Comment I don't think the PINs were secret (Score 1) 83

I've been doing electronic tax filing since the days of yore, even back when the tax software was generating a special machine-readable "1040PC" form with all your data on one page. If I remember correctly, the PIN was supposed to be a replacement for your physical signature on the return, since the rules say you need to certify that you are submitting a true return and acknowledge the penalties for not doing so. So, I'm not sure it was a secret PIN in that sense.

BUT -- these e-filing services shouldn't be so insecure that someone can just sniff traffic and collect the PINs. I always assumed that it worked something like this -- the IRS hands out TLS certificates to "authorized e-file providers" who operate the tax payment gateways and communicate the return data from the program, to the gateway, to the IRS. Hopefully they're not just FTPing the data around :)

Comment Hope this is just the first step (Score 1) 54

The site does appear to list more details than traditionally were provided, but I'm hoping they're planning on giving more details. It's great to know "something" was fixed with "some component" but previous granular Windows Update packages often had references to the KB articles prompting the release of the hotfix.

I know the goal is to get customers on a completely stateless iPhone-style device, but there are a lot of use cases that need the power and control of a traditional PC for whatever reason. Legacy code isn't going away, and sometimes you just need to run things locally because of network constraints or security. Knowing that "applying this KB fixes X, but will break your application because of a dependency" is a very useful thing when you're supporting thousands of PCs.

Comment The endless contractor cycle has to stop (Score 4, Interesting) 184

Most of the "cybersecurity holes" can be tracked down to some contractor slapping in an insecure installation of -whatever- to do the bare minimum needed to keep the contract. This is what needs to be fixed -- contracts need to be monitored closely and terminated in cases of poor performance. Security is a human error thing mostly:
- Not removing default passwords and accounts
- Leaving ports open and services running that aren't necessary
- Not keeping up with product versions and patch cycles
- Leaving unencrypted disks full of data on trains or in cars that get broken into

The problem is that even big companies can't manage to get this right, let alone government agencies. Big companies fall prey to the same mentality of just hiring contractors. Even the NSA did this -- if there was ever an organization that needed to do their own in-house IT, that's definitely #1 on the list. Employees will care about security when employers start demanding it.

The solution, which is nearly impossible to implement, is to make everyone involved step their game up. Hire real, full time employees who are committed to the agencies' or companies' missions at a level slightly above "I can keep my job." Make sure everyone is trained and double-check work.

Comment Math education turns students off! (Score 1) 215

I remember elementary and high school math from the 80s and early 90s. It was an endless cycle of memorization of procedures and formulas, with very little emphasis on the real utility of it all. In particular, I remember plane geometry proofs that barely made sense to me -- I can't imagine what someone who was bad at math or disinterested thought of those. That, and the algebra manipulation phase (factoring, quadratic equations, etc.). I will always remember that x = (-b +/- sqrt(b^2 - 4ac)) / 2a -- for some reason. :-)

Here's a question for math lovers -- what needs to be taught differently in early math so that students will enjoy it? I know the only time I ever got interested in math was later on, using it in science courses to solve actual problems. Everything before that was just operations. The problem was that being behind in math kept me from doing well in engineering coursework. Contrast this with my eventual degree in chemistry -- I had a great high school chemistry teacher and really caught onto it immediately, probably because it wasn't as math heavy until physical chemistry and analysis courses. Most people barely understand chemistry and consider it something they pass once and never see again. Is it really just as simple as good initial teaching? What makes math interesting?

Comment PC is necessary in today's world (Score 1) 668

Yes, yes, flame away, but I feel that the world isn't PC enough given the changes in the way discourse is handled.

Before the Internet and easy-to-use social media platforms, people who had social issues could only offend a limited number of people within their local sphere of influence. By this I'm talking about the people who don't have a filter and just let their mouths run without thinking about how they sound or who they're talking to. I know many, and giving people like this access to Facebook, Twitter and the other social platforms just makes them worse. They also tend to pull in more people around them who are attracted to their abrasive style.

PC is required because the loud-mouth crowd is using the concept of free speech as a license to say whatever comes to their minds with no repercussions. If people would simply follow the golden rule of "don't be a total asshat to one another" we wouldn't need it.

The problem with a situation like this is that the loudest mouth wins, whether or not what they have to say is worth listening to. Look at people like Trump, angry conservative talk show hosts, or radical leftists for that matter, and you'll see how extreme positions affect the public narrative. Putting reasonable limits on what people can say to one another is a good idea in my opinion.

Comment Voluntary separations = talent removal spiral (Score 3, Insightful) 217

Layoffs should always be a last resort in positions that require technical talent. This goes double if your staff are more experienced and able to see the writing on the wall. I've chosen companies carefully over the years and have had long tenures at places I've worked. But, when a talented person who can get a job somewhere else sees the layoff balloons going up, the immediate thought is whether or not they'll be next. This causes everyone good to head for the exits, and you're left with the low-talent people who are just hanging on hoping they don't get it in the next round. This has happened to me twice, and I've carefully considered my options both times, opting to leave before things got worse.

This is partially driven by the (irrational) preference to hire only employed people. I know a lot of talented people who've just been blindsided by a sudden layoff, capricious firing or even the business going bankrupt. The road back for these people is very hard and they often have to take lower-salary work or work for companies with less-than-ideal working conditions.

Comment Not surprised (Score 3, Insightful) 428

There have been a lot of stories like this over the brief history of technology. IBM is a really good example. Their senior management is doing everything they can to sell off the company bit by bit while collecting money, and they still can't kill it. Microsoft is another excellent example, riding Windows and Office through to their current states. They're currently poised to pull the ultimate vendor lock-in trick with Azure and subscription software because they have loads of money to spend. Some companies, especially those with huge cash balances, can manage through transitions. Others will just keep beating money out of their cash cows for as long as possible (again, IBM is the perfect example.) Others, like Sun, end up getting bought at fire sale prices. All of the companies mentioned were absolutely dominant at one time or another. IBM is a total joke these days, but in the 70s/80s they represented the state of the art in all things computing.

Apple's problem is that they are now too consumer-focused and don't have a pipeline of expensive gadgets to sell them. Whether they'll use that huge pile of cash they have to buy into the next trend remains to be seen.

Comment I'm amazed it's taken this long (Score 3, Interesting) 37

There are so many vulnerable SCADA systems, device-specific Ethernet adapters and other stuff out there, and it just chugs along for years and years. Especially with public sector stuff, multiple layers of contractors put gear in, barely document it and hand it over to the operating authority. The problem is that since no one permanent knows the ins and outs of the system, it can stay vulnerable for ages. Even if a vendor does release patches, the "don't touch it or 500K customers lose power" mentality around critical infrastructure means they barely ever get applied.

Anything IoT is going to have to be secure by default, as in, hard to get working instead of open and easy. I doubt the "just contract it out" mentality is ever going to go away in the public sector -- I've inherited systems where the only documentation is a statement of work from 5 years back that the contractor cut and pasted from the vendor's manuals.

Comment OK, so our lab isn't that bad after all! (Score 2) 169

It's amazing how much cabling gets forgotten about when you have a chaotic lab environment and new stuff coming in all the time (we do hardware evaluations and other systems integration work.) There's never any money left over for structured cabling once it's been spent on all the fancy new hardware. Even if we invested in structured cabling it would turn into an unstructured mess quickly. I have racks that look like those Magic Eye pictures; the only thing that will solve it is unplugging everything. I'm sure world class scientists can't be bothered to label anything if we can't!

Comment End of the bubble is coming (Score 1) 125

I saw this back in the late 90s. People I knew with very shaky skills were getting paid 6 figures to design website back-ends, simply because the demand was so astronomical. Come 2001, a lot of those people were unemployed or were being paid a lot less. The point is that the bubble is coming to an end:
- CS enrollments are at an all time high (just in time for grads to get out into the nonexistent job market...)
- Companies are paying insane salaries due to the bubble and hype around apps, social media, etc.
- More and more semi-skilled people are jumping on the bandwagon, getting into the "exciting world of development"

As a counterpoint, look at the story about Disney's H-1B replacement workers still on the front page. That seems to be what's coming for the low end of the market. The high end is cyclical -- BS artist consultants on the latest fad come and go, really good consultants and employees can still command a good salary if they know how to market themselves correctly.

Comment Lawsuits won't fix this (Score 5, Interesting) 243

It's interesting to see a new angle on this, and to see a group actually fighting back against such a large employer. But...lawsuits won't fix this long term. What is going to fix this is a professional organization with a little more teeth than something like the IEEE or ACM. IT Professionals (developers, systems guys, DevOps people, whatever) need to start standing up against stuff like this before any hope of combating it goes away.

I walk the line between worker and manager in a lead position, so I see both sides of an employer's argument. Here's the uncomfortable truth -- there really is a shortage of qualified people, always has been. You need to find and hang on to qualified people for dear life, because you're not going to get a department full of superstars. The problem is that a lot of unqualified people can BS their way to a $150K+ job, and employers often don't know the difference between good and bad. Because of this, they're always looking to cut costs. So when Tata or Infosys comes in, and tells the CIO to write them a monster check to make their lazy good-for-nothing IT department go away, the argument holds water. Anyone working in an offshored IT environment knows that it never works out, but we do a very poor job of communicating our value to the business in some cases.

Other professionals are much smarter than we are about this. They saw companies moving to limit their power and formed professional organizations. The AMA pays for legislation, makes political campaign donations, and ensures its members still continue to command high salaries. If they ever let up, United Healthcare or similar would buy a law saying that nurses or medical assistants could perform advanced procedures for 1/10 the cost. Same thing with engineers, accountants, etc. There is an accepted barrier to entry (medical school, accreditation, licensure, etc.) to weed out the first-level BS artists. Imagine if an IT professional with X years' experience came with a full well-rounded education in computing fundamentals and their speciality, as opposed to graduating from a certification bootcamp. Or if a developer could be guaranteed to know something other than the JQuery and Python scripting he was taught in Coder Academy. As an employer, I'd pay for that instead of having to cycle endlessly through crappy onshore and offshore employees.

The point is that both sides have to give a little. Employers need to stop offshoring to the lowest bidder long enough to allow a talent pool to grow domestically, and IT professionals need to embrace the idea of a profession with salary progression commensurate with experience. If I were king and were able to form the IT Professionals Association tomorrow, here's what would happen:
- A huge collection would have to be taken up from members to purchase legislation banning the most obvious abuses of the current visa system. (Not an outright ban, because the original idea is good.)
- Some fundamental standards and practices would need to be established. This is the really hard part, because everyone is used to things going a million miles an hour and vendors promoting lock-in at every turn. But we're big boys and girls now, and computers are a part of our daily lives; their use should be more like a branch of engineering than a mad scientists' lab or skunkworks.
- Experience levels would need to be set, and training requirements to reach the next level would need to be established. Yes, this includes the idea of licensure, and at the lower levels, the dirty word "apprenticeship." This would allow employers to pay less for lower-skilled domestic labor. Does that sound like a skilled trade? It should -- the fundamentals of computing are becoming skilled labor now, and the creative engineering work should be done higher up the stack by people who have done the grunt work before.
- Members of the profession would need to start taking responsibility for their work, PE or medical malpractice style. It infuriates me when I've walked into projects where someone messed things up so badly they were fired, and they just clean up their resume and move on like nothing happened. That would be part of the bargain with employers -- they would get quality work or compensation in the case of incompetence.
- Vendor neutral lifelong continuing education, period.
- For this to work, it can't be a union-style seniority-over-all arrangement. Veteran workers who have kept up with technology all through the lifecycles don't deserve to train their replacements, but I'm not sure how I feel about the mainframe programmer who has never done anything different and has no interest in cross-training.

The H-1B program is being used for an unintended purpose -- getting rid of long term domestic employees and replacing them with "equivalent" workers. I'm fine with the original purpose, allowing truly talented people who really deserve it to come work here. I've been able to work with a few people like this, but I've also worked in IT sweatshop environments as one of the last onshore guys as they rotate less-than-qualified people in and out on H-1Bs. I think this needs to be fixed, but it's only the first step. We need to grow up and start advocating for our profession the same way employers advocate for their positions. And yes, that involves slimy lobbyists and paying for what you want.

Comment This sounds a lot like e-discovery rules (Score 5, Insightful) 231

I've worked in a few corporate environments where they were extremely paranoid about e-discovery (back when this was a new thing.) Almost always, the answer was to set the retention policy to 30 days, as in, no email backups older than 30 days, no (sanctioned) way to archive email, and everything older than 30 days was purged from mailboxes. This allowed the company to say with a straight face, "I'd love to give you the messages relevant to such-and-such business deal gone bad 5 years ago, but I simply cannot."

It sounds a lot like what Apple's doing -- they purposely built the encryption system with no way to bypass it so they can push it right back on the police and courts -- "Sorry, can't help you!" That gets them tons of great customer PR, as opposed to Google/Android, so it makes sense.

Comment You need something engaging with kids (Score 1) 214

The problem with introducing software development is that environments like Scratch are the easiest way these days to get a kid to write something and get immediate feedback. How many old timers remember:
10 PRINT "I am Cool"
20 GOTO 10
as their first BASIC program on one of the old home computer platforms of the 80s?

Scratch is like that. You stitch together simple statements and make something actually happen on the screen. You could argue that you could teach them a little JavaScript or something similar, but you still need enough syntax and backstory to get them to do something interesting. This is especially true now that most kids are being raised with "consume only" mobile devices and tablet OSes as their main computing platforms. The Wolfram language is similar -- very easy to pick up, -but- for a beginner the syntax is a barrier. Now that programming is so abstract from the actual hardware, it takes a little effort to introduce the concepts slowly and walk back all that abstraction.

Comment Industrial controls are having their "XP Moment" (Score 1) 162

I work with lots of serial-to-Ethernet stuff, various gateways, etc. in an industry with a lot of old technology. The truth is that the vendors of this stuff make it easy to set up, leave access open by default, and almost never update it. Patches for known things like ssh vulnerabilities or kernel bugs take months. What often happens is some lowest-bid contractor is hired by the utility company to implement control systems, leaves them wide open, and the company has no idea how to secure them.

Remember Windows XP SP2? This was the first client OS update after Microsoft started acknowledging security issues. Before that, the firewall was off and everything was on by default, including remote access to system files and services. That was a pretty big shift - before this, very little in the way of security hardening was done because the goal was to make it as easy as possible to use the system. The same thing probably has to happen for these SCADA vendors and other "magic Ethernet converter" device manufacturers to make it difficult to access things remotely by default.

Comment Business model has to change. (Score 2) 442

The problem with online ads now is how much CPU/battery/data they use up. Since people are desensitized to them now, the advertisers respond by making the ads more interactive, flashier and in-your-face, which eats all these resources. Your computer needs to run a million JavaScript snippets that go out to all sorts of web addresses to collect content, update cookies, etc.

I don't run ad blockers at home, simply because I'm not really bothered by them that much. But on my work PC, which is on a very slow connection (proxy server in another country), I have to run them to make browsing tolerable. The problem is that if ads go away, people will need to pay for content. I doubt many people are under the illusion that Google is giving its massive amount of (very helpful) services for free. Given how helpful Google is to my daily work, I'd gladly pay a monthly fee for a "do not track me" version. But how many others would do the same?
