While the Linux kernel is distributed under the GPL, many programs traditionally provided on Linux distros are not, for example the Apache webserver has a license which permits closed-source versions of it to be sold - and I recall someone was selling a closed-source apache with SSL with the public-key code licensed from RSA, for example.
Thus see my other comment in this discussion, That's why it's important to choose GPL and I think that it's particularly important that every function of any significance that's used on Linux should ultimately get written by someone under a GPL license.
It's really not enough to just use open-source software if the license allows the source to be closed, if your aim is World Domination. Many of those who participate in Open Source, as distinct from Free Software, do so for their mutual benefit as closed-source commercial proprietary developers.
I would rather drink twelve jars of herpes-ridden ejaculate than eat a sandwich with even a smear of mayonnaise. Mayonnaise is evil. Mayonnaise killed my cat.
I first came across them when doing a web search for the Journal of the American Medical Association - usually abbreviated JAMA - and found the Japanese Anti-Mayonnaise Association. Couldn't find them just now, let's try again.
As for me, I prefer mustard (hot or dijon is best) but my wife likes mayo. I was never too fond of mayo but I really started to avoid it when I found it was made out of raw eggs.
There are no significant bugs in our released software that any significant number of users want fixed... The reason we come up with new versions is not to fix bugs. It's absolutely not. It's the stupidest reason to buy a new version I ever heard... And so, in no sense, is stability a reason to move to a new version. It's never a reason.
In the world I came from pursuits like software development were supposed to be clean and pure things, exercises to stimulate and enrich the mind and advance the cause of reason
and promote the betterment of human existence.
Instead the industry which appears to be the main driving force behind the tremendous recent growth of the world economy, especially the US economy, is in my opinion a cancer that
is desperately in need of the surgeon's knife.
The Cross-Platform Manifesto was really an early attempt at collecting some thoughts on the subject of how we could use cross-platform application frameworks to promote a better software industry and make life better for developers and end users. My much briefer and I think better stated discussion of this is found on the ZooLib at Freeing the Developer from OS Vendor Shackles.
Cell phones are surprisingly popular in the third world, because you can get a telephone without anyone having to string a wire to everyone's house.
In many third-world nations, the fraction of the population that have cell phones out of all phone owners is higher than in industrialized nations for this very reason.
One problem is that a lot, probably most of what one would want to do with the wireless internet is to use the Wireless Application Protocol on something like a web-enabled cell phone.
However, the WAP Usability Report which you can purchase for download from useit.com (which is an excellent site for learning how to write good websites) says that people just don't like WAP.
From the report summary:
When users were asked whether they were likely to use a WAP phone within one year, a resounding 70% answered no. WAP is not ready for prime time yet, nor do users expect it to
be usable any time soon. Remember, this finding comes after respondents had used WAP services for a week, so their conclusions are significantly more valid than answers from
focus group participants who are simply asked to speculate about whether they would like WAP. We surveyed people who had suffered through the painful experience of using WAP,
and they definitely didn't like it.
The other thing folks might want to do with wireless is get on the net from a laptop while they're out and about, but I don't think that's as big a potential business as it might sound. It's hard to use a laptop standing up and you can't really carry one with you all the time like you can a cell phone.
In the case of my keystroke recorder Last Resort it was an operating system patch that ran as a bit of boot-time software that loaded some code into memory, patched an OS trap and then exited with the patch still resident.
With NT, you can hit ctrl-alt-delete and look at the processes. With *nix, you can do "ps".
But really you need a list of all the drivers that are active on the system, and on a modern OS there will be lots of them.
This is particularly pertinent to something like Linux because anything that's installed as a driver runs in the kernel and can basically do anything it wants. Are there even any user id boundaries for a driver, or does a driver effectively have root privileges?
Really what you'd have to do is make a list of what is there when you get the system configured the way you like and then monitor for changes to this list.
BTW - a common security hole in a lot of Linux installations is that you should have all the kernel source owned by root and do the compile while logged in as root (don't run X as root - su in a shell window). That way no one can tamper with your modules.
If you build your modules as an ordinary user and install them, there's more of a possibility someone could overwrite them with a crack.
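Added example (not part of the original comment): a sketch of the "make a list, then monitor for changes" idea for loaded kernel modules, plus a check that module files are owned by the expected user and not writable by anyone else. The sample module lists are constructed for illustration, `kbdtap` is a made-up module name, and the function names are this example's own.

```python
import os
import stat
import tempfile

# Constructed sample data in /proc/modules format:
#   name size refcount dependents state address
BASELINE = """\
ext4 741376 1 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
e1000 147456 0 - Live 0x0000000000000000
"""

CURRENT = """\
ext4 741376 1 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
e1000 151552 0 - Live 0x0000000000000000
kbdtap 12288 0 - Live 0x0000000000000000
"""


def parse_proc_modules(text):
    """Return {module_name: size_in_bytes} from /proc/modules-style text."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank or malformed lines instead of crashing the monitor.
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        modules[fields[0]] = int(fields[1])
    return modules


def diff_modules(baseline, current):
    """Compare two parsed module lists.

    A size change is only a weak hint that a module was rebuilt or
    replaced, but it is cheap to check alongside additions and removals.
    """
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "resized": sorted(n for n in common if baseline[n] != current[n]),
    }


def tamperable_files(root, owner_uid=0):
    """List regular files under root that someone other than owner_uid
    could overwrite: wrong owner, or group/world write permission."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_uid != owner_uid:
                reasons.append("owner uid %d" % st.st_uid)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world writable")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def demo_permissions():
    """Build a throwaway tree with one safe and one writable file and
    check it against the current user, so the demo runs without root."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("good.ko", 0o644), ("bad.ko", 0o666)):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real module")
            os.chmod(path, mode)  # set explicitly, independent of umask
        return tamperable_files(root, owner_uid=os.geteuid())


if __name__ == "__main__":
    report = diff_modules(parse_proc_modules(BASELINE),
                          parse_proc_modules(CURRENT))
    for kind in ("added", "removed", "resized"):
        for name in report[kind]:
            print("%-8s %s" % (kind, name))
    for path, reasons in demo_permissions():
        print("tamperable %s: %s" % (path, ", ".join(reasons)))
```

On a live system the current list would come from reading `/proc/modules`, and `tamperable_files` would be pointed at the module directory under `/lib/modules` with the default `owner_uid=0`.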
Get some cash together and drive to a distant city and buy a laptop right off the store shelves. There won't be a chance for anyone to plant a bug in it.
Wipe the hard drive and install Linux on it. Install the Linux encrypting kernel and keep all your real files on an encrypted volume.
Install Tripwire on the machine - it verifies the integrity of important files to be sure they aren't patched.
Learn how to administrate your machine effectively. Always log in as a non-privileged user and never become root unless you really need to.
Learn about security and tighten down your machine. If you care about security on your laptop you're not going to be running a webserver but I bet a lot of you are running both Apache and SAMBA on a standalone user machine without even knowing it. The more services that are disabled the less anyone can screw with it, even on a non-networked machine.
Don't ever let the machine leave your sight. If you have to put it away, lock it in a safe. Do something to the safe that will enable you to tell if someone's blackbagged you - something like the trick of wedging a matchstick in your door when you leave, but something more concealed. If you find the matchstick on the ground when you return, someone's opened your door.
The VAX/VMS screen editor (what was it called?) would save a journal file that was a literal transcription of all your keystrokes, and a copy of the original file.
If the machine went down or you got disconnected without saving, you could replay the journal file to recover your edits.
The cool thing was that this worked by literally replaying your keystrokes back into the editor, so you got to see your edit session happen over again at high speed.
So I quickly found I could make zippy little ASCII animations by laboriously editing out frame after frame of the pictures in an animation and then turning the terminal off when I was done. Turn the terminal on, log in, and replay the journal! Better than animated GIFs! Kids these days...
Much to the chagrin of many people who thought they had kept something a secret, Microsoft Word does this too, with its "Fast Save" - it just saves deltas of each edit, rather than the whole file each time you save. It just does the replay in memory when it opens the file, but it is possible to see the changes, not just with a low-level editor but with Word itself. From The Forum on Risks to the Public in Computers and Related Systems:
I recently received a legal document as part of a personal negotiation that
I am doing. The document was e-mailed to me in MSWord format. As I was
showing it to my lawyer (who happens to be my wife), we decided to put our
thoughts inline using the track changes feature of word. After selecting
Tools, and Track Changes, we clicked on "Highlight changes in document" and
voila, suddenly a whole bunch of red appeared on the screen. We looked at it
closely and realized that everything in red represented changes in the
document that my counterpart's lawyer had written. We got a good look at the
previous version of the contract, as well as a bunch of comments and
justifications that the lawyer wrote to his client. It was an eye opening
experience.
It appears that instead of selecting "Accept all changes" before sending it
to me, the other party to the contract simply turned off the highlighting to
the track changes feature.
This is obviously a case of an unsophisticated person misusing a feature.
However, it is very dangerous. Lawyers send word documents around all the
time, and many of them do not really understand all the features that they
use, nor should they have to. I imagine that I was not the first person to
see some behind the scenes conversation in an important word document, that
I was never intended to see.
When I was an OS engineer ("debug meister") at Apple (see my resume) I widely advocated that ALL of Apple's engineering staff spend about a week a year doing end-user tech support.
In general, this wasn't received with enthusiasm;-> but you'd be surprised how much support it got.
The particular thing that drove me to advocate this was that when I was Product Development Manager at Working Software, it was such a small company that at times we had no dedicated tech support, so I fielded anything that couldn't be handled by the nontechnical clerical staff, or when we were doing enough business to hire a support tech, we were also moving enough products I had to back her up because of the increased call volume.
The result was that I got immediate feedback on product quality and usability problems. If I shipped a product with a serious bug or that had some weird UI that the users didn't understand, about 200 people would call me up and let me know personally that I screwed up.
This did a lot for product quality, and although it was difficult to bear at times, I found it very rewarding that many customers would say "You're Michael Crawford? The guy in the about box?" and I'd say "Yeah." and they'd get all amazed.
Sometimes for kicks I'd have a user open the about box and say, "You see the guy's name there? That's me."
But when I was at Apple, I was one of perhaps 500 engineers involved in system software, and there were thousands of engineers, and our closest customer service was in a different city, and most of it was in Texas (Apple is headquartered in Cupertino, California).
The closest that we came to contact with a real user was the occasional contact with a third party developer we had, but even that was usually handled by developer tech support.
Now I'm sure Apple felt they didn't want their expensive engineers devoting their time to customers' problems - they have much cheaper staff for that, and probably better trained too. But what few people seemed to realize, until they heard my arguments on this point, was that Apple's OS Engineering staff, the whole engineering staff, needed this contact with the end user in order to be able to do their jobs well.
That's one of the reasons small companies are often able to come in and steal the market away from larger, well-established companies with deep pockets - a real awareness of user needs and user reactions to the product. (Also smaller companies have the ability to adapt more quickly to changing market conditions)
My first job after high school was a minimum wage job pumping gas at a full service Shell gas station and car wash.
Average employee turnover was about a week. I stayed for six weeks, so it didn't take long to get seniority.
My manager said "Anybody gives you any trouble, you send them to me." so that's what I did.
And what would he do? He shook his fist at them and told them to get the fuck off his gas station or he'd pummel them.
Took care of irate customers pretty quick. We were grossing $20,000 per day, so losing a $10/day customer wasn't a big deal compared to losing a trained - and, more important - competent employee who'd already lasted longer than a week.
Now that's morale boosting!
And I didn't quit because of the low pay or working conditions or anything. I told the manager I had to leave to study astronomy at CalTech. He suggested he put me back on swing shift and I could bring my telescope to the gas lot (which was in the middle of the city!)
I explained this wasn't really how one did professional astronomy these days... at CalTech I ended up getting to observe with the 60" and 200" telescopes at Palomar Mountain.
There's a better life after tech support. Let me tell you about my experience.
When I interviewed for a programmer position at Microport Systems (then the vendor of SystemV/AT, Unix for the 286), I was asked by company president Chuck Hickey what was the best way to implement strcpy.
Well, even though I had been a manager (really a team leader) of a bunch of student programmers who wrote a Common LISP interpreter on the 8086 running DOS, it had been a few months and, well, I forgot.
Ol Chuck said "this is the kind of question that separates the men from the boys" and then he let me know I wasn't one of the men.
So I got tech support.
At least it was unix system administration tech support, and I got to learn a lot of stuff while I was there, and the engineers were friendly and helpful.
But there was some crazy shit like advertising new version numbers to match The Santa Cruz Operation's Xenix version number so we could compete (shades of Slackware anyone?) and then not telling the techs, so we all told the customers for a while that it must be a printing error, there was no such version.
And then there was the full page ad that said we'd have Berkeley Job Control in some upcoming version, and the customers all started calling and saying "Control-Z doesn't work, where's the job control?" and I'd ask the engineers, and the engineers said we had no intention of ever getting job control. When I told this to our marketing guy, he just said "Oh, OK", and took it out of the future ads.
What really killed me was the guy who staked his whole company on the FORTRAN compiler in our product. We had one, but it was buggy. After he'd delivered product to customers, it turned out it wasn't working right. Engineering kept promising they'd build a new one from source. But they were busy and never got around to it. So finally this guy told me he didn't hold it against me personally, but he was going out of business because he'd chosen to use Microport for his solution.
Well, I quit and went back to school again. But I was never very happy with school and eventually I got a programming and sysadmin job, a pretty low-level one where I'd take a whole month to write a 300 line image processing program. But I struggled, and eventually I did better for myself.
If you're working on tech support there's a few things I want you to do:
While you're with the company, use every opportunity you can to learn new skills, knowledge of new technologies, applications and operating systems.
On nights and weekends, study programming languages, or at least study system and network administration.
If you're going to do tech support for a while, then job-hop. You'll pick up a wide variety of skills at your different employers, even if it all has to be tech support.
And most of all, don't stay in tech support. It's a miserable existence. But it can be a good start on a much better career.
Why the heck did someone just mod the above as offtopic?
It is very pertinent and was meant very seriously. If you own your own domain name you can recover in a couple of days from your provider going down.
All you do is get a different provider and change your DNS - and any provider will be happy to change the DNS for you.
If, however, you don't own the domain name that your email is delivered to, like, say, AltaVista.com, and it either goes out of business or decides the service doesn't suit its business model anymore, then you're fucked.
It ran in only 8 kb of memory and we specifically advertised that it would capture:
Text that was backspaced over
Text that was typed and then highlighted and deleted
Text that was typed and never saved
Text that was saved but lost due to file corruption or accidental file deletion
It would save everything, even your backspace characters. You could use those to help you reconstruct your file.
Last Resort Programmer's edition will save menu key equivalents to aid testing and debugging and tech support. It helps you reconstruct the sequence of events before a crash.
And yes it would capture passwords but we had the option to pause it or disable it entirely.
I wrote the Mac version but it's available also for DOS and Windows (written by other guys).
Although we tried to make it very obvious when Last Resort was installed on a machine, we get occasional email from people asking how they can make it invisible. We don't tell them, but really if you want to make a hidden keystroke recorder it's pretty trivial.
Don't just worry about the FBI doing this to you - worry about your employer or loved ones. Not long after I shipped Last Resort, one of the editors of MacUser Magazine thanked me personally for it because he'd caught his girlfriend having an online affair - her hot and heavy emails were in his keystroke file.
He later wrote a novel that talked about a lot of software products with fictional names but that were obviously taken from real products. I'm proud to say that the faux-Last Resort saved the world in his novel.
Also I get occasional spam from companies selling keystroke recorders that aren't just invisible, but they encrypt the keystroke files and upload them to a location of your choice. They say this is meant for employee monitoring...
Such monitoring, by the way, has been held to be legal by the courts.
While I guess this goes to show that it's not unbreakable (do you keep your laptop in a safe at night?) I think in general it gives good motivation for why you should read my page:
In the article, I try to discuss in as approachable and as convincing a way as I can why everyone, even your mom, even your kids should use cryptography.
I use Yahoo mail in my example but I think this proves my point.
Each individual email recipient on earth should have their own domain name.
That way, if your provider goes down - whether it's a web-based service like Yahoo or AltaVista, or an ISP service, or if you just move geographically and don't want to keep paying for connectivity you don't use anymore, it just takes a couple days for changes to your DNS to take effect and you're back up.
I got my own domain name after my ISP was down for a week. And they've been bought out so many times it's amazing they still serve the old domain anymore.
The big pain for me now is going to be moving all the web pages that are hosted at my old ISP. Some of them are important ones that people have linked to from other sites. If I'd owned my own domain in the first place, there'd be no problem. Instead I'll put placeholders with META REFRESH tags in them to point at all the pages on the new sites and keep paying their bill another year or so.
It's in a place called Owl's Head, near Rockland in mid-coast Maine.
Rockland is the site of the Maine Lobster Festival and the Farnsworth Museum, where much of the Wyeth family's paintings are kept. I think it's a pretty cool place. Owl's Head is pretty sparsely populated.
We had the house pretty thoroughly inspected. Some things were fixed up by the previous owners. It is indeed on a septic system.
The authors of the Carnivore meta-comments read like a veritable who's who among esteemed experts in computer security, reliability and public policy:
Steven Bellovin, AT&T
Matt Blaze, AT&T
David Farber U of Pennsylvania
Peter Neumann, SRI International
Eugene Spafford, Purdue University CERIAS
Wasn't it Matt Blaze who cracked the Law Enforcement Access Field (LEAF) in that government approved crypto standard they were trying to ram down our throat in the mid-80's?
And Peter Neumann I know very well in an online way, as he is the moderator of the Forum on Risks to the Public in Computers and Related Systems which discusses all kinds of topics in software reliability and security, and provides an ongoing archive of known software bugs.
It is also available on the Usenet News as comp.risks and I consider it required reading for anyone wishing to take themselves seriously as a programmer.
This means you.
Neumann also wrote the book Computer Related Risks which draws on material from the forum but discusses it in more depth.
He is also a frequent consultant to the government and military on computer reliability, security and computer policy as you can see from Neumann's home page.
He writes great puns too, which are often found added to Risks submissions.
I've worked at A Big Fruit Company during layoffs and saw that there were lots of approved, open reqs for staff going around, and although hiring may have slowed during the layoffs it definitely didn't stop.
That is among the reasons (the other being my wedding last summer to a Newfoundland woman) that I moved my consulting business to St. John's, Newfoundland and then bought a house in mid-coast Maine, near Rockland.
In Santa Cruz, California I was paying $1275 a month to rent a two bedroom half of a duplex. In St. John's, I rented a three bedroom two-story house for $500, and in Maine I'll be owning a four-bedroom home for a house payment of $799 - with an oversized two-car garage.
I'm sure it's self evident that people with sensitive business data should use encryption - or is it? How many businesspeople do you know who carry out complex business negotiations via email?
One client wanted me to deliver them the source code to their product via the Internet. I refused to deliver until they got PGP.
The point of the above page is that everyone should be using encryption - even for casual stuff, as the sudden presence of an occasional encrypted document suggests you're up to something, an example of traffic analysis - if you can't decrypt the messages, watch where the messages are going.
Even people who really should know better may not keep their computer secure. CIA Director John Deutch was caught browsing porn sites from a home computer that contained classified data. There are numerous well-documented security holes in web browsers by which a rogue website can read documents off your hard disk.
Let's hope he didn't have any encrypted filesystems mounted when he was gazing at those titties.
I happen to remember specifically that the venerable phone phreak Captain Crunch made history when he placed his first Voice over IP Call using Speak Freely.
And I recall that he placed this call from inside of India, I think to the U.S. (although I'm less sure of the destination).
This works because you can configure Speak Freely's UDP port, so it gets through VoIP-blocking firewall software.
That indeed is a problem, but I don't think an insurmountable one.
While the strictly correct file format would require 1-second blocks (I wasn't aware of that, thanks), the basic principles of psychoacoustic audio compression should still work fine if the blocks are made shorter. Perhaps it might not be as efficient.
I sent email a couple of hours ago to the Ogg Vorbis folks about this, suggesting they look into it. I'm curious what they say; I'd be astounded if no one has considered it before.
Ogg Vorbis is a patent-free open specification and open source audio compression format meant to replace MP3.
You might think that's because he's the creator of C++ after all, but I doubt it - Bjarne has used languages you've likely never heard of, and he understands the strengths and weaknesses of each.
Stroustrup finds much of Java advertising insulting and offensive to other programmers. I do too.
Java, as a language, has some merits. But what I'd like to see is an ISO standard that is not controlled by Sun (note that although Stroustrup participated in the ISO standardization process for C++, AT&T certainly didn't try to control the process as Sun insists on doing with Java), and I'd also like to see one able to compile Java programs to native executable code so they can run directly without a VM; this is possible with gcc but I believe it's not yet ready for production use.
I certainly won't believe that Java is even valid as a language unless multiple independently written implementations can all pass compliance test suites; most of the Java VM's out there don't count because they're just ports of Sun's VM. That's one reason I'd like to see Kaffe succeed.
Meanwhile, for an alternative to Java - writing a single set of C++ sources and compiling to native executable binaries on Mac OS, Windows, BeOS and POSIX platforms with XWindows (such as Linux) see the ZooLib cross-platform application framework.
Michael D. Crawford
GoingWare Inc
You should only choose another license if you specifically intend to allow anyone to make closed-source, commercial use of your code.
That's why it's pointed out in an earlier comment that Microsoft wouldn't base an offering on Linux, but on BSD - as Apple is doing, with Mac OS X.
The Free Software Foundation recommends against the general use of the LGPL - formerly called the GNU Library Public License but now called the lesser public license.
Generally, you'd only want to use the LGPL if there is already an existing high-quality library that is available in closed-source form and you want yours to be adopted by people who want to keep the source to their applications closed. This was done, for example, with glibc, to make a replacement for the proprietary libc popular.
But if you're writing a totally new library, or if you feel that your library is a significant improvement on an existing closed-source library, using the GPL rather than the LGPL will draw new free software into the world, and although it won't prevent people from selling your work, it will prevent them from holding the source closed.
Licenses that would be inappropriate for competing with Microsoft would be the BSD License or the MIT License, the Apache License or the Mozilla Public License.
That's why, despite Mozilla, we still need a good browser that is GPL'ed.
For lists of a lot of licenses, see the opensource.org approved licenses and GPL Compatible Licenses - these last basically can be combined in software with GPL'ed code. Also note Licenses that are incompatible with the GPL.
Upon further examination, I see that if you are not going to use the GPL, you should at least use a license that would allow your code to be used in the same project with GPL'ed code. This is the case with the revised BSD license (without the advertising clause) and the MIT license but not the Mozilla license, or, significantly, the Python license - in some cases the incompatibility is not caused by restrictions by what you can do with the code but in the case of Python it's because the license is governed by the laws of the state of Virginia in the U.S.A.
Sometimes people do specifically choose to use things like the MIT License because they intend for it to be used for commercial use. My friend Andy Green who wrote the ZooLib cross-platform application framework is an independent consultant, and he had it in mind to make things easier for other consultants and small commercial developers, as well as free software developers. It was a complex decision but the people with an interest in the code ultimately agreed on the MIT license.
On the one hand, this allows people like Microsoft to write cross-platform closed-source products that would compete with free software - so MS could port their products to ZooLib and have source compatibility with Linux, Windows and Mac (and BeOS too), and this source would be closed, which could be a problem.
On the other hand, the ready availability of an open source but commercially-compatible crossplatform library gives power to the third-party developer at the expense of all OS vendors whether closed or open source, which I feel is arguably a good thing.
So it is a complex decision, really. But I think that, when in doubt, use the GPL. If you hold the copyright yourself, you can always supply a separately licensed version to people who pay you for it. For example, while the CygWin library (a POSIX API for Windows, part of a GNU programming environment that is largely source-code compatible with Linux) is under the GPL, you can purchase a proprietary license for it from Redhat which is actually pretty expensive from the terms they used to have on their page.
Michael D. Crawford
GoingWare Inc
Ah, here we go, it's in Japanese:
Japanese Anti-Mayonnaise Association
As for me, I prefer mustard (hot or dijon is best) but my wife likes mayo. I was never too fond of mayo but I really started to avoid it when I found it was made out of raw eggs.
Michael D. Crawford
GoingWare Inc
The Forum on Risks to the Public in Computers and Related Systems
While certainly all us programmers should be reading it, much of the material is accessible to anyone who knows how to use a computer, and so really should be read by anyone who uses computers for anything of importance or makes policy decisions that involve computers.
While the complexity of today's software systems make it unlikely that we'll ever have truly bug-free software, the situation can be a lot better than it is today. One thing that's needed is for the public to wake up and demand that software companies take responsibility for their products, and to understand that they're being ripped off.
Someone who's working towards that end is Mark Minasi, the author of the book The Software Conspiracy:
Also see my own essay The Cross-Platform Manifesto: The Cross-Platform Manifesto was really an early attempt at collecting some thoughts on the subject of how we could use cross-platform application frameworks to promote a better software industry and make life better for developers and end users. My much briefer and I think better stated discussion of this is found on the ZooLib at Freeing the Developer from OS Vendor Shackles.
Michael D. Crawford
GoingWare Inc
In many third-world nations, the fraction of the population that have cell phones out of all phone owners is higher than in industrialized nations for this very reason.
Michael D. Crawford
GoingWare Inc
However, the WAP Usability Report which you can purchase for download from useit.com (which is an excellent site for learning how to write good websites) says that people just don't like WAP.
From the report summary:
The other thing folks might want to do with wireless is get on the net from a laptop while they're out and about, but I don't think that's as big a potential business as it might sound. It's hard to use a laptop standing up and you can't really carry one with you all the time like you can a cell phone.
Michael D. Crawford
GoingWare Inc
With NT, you can hit ctrl-alt-delete and look at the processes. With *nix, you can do "ps".
But really you need a list of all the drivers that are active on the system, and on a modern OS there will be lots of them.
This is particularly pertinent to something like Linux because anything that's installed as a driver runs in the kernel and can basically do anything it wants. Are there even any user id boundaries for a driver, or does a driver effectively have root privileges?
Really what you'd have to do is make a list of what is there when you get the system configured the way you like and then monitor for changes to this list.
BTW - a common security hole in a lot of Linux installations is that you should have all the kernel source owned by root and do the compile while logged in as root (don't run X as root - su in a shell window). That way no one can tamper with your modules.
If you build your modules as an ordinary user and install them, there's more of a possibility someone could overwrite them with a crack.
Michael D. Crawford
GoingWare Inc
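The baseline-and-monitor idea from the comment above, together with its point about module files that a non-root user could overwrite, as an added example that is not part of the original post. The sample `/proc/modules` lines are constructed, and the function names and the module name `examplemod` are hypothetical.

```python
"""Baseline loaded kernel modules and flag module files a non-root user could overwrite."""
import os
import stat

# Constructed samples in /proc/modules format:
#   name size refcount dependencies state address [taint-flags]
BASELINE_SAMPLE = """\
ext4 1118208 2 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
e1000e 315392 0 - Live 0x0000000000000000
"""
CURRENT_SAMPLE = """\
ext4 1118208 2 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
e1000e 319488 0 - Live 0x0000000000000000
examplemod 20480 0 - Live 0x0000000000000000 (OE)
"""


def parse_modules(text):
    """Return {module name: {"size": int, "taint": str}} from /proc/modules text."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        taint = fields[6].strip("()") if len(fields) > 6 else ""
        modules[fields[0]] = {"size": int(fields[1]), "taint": taint}
    return modules


def diff_modules(baseline, current):
    """Compare two parse_modules() results; every non-empty list needs an explanation."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    resized = sorted(name for name in set(baseline) & set(current)
                     if baseline[name]["size"] != current[name]["size"])
    return {"added": added, "removed": removed, "resized": resized}


def is_tamperable(st_uid, st_mode):
    """True if a module file is not owned by root or is group/world-writable."""
    return st_uid != 0 or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_module_files(root):
    """Walk a module tree (e.g. /lib/modules/<release>) and list tamperable files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Plain and compressed modules: foo.ko, foo.ko.xz, foo.ko.zst
            if not (name.endswith(".ko") or ".ko." in name):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if is_tamperable(st.st_uid, st.st_mode):
                findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    # On a live system, replace CURRENT_SAMPLE with open("/proc/modules").read()
    # and load the baseline from a file kept on read-only or offline media.
    report = diff_modules(parse_modules(BASELINE_SAMPLE), parse_modules(CURRENT_SAMPLE))
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

A kernel or driver update legitimately changes the list and the sizes, so the baseline has to be regenerated after each one.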
Research what laptop will run Linux real well.
Get some cash together and drive to a distant city and buy a laptop right off the store shelves. There won't be a chance for anyone to plant a bug in it.
Wipe the hard drive and install Linux on it. Install the Linux encrypting kernel and keep all your real files on an encrypted volume.
Install Tripwire on the machine - it verifies the integrity of important files to be sure they aren't patched.
Learn how to administrate your machine effectively. Always log in as a non-privileged user and never become root unless you really need to.
Learn about security and tighten down your machine. If you care about security on your laptop you're not going to be running a webserver but I bet a lot of you are running both Apache and SAMBA on a standalone user machine without even knowing it. The more services that are disabled the less anyone can screw with it, even on a non-networked machine.
Don't ever let the machine leave your sight. If you have to put it away, lock it in a safe. Do something to the safe that will enable you to tell if someone's blackbagged you - something like the trick of wedging a matchstick in your door when you leave, but something more concealed. If you find the matchstick on the ground when you return, someone's opened your door.
Best of all don't use a computer for anything of real importance. You can find out why you shouldn't by reading The Forum on Risks to the Public in Computers and Related Systems for a while.
Michael D. Crawford
GoingWare Inc
If the machine went down or you got disconnected without saving, you could replay the journal file to recover your edits.
The cool thing was that this worked by literally replaying your keystrokes back into the editor, so you got to see your edit session happen over again at high speed.
So I quickly found I could make zippy little ASCII animations by laboriously editing out frame after frame of the pictures in an animation and then turning the terminal off when I was done. Turn the terminal on, log in, and replay the journal! Better than animated GIFs! Kids these days...
Much to the chagrin of many people who thought they had kept something a secret, Microsoft Word does this too, with its "Fast Save" - it just saves deltas of each edit, rather than the whole file each time you save. It just does the replay in memory when it opens the file, but it is possible to see the changes, not just with a low-level editor but with Word itself. From The Forum on Risks to the Public in Computers and Related Systems:
Michael D. Crawford
GoingWare Inc
In general, this wasn't received with enthusiasm ;-> but you'd be surprised how much support it got.
The particular thing that drove me to advocate this was that when I was Product Development Manager at Working Software, it was such a small company that at times we had no dedicated tech support, so I fielded anything that couldn't be handled by the nontechnical clerical staff, or when we were doing enough business to hire a support tech, we were also moving enough products I had to back her up because of the increased call volume.
The result was that I got immediate feedback on product quality and usability problems. If I shipped a product with a serious bug or that had some weird UI that the users didn't understand, about 200 people would call me up and let me know personally that I screwed up.
This did a lot for product quality, and although it was difficult to bear at times, I found it very rewarding that many customers would say "You're Michael Crawford? The guy in the about box?" and I'd say "Yeah." and they'd get all amazed.
Sometimes for kicks I'd have a user open the about box and say, "You see the guy's name there? That's me."
But when I was at Apple, I was one of perhaps 500 engineers involved in system software, and there were thousands of engineers, and our closest customer service was in a different city, and most of it was in Texas (Apple is headquartered in Cupertino, California).
The closest that we came to contact with a real user was the occasional contact with a third party developer we had, but even that was usually handled by developer tech support.
Now I'm sure Apple felt they didn't want their expensive engineers devoting their time to customers' problems - they have much cheaper staff for that, and probably better trained too. But what few people seemed to realize, until they heard my arguments on this point, was that Apple's OS Engineering staff, the whole engineering staff, needed this contact with the end user in order to be able to do their jobs well.
That's one of the reasons small companies are often able to come in and steal the market away from larger, well-established companies with deep pockets - a real awareness of user needs and user reactions to the product. (Also smaller companies have the ability to adapt more quickly to changing market conditions)
Michael D. Crawford
GoingWare Inc
My first job after high school was a minimum wage job pumping gas at a full service Shell gas station and car wash.
Average employee turnover was about a week. I stayed for six weeks, so it didn't take long to get seniority.
My manager said "Anybody gives you any trouble, you send them to me." so that's what I did.
And what would he do? He shook his fist at them and told them to get the fuck off his gas station or he'd pummel them.
Took care of irate customers pretty quick. We were grossing $20,000 per day, so losing a $10/day customer wasn't a big deal compared to losing a trained - and, more important - competent employee who'd already lasted longer than a week.
Now that's morale boosting!
And I didn't quit because of the low pay or working conditions or anything. I told the manager I had to leave to study astronomy at CalTech. He suggested he put me back on swing shift and I could bring my telescope to the gas lot (which was in the middle of the city!)
I explained this wasn't really how one did professional astronomy these days... at CalTech I ended up getting to observe with the 60" and 200" telescopes at Palomar Mountain.
Michael D. Crawford
GoingWare Inc
When I interviewed for a programmer position at Microport Systems (then the vendor of SystemV/AT, Unix for the 286), I was asked by company president Chuck Hickey what was the best way to implement strcpy.
Well, even though I had been a manager (really a team leader) of a bunch of student programmers who wrote a Common LISP interpreter on the 8086 running DOS, it had been a few months and, well, I forgot.
Ol' Chuck said "this is the kind of question that separates the men from the boys" and then he let me know I wasn't one of the men.
So I got tech support.
At least it was unix system administration tech support, and I got to learn a lot of stuff while I was there, and the engineers were friendly and helpful.
But there was some crazy shit like advertising new version numbers to match The Santa Cruz Operation's Xenix version number so we could compete (shades of Slackware anyone?) and then not telling the techs, so we all told the customers for a while that it must be a printing error, there was no such version.
And then there was the full page ad that said we'd have Berkeley Job Control in some upcoming version, and the customers all started calling and saying "Control-Z doesn't work, where's the job control?" and I'd ask the engineers, and the engineers said we had no intention of ever getting job control. When I told this to our marketing guy, he just said "Oh, OK", and took it out of the future ads.
What really killed me was the guy who staked his whole company on the FORTRAN compiler in our product. We had one, but it was buggy. After he'd delivered product to customers, it turned out it wasn't working right. Engineering kept promising they'd build a new one from source. But they were busy and never got around to it. So finally this guy told me he didn't hold it against me personally, but he was going out of business because he'd chosen to use Microport for his solution.
Well, I quit and went back to school again. But I was never very happy with school and eventually I got a programming and sysadmin job, a pretty low-level one where I'd take a whole month to write a 300 line image processing program. But I struggled, and eventually I did better for myself.
Now I have my own incorporated consulting business. Have a look at my resume too and scroll all the way down to where you see Microport and then look at all the stuff above it.
If you're working on tech support there's a few things I want you to do:
While you're with the company, use every opportunity you can to learn new skills, knowledge of new technologies, applications and operating systems.
On nights and weekends, study programming languages, or at least study system and network administration.
If you're going to do tech support for a while, then job-hop. You'll pick up a wide variety of skills at your different employers, even if it all has to be tech support.
And most of all, don't stay in tech support. It's a miserable existence. But it can be a good start on a much better career.
Michael D. Crawford
GoingWare Inc
It is very pertinent and was meant very seriously. If you own your own domain name you can recover in a couple of days from your provider going down.
All you do is get a different provider and change your DNS - and any provider will be happy to change the DNS for you.
If, however, you don't own the domain name that your email is delivered to, like, say, AltaVista.com, and it either goes out of business or decides the service doesn't suit its business model anymore, then you're fucked.
Michael D. Crawford
GoingWare Inc
It ran in only 8 kb of memory and we specifically advertised that it would capture:
- Text that was backspaced over
- Text that was typed and then highlighted and deleted
- Text that was typed and never saved
- Text that was saved but lost due to file corruption or accidental file deletion
It would save everything, even your backspace characters. You could use those to help you reconstruct your file. Last Resort Programmer's edition will save menu key equivalents to aid testing and debugging and tech support. It helps you reconstruct the sequence of events before a crash.
And yes it would capture passwords but we had the option to pause it or disable it entirely.
I wrote the Mac version but it's available also for DOS and Windows (written by other guys).
Although we tried to make it very obvious when Last Resort was installed on a machine, we get occasional email from people asking how they can make it invisible. We don't tell them, but really if you want to make a hidden keystroke recorder it's pretty trivial.
Don't just worry about the FBI doing this to you - worry about your employer or loved ones. Not long after I shipped Last Resort, one of the editors of MacUser Magazine thanked me personally for it because he'd caught his girlfriend having an online affair - her hot and heavy emails were in his keystroke file.
He later wrote a novel that talked about a lot of software products with fictional names but that were obviously taken from real products. I'm proud to say that the faux-Last Resort saved the world in his novel.
Also I get occasional spam from companies selling keystroke recorders that aren't just invisible, but they encrypt the keystroke files and upload them to a location of your choice. They say this is meant for employee monitoring...
Such monitoring, by the way, has been held to be legal by the courts.
Michael D. Crawford
GoingWare Inc
Why You Should Use Encryption
In the article, I try to discuss in as approachable and as convincing a way as I can why everyone, even your mom, even your kids should use cryptography.
Michael D. Crawford
GoingWare Inc
I use Yahoo mail in my example but I think this proves my point.
Each individual email recipient on earth should have their own domain name.
That way, if your provider goes down - whether it's a web-based service like Yahoo or AltaVista, or an ISP service, or if you just move geographically and don't want to keep paying for connectivity you don't use anymore, it just takes a couple days for changes to your DNS to take effect and you're back up.
I got my own domain name after my ISP was down for a week. And they've been bought out so many times it's amazing they still serve the old domain anymore.
The big pain for me now is going to be moving all the web pages that are hosted at my old ISP. Some of them are important ones that people have linked to from other sites. If I'd owned my own domain in the first place, there'd be no problem. Instead I'll put placeholders with META REFRESH tags in them to point at all the pages on the new sites and keep paying their bill another year or so.
Michael D. Crawford
GoingWare Inc
Rockland is the site of the Maine Lobster Festival and the Farnsworth Museum, where much of the Wyeth family's paintings are kept. I think it's a pretty cool place. Owl's Head is pretty sparsely populated.
We had the house pretty thoroughly inspected. Some things were fixed up by the previous owners. It is indeed on a septic system.
Michael D. Crawford
GoingWare Inc
- Steven Bellovin, AT&T
- Matt Blaze, AT&T
- David Farber, U of Pennsylvania
- Peter Neumann, SRI International
- Eugene Spafford, Purdue University CERIAS
Wasn't it Matt Blaze who cracked the Law Enforcement Access Field (LEAF) in that government approved crypto standard they were trying to ram down our throat in the mid-80's?
And Peter Neumann I know very well in an online way, as he is the moderator of the Forum on Risks to the Public in Computers and Related Systems which discusses all kinds of topics in software reliability and security, and provides an ongoing archive of known software bugs.
It is also available on the Usenet News as comp.risks and I consider it required reading for anyone wishing to take themselves seriously as a programmer.
This means you.
Neumann also wrote the book Computer Related Risks which draws on material from the forum but discusses it in more depth.
He is also a frequent consultant to the government and military on computer reliability, security and computer policy as you can see from Neumann's home page.
He writes great puns too, which are often found added to Risks submissions.
Now for my contribution - I'd like to suggest you read my page Why You Should Use Encryption.
This page discusses in a way that I hope is clear, approachable and compelling, why everyone - even your mom, even your kids, should use encryption.
Michael D. Crawford
GoingWare Inc
In Santa Cruz, California I was paying $1275 a month to rent a two bedroom half of a duplex. In St. John's, I rented a three bedroom two-story house for $500, and in Maine I'll be owning a four-bedroom home for a house payment of $799 - with an oversized two-car garage.
Michael D. Crawford
GoingWare Inc
I'm sure it's self evident that people with sensitive business data should use encryption - or is it? How many businesspeople do you know who carry out complex business negotiations via email?
One client wanted me to deliver them the source code to their product via the Internet. I refused to deliver until they got PGP.
The point of the above page is that everyone should be using encryption - even for casual stuff, as the sudden presence of an occasional encrypted document suggests you're up to something, an example of traffic analysis - if you can't decrypt the messages, watch where the messages are going.
Even people who really should know better may not keep their computer secure. CIA Director John Deutch was caught browsing porn sites from a home computer that contained classified data. There are numerous well-documented security holes in web browsers by which a rogue website can read documents off your hard disk.
Let's hope he didn't have any encrypted filesystems mounted when he was gazing at those titties.
Michael D. Crawford
GoingWare Inc
And I recall that he placed this call from inside of India, I think to the U.S. (although I'm less sure of the destination).
This works because you can configure Speak Freely's UDP port, so it gets through VoIP-blocking firewall software.
Michael D. Crawford
GoingWare Inc
While the strictly correct file format would require 1-second blocks (I wasn't aware of that, thanks), the basic principles of psychoacoustic audio compression should still work fine if the blocks are made shorter. Perhaps it might not be as efficient.
I sent email a couple of hours ago to the Ogg Vorbis folks about this, suggesting they look into it. I'm curious what they say; I'd be astounded if no one has considered it before.
Ogg Vorbis is a patent-free open specification and open source audio compression format meant to replace MP3.
Michael D. Crawford
GoingWare Inc
You might think that's because he's the creator of C++ after all, but I doubt it - Bjarne has used languages you've likely never heard of, and he understands the strengths and weaknesses of each.
Stroustrup finds much of Java advertising insulting and offensive to other programmers. I do too.
Java, as a language, has some merits. But what I'd like to see is an ISO standard that is not controlled by Sun (note that although Stroustrup participated in the ISO standardization process for C++, AT&T certainly didn't try to control the process as Sun insists on doing with Java), and I'd also like to see one able to compile Java programs to native executable code so they can run directly without a VM; this is possible with gcc but I believe it's not yet ready for production use.
I certainly won't believe that Java is even valid as a language unless multiple independently written implementations can all pass compliance test suites; most of the Java VM's out there don't count because they're just ports of Sun's VM. That's one reason I'd like to see Kaffe succeed.
Meanwhile, for an alternative to Java - writing a single set of C++ sources and compiling to native executable binaries on Mac OS, Windows, BeOS and POSIX platforms with XWindows (such as Linux) see the ZooLib cross-platform application framework.
Michael D. Crawford
GoingWare Inc