Comment A tradeoff. Million $ SOC vs data entry clerk (Score 0) 42

> HTTPS everywhere protects against the mass surveillance

To some extent it does. For simplicity, let's assume it did, completely. Your choices then are:

A) The NSA can tell that someone in your company viewed catvideos.com.
B) The NSA can't tell that someone viewed catvideos.com, and you get infected with malware that somebody put on catvideos.com.

It's not clear that (A) is always preferable. Obviously that doesn't mean you should never use TLS. It means there is a tradeoff.

> there's always a way to get around the firewall

No, that's the difference between an actual real firewall, which is installed on the network at the demarc, and "personal privacy software", which runs on the host. A firewall has two network ports. One connects to the internet (or other "outside" network), the other connects to the internal network. There is literally no physical path for signals to travel except through the firewall. There's physically no way around a hardware firewall, no wires for packets to travel through. All packets go *through* the firewall.

You can also do some checks on the local host, but given you must assume the local host is compromised, you don't trust the local host to identify the malware that it's infected by. Any anti-virus anti-malware on the host is *always* auxiliary to monitoring from a trusted system. Also, the local host obviously can't detect anomalous botnet traffic when a worm infects your network, sweeps trying default and common passwords across your network, etc.

You get much better security by having dedicated security appliances (some of which cost $20,000 or more, not practical to run one for each desktop and laptop), managed and monitored 24/7 by the SOC, looking at a holistic view of the entire network, rather than trusting a potentially infected laptop, run by an accountant, clerk or manager, to protect itself. Frankly, your perspective of security is very much that of a typical home user in 1995. That's not how it's done in the enterprise, and that's not how it's done in 2017. Our SOC, as an example, employs about 200 security specialists. CorpSec is probably another 40 specialists. We've moved a bit beyond installing McAfee and thinking we're protected. Those 200 specialists in the SOC can't monitor and manage things nearly as well if they can't see anything, though. 10,000 encrypted TLS connections don't provide many actionable events.
Btw, you mentioned "(as opposed to IP / site blocking)". Where do you think the IP blacklists come from? They come from the SOC, both ours and Cisco TALOS. They are based on what we learn about traffic flows from those IP addresses - because we can *see* the malware being delivered from those IPs.

Comment Worse than that, it hides the malware on WordPress (Score 1) 42

> But why the FUCK do I have to do it on someone's stupid WordPress or Joomla site?
> Hell, even company sites. If all they're serving is flat HTML content who gives a shit about HTTPS?
> But NO! Their website is now SUSPECT! Are you REALLY sure you want to ENDANGER yourself?

It's worse than that. The WordPress or Joomla site, where you're not entering any personal information and therefore have no need for HTTPS, is a very common vector for malware. The kind of malware that your company's firewall is set up to block. But of course it can't see and block the malware encrypted via https. A lot of security, protection from malware, phishing, etc, requires visibility into what's happening on the network. Encryption is very useful when applied properly in the proper places, but https everywhere also has a very real security *cost*. Every security-related decision will have both costs and benefits.

It is wise to consider both costs and benefits and apply the right tools for each situation. *Anything* "everywhere" is probably less than ideal.
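Added example, not from either of the two comments above: a toy perimeter inspector run over constructed flow records, showing the visibility tradeoff both comments describe. Content signatures can only be applied to plaintext HTTP bodies, while IP reputation (the SOC's block list) still applies to TLS flows; the log format, addresses, block list and signature are all constructed for this illustration.

```python
import re
from collections import Counter

# Constructed IP block list, standing in for the feed a SOC builds from observed flows.
BLOCKLIST = {"203.0.113.9"}

# Constructed content signature for a plaintext HTTP body (hypothetical marker).
MALWARE_SIGNATURE = re.compile(r"eval\(unescape\(")

# Constructed flow-log format: src dst proto(http|tls) host body-or-dash
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+) (?P<proto>http|tls) (?P<host>\S+) (?P<body>.*)$"
)


def classify_flow(line):
    """Verdict a network-side inspector can reach for one flow record."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    f = m.groupdict()
    if f["dst"] in BLOCKLIST:
        # IP reputation needs only the packet header, so it works with or without TLS.
        return "blocked:ip-reputation"
    if f["proto"] == "http":
        # Plaintext: the payload can be matched against content signatures.
        if MALWARE_SIGNATURE.search(f["body"]):
            return "blocked:content-signature"
        return "allowed:inspected"
    # TLS: only destination IP and server name are visible; the payload is opaque.
    return "allowed:uninspected"


def summarize(lines):
    """Count verdicts over a batch of flow records."""
    return Counter(classify_flow(line) for line in lines)


# Constructed sample flows: the same page fetched over plain HTTP and over TLS.
SAMPLE_LOG = [
    "10.0.0.5 198.51.100.20 http catvideos.example <html>eval(unescape('%6d...'))</html>",
    "10.0.0.6 198.51.100.20 tls catvideos.example -",
    "10.0.0.7 203.0.113.9 tls bad.example -",
    "10.0.0.8 198.51.100.30 http news.example <html>plain page</html>",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_flow(line), "<-", line[:45])
    print(summarize(SAMPLE_LOG))
```

The second record is the same malicious page as the first, but over TLS it yields no content verdict; only the block list still fires on the third record.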

Comment That's a broad question - Experience, break it dow (Score 1) 214

That's a bit of a broad question. At a broad level, I suppose the answer is:
Tasks are decomposed into chunks of a manageable size, chunks that will be done by one person, and might take anywhere from 30 minutes to 3 days to do.

Then based on experience each member of the team says how many points they would say for each, where the allowed values for points are: 1, 3, 5, 8, 13. The "missing" numbers help avoid getting bogged down in deciding whether it's a five or six; six isn't even an option.

Comment One great req solution I was taught, and a backup (Score 2) 214

> I don't know any easy solution to that: mind-reading machines don't exist.

I came across a solution that works really well, whenever you can possibly do it. First, let's be clear about the most common method, which does NOT work. Most commonly, the users' boss talks to someone, maybe a product manager, about what they think the users need. Then the product manager or whoever talks to the developers about what they think the users' manager said. That doesn't work very well most of the time.

Most of the time, new software is needed to handle a process that is currently being done by hand, perhaps on paper or in Excel. Maybe you're replacing legacy software. Normally, the job is getting done *somehow*. So go *watch* the job being done. If it's being done on paper, watch the person do it on paper. Follow the piece of paper as it is filed with another department and they type the information into some computer system. While watching the person do the job manually or via the legacy software, ask questions and take notes. Then if possible try to do it once with them watching you and correcting your mistakes. Now you know pretty much exactly what's required to get that task done, because you've just done it by hand. Ask what kind of exceptional conditions come up - what kinds of weird things happen that cause a change in the process? Obviously you'll code for those specific exceptional conditions, but also that lets you know what general *types* of variation there might be, meaning where you should try to build some flexibility into your system. When you discover there are three different types of X, you'll build X modularly, knowing that another type of X may come up.

If it's not possible to actually watch the line people doing the job, at least try very hard to get them on the phone. Talking to the actual users, asking them what's frustrating about their current process, will tell you a lot about the requirements that you won't get from listening to your boss talk about what their boss said.

Comment Tracking weeks works better than hours (Score 1) 214

I've used Fogbugz. I totally agree with this:

> In practice, it is hard to remember to clock into the task that you are working on, and to clock out of the task you are working on

What has worked much better for us has been tracking what we actually accomplish in a two-week sprint. We estimate each task using "points", which are a completely artificial construct designed solely to indicate one job will probably take about the same amount of time as some other job, while a third one will take twice as long. At the end of each two-week sprint, we can see that we usually accomplish about 65 "points" of work. So we can assign points to a group of tasks, divide by 30, and that's how many weeks. But we don't think about weeks when assigning points - a task is a 5 point task if it should take about as long as previous 5 point tasks.

Comment Each dev consistently off by a constant factor (Score 2) 214

That's similar to what I've experienced and seen reported in studies. When I say "10 hours", that really means "10 times X hours", but that X factor is relatively consistent. Each of my teammates is similar - they are always wrong, but normally by the same multiplier each time.

Developers tend to be reasonably good at estimating the RELATIVE amount of work, they can say "job A will probably take twice as long as job B". This assumes the work is broken down into pieces small enough to estimate. What they tend to NOT be good at is saying how many hours, days, or weeks.

That's where Scrum "story points" come in. We assign each task a number of points. Historical data shows that we can complete 65 points in a two-week sprint. That's relatively consistent.

Some tasks will take longer than expected, some less, but that tends to average out over two weeks of a four-man team. The four of us complete 65 points per sprint.

Comment Long-term broad market net of inflation (Score 1) 524

That's the overall long term average US stock market return net of inflation. As you might expect*, returns tend to be higher when inflation is higher, and lower when inflation is lower. Therefore the net-of-inflation return is actually fairly steady at 7%-8%.

Obviously a late 2008 early 2009 time period causes people to worry, but we're talking about 30 years of saving followed by 30 years of withdrawals. That will surely include some good times and some bad times. 2008 AND 2002-2007, AND 2009-2017. In the last 20 years, the Dow has gone from 11,000 to 21,000. In the last 10 years, from 15,000 to 21,000.

* Consider that bonds compete with stocks on price, aka discount, aka return. Obviously bonds must pay high rates when inflation is high. When bonds pay higher net rates, buyers go to bonds, and leave stocks cheap in terms of PE, increasing stock returns.

Comment It's called "interest" (aka dividends aka returns) (Score 0) 524

Here's the real quick run down for you.

There's something called a "mutual fund". It's a way to invest in lots of companies at once. A specific type, the "index mutual fund", means you are investing in 200 of the largest companies. That's pretty damn safe long term - Coke, Walmart, Toyota, etc aren't all going to go bankrupt any time soon. By investing in an index fund, you'll get paid about 8% per year more than inflation. So if you invest $100, every year you'll get paid about $7-$8 plus a bit more that covers inflation.

If you want to spend about $60K / year in retirement, that means you need to have about $850K invested. (7% of $850K is $60K). In other words, $850K invested will provide a PERMANENT income of about $60K.

That does NOT mean you need to put $850K into your investments, because your investment (your index fund) is growing *while* you're working. To have $850K 30 years from now, about $580/month needs to go into your index fund. That doesn't mean *you* have to put in $580 each month, though. Most employers match retirement savings (that match is basically free money for you). Typically, you need to put in about $373 / month and your employer will match half of that, $186 / month.

So you put in $373 / month, your employer puts in $186, and after 30 years you have a *permanent* source of income that produces $60K / year forever.

Comment Truth a discussion about the UL (underwriters labs (Score 2, Interesting) 268

Everything I can find that actually cites a source indicates that the President's proposal directs the EPA to look into the possibility of spinning it off to operate like Underwriters Laboratories (UL) operates - with actual testing, and self-funding rather than taxpayer funded and government run.
