exactly what you're disclosing to Slashdot. By your word choice, you might be giving them information about your background. Use "lift" instead of "elevator", and it hints that you're not American. Mention that you went sledding when you were a kid, and it tells us something about the region where you grew up. There has actually been research into identifying the author of an anonymous writing sample by word choice and sentence structure alone, potentially allowing someone to identify all of your posts across various sites and usernames as "written by the same person".

    Really, who knows what information you give away when you post something online, but the point is, that is information that you're trusting Slashdot (and the rest of us) to have.

    But then in addition, you also give Slashdot your password. You can say, "Well I don't care about that password. I don't reuse it anywhere and so it doesn't constitute trust." I bet that you don't want me to have your Slashdot password, though, because you don't trust what I'd do with it. That means, when you're logging into the Slashdot website, you're trusting that the site is valid and not compromised, and that Slashdot will keep the password secret. The level of security you're demanding may not be very high, but it's higher than what you're expecting from the contents of your post.

    In addition to that, by visiting the site, you're trusting that Slashdot doesn't have malicious code that will compromise your computer. You're also trusting them with information about what browser you're using, and what your IP address is. Now you might have your browser set up to be super-secure, not to run any javascript or Flash, to route through Tor, to block tracking attempts, to obscure data about the system you're working on, etc. In that case, then you're trusting Tor, the developers of your browser, etc. to do those things competently.

    No matter what, you're trusting some people, to some degree, with some information. It may all be information that you don't care that much about, but sharing it still implies some base level of trust.

  2. Re:Eat yours on Should Edward Snowden Trust Apple To Do the Right Thing? · · Score: 1

    Why should I "implicitly" trust hardware as praxis stated?

    It's not so much a matter of "you should" as it is a matter of "you do." You already do trust hardware. I assume you're posting on Slashdot using some kind of electronic computing device, and you're typing this by banging rocks together.

    Do you know what you are defending?

    Yes, I'm defending the concept of security from those who have a very poor understanding of it.

  3. Re:Key exchange on Should Edward Snowden Trust Apple To Do the Right Thing? · · Score: 1

    But the risk isn't them decrypting with your private key, it's them adding their own public key (or one they generate) to your list of keys without your knowledge.

    Well yeah, or they could also backdoor the whole device without doing anything half so subtle or sneaky. So could RIM, Microsoft, or Android phone manufacturers. On some level, with every device you use, every service you use, and every piece of software you use, you are assuming that the manufacturer/provider/developer isn't a malicious evil mastermind.

    But in general, their system is designed so that it won't add a public key without approval from an already approved device, or some other authorization. It seems like that's about as good as you're going to get for any system where there's a repository of approved public keys, which is basically what we do for GPG and HTTPS as well. (e.g. if you don't trust certificate authorities, then HTTPS is not secure)

    For example, if you're texting someone who's not using an iPhone.

    In those cases, it's actually pretty clear whether you're using iMessage or SMS. iMessage users turn blue, and it says "iMessage", while SMS users are grey/green and it says, "Text Message". I have no objection to the idea of them including a setting that says, "Just don't use SMS no matter what, and only allow iMessage," but it doesn't seem fair to criticize that it "silently" switches. I would say that the switch is obvious yet unobtrusive, which is honestly what most people want.

  4. Re:The basic tenet of security on Should Edward Snowden Trust Apple To Do the Right Thing? · · Score: 4, Insightful

    I trust nobody

    Bullshit. As praxis pointed out, you trust some people, sometimes, with some data. Otherwise you wouldn't post here. At a bare minimum, you've trusted Slashdot with your username and password, and you've trusted us, the Slashdot readership, with the contents of your post. What's more, whatever computer you're working on has at least hardware (with BIOS/firmware), an OS, and a web browser. You've trusted whoever made all of those things. Even if you are using FOSS, unless you've performed a thorough code review of the sort that you would perform on a suspected virus, you've trusted the community to review the code and remove security threats. Even if you encrypt your data, you're trusting whoever wrote the encryption software, along with the people who created the platform that the encryption software runs on, to be both honest and competent.

    What praxis was pointing out, which is entirely correct, is that security is not about being "absolutely secure". It's about balancing "making things accessible to those who I'd like to grant access" against "making things inaccessible to those who I would not like to have access." It inherently includes trusting authorized users, but also it pretty much always includes some level of trust (not necessarily absolute trust) of some 3rd parties. When you put money in the bank, you're putting some trust in the people who own the bank, in the bank's guards and tellers, in the police to protect the bank, and in the government to oversee the whole system and provide legal recourse if anyone else violates your trust. You don't have to trust any of those people absolutely, but that's because of the security practice of dispersing trust among multiple parties.

    So no, you're trusting someone, whether you admit to it or not.

  5. Re:Key exchange on Should Edward Snowden Trust Apple To Do the Right Thing? · · Score: 2

    Apple retains the keys for all of your devices, which is how one iMessage can be sent to multiple devices.

    Do you actually know this, or is this your guess? Because my understanding is that iMessage encryption was designed explicitly to avoid having Apple hold the kind of private keys that can decrypt the message. I thought there was some scheme where each device got its own decryption key, and that those keys never left the device.

    Add to that that iMessage silently falls back to SMS,

    Well, not entirely "silently". Messages sent via SMS turn green, so you know whether they were sent via iMessage. You don't necessarily know ahead of time whether, when you hit "Send", your message will be sent via SMS or iMessage, but I believe that can also be turned off on the device itself, so that it won't fall back to SMS.

  6. Re:What reform? on Should Edward Snowden Trust Apple To Do the Right Thing? · · Score: 1

    This is actually a very important technical difference, even if it's not a big practical difference. Essentially, the NSA was already collecting all of the data first, and just saying, "we promise we won't look at it unless we have a warrant." If the procedure is now to have telecoms (who inherently have access to that information) turn over records when they're presented with a warrant, then this falls back into something resembling normal law enforcement procedures. The police can get your phone records if they have a warrant.

    It's like this: The police can search your home if they can get a search warrant. It's as though the NSA was performing a warrant-less search of your home on a regular basis, collecting photos, samples for analysis, fingerprints, and anything else they wanted, then running it all through analysis looking for crimes, and then saying, "But that's not an illegal search because we promise not to use that evidence against you unless we can get a warrant first."

    So if now there's reform that says, "No, you can't collect that evidence until you have a warrant," then it's a big step towards solving the problem. I feel like the whole "secret court" thing is still a problem. The records should be made public at some point, even if it's somewhat delayed and with some information redacted. You can't have a democracy while having secret courts devoid of public oversight.

  7. Re:...the company refused to pay royalties... on Apple Will Pay More To Streaming Music Producers Than Spotify -- But Not Yet · · Score: 1

    A better analogy would be "dealer gets supplier to bankroll first shot is free campaign on promise of bigger future earnings".

    You're implying that Apple's music service will be so good that it's addictive. If so, good for Apple.

    It's just two business partners looking to maximize profits

    Oh no! Businesses trying to have a successful business venture!

  8. Re:Wait a fucking minute. on Apple Will Pay More To Streaming Music Producers Than Spotify -- But Not Yet · · Score: 1

    Royalties don't always mean a percentage of money earned. I forget what all the deals are, but for example, I believe songwriters often get a set amount of money (not a percentage) every time a song is played publicly, even if no money is earned from the playing of the song. There are lots of different deals, depending on whether it's a specific negotiated contract or an ASCAP thing....?

    Like I said, I don't remember. That was never my field. But I believe Pandora, for example, has to pay for every time a song is streamed, regardless of whether they are charging the listener or whether ads are being played alongside.

  9. Re:...the company refused to pay royalties... on Apple Will Pay More To Streaming Music Producers Than Spotify -- But Not Yet · · Score: 4, Informative

    Because they negotiated it in advance. It's not really that Apple "refused to pay royalties", but that they negotiated licensing terms such that they aren't required to pay royalties under specific circumstances.

    The summary is poorly worded.

  10. Re:Wait a fucking minute. on Apple Will Pay More To Streaming Music Producers Than Spotify -- But Not Yet · · Score: 4, Informative

    When they say, Apple "refused to pay royalties", they're giving a false impression that Apple is supposed to pay royalties, but they refused. In fact, they negotiated a deal with record labels so that they wouldn't have to pay royalties during their "free trial" period. Customers aren't paying Apple during that period, and Apple isn't going to pay record labels, but that was all negotiated with record labels in advance.

  11. Re:Reasons why I don't like Musk's hyper loop on SpaceX Is Building a Hyperloop Test Track · · Score: 1

    But safety can't be tacked on at the end, it has to be considered up front and will impact the design.

    Sure it can. Seatbelts, airbags, crumple zones, windshield wipers, and whatever else, there are lots of safety precautions that were added on later. In fact, that's pretty much inherent in the way these things work. First, you build it. Then you see how it's likely to fail. Then you build protections against those failures. When it seems safe, you start using it, but over the next few years, or the next few decades, or the next few hundred years, you keep finding new risks, new things that could go wrong, and you figure out ways to make it more safe.

    Cars kill something like 30-40k people in the United States every year. We keep finding ways to make them safer.

  12. Re:Reasons why I don't like Musk's hyper loop on SpaceX Is Building a Hyperloop Test Track · · Score: 4, Insightful

    These seem like they may be valid complaints, I don't know. But you're complaining about something in the prototype/proof-of-concept phase. If it works, then they can go about trying to turn it into a practical method of transportation, but at this point, we may as well be complaining about what color it is.

  13. Re:Doom without Dr. Carmack... on Bethesda Unveils New Doom Game, Announces Dishonored 2 · · Score: 1

    My impression was that Carmack wasn't particularly great at designing games, but his real genius was in developing the game engines. In fact, I'd say that's my general impression of id Software for the last couple of decades.

  14. Re:Poor summary on Bethesda Unveils New Doom Game, Announces Dishonored 2 · · Score: 1

    On the other hand, I feel like I've seen a flood of Fallout 4 hype, so much so that I completely missed that Dishonored 2 was announced. Don't get me wrong, I'm a big fan of the Fallout series, but I don't mind that there's at least some attention paid to news other than Fallout 4.

  15. Re:A bit disappointed on An AI Learned Magic: the Gathering, Now Creates Thousands of New Cards · · Score: 4, Funny

    I'm disappointed for entirely different reasons. I read, "An AI Learned Magic..." and thought, "Wow! What could that mean? Did it learn how illusionists perform their tricks? Are they claiming it somehow learned real magic? This should be interesting!"

    And then I continued reading.

  16. Not clear? on iOS 9 To Have Ad Blocking Capabilities · · Score: 5, Insightful

    It's not immediately clear why the new ad-blocking privacy feature was included in iOS 9

    Well there's a pretty obvious reason why, and I don't see any reason to discount it. It's a feature that users will like, and Apple is in the business of trying to make devices that people like. Even more specifically, Apple's general approach to making "devices that people like" tends to be to try to take the hassle out of using the product, as much as is possible. Ads are a big hassle.

    It seems like a pretty obvious answer, so much so that I don't see a reason to go hunting for another one without some kind of additional information that there's some other reason.

  17. Good on Ask Toolbar Now Considered Malware By Microsoft · · Score: 5, Insightful

    Good. It is malware. I can't think of a browser toolbar that I wouldn't consider to be malware to some degree. Has anyone in the past 5 years intentionally installed one of those things? My impression is that they only ever get installed because someone wasn't paying enough attention when they installed some crappy piece of software, and it was bundled in.

  18. Re:i was just thinking... on Reactions To Apple's Plans To Open Source Swift · · Score: 1

    That's how things like NoSQL, significant whitespace, binary log files and flat mystery-meat UIs happen.

    Regarding your examples: Is NoSQL bad? I've never dealt with it, but was under the impression that it was pretty good for particular things, but perhaps being implemented too widely by people who are overenthusiastic. Significant whitespace is just dumb. The concept of binary log files doesn't necessarily seem bad to me, if we have a universal format with high-quality tools to access them.

    And I actually tend to favor the "flat mystery-meat UIs" when executed well rather than trying to make everything look like some kind of gem, bubble, or fisher-price toy. Most of the old Windows design philosophy reminds me of a kid playing with Photoshop for the first time. You get bevels, gradients, lens flares, partial transparencies, and drop shadows put everywhere. IMO, good UI design is about using those kinds of effects (as well as animation) where they help the user understand the interface, or otherwise make the interface more pleasant to deal with, and using them pretty much nowhere else.

  19. Re:i was just thinking... on Reactions To Apple's Plans To Open Source Swift · · Score: 1

    You do know I was joking, right?

  20. Wrong "critical question" on Reactions To Apple's Plans To Open Source Swift · · Score: 2

    the critical question for a programming language is... whether it's feasible to make open source software with it

    I don't see any clear reason to think that it wouldn't be feasible to make open source software. They're releasing some kind of development kit for Linux, claiming that the released materials will be open sourced under a permissive license. Now they could be lying, or they might have a crazy idea about what constitutes a "permissive license", but otherwise, how could it not be feasible to make open source software with it? Even if their tools are somehow geared toward developing Mac apps, if they're open sourced, those tools can be rewritten.

    It seems to me that the question that's more critical is, "Will the open source community want to use this language?" I don't know the answer to that.

  21. Re:i was just thinking... on Reactions To Apple's Plans To Open Source Swift · · Score: 3, Interesting

    Funny, because I was just thinking, what the computing industry really needs is stagnation. I'm tired of all this innovation and people trying to create new things. It would be so nice if we'd just stuck with the technologies that we had in the 70s, but no, people had to ruin it by coming up with new things. We should know by now that no one can improve on the wonderful language that is Javascript.

  22. Re:Consulting on Ask Slashdot: How To Turn an Email Stash Into Knowledge For My Successor? · · Score: 1

    On a different level, since when is important technical documentation solely stored on the company email server anyway?

    Yeah, but in reality, there's always a bunch of random bits of information that aren't very well documented, appearing only in someone's head or in an email message, that somehow you just haven't gotten around to writing good documentation for it. It's usually not super-important, but when you're leaving a job, you should search through your head and try to get that stuff down as much as possible. And that's the best possible scenario. The reality is that most documentation is terrible or non-existent.

  23. Re:Consulting on Ask Slashdot: How To Turn an Email Stash Into Knowledge For My Successor? · · Score: 4, Interesting

    I agree mostly. Sort of.

    The problem with it, if I'm being honest, is that I want to do a good job. I don't want to screw things up for my employer, especially if I have a decent relationship with them. So if they say, for example, "Hey, go ahead and delete these files," and I know those files are very important, I'm not going to just delete them without saying anything, wait for them to discover the problem, and then say, "Well you told me to do it!" I'm going to give them a big warning that they've just asked me to do something stupid. I may even fight them on it a bit.

    Now if they absolutely insist that I delete important information, I might go ahead and do it. I'd probably say, as the last thing I do before deleting it, "Just to be clear, I'm doing this at your request, overriding my own objections." I might even put that in writing.

    To me, that kind of conscientiousness shouldn't end when you start planning to leave your company. So in that vein, I agree with you, with the assumption that you're also informing the employer what you're doing, and making it clear why you're doing it. Tell them, "I'm saving these documents here. These are important for my successor. I don't recommend deleting them, since then my successor may have trouble doing [whatever]. Would you prefer that I store them anywhere else?" If they ignore that and delete the files, then that's their own fault, and you charge consulting fees for helping them.

    I also agree that they probably won't hire you on as a consultant. No matter how indispensable you are, the graveyards are full of indispensable men.

  24. Re:Misunderstanding the problem on Ask Slashdot: Should We Expect Attacks When Windows 2003 Support Ends? · · Score: 1

    Part of my point is that yes, it's possible that a hack will cause management to respond, but they're just as likely to respond with something stupid. They'll have you trying to install Windows 7 on an old Windows 2003 server because "it's supported". Or they'll buy a new server, but they won't buy appropriate hardware. Or they'll hire an expensive consultant to provide a plan for resolving the "security issue", or they'll fire you for allowing the security breach, even though it was caused by their shortsightedness. Or.... whatever. Who knows.

    If you want to use a crisis to sell them on doing the upgrade they should have done anyway, use the fact that Windows 2003 support is going away. It's also serious, but waiting for a breach may be closing the barn door after the horse has run away. The responsible thing is to have a plan and a budget to make regular upgrades and to replace aging hardware.

  25. Re:Stop excuses and take responsibility on Ask Slashdot: Should We Expect Attacks When Windows 2003 Support Ends? · · Score: 1

    Third, it means things like future versions of AD and software tools won't be compatible

    Another thing that people don't think about that I think is important is, if you lag too far behind, the upgrade path gets pretty dodgy. This is more of a general rule, and not addressing the particular problem, but it's a good rule.

    Going from Exchange 2010 to Exchange 2013? Pretty easy. Going from Exchange 2000 to Exchange 2013? It might be possible by stepping through some other versions in the middle, but I don't want to do that upgrade. And that's a huge, ubiquitous, well supported app. If you start talking about some smaller random software, the upgrade paths can be even scarier.

    So my general advice as an IT guy is, for any software, try to stay within the last couple of versions. Windows 10 is coming out this year, which means by the end of the year in 2016, you should try to have your computers all running Windows 8 or Windows 10. Windows 7 should be on its way out, and Vista should be gone already. If you have any Exchange 2007 or earlier, upgrade. If you have any Windows servers before 2008R2, upgrade. Upgrading regularly will make the upgrades much easier.