Comment: Re:Facts! Don't talk to me about facts! (Score 1) 663

There was piracy without copy protection in the cassette tape days, and the recording business survived. They will survive just fine without DRM in the future. TiVo is a good example to learn from. Much money was made in the past on the assumption that people would watch commercials. TiVo and similar devices allowed a significant fraction of consumers to skip commercials. The ham-fisted approach would have been to make the fast-forward button illegal. The proper approach, that the market took, was to move many of the advertisements into the program.

DRM is a ham-fisted way to preserve a business model that is losing relevancy. The correct solution is to create new business models.

Comment: Re:Do you want a leader who lies? (Score 2) 319

by Jaime2 (#39908641) Attached to: Leave Yahoo CEO Scott Thompson Alone!
I hire a lot in IT. I started out by disregarding any resume with a provable lie on it. I quickly learned that 95% of the resumes that made it through pre-screening had blatant lies on them. Most of those weren't even the candidate's fault, the employment agency they worked with put the lies on there to ensure that the resume made it to my desk (and it worked!!).

Now, I trust references from trusted sources first, things I learn from an interview second, and never trust a resume. It's a huge pain in the ass and I long for the old days when a piece of paper was a good summary of the history of a candidate. The last guy I hired came strongly recommended by my neighbor - he's working out well. The guy before him did very well on the phone interview, but it wasn't worth flying him out for a face-to-face interview for a four month contract job. We fired him after six days; we're pretty sure he had someone else do the interview for him.

Comment: Re:E85 is AWESOME!! (Score 1) 556

by Jaime2 (#38718548) Attached to: Is E85 Dead Now?
Not really. Nitromethane has poor energy content, but makes for 4000HP engines. The amount of air you can pump through an engine is fixed by the displacement and maximum RPM of the components, and the fuel is limited by the amount of air that that quantity of fuel properly mixes with. Gasoline works at about a 13:1 ratio with air, alcohol at 6:1 and nitromethane at 2:1. So, for one revolution of a one liter engine, you can put through 1 unit of gasoline, 2.5 units of alcohol, or 6.4 units of nitromethane (with a unit being the amount of gasoline that properly mixes with one liter of air). Factoring in energy content, that makes alcohol capable of 30% more power and nitromethane capable of 75% more power, with no other modifications than a change of fuel and mixture adjustment. Add the cooling benefit of more liquid fuel being vaporized and it gets even better. Nitromethane engines use so much fuel that it's possible to hydro-lock them (the entire combustion chamber fills with incompressible liquid fuel - and very bad things happen).

Comment: Re:Some tips (Score 1) 333

by Jaime2 (#38568746) Attached to: Ask Slashdot: Writing Hardened Web Applications?

If you're super good at programming clean secure C/C++ you might want to program your own webserver (servers like Apache are easier to use, yes, but they release security patches to them all the time, so they aren't THAT secure. A dedicated single program that only does a few things is likely to have less vulnerabilities).

That's the worst idea I've ever heard. Apache and IIS both average less than ten discovered meaningful vulnerabilities per year. Making a secure HTTP server is way harder than you think it is.

Use SSL or some other form of secure transport (https). This will insure (well not insure, but make it more difficult) that even if someone is able to snatch your user's packets (like if they are in Starbucks or something), they will have to decrypt them before they get a token (by which time it will have expired).

Look up Cross-Site Request Forgery, it's a whole class of attack that makes the browser do the hard work for you. This is a great example of a case where using a framework instead of rolling your own is best. Most authentication frameworks had some CSRF protections in them before most web developers even knew it was a problem to be worried about (for example, marking session cookies as HttpOnly).
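The framework-style protections the reply refers to, as an added example that is not code from the comment, the thread, or any framework: a synchronizer token bound to the session with an HMAC, verified on every state-changing request with a constant-time comparison, and a session cookie issued with the HttpOnly, Secure and SameSite attributes. HttpOnly keeps page scripts from reading the cookie; the token check is what actually stops a forged cross-site form, because the attacker's page can make the browser send the cookie but cannot read or compute the token. The server secret, the request dictionaries and the session store are constructed for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed secret for the example; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def new_session_id() -> str:
    """Unpredictable session identifier (256 bits from the OS CSPRNG)."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line a framework would emit for the session cookie.

    HttpOnly: page scripts cannot read it.  Secure: sent only over HTTPS.
    SameSite=Lax: the browser withholds it from most cross-site POSTs.
    """
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()


def csrf_token_for(session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256 over the session id.

    Stateless on the server; only someone holding SERVER_SECRET can derive it,
    and a cross-site page cannot read it out of our HTML.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """The token travels to the browser inside the form we serve."""
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">'
            '<input name="amount"><button>Send</button></form>')


def handle_post(request: dict, sessions: dict) -> tuple:
    """Check a state-changing request.  request is a constructed dict of the
    shape {"cookies": {...}, "form": {...}}; returns (status, message)."""
    sid = request.get("cookies", {}).get("session")
    if sid is None or sid not in sessions:
        return 401, "no valid session"
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = csrf_token_for(sid)
    # Constant-time comparison on bytes so a non-ASCII submission cannot raise.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "CSRF token missing or invalid"
    return 200, "ok"


def demo() -> dict:
    """Legitimate submission versus a forged cross-site form that carries the
    cookie (the browser attaches it) but not the token."""
    sid = new_session_id()
    sessions = {sid: {"user": "alice"}}
    legit = {"cookies": {"session": sid},
             "form": {"csrf_token": csrf_token_for(sid), "amount": "10"}}
    forged = {"cookies": {"session": sid}, "form": {"amount": "9999"}}
    return {"cookie": session_cookie_header(sid),
            "legit": handle_post(legit, sessions),
            "forged": handle_post(forged, sessions)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The token is derived rather than stored only to keep the example self-contained; a per-session random token kept server-side works the same way, and rotating it after login limits how long a leaked token is useful.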

Comment: Re:Learn to break them (Score 1) 333

by Jaime2 (#38568600) Attached to: Ask Slashdot: Writing Hardened Web Applications?

Software engineering is fairly similar to structural engineering. Just as an architect does not truly understand how to create an indestructible building without first learning how buildings are destroyed, you can't possibly hope to create a secure software system without understanding how software is broken.

Earthquakes don't adapt their attack strategies as well as hackers. Learning to hack will help you harden against the lamest attacks of five years ago. Every single buffer-overflow can be fixed by simply keeping up on patches. Every SQL Injection vulnerability can be fixed by using a proper database access layer.

I find it much more effective to first apply basic coding standards based on OWASP, then to think of every web page from a request-response perspective instead of from a user perspective. 90% of the stupid security coding I've seen came from somebody who never considered that an attacker doesn't have to be using a standard web browser. Once you get over that hump, there is no value in learning all of the script-kiddie tricks.

I also find that security professionals often lack perspective. I once had a security guy go into great detail showing me how a page was vulnerable to cross-site request forgery and replay attacks. I told him "It's a catalog page, I don't care who reads it. It's URL-parameterized so that my customers can email links to each other. In other words, I'm counting on CSRF for sales." The funny part is that if I had used URL rewriting instead of a query string parameter, he wouldn't have even known the feature existed.

I am a firm believer that security belongs in the application team. Engaging an outside expert tends to send the message that it's somebody else's responsibility to do security. In reality, security is everyone's problem.
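The two points in the comment above, that SQL injection goes away behind a proper data access layer and that a handler written from a request-response perspective treats every field as untrusted, as an added example that is not code from the comment or the thread. The "trusting" checkout is the user-perspective version: it believes a hidden price field and pastes a form value into SQL. The hardened checkout parses and bounds the quantity, takes the price from the database, and looks the product up with a parameterized query. The in-memory SQLite catalog, the form dictionaries and the function names are constructed for the example.

```python
import sqlite3

# Constructed catalog rows for the example.
CATALOG = [(1, "widget", 9.99), (2, "gadget", 19.99)]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", CATALOG)
    return conn


def checkout_trusting(conn: sqlite3.Connection, form: dict) -> dict:
    """User-perspective handler (the 'before' case, kept deliberately weak).

    It assumes the form was posted by our own page, so it believes the hidden
    price field and builds SQL by string formatting.
    """
    sql = "SELECT id FROM products WHERE name = '%s'" % form["name"]
    rows = conn.execute(sql).fetchall()
    if not rows:
        return {"status": 404}
    qty = int(form["qty"])
    return {"status": 200, "total": round(qty * float(form["price"]), 2)}


def checkout_hardened(conn: sqlite3.Connection, form: dict) -> dict:
    """Request-response handler: the request came from *something*, not
    necessarily a browser running our form, so nothing in it is trusted.

    - qty is parsed and range-checked server-side (client-side checks are not checks)
    - price is never read from the request; it comes from the database
    - the lookup is a parameterized query, so the name is data, never SQL
    """
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return {"status": 400, "error": "qty must be an integer"}
    if not 1 <= qty <= 100:
        return {"status": 400, "error": "qty out of range"}
    row = conn.execute(
        "SELECT id, price FROM products WHERE name = ?",
        (form.get("name", ""),),
    ).fetchone()
    if row is None:
        return {"status": 404, "error": "unknown product"}
    product_id, price = row
    return {"status": 200, "product_id": product_id, "total": round(qty * price, 2)}


def compare() -> dict:
    """Run both handlers on a tampered hidden-price request and on a name
    that is a SQL tautology rather than a product (constructed test inputs)."""
    conn = make_db()
    tampered = {"name": "widget", "qty": "2", "price": "0.01"}
    tautology = {"name": "x' OR '1'='1", "qty": "1", "price": "0"}
    return {
        "trusting_tampered": checkout_trusting(conn, tampered),
        "hardened_tampered": checkout_hardened(conn, tampered),
        "trusting_tautology": checkout_trusting(conn, tautology),
        "hardened_tautology": checkout_hardened(conn, tautology),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(k, v)
```

The hardened handler is not longer because it is cleverer; it is longer because it writes down what the trusting handler silently assumed (integer quantity, sane range, server-side price, name as data). That is the habit the comment is describing.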

Comment: Re:Add something (Score 1) 315

by Jaime2 (#38400580) Attached to: Ask Slashdot: Good Metrics For a Small IT Team?
That's easy to game. IT is generally the "say no" department, so if you need to have someone talk you up to the boss, simply turn off the FaceBook filter for someone while you're working on a ticket. Or maybe do shoddy work on the PITA users because their feedback is going to be ignored anyways so you have extra time to bring coffee to one of the more respected users. There are a ton of things you can do to elevate the metric without actually doing better work. On the other side of the coin, being rude is a near guarantee that you will get horrible feedback. I'm not saying it's OK to be rude to people, but I am saying that politeness is over-represented in satisfaction metrics to the point where incompetent but good-natured people will never get poor feedback, even if they never solve a single problem.

Comment: Re:Uh huh (Score 1) 103

by Jaime2 (#38297106) Attached to: Study Shows Many Sites Still Failing Basic Security Measures
Yup. However, having just had one of my applications scanned by one of these tools, I can say that if you fail one of these scans, your app is worse than it says it is. I got a mostly clean bill of health, but the feedback I got was ridiculous. For example, the security department says that all pages of all publicly facing web apps should use SSL. Fine. But, the scan dinged me for caching pages delivered by SSL. So, do I violate the mandate to use SSL on trivial data? Do I violate the common sense approach of adding cache-control directives to static trivial elements like company logos? All the scan did for me is make me spend 4 hours justifying why the scan was worthless.

Comment: Re:what a summary! (Score 3, Insightful) 215

by Jaime2 (#38110388) Attached to: How Ford Will Upgrade Owners' Display Screens
No, he's saying that it's expensive to say exactly what he wants, and that offsets all of the savings. At the end of the day, it's the thinking that's expensive not the typing. If you move the typing to India, but don't move the thinking, then you've hired a typist instead of a programmer.

Comment: Re:High school doesn't prepare you for college (Score 1) 841

by Jaime2 (#37970270) Attached to: Why Do So Many College Science Majors Drop Out?

Right, because there are no sociopaths working in engineering. No, weapons design themselves. So do fighter jets! Wow, thank you idealistic nerd!

Yes, one counterexample proves a correlation invalid. Are you a manager, or just a sociopath?

Get over yourself, just because you can't work with people doesn't mean those that do are sociopaths.

It's well documented that people with sociopathic personality traits succeed in management. Also, I don't need to "get over myself", I do work with people. I've been successful in both training and management.

We do make more money than you and don't need to learn new languages and processors and OSes at our own expense every six months.

So, in a thread about engineering education, you bring up learning languages and OSes and paying for your own training. You do know that engineers and programmers are different set of people, right?
