I am a software consultant, with thirteen years total experience as a working programmer and a little over two years working independently as a consultant (not through agencies).
I have this word of advice for everyone in the high-tech industries: find an attorney who practices business and intellectual property law. Do this right now, when you're not looking for a job. Most attorneys will spend a reasonable amount of time just chatting with you about stuff without charging you when you first meet them so you can evaluate whether to work with them.
When an employer or client gives you an NDA, tell them you'd like to have your attorney read it and advise you on whether to sign it. Don't even bother to read it, certainly don't read it while the interviewer is hovering over you.
Consider preparing your own NDA that the client or employer will sign, that you have your attorney draft ahead of time. That way you can be prepared with an NDA, and if they want you to sign one, say that you aren't comfortable doing so without legal advice, but if they'd like you have one handy. This is what I'm working on doing - with the help of an excellent attorney.
I may be belaboring an obvious point but most NDA's usually don't obligate the employer to keep your secrets secret. If they won't agree to protect your trade secrets, why should you agree to protect theirs?
It happens that I've signed a lot of NDA's and contracts over the years, but since I had some trouble with a client I've started discussing everything with an attorney up front. Nothing gets my signature unless my lawyer says it's OK with her. Just the conversations I've had with the attorneys I've discussed these things with have been well worth the money I've spent.
Most attorneys will only charge you by the minute for such matters, and it takes them less time to evaluate a contract than it would for you as a programmer to do so (how long would it take an attorney to evaluate your source code?). The attorney fees I've spent in the last year evaluating all the NDA's and contracts I've signed have come to maybe $400.
Considering that you could be taken for tens of thousands if you lose a lawsuit, or you could lose a job opportunity if you signed a non-compete or a potential employer feared you'd expose them to liability because you knew a competitor's trade secrets, isn't it worth it to get an attorney?
If, in the interview, they balk at you getting an attorney to sign an NDA, you should politely point out that it would have been appropriate for them to have sent you the NDA before the interview so you could have it checked out. Then offer to either leave right now and come back later, or keep the discussion limited to non-secret material.
Remember, the labor market is very tight for employers these days. The power is in the hands of the engineers. You don't have to put up with intimidation.
I was up late working in a locked building (but not a terribly secure one - the Galleria in Santa Cruz California) and at 3 am I went to the restroom down the hall, which was locked and had to be opened with a key.
When I opened the restroom door, finding the room dark of course because it was after hours, much to my suprise a giggling teenage couple came running out of the bathroom past me and headed out the door.
They must have got the keys from one of their parents, I suppose.
Bet they thought the john in an office building downtown would be a secure private place for some hanky panky - but they didn't count on there being a software company down the hall!
I've been working as a programmer for 13 years now, and for most of my career, the way I described it is this:
I've spent most of my career fixing somebody else's broken code.
This is not to say that my own has always been of the very highest quality, but in fact I decided early on to try to come to a fundamental understanding of what was wrong with software development, to get very good at debugging (I say that debugging is a specialty on my homepage) and to learn to write better code.
In my early years I was initially very shocked at what I'd discover in production use at companies. Over the years I just learned that that's standard practice, in commercial software, in-house software, and even in scientific software (where I have become convinced, because of my experiences with high-energy physics data analysis, that many scientific papers are published with erroneous measurements because of software bugs).
Early on I read that something like 90% of software development is spent doing maintenance programming. Some of this is doing legitimate upgrading, but a lot of it is just spent fixing bugs, and even a lot of time spent doing upgrades would be more productive if the code were of better quality.
After reading this figure and having so many experiences with software bugs, both other people's and my own, I decided very early on to get very good at debugging.
One of the first things I did was adopt the regular use of "lint" for checking my C code. I would integrate lint targets into my makefiles and after editing a source file I would type "make lint" before compiling to objects and lint would check all the files that were out of date with the object modules. Pretty quickly I got to where I could write code that was nearly always lint-clean - but the existing code I worked on would make lint scream with hundreds if not thousands of complaints, often serious things like variables being used before they are initialized.
One of the first solid clues I got about software quality came from Robert Ward's book "Debugging C" - now out of print, it predated the common use of source code debuggers and talked about how to write your own stack crawls and other tools.
Ward emphasized the use of the Scientific Method in debugging, and because I was trained in physics, this came very naturally to me; before that I'd mostly floundered and used printf a lot.
I've gotten very good at debugging and have even worked full-time as a debugger at Apple Computer where I was a "Debug Meister" and my business card gave my title as "Cybernetic Entomologist".
I can easily get highly paid consulting work doing debugging for companies desperate to ship a product (and have in the past) but I don't really like to do it for various reasons, some of the same reasons I quit my debugging job at Apple.
One is that if I only do debugging I don't have something to point to at the end of the day and say "I wrote that". I could say "that works because of me", but sadly there's usually lots of bugs left that I didn't have the time to find so I don't really feel proud of the result. The other problem is that the bugs are usually not there because of something interesting, it's not like the code is mostly good but there's some subtle flaws, rather the code is a heap of dung and I can go in with a pitchfork and do debugging wholesale until I get tired of it and the client or manager decides the rate new bugs are being found is low enough they can feel OK about shipping it.
I don't feel good about contributing to such shoddiness. If a company is not good enough to support quality in their corporate culture I don't want to come in and put on a band-aid for them. It would be an entirely different thing if a company hired me to restructure their development process so that quality was a goal that was achieved through direct application of process but gee whiz no one has ever asked me to do that for them.
I do have to say though that the best thing that ever happened to me is that I became a "technology prostitute" as the author of the original article puts it. One benefit of this is that the process is entirely of my own creation, and almost all of the work I've been given has been to write entirely new products from scratch, so I can engineer in quality from the beginning.
Here's a few recommendations I have. Get good tools. Besides a compiler, editor and debugger, you need a static code checker and you also need dynamic testers. The ones I know about are (I haven't used them all yet):
PC-Lint static code checking for C and C++. It runs on Windows but Flexe-Lint comes as shrouded source code and is highly portable.
Spotlight dynamic tester for Mac PowerPC - I use this every day and recommend it highly
Purify dynamic tester for Unix (but apparently not Linux) and Windows NT
Optimizeit dynamic tester for Java - do you know many Java programs have memory leaks? Can you understand why? Not just Java but any garbage collected program.
There's also memprof and electric fence, which I think run on Linux. It would be possible to modify gcc so that you program when built with debugging flags and linked with a special library would have all memory references boundschecked before allowing the access. This could work with both read and write access and would catch overruns by as little as one byte - Spotlight does this by patching the executable powerpc code and rewriting the debugging symbol table.
Finally, to really come to understand the software quality problem in the industry and what you can do about it, read The Forum on Risks to the Public in Computers and Related Systems also available on the Usenet News as comp.risks. The book The Software Conspiracy exposes the complete disregard the commercial software industry has for serving the consumer by providing quality products - I haven't read it yet but it looks interesting.
A very interesting methodology that emphasizes personal responsibility and puts the fun back into programming as well as maintaining quality from the very start is Extreme Programming. I'm starting to adopt extreme programming (the the extent a one man operation can - I can't work in pairs:-/ ) and find it a tremendous benefit.
The Yellow Network Coalition takes old 486's and turns them into firewalls and IP masquerading servers they give away for free to people who have cable modems and DSL. I gave them my 486 when I moved. They also set up free public-access kiosks. These guys are inspired by the freely available yellow bicycles in Amsterdam.
They Need Your Donations of Old 486's and Other Hardware
The CERT Coordination Center carries authoritative announcements of security problems and what you can do to fix them; provides rapid response to security emergencies while they are in progress.
I've also heard BugTaq is good and better than CERT for timely information but don't have a URL handy.
I should have said that my friend asserted this years ago, quite possibly before Javascript was invented, certainly before it was widely available in most browsers or you could count on any consistency in Javascript implementation.
BTW - I have left Javascript turned off in my browser for most of a year now, ever since the CERT Coordination Center recommended everyone do so because some online discussion sites allow HTML posts but don't filter <SCRIPT> tags out of their users' posts so someone who knows how to crack javascript can eat your machine with a forum post (Slashdot filters out script tags), and I leave Java off ever since that web server thingy appeared a couple days ago - and I urgently emailed everyone I knew and told them to turn off Java too.
Yes, solutions are on the horizon but they're not here yet. Yes, there are workarounds like typing posts into a notepad and copying them in from the clipboard - so my problem can be taken care of, but not the novice users.
So I'll take my applications as locally executing programs, thank you, and I'll be happy when a solution does appear which survives extensive security auditing
My friend's opinion wasn't about doing stuff with Java or Javascript at his company - they specifically didn't use it because they said they couldn't count on it being implemented in the browser - but with plain old HTML, generated by perl scripts on the server backed by a Sybase database, and forms.
He thought this was the best thing since sliced bread, and as a long-time Mac GUI programmer, I thought he was completely clueless.
Read Risks Forum about Online Voting
on
Online Voting?
·
· Score: 2
While anyone may submit to Risks, some of the people who post there are respected experts in their fields, and will often write very well-thought-out criticism of online and telephone voting schemes as they are actually practiced - usually without much regard for security and privacy - as opposed to the ideal schemes thought up by security experts and cryptographers.
I can't remember any specific posts on online voting, lets see what the search form produces:
Just searching for "voting" produces dozens of submissions, mostly related to computerized voting - that is, electronic voting booths, which have their own reliability and security issues but are not what we're discussing here - but see Computer Causes Chaos in Brazilian Election in which a program designed to weed out fraudulent voters (like dead people) canceled the voting rights of 70,000 twins.
Wonder about the accuracy of unofficial online votes? Check out the risks of paying attention to uncontrolled e-voting in which a public opinion voting site on abortion funnelled votes from both sides to the anti-abortion side.
While there will always be quality problems in software, current practice in many companies is to not even try to do the basic things that tend towards improving software quality. Until the public wakes up and realizes they're being ripped off, and their safety and corporate information being put at risk, we will always have this problem.
One solution is to get every programmer in a company a copy of some good quality tools, static analysis tools like PC-Lint and dynamic (runtime) analysis tools like Spotlight (for the MacOS) or BoundsChecker (for Windows) or Purify for Unix (but apparently not Linux) and NT.
As a Spotlight user and a long-time reader of the Risks forum, I wouldn't dream of shipping a Mac product unless it tested absolutely cleanly under Spotlight and had zero memory leaks.
But it is amazing to try Spotlight on a mature commercial product for the first time. Think you're program's free of bugs? Guess again. I proposed using Spotlight to my manager, on our program which had been shipping for several years and cost $600 retail. It was a serious product for high-end users. My manager said it would be a waste of time because "Our program has so many bugs, Spotlight would keep finding them and progress would be very slow." And you know, he was right. I persisted anyway, and spent three months ferreting bugs out of that program with Spotlight.
There's a lot of tools out there (and there's tools like these for Java too, like OptimizeIt - do you know many Java programs have memory leaks?). You don't have to pick the tools I recommend, but look out for what's available there and make sure you have something for every developer seat in the house.
It will be the best investment you make. The $199 for Spotlight will be paid for in the day it's first used.
And free software writers, I suggest writing free software versions of these. It would be possible in principle to write a special version of gcc, or an command-like option to it, that when your program is linked to a special library all your memory accesses are boundschecked. Note that Spotlight can validate memory reads as well as memory writes.
I'd like to suggest that you look up Macromedia's phone number on the web and give them a call. Ask the receptionish for the fax number for the legal department. Copy the above text out and fax it to them (lawyers like faxes). Give it a cover page that says "This Prior Art Invalidates Adobe Tab Patent" in about 48-point text.
Give them your phone number.
They'll make short work of the patent and Adobe will come out with egg on their faces - as will the patent office for yet again granting a patent that is not only obvious but which had already been done.
It's not likely that the right people at Macromedia will see this unless someone makes the effort to put it under their noses. C'mon, be a hero.
How many high-school kids don't do much more than hang around at the mall, drive their cars up and down main street or do bong hits when they're not watching the tube?
I've thought of doing Tivo/Replay in Linux for a while and posting it to the net just to be funny.
While they probably have hardware compressors and fancy algorithms, if you can use any PC you can use a public open-source compressor and just get a bigger hard drive.
I saw the link to the Kill Your TV Website a few comments back and after following it and reading some of the page I wrote the following email to a number of my friends. I urge you to check out the site too.
No this is serious. He claims that Sesame Street may teach your kid to
recognize letters and numbers, but it shortens their attention span.
It happens that, when I was a kid, I stopped watching television when my
sister left for college. I had never really actively watched TV before,
but would sit passively while she changed the channels. With my sister
gone, I would at first just sit in silence in the empty house. But I
started listening to music which, unlike TV, allows you to devote your
attention to other things while you listen.
I read a lot, ground telescope mirrors, acted in the high school theater
and eventually became the set director, started college at 16 while
still attending high school, scored 890 out of a possible 900 on the SAT
Math II achievement test and was accepted into CalTech, where I
published in the astrophysical journal and did research on the 200" and
60" telescopes.
Note - you can find refs to my papers in the "Publications" section of my resume. Abstracts are available online. I didn't say it in my original letter but the work that was published I did while employed as a research assistant the summer after my freshman year.
I've had this idea for a while, which the internet could make much more practical especially with always on services like cable modem and DSL.
People who like to watch TV and want to make a few extra bucks would sign up to be commercial monitors. Either they'd enter the station they're watching into their handheld web browser or this would be handled for them by a set-top box.
When a commercial comes on they press the "commercial start button". When all the commercials end they press the "commercial end" button.
People who subscribe to the service would receive a little unit that plugs into the internet and, when a commercial is on, turns off the sound, maybe blackens the picture and pauses their VCR.
For this to work reliably there'd need to be a voting system so you'd only skip content if a lot of monitors said there was a commercial on. Monitors who were consistently outvoted would be dropped from the monitor pool.
If you don't blacken the picture the subscriber could notice there was an error and override to turn the content back on (or if the commercial looked interesting)
There are things you can do to try to detect a commercial technologically (like have hardware listen for sudden changes in audio volume) but I'm sure advertisers will pay technologists to find a way to defeat it. I don't think there's a way to defeat the power of thousands of bored couch potatoes who feel they're putting something over on the corporation.
This invention was conceived by me, Michael D. Crawford a couple of years ago. I place it in the public domain as of Friday, August 11.
Basketball Diaries wrongful death trial
on
Hacker Crackdown?
·
· Score: 2
I don't know how the court case came out, but I recall that the book The Basketball Diaries by Jim Carroll had a scene of a student fantasizing about murdering someone, a teacher I think.
When the movie came out and included this scene, a similar murder followed, and the relatives of the deceased sued the movie producers - I'm not sure but I think maybe Carroll got sued too, and he'd written the book years and years before the movie came out.
Is the trial finished? Anyone know the results?
Read alt.computer.consultants about striking
on
Hacker Crackdown?
·
· Score: 1
A frequent topic of discussion in alt.computer.consultants is the idea of forming a programmers union and going on strike over such things as loose H1-B visa laws in the US.
A number of people are actively trying to organize such things, but the results so far haven't been promising and the consensus on the reason way is that programmers are just a bunch of pussies too concerned with bringing home the immediate bacon rather than lift a finger to look after their future.
Yeah, that's right - you. Pussies. You may have the balls to post anonymously on Slashdot, but when was the last time you not only voted, but gave money to a political campaign whose position you supported, and did volunteer work for it.
Last time for me was '92, I'm afraid, when the president of Working Software and I organized the Jerry Brown for President campaign in Santa Cruz, California in the company offices.
I donated the maximum Jerry would accept during that campaign - $100.
I say this all the time here, I think it is important. It is very pertinent to programmer liability (although more from a safety or cost of failure perspective) - read the Forum on Risks to the Public in Computers and Related Systems. It is also available on the Usenet News as comp.risks.
If you think programmers can really escape liability for their products (or should), think about what kind of effort and investment companies like the tobacco industry and auto manufacturers of automobiles and childrens toys and food put into defending themselves from lawsuits and government regulation.
It's only a matter of time before the public rises up and demands accountability for software. Imagine a senator getting elected on the platform of promising to put programmers behind bars for writing software that is unreliable. Or a district attorney setting out to put programmers behind bars, not for hacking or writing viruses, but for writing products that don't meet government standards.
And I mean this not just in regard to installers and packages, but everything.
And no, I'm not proposing that what we need to do is make Linux look more like Windows or the MacOS.
But there are problems that others have solved and we can draw on their solutions, even if we can't use their source code.
(Even when I was working at Apple I would tell people about stuff from SunOS or Linux that I thought would go good in the Mac - they wouldn't hear of it).
I think an indicator of the problem we face in trying to bring Linux to the desktop was when I was corresponding with RMS about things I thought would be helpful to the users and I suggested an installer. He replied "What's an installer?"
The best installer I've ever come across on any platform, both to create packages with and for the user to install products with is Mindvision Vise.
It would be worthwhile to find a friend with a Mac and download it, and make a little toy installer that installs SimpleText and a readme file to try it out (you can download it for free - the installers created with it complain that you've lifted it until you get a valid serial number. It is possible to get a serial for free for installers for freeware).
It beats the living hell out of anything I've seen for Linux.
BTW - if you want to see an installer that really blows, check out PackageBuilder/Software Valet for the BeOS. The thing drove me to distraction. It wasn't just the way it would corrupt the data in my archives or crash while users were installing my software with it.
What really drove me nuts is that it had no concept of updating an installer when I had built new software to go in it.
With vise you just drop your new files in the folder next to your installer project and tell it to update. It gives you a list of files that have changed and you can approve or disapprove of updating them (or deleting the ones that are now missing).
PackageBuilder requires you to delete the old file from the installer project, which loses its settings, then you have to go and add your file back in and reset your settings. This is probably the number one reason for every time I've been reluctant to release a new version of my software on the BeOS - I enjoy programming it but I hate the damn installer.
The resolution you get is determined by the laws of physics. You can work it out either classically, as was originally done using diffraction of electromagnetic waves, or you can do it quantum mechanically, using the uncertainty principle.
Classically, the blurring is caused by scattering of light by the edges of the telecope. The narrower a "slit" you pass light through, the greater the scattering. If you mount a pair of razor blades a hair's breadth apart and shine a laser through, you'll see bands of light on a wall on the other side from the diffraction. As you move the blades apart (make the opening bigger), the bands get smaller.
A telescope is like a really big diffraction slit. The problem here also is that the amount of diffraction is determined by the wavelength of light, so that an image taken in the infrared will always have poorer resolution than the same object taken in visible light. There is also atmospheric distortion to contend with.
Radio waves have very long wavelengths, so a single dish telescope resolves very poorly (like a degree or so). But because the frequency is manageably low you can record the phase on tape and later digitize the signals and combine them from more than one dish you can do interferometry with radio telescopes in a practical way - even interferometry using the whole width of the earth as a baseline. In principle you could have dishes orbiting in different places around the sun and get enormous resolution.
There is a limited amount of optical interferometry going on too, combining the beam of two or more telescopes, as with the 10 meter on mauna kea - they're building a second to use as an interferometer.
Quantum mechanically, you cannot know the product of the location of a particle and its momentum better than about Planck's constant h/2 PI. Putting a particle through a slit determines its position with some certainty and so its momentum across the slit becomes undetermined by a corresponding amount.
With a very narrow slit and a laser beam the uncertainty is large so the photons are scattered as much as a foot or two to either side passing across a room. But passing through the aperture of a 3.6 meter mirror the uncertainty introduced is actually fairly low, so the resolution of a big telescope is high.
One thing you gotta realize is the apparant diameter as viewed from earth is really miniscule. Look up the actual diameter of Titan in an ephemeris and the distance of both Saturn and the Eart from the Sun (earth is 93 million miles) and you can figure out the solid angle it takes up in the sky at closest approach. It's really tiny!
For comparison, the usual resolution of most earth-based telescopes is limited to about a quarter of an arc-second on a really good night.
Up until recently the biggest telescope in the world was the 200" at Palomar Mountain, and it couldn't get nearly the quality of photos of Jupiter and Saturn that the space probes sent by NASA did.
Now after a good night's testing by the Slashdot community, with posting of which version numbers work and which don't, which OSes work and which don't, whether it matters that some other service is using the default port and the effect of firewalls and IP masquerading and so on, somebody who wanted to really use this for evil ends can now be well-armed with the information they need to make not just an effective exploit, but a reliable one as well!
At my interview with the company that hired my for my second computer job, Microport Systems, company president Chuck Hickey (who had done a large part of the first port of AT&T Unix to the 286) asked me the following question:
"What is the most efficient implementation, written in C, of the standard library function strcpy?"
Well damn me, I wasn't able to answer this, and so I was put on technical support at six bucks an hour - graveyard shift, BTW, they offered 24 hour tech support.
I'm a consultant, and I see a lot of other consultants out there groping for a clue. I also have lots of friends wandering in the dark trying to build a career.
I've been working as a programmer for thirteen years, and I've been an independent consultant for two and a half years. I do not do business with recruiters - I find all my clients myself. The above page tells how I do it.
Tip: the Digital Telephony Act has been around for years mandating built-in wiretaps in phone switches, but Speak Freely is free, includes source, and provides your choice of strong encryption methods.
Slashdot Mirror
You can read about my business on my homepage and some helpful information on the consulting business at Market Yourself - Tips for High-Tech Consultants.
I have this word of advice for everyone in the high-tech industries: find an attorney who practices business and intellectual property law. Do this right now, when you're not looking for a job. Most attorneys will spend a reasonable amount of time just chatting with you about stuff without charging you when you first meet them so you can evaluate whether to work with them.
When an employer or client gives you an NDA, tell them you'd like to have your attorney read it and advise you on whether to sign it. Don't even bother to read it, certainly don't read it while the interviewer is hovering over you.
Consider preparing your own NDA that the client or employer will sign, that you have your attorney draft ahead of time. That way you can be prepared with an NDA, and if they want you to sign one, say that you aren't comfortable doing so without legal advice, but if they'd like you have one handy. This is what I'm working on doing - with the help of an excellent attorney.
I may be belaboring an obvious point but most NDA's usually don't obligate the employer to keep your secrets secret. If they won't agree to protect your trade secrets, why should you agree to protect theirs?
It happens that I've signed a lot of NDA's and contracts over the years, but since I had some trouble with a client I've started discussing everything with an attorney up front. Nothing gets my signature unless my lawyer says it's OK with her. Just the conversations I've had with the attorneys I've discussed these things with have been well worth the money I've spent.
Most attorneys will only charge you by the minute for such matters, and it takes them less time to evaluate a contract than it would for you as a programmer to do so (how long would it take an attorney to evaluate your source code?). The attorney fees I've spent in the last year evaluating all the NDA's and contracts I've signed have come to maybe $400.
Considering that you could be taken for tens of thousands if you lose a lawsuit, or you could lose a job opportunity if you signed a non-compete or a potential employer feared you'd expose them to liability because you knew a competitor's trade secrets, isn't it worth it to get an attorney?
If, in the interview, they balk at you getting an attorney to sign an NDA, you should politely point out that it would have been appropriate for them to have sent you the NDA before the interview so you could have it checked out. Then offer to either leave right now and come back later, or keep the discussion limited to non-secret material.
Remember, the labor market is very tight for employers these days. The power is in the hands of the engineers. You don't have to put up with intimidation.
When I opened the restroom door, finding the room dark of course because it was after hours, much to my suprise a giggling teenage couple came running out of the bathroom past me and headed out the door.
They must have got the keys from one of their parents, I suppose.
Bet they thought the john in an office building downtown would be a secure private place for some hanky panky - but they didn't count on there being a software company down the hall!
This is not to say that my own has always been of the very highest quality, but in fact I decided early on to try to come to a fundamental understanding of what was wrong with software development, to get very good at debugging (I say that debugging is a specialty on my homepage) and to learn to write better code.
In my early years I was initially very shocked at what I'd discover in production use at companies. Over the years I just learned that that's standard practice, in commercial software, in-house software, and even in scientific software (where I have become convinced, because of my experiences with high-energy physics data analysis, that many scientific papers are published with erroneous measurements because of software bugs).
Early on I read that something like 90% of software development is spent doing maintenance programming. Some of this is doing legitimate upgrading, but a lot of it is just spent fixing bugs, and even a lot of time spent doing upgrades would be more productive if the code were of better quality.
After reading this figure and having so many experiences with software bugs, both other people's and my own, I decided very early on to get very good at debugging.
One of the first things I did was adopt the regular use of "lint" for checking my C code. I would integrate lint targets into my makefiles and after editing a source file I would type "make lint" before compiling to objects and lint would check all the files that were out of date with the object modules. Pretty quickly I got to where I could write code that was nearly always lint-clean - but the existing code I worked on would make lint scream with hundreds if not thousands of complaints, often serious things like variables being used before they are initialized.
One of the first solid clues I got about software quality came from Robert Ward's book "Debugging C" - now out of print, it predated the common use of source code debuggers and talked about how to write your own stack crawls and other tools.
Ward emphasized the use of the Scientific Method in debugging, and because I was trained in physics, this came very naturally to me; before that I'd mostly floundered and used printf a lot.
I've gotten very good at debugging and have even worked full-time as a debugger at Apple Computer where I was a "Debug Meister" and my business card gave my title as "Cybernetic Entomologist".
I can easily get highly paid consulting work doing debugging for companies desperate to ship a product (and have in the past) but I don't really like to do it for various reasons, some of the same reasons I quit my debugging job at Apple.
One is that if I only do debugging I don't have something to point to at the end of the day and say "I wrote that". I could say "that works because of me", but sadly there's usually lots of bugs left that I didn't have the time to find so I don't really feel proud of the result. The other problem is that the bugs are usually not there because of something interesting, it's not like the code is mostly good but there's some subtle flaws, rather the code is a heap of dung and I can go in with a pitchfork and do debugging wholesale until I get tired of it and the client or manager decides the rate new bugs are being found is low enough they can feel OK about shipping it.
I don't feel good about contributing to such shoddiness. If a company is not good enough to support quality in their corporate culture I don't want to come in and put on a band-aid for them. It would be an entirely different thing if a company hired me to restructure their development process so that quality was a goal that was achieved through direct application of process but gee whiz no one has ever asked me to do that for them.
I do have to say though that the best thing that ever happened to me is that I became a "technology prostitute" as the author of the original article puts it. One benefit of this is that the process is entirely of my own creation, and almost all of the work I've been given has been to write entirely new products from scratch, so I can engineer in quality from the beginning.
Here's a few recommendations I have. Get good tools. Besides a compiler, editor and debugger, you need a static code checker and you also need dynamic testers. The ones I know about are (I haven't used them all yet):
- PC-Lint static code checking for C and C++. It runs on Windows but Flexe-Lint comes as shrouded source code and is highly portable.
- Spotlight dynamic tester for Mac PowerPC - I use this every day and recommend it highly
- BoundsChecker dynamic tester for Windows
- Purify dynamic tester for Unix (but apparently not Linux) and Windows NT
- Optimizeit dynamic tester for Java - do you know many Java programs have memory leaks? Can you understand why? Not just Java but any garbage collected program.
There's also memprof and electric fence, which I think run on Linux. It would be possible to modify gcc so that you program when built with debugging flags and linked with a special library would have all memory references boundschecked before allowing the access. This could work with both read and write access and would catch overruns by as little as one byte - Spotlight does this by patching the executable powerpc code and rewriting the debugging symbol table.Finally, to really come to understand the software quality problem in the industry and what you can do about it, read The Forum on Risks to the Public in Computers and Related Systems also available on the Usenet News as comp.risks. The book The Software Conspiracy exposes the complete disregard the commercial software industry has for serving the consumer by providing quality products - I haven't read it yet but it looks interesting.
A very interesting methodology that emphasizes personal responsibility and puts the fun back into programming as well as maintaining quality from the very start is Extreme Programming. I'm starting to adopt extreme programming (the the extent a one man operation can - I can't work in pairs :-/ ) and find it a tremendous benefit.
Stack overflow? Heap corruption? Unanticipated input?
'Nuff said.
The Yellow Network Coalition takes old 486's and turns them into firewalls and IP masquerading servers they give away for free to people who have cable modems and DSL. I gave them my 486 when I moved. They also set up free public-access kiosks. These guys are inspired by the freely available yellow bicycles in Amsterdam.
They Need Your Donations of Old 486's and Other Hardware
The Forum on Risks to the Public in Computers and Related Systems discusses security holes, bugs in software, user and usability problems that cause such trouble as security problems, and carries security announcements.
The CERT Coordination Center carries authoritative announcements of security problems and what you can do to fix them; provides rapid response to security emergencies while they are in progress.
I've also heard BugTaq is good and better than CERT for timely information but don't have a URL handy.
BTW - I have left Javascript turned off in my browser for most of a year now, ever since the CERT Coordination Center recommended everyone do so because some online discussion sites allow HTML posts but don't filter <SCRIPT> tags out of their users' posts so someone who knows how to crack javascript can eat your machine with a forum post (Slashdot filters out script tags), and I leave Java off ever since that web server thingy appeared a couple days ago - and I urgently emailed everyone I knew and told them to turn off Java too.
Yes, solutions are on the horizon but they're not here yet. Yes, there are workarounds like typing posts into a notepad and copying them in from the clipboard - so my problem can be taken care of, but not the novice users.
So I'll take my applications as locally executing programs, thank you, and I'll be happy when a solution does appear which survives extensive security auditing
My friend's opinion wasn't about doing stuff with Java or Javascript at his company - they specifically didn't use it because they said they couldn't count on it being implemented in the browser - but with plain old HTML, generated by perl scripts on the server backed by a Sybase database, and forms.
He thought this was the best thing since sliced bread, and as a long-time Mac GUI programmer, I thought he was completely clueless.
While anyone may submit to Risks, some of the people who post there are respected experts in their fields, and will often write very well-thought-out criticism of online and telephone voting schemes as they are actually practiced - usually without much regard for security and privacy - as opposed to the ideal schemes thought up by security experts and cryptographers.
I can't remember any specific posts on online voting, lets see what the search form produces:
Just searching for "voting" produces dozens of submissions, mostly related to computerized voting - that is, electronic voting booths, which have their own reliability and security issues but are not what we're discussing here - but see Computer Causes Chaos in Brazilian Election in which a program designed to weed out fraudulent voters (like dead people) canceled the voting rights of 70,000 twins.
Searching for "voting;online" produces a few hits such as the announcement of Arizona's online voting and a comment that there is no promise of privacy in online voting - that your identity and your vote won't be correllated, which is forbidden for conventional voting.
Wonder about the accuracy of unofficial online votes? Check out the risks of paying attention to uncontrolled e-voting in which a public opinion voting site on abortion funnelled votes from both sides to the anti-abortion side.
The Forum on Risks to the Public in Computers and Related Systems
The Software Conspiracy
While there will always be quality problems in software, current practice in many companies is to not even try to do the basic things that tend towards improving software quality. Until the public wakes up and realizes they're being ripped off, and their safety and corporate information being put at risk, we will always have this problem.
One solution is to get every programmer in a company a copy of some good quality tools, static analysis tools like PC-Lint and dynamic (runtime) analysis tools like Spotlight (for the MacOS) or BoundsChecker (for Windows) or Purify for Unix (but apparently not Linux) and NT.
As a Spotlight user and a long-time reader of the Risks forum, I wouldn't dream of shipping a Mac product unless it tested absolutely cleanly under Spotlight and had zero memory leaks.
But it is amazing to try Spotlight on a mature commercial product for the first time. Think you're program's free of bugs? Guess again. I proposed using Spotlight to my manager, on our program which had been shipping for several years and cost $600 retail. It was a serious product for high-end users. My manager said it would be a waste of time because "Our program has so many bugs, Spotlight would keep finding them and progress would be very slow." And you know, he was right. I persisted anyway, and spent three months ferreting bugs out of that program with Spotlight.
There's a lot of tools out there (and there's tools like these for Java too, like OptimizeIt - do you know many Java programs have memory leaks?). You don't have to pick the tools I recommend, but look out for what's available there and make sure you have something for every developer seat in the house.
It will be the best investment you make. The $199 for Spotlight will be paid for in the day it's first used.
And free software writers, I suggest writing free software versions of these. It would be possible in principle to write a special version of gcc, or an command-like option to it, that when your program is linked to a special library all your memory accesses are boundschecked. Note that Spotlight can validate memory reads as well as memory writes.
Give them your phone number.
They'll make short work of the patent and Adobe will come out with egg on their faces - as will the patent office for yet again granting a patent that is not only obvious but which had already been done.
It's not likely that the right people at Macromedia will see this unless someone makes the effort to put it under their noses. C'mon, be a hero.
How many high-school kids don't do much more than hang around at the mall, drive their cars up and down main street or do bong hits when they're not watching the tube?
While they probably have hardware compressors and fancy algorithms, if you can use any PC you can use a public open-source compressor and just get a bigger hard drive.
It really wouldn't be that hard.
You'd probably get better realtime media streaming performance in the BeOS but then there'd be a chokepoint and I don't think the company is deserving of support by third party developers anymore.
Better to give people yet another reason to use Linux.
Are there any readily available hardware video compressor boards that aren't too expensive and have open source linux drivers?
The Kill Your TV Website:
http://othello.localaccess.com/hardebeck/
No this is serious. He claims that Sesame Street may teach your kid to recognize letters and numbers, but it shortens their attention span.
It happens that, when I was a kid, I stopped watching television when my sister left for college. I had never really actively watched TV before, but would sit passively while she changed the channels. With my sister gone, I would at first just sit in silence in the empty house. But I started listening to music which, unlike TV, allows you to devote your attention to other things while you listen.
I read a lot, ground telescope mirrors, acted in the high school theater and eventually became the set director, started college at 16 while still attending high school, scored 890 out of a possible 900 on the SAT Math II achievement test and was accepted into CalTech, where I published in the astrophysical journal and did research on the 200" and 60" telescopes.
I still don't watch TV, and have a successful software consulting business.
Mike
Note - you can find refs to my papers in the "Publications" section of my resume. Abstracts are available online. I didn't say it in my original letter but the work that was published I did while employed as a research assistant the summer after my freshman year.
One
Two
Three
Four
People who like to watch TV and want to make a few extra bucks would sign up to be commercial monitors. Either they'd enter the station they're watching into their handheld web browser or this would be handled for them by a set-top box.
When a commercial comes on they press the "commercial start button". When all the commercials end they press the "commercial end" button.
People who subscribe to the service would receive a little unit that plugs into the internet and, when a commercial is on, turns off the sound, maybe blackens the picture and pauses their VCR.
For this to work reliably there'd need to be a voting system so you'd only skip content if a lot of monitors said there was a commercial on. Monitors who were consistently outvoted would be dropped from the monitor pool.
If you don't blacken the picture the subscriber could notice there was an error and override to turn the content back on (or if the commercial looked interesting)
There are things you can do to try to detect a commercial technologically (like have hardware listen for sudden changes in audio volume) but I'm sure advertisers will pay technologists to find a way to defeat it. I don't think there's a way to defeat the power of thousands of bored couch potatoes who feel they're putting something over on the corporation.
This invention was conceived by me, Michael D. Crawford a couple of years ago. I place it in the public domain as of Friday, August 11.
When the movie came out and included this scene, a similar murder followed, and the relatives of the deceased sued the movie producers - I'm not sure but I think maybe Carroll got sued too, and he'd written the book years and years before the movie came out.
Is the trial finished? Anyone know the results?
A number of people are actively trying to organize such things, but the results so far haven't been promising and the consensus on the reason way is that programmers are just a bunch of pussies too concerned with bringing home the immediate bacon rather than lift a finger to look after their future.
Yeah, that's right - you. Pussies. You may have the balls to post anonymously on Slashdot, but when was the last time you not only voted, but gave money to a political campaign whose position you supported, and did volunteer work for it.
Last time for me was '92, I'm afraid, when the president of Working Software and I organized the Jerry Brown for President campaign in Santa Cruz, California in the company offices.
I donated the maximum Jerry would accept during that campaign - $100.
If you think programmers can really escape liability for their products (or should), think about what kind of effort and investment companies like the tobacco industry and auto manufacturers of automobiles and childrens toys and food put into defending themselves from lawsuits and government regulation.
It's only a matter of time before the public rises up and demands accountability for software. Imagine a senator getting elected on the platform of promising to put programmers behind bars for writing software that is unreliable. Or a district attorney setting out to put programmers behind bars, not for hacking or writing viruses, but for writing products that don't meet government standards.
I haven't read it yet, but the Software Conspiracy looks interesting.
And I mean this not just in regard to installers and packages, but everything.
And no, I'm not proposing that what we need to do is make Linux look more like Windows or the MacOS.
But there are problems that others have solved and we can draw on their solutions, even if we can't use their source code.
(Even when I was working at Apple I would tell people about stuff from SunOS or Linux that I thought would go good in the Mac - they wouldn't hear of it).
I think an indicator of the problem we face in trying to bring Linux to the desktop was when I was corresponding with RMS about things I thought would be helpful to the users and I suggested an installer. He replied "What's an installer?"
The best installer I've ever come across on any platform, both to create packages with and for the user to install products with is Mindvision Vise.
It would be worthwhile to find a friend with a Mac and download it, and make a little toy installer that installs SimpleText and a readme file to try it out (you can download it for free - the installers created with it complain that you've lifted it until you get a valid serial number. It is possible to get a serial for free for installers for freeware).
It beats the living hell out of anything I've seen for Linux.
BTW - if you want to see an installer that really blows, check out PackageBuilder/Software Valet for the BeOS. The thing drove me to distraction. It wasn't just the way it would corrupt the data in my archives or crash while users were installing my software with it.
What really drove me nuts is that it had no concept of updating an installer when I had built new software to go in it.
With vise you just drop your new files in the folder next to your installer project and tell it to update. It gives you a list of files that have changed and you can approve or disapprove of updating them (or deleting the ones that are now missing).
PackageBuilder requires you to delete the old file from the installer project, which loses its settings, then you have to go and add your file back in and reset your settings. This is probably the number one reason for every time I've been reluctant to release a new version of my software on the BeOS - I enjoy programming it but I hate the damn installer.
Classically, the blurring is caused by scattering of light by the edges of the telecope. The narrower a "slit" you pass light through, the greater the scattering. If you mount a pair of razor blades a hair's breadth apart and shine a laser through, you'll see bands of light on a wall on the other side from the diffraction. As you move the blades apart (make the opening bigger), the bands get smaller.
A telescope is like a really big diffraction slit. The problem here also is that the amount of diffraction is determined by the wavelength of light, so that an image taken in the infrared will always have poorer resolution than the same object taken in visible light. There is also atmospheric distortion to contend with.
Radio waves have very long wavelengths, so a single dish telescope resolves very poorly (like a degree or so). But because the frequency is manageably low you can record the phase on tape and later digitize the signals and combine them from more than one dish you can do interferometry with radio telescopes in a practical way - even interferometry using the whole width of the earth as a baseline. In principle you could have dishes orbiting in different places around the sun and get enormous resolution.
There is a limited amount of optical interferometry going on too, combining the beam of two or more telescopes, as with the 10 meter on mauna kea - they're building a second to use as an interferometer.
Quantum mechanically, you cannot know the product of the location of a particle and its momentum better than about Planck's constant h/2 PI. Putting a particle through a slit determines its position with some certainty and so its momentum across the slit becomes undetermined by a corresponding amount.
With a very narrow slit and a laser beam the uncertainty is large so the photons are scattered as much as a foot or two to either side passing across a room. But passing through the aperture of a 3.6 meter mirror the uncertainty introduced is actually fairly low, so the resolution of a big telescope is high.
One thing you gotta realize is the apparant diameter as viewed from earth is really miniscule. Look up the actual diameter of Titan in an ephemeris and the distance of both Saturn and the Eart from the Sun (earth is 93 million miles) and you can figure out the solid angle it takes up in the sky at closest approach. It's really tiny!
For comparison, the usual resolution of most earth-based telescopes is limited to about a quarter of an arc-second on a really good night.
Up until recently the biggest telescope in the world was the 200" at Palomar Mountain, and it couldn't get nearly the quality of photos of Jupiter and Saturn that the space probes sent by NASA did.
"What is the most efficient implementation, written in C, of the standard library function strcpy?"
Well damn me, I wasn't able to answer this, and so I was put on technical support at six bucks an hour - graveyard shift, BTW, they offered 24 hour tech support.
If you want to see where I've come since check out my resume
(Yes, Apple has always used Unix, I had a Sun 3/280 on my desk in 1990).
I got invited into the game after complaining long and loud at A/UX 2.0 wasn't living up to the CERT advisories during it's beta cycle.
Please read Market Yourself - Tips for High-Tech Consultants.
I'm a consultant, and I see a lot of other consultants out there groping for a clue. I also have lots of friends wandering in the dark trying to build a career.
I've been working as a programmer for thirteen years, and I've been an independent consultant for two and a half years. I do not do business with recruiters - I find all my clients myself. The above page tells how I do it.
This is not spam. I'm serious!
Tip: the Digital Telephony Act has been around for years mandating built-in wiretaps in phone switches, but Speak Freely is free, includes source, and provides your choice of strong encryption methods.