
Twitter Hit With Second Worm In a Week

CmdrTaco posted about 4 years ago | from the security-is-hard dept.

Social Networks

adeelarshad82 writes "Days after a site update unleashed a Twitter cross-site scripting attack, the micro-blogging site was again hit with a bug that spread via questionable links. The offending messages appeared on a user's Twitter feed with 'WTF:' followed by a link. If you clicked on that link, you were taken to a blank page, but behind the scenes, the worm would post vulgar messages on your account that discussed, well, sex involving goats."


97 comments


where is that goatsex link when you need it? (1, Funny)

ehack (115197) | about 4 years ago | (#33713414)

where is that goatsex link when you need it?

Re:where is that goatsex link when you need it? (5, Informative)

ShaunC (203807) | about 4 years ago | (#33713504)

WTF: Goatse [goatse.fr]

Re:where is that goatsex link when you need it? (5, Funny)

Anonymous Coward | about 4 years ago | (#33713560)

Now I've seen everything!

A link to goatse is at "+2 Insightful" as I type this.

A historical day at slashdot to be sure

Re:where is that goatsex link when you need it? (2, Funny)

AnonymousClown (1788472) | about 4 years ago | (#33713628)

That's because goatse is on topic and appropriate in this case. It's also on topic whenever anything to do with Congress comes up.

Geeze!

Re:where is that goatsex link when you need it? (0)

Anonymous Coward | about 4 years ago | (#33713772)

That's because goatse is on topic and appropriate in this case.

You can now get goatse from teh Twatter?

Kewl......

Re:where is that goatsex link when you need it? (3, Informative)

Jedi Alec (258881) | about 4 years ago | (#33715290)

Next up: Twitter worms that discuss Natalie Portman naked and petrified, GNAA trolls and of course the classic penis bird.

Re:where is that goatsex link when you need it? (1)

mahoney.d.82 (1884354) | about 4 years ago | (#33733090)

OK, I know I shouldn't be clicking on anything with the word "Goatse" in it, so it's kinda my fault... But what about a big freakin NSFW beside that link?

Re:where is that goatsex link when you need it? (0)

Anonymous Coward | about 4 years ago | (#33714066)

It's like a classic British mistake: The UK military wanted to go with the times and registered a site on the internet called getfitta, after their training routine Get FitTA [telegraph.co.uk] .... what they didn't realize was that in Swedish, getfitta is a rude name for goat genitalia.

Goatse Worm? (3, Insightful)

WrongSizeGlass (838941) | about 4 years ago | (#33713420)

It's no surprise that you could get worms from having sex, well, with goats.

Re:Goatse Worm? (0)

Anonymous Coward | about 4 years ago | (#33715494)

Yeah, moral of the story: don't French kiss goats before having sex with them.

Re:Goatse Worm? (1)

stdarg (456557) | about 4 years ago | (#33716798)

I have never gotten worms from having sex with goats. Maybe vacuously true, maybe not...

I guess this script is baaaad for you. (1)

Even on Slashdot FOE (1870208) | about 4 years ago | (#33713426)

And I'm still not as bad as the Twit-head who lets scripts like that get Twitted in the first place.

Twit.

Re:I guess this script is baaaad for you. (4, Informative)

Bill, Shooter of Bul (629286) | about 4 years ago | (#33713524)

No. This is a Cross site Request Forgery attack. The Script in this case, was on the linked site, not in the tweet.

For those not in the know:

OWASP Cross Site Request Forgery Prevention Cheat Sheet [owasp.org]

Re:I guess this script is baaaad for you. (0)

Anonymous Coward | about 4 years ago | (#33714058)

Could standards be created to prevent these types of attacks from occurring? It seems this is a problem worthy of a fix. I know there are work-arounds and design patterns for application developers, but couldn't this attack be prevented if we add another layer to the HTTP protocol to prevent this from occurring in the first place?

What about HTTPA:// for authorized?

Re:I guess this script is baaaad for you. (2, Interesting)

Yvan256 (722131) | about 4 years ago | (#33714962)

What about stopping that stupid cross-domain mess and only allow subdomains to be used? Sure it's going to break a lot of things (including banners...), but it would solve a lot of problems.

Re:I guess this script is baaaad for you. (4, Informative)

nacturation (646836) | about 4 years ago | (#33714166)

This post explains it quite well: http://www.andrewnacin.com/2010/09/26/csrf-twitter/ [andrewnacin.com]

Essentially, just create one or more iframes, with the iframe source set to http://twitter.com/share/update?status=WTF+PAYLOAD [example.com]

As long as you're logged into Twitter via the web, it will auto-post that update without any request for permission from you.

Re:I guess this script is baaaad for you. (0)

thePowerOfGrayskull (905905) | about 4 years ago | (#33714238)

So... um... don't click the link without verifying it with the sender?

This is a basic common sense fail of the variety that keeps anti-virus vendors in business. In fact, I'm sure that right now AV companies are cooking up great Extended Plus products that will Protect you from the Evils of Twitter.

Re:I guess this script is baaaad for you. (3, Insightful)

miffo.swe (547642) | about 4 years ago | (#33714614)

The fucking point of the internet is clicking on links. Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken. If you have to verify every damn link you could as well just go for chess by physical mail and penpals instead of the internet.

The user uses the internet as intended, the developers, not so much.

Re:I guess this script is baaaad for you. (1)

Plekto (1018050) | about 4 years ago | (#33715248)

Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken.

Correct. The two most common operating systems are truly broken at this point and need a full re-write with security as their primary goal. Apple does a bit better, but it's a security joke right out of the box. Windows is a mass of Swiss cheese that has a welcome sign up. And you're right, playing whack-a-mole never works. And, no, Linux also is no magic cure, either. It just has too few users to be a target of botnets and the like.

We need a new generation of operating systems that do it right and are designed from the beginning with the idea that your machine WILL be attacked and it WILL be online and vulnerable unless it's designed to make it difficult for hackers.

Re:I guess this script is baaaad for you. (1)

thePowerOfGrayskull (905905) | about 4 years ago | (#33716418)

You're aware that there is only ONE way to make this secure OS you speak of, right? The walled garden. You must only allow access to carefully hand selected applications. You must not allow any interpreted language to execute (including javascript) unless you can vet the code. You must not allow updates to be received from any source but the True Source, after manual review for approval.

Sound familiar? Except even Apple doesn't go far enough - the source code itself must be reviewed for every app in the garden in order for true security. No client app may be permitted to execute instructions originating from an external system (including , for example, an HTTP redirect). Your reviewers must also be subject to strict scrutiny, and your reviewer-reviewers and....

In other words, there is no technical solution to this problem. The walled garden presents a reasonable compromise (for people willing to accept it), but there is no true solution when you have an end user with control over his own machine connected to the Internet.

Re:I guess this script is baaaad for you. (1)

vadim_t (324782) | about 4 years ago | (#33716624)

No, the walled garden is just as flawed. It fails as soon as whoever maintains it lets the wrong thing in.

The real security approach is more like SELinux, where any random application is prevented by the system from accessing more than it's supposed to be able to. So for instance, a secure MP3 player is only capable of playing music, even if exploited via a buffer overflow, because the process itself has no ability to do anything but reading MP3 files and outputting sound.

The problem with Twitter is that the web moved from static content to combining code and data, so any input needs to be carefully sanitized. The fix is making sure that any input sent to Twitter is properly escaped so that it can never, ever reach outside its bounds and execute. There's no need to manually vet, or use an antivirus-like approach then.

Re:I guess this script is baaaad for you. (1)

thePowerOfGrayskull (905905) | about 4 years ago | (#33719256)

I agree re: walled garden (hence my final comment about "no technical solution") for exactly the reason you state.

But SELinux can't do it either - if you think about it, it's just another kind of walled garden. *somebody* has to decide what apps are allowed what permissions.

As far as the twitter issue - it's more insidious than that. Because a tweet can be posted via a GET URL, anything that causes the browser to redirect to a static URL (even a standard HTTP 302 redirect) can cause this; it's not a case of sanitizing inputs, because the inputs are all valid. And because the request comes from a user who remains logged in via preference... twitter has *no* way of knowing if the request is real or not.

The problem is more insidious than it seems. It's not specific to GET requests (even though this hasn't been discussed yet - people are still blaming the RESTful nature of Twitter end points) - though GET requests do make it so that javascript is not required to perform the exploits. A script could just as easily silently POST the same data.

The only change I can see working in a foolproof fashion is to require a random unique ID from any browser-based request that's single-use and provided by twitter in the posting form. Ideally you'd also move service requests to a new host that requires credentials to be included with every request.

Re:I guess this script is baaaad for you. (1)

Plekto (1018050) | about 4 years ago | (#33719808)

SELinux, while flawed, is a massive step in the right direction, though. I'd liken it to at least putting up security cameras and reinforced plexi-glass at the local bank. It won't stop real hardened thieves, but it will deter the random criminal most of the time. As it is, on my Windows box, I have to have the following running:

  • Registry locker. Massive oversight by MS that I have to ADD back in.
  • Firewall to lock all unused ports and sharing/connections *by default*. Also a massive oversight that I have to effectively add back into the OS.
  • Popup Blocker - because most browsers still assume, wrongly so, that the default state is happy and nice and trusting. Especially where Java is concerned.
  • AV software - because the security is still a massive headache.
  • DNS blocker - because this also was not part of the system by default. (it does exist, but it's useless garbage)

5 programs just to get online. And it's only going to get worse until the OS makers get rightfully paranoid and distrustful.

Re:I guess this script is baaaad for you. (1)

vadim_t (324782) | about 4 years ago | (#33723990)

SELinux, while flawed, is a massive step in the right direction, though. I'd liken it to at least putting up security cameras and reinforced plexi-glass at the local bank. It won't stop real hardened thieves, but it will deter the random criminal most of the time. As it is, on my Windows box, I have to have the following running:

Why not? How do you think they'll get around it?

5 programs just to get online. And it's only going to get worse until the OS makers get rightfully paranoid and distrustful.

And that reminds me why I don't use Windows anymore. Not good out of the box, lots of third party software required that slows the system down to a crawl and constantly wants attention, and which eventually is almost guaranteed to do something fishy or outright against your interests.

Examples:
Zone Alarm, which makes it sound like it's saying you've got a virus [slashdot.org] (unless you read very carefully) and suggests to pay money.
Antivirus companies, for instance Symantec, which worked closely [cnet.com] with the maker to avoid reporting the Sony rootkit.

No, this is most definitely the entirely wrong way to do security. Not only does it miss things, sometimes it actually sides with the very thing it's supposed to protect from.

Re:I guess this script is baaaad for you. (1)

miffo.swe (547642) | about 4 years ago | (#33716946)

While Linux isn't a magic cure it has been and continues to be well ahead of Windows. Coupled with SELinux I would dare to say it's pretty darn secure. If viruses become a problem I'm 100% sure the solution on Linux won't be antivirus as it's a flawed and utterly stupid kind of action that does not address the underlying problem.

My fav security OS right now is Chrome, mostly because it regards the user himself as a security risk and doesn't throw a UAC tantrum pushing any security related issue over onto the users, shifting the blame away.

Re:I guess this script is baaaad for you. (2, Interesting)

thePowerOfGrayskull (905905) | about 4 years ago | (#33716024)

And as I said above... if I see a link that's immediately followed by some spam about leisure activities with barnyard animals, I'm gonna question that link.

Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken

I agree that all of the above are a waste of time - you can't keep up. But you also can't blame the OS because it's no more capable of keeping up (unless it's a true walled garden - which works well for some people.) than OS vendors are. My point - and I don't see how it was missed - was that "security" vendors will jump on this bandwagon claiming that they can "fix" this problem when it's a problem that can only be solved via user education.

(What I didn't say is that's also no solution at all. Users - rightfully I feel - don't want to be educated extensively in security practices when to their perspective they're using a simple tool. )

The user uses the internet as intended, the developers, not so much.

I agree. This exploit could just as easily be done without XSS. Someone clicks a link that says "check this out"; which in turn does an HTTP redirect to a GET URL that does the exact same thing. No script required.

But there's also no OS currently in existence that can prevent this. Users click links, often blindly. Just because it's not fair that they need to do so intelligently doesn't change the fact that they must be responsible for what they click on.

Re:I guess this script is baaaad for you. (3, Insightful)

Anonymous Coward | about 4 years ago | (#33714658)

So you're saying that every single time a friend posts a link, you phone or email them and ask if you actually posted a link, and want a description of the page linked to?

Wow... you're a douche. If you were my friend, I'd have long since put you into a group that can't see my updates, or just de-friended you altogether.

Re:I guess this script is baaaad for you. (1)

thePowerOfGrayskull (905905) | about 4 years ago | (#33715686)

No, I'm saying that if my friend posts a link and also posts to discuss his carnal relations with barnyard animals, yer damned skippy I'm gonna check with him first.

Wow... you're a douche. If you were my friend, I'd have long since put you into a group that can't see my updates, or just de-friended you altogether.

So you're saying you DO enjoy carnal relations with barnyard animals? Oops, my bad...

Sigh... (1)

BrokenHalo (565198) | about 4 years ago | (#33714056)

This exploit is no better or worse than any other social engineering attack that would work just as well via email or any other internet channel.

I don't use twitter, facebook or any other social networking site, so my interest is academic. But there is no excuse for people clicking on dodgy links, given the prominent media exposure that such exploits receive. Natural selection at work...

Great - more 4Chan? (1)

Algorithmnast (1105517) | about 4 years ago | (#33713446)

As funny as this could be, I certainly wouldn't want people to see these things coming from me.

Of course, I don't USE twitter.

Any un-protected protocol is a viable route for hacking, and a single vulnerability can allow someone to do whatever they want with your computer. Is it so ridiculous to suggest that software shouldn't just be puked out by anyone that can type?

Re:Great - more 4Chan? (2, Insightful)

Dancindan84 (1056246) | about 4 years ago | (#33713540)

You have to use twitter and be the type of person who clicks on questionable links without regard. This worm sounds like watching Darwinism in action in the digital age.

Re:Great - more 4Chan? (1)

AvitarX (172628) | about 4 years ago | (#33713880)

questionable is a friend saying WTF: though.

Trusted source, something someone may regularly do. As far as dubious links go it is quite well formed.

Re:Great - more 4Chan? (1)

thePowerOfGrayskull (905905) | about 4 years ago | (#33714356)

Noo.... questionable is a friend saying WTF, providing a link, then posting another update talking about goat sex ;)

Re:Great - more 4Chan? (1)

fishexe (168879) | about 4 years ago | (#33714004)

This worm sounds like watching Darwinism in action in the digital age.

I wish. If only worms like this knocked people off the internet permanently.

Re:Great - more 4Chan? (4, Insightful)

amicusNYCL (1538833) | about 4 years ago | (#33714214)

You have to use twitter and be the type of person who clicks on questionable links without regard.

Which of these links is "questionable":

http://tinyurl.com/2tx [tinyurl.com]
http://bit.ly/heezy [bit.ly]
http://xrl.us/bh2p3m [xrl.us]

That's what all of the links on Twitter look like, which are OK and which are questionable? How does one distinguish?

Re:Great - more 4Chan? (5, Insightful)

Dancindan84 (1056246) | about 4 years ago | (#33714250)

All of them. I don't click on shortened URLs. Nor should anyone who isn't a Rick Astley or Goatse fan.

Re:Great - more 4Chan? (4, Informative)

icebraining (1313345) | about 4 years ago | (#33714528)

Or you could install this GM script [userscripts.org] which expands them to the real URL without actually loading it.

Re:Great - more 4Chan? (2, Insightful)

Dancindan84 (1056246) | about 4 years ago | (#33715976)

So people send a URL to a shortening service and receive a shortened URL they can post/send to me, and I can use a GreaseMonkey script that contacts the service and caches results to decode that shortened URL into the original URL they shortened... I understand we're not in the days of memory being measured in KB or 9600 baud modems, but this is retarded. Most phones aren't even bound by a character limit in SMS anymore. If a URL is stupidly long due to variables being sent, it's not hard to shorten a link without a stupid 3rd party service. Is it? [slashdot.org]

Re:Great - more 4Chan? (1)

Abcd1234 (188840) | about 4 years ago | (#33716058)

So people send a URL to a shortening service and receive a shortened URL they can post/send to me, and I can use a GreaseMonkey script that contacts the service and caches results to decode that shortened URL into the original URL they shortened... I understand we're not in the days of memory being measured in KB or 9600 baud modems, but this is retarded.

Umm, no, it's not.

Let's see, Twitter limits the length of the message you can send.

URL shortening services decrease the length of URLs.

Do I need to put two and two together for you?

Re:Great - more 4Chan? (1)

Dancindan84 (1056246) | about 4 years ago | (#33716114)

Yes, and Twitter limits the length of the message you can send because of a now mostly defunct cell phone limit on SMS messages. Which I mentioned. So apparently I needed to put two and two together for you.

Re:Great - more 4Chan? (1)

amicusNYCL (1538833) | about 4 years ago | (#33716216)

The limit for SMS still exists, most phones just automatically wrap it to 2 or more messages for you if you type more than 160 characters. If a single message is longer than that, then it's not SMS (or your phone is smart enough to combine several messages into one, if it wants to wait to see if more than one comes in).

In the end, it doesn't really matter why Twitter limits the length of their messages as long as they do so. It only matters that they do, not why they do.

Re:Great - more 4Chan? (1)

Dancindan84 (1056246) | about 4 years ago | (#33716374)

  • People use shortened URLs. Why? A big reason is twitter's character limit, and because of stupidly long URLs (the latter of which is easy to get around)
  • So, twitter has a character limit. Why? Because they designed the system with the same limit as cell phone SMS to make integration with cell phones easier
  • So, cell phones have an SMS limit... well not so much anymore. A lot of phones have browsers and just use web services like twitter directly, so the limit isn't a problem with them. And out of those that do use SMS, the limit may not be an issue because of the way they can chain multiple SMSs together for ones too large.

Once you get down to the root, it looks like the limit could be removed with minimal disruption to their end users. Which would remove the handcuffs from their users in terms of message length. Which would remove the need for URL shortening services. Which would eliminate a rather large security/annoyance issue.

I don't use twitter (and as I mentioned earlier refuse to click on shortened URLs because I easily get songs stuck in my head...) so I don't care, but the why is always important if you want things to change.

Re:Great - more 4Chan? (1)

amicusNYCL (1538833) | about 4 years ago | (#33717010)

URL shortening was around before Twitter. That service started in response to things like instant messaging. People just think shorter URLs are more attractive than larger ones. So the only solution is to shorten all real URLs, and that's not really going to happen. URL shortening services are a bad idea in general, if bit.ly or tinyurl.com shuts down or loses their data then all of these links online are now dead, even though the content is still there. But as long as people think brevity is attractive, people will use those services. It doesn't really have much to do with Twitter, that's just a perfect use for them. Some URLs alone are larger than the character limit on Twitter, so sometimes it's necessary.

Re:Great - more 4Chan? (1)

PPalmgren (1009823) | about 4 years ago | (#33716106)

Because of the ridiculous character limit on twitter and texts, and the fact that not all sites are created of equal or sensible URL lengths.

Re:Great - more 4Chan? (1)

icebraining (1313345) | about 4 years ago | (#33716898)

I agree with you, and I don't create such URLs, but other people do, hence the GM script.

Personally, I think Twitter should just strip out URLs before sending them through SMS. If the person doesn't have Web access to read the Twitter updates, the URL will probably be useless anyway.

Re:Great - more 4Chan? (1)

amicusNYCL (1538833) | about 4 years ago | (#33716184)

Or you could install this GM script [userscripts.org] which expands them to the real URL without actually loading it.

What about all of the Twitter users using IE? How do they know what's safe to click on? Should people be expected to install software to expand shortened URLs?

Re:Great - more 4Chan? (1)

icebraining (1313345) | about 4 years ago | (#33716856)

People should be expected to do whatever the hell they want, why should I care? If you don't want to install software don't click on tinyURLs.

And if some people can't figure out how to install an extension, an expanded URL probably won't be more useful than a tiny one.

Re:Great - more 4Chan? (1)

amicusNYCL (1538833) | about 4 years ago | (#33717162)

And if some people can't figure out how to install an extension, an expanded URL probably won't be more useful than a tiny one.

That's right. So tiny URLs are not the issue.

Re:Great - more 4Chan? (1)

amicusNYCL (1538833) | about 4 years ago | (#33716160)

That's great, but that's not practical for most people. This comes back to the expected level of (internet) education for internet users, and the fact that most internet users are operating at a lower level than a lot of people like you or I think they should be. For most people, when one of their friends sends them a link on Twitter they're going to click it, it doesn't really matter where it goes.

Re:Great - more 4Chan? (1)

TheLink (130905) | about 4 years ago | (#33714388)

You can turn preview mode on for tinyurl, so you can tell that link goes to google.com without having to actually go there.

As for the rest, good luck :).

Re:Great - more 4Chan? (1)

Culture20 (968837) | about 4 years ago | (#33715222)

Could you change your bit.ly link in your sig to a tinyurl link please? kthxby

Re:Great - more 4Chan? (1)

TheLink (130905) | about 4 years ago | (#33715906)

OK done... Better now? :)

Re:Great - more 4Chan? (2)

lul_wat (1623489) | about 4 years ago | (#33715796)

http://unshorten.com/ [unshorten.com]

That said, I don't even bother clicking shortened links or unshortening them.

Re:Great - more 4Chan? (0)

Anonymous Coward | about 4 years ago | (#33717834)

switch to dialup and click stop before it actually loads the page

Re:Great - more 4Chan? (1)

listentoreason (1726940) | about 4 years ago | (#33718954)

Just give in and use Shady URL [shadyurl.com] instead. For example, link to this article: http://5z8.info/5waystokillwithamelon_f9j6f_hitler [5z8.info] .

Re:Great - more 4Chan? (1)

amicusNYCL (1538833) | about 4 years ago | (#33725658)

OK, that's funny. I still don't like the concept of URL redirectors, but that's funny.

Re:Great - more 4Chan? (1)

amicusNYCL (1538833) | about 4 years ago | (#33725734)

The Geocities-izer is brilliant.

Re:Great - more 4Chan? (1)

nacturation (646836) | about 4 years ago | (#33714240)

You have to use twitter and be the type of person who clicks on questionable links without regard. This worm sounds like watching Darwinism in action in the digital age.

Clicking the link is not necessary for this attack to work. All that's needed is visiting a compromised webpage. If a prominent website were hacked, every Twitter user who was logged in and visited that site would have been affected. Twitter's heavy reliance on stupid shortened "surprise links" (and the gullibility of those who click on them) doesn't help things, of course. But this attack would not have succeeded had Twitter followed basic web security practices.

Re:Great - more 4Chan? (0)

Anonymous Coward | about 4 years ago | (#33719782)

And how did one visit this compromised web page?

Not to mention NoScript and such make viewing said page perfectly harmless.

Users need to follow some basic web security practices as well.

Re:Great - more 4Chan? (1)

neumayr (819083) | about 4 years ago | (#33713660)

Uh, I can see it now, hysterical activists rallying to stop general purpose computers from executing non-certified code. After all, who knows what they could put in there. I heard there was profanity in source code!! Can't somebody, for once, please think of the children?!

What you're asking for is ridiculous, yes. Please don't go around giving people any ideas of that sort..

Re:Great - more 4Chan? (1)

Algorithmnast (1105517) | about 4 years ago | (#33713836)

Ah - proof by insinuation.

Note that in my post I didn't ask for anything.

I only said, "software shouldn't be puked out by just anyone". I didn't say anything about certifying code, or implanting a chip in your goat, or anything else.

But for one, I'm tired of the crap code pumped out by the masses, which then leads to an easy exploit and - unlike this joke - can lead to real problems.

Re:Great - more 4Chan? (1)

neumayr (819083) | about 4 years ago | (#33714242)

Of course you didn't say anything of the sort.
But pray tell, how do you stop people from writing code, or, failing that, how do you stop code from being run?

Re:Great - more 4Chan? (1)

Algorithmnast (1105517) | about 4 years ago | (#33715246)

To quote Stroustrup from here [simple-talk.com]

RM:

"Do you think education is the answer to developing better software and that somehow we get out from the 'we must do it first no matter how buggy it is' way of thinking?"

BS:

"Education is part of the answer, an essential part, but 'education' itself is not a solution. We need an education for software developers that combines principles from science and engineering with practical skills. Most likely, we will need several specializations, hopefully with a common base. Unfortunately, I am not at all sure that the fields of computer science, software engineering, IT, whatever, are mature enough to agree on such a principled common base and specialisations. I also suspect that such a degree would be a master's rather than a bachelor's.

Currently, we have another problem: students often leave educational establishments with a set of skills that are seriously misaligned to what the industry needs. We can argue that maybe industry should ask for something different, but there is a lot of hasty re-training and un-learning going on at the handover from education to industry. I think this is really bad for both sides. It discourages industry from relying on more than basic skills and puts an emphasis on tools and techniques that can be used by relatively unskilled labour. Students know that and therefore pay less attention to higher-level skills and some of the best students choose what they perceive as more challenging fields, such as physics and biology."

Perhaps his decades of experience in not only teaching, but writing software will get your ear in a way that my decades of experience in both writing, evaluating, and teaching software hasn't.

Re:Great - more 4Chan? (1)

neumayr (819083) | about 4 years ago | (#33715502)

Okay, so we improve education and have the industry actually value and make use of those advanced skills.
So what's with code from people that don't have any formal education in software engineering?

Re:Great - more 4Chan? (1)

Algorithmnast (1105517) | about 4 years ago | (#33717884)

I think that Stroustrup's point was that those skills are the baseline, not an advanced level.

As a nit-pick (for precision, not to really nit-pick), "Software engineering" is more about process than about writing good code. The practical use of SE seems to be "If we use process then the result has to be good! After all, it works in other engineering disciplines!" It's a naive point of view, since "other engineering disciplines" which are "hard sciences" all share a single concept - that their "engineering" discipline (their science) can be modeled with math, and that all of their engineers learn that math.

How many programmers understand what an invariant is? Or how to program to a contract? [Yes, I repeat myself.]

And when it comes to C++ [My personal LOC - please no flame wars], how many know that a class should represent a (mathematical) group?

Or for any programmer, that their types should be an algebra?

So yeah, education is important, but seeing the math of our discipline is a bare minimum for helping CS be treated and understood as an engineering discipline.

And for code which comes from people who don't understand that... well how can we trust it to be flawless?

Yes, flawless is possible. It does require a level of discipline that is ... hard [VERY hard] to achieve without the math.

Re:Great - more 4Chan? (1)

neumayr (819083) | about 4 years ago | (#33769446)

I do not disagree with your point. OTOH, you shouldn't study CS to become a programmer; that'd be like studying physics to become an engineer or maybe studying engineering to become a carpenter.

My point was another one though - there are a lot of hobbyist coders out there implementing really interesting ideas. Of course their code often does not meet the same criteria you would expect from formally engineered software.
Still, I really like that those programs exist, and that everyone is free to make them.
Open platforms rock.

Re:Great - more 4Chan? (1)

Qzukk (229616) | about 4 years ago | (#33714412)

Note that in my post I didn't ask for anything.

Won't someone rid me of this meddlesome slashdot poster?

Call me hysterical if you will... (0)

Anonymous Coward | about 4 years ago | (#33713946)

but my browser runs with javascript off (the real thing, not NoScript), just to avoid the risk of running code which might be written by the likes of you ;-D

Re:Call me hysterical if you will... (2, Insightful)

neumayr (819083) | about 4 years ago | (#33714184)

Hehe, good choice. But please be aware that you have no way of knowing how much of my code you're already running ;P

Your code... (0)

Anonymous Coward | about 4 years ago | (#33715288)

If it's anything different from Javascript I have a chance you know what you are doing ;-)

And no, PHP doesn't count, as it just runs on those of my customers' machines who don't heed my advice; that's selection à la Asimov.

Re:Great - more 4Chan? (1)

fishexe (168879) | about 4 years ago | (#33713980)

Is it so ridiculous to suggest that software shouldn't just be puked out by anyone that can type?

Yes. It makes you an elitist. Why don't you come down from your ivory tower now and then, huh?

Re:Great - more 4Chan? (1)

John Hasler (414242) | about 4 years ago | (#33714500)

> Yes. It makes you an elitist.

There is, unfortunately, nothing ridiculous about that (it is ironic, though, as most elitists are not elite in any sense).

Re:Great - more 4Chan? (1)

Algorithmnast (1105517) | about 4 years ago | (#33715160)

Rather than show you my resume, I'll merely point out that Proof-by-ad-hominem is not a valid method of proof.

Re:Great - more 4Chan? (1)

fishexe (168879) | about 4 years ago | (#33718242)

Rather than show you my resume, I'll merely point out that Proof-by-ad-hominem is not a valid method of proof.

What about proof by parody?

Re:Great - more 4Chan? (0)

Anonymous Coward | about 4 years ago | (#33714386)

Is it so ridiculous to suggest that software shouldn't just be puked out by anyone that can type?

Sure. We'll start with you.

This is why... (5, Funny)

thescreg (1854974) | about 4 years ago | (#33713456)

It took me awhile to realize what was going on. This is pretty much what I post about on Twitter anyway.

sex involving goats? (-1)

Anonymous Coward | about 4 years ago | (#33713482)

Well, at least it wasn't discussing se involving goats.

And if any of you youngsters don't know what I'm talking about, do not click this link [goatse.fr].

Sex with goats? (4, Funny)

The Good Reverend (84440) | about 4 years ago | (#33713488)

Um, no, actually. That really was me.

Yeah, yeah, yeah (3, Funny)

microbee (682094) | about 4 years ago | (#33713616)

blame the virus, you perverts!

The early bird... (4, Funny)

Anne_Nonymous (313852) | about 4 years ago | (#33713750)

...gets the worm.

Re:The early bird... (1, Insightful)

_PimpDaddy7_ (415866) | about 4 years ago | (#33714900)

OMG, I gotta retweet that!

-Tweet Tweet!

Re:The early bird... (0)

Anonymous Coward | about 4 years ago | (#33714944)

YEEEEEEEAH!

ta3o (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#33713870)

on slashdot.Org [goat.cx]

sex with goats or sex on boats? (0)

Anonymous Coward | about 4 years ago | (#33714002)

just go watch some good pr0n videos at http://www.hotsex.com/

i don't think you'll find sex with goats ... but then i haven't checked. LOL!

People have the wrong default (0)

Anonymous Coward | about 4 years ago | (#33714102)

Most people's default: "Hey, I'll run anything from anywhere - I don't need to know what that script or executable is doing to my machine..."

Smarter people's default: "I'll run things I have some valid reason to run".

Guess which group seems to be the one getting in trouble all the time?

Really this kind of thing can be addressed with education. OK, not completely addressed - you can't fix terminally stupid - but most people are not stupid, they just haven't been conditioned to think about the consequences of what they do on their computers. With a little public education, it could get a lot better.

Finally (4, Funny)

rudy_wayne (414635) | about 4 years ago | (#33714130)

the worm would post vulgar messages on your account that discussed, well, sex involving goats

Finally!! Something worthwhile on Twitter.

NoScript (1)

dpolak (711584) | about 4 years ago | (#33714332)

If only everyone used Firefox and had NoScript installed. This would never happen. Then again, it's tedious always granting access to the pages you want, but what value do you put on security?

Re:NoScript (0)

Anonymous Coward | about 4 years ago | (#33714502)

Well, I'd argue it's only tedious for a few days until you grant permanent permission to your bank and this and that. After that, it takes pretty much zero effort.

It's just that most people don't actually *care* what their computer does. They'd rather have hours of trouble, maybe lost data, maybe hundreds of dollars for virus removal than spend 15 minutes distributed over two weeks' time to prevent their machine from running every random piece of crapware and adware it comes into contact with. The wisdom of this escapes me, but it's how 99.5% of everyone is.

Re:NoScript (0)

Anonymous Coward | about 4 years ago | (#33715060)

I'd ask that you read the attack details before posting about NoScript. Seeing as how there was no script (haha) being used here... It was simply a "click a web link to a site that uses Twitter in a cross-domain way" (not JavaScript). So your protection in this case would not have worked at all.
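The vector the comment above describes is a cross-site request forgery: a page on another domain gets the victim's browser to submit a status update with the victim's session cookie attached, and no script on the victim's side is needed. As an added example (not code from this thread or from Twitter), here is the server-side check that defeats such a request: state-changing endpoints accept only POST, verify the Origin/Referer, and require a per-session token that a foreign page cannot read. The site origin, signing key, session ids and sample requests are all constructed.

```python
"""Server-side CSRF defences for a status-posting endpoint (added example, constructed names)."""
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed values: a stand-in origin and signing key, not any real service's.
SITE_ORIGIN = "https://microblog.example"
SERVER_KEY = b"constructed-demo-key-rotate-in-real-deployments"


def issue_csrf_token(session_id: str) -> str:
    """Per-session synchronizer token embedded in the site's own posting form.
    A foreign page can make the browser send the session cookie but cannot read
    this token, so it cannot include it in a forged request."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own
    site. Requests carrying neither header are rejected: fail closed."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def authorize_status_post(session_id: str, method: str, headers: dict, form: dict) -> bool:
    """Three independent checks; a forged cross-domain request fails each of them."""
    if method != "POST":  # state changes never ride on GET, so a bare link cannot post
        return False
    if not is_same_origin(headers):
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(form.get("csrf_token", ""), expected)  # constant-time


# Constructed sample requests. Both arrive with the victim's session cookie, so the
# server resolves the same session id for each; only the first is genuine.
LEGIT_HEADERS = {"Origin": SITE_ORIGIN}
LEGIT_FORM = {"status": "posted from the real form", "csrf_token": issue_csrf_token("sess-42")}
FORGED_HEADERS = {"Origin": "https://some-other-site.invalid"}
FORGED_FORM = {"status": "text the victim never typed"}  # foreign page cannot know the token

if __name__ == "__main__":
    print("genuine:", authorize_status_post("sess-42", "POST", LEGIT_HEADERS, LEGIT_FORM))  # True
    print("forged: ", authorize_status_post("sess-42", "POST", FORGED_HEADERS, FORGED_FORM))  # False
```

Rejecting requests with neither Origin nor Referer is the fail-closed choice; a site that wants to tolerate privacy proxies that strip both headers must then rely on the token check alone.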

Re:NoScript (1)

Beelzebud (1361137) | about 4 years ago | (#33715234)

The solution is even simpler. See Twitter for what it is, and stop using it!

Re:NoScript (1)

Abcd1234 (188840) | about 4 years ago | (#33716124)

See Twitter for what it is, and stop using it!

Broadcast IM.

So why should people stop using it?

The Revolution (1, Insightful)

Beelzebud (1361137) | about 4 years ago | (#33715206)

Will not be Tweeted.

Re:The Revolution (1)

evilbessie (873633) | about 4 years ago | (#33715402)

I don't know, telling all Twits* to line up against the wall would make the revolution much easier to start...

*People who use Twitter, as "Twitterers" is unnecessary.

I for one... (0)

Anonymous Coward | about 4 years ago | (#33715398)

would rather have people believe I'm a goatfucker than have them think I'm stupid enough to click on a random link.

Now I have a use for Twitter (1)

mujadaddy (1238164) | about 4 years ago | (#33717022)

BRB, signing up...