While encryption is indeed computationally expensive, it is not nearly as computationally expensive as badly written GUI code, and that's what's usually running on modern computers. Encryption software is generally quite optimized, while the crud we call shrink-wrap software is a poor excuse for engineering.
I first found I was color-blind when my mom brought home some color blindness tests from the library.
There are circles filled with lots of colored dots and you're supposed to be able to see figures in the dots.
I didn't know I had a problem before then, but since it was pointed out to me I notice it sometimes. Broad fields of color are easily distinguishable, but if you make small dots of red and green next to each other with felt tip pens on a sheet of paper, I will have trouble telling them apart.
I can easily tell that they are of different colors and one is red and one is green - but which is which is hard for me, and as I stare at them they switch color.
Resistor color codes - you know Victory Garden Walls - are just unfathomable to me.
On the other hand, I am an artist when I'm not programming (not much there at the site yet) and I particularly like oil painting; if I paint a lot for some period of time my color perception gets much sharper. If I spend all my time just programming it gets dulled.
Use and depend on computers in any but the most trivial way
Program computers
Make policy decisions regarding computers
Operate computers in a way that affects safety (pilot a modern airplane, work in a hospital)
Use computers in a way that may impact your own safety (flown on a modern airplane lately?)
I think that probably covers most Slashdot readers, which is why I keep posting it here.
You might also want to check out the book "Computer Related Risks" by
forum moderator Peter G. Neumann ISBN 020155805X. It draws on material from the forum but discusses it in greater depth. You'll find it at all the online bookstores and many local bookstores as well.
A US Navy submarine was sunk in the Mare Island channel near Vallejo, California by a test technician. He was trying to level the ship to run a test, and only knew how to take in ballast water, not expel it. The forward sonar hatch was off, power cables were run through the pressure safety doors because the sub was in for repairs, and so the might Gitarro sunk. My dad was stationed at the shipyard at the time, back in the 60's.
Copy of a letter I wrote the patent office, on the problem of defining what is or is not an algorithm in a program when the boundaries between them cannot be precisely defined. Discussed the problems that occur when the virtual machine breaks down (as I guess happens in this case).
In which a friend of mine bounced a business check for four thousand dollars because of a bug in Microsoft Excel - a bug he could later demonstrate at will.
I also recommend that everyone refer regularly to the CERT Coordination Center to read the latest in security advisories and report security problems to them when you find them.
The ZDNet article included the quote from my question:
What do you do if your productivity drops to two lines of code a day, and you just sit and stare at the code and feel like you don't know how to do it anymore?
I emailed the author, Mary Jo Foley and asked her why she didn't attribute me, pointing out how easy it was to find out who I was from the link in the ask slashdot article and my first post.
It particularly irritated me that I didn't get credit when she interviewed Linus about it, who didn't participate in the discussion, and some other guy who compared a programmer being stuck to your plumber saying he couldn't fix your pipes because he had "plumber's block".
She replied that she didn't give attribution to my post (and I guess to any of the posts that came directly from the Slashdot discusion) because she had been flamed in the past for quoting people from Slashdot!
I consider that pretty cowardly. Say what you want to me in the press - but spell my name right. Imagine she'd quoted some government official saying something, but didn't attribute them because other government officials had complained in the past!
She should be very well aware that any snippets she quotes from Slashdot are perfectly legal because of fair use (I could not imagine a fairer use) and it is not just ethical, it is a very basic rule of journalistic practice to provide such attributions.
It is important for historical reasons - what if the ZDNet article survives to be quotes later but the slashdot discussion is no longer available to be linked to? What if someone reads my quote but does not follow the link?
She felt that simply providing a link to the original article was sufficient attribution, but that's not true - my words appeared on her page, and I want my name next to them.
Can You Cogently Explain Why Javascript is Bad?
on
Full Frontal Quickies
·
· Score: 2
Don't worry about convincing me that Javascript is bad - I already leave it turned off, and have ever since I read the CERT advisory that said you should turn off scripting in your browser because crackers might post scripts in web forums that don't filter the posted HTML correctly
Slashdot doesn't allow the SCRIPT tag but some sites do (perhaps unknowingly) and so someone can write an apparently innocent comment in a chat and include a script that eats your hard disk.
A close friend of mine told me that she's been writing largely in Javascript for a long time now and her company is in fact basing their entire online strategy on Javascript. They're making a huge investment in it and will be selling a product that will be very expensive that will require very highly paid people to leave Javascript on all day long just to do their work.
I was astonished at that idea and said they were doing a disservice to their customers by encouraging them to enable Javascript, let alone requiring it for the basic functions of their product.
She was pretty incredulous about this, even after I recounted the above CERT advisory. She told me Javascript was sandboxed and could not do anything destructive. I told her it was full of holes and highly nonstandardized and bugs were being found in it all the time.
I told her I felt that reading Risks was a very basic requirement for anyone who wrote software for a living, and was doubly important for someone like her who wrote software that would effect people's lives in a substantial way (I can't be too specific - but she's not writing entertainment software). She thought this was all very silly.
Now, slashdotters, what can I say to my friend - what can I say that is of real substance not just flaming? Can you give me literature references or URL's? Pertinent CERT advisories would be good.
BTW - here's a suggestion - while I leave Javascript turned off most of the time, I often find I have to turn it on to use some sites. It really gets me down that some sites don't even function if Javascript is not enabled.
But Junkbuster is a simple proxy that will filter out ads and stop cookies, but allow them in controlled ways. For example, I only allow cookies from Slashdot and my bank, so I don't have to have cookies from any other site and I don't have to keep turning cookies back on to read slashdot.
I think it would be a fairly simple matter to modify the Junkbuster source code to filter out SCRIPT tags for most sites except those that are on an approved list. The source code is GPL'ed so someone with the inclination could just get the source and do it. I'd do it myself but I'm real busy for the next little while.
Mentally disturbed people deserve to be in institutions receiving care.
I have some news for you buddy. Most mentally disturbed people don't need to be in hospitals and there's no room for them even if there they did.
First I'll quote a few statistics:
One third of the people that are in hospitals in america today are in psychiatric hospitals (including the psych wards of regular hospitals).
About one percent of the population is manic depressive
About one percent is schizophrenic
About thirty percent of the population will experience clinical depression at some point during their lives, and at any given time about five percent of the population is experiencing clinical depression.
Hospitalization is only appropriate for the very worst of times, when someone has just cracked up and needs to get diagnosed, or some life crisis has happened and they need a safe place to put things back together. Sometimes their medicine is not working and new stuff needs to be prescribed, and they need a place to go while it takes effect, which can take weeks.
But you can't have a real life in a hospital. You can't go to college in a hospital, hold down a job, cook for yourself, do your laundry, drive a car or provide for your family while you're in the hospital.
What most mentally ill people need is to put their lives back together in the real world, and to do that, they need to be in the real world - living in regular housing, driving cars, going to school, holding down jobs.
You'd probably be pretty amazed if all the mentally ill people that you encountered in your daily existence came up to you and told you what their illness was. I'm very unusual for people who suffer from this in that I make it public - because I want to educate people like you to make it easier for others who have to go through what I went through.
If one percent of the population is manic depressive, chances are pretty good you know at least one, and maybe you know several - they're just not telling you, or they haven't been diagnosed yet.
It happens to me all the time in workplaces when I've confided to my coworkers, as, for example, at a small fruit company in cupertino california where I told a woman I was bipolar and she told me she was too.
I met a technician from the Jet Propulsion Laboratory when I was in the psych hospital near there, and he told me that he told a staff counselor at the lab that he felt bad that he took Thorazine at work. The counselor said, "Don't worry, lot's of people at JPL take thorazine."
What the mentally ill people need from people like you is not to be locked up, but to be treated with basic decent human respect.
Why was my post moderated down to 1, offtopic (it got posted at 2).
I was responding to the "coder scorned" post and meant it to be a warning to everyone reading it to keep control of your internet assets.
You may regard my friend as an asshole - but he regards it as his business strategy, much to the dismay of his clients who do not make the effort to get informed about important things like who owns the domain name registration.
Web consultant directs corporate site to pornsite
on
Full Frontal Quickies
·
· Score: 2
I know a web consultant who had an issue with some large site not paying its bills for his service.
It seems that my friend often deals with clients who are not too savvy - so he often keeps the registration for the clients domain names under his own control.
He just directed his client's DNS (which was some major company) to a porn site.
It backfired on him though. A sheriff's deputy showed up at my friend's parent's house to serve a lawsuit process over this and I guess the parents (who are very elderly, conservative, and not hip to the ways of the web) were pretty astounded at the name of the porn site that was listed on the process.
This same fellow makes it a practice to always register domain names under his own name and never give them up until the money is settled. I know of a number of companies that are probably unaware that they don't have control over their own DNS and that he's keeping this card up his sleeve in case negotiations turn bad.
I've done the same thing that RMS did, when he was asked for change for food - I bought food for the hungry person.
I haven't done it a whole lot, and I have to admit that sometimes the approaches I get frighten me or I am too busy with my own thing to deal with them. But whenever I have done so it has been extremely rewarding.
I also know from my own experiences with mental illness that one of the most miserable things about it is the reaction that strangers on the street have to you. Being disturbed makes you look and act different sometimes, and often people will avoid your glance, cross the street upon your approach, or lock their car doors when they see you standing at the street corner. You'd better believe that the affected person notices that even if they don't visibly react to it.
The first time I did this a man in Pasadena asked me for money for food. I bought him lunch, spent an hour with him and ended up giving him ten dollars. He was a very nice man and said he was a hardworking construction laborer but couldn't get work.
The second time I met a couple homeless people, a vietnam vet and a teenage girl on Pacific Avenue in Santa Cruz California. The girl was coming down from an acid trip and having a very bad time. We talked for quite a long time - the vet recounted the horrors he still sufferred from having killed a soldier with a bayonet in Laos. I bought the girl a slice of thick-crust pizza at Pizza My Heart. It comforted her greatly.
On another occassion I had noticed a schizophrenic woman around town, who hung out downtown a lot but never seemed to talk to anyone. I just walked up to her, asked her name, and we got to talking.
Allison was a very nice woman and interesting to talk to - but was having such a hard time with her hallucinations that she had to keep brushing them out of her face with her hands so she could see me. I bought her a coffee at the Santa Cruz Coffee Roasting Company. We just sat and talked. I imagine she was on government assistance and was neither homeless nor hungry, but probably (like I back in the dark days) welcomed someone to talk to who didn't react with revulsion.
That was years ago, and better medicines for treating schizoid symptoms have been developed (clozaphine, and the risperdal I take). I ran into Allison again not too long ago and she seemed like a pretty ordinary woman, and spoke of her husband and children. She didn't remember me from before.
My wife tells me about how a lot of people say panhandlers are just trying to rip you off, and I imagine some of them are - there are dishonest programmers too, aren't there, but we still associate with each other? She's very generous in giving money to those who ask for it because she knows that by doing so her conscience is clear. Maybe a few people will come by the money dishonesty, but far more people will be helped a little bit out of their misery.
Even if you feel you can't or won't give spare change to someone who asks, stop and chat with them. They may not admit to it but it's far more likely that they are hungering for genuine human contact more than food or money. I know I was.
When I used to work at Live Picture (publisher of the Live Picture image editing app, and one of the creators of the flashpix file format) one of the things I got in the habit of doing was going out the back with the smokers when they'd all go out and smoke.
I don't smoke. Never have.
I'd just stand where the wind blew the smoke away and we'd have a little chat. It was very helpful. Sometims we'd talk about programming issues or sometimes we'd talk about nothing at all.
One of the side effects of moving up here to Newfoundland is that we drive long distances to get to my wife's parent's house, and we also made a trip (via the ferry) to Nova Scotia, which is a really long way.
I couldn't afford to not work for such long times so we bought an inverter at Canadian Tire and I plugged my laptop into the car cigarrette lighter.
And damned if I didn't get more work done on the road with my wife driving that at any other time.
I'm writing a cross-platform product right now and have a choice to program on a Mac desktop or my windows laptop (it also runs Slackware Linux and BeOS). Sometimes my wife borrows the laptop to browse the web and - zing! - I get a lot of work done.
The problem was that I'd leave elm open in a terminal window and a web page open on slashdot and hit reload whenever I was running a long compile or something.
So recently I made the choice to turn off my laptop when I've set into my work, or give it to my wife. It's greatly improved my productivity.
(I only paid for one computer on my cable modem, and haven't figured out IP Masquerading yet, so my mac can't hook to the internet. Modems are interchangeable but the DHCP for the cable modem is keyed off of your physical ethernet address so unless you cough up for the second connection or use masquerading you can't use a second machine).
I apologize for not having been able to join into the discussion today but I'm afraid my new bride pointed out that all I'd done was work since we got married a week ago Saturday and we weren't going to get to take a honeymoon anytime soon and so we spent a bit of quality time together.
I don't think she would have understood if I told her I'd been featured on Slashdot and had to take breaks from her to go post...
I did read through some of the comments here earlier this evening and I must say that this has been an excellent discussion. The sheer number of comments posted shows I must have struck a chord with the community - and my experience with other programmers shows that this is a common problem with others.
I'll post tomorrow what the folks on comp.lang.c++ and comp.sys.mac.programmer.misc had to say but they were in general along the same lines as what was posted here:
Take a break
Get a life
Do something fun that doesn't involve computers
Engage in vigorous physical exercise
associate with the attractive sex
Step back from low-level coding and do other software-oriented things like design, discussions with a coworker or documentation
There's some more, some of which I'll discuss in a moment.
I did in particular step back to think about software from a different level than coding, but I didn't actually do design work. Instead, I just cracked open some good programming texts. If you haven't read much lately there's probably a lot of good stuff that will stimulate you and improve the effectiveness of your work - check the book reviews online at The Association of C and C++ Users (and consider joining it - I did, a couple months ago).
One thing I consider important in the reading I did was that I wasn't looking for solutions to the problem at hand. Rather, I was trying to get back to something I'd been missing for a long time and wanted to indulge in - the sheer joy of learning for its own sake.
It was the case that the books I was reading were pertinent to my work but I wasn't searching them for solutions. I was just reading and flipping through them as my curiousity led me. And when solutions to my problem would occur to me, I'd put them out of my mind until the time I'd decided ahead of time would be my time to resume work.
What actually got me going again was that I had such a flood of ideas and they had crystallized so clearly I was able to sit down and implement my solution in a day and it worked just fine - still does.
Something else that helped stimulate me was the website on Extreme Programming.
A lot of the approaches there really appeal to me. Particularly I like the ideas they have that could be generally expressed as "design by coding" and are mentioned I think by Stroustrup in the intro to More C++ Gems as "expressing designs in the code".
That is, rather than doing a bunch of up-front modeling using diagrams like OMT or UML or what have you, you just write code - but you are designing in the code, so they emphasize in extreme programming that you constantly rewrite the code as designs gel.
One thing that saddnes me though is that Extreme Programming also suggests programming in pairs. This is something I used to do with Dave Johnson when we were at Working Software together. We'd help each other through hard spots and just rap about politics and stuff and go have coffee or a beer and get a lot of work done.
Now I live at the End of the Internet and I'm working for myself as a one-man consultant shop. It has its advantages (I can work at home and set my own hours) but one big disadvantage is that I work very much alone and there's no one around to bounce ideas off of.
I have other programmer friends and I do call them up but they all have their own gigs - it's not the same.
On another important note, several people both here, privately via email and in the newsgroups raised the possibility of this being clinical depression.
Well that is something I was well aware of and had been considering. Depression is something I have been dealing with all my life, as you will see in another slashdot article I posted:
I didn't used to be (woefully so) but now I'm very introspective about my mental and emotional state. I have to be. I didn't used to be but now I just won't tolerate the depths of misery that I just thought were part of the normal human condition.
But I don't think that what was happening to me was the sort of depression that I usually consider. There are "endogenous" and "reactive" depressions. Endogenous depression just happens to you and is usually caused by chemical imbalances in the brain (shortages of serotonin or norepinephrine) and is what's usually experienced with Manic Depression, while reactive depression is (naturally) a reaction to external events, like a personal tragedy.
Life has been really hectic for me for a long time, with the turbulence of my consulting business, falling in love with a woman from another country, planning a wedding, moving to Canada, and just trying to keep it all together. Maybe if all that hadn't been going on, I wouldn't have gotten stuck. But basically, I just got stuck.
Robert Pirsig talks about stuckness and ways to overcome it extensively in Zen and the Art of Motorcycle Maintenance, which I recommend highly (and probably ought to reread). And I really was suffering the kind of stuckness he described, the stuckness that occurs when you just want to get your bike fixed and you break the head off a crucial screw...
(Robert Pirsig went nuts while a grad student in philosophy at the University of Chicago. He had shock treatment back when it wasn't very carefully administered and lost nearly all his memories. The book is about his motorcycle trip across to some of the places he used to live to visit old friends he hardly remembered, along with an amazingly enlightening discussion of what he'd been so obsessed about that it drove him crazy - what is Quality?)
Someone mentioned meditation in the discussion. I had found reading about Zen and doing meditation on my own was of profound help in overcoming my mental illness back in the really dark days. But as things got better and my career got in shape and I stopped seeking so much and concentrated on learning to program and making a place in the world for myself I drifted away from that, something that I think is really wrong.
During my time off my then-fiance lent me her copy of Chogram Trungpa's The Path is the Goal, A basic handbook of buddhist meditation. It is published by Shambhala Publications
I'm afraid I read a little bit of it then when my time off came to an end I set it aside and started thinking again.
One of the little traps our mind has for us is thinking. I like to think, and I'm particularly well-developed at it. But my wife tell me that we are not our thoughts, and actually our thoughts can lead us astray. And when I was getting so stuck on my programming problem I was thinking really hard and trying to solve my problem by thinking harder.
One thing you do in meditation is to stop thinking. Hardened programmers might find that a frightening concept. And you can't really try to stop thinking - you just sit, and look, but not too hard, and experience
You cannot experience your world as it really is and be thinking.
One thing that Pirsig discusses in his book is how to bring the wisdom attained at the rarified mountain peaks of meditation down to practical value in everyday experience. He uses fixing a motorcycle as an illustrative example but when I read the book I found that I was able to program better because I could "become one with the machine".
My wife doesn't really believe this is possible but I think it is, that one can meditate while carrying out an intellectual activity like computer programming. That's something that I seem to have lost long ago, that I had years ago when I was not nearly so knowledgeable but I did have the ability to really lose myself in the machine all day long without distraction - and without getting tired or worn out.
When I run Gnutella (the original Windows client) or gtk_gnutella, I get from 1 to 200 host reported instead of the usual 3000 or so, and searches respond with very few hits no matter what I search for.
There are numerous messages over on the chat board at the Gnutella website that indicates that others are having the same problem.
I always thought that something was likely to happen bad to gnutella, seeing how it loaded the network so heavily with only 3000 clients at a time - the most I ever saw was maybe 5000. Napster had a total of 23 million users (not all of whom were logged in at any given time).
Has the gnutellanet gotten broken into islands? Is there a failure in the protocol?
I don't believe there really could only be a few users because there is a message on the Gnutella site that says they had to install a new server and buy more bandwidth to handle all the hits and client downloads they are getting.
Maybe decentralized peer-to-peer isn't all that it's cracked up to be - or at least the kinks aren't worked out of it yet.
Ah, I see this message posted on the development board:
Many of you developers have probably noticed that GNet is not working as well as usual today. We think this is may be because there is a ping-flood DOS in progress, or there is a very poorly-behaving new client out there. I thought at first that we may just be suffering from really high usage, but the contents of the packets have changed my mind.
We are seeing many thousands of pings coming in (most of our traffic!) with hops/TTLs that are very large -- often 255. These pings have port numbers that appear to be random, and the IP addresses in the headers are not reachable -- some of them are clearly bogus (like 0.10.23.0), so they're probably random, too.
We all have to do whatever we can do to stop broadcasting these bogus pings, ASAP. Because of Napster being shut down, many newbies are joining Gnutella, and things aren't going so well for them.
Ideas: 1) As suggested elsewhere, anytime the TTL+HOPs count is large (>20?), the packet should be dropped. 2) Multiple pings with the same IP address in the header should be dropped (don't know if this will help). 3) Pings with a hop count of 0 should come from the same IP address as the one in the header -- if not, the packet should be dropped. 4) Change our servents so that the TTL is not configurable. 5) Change our servents so that the ping frequency is much, much lower.
The easiest message to crack is the message that is not encrypted at all.
Most encryption software is still too hard to use. This plays into the hands of those who would spy on us because they don't even have to try hard.
PGP is more approachable now on Windows than it was back in the command-line-only days, but it is also a huge program.
What we need is for everyone to be using encryption all the time. Encryption should just be the standard, not the exception.
My client asked me to email her my source code, and I made her download PGP and send me a public key. It took some persuading to get her to do it. But I don't have the sense that she's going to be continuing to use it, I think that she only did it to humor me.
I encrypt every thing of value on my laptop with PGPDisk under windows and the Linux encrypting kernel under Linux - so if my laptop gets stolen the theives get nothing of value to them and my client's trade secrets are not revealed.
A friend's office was once broken into and all of his computers were stolen. They got all of his source code, his customer sales database, and all of his sales and support correspondence.
I don't have time tonight to write at my usual length, but this brings up a good opportunity to recommend that you read my web page on Why You Should Use Encryption.
I posted a lengthier discussion of this before with a link to the above page but it has fallen off my user info - it wasn't too long ago, maybe someone can find it in the archives and post a link to the archived slashdot discussion in a reply.
I've had an idea for a while for a "cookie mixer".
What this would be is a program functionally similar to the many cookie manager programs that already exist - you could designate certain sites that you want to keep the cookies for, for example your bank and your slashdot login.
But any site not on the approved list, when you run the cookie mixer, well that site's entries from your cookie file would be uploaded to a server somewhere, and it would be physically replaced in the cookie file with a new cookie that would be received from the central server.
If it were possible to write to the cookie file while the browser is running (that is, it's not kept open or locked the whole time) then the results of saving cookies on mixer member's machines would be essentially random.
The whole point of saving cookies for the marketers purpose is to track your habits, and this would particularly screw them up. There are legitimate uses for cookies - creating a continuous "session" of browsing so you can be logged in as for non-anonymous slashdot posting or using a shopping cart and it would be easy to make exceptions for this.
I don't think it would even be very hard to write this.
The basic thesis of the cluetrain manifesto is that carefully controlled corporate communications are basically hopeless in the age of the internet, because information is readily available to anyone and anyone can publish it.
Another (old) example is an ironically named one about why I chose not to develop macintosh software anymore after being dicked around too many times by Apple Computer:
(For those of you who don't know, Be's history has been to screw its developers even harder than Apple.)
Vast numbers of people have their own web pages where they speak out about companies and business practices that they don't like. Do you have any examples? (let's not forget Mr. Sorehands).
When I was working at Microport Systems back in the 80's, we were in version 1.something of System V/AT for the 286.
Version 2 was expected sometime soon so imagine how perplexed us tech support engineers were when the customers started calling us and asking us about the upcoming version 3.5.
We told the customers there must be some mistake because we were only just about to release version 2.
The calls got so frequent that finally we asked a customer where they'd heard about this 3.5 (not sure if that was the exact number but that's approximately correct). He'd seen it in our full-page magazine ad in a major Unix magazine.
I asked our ad guy what that version number was. He told me that they'd decided to go with version 3.5 because the Santa Cruz Operation was on version 3.4.
Of course we were all pretty pissed off, not just that the company was being dishonest but that they didn't tell the people who took the phone calls - those of us on tech support - and the customers must have thought it was hilarious when the ads kept appearing even though they'd heard it straight from the company that they were misinformed!
A very important thing to understand is that you are only as secure as the neighboring machines you allow logins from.
Since most Unix machines will allow telnet access from any IP address, and many other machines allow FTP or other filesharing access from any address, then you are basically as secure as the weakest machine one of your friends or users happens to log into you from, which could be anywhere and is not under your control unless you make special effort.
The reason for this is that if a cracker (always use the correct terminology...) should break into some less-secure machine than yours, he could install a network sniffer or keystroke recorder on it that captures your buddy's password the next time he logs into your supposedly secure machine from the compromised one.
Poof goes your carefully secured fortress. He doesn't have to use any careful exploit at all to crack your machine. He just logs in using your buddy's username and password.
Better hope you're machine is tightened down against root cracks, and you better hope your buddy wasn't logging in using the root password.
One thing for sure - don't every log into anywhere as root, or do an su, if your telnetted via an intermediate machine, as there could be a sniffer or recorder running on that machine.
This exploit may be even easier than you think - one of the original versions of telnet could be compiled with a debugging flag that, if set to true, would dribble all the keystrokes out to a file. All the hacker had to do would be to gain write access to the telnet executable file and set the value of the global debugging flag from 0 to 1 and he'd get everyone's keystrokes that ever used telnet.
Me? I don't ever use telnet. I use ssh (secure shell). The only external site I ever log into is my web hosting service. I think a minimum requirement of a web hosting service these days is that they provide secure shell access to their customers - mine does, it is Seagull Networks. Does anyone know any others?
Also don't transfer files with FTP - passwords are provided in the clear and crackers can copy your files with sniffers. Use scp (secure copy) instead.
When I was at Apple in 1990 I was raising hell about security holes in A/UX. The thing shipped with no-password guess access enabled by default, and I could become root on the thing in about 30 seconds after a bit of practice if I could log in at all.
While my complaints about A/UX fell on deaf ears in the A/UX team, the people who maintained the Unix machines for Apple employees to use (yes, some Apple employees do use Unix, they even used to have a Cray running Unicos) invited me to play capture/flag.
In the root directory of some of the multiuser machines was a file named flag that was not writeable. The objective was to write into it and then tell the admins how you did it.
When I started the current contents was "such and such a department rules". I guess I would have written "Mike was here" or something.
While I was able to crack A/UX 2.0 every which way, I never could capture/flag.
My understanding is the security holes got fixed in A/UX 3.0. It's a dead product now.
The way I found the security holes was to start methodically working through the CERT advisories and checking which ones A/UX was not compliant with. When I'd find one and they'd refuse to fix it, I'd file a bug report and send some emails around with explicit details of how you can break root because they weren't listening to CERT.
If you administrate a computer on a network, you should go through the CERT advisories yourself and tighten up your system.
If you worry as I do that people snoop on the Internet, then you should use encryption. Don't just use encryption for important secret messages, use it all the time so that the snoopers won't be able to tell when you're up to something they should be paying attention to. Even if you have nothing to hide, generating encrypted traffic on the net improves its overall security because it makes it more difficult for crackers to focus on those who appear to have something going because they use encryption (even encryption is subject to traffic analysis).
If you get your mail from and put web pages on a hosting service, then at a minimum you should use one that provides secure shell (ssh) and secure copy (scp) access. One such hosting service that does is Seagull Networks. Does anyone know any others?
When you retrieve your email via POP or load a web page via FTP your password is being transmitted in the clear. You have no control over which routers and cables it passes through in the process, so you have no way of knowing if someone's running a sniffer on a compromised host. Usually you have no knowledge even of the route, unless you go to the trouble to run traceroute regularly.
You can download your email via an encrypted channel with ssh port forwarding if your mail host provides ssh. The instructions given are oriented to the BeOS but apply in general to any OS for which an SSH client exists.
If you run a website that uses passwords please consider allowing the users to enter their passwords via SSL (https).
If you use websites that require passwords, please use a different password for each site. At the very least, use a unique password for your important sites, like your email, web pages and financial sites. If you keep the passwords in a file (which you may have to do because there are so many sites that take passwords), encrypt the file.
Be aware that most sites that have passwords do not encrypt them, otherwise they wouldn't be able to send you your password reminder in clear text. I've even used sites that mailed out password reminders in the clear every couple months just to prompt me to use the service. Note that anyone at the site who has root access, anyone who compromises the site or anyone running a sniffer on or near the site will be able to catch your passwords.
Also I think it is very likely that many websites are provided for no other purpose than to collect passwords for later use by crackers - beware of that free trial and use a unique password if you must accept the offer!
Use the anonymizer or, if you have Windows 95 or 98, Freedom to protect your privacy while you web surf.
Finally, do you use a laptop computer? Do you have files on it that you don't wish to share with the random stranger who might steal it someday? How about your competitors? A thief won't likely be in the direct employ of your competitors but they may recognize the value of the information and sell it to them, or even post it on the net for fun.
And remember in this information age the information on our computers is more valuable than the hardware itself, and unlike car stereos can continue providing value to a thief because, once it is fenced, it is still available to be fenced again.
Consider encrypting important information on your desktop too. A friend of mine who is a software developer lost every machine in his company in a robbery - source code, strategic plans, and the customer database.
I know of two cases where laptops were stolen from intelligence agents, once during the Gulf war, and once from an MI5 agent while he'd set it between his legs at a train station. Good thing they used encryption!
Finally, read the Forum on Risks to the Public in Computers and Related Systems available on the Usenet News as comp.risks and on the web at http://catless.ncl.ac.uk/Risks
Slashdot Mirror
I think this is with a 5000 RPM disk.
While on this topic, please read my page on Why You Should Use Encryption
While encryption is indeed computationally expensive, it is not nearly as computationally expensive as badly written GUI code, and that's what's usually running on modern computers. Encryption software is generally quite optimized, while the crud we call shrink-wrap software is a poor excuse for engineering.
I also refer you to the Risks Forum
Compile just finished...
Expect an announcement soon for a cool open-source cross-platform application framework.
C over Lambda, of course.
There are circles filled with lots of colored dots and you're supposed to be able to see figures in the dots.
I didn't know I had a problem before then, but since it was pointed out to me I notice it sometimes. Broad fields of color are easily distinguishable, but if you make small dots of red and green next to each other with felt tip pens on a sheet of paper, I will have trouble telling them apart.
I can easily tell that they are of different colors and one is red and one is green - but which is which is hard for me, and as I stare at them they switch color.
Resistor color codes - you know Victory Garden Walls - are just unfathomable to me.
On the other hand, I am an artist when I'm not programming (not much there at the site yet) and I particularly like oil painting; if I paint a lot for some period of time my color perception gets much sharper. If I spend all my time just programming it gets dulled.
You need to read Risks if you:
- Use and depend on computers in any but the most trivial way
- Program computers
- Make policy decisions regarding computers
- Operate computers in a way that affects safety (pilot a modern airplane, work in a hospital)
- Use computers in a way that may impact your own safety (flown on a modern airplane lately?)
I think that probably covers most Slashdot readers, which is why I keep posting it here.You might also want to check out the book "Computer Related Risks" by forum moderator Peter G. Neumann ISBN 020155805X. It draws on material from the forum but discusses it in greater depth. You'll find it at all the online bookstores and many local bookstores as well.
Here's a few of my own posts to Risks:
I also recommend that everyone refer regularly to the CERT Coordination Center to read the latest in security advisories and report security problems to them when you find them.I emailed the author, Mary Jo Foley and asked her why she didn't attribute me, pointing out how easy it was to find out who I was from the link in the ask slashdot article and my first post.
It particularly irritated me that I didn't get credit when she interviewed Linus about it, who didn't participate in the discussion, and some other guy who compared a programmer being stuck to your plumber saying he couldn't fix your pipes because he had "plumber's block".
She replied that she didn't give attribution to my post (and I guess to any of the posts that came directly from the Slashdot discusion) because she had been flamed in the past for quoting people from Slashdot!
I consider that pretty cowardly. Say what you want to me in the press - but spell my name right. Imagine she'd quoted some government official saying something, but didn't attribute them because other government officials had complained in the past!
She should be very well aware that any snippets she quotes from Slashdot are perfectly legal because of fair use (I could not imagine a fairer use) and it is not just ethical, it is a very basic rule of journalistic practice to provide such attributions.
It is important for historical reasons - what if the ZDNet article survives to be quotes later but the slashdot discussion is no longer available to be linked to? What if someone reads my quote but does not follow the link?
She felt that simply providing a link to the original article was sufficient attribution, but that's not true - my words appeared on her page, and I want my name next to them.
Slashdot doesn't allow the SCRIPT tag but some sites do (perhaps unknowingly) and so someone can write an apparently innocent comment in a chat and include a script that eats your hard disk.
A close friend of mine told me that she's been writing largely in Javascript for a long time now and her company is in fact basing their entire online strategy on Javascript. They're making a huge investment in it and will be selling a product that will be very expensive that will require very highly paid people to leave Javascript on all day long just to do their work.
I was astonished at that idea and said they were doing a disservice to their customers by encouraging them to enable Javascript, let alone requiring it for the basic functions of their product.
She was pretty incredulous about this, even after I recounted the above CERT advisory. She told me Javascript was sandboxed and could not do anything destructive. I told her it was full of holes and highly nonstandardized and bugs were being found in it all the time.
I also advisted her to read the Forum on Risks to the Public in Computers and Related Systems (also available as comp.risks on the Usenet News).
I told her I felt that reading Risks was a very basic requirement for anyone who wrote software for a living, and was doubly important for someone like her who wrote software that would effect people's lives in a substantial way (I can't be too specific - but she's not writing entertainment software). She thought this was all very silly.
Now, slashdotters, what can I say to my friend - what can I say that is of real substance not just flaming? Can you give me literature references or URL's? Pertinent CERT advisories would be good.
BTW - here's a suggestion - while I leave Javascript turned off most of the time, I often find I have to turn it on to use some sites. It really gets me down that some sites don't even function if Javascript is not enabled.
But Junkbuster is a simple proxy that will filter out ads and stop cookies, but allow them in controlled ways. For example, I only allow cookies from Slashdot and my bank, so I don't have to have cookies from any other site and I don't have to keep turning cookies back on to read slashdot.
I think it would be a fairly simple matter to modify the Junkbuster source code to filter out SCRIPT tags for most sites except those that are on an approved list. The source code is GPL'ed so someone with the inclination could just get the source and do it. I'd do it myself but I'm real busy for the next little while.
I have some news for you buddy. Most mentally disturbed people don't need to be in hospitals and there's no room for them even if there they did.
First I'll quote a few statistics:
- One third of the people that are in hospitals in america today are in psychiatric hospitals (including the psych wards of regular hospitals).
- About one percent of the population is manic depressive
- About one percent is schizophrenic
- About thirty percent of the population will experience clinical depression at some point during their lives, and at any given time about five percent of the population is experiencing clinical depression.
Hospitalization is only appropriate for the very worst of times, when someone has just cracked up and needs to get diagnosed, or some life crisis has happened and they need a safe place to put things back together. Sometimes their medicine is not working and new stuff needs to be prescribed, and they need a place to go while it takes effect, which can take weeks.But you can't have a real life in a hospital. You can't go to college in a hospital, hold down a job, cook for yourself, do your laundry, drive a car or provide for your family while you're in the hospital.
What most mentally ill people need is to put their lives back together in the real world, and to do that, they need to be in the real world - living in regular housing, driving cars, going to school, holding down jobs.
You'd probably be pretty amazed if all the mentally ill people that you encountered in your daily existence came up to you and told you what their illness was. I'm very unusual for people who suffer from this in that I make it public - because I want to educate people like you to make it easier for others who have to go through what I went through.
If one percent of the population is manic depressive, chances are pretty good you know at least one, and maybe you know several - they're just not telling you, or they haven't been diagnosed yet.
It happens to me all the time in workplaces when I've confided to my coworkers, as, for example, at a small fruit company in cupertino california where I told a woman I was bipolar and she told me she was too.
I met a technician from the Jet Propulsion Laboratory when I was in the psych hospital near there, and he told me that he told a staff counselor at the lab that he felt bad that he took Thorazine at work. The counselor said, "Don't worry, lot's of people at JPL take thorazine."
What the mentally ill people need from people like you is not to be locked up, but to be treated with basic decent human respect.
I was responding to the "coder scorned" post and meant it to be a warning to everyone reading it to keep control of your internet assets.
You may regard my friend as an asshole - but he regards it as his business strategy, much to the dismay of his clients who do not make the effort to get informed about important things like who owns the domain name registration.
It seems that my friend often deals with clients who are not too savvy - so he often keeps the registration for the clients domain names under his own control.
He just directed his client's DNS (which was some major company) to a porn site.
It backfired on him though. A sheriff's deputy showed up at my friend's parent's house to serve a lawsuit process over this and I guess the parents (who are very elderly, conservative, and not hip to the ways of the web) were pretty astounded at the name of the porn site that was listed on the process.
This same fellow makes it a practice to always register domain names under his own name and never give them up until the money is settled. I know of a number of companies that are probably unaware that they don't have control over their own DNS and that he's keeping this card up his sleeve in case negotiations turn bad.
I haven't done it a whole lot, and I have to admit that sometimes the approaches I get frighten me or I am too busy with my own thing to deal with them. But whenever I have done so it has been extremely rewarding.
I also know from my own experiences with mental illness that one of the most miserable things about it is the reaction that strangers on the street have to you. Being disturbed makes you look and act different sometimes, and often people will avoid your glance, cross the street upon your approach, or lock their car doors when they see you standing at the street corner. You'd better believe that the affected person notices that even if they don't visibly react to it.
The first time I did this a man in Pasadena asked me for money for food. I bought him lunch, spent an hour with him and ended up giving him ten dollars. He was a very nice man and said he was a hardworking construction laborer but couldn't get work.
The second time I met a couple homeless people, a vietnam vet and a teenage girl on Pacific Avenue in Santa Cruz California. The girl was coming down from an acid trip and having a very bad time. We talked for quite a long time - the vet recounted the horrors he still sufferred from having killed a soldier with a bayonet in Laos. I bought the girl a slice of thick-crust pizza at Pizza My Heart. It comforted her greatly.
On another occassion I had noticed a schizophrenic woman around town, who hung out downtown a lot but never seemed to talk to anyone. I just walked up to her, asked her name, and we got to talking.
Allison was a very nice woman and interesting to talk to - but was having such a hard time with her hallucinations that she had to keep brushing them out of her face with her hands so she could see me. I bought her a coffee at the Santa Cruz Coffee Roasting Company. We just sat and talked. I imagine she was on government assistance and was neither homeless nor hungry, but probably (like I back in the dark days) welcomed someone to talk to who didn't react with revulsion.
That was years ago, and better medicines for treating schizoid symptoms have been developed (clozaphine, and the risperdal I take). I ran into Allison again not too long ago and she seemed like a pretty ordinary woman, and spoke of her husband and children. She didn't remember me from before.
My wife tells me about how a lot of people say panhandlers are just trying to rip you off, and I imagine some of them are - there are dishonest programmers too, aren't there, but we still associate with each other? She's very generous in giving money to those who ask for it because she knows that by doing so her conscience is clear. Maybe a few people will come by the money dishonesty, but far more people will be helped a little bit out of their misery.
Even if you feel you can't or won't give spare change to someone who asks, stop and chat with them. They may not admit to it but it's far more likely that they are hungering for genuine human contact more than food or money. I know I was.
I don't smoke. Never have.
I'd just stand where the wind blew the smoke away and we'd have a little chat. It was very helpful. Sometims we'd talk about programming issues or sometimes we'd talk about nothing at all.
Mike
I couldn't afford to not work for such long times so we bought an inverter at Canadian Tire and I plugged my laptop into the car cigarrette lighter.
And damned if I didn't get more work done on the road with my wife driving that at any other time.
I'm writing a cross-platform product right now and have a choice to program on a Mac desktop or my windows laptop (it also runs Slackware Linux and BeOS). Sometimes my wife borrows the laptop to browse the web and - zing! - I get a lot of work done.
The problem was that I'd leave elm open in a terminal window and a web page open on slashdot and hit reload whenever I was running a long compile or something.
So recently I made the choice to turn off my laptop when I've set into my work, or give it to my wife. It's greatly improved my productivity.
(I only paid for one computer on my cable modem, and haven't figured out IP Masquerading yet, so my mac can't hook to the internet. Modems are interchangeable but the DHCP for the cable modem is keyed off of your physical ethernet address so unless you cough up for the second connection or use masquerading you can't use a second machine).
I don't think she would have understood if I told her I'd been featured on Slashdot and had to take breaks from her to go post...
I did read through some of the comments here earlier this evening and I must say that this has been an excellent discussion. The sheer number of comments posted shows I must have struck a chord with the community - and my experience with other programmers shows that this is a common problem with others.
I'll post tomorrow what the folks on comp.lang.c++ and comp.sys.mac.programmer.misc had to say but they were in general along the same lines as what was posted here:
- Take a break
- Get a life
- Do something fun that doesn't involve computers
- Engage in vigorous physical exercise
- associate with the attractive sex
- Step back from low-level coding and do other software-oriented things like design, discussions with a coworker or documentation
There's some more, some of which I'll discuss in a moment.I did in particular step back to think about software from a different level than coding, but I didn't actually do design work. Instead, I just cracked open some good programming texts. If you haven't read much lately there's probably a lot of good stuff that will stimulate you and improve the effectiveness of your work - check the book reviews online at The Association of C and C++ Users (and consider joining it - I did, a couple months ago).
One thing I consider important in the reading I did was that I wasn't looking for solutions to the problem at hand. Rather, I was trying to get back to something I'd been missing for a long time and wanted to indulge in - the sheer joy of learning for its own sake.
It was the case that the books I was reading were pertinent to my work but I wasn't searching them for solutions. I was just reading and flipping through them as my curiousity led me. And when solutions to my problem would occur to me, I'd put them out of my mind until the time I'd decided ahead of time would be my time to resume work.
What actually got me going again was that I had such a flood of ideas and they had crystallized so clearly I was able to sit down and implement my solution in a day and it worked just fine - still does.
Something else that helped stimulate me was the website on Extreme Programming.
A lot of the approaches there really appeal to me. Particularly I like the ideas they have that could be generally expressed as "design by coding" and are mentioned I think by Stroustrup in the intro to More C++ Gems as "expressing designs in the code".
That is, rather than doing a bunch of up-front modeling using diagrams like OMT or UML or what have you, you just write code - but you are designing in the code, so they emphasize in extreme programming that you constantly rewrite the code as designs gel.
One thing that saddnes me though is that Extreme Programming also suggests programming in pairs. This is something I used to do with Dave Johnson when we were at Working Software together. We'd help each other through hard spots and just rap about politics and stuff and go have coffee or a beer and get a lot of work done.
Now I live at the End of the Internet and I'm working for myself as a one-man consultant shop. It has its advantages (I can work at home and set my own hours) but one big disadvantage is that I work very much alone and there's no one around to bounce ideas off of.
I have other programmer friends and I do call them up but they all have their own gigs - it's not the same.
On another important note, several people both here, privately via email and in the newsgroups raised the possibility of this being clinical depression.
Well that is something I was well aware of and had been considering. Depression is something I have been dealing with all my life, as you will see in another slashdot article I posted:
Manic Depressive Geeks
I didn't used to be (woefully so) but now I'm very introspective about my mental and emotional state. I have to be. I didn't used to be but now I just won't tolerate the depths of misery that I just thought were part of the normal human condition.
But I don't think that what was happening to me was the sort of depression that I usually consider. There are "endogenous" and "reactive" depressions. Endogenous depression just happens to you and is usually caused by chemical imbalances in the brain (shortages of serotonin or norepinephrine) and is what's usually experienced with Manic Depression, while reactive depression is (naturally) a reaction to external events, like a personal tragedy.
Life has been really hectic for me for a long time, with the turbulence of my consulting business, falling in love with a woman from another country, planning a wedding, moving to Canada, and just trying to keep it all together. Maybe if all that hadn't been going on, I wouldn't have gotten stuck. But basically, I just got stuck.
Robert Pirsig talks about stuckness and ways to overcome it extensively in Zen and the Art of Motorcycle Maintenance, which I recommend highly (and probably ought to reread). And I really was suffering the kind of stuckness he described, the stuckness that occurs when you just want to get your bike fixed and you break the head off a crucial screw...
(Robert Pirsig went nuts while a grad student in philosophy at the University of Chicago. He had shock treatment back when it wasn't very carefully administered and lost nearly all his memories. The book is about his motorcycle trip across to some of the places he used to live to visit old friends he hardly remembered, along with an amazingly enlightening discussion of what he'd been so obsessed about that it drove him crazy - what is Quality?)
Someone mentioned meditation in the discussion. I had found reading about Zen and doing meditation on my own was of profound help in overcoming my mental illness back in the really dark days. But as things got better and my career got in shape and I stopped seeking so much and concentrated on learning to program and making a place in the world for myself I drifted away from that, something that I think is really wrong.
During my time off my then-fiance lent me her copy of Chogram Trungpa's The Path is the Goal, A basic handbook of buddhist meditation. It is published by Shambhala Publications
I'm afraid I read a little bit of it then when my time off came to an end I set it aside and started thinking again.
One of the little traps our mind has for us is thinking. I like to think, and I'm particularly well-developed at it. But my wife tell me that we are not our thoughts, and actually our thoughts can lead us astray. And when I was getting so stuck on my programming problem I was thinking really hard and trying to solve my problem by thinking harder.
One thing you do in meditation is to stop thinking. Hardened programmers might find that a frightening concept. And you can't really try to stop thinking - you just sit, and look, but not too hard, and experience
You cannot experience your world as it really is and be thinking.
One thing that Pirsig discusses in his book is how to bring the wisdom attained at the rarified mountain peaks of meditation down to practical value in everyday experience. He uses fixing a motorcycle as an illustrative example but when I read the book I found that I was able to program better because I could "become one with the machine".
My wife doesn't really believe this is possible but I think it is, that one can meditate while carrying out an intellectual activity like computer programming. That's something that I seem to have lost long ago, that I had years ago when I was not nearly so knowledgeable but I did have the ability to really lose myself in the machine all day long without distraction - and without getting tired or worn out.
Don't forget:
There are numerous messages over on the chat board at the Gnutella website that indicates that others are having the same problem.
I always thought that something was likely to happen bad to gnutella, seeing how it loaded the network so heavily with only 3000 clients at a time - the most I ever saw was maybe 5000. Napster had a total of 23 million users (not all of whom were logged in at any given time).
Has the gnutellanet gotten broken into islands? Is there a failure in the protocol?
I don't believe there really could only be a few users because there is a message on the Gnutella site that says they had to install a new server and buy more bandwidth to handle all the hits and client downloads they are getting.
Maybe decentralized peer-to-peer isn't all that it's cracked up to be - or at least the kinks aren't worked out of it yet.
Ah, I see this message posted on the development board:
Most encryption software is still too hard to use. This plays into the hands of those who would spy on us because they don't even have to try hard.
PGP is more approachable now on Windows than it was back in the command-line-only days, but it is also a huge program.
What we need is for everyone to be using encryption all the time. Encryption should just be the standard, not the exception.
My client asked me to email her my source code, and I made her download PGP and send me a public key. It took some persuading to get her to do it. But I don't have the sense that she's going to be continuing to use it, I think that she only did it to humor me.
I encrypt every thing of value on my laptop with PGPDisk under windows and the Linux encrypting kernel under Linux - so if my laptop gets stolen the theives get nothing of value to them and my client's trade secrets are not revealed.
A friend's office was once broken into and all of his computers were stolen. They got all of his source code, his customer sales database, and all of his sales and support correspondence.
Are you protected against such an event?
I posted a lengthier discussion of this before with a link to the above page but it has fallen off my user info - it wasn't too long ago, maybe someone can find it in the archives and post a link to the archived slashdot discussion in a reply.
What this would be is a program functionally similar to the many cookie manager programs that already exist - you could designate certain sites that you want to keep the cookies for, for example your bank and your slashdot login.
But any site not on the approved list, when you run the cookie mixer, well that site's entries from your cookie file would be uploaded to a server somewhere, and it would be physically replaced in the cookie file with a new cookie that would be received from the central server.
If it were possible to write to the cookie file while the browser is running (that is, it's not kept open or locked the whole time) then the results of saving cookies on mixer member's machines would be essentially random.
The whole point of saving cookies for the marketers purpose is to track your habits, and this would particularly screw them up. There are legitimate uses for cookies - creating a continuous "session" of browsing so you can be logged in as for non-anonymous slashdot posting or using a shopping cart and it would be easy to make exceptions for this.
I don't think it would even be very hard to write this.
The basic thesis of the cluetrain manifesto is that carefully controlled corporate communications are basically hopeless in the age of the internet, because information is readily available to anyone and anyone can publish it.
For an example of this, see my own cluetraining on the subject of high-tech headhunters at GoingWare's Policy on Recruiters and Headhunters.
Another (old) example is an ironically named one about why I chose not to develop macintosh software anymore after being dicked around too many times by Apple Computer:
I'm worried about my future. That's why I'm a Be developer.
(For those of you who don't know, Be's history has been to screw its developers even harder than Apple.)
Vast numbers of people have their own web pages where they speak out about companies and business practices that they don't like. Do you have any examples? (let's not forget Mr. Sorehands).
Version 2 was expected sometime soon so imagine how perplexed us tech support engineers were when the customers started calling us and asking us about the upcoming version 3.5.
We told the customers there must be some mistake because we were only just about to release version 2.
The calls got so frequent that finally we asked a customer where they'd heard about this 3.5 (not sure if that was the exact number but that's approximately correct). He'd seen it in our full-page magazine ad in a major Unix magazine.
I asked our ad guy what that version number was. He told me that they'd decided to go with version 3.5 because the Santa Cruz Operation was on version 3.4.
Of course we were all pretty pissed off, not just that the company was being dishonest but that they didn't tell the people who took the phone calls - those of us on tech support - and the customers must have thought it was hilarious when the ads kept appearing even though they'd heard it straight from the company that they were misinformed!
And, BTW, look at the reason why Slackware jumped from version 4 to 7
Since most Unix machines will allow telnet access from any IP address, and many other machines allow FTP or other filesharing access from any address, then you are basically as secure as the weakest machine one of your friends or users happens to log into you from, which could be anywhere and is not under your control unless you make special effort.
The reason for this is that if a cracker (always use the correct terminology...) should break into some less-secure machine than yours, he could install a network sniffer or keystroke recorder on it that captures your buddy's password the next time he logs into your supposedly secure machine from the compromised one.
Poof goes your carefully secured fortress. He doesn't have to use any careful exploit at all to crack your machine. He just logs in using your buddy's username and password.
Better hope you're machine is tightened down against root cracks, and you better hope your buddy wasn't logging in using the root password.
One thing for sure - don't every log into anywhere as root, or do an su, if your telnetted via an intermediate machine, as there could be a sniffer or recorder running on that machine.
This exploit may be even easier than you think - one of the original versions of telnet could be compiled with a debugging flag that, if set to true, would dribble all the keystrokes out to a file. All the hacker had to do would be to gain write access to the telnet executable file and set the value of the global debugging flag from 0 to 1 and he'd get everyone's keystrokes that ever used telnet.
Me? I don't ever use telnet. I use ssh (secure shell). The only external site I ever log into is my web hosting service. I think a minimum requirement of a web hosting service these days is that they provide secure shell access to their customers - mine does, it is Seagull Networks. Does anyone know any others?
Also don't transfer files with FTP - passwords are provided in the clear and crackers can copy your files with sniffers. Use scp (secure copy) instead.
While my complaints about A/UX fell on deaf ears in the A/UX team, the people who maintained the Unix machines for Apple employees to use (yes, some Apple employees do use Unix, they even used to have a Cray running Unicos) invited me to play capture /flag.
In the root directory of some of the multiuser machines was a file named flag that was not writeable. The objective was to write into it and then tell the admins how you did it.
When I started the current contents was "such and such a department rules". I guess I would have written "Mike was here" or something.
While I was able to crack A/UX 2.0 every which way, I never could capture /flag.
My understanding is the security holes got fixed in A/UX 3.0. It's a dead product now.
The way I found the security holes was to start methodically working through the CERT advisories and checking which ones A/UX was not compliant with. When I'd find one and they'd refuse to fix it, I'd file a bug report and send some emails around with explicit details of how you can break root because they weren't listening to CERT.
If you administrate a computer on a network, you should go through the CERT advisories yourself and tighten up your system.
I was quite fascinated by it. It had a really mysterious, ethereal sound.
Please read my page Why You Should Use Encryption.
If you get your mail from and put web pages on a hosting service, then at a minimum you should use one that provides secure shell (ssh) and secure copy (scp) access. One such hosting service that does is Seagull Networks. Does anyone know any others?
When you retrieve your email via POP or load a web page via FTP your password is being transmitted in the clear. You have no control over which routers and cables it passes through in the process, so you have no way of knowing if someone's running a sniffer on a compromised host. Usually you have no knowledge even of the route, unless you go to the trouble to run traceroute regularly.
You can download your email via an encrypted channel with ssh port forwarding if your mail host provides ssh. The instructions given are oriented to the BeOS but apply in general to any OS for which an SSH client exists.
If you run a website that uses passwords please consider allowing the users to enter their passwords via SSL (https).
If you use websites that require passwords, please use a different password for each site. At the very least, use a unique password for your important sites, like your email, web pages and financial sites. If you keep the passwords in a file (which you may have to do because there are so many sites that take passwords), encrypt the file.
Be aware that most sites that have passwords do not encrypt them, otherwise they wouldn't be able to send you your password reminder in clear text. I've even used sites that mailed out password reminders in the clear every couple months just to prompt me to use the service. Note that anyone at the site who has root access, anyone who compromises the site or anyone running a sniffer on or near the site will be able to catch your passwords.
Also I think it is very likely that many websites are provided for no other purpose than to collect passwords for later use by crackers - beware of that free trial and use a unique password if you must accept the offer!
Use the anonymizer or, if you have Windows 95 or 98, Freedom to protect your privacy while you web surf.
Finally, do you use a laptop computer? Do you have files on it that you don't wish to share with the random stranger who might steal it someday? How about your competitors? A thief won't likely be in the direct employ of your competitors but they may recognize the value of the information and sell it to them, or even post it on the net for fun.
And remember in this information age the information on our computers is more valuable than the hardware itself, and unlike car stereos can continue providing value to a thief because, once it is fenced, it is still available to be fenced again.
Depending on your OS, you should use PGPDisk or the Linux encrypting kernel on your laptop.
Consider encrypting important information on your desktop too. A friend of mine who is a software developer lost every machine in his company in a robbery - source code, strategic plans, and the customer database.
I know of two cases where laptops were stolen from intelligence agents, once during the Gulf war, and once from an MI5 agent while he'd set it between his legs at a train station. Good thing they used encryption!
Finally, read the Forum on Risks to the Public in Computers and Related Systems available on the Usenet News as comp.risks and on the web at http://catless.ncl.ac.uk/Risks