Let me guess: these Bit9 geniuses are all ex-RSA employees?
Try this: http://youtu.be/YxHcJTs2Sxk
I just looked on Wikipedia for what happened on October 28, 2012, and there's nothing there! The 29th doesn't look very complete either. Jeez, how sloppy. So clearly it's not finished yet...
I can see people eventually using these as 'windows' on interior walls. Now we just need 4K video feeds from scenic locations like Yosemite Valley and we can all enjoy the view!
That beachfront property I bought in West Virginia will be worth millions! Going to go out and buy a surfboard today! And will go buy a Hummer 2 to speed things along! Surf's up, dude!
Well, that was a fairly lame article...
Anyway, I interviewed with Microsoft back in 1989 or 1990, and it appears that things have changed since then. Back then, they definitely were more focused on technical questions. I don't remember anyone asking anything about customers or business or communications. It was all technology, with a bit of design thrown in. The position wasn't even a hard-core programming job. Since I was a few years out of college, the customer/business/communications questions would have been nice, since I would probably have been better positioned to answer those than the college seniors, as my then-current job had me working with customers a lot. Their recruiting group was horribly disorganized back then also -- they switched recruiters and the job at the last minute, so no one (myself, the recruiter, the interviewers) was properly prepared. I suppose they've probably fixed that since then... One of the weirdest things was the "cult of Bill" -- whenever you asked a question, the answer seemed to always be prefaced with something like, "Well, Bill thinks that..." Even questions that had nothing to do with technology or Microsoft, like "what do people in Redmond do for fun?" "Well, Bill thinks that being fit and active helps the brain, so a lot of us like to mountain bike..."
I'm sorry, what were you saying? I was, uh, solving problems...
They can take my encrypted files and index, reproduce, modify, publish, etc. them to their heart's content! I really look forward to seeing derivative works created from my gpg-encrypted files! Similarly, I can't wait to browse to web pages publicly displaying the contents of someone else's 700MB encrypted file; reading that will be a great cure for insomnia!
But more seriously, I can see Google wanting to have some capabilities for their ad/marketing businesses, but some of these (create derivative works, modify, publish, publicly display?) are really unnecessary. Looks like the product manager forgot to review the ToS after the lawyers were done with it. Oops.
Does the movie contain anyone ordering food in a restaurant like this?
"It's not the job of Russian security firms to know where our security holes are"
And also, Macs only get malware "when you hold it wrong"
Yeah, I've used it for a few trips, and it does make you have really weird, bizarre dreams. Crazy stuff. I'm not sure I would go back on it. I didn't go psychotic or anything, but I'm a pretty even-keeled person. Anything that affects your brain that much could definitely have bigger consequences for someone who's a bit unstable to begin with.
But you probably didn't get that root password as part of the interviewing process. That's what I'm talking about!
I imagine your usage of that password will be just as ethical as theirs, too. So yeah, fair trade.
Oh, completely ethical! Trust me! I just want to validate you all are a company that I want to be part of. As part of that analysis, I'll be poking around your servers to ensure that you have the proper security, logging, and auditing set up correctly. And review your financial and accounting software. And I want to make sure that you're friends with the right sort of other companies, and that you're not posting any inappropriate or obscene files on your servers, of course. Don't want to join a company and later have it blow up in a security or financial scandal. I mean really, I can't afford to have my reputation tarnished by being associated with *that* kind of company, can I?
Right after you give me the root password to the company's servers!
Seems like a fair trade to me...
The actual lesson is: Criminals are bloody stupid. If I had $35 million worth of drugs in a place, I would avoid doing anything that could get the police into my place. Like stealing an iPad. Or even picking one up that someone left on the train or bus.
They're even stupider than you think. The police didn't have a search warrant, so they just asked if they could come in, and the people in the apartment said yes. Can you believe it? They've got $35mm worth of meth and they invite the cops in? They must have been under the influence of drugs at the time...
By the way, to give credit where credit is due, it was detectives from Palo Alto who found the meth, not San Jose police, although the apartment was in San Jose.
This software doesn't work at all! I downloaded it and it installed fine. Then I ran it, and waited for like hours, and no beer yet! Here I am sitting with my mug under the USB port, and nothing is coming out. Jeez. Damn open source software. The USB port is for input / output, right? Well, where's the damn output?
It said something about hops, so I did lots of hopping and even a little jumping, but to no avail.
Wait a minute, it's saying something about adding water. Let me go pour some water into the keyboard and see if that helps...
This is BS. I'm posting this from my mobile phone while speeding down the freeway at 80 mph, and look no problems whatsoev (*&$&*# NO CARRIER
I think "properly written" is the key phrase there, which applies to any technology implementation.
Ideally, they would have used the gpg libraries or gpgme and called it directly from the Ruby code. But that's harder, so they chose the easy way and got burned.
Yeah, and I believe you. That's why I can't find any experienced RoR developers to hire. Our recruiters can't find anyone either. They're all busy.
I agree. Asking the community to test the system out does show remarkable common sense and good intentions, which seem to be lacking in the e-voting community.
Unfortunately, they did not have the common sense (or perhaps judgement) to hire a technical team that knew what they were doing when it comes to security. Which is not good in any project, but seems like a huge lapse of judgement in an e-voting project.
They also appear not to have hired an independent security review group to scan the code and review the implementation, or if they did hire one, they hired one that was no good.
Nice troll. Actually, it's kind of a lame troll. I suppose, as is normal on /., you didn't read the report from Prof Halderman.
The initial problem was a string interpolation vulnerability in a modified Ruby library that executes a shell command to encrypt PDF ballots. That's a pretty basic mistake that has nothing really to do with Ruby or Rails. If you interpolate into a string (or concatenate data into a string) without sanitizing the data, and then execute it, you're asking for trouble, no matter whether it's Rails or Java or C. This is also pretty basic security stuff, and there are tons of guidelines and tutorials in the Rails community for avoiding this kind of mistake. There are also plenty of code vulnerability scanners that would pick this up. It's amazing that the DC team didn't use one of these to check their code.
But they had plenty of other problems such as easy-to-guess passwords and a lousy IDS configuration.
So the real problem was with the people who developed and implemented the system, not with the tools. I've seen plenty of similar mistakes in systems developed using all sorts of technologies. The developers clearly didn't have a very solid background in security. That's OK actually, as long as you have someone on the project who does and who can check their designs and implementation. Sounds like they didn't have anyone well versed in security, which seems a bit odd for an e-voting project. I'm certainly no expert on security, but I am a RoR coder, and even I know not to make these mistakes.
But I suppose it's fun to bash the Rails programmers because they are in really high demand and able to command very high billing rates :-) I'll take the bashing along with the money and the ease of programming!
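The bug class the comment above describes, shown as an added example (my own code, not the DC project's library or anything from the Halderman report): a gpg command built by interpolating an untrusted ballot filename, beside the hardened form that validates the name and passes argv as an array so no shell ever parses it. The recipient name and filenames are constructed for illustration.

```ruby
require "open3"
require "shellwords"

# Vulnerable pattern: untrusted input is interpolated into one string that a
# shell will parse, so any shell metacharacters in the name alter the command.
def vulnerable_encrypt_command(pdf_name, recipient)
  "gpg --encrypt --recipient #{recipient} #{pdf_name}"
end

# Hardened pattern, part 1: an allowlist for the filename. A ballot PDF is
# expected to be a plain basename; anything else is rejected up front.
SAFE_NAME = /\A[A-Za-z0-9_\-]+\.pdf\z/

def validate_ballot_name(pdf_name)
  raise ArgumentError, "unsafe ballot filename" unless SAFE_NAME.match?(pdf_name)
  pdf_name
end

# Hardened pattern, part 2: build argv as an array. Handing an array to
# system/Open3 bypasses the shell, so each element is one literal argument.
def safe_encrypt_argv(pdf_name, recipient)
  ["gpg", "--batch", "--encrypt", "--recipient", recipient, "--",
   validate_ballot_name(pdf_name)]
end

# Executes only the array form; a string is never passed to a shell.
def run_encrypt(pdf_name, recipient)
  _out, err, status = Open3.capture3(*safe_encrypt_argv(pdf_name, recipient))
  raise "gpg failed: #{err}" unless status.success?
  true
end

# If a single command string is unavoidable (e.g. for logging), let Shellwords
# do the quoting rather than hand-rolled escaping.
def quoted_encrypt_command(pdf_name, recipient)
  Shellwords.join(safe_encrypt_argv(pdf_name, recipient))
end

if __FILE__ == $PROGRAM_NAME
  hostile = "ballot.pdf; echo injected"   # constructed hostile filename
  puts vulnerable_encrypt_command(hostile, "dcboee")   # metacharacters survive
  p safe_encrypt_argv("ballot-42.pdf", "dcboee")       # one literal arg each
  begin
    safe_encrypt_argv(hostile, "dcboee")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```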
In other news, U.S. radars were not responsible for the highly confusing and contradictory summary posted this morning to a Slashdot story about Russia's Phobos-Grunt probe. A thorough investigation has determined that the story's chips should have been able to withstand the radiation received when the story was transmitted through the intertubes and routed over northern Alaska. Instead, investigators blamed a typing failure on the story editors. "A series of tests showed that the editing was lousy and sloppy, and disciplinary action will be taken on those responsible," a spokesman said.
Everyone who's met the guy knows that Pincus is a class A a**hole. No one I've met actually likes working there. They're just sticking around to cash out. I don't see a bright future for Zynga. All the key employees will jump ship once they can sell their stock. And what's to prevent them from copying all of Zynga's games and marketing them for less? They've got the knowledge and the experience, and they'll have the capital too. Plus the big boys in gaming are jumping in, and they will copy Zynga's games too. EA and so on will hire away all of Zynga's key people once they're free to move on. It will be a race to the bottom, with everyone copying everyone else's games, probably farming out development to India or China. That will favor whoever can run the games the cheapest. I think Zynga's best hope is to get bought while they're still riding high. Of course, Pincus will do fine no matter what.
What the article doesn't say is that they're only installing this on metered parking spots. So the app will guide you to a spot where you have to feed $8 an hour into the meter, or whatever ridiculous rate SF is charging today, but won't tell you about the free spot 1/2 a block away. Of course, at the rate SF is installing new meters on previously unmetered streets, there won't be any free spots left in the city in a few years. This is all about raising city revenues.
Microsoft must have been late with its kickback check this quarter.
Where is that funny & insightful mod button when you need it?