
Comment: Blasting my ears (Score 1) 153

by endus (#49783119) Attached to: Ask Slashdot: Will Technology Disrupt the Song?

What amazes me is that the more technology and information we get, the more the music seems to become harsh and random to listen to. All the pop music that has flowed down from dubstep is so jarring...just random ear-raping sounds firing at the listener. This is to say nothing of lyrics which seem to be getting more and more repetitive and less and less creative/sonically flowing.

I'm not saying this to necessarily criticize pop as being simple and vapid, which has been the case since pop has existed and is totally understandable/fine, but just from a sonic perspective popular music just seems...I guess, "not what I would expect people to find appealing to listen to" is what I mean.

Popular rap would be a good example - it used to be about finding creative ways of saying something...that was the whole joy of it. You could talk about having money or cars or partying, but you would flip it in a unique way and with a unique flow. Now popular rap is becoming so unbelievably basic. It's not the subject that's changed, but the way of communicating it has just gotten so incredibly stripped down.

Comment: Questions which are not sexy... (Score 1) 160

by endus (#49592791) Attached to: US Switches Air Traffic Control To New Computer System

Were all developers of the system required to complete training and pass a knowledge check prior to beginning work?
Has the application had manual/dynamic penetration testing performed against it?
Are there any critical/high/medium findings?
What is the timeline to address pen test findings?
How is access authenticated?
Is the application segmented and housed in a dedicated DMZ?
Is there firewalling within the application stack?
Are Web Application Firewalls used?
What intrusion detection systems are in place?
What logs are generated and how are logs monitored?

The usual know...before we have a shitstorm in congress about the vulnerability of our critical infrastructure which somehow requires billions of dollars to be paid to defense contractors (like Lockheed Martin...hmmmmm) to mitigate.

Comment: Let's be honest here... (Score 1) 37

I'm all for accurate information not driven by hype/politics/marketing, but the state of U.S. cybersecurity is pretty dismal. Whatever you want to believe about the number and sophistication of the attacks, the preparedness in both the private and public sectors has a long way to go.

Comment: Ugh! (Score 4, Informative) 609

by endus (#49236809) Attached to: Clinton Regrets, But Defends, Use of Family Email Server

She's saying it's secure when we know it was using self-signed certs, exposed OWA, and I saw something this morning that said Qualys scanned it and it was riddled with vulnerabilities. She says there were no breaches, but does she have the extensive instrumentation required to detect a breach, especially one perpetrated by government-sponsored entities who would absolutely have an interest in the contents of her email?

It's just so frustrating to see the ignorance, and then to read comments from people defending her. You can say the timing is politically motivated. I personally think this is the State Department's fault much more so than hers...but don't tell me that it was a.) legal, b.) a good idea, c.) secure, d.) in any way, shape or form compliant with even the most basic security frameworks out there.

I wish I could just not see anything else about this issue, but it's like a magnet for my eyes.

Comment: I don't agree (Score 1) 114

by endus (#49142501) Attached to: Schneier: Everyone Wants You To Have Security, But Not From Them

The sad fact is that most companies aren't even implementing basic controls that everyone knew were important 10 years ago. If you look at a lot of the high profile breaches, they're due to fundamental stuff, not a lack of super high end ultra-expensive security appliances. It's something consumers reasonably expect companies to be doing, but they aren't doing.

I believe it is possible to have companies manage things and have good security. You could accomplish this by having individual consumers take more responsibility for their information, but it's more likely and more effective that "we" would take more responsibility for our information through market pressure, standards, etc.

The most likely form for this to take right now is through standards and compliance. The improvements in the situation are being driven by this now. We're not there yet, but it's improving.

The area where I do agree, though, is that it will be difficult to have effective security and privacy without legal support. The government is completely full of shit when it comes to information security, as they are full of shit when it comes to so many things. The NSA's efforts to compromise encryption and product security are a great example of this.

On the other hand there are laws like HIPAA. HIPAA is so vague, and yet it has been effective in driving change in the healthcare industry. Again, we're not "there" yet, but things are changing at a relatively rapid pace. HIPAA is actually a good example of where the government was not overly prescriptive, but does enforce substantive penalties for noncompliance with very general common sense requirements. On the other hand you have industry regs like PCI which are extremely prescriptive and have had a similar effect. Consequences are the only reason why PCI is having an effect as well...

Comment: Wow! (Score 2) 347

by endus (#49142299) Attached to: The Programmers Who Want To Get Rid of Software Estimates

Engineers think project managers and deadlines are a waste of time and a pain in the ass, while project managers think they are essential. Now that's what I call news! Whodathunkit!

This is business. Management wants to quantify everything to manage resources, manage spend, control cost, maximize profit, etc. It makes perfect sense at the same time that it doesn't really jive with how engineering works a lot of time. One thing for developers to keep in mind, though, is that *doing* something is never as important as *telling people* about how you did it. Metrics mean way more to the people who sign your paycheck than the code you write does and you should design your metrics accordingly.

The other component is PMs themselves. How many really good PMs have you worked with in your life? Grand total of 1 for me. Most PMs are people who don't really understand technology and have created a whole system of super-important metadata to "add value" to the process. When it's done properly a PM can help a lot, but mostly it's just blustering and wasting everyone's time. These people want to protect their jobs, and their jobs are defined by timelines and metrics.

Comment: Re:But where/when does one explicitly learn securi (Score 1) 809

by endus (#49048881) Attached to: Ask Slashdot: What Portion of Developers Are Bad At What They Do?

Your company should provide secure coding practices training. It's something that is becoming more and more common, but hasn't quite hit full adoption yet. It's being driven by regs and customers. Pretty soon it's unlikely you'll be coding anything before you take the training. It's the way the industry is moving.

However, there is another piece here. I am about to give you the keys to becoming a superstar developer. No BS, this is going to sound obvious but if you follow these steps you'll become the go to guy in no time and your career will advance...

1.) Make sure there is a business requirements document *before the project begins*
2.) Circulate that document to stakeholders, *including the information security group*

That's it. That's the whole secret. It's the key to every development and infrastructure project. It will seem like security is a pain in the ass and is raising the cost of the project but in the medium to long term they are *greatly* reducing the cost. You will also be loved by the infosec group, which means that you will be loved by the customers and the business as well. They just won't know it until you go to actually sell the product but once you will be the savior.

I'm not kidding about this. Do this and you will be successful.

Comment: I'll let you in on a secret... (Score 5, Insightful) 809

by endus (#49048783) Attached to: Ask Slashdot: What Portion of Developers Are Bad At What They Do?

Almost everybody is extremely bad at their jobs. Especially in IT, but in general too. I would say a solid 85% of people working in IT today should not be in the field.

I work in Security and so my job is basically to know, at a high level, how other people should do their jobs. Of course there are compromises that have to be made for functionality and cost, but in reality most IT systems are developed and architected in a way that no one should architect anything for any reason. The amount of money that's wasted because of poor infrastructure is astonishing. Companies could have an architecture that's twice as secure and probably half the cost to maintain if they were willing to make a one time investment in doing it properly.

Developers are a weird animal too. I know I'm playing with fire saying this on Slashdot. :) In my experience developers have a deep understanding of how systems work and are designed (obviously), but their understanding is *extremely* narrow. This is by no means true of all developers, but it's true of a lot. They can write brilliant code, but they can't tell you how to go about FTP-ing a file, how to encrypt an email, or how a domain works. It's a specialized skill set.

At a previous company I had to call support because my computer didn't grok with the domain and wasn't getting group policy. The tech, with her domain admin access, comes over and is obviously floundering trying to fix the problem. I suggest running a DOS command I know...she googles it and pulls it up...she gets to the command prompt and starts typing, "command\optionfoobar-x7", etc. How can you possibly be in that field and not know the *most basic structure* of a DOS command? I don't care if you know the command and options, everyone googles that crap, but you don't know how to type it in properly? A backslash and no spaces? Really? Even when you're looking at a webpage which has it verbatim?

It's no wonder things are in the state they're in.

Comment: Not that crazy (Score 1) 391

by endus (#48748277) Attached to: Sony Thinks You'll Pay $1200 For a Digital Walkman

That's not out of line with other high end portables, especially with 128GB internally. Lots of other players in that space and price range.

It does need to be GOOD...VERY good....though. The guys on Head-Fi are pretty picky!

I need a large capacity high end player, but I'm not willing to spend quite that much. Geekwave looks promising.

Comment: Re:What a nightmare (Score 1) 332

I wasn't talking about the technology at all. I mean, generally, it's so far off TOS it just doesn't even make sense at all. I would give them leeway to make it look cool and facilitate some story elements, but they're just off in lala land. It's a completely different universe.

What I was talking about is more the character development, the message, etc.
