Tuesday, October 25, 2005

I Believe, I Believe...

devoted1.com:


And on the seventh day He said, "Oh, one more thing..."
-Jobs 3:15

Wednesday, October 12, 2005

A nerdish way to spend an evening

  • Get a laptop
  • Install stellarium
  • Go outside and bring:
      • binoculars or a telescope if you have one
      • a bottle of wine (or beer)
      • cheese
      • a blanket

Try a spot where there are no lights. It's hard if you're in the city, but it's really nice when there is darkness around.

Launch stellarium, see the sky. Enjoy.

I'm human, so sue me

Developers 'should be liable' for security holes - ZDNet UK News:
Making developers liable for security exploits is a stupid idea. The first problem with it is, who do we blame? Most of the security bugs nowadays are not your typical buffer overflow kind, which could have been prevented with careful programming. Most of the security bugs today have to do with interactions between system components. Let me explain.

There are two kinds of bugs, security or otherwise: bugs that reflect the programmer's lack of knowledge of a well-established coding practice or API usage, and bugs that, unless you have actually written the same code before in the same circumstances, you could not have predicted would occur.

If a web programmer takes a string from a user in a web form, and then passes that string unquoted to a shell, that programmer shouldn't be allowed within 15 feet of a web app. If a programmer writes a piece of code that interacts with other pieces of code, and the resulting interaction has a bug (which might be exploitable), we have an interaction bug. It's one of those "How could I have known?" moments we've all had. And if you sit and think about all the possible interactions before writing any code, you never get anything done.

What about liability? Assuming you have a sensible version control system in place, you can ask the question "Who wrote this piece of crap?" and get an answer. But who do you blame when the security bug is a result of a combination of changing APIs, implementing new features, fixing old bugs, etc.? The answer to "Who wrote this piece of crap?" is "a group of programmers working at different times". For the web app example, some of the code might have been written when it wasn't a web app at all. There is human history in the code. It was written by humans.

And humans make mistakes. There is no way to avoid that. We just screw up every once in a while. Depending on how much you have to pay for your mistakes, you might be afraid of doing anything daring again. For instance, if I write a little application (single author, so all the bugs are mine), and get sued because it has a security bug, guess how many more applications I'll be writing. None. The cost of making a mistake is too expensive.

If companies are liable, you're just moving the problem to management. Companies get sued, so they are hesitant to put new applications out there. Applications that are not being used are not being debugged, and are thus less secure.

Marcus Ranum wrote a great piece about this subject called Inviting Cockroaches to the Feast. It's a very good read.

Saturday, October 08, 2005

First BitMover Regatta

Last week we had the First BitMover Regatta. On Tuesday, BitMover rented a bunch of sailboats, and a group of employees raced across the San Francisco Bay. It was my first time on a sailboat, and I had an excellent time. I had been on a yacht before, deep sea fishing, but sailboats are an entirely different experience. Now I understand why Evi is sailing across the world. Sailing is too cool.

At around noon, we drove to Sausalito, where the sailboats were waiting for us at the dock. We divided into 3-person teams, and each team got a sailboat and a skipper. The skipper's role was giving us directions and basically taking care of us since not many people had sailed before. At the dock, we found our sailboat, a 42-foot Bénéteau 423. The Bénéteau 423 was one of the top 10 sailboats of 2003 according to Sail Magazine, and its price is around $165,000. Not bad at all! Upon boarding the sailboat, we met Stan, our skipper, who had been in the Coast Guard for 20 years before becoming a sailing instructor for the Modern Sailing Academy in Sausalito. He explained all the boat terminology (port is left, starboard is right when facing the ship's front, or rather, the bow) and taught us how to work the sails. We used the motor to get out of the docks, hung around the start line until the race started, and set sail towards San Francisco.

Stan asked for a volunteer to take the helm (steering wheel) and I immediately stepped forward (knowing that working the helm would be easier than pulling all the ropes). Since I had never been in a sailboat, I didn't expect it to lean that much. It's a little scary at first, but I was assured by Stan that they don't tip over under normal conditions (i.e. not in a hurricane). Driving that thing was fun, but it required a lot of attention. Basically if you let your attention drift for 10 seconds, you would slightly change course and lose the lift. If you lose the lift often enough, your skipper can order a Keelhauling, which I've been told is not pleasant. I must have done all right because we were going at about 3 knots towards San Francisco.

It took us a while to find the buoy where we were supposed to turn, but after a while, we found it and headed towards the Bay Bridge. We were going with the wind, which is really cool because you can go really, really fast. The course took us around Alcatraz, the famous prison where Al Capone was an inmate.

Seeing Alcatraz up close was quite a thrill. I have wanted to go to Alcatraz since 1994, when I first visited San Francisco, but because of various reasons, I have never taken a tour of "The Rock". After we went around Alcatraz, we headed back towards Sausalito, and the finish line. During that last segment, even though we were going more or less against the wind, we did a pretty good time. We won the race, crossing the finish line 7 minutes before the next sailboat.

We didn't have to return the boat until 5:00 pm, and we crossed the finish line at around 4:00 pm. What could we do in an hour? Well, that wasn't a hard decision: we convinced our skipper to take us to the other side of the Golden Gate Bridge. We set sail and managed to go to the other side. It was amazing being under the bridge. We got a little taste of the ocean too, with a slightly rougher sea than what the bay had been. After a quick turn, we got back to the dock, returned the sailboat and called it a day.

Once we were on land again, we were tired and hungry. We headed to the Buckeye Roadhouse in Mill Valley for dinner, and what a dinner we had! If you ever go to the Buckeye, try the Ahi tuna appetizer. It's unbelievably good.

After this first taste of sailing, I'm left wanting to learn how to sail. Who knows, maybe when I retire, I'll buy a sailboat and follow Evi's course around the World.

Sunday, October 02, 2005

Yet Another Stupid Idea

Single-play DVDs will never work, at least not for the rental market. Not only because they require new players, and of course the first thing I will do is get a new DVD player so that I can watch the new rentals only once. But because they don't interact well with how people watch movies. I often fall asleep while watching a movie, how would I see the ending? How about that phone call, or little emergency right in the middle of the movie? Or when I don't have 2 hours to watch the entire movie, but I'm willing to see 30 minutes now and the rest later?

People rent because it's more flexible than going to the movies. Taking away from people the flexibility of renting without giving them any of the advantages of movie theaters is not going to fly.

Unix died in 1982

If you look at this time history of Unix, you can see how after 1982 Unix became practically impossible to support. I mean, who was going to worry about compatibility between so many different flavors of Unix? I'm glad the list is short again in 2005. Now if only the GUIs had a standard ;-)