
Comment Re:Outrageous (Score 1) 86

It wasn't a "small" mistake.

The investigation concluded that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements. Further, it determined that StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign's. When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA.

Comment Just one fund, not the foundation (Score 2) 231

Rockefeller family is big - note that only RFF made that announcement, not jointly with all their other funds or the foundation. It is still a grand gesture, and clearly makes a strong political statement, but I doubt the monetary impact is anywhere close to the Rockefeller foundation.
The Rockefeller Foundation - Founded in 1913, this is the famous philanthropic organization set up by Senior and Junior. Endowment of 3.4 billion.
The Rockefeller Brothers Fund - Founded in 1940 by the third-generation's five sons and one daughter of Junior. Endowment of 811 million.
The Rockefeller Family Fund - Founded in 1967 by members of the family's fourth-generation. Endowment ?

Comment Dual major (Score 1) 397

I strongly recommend for anyone considering a computer science degree to pick a dual major.

Mine was a hybrid telecommunications engineering and computer science degree - it was very interesting to observe those of us who clearly enjoyed programming and had the knack for it would elect for increasingly more programming and computer science oriented courses, while those who didn't had many other good course options. In our course of about 35 people, about half had the knack for programming while the other half always seemed to need help.

Comment Re:We're dealing with an imbalance of power here (Score 2) 211

I'm on the side of moving software engineering towards a Profession rather than Unionization.

Right or wrong, my impression of unions is that they are catered towards less skilled labor, while professions require a lot more skill that can be encapsulated by many certifications. Lawyers with their bar and accountants with their CPA are examples. I've no doubt many of us can easily come up with a fairly basic curriculum for basic certification - take for example Secure Coding practices. Given how diverse and specialized a lot of our work can be, I imagine a lot of esoteric certificates can be devised. Certifications would likely need to be renewed from time to time as well, considering how quickly technologies and techniques evolve. A profession centered around good education benefits everyone.

Comment Shutting down because no Executive Director? (Score 1) 223

Reading through the website, it seems the reason they're shutting down is because the current Executive Director is stepping down, and they haven't found anyone that's a good fit, or those who are a good fit don't want the job.

Reading through the job description - I think it kind of sucks. Salary 120k-160k which is apparently the market rate for this sort of position in San Francisco - doesn't seem very much. And the following paragraph jumped out:

While this job is fulfilling and supportive in many ways, it also has some serious downsides. As the visible leader of a feminist activism organization, many people will feel entitled to your time and energy without compensation and you will need to tell them no frequently so that we can fulfill our mission. We will provide you with experienced support in handling harassment and threats, as you will almost certainly be the target of these. Sometimes partners, sponsors, donors, or community members will pressure the Ada Initiative to do things contrary to its mission and you will need to stand up to them. Listening to and responding to reports of sexual violence, intimate partner violence, and criminal harassment are a frequent part of the job.

Comment the credit card playbook (Score 1) 112

The credit card system works pretty well - so easy to use that family members usually don't have any trouble using each other's cards. Behind the scenes however, there are comprehensive fraud detection systems, as well as clear responsibilities of fraud liability (usually card issuer).

I agree with another poster who mentioned that the onus of security should be mainly on the system - much more than the end user. What this means is that if you're going to set up any kind of password or multi-factor authentication system, it must be relatively easy to use. But then ensure there's an intrusion system in place that works in a similar manner to credit card fraud detection, where anomalies are quickly flagged and escalated for investigation.
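A sketch of the login anomaly flagging the comment above describes, added here as an example and not part of the original comment. The event format, score weights, time windows and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRAVEL_WINDOW = timedelta(hours=2)    # assumed: a faster country change is suspicious
FAIL_WINDOW = timedelta(minutes=10)   # assumed: look-back for failed attempts
ESCALATE_AT = 3                       # assumed score that triggers investigation
# Constructed sample events: (ISO time, user, country, device, outcome)
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "US", "laptop-1", "ok"),
    ("2024-05-01T10:00:00", "bob", "DE", "desk-2", "ok"),
    ("2024-05-02T08:05:00", "alice", "US", "phone-1", "ok"),
    ("2024-05-02T09:00:00", "alice", "BR", "tablet-9", "ok"),
    ("2024-05-03T03:00:00", "bob", "DE", "desk-9", "fail"),
    ("2024-05-03T03:01:00", "bob", "DE", "desk-9", "fail"),
    ("2024-05-03T03:02:00", "bob", "DE", "desk-9", "fail"),
    ("2024-05-03T03:03:00", "bob", "DE", "desk-9", "ok"),
]

def score_events(events):
    """Return (time, user, score, reasons) for each login that needs escalation."""
    seen = defaultdict(set)             # user -> {("country", x), ("device", y)}
    last_ok = {}                        # user -> (time, country) of last trusted login
    fails = defaultdict(deque)          # user -> times of recent failed attempts
    alerts = []
    for ts, user, country, device, outcome in sorted(events):
        t = datetime.fromisoformat(ts)
        while fails[user] and t - fails[user][0] > FAIL_WINDOW:
            fails[user].popleft()       # forget failures outside the window
        if outcome != "ok":
            fails[user].append(t)
            continue
        checks = []                     # (points, reason) pairs that fired
        if user in last_ok:             # the first login only builds the baseline
            prev_t, prev_country = last_ok[user]
            for points, kind, value in ((2, "country", country), (1, "device", device)):
                if (kind, value) not in seen[user]:
                    checks.append((points, "new " + kind))
            if country != prev_country and t - prev_t < TRAVEL_WINDOW:
                checks.append((3, "implausible travel"))
        if len(fails[user]) >= 3:
            checks.append((2, "success after repeated failures"))
        fails[user].clear()
        score = sum(points for points, _ in checks)
        if score >= ESCALATE_AT:
            alerts.append((ts, user, score, [reason for _, reason in checks]))
        else:                           # learn only from logins that were not escalated
            seen[user] |= {("country", country), ("device", device)}
            last_ok[user] = (t, country)
    return alerts
```

A new device alone scores below the threshold, so the user is not interrupted; only combinations of signals are escalated.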

Comment VLSI is hard (Score 1) 150

The final project of this VLSI elective course I took required each team to build three logical modules that would work together. I was responsible for the control and integration portion bringing together all the logical modules. I spent an entire sleepless night sorting out the issues. Our team was the only one that had a functioning chip (simulated) in the end. The lecturer wasn't surprised - most chips of any reasonable complexity require A LOT of painstaking (e.g. efficient routing, interference) work to get them working - often requiring certain modules to be pulled apart (or redesigned) so they integrate better with others.

Comment Potential can be incredible (Score 2) 264

Actually, if you're willing to take a risk and join a startup and have stock options, you can stand to gain an incredible amount. Most startups fail, but finding another job shouldn't be a problem.

What I suggest is to first find a relatively large stable corporation to work for after graduation. After 3-5 years experience, join a startup (do your research on them first of course) or a relatively new company that is planning to go public, and negotiate a nice chunk of stock options. It is likely there will be many long nights at work, but the energy and vibrancy will sustain you. Don't get married too early - if the relationship gets serious, live with each other for at least two years, and get a prenup.

Best area for this sort of lifestyle is still the US west coast, home of the venture capitalists.

But as another poster noted, it helps to have a certain love for this field that extends into your personal life - technologies evolve quickly enough that you should be constantly learning. From my fifteen years plus experience as a software engineer, there are very few people who have this sort of passion. Most prefer to settle into doing the same thing day in day out - their priorities shift elsewhere like to their families - the good news is that most larger companies need people like that, and still pay a decent salary.

Comment Audiophiles and NwAvGuy (Score 1) 288

I wonder how many of you find the faith based approach of many audiophiles silly (or disturbing). Nevertheless, it's amazing how large the audio industry has grown, in effect selling snake oil. For those of you who have not heard of NwAvGuy, he's an electronics engineer (most likely specializing in audio) who called BS on the racket - ran his own analysis to debunk expensive headphone amplifiers, and went so far as coming up with a cheap yet excellent reference design.

Comment secure software dev (Score 1) 135

Secure software development is something I've gotten into recently, and the growth potential there is excellent. Become familiar with BSIMM (Build Security In Maturity Model), in particular what they categorize as the SSG (Software Security Group). Here are some highlights from their document about the SSG:

The best SSG members are software security people, but software security people are often impossible to find. If you must create software security types from scratch, start with developers and teach them about security. Do not attempt to start with network security people and teach them about software, compilers, SDLCs, bug tracking, and everything else in the software universe. No amount of traditional security knowledge can overcome software cluelessness.

Submission + - Sourceforge staff takes over a user's account and wraps their software installer 11

An anonymous reader writes: Sourceforge staff took over the account of the GIMP-for-Windows maintainer claiming it was abandoned and used this opportunity to wrap the installer in crapware. Quoting Ars:

SourceForge, the code repository site owned by Slashdot Media, has apparently seized control of the account hosting GIMP for Windows on the service, according to e-mails and discussions amongst members of the GIMP community—locking out GIMP's lead Windows developer. And now anyone downloading the Windows version of the open source image editing tool from SourceForge gets the software wrapped in an installer replete with advertisements.

Comment Re:The absolute #1 contribution of Java (Score 1) 382

Seems to me that's the fault of the college/university for not teaching these concepts.

A good syllabus will teach students enough important concepts, and how to think with these concepts. It will also recognize different languages being better for teaching different aspects of CS. High level languages like Haskell are excellent for teaching algorithms. Prolog/Lisp for AI. C and assembly for low level concepts. Java IMO would be good for teaching concurrency/threading. At the end of the day, the student will be able to express the core portion of quicksort in a single line of code with Haskell, yet be able to convert it to Java, C or even assembly - and understand why you might need to do so, and the additional factors needed in lower level languages.

Comment Not a waste of time but... (Score 4, Informative) 125

Good courses and certifications are offered by the SANS Institute. Black Hat organizes one of the premier security conferences, and also hosts many interesting courses. Certifications and courses provide a great way to start learning about security along with some really esoteric specialties, but if you think a certificate is suddenly going to make your software secure, you'd be sadly mistaken. To be effective in computer security, you need to constantly learn and keep up with recent developments. If I were hiring a candidate I wouldn't care about certifications as much as the effort and interest the individual exercises in the extremely broad field - some humility wouldn't hurt either.

The mindset of a software developer working on secure or hardened software is also a little different - normally good developers focus on aspects such as clean design, extensible architecture, performance, and efficiency, but few tend to be aware of the things hackers do to exploit your code because you didn't do proper input validation, or ensure that you were protected against buffer overflows from maliciously crafted payloads.

More good resources for software developers:
- CERT coding standards
- OWASP, if you're doing anything related to the internet

There's a lot to learn, which is why courses can be useful to get you started. Here are some of the things you would learn:

Security occurs at many levels. Your software is the obvious focus. Also, the application or web servers they're hosted on if any, as well as the O/S. Your software might be pretty secure, but if you do not set up your web server properly you could get screwed as well. Given the pervasive nature of SSL/TLS, you should also be aware of security vulnerabilities in openssl (if your software or servers make use of it - most likely they do) and be able to understand the description and lingo used to describe the vulnerabilities. This is the more IT or sys admin oriented aspect of security. Some familiarity in this area is good.

Layered security design. Develop multiple security layers to protect your critical data. Do not rely on SSL/TLS only. Learn about public key infrastructure (asymmetric encryption algorithms), and their role with symmetric encryption algorithms like AES.

Understand what threat modeling and analysis is about. Familiarity with assurance case modeling is also interesting where you start to see the boundary between reliability and security become increasingly blurry.

Do not invent your own protocols/algorithms if you can find one that already exists, especially if it has a threat analysis to accompany it. Some courses go over some of the better known protocols for things like authentication or authorization, and how to deploy them correctly.

Comment Miranda anyone? (Score 1) 138

I was taught Miranda (precursor to Haskell) some twenty years ago in my undergraduate degree. To this day I still use functional programming (Haskell) to prototype any reasonably complex algorithm.

To give you an idea of how compact functional programming languages can express complex algorithms - here's quicksort:
qsort [] = []
qsort (x:xs) = qsort (filter (< x) xs) ++ [x] ++ qsort (filter (>= x) xs)

Coupling high level functions with closures gives us a very powerful tool to express complex algorithms.

Comment So how do you develop relatively secure software? (Score 2) 58

Here's what works in most practical systems with a little effort:
- Threat model. Sequence diagram of all external communication between all servers and clients. Apply STRIDE analysis. Maybe take a step back to see if you can simplify the workflow.
- Assurance model. State diagram of system. Capture success and error states. Unit tests for each case.

Add to that third party oversight:
- Static analysis tools.
- Third party verification.

I assume you're not developing mission critical systems that control functions in a nuclear power station, or even a car braking system. Rather you're looking at consumer or enterprise level systems that involve some confidential, and possibly credit card information. Short deadlines and budget constraints mean you can't spend forever coming up with a solid specification or even do extensive analysis.
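The "assurance model" item in the comment above, shown as an added example that is not part of the original comment: a state diagram written as a transition table, with every state and event pair enumerated so each gets a unit test. The two-step login flow and all state and event names are hypothetical.

```python
STATES = ("anonymous", "awaiting_otp", "authenticated", "denied")
EVENTS = ("password_ok", "password_bad", "otp_ok", "otp_bad", "logout")

# Edges drawn on the (hypothetical) state diagram. "denied" is the error state.
TRANSITIONS = {
    ("anonymous", "password_ok"): "awaiting_otp",
    ("anonymous", "password_bad"): "denied",
    ("awaiting_otp", "otp_ok"): "authenticated",
    ("awaiting_otp", "otp_bad"): "denied",
    ("awaiting_otp", "logout"): "anonymous",
    ("authenticated", "logout"): "anonymous",
}

def step(state, event):
    """Advance one event; any edge not on the diagram fails closed to 'denied'."""
    if state not in STATES or event not in EVENTS:
        raise ValueError(f"unknown state or event: {state!r}, {event!r}")
    return TRANSITIONS.get((state, event), "denied")

def run(events, state="anonymous"):
    """Feed a sequence of events through the machine and return the final state."""
    for event in events:
        state = step(state, event)
    return state

def all_cases():
    """Every (state, event) pair with its expected next state: one unit test each."""
    return {(s, e): step(s, e) for s in STATES for e in EVENTS}

def ways_into(target):
    """Pairs whose next state is `target`, to assert how a state can be reached."""
    return sorted(pair for pair, nxt in all_cases().items() if nxt == target)
```

Asserting that `ways_into("authenticated")` contains exactly one pair is the kind of property the state diagram is meant to guarantee: no event sequence can skip the second factor.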
