A big part of it is the "nobody is going to die if this isn't just right" mentality (except when they do) most developers take on. Even if the planning phase is done correctly, your average developer will take lightly any changes they feel need to be made to the design; when the whole thing comes crashing down, it's not like peoples' lives will be affected in any way. Right?
This is precisely what the article is getting at. Compare the design phase you just described to the design phase from the summary; now, look at a real bridge construction design phase and compare that to the ideal software design phase. See it now?
The problem with Waterfall is that, often, the people implementing it are not qualified to do so. In all honesty, there is no reason the engineer(s) designing it and the engineer(s) implementing it can't be one in the same; the important part is that the design is completed, by a qualified team or individual, before the build begins.
The bridge construction workers follow a plan that has already been decided, they don't get to change the design and decide whether to add another beam or not. So they are not coders - they are compilers", like software compilers they can make some "optimizations" but they are not supposed to deviate significantly from the design.
The bridge construction workers can stop construction if they see a problem (like a compiler) and point out where the problem is (like a compiler), but they can also point out a solution (much unlike a compiler) and they often don't have to restart the build from scratch after encountering an error, which a compiler most certainly would. A human developer, on the other hand, can point out solutions, and likely won't have to scrap all of his work of a problem is found in the design; and, much like the construction workers, the issue should be brought to the attention of the engineers who botched the design, and fixed by those engineers, before the developer continues his work.
If the specification for the program (the design phase) leaves enough wiggle room that the developer is making those decisions, then the design phase has failed. I think that's the whole point of this article.
Precisely. Ostensibly, if I am running a criminal enterprise, I am doing so for profit. If I am profiting, the money is going somewhere. If it is all being done from my phone, that rules out cash, so the money is in an account somewhere; when I file my taxes, I either claim that money (with a flimsy explanation, which the IRS will catch) or I don't (which the IRS will also catch), leading to an audit. After the audit, the IRS contacts the FBI and provides them all the evidence they need to build a case for, at a minimum, money laundering; that very same evidence will net them a warrant for pretty much whatever bits of my property they're interested in, as well as logs from any services I may have used.
Of course, that's only if I'm running the whole op from my phone and making no outside connections with anyone for any reason related to the criminal venture. The moment I make any such connections, catching me gets even simpler than just waiting for the IRS to audit the questionable income.
The only instances in which obtaining a warrant for the data on my phone would be difficult are instances where my phone isn't involved (e.g. me being a serial killer and being smart enough not to carry my phone with me when I'm out doing my thing -- hypothetically, of course) or where its involvement is immaterial to the act (e.g. me being a serial killer and not being smart enough to not carry my phone with me when I'm out doing my thing -- again, hypothetically), in which case, they'll have one or more dead bodies, murder weapons, or crime scenes containing my fingerprints, hair, fingernails, teeth, clothing, shoeprint, blood, and/or other DNA-carrying materials, with which they can get a warrant for the data on the phone that won't be useful to them, anyway, as they've already got their case made by then, unless I have an airtight alibi, in which case my phone will corroborate my story (otherwise it wouldn't be airtight).
In fact, were I a criminal, perhaps I would prefer they be able to snatch my phone and go through it anytime they want. That would allow me to carry a decoy phone with my alibis already laid out, and leave the real one in a safe, for which they would need a warrant. Of course, once they look through the phone they find on me and find nothing, they'll never get the warrant for the safe, and I can continue on with my crime spree.
Until the IRS finds that money, that is. And we've come full-circle.
Sure looks like the same shape squid tentacles make when you bread and deep fry them. Have these guys never had calamari? Or maybe just the crappy "rings only" stuff you get at most "trying to be more upscale" chain restaurants?
The bandwidth savvy consumer would like to download more content and play it back at any time, but do those consumers even exist as the majority anymore?
They do, but there's a lot of overlap between them and the "i do it this way because it's more convenient" set. If there were a simple (for the lay person) way to say "I'm gonna want to watch these at some point over the next week" and have the media transferred to your device, you'd see people doing it.
Yes! I have a fixed entertainment budget, more or less, and something like this would enable me to give more of that to the music and movie industries. I sure wouldn't mind being able to encourage the production of things I like and discourage the production of things I don't by throwing money where I want it *BEFORE* the fact, taking the wind out of the sails of the "we lost money because of piracy" set (by showing that they simply didn't *make* money due to lack of interest).
Can I sue them over the fact that I can no longer enjoy their products, thereby reducing my quality of life? The reason, of course, being one of liability; I can not and will not take on liability for their actions and any possible disastrous consequences of failures of their quality control processes or side effects caused by their current or future products, which is precisely the choice they're giving me: "Forgo being our customer, or take liability for our actions."
Absolutely! This isn't something that could have been foreseen, but I've been noticing more of a tendency toward "well, I can't stop everything, so why bother" lately, and I'm beyond not sure I like it; I'm sure I don't. You seem to get this, thank you for giving me hope for humanity.:)
Or, you know, fuzz the hell out of it until you find something, like I said in my post. No source necessary. At least with open source, I can fuzz it until I find a vulnerability, then find the code that caused the vulnerability and fix it.
I mean, I suppose if I got my hands on the source for IE, I could fix that, as well, but why go through the trouble when I can readily obtain the source for a number of other browsers?
Reading comprehension? You just agreed with me... I ended my comment by pointing out that fuzzing is super-effective. You can ignore the source and just fuzz away with open source, just like you're forced to do with closed. And, as a user, you can fix vulnerabilities in open source software, rather than having to wait for the developer to do so. In fact, as a user, you can fuzz *and* fix your open source application.
That is to say, having the source doesn't make finding vulns easier (or harder, as you imply), it does, however, make fixing them easier.
And anyone who's serious about security is taking mitigation steps for every scenario that can conceive, known exploit or not. That should be SOP whether or not you have source available.
Anyone can view the source of an open source project, which means anyone can find vulnerabilities in it. Specifically, hackers wishing to exploit the software, as well as users withing to audit and fix the software. But, someone who knows what they're doing has to actually look at the source for that to matter; and this rarely happens.
Hackers must black-box closed source software to find exploits, which make it more difficult than finding them in open source software; the flip-side is that they can only by fixed by the few people who have the source. If the hacker doesn't disclose the exploit and the people with access to the code don't look for it, it goes unpatched forever.
Open source software does provide an advantage to both sides, hackers can find exploits more easily and users can fix them more easily; with closed source, you're at the mercy of the vendor to fix their code but, at the same time, it's more difficult for a hacker to find a vulnerability without access to the source.
Then, we consider how good fuzzing techniques have gotten and... well, as it becomes easier to find vulnerabilities in closed source software, open source starts to look better.
You do realize you failed to disagree with me at all, right? I can distribute something without selling or licensing it; it's called putting up my own website.
Okay, you did disagree with me regarding the model's level of involvement in the sale or licensing of the photo. And you're wrong; as a photographer, I hold a fair hand of cards cards. The model can decide who I *can* not sell or license to, and I can decide who I *will* not; if the model had all they say, I'd have to sell or license the photo to whomever the model dictated and that is, simply, not the case.
Okay and now I *am* going to natter on. Since you can't see how your approach failed, let me point it out. This is an effective response when someone admits they were wrong and this is an appropriate way to present an opposing viewpoint, what you wrote was neither of those things.
While you did "[invite me] to consider whether [my] position would change if [I] knew one of those victims"; you also, immediately before that, managed to insinuate that I didn't give this any thought, rather than accepting the possibility that I was working off of incorrect or incomplete information, as was the case, and took the liberty of making another bold assumption about me; I'll leave it to you to figure out what that assumption was and why you were wrong to do so.
Stating that you disagree with me and providing your opinion, as you did in the first paragraph of your initial reply to me, was spot-on. Everything you've wrote after that was inflammatory, and I think you know that. Stopping at the end of your first paragraph would have garnered a more positive response; simply, me stating that I had actually been presented additional information and an alternative viewpoint on the subject, and had already reconsidered my position. I would have had nothing to call out out on and, therefore, would not have done so.
At least one of us can admit they were wrong. Who's the one nattering on and behaving dickishly? Seriously, rather than politely suggest I reconsider my position, taking into consideration that I may have been coming from a position of ignorance, rather than malice, you chose to take a stab at me, and you're attempting to do so.
I've admitted everything you're trying to point out about how I was wrong in my postings on this topic. I've learned, I've grown, and I'm man enough to admit I was wrong. That's more than you can say.
Go ahead, have the last word. You know you want it. But if you choose to take another stab at me, don't expect me to let it stand.
LAX: It's not just an airport, it's our security model!
A big part of it is the "nobody is going to die if this isn't just right" mentality (except when they do) most developers take on. Even if the planning phase is done correctly, your average developer will take lightly any changes they feel need to be made to the design; when the whole thing comes crashing down, it's not like peoples' lives will be affected in any way. Right?
This is precisely what the article is getting at. Compare the design phase you just described to the design phase from the summary; now, look at a real bridge construction design phase and compare that to the ideal software design phase. See it now?
The problem with Waterfall is that, often, the people implementing it are not qualified to do so. In all honesty, there is no reason the engineer(s) designing it and the engineer(s) implementing it can't be one in the same; the important part is that the design is completed, by a qualified team or individual, before the build begins.
The bridge construction workers follow a plan that has already been decided, they don't get to change the design and decide whether to add another beam or not. So they are not coders - they are compilers", like software compilers they can make some "optimizations" but they are not supposed to deviate significantly from the design.
The bridge construction workers can stop construction if they see a problem (like a compiler) and point out where the problem is (like a compiler), but they can also point out a solution (much unlike a compiler) and they often don't have to restart the build from scratch after encountering an error, which a compiler most certainly would. A human developer, on the other hand, can point out solutions, and likely won't have to scrap all of his work of a problem is found in the design; and, much like the construction workers, the issue should be brought to the attention of the engineers who botched the design, and fixed by those engineers, before the developer continues his work.
If the specification for the program (the design phase) leaves enough wiggle room that the developer is making those decisions, then the design phase has failed. I think that's the whole point of this article.
Precisely. Ostensibly, if I am running a criminal enterprise, I am doing so for profit. If I am profiting, the money is going somewhere. If it is all being done from my phone, that rules out cash, so the money is in an account somewhere; when I file my taxes, I either claim that money (with a flimsy explanation, which the IRS will catch) or I don't (which the IRS will also catch), leading to an audit. After the audit, the IRS contacts the FBI and provides them all the evidence they need to build a case for, at a minimum, money laundering; that very same evidence will net them a warrant for pretty much whatever bits of my property they're interested in, as well as logs from any services I may have used.
Of course, that's only if I'm running the whole op from my phone and making no outside connections with anyone for any reason related to the criminal venture. The moment I make any such connections, catching me gets even simpler than just waiting for the IRS to audit the questionable income.
The only instances in which obtaining a warrant for the data on my phone would be difficult are instances where my phone isn't involved (e.g. me being a serial killer and being smart enough not to carry my phone with me when I'm out doing my thing -- hypothetically, of course) or where its involvement is immaterial to the act (e.g. me being a serial killer and not being smart enough to not carry my phone with me when I'm out doing my thing -- again, hypothetically), in which case, they'll have one or more dead bodies, murder weapons, or crime scenes containing my fingerprints, hair, fingernails, teeth, clothing, shoeprint, blood, and/or other DNA-carrying materials, with which they can get a warrant for the data on the phone that won't be useful to them, anyway, as they've already got their case made by then, unless I have an airtight alibi, in which case my phone will corroborate my story (otherwise it wouldn't be airtight).
In fact, were I a criminal, perhaps I would prefer they be able to snatch my phone and go through it anytime they want. That would allow me to carry a decoy phone with my alibis already laid out, and leave the real one in a safe, for which they would need a warrant. Of course, once they look through the phone they find on me and find nothing, they'll never get the warrant for the safe, and I can continue on with my crime spree.
Until the IRS finds that money, that is. And we've come full-circle.
Sure looks like the same shape squid tentacles make when you bread and deep fry them. Have these guys never had calamari? Or maybe just the crappy "rings only" stuff you get at most "trying to be more upscale" chain restaurants?
The bandwidth savvy consumer would like to download more content and play it back at any time, but do those consumers even exist as the majority anymore?
They do, but there's a lot of overlap between them and the "i do it this way because it's more convenient" set. If there were a simple (for the lay person) way to say "I'm gonna want to watch these at some point over the next week" and have the media transferred to your device, you'd see people doing it.
Yes! I have a fixed entertainment budget, more or less, and something like this would enable me to give more of that to the music and movie industries. I sure wouldn't mind being able to encourage the production of things I like and discourage the production of things I don't by throwing money where I want it *BEFORE* the fact, taking the wind out of the sails of the "we lost money because of piracy" set (by showing that they simply didn't *make* money due to lack of interest).
Webscale, baby!
I|lum
You'll take my Haruo Sato designed lenses away from me when you pry them from my cold, dead fingers.
But it's not an Apple board, so there's no need to be so smug about it.
Redundant Aerosol Incapacitation Devices?
Can I sue them over the fact that I can no longer enjoy their products, thereby reducing my quality of life? The reason, of course, being one of liability; I can not and will not take on liability for their actions and any possible disastrous consequences of failures of their quality control processes or side effects caused by their current or future products, which is precisely the choice they're giving me: "Forgo being our customer, or take liability for our actions."
Absolutely! This isn't something that could have been foreseen, but I've been noticing more of a tendency toward "well, I can't stop everything, so why bother" lately, and I'm beyond not sure I like it; I'm sure I don't. You seem to get this, thank you for giving me hope for humanity. :)
Or, you know, fuzz the hell out of it until you find something, like I said in my post. No source necessary. At least with open source, I can fuzz it until I find a vulnerability, then find the code that caused the vulnerability and fix it.
I mean, I suppose if I got my hands on the source for IE, I could fix that, as well, but why go through the trouble when I can readily obtain the source for a number of other browsers?
Thank you for clarifying that... a bit frazzled today, bad day at work.
Reading comprehension? You just agreed with me... I ended my comment by pointing out that fuzzing is super-effective. You can ignore the source and just fuzz away with open source, just like you're forced to do with closed. And, as a user, you can fix vulnerabilities in open source software, rather than having to wait for the developer to do so. In fact, as a user, you can fuzz *and* fix your open source application.
That is to say, having the source doesn't make finding vulns easier (or harder, as you imply), it does, however, make fixing them easier.
And anyone who's serious about security is taking mitigation steps for every scenario that can conceive, known exploit or not. That should be SOP whether or not you have source available.
It's 6 of one, half-dozen of the other.
Anyone can view the source of an open source project, which means anyone can find vulnerabilities in it. Specifically, hackers wishing to exploit the software, as well as users withing to audit and fix the software. But, someone who knows what they're doing has to actually look at the source for that to matter; and this rarely happens.
Hackers must black-box closed source software to find exploits, which make it more difficult than finding them in open source software; the flip-side is that they can only by fixed by the few people who have the source. If the hacker doesn't disclose the exploit and the people with access to the code don't look for it, it goes unpatched forever.
Open source software does provide an advantage to both sides, hackers can find exploits more easily and users can fix them more easily; with closed source, you're at the mercy of the vendor to fix their code but, at the same time, it's more difficult for a hacker to find a vulnerability without access to the source.
Then, we consider how good fuzzing techniques have gotten and... well, as it becomes easier to find vulnerabilities in closed source software, open source starts to look better.
Exactly! One is copyright infringement and the other is fraud and, semantically, much closer to stealing.
Distributing without selling or licensing is still distributing, and is still covered by copyright.
As the photographer, I hold the copyright on my work. You must be confused.
You do realize you failed to disagree with me at all, right? I can distribute something without selling or licensing it; it's called putting up my own website.
Okay, you did disagree with me regarding the model's level of involvement in the sale or licensing of the photo. And you're wrong; as a photographer, I hold a fair hand of cards cards. The model can decide who I *can* not sell or license to, and I can decide who I *will* not; if the model had all they say, I'd have to sell or license the photo to whomever the model dictated and that is, simply, not the case.
Okay and now I *am* going to natter on. Since you can't see how your approach failed, let me point it out. This is an effective response when someone admits they were wrong and this is an appropriate way to present an opposing viewpoint, what you wrote was neither of those things.
While you did "[invite me] to consider whether [my] position would change if [I] knew one of those victims"; you also, immediately before that, managed to insinuate that I didn't give this any thought, rather than accepting the possibility that I was working off of incorrect or incomplete information, as was the case, and took the liberty of making another bold assumption about me; I'll leave it to you to figure out what that assumption was and why you were wrong to do so.
Stating that you disagree with me and providing your opinion, as you did in the first paragraph of your initial reply to me, was spot-on. Everything you've wrote after that was inflammatory, and I think you know that. Stopping at the end of your first paragraph would have garnered a more positive response; simply, me stating that I had actually been presented additional information and an alternative viewpoint on the subject, and had already reconsidered my position. I would have had nothing to call out out on and, therefore, would not have done so.
At least one of us can admit they were wrong. Who's the one nattering on and behaving dickishly? Seriously, rather than politely suggest I reconsider my position, taking into consideration that I may have been coming from a position of ignorance, rather than malice, you chose to take a stab at me, and you're attempting to do so.
I've admitted everything you're trying to point out about how I was wrong in my postings on this topic. I've learned, I've grown, and I'm man enough to admit I was wrong. That's more than you can say.
Go ahead, have the last word. You know you want it. But if you choose to take another stab at me, don't expect me to let it stand.