Comment: Re:Definitely interesting.... (Score 3, Interesting) 220

by nodwick (#35228102) Attached to: Anatomy of the HBGary Hack

I've been following this since I heard of it happening - definitely interesting. I like the idea of a custom CMS to avoid an open one (more security).

Sadly the moral of the story is the exact opposite - the custom CMS HBGary commissioned was actually less secure, as it appears not to have been subjected to proper security audits, nor was it being updated to patch discovered bugs. Direct from TFA:

Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary—for reasons best known to its staff—decided to commission a custom CMS system from a third-party developer. Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard—security flaws crop up in all of them from time to time—but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.

The very thing you consider a disadvantage in an open software system - the fact that anyone can discover bugs in it - also helps ensure that such bugs are publicized and fixed. With HBGary's custom CMS, the bugs were still there, but the only people looking were the ones specifically trying to break into their system. There can be a case for code obscurity, but if that's all you're relying on to protect yourself, I'd say you're really just burying your head in the sand.

Comment: Re:I take exception (Score 1) 828

by nodwick (#33090030) Attached to: What's Wrong With the American University System

Most universities have *INSANE* endowment funds. I've heard both Harvard and Michigan mentioned as schools that could offer their incoming freshman classes free education from undergrad through PhD without making so much as a dent in these funds.

Wouldn't it be neat if we could do a bit of research to see if the above were true? Oh wait, we can.

Harvard endowment: $25.7 billion

Harvard 2009-2010 undergrad tuition (excluding various student fees): $33,696

Admitted undergrads per year: 2,175 students

Total cost for 1 year of undergraduates to get their undergraduate degree, assuming everyone graduates and takes 4 years to do so (as a ball-park approximation):

>>> 33696*2175*4/1e6

That's $293 million dollars, or 11.4% of the total endowment. And that's just for undergrads, excluding graduate school, so I'd call that a "dent". They could keep it up for about a decade before going from having the nation's largest endowment to being bankrupt.

Comment: Re:Because.. (Score 5, Informative) 447

by nodwick (#31380652) Attached to: Why Paying For Code Doesn't Mean You Own It

Other posters have already said that legally it all depends on the license you work out with the customer, and they are correct.

Having said that, I find that the customer's expectations will depend on what the financing model for the product was. Typically when you get paid for software, it will have been developed under one of two models:

  • My company does the product development with its own money, and then sells the finished product to multiple customers. Examples are products like Microsoft Office or Adobe CS4. Typically customers assume that they're paying for just a license of the product, since they weren't involved in the actual creation of the code itself at all.
  • The customer has a specific need it needs to address, and hires and pays my company to develop software to address it. Most of the consultant arms of major software vendors operate this way; for example, OPNET (which makes a product called Modeler popularly used in simulating communication networks) develops some protocol models for Modeler this way. As the customer is directly involved in directly funding the development (often billing will involve paying for actual developer-hours, and is typically much more expensive than licensing an existing product), they'll usually expect to get the rights to the code as well.

If you're using one of the above approaches but want your licensing to work differently, the key is to make this clear to the customer up-front (managing expectations isn't something techies typically enjoy spending time doing, but it's a very important part of having a successful business relationship with your customer) and make sure all your legal wording is done correctly as well. I've worked at companies before where product development was funded by customers, but the need the customer wanted addressed was sufficiently general that the company wanted to retain the copyright and IP to resell to others. In this case, the customer was granted cheap or free perpetual licenses to use the software that was developed, but the contract was written so that the company retained the copyright and the right to sell licenses to others as well.

Comment: Re:The SS/Medicare comment is pointless (Score 5, Interesting) 339

by nodwick (#30872310) Attached to: Larry & Sergey To Cash In $5.5B of Google Chips

Except that money from capital gains is not subject to either Social Security or Medicare. Taxes for those programs are deducted from employment income, not investment income. Furthermore, capital gains tax rates are significantly lower than those for ordinary income - currently the former is capped at 15%, while the latter is 39%. Not a knock on the Google founders specifically, but rather on the wealthy in general - as Warren Buffett has pointed out, our tax system is skewed so that wealthy folks like himself pay an effective tax rate of 17.7%, while his secretary is taxed at 30%.

Comment: Re:Uh No (Score 5, Insightful) 582

by nodwick (#30584750) Attached to: Bruce Schneier On Airport Security

One of these days, when I have enough time before a plane flight, I'm going to follow the letter of the rules while showing off (in a non-threatening manner) how easily they can be worked around

You don't even have to work around the list of things you can't carry on board; items on the list get missed all the time. Jeffrey Goldberg of the Atlantic had an article from last year detailing all the things he's managed to sneak onto planes, including pocketknives, matches from hotels in Beirut and Peshawar, cigarette lighters, nail clippers, bottles of Fiji Water, and box cutters. He's even brought two cans' worth of beer through security by wearing a Beerbelly under his clothes and walking it through the metal detector. And this in spite of the fact that he was selected for secondary inspection at the time he was wearing it.

He's also tried forging and printing out his own boarding pass (with help from Bruce Schneier) and getting through security with it, with similar results:

I would try to pass through security with no ID, a fake boarding pass, and an Osama bin Laden T-shirt under my coat. I splashed water on my face to mimic sweat, put on a coat (it was a summer day), hid my driver's license, and approached security with a bogus boarding pass that Schneier had made for me. I told the document checker at security that I had lost my identification but was hoping I would still be able to make my flight. He said I'd have to speak to a supervisor. The supervisor arrived; he looked smart, unfortunately. I was starting to get genuinely nervous, which I hoped would generate incriminating micro-expressions. "I can't find my driver's license," I said. I showed him my fake boarding pass. "I need to get to Washington quickly," I added. He asked me if I had any other identification. I showed him a credit card with my name on it, a library card, and a health-insurance card. "Nothing else?" he asked.

"No," I said.

"You should really travel with a second picture ID, you know."

"Yes, sir," I said.

"All right, you can go," he said, pointing me to the X-ray line. "But let this be a lesson for you."