Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Peon's Guide To Secure System Development

michael posted more than 11 years ago | from the mincing-words dept.

Programming 347

libertynews writes "Michael Bacarella has written an article on coding and security. He starts out by saying 'Increasingly incompetent developers are creeping their way into important projects. Considering that most good programmers are pretty bad at security, bad programmers with roles in important projects are guaranteed to doom the world to oblivion.' It is well worth the time to read it."

Sorry! There are no comments related to the filter you selected.

Peon? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4679005)

Are we now allowing racist words to be included in the story titles? What's next? Nigger? Faggot?

Welcome to my website! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4679281)

I peon you!!

For great justice! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4679329)

Imposter! I jihad [] you!

bad coders... (0, Offtopic)

not_a_real_person (610455) | more than 11 years ago | (#4679008)

How come all the bad and incompetent people end up writing software for big companies?

Re:bad coders... (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4679029)

... because there is a recession on and companies are more interested in reducing costs.

Eventually, the money men will be pushed aside and companies will once again start to focus on quality.

Disgruntled Professional Software Engineer

Re:bad coders... (2)

RebelTycoon (584591) | more than 11 years ago | (#4679176)

and the color of the sky in your world is?


Poor soul.. you need to get out more..

Re:bad coders... (2, Insightful)

Max Coffee (559629) | more than 11 years ago | (#4679208)

I suppose that's a factor, but most of the non-secure software in common use today was written during a mad expansion, not a recession. At that point, the issue wasn't cutting costs, it was getting products out the door before your competitors did, and left you in the dust. Ultimately, app security comes down to the company's priority list. That, in turn, tends to be driven by the priority list of the market as a whole. Most people didn't care at all about security until very recently.

If the people care about security now, you can bet the companies that succeed over the next decade will be the ones that satisfy that demand.

Re:bad coders... (0)

Anonymous Coward | more than 11 years ago | (#4679072)

Boy, the bar for getting comments read on Slashdot is really getting absurdly high. Someone help this guy out with a +1 Underrated.

A more thought out approch..... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4679014)

In this article. []

Can I just say something to Michael Sims (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4679019)

You havn't been making your fucking annoying comments at the end of stories lately, I'm pretty impressed with you, keep up the good work you stupid fuck.

This isn't flame bait (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4679044)

I've mentioned this before Michael you stupid fuck, when you mod my post as flame bait, it implies that someone would possible flame me in defence of you. YOU HAVE NO ALLIES, YOU ARE HATED BY EVERYONE, making the parent not flamebait, but if anything, +1 insightful.

Wow, its like an infinite loop: (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4679090)

print "Michael, you are a stupid goat fucking ass licker" goto parent;

Gay post (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4679032)

I have it on good authority that the author of this article is an ass-ramming butt faggot. Who wears a dress.

Engineers (again...sorry) (5, Interesting)

jpt.d (444929) | more than 11 years ago | (#4679041)

The P.Eng has one thing right - we need 'software engineers' or 'computer engineers' that are liable for their work (and the company that uses them are liable for too).

If Microsoft's products are so good, why do they disclaim liability on it?

Of course it isn't just microsoft doing this either. The whole licensing thing. If a 'license' is supposted to give you the privledge to do or use something, then in most things you are completely liable for your actions. For example, I have a drivers license, I kill somebody it is my fault. If Acme's Nuclear Control Software 2002 goes faulty and blows up part of the states - they would probably claim no fault (bad example I know - special case currently probably).

Re:Engineers (again...sorry) (1)

EvilTwinSkippy (112490) | more than 11 years ago | (#4679162)

This sort of stuff makes sense to you and me. Unfortunately there is no column on a manager's spreadsheet for safety. Hell safety for the place I'm working at now is a cell phone strapped to my waist at all times.

One time I was in the next state visiting the wife's inlaws when I had to talk a layman through going to my office for the server room key, going to the right machine on the KVM switch, and rebooting it.

Lets see, scratch out Software Engineering. Some other careers that came up on my personality assesment: Tavern Owner, Military...

Your wife's in-laws? (3, Funny)

Wee (17189) | more than 11 years ago | (#4679209)

One time I was in the next state visiting the wife's inlaws...

Wouldn't your wife's in-laws be your parents?

Sorry, couldn't resist... :-)


Re:Your wife's in-laws? (0)

Anonymous Coward | more than 11 years ago | (#4679265)

Unless the "next state" is Utah...

Re:Engineers (again...sorry) (2, Funny)

ch-chuck (9622) | more than 11 years ago | (#4679217)

I think it, currently, is tied back to US 1st amendment Free Speech protection - a book is free speech, it doesn't have to be correct. If you read a book, follow it's advice and lose your shirt or damage something, the book publisher probably has a legal protection against being held liable for it ("we just published the false information, you're the one who acted upon it"). However, yelling 'fire' in a crowded theatre or 'fighting words'* is not protected speech - we might need to tie at least some software with potentially damaging consequences to something like that in some situations.

*In 1942, the U.S. Supreme Court in Chaplinsky v. New Hampshire defined fighting words as words which are likely by their very utterance to inflict injury, or which tend to incite the average person to immediate violence. The high court said that fighting words receive no First Amendment protection.

Re:Engineers (again...sorry) (3, Informative)

ergo98 (9391) | more than 11 years ago | (#4679227)

How absurd. This whole certification thing is such a tired argument, though it's one that the IEEE is revving up as a new source of income (and I'm an IEEE member, but that doesn't mean that I agree with ridiculous certifications). Certifications and licensing are not, in most cases, a guarantee of quality. In reality in many cases these licensing boards turn into self-protective entities that allow their members to get away with things that they would never get away with if not surrounding by the shroud of, err, "persona responsibility" (see some of the medical boards that act more like shields against personal responsibility). Did you know that one of the P.Eng criteria, at least here in Ontario, is that you cannot discredit another P.Eng?

Most certifications are nothing more than an economic barrier to entry: A club, if you will, whose membership betrays zero information about the capabilities of their members, but rather excludes those who haven't signed up. P.Eng is a particularly notorious one because they've tried to get their grubby hands on virtually all aspects of society, while provably offering nothing in return. No thank you. I don't need a "P.Eng of Burger Making" to make my Big Mac, even if that does help Bob get his friends a job through his exclusive club.

Re:Engineers (again...sorry) (2, Insightful)

varith (530137) | more than 11 years ago | (#4679242)

You don't need to make engineers liable. It management (executive management to be precise) that needs to be liable. Hell I keep getting turned down on projects to improve the code in my company. The only way I could possibly put reeally good security would be to put 20-30 hours a week of my own time in - past the 50-60 I already work. No thanks.

High level languages (2, Insightful)

Anonymous Coward | more than 11 years ago | (#4679250)

>High level languages like Ruby, Python, or even >Java are strongly recommended for all new >projects.

All of these languages use a C program to
run.(interperter, VM).

First this guy suggest against useing
close source components are components
that you do not understand.

Well, what are these high level languages that
he is suggesting. There just a convinent
ways to write C. (Java excluded)

Maybe he thinks that you should read through
the ruby and python source before you
start using these languages?

I think he's suggestion is the reason
we have bloated unsecure software,
everyone trust that there languages
is in a little black box just because
it has a VM. What if the VM has a security
flaw, isn't this just like running a
secure program on top of windows.

Just keeping a developer from using pointers
is no way to insure a projects security.

Re:Engineers (again...sorry) (2, Insightful)

ACNeal (595975) | more than 11 years ago | (#4679269)

The problem with this is that the whole system has to interoperate together. The system is only as secure as the total of all its components working together.

You can say the same thing for a bridge. It will only stand if all the parts of construction are good, which the developer (not the engineer) are in control of. If the design is inherently flawed, the engineering firm will liable. If the construction is flawed, the developer is liable.

The difference between software and your analogy is that the engineer/developer has complete control over the whole system. Developers don't. Microsoft doesn't. If the user of that same bridge goes and replaces all the rivets used, the developer can hardly be blamed when the bridge fails because of this.

If I build a huge structure right in the middle, and you build another, and CowboyNeal builds a third, much smaller building, and suddenly the bridge collapses, whose fault is that? The bridge developer? Me for starting the trend? CowboyNeal even though his was the smallest?

and then when we bring security into play, that is a whole different ball game. The engineer doesn't have to worry about people activly trying to make his bridge fail. If someone (say a tterrorist) plants shaped charges to destroy the main supports, and the bridge collapses under its own weight, no one would even think about sueing the engineer (except for maybe the lady that dumped coffee in her own lap, and somehow thought McDonalds was at fault).

In software systems we rely on everyone else to be well behaved. We also rely on the combination of everyone elses systems not interfering with our systems in unexpected ways. A system of mine could run fine without a single crash. A system of yours could run without a single crash. Together they might get spurious crashes. I have never had a crash on a fresh install of Windows while playing Freecell before I install anything else.

The same idea of liability can't be applied to software systems.

Re:Engineers (again...sorry) (5, Insightful)

aero6dof (415422) | more than 11 years ago | (#4679284)

If Microsoft's products are so good, why do they disclaim liability on it?

Because the customers don't want to pay the added cost of reliability beyond what they need. If you want absolutely, positively bulletproof software, you're going to have to pay a higher development cost (mostly in testing, but in extra liability insurance for the company too). For safety-critical applications, customers are willing (or should be willing anyway) to pay for the additional cost , but it's ridiculous to pay for it when you don't need to. Do some googling on the cost of the space shuttle software for instance...

Could this be happening? (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#4679043)

Michael posting a story w/o a snide comment at the end? I would have expected a "Except for Microsoft, cause they don't give a flying fuck about security" at the end of this article.

Re:Could this be happening? (0)

Anonymous Coward | more than 11 years ago | (#4679092)

Too bad the Linux programmers didn't read this book, eh?

Linux, Open Source have 'more security problems than Windows'
By Robin Miller,
Posted: 15/11/2002 at 08:37 GMT

According to a report published November 12 by Aberdeen Group, "Security advisories for open source and Linux software accounted for 16 out of the 29 security advisories - about one of every two advisories - published for the first 10 months of 2002 by Cert (, Computer Emergency Response Team)."

Aberdeen says Microsoft products have had no new virus or trojan horse advisories in the first 10 months of 2002, while Unix, Linux, and Open Source software went from one in 2001 to two in the first 10 months of 2002, that in the same 2002 time period "networking equipment" (operating system unspecified) had six advisories, and Mac OSX had four.

In other words, all except Microsoft had increases in reported vulnerabilities this year.

"Contrary to popular misperception," the report says, "Microsoft does not have the worst track record when it comes to security vulnerabilities. Also contrary to popular wisdom, Unix- and Linux-based systems are just as vulnerable to viruses, Trojan horses, and worms. Furthermore, Apple's products are now just as vulnerable, now that it is fielding an operating system with embedded Internet protocols and Unix utilities. Lastly, the incorporation of open source software in routers, Web server software, firewalls, databases, Internet chat software, and security software is turning most Internet-aware computing devices and applications into possible infectious carriers."

The report lauds Microsoft for having overhauled its development process in an attempt to fix security problems, and says, "Perhaps it is time for some of the suppliers of open source and Linux software to take similar measures."

(You'll need to register with Aberdeen to read the rest of the report -- it's one of their free ones -- but I believe I've covered the Linux-relevant high points here.)

And yet, here I sit with my virus-free, trojan-free Linux box, receiving tons of viruses and trojans from Windows users (that don't affect me), watching news item after news item about sites run on Windows servers getting defaced and broken into.

According to what I've heard from my many sysadmin and network security specialist friends, no OS or network-connected software is secure unless it's administered properly and security patches are applied as soon as they are available.

And then, after I started writing this story, a ZDNet article with the headline Linux utility site hacked, infected came across my monitor, and I started wondering, "What if these Aberdeen people are right? What if this isn't just Microsoft-sponsored nonsense?"

A look at CERT's 2002 Advisories and Incident Notes pages was not overly reassuring. Yes, I saw some Microsoft vulnerabilities there that Aberdeen apparently missed, and one for Oracle.

I also think we have enough Microsoft viruses left over from last year that we don't need any new ones this year.

But the real issue is that we all need to be more security-conscious. The Aberdeen report points out that the system with the most reported vulnerabilities can change from year to year, but that the overall vulnerability and incident trend is up. Way up. In other words, whatever operating systems we use, we all need to watch out more for security flaws than we have in the past, and work harder to protect ourselves from them.


developers? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4679046)

Developers Developers Developers Developers!!!

Bad Programmers == Shitty Salary (2, Insightful)

kevlar (13509) | more than 11 years ago | (#4679048)

They're just paying for what they get. I tend to believe that its not so much bad programmers as it is a general apathetic attitude that good programmers have now. If there's no incentive to bust your balls, you're not going to!

Re:Bad Programmers == Shitty Salary (1)

EvilTwinSkippy (112490) | more than 11 years ago | (#4679081)

Hey, and bad programmers are easily hired and fired. Like crappy cashiers or lousy wait staff.

Isn't it nice to see that computer technology has finally evolved into a service industry.

Programmers are overpaid as it is! (3, Insightful)

SexyKellyOsbourne (606860) | more than 11 years ago | (#4679370)

Most programmers graduate from state universities with no real-world experience in security, hacking, and so forth and no connections to anything that's going on -- it's simply a pass from the university of a student molded from the dirt-poor standards of a mainstream college system to a corporate programming world of laziness and no liabilities.

However, these people who are no more qualified to write code than a third worlder with no previous formal schooling trained to be an H1B in a cert mill -- yet are paid much more, for no good reason.

If anything, regular programmers who would ever, for example, use PHP's fopen() for a proxy like the article described should be paid like H1Bs and school teachers -- about $35,000 a year, at the most.

However, the ones who really know their shit -- like Mr. Bacarella -- should be the ones making $100,000 a year or more.

It is happening again... (0)

not_a_real_person (610455) | more than 11 years ago | (#4679073)

One thing that bugs me about opensource is that bad coders always tend to end up there. If anyone has used the bleeding-edge versions of KDE, Gnome2 or whatever their poison is, then they'll know what "bad code" really means. Thankfully, the security is not too shabby since there's always tons of people who look at opensource code and either exploit it or report it / fix it.

Have you read the article? (0)

Anonymous Coward | more than 11 years ago | (#4679077)

This article goes to show that Slashdot editors need to be subject to moderation. This one merits -1, Flamebait. Ask yourself: does the guy make a point in a civilized manner, or do you have to wear the proverbial asbestos suit to make sense of it?

This is a great article (0, Troll)

tps12 (105590) | more than 11 years ago | (#4679080)

for me to peon.

Re:This is a great article (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4679318)

LOL! mod this guy funny you dicks.

So basically... (5, Informative)

vasqzr (619165) | more than 11 years ago | (#4679082)

He read a few books on the subject, and summarized the most simple concepts in an article.

Nothing new here.

Head to Amazon and find some books ...

Software Project Survival Guide by Steve C McConnell (Paperback)
Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs by Steve Maguire (Paperback)
The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition (2nd Edition) by Frederick P. Brooks (Paperback)
The Pragmatic Programmer: From Journeyman to Master by Andrew Hunt, et al (Paperback)

Re:So basically... (4, Funny)

Anonymous Coward | more than 11 years ago | (#4679190)

Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs by Steve Maguire (Paperback

Also holds the world record for "Shortest Book".

If something like Windows plays any part at all .. (5, Interesting)

burgburgburg (574866) | more than 11 years ago | (#4679084)

in your system design, you should probably give up now.

A non-Windows system is not a guarantee of invulnerability, but keeping a Windows system is guaranteed to put you at risk.

The real world seems to agree with him on these.

Re:If something like Windows plays any part at all (1, Funny)

ProtonMotiveForce (267027) | more than 11 years ago | (#4679125)

Yet more nonsense. Unix [in general, including Unix-typical tools] has had the most pathetic security history of any operating system.

Cast ye not rocks from a precipice of cracked glass. Unix security is just as crappy as Windows, and has been for a lot longer.

But why does Windows feel the need to ... (2)

burgburgburg (574866) | more than 11 years ago | (#4679286)

repeat every Unix security flaw 15 years after it first found, three times, before attempting to correct it?

Not to mention Windows own unique security flaws.

Custom SW a huge security hurddle.. (2, Interesting)

Havoc'ing (618273) | more than 11 years ago | (#4679094)

I work for an IT security company that does works some pretty secure systems. When we come across custom apps we are amazed time and time again how the logic was put into developing them, not just security. Its one thing to code, its another to do it well. My favorite catch was an SQL developer who created a hyperlink to care and feed his system that simply had to many bugs and pushed to production. Its important that companies have good end to end IT polices, apps, usage and security, but in large part managements dont recognize the risk until its to late.

It wont matter much (5, Insightful)

Lumpy (12016) | more than 11 years ago | (#4679095)

The coders are still shackled to the management that are trying to push it out as soon as it compiles and runs.. management doesnt CARE about stability or security and sales/marketing doesn't even care if it works.

until you can get the COMPANY liable for their software claims. and make their claims open and public, not buried in legalease.. I.E. if you dont want to be liable for it not working then the packaging must state "MIGHT NOT WORK" on the front in big letters.

until then it will not change... not in commercial software anyways...

Impressive (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4679096)

Guess what everyone? I raped some dumb slut last night! It was great. There I was, in this bar, slugging down some beer, and this rather good looking girl comes in. Big fucking tits, blond hair, the IQ of a rock, and clothing that basically didn't exist. I decide to take advantage of her a few drinks, slip something into one of them. In no time flat, we're at her place, and I'm ramming her so hard the bed collapsed. She kept screaming no to me, but oh well, she brought it on herself. Guess I'll have a kid now, but I was just passing through. Dumb slut.

What are we talking about now? How Michael is a flaming cocksucker? Oh, alright...

Useless advice? (3, Insightful)

Ars-Fartsica (166957) | more than 11 years ago | (#4679101)

To quote "It should be a curse to teach C/C++"


While I have taken this out of context, its not worthwhile to dispense with systems coding issues - thats exactly where most security problems start and need to be stopped. Anyone can be safe in a sandbox.

Re:Useless advice? I don't think so (1)

zaqattack911 (532040) | more than 11 years ago | (#4679344)

Actually someone beat me up and stole my lunch money when I was playing in the schoolyard sandbox once....

Re:Useless advice? (5, Insightful)

Subcarrier (262294) | more than 11 years ago | (#4679369)

He's contradicting himself here:

You can tell the difference between a developer who gets it and one who doesn't because the developer who doesn't get it is content to build a custom system using closed source components that they cannot understand, let alone keep secure.

when he goes on to say that

High level languages are usually more secure than C/C++ ...

High level languages are built on layers and layers of things written by other people, things that you know nothing about. If you use C or assemlber, you're much more likely to be in control of the security of your code.

I guess the comment about C/C++ is aimed at coders who suck more than average; they're certainly better of using code written by other people.

bad coders (2, Insightful)

greechneb (574646) | more than 11 years ago | (#4679103)

When I look back at my programming classes in college, the majority of the people didn't have a freakin clue. I don't think most of them could install a program on their own. Unfortunately the teachers all walked them through it, and they ended up passing, because they had their hands held the entire way. Its scary to think that some of them could end up in high places.

Everyone has to start somewhere. (5, Insightful)

BoomerSooner (308737) | more than 11 years ago | (#4679232)

I guess you shot out of the womb with coding skills (doubtful). Everyone has to learn in their own way. In the end if someone wants to learn to program well, they will. Otherwise they'll just coast along until it's required.

I was a shitty programmer out of college and after moving between various jobs I learned along the way.

Business works by getting the most for the least amount of cash. Unfortunately most businesses don't have competent managers that can tell the difference between anything applicable in the real world and a buzz word they just read on CNet (most technical conversations are over their heads). That is my experience anyway.

The Real Peon Is: +4, Informative (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4679110)

George W. Bush [] , the lackey of the Cheney-Rumsfeld-G. H. W. Bush administration.

Be Patriotic: Smoke Amerikan Grown Marijuana


a good read (5, Funny)

lactose99 (71132) | more than 11 years ago | (#4679111)

I found 2 quotes particularly enjoyable:

Call yourself a computer professional? Congratulations. You are responsible for the imminent collapse of civilization.


The user is pure evil.

Very true and sometimes misunderstood bits of information.

Re:a good read (5, Funny)

Digital Mage (124845) | more than 11 years ago | (#4679307)

1) Users are pure evil.
2) Civilization is made up of users.
3) Computer professionals are responsible for the collapse of civilization.
4) Computer professionals will therefore destroy all evil. ;^)...Cool!

Of course... (3, Funny)

ultramk (470198) | more than 11 years ago | (#4679123)

the real question that any developer needs to ask...

"What you need doing? Daboo!"

going back to minding my fortress now...


All Programing languages suck (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4679127)

C++ is an ugly hack of c which was an ugly hack of algol which was an ugly programming languge which was crudley punched on to paper tape. All other languages suck because of this!

Not this one (0)

Anonymous Coward | more than 11 years ago | (#4679135)

Try Smalltalk.

You get what you measure (5, Insightful)

Max Coffee (559629) | more than 11 years ago | (#4679149)

I really don't think the blame can be placed on the programmers here. Software development organizations get from their programmers what they measure and reward.

I used to work at a software house, and I noticed our code always adapted to whatever the organization cared about. When they cared about timeliness, we gave it to them, but the bug count went up. When they cared about a low defect rate, we gave it to them, but the volume of code (completed feature set) went down. When they cared about maintainability too, they got that, but app performance suffered.

Most competent programmers can probably make meaningful conributions to secure apps, especially if the efforts are led by good architects. Not everyone has to be the best. The only thing is, whoever is commissioning the software has to rank security (which includes a low defect rate) above timeliness and feature count. If that's done, most programmers can rise to the challenge.

Don't blame the programers. They're just adapting to their environment. They do have to put food on the table after all, so they'll do what their companies value.

More experienced managers, in CODE, would be nice (1, Troll)

twocents (310492) | more than 11 years ago | (#4679151)

While 'tis true I'm sure that secure coding practices grow more likely to contain security flaws as more and more of us code, I think the best way for coding to become more secure is to have more managers in the bizz that know about code.

The more experienced a manager is in actual coding,the more likely he or she will:
>Listen to and support action upon security
>Allow time to make apps secure in project deadlines
>Be less likely buy crappy software from the start (see the section in the article on middleware)
>Hire good sys admins

I don't think coders should always get such a bad rap when those "above" tend to sell products without often thinking of how to make it secure, and sometimes don't allow programmers the time to design solid security into a system.

Don't retire, just replace someone that thinks powerpoint is a good web development app.

Better languages (3, Interesting)

PylonHead (61401) | more than 11 years ago | (#4679153)

It should be a crime to teach people C/C++.

High level languages like Ruby, Python, or even Java are strongly recommended for all new projects.

How about a high level, compiled language with static typing like Ocaml. More speed, more protection, and it's been officially certified as "The programming tool of choice for discriminating hackers".

Ocaml []

What hubris. (5, Insightful)

ProtonMotiveForce (267027) | more than 11 years ago | (#4679155)

This "technologist" is carrying on about bad programmers and security? Wow - I assume he's a seasoned professional with many large-scale projects under his belt?

With such trenchant insights as "Don't use C/C++"! "Don't use Windows!" "Watch out for user input"!.

Wow. How truly insightful. I'm not even going to bother pointing out the utter absurdity of claiming that using or not using C/C++ has anything to do with it, or the added security problems with using high level languages (do you trust the implementation?).

I'm just going to say I've had bloody poops with more useful information in them than this article.

Re:What hubris. (0)

Anonymous Coward | more than 11 years ago | (#4679199)

That sure was some hubris! Boy, I wish I was as cool as you *swoon*

Re:What hubris. (1)

ProtonMotiveForce (267027) | more than 11 years ago | (#4679353)

I detect a subtle amount of nerd sarcasm. Did Matt Groening develop the Simpsons' 'Comic Book Guy' character with you as a reference?

Was my post "Worst Post Ever"?

And get with the simes. "Boy"? As "Cool" as? At least use some modern slang, e.g. "I wish I was as pimp as you, dawg. Shoot."

Peon?! (5, Funny)

gergi (220700) | more than 11 years ago | (#4679156)

Everyone knows peons don't care about security. They just go around doing whatever they're told to do. Half the time, they're just standing around because there's nothing for them to do. They are oblivious to security breaches... I can't tell you how many peons I've seen getting hacked to death without them even noticing! And if they do notice, all they ever respond with is "Stop poking me!!!"

Peons, indeed

Exactly! (2)

truthsearch (249536) | more than 11 years ago | (#4679158)

Open source systems offer this power to the end user (you), that is their real strength. You can tell the difference between a developer who gets it and one who doesn't because the developer who doesn't get it is content to build a custom system using closed source components that they cannot understand, let alone keep secure.

That's precisely why the IT deparment of my company is setting themselves up to fall apart. My group's lead tech (lead not because of higher knowledge, but because he's hung around a while and sold himself) is convinced closed source is better. His arguments come from quoting Microsoft's advertising and web sites (which are basically just more advertising). Without even trying anything open source my company has whole-heartedly adopted .NET. I am so out of here as soon as possible.

Ignorance may be bliss, but only for the person who's ignorant. They're happy... I'm not.

Oh, come on now... (2)

talks_to_birds (2488) | more than 11 years ago | (#4679164)

...I mean, really:

"...Considering that most good programmers are pretty bad at security, bad programmers with roles in important projects are guaranteed to doom the world to oblivion..."


We are the important little center of the universe, aren't we!

Oh! this is just book-marketing bullshit?

Or maybe hyperbole, if the author is literate to know what that word means...


Huge middleware isn't such a great idea (2, Interesting)

Spy4MS (324340) | more than 11 years ago | (#4679165)

Gotta agree with him on this one. I finally got out of a multi-year project where we used a gigantic POS graphics package as the back end. It added unnecessary complexity and over a year of hacked code to what should have been a month-long project (had we coded the graphics functions ourselves).

We got stuck with the package because the client chose it, and refused to admit they were wrong. When the project when 10X over budget and people got fired, they still stayed with the graphics package and even upgraded it to the 2.0 version.

The only way out was to quote them an astronomical figure for upgrading our software to match the POS and hope they wouldn't bite. I cheered when they politely declined.

It's good to have a job where you can choose your clients.

Designer liability (1, Interesting)

slycer9 (264565) | more than 11 years ago | (#4679184)

While in theory I agree with the designers of said software being liable for the flaws therein, to what extent are we to pursue them? If I, as a coder in a firm unwilling to compensate me for the time, energy and resources necessary to produce good code, and they push for, and accept badly designed products, am I, as the actual creator to be held liable? Or would it be acceptable to go after the upper management types who accepted said code in the first place? A little perspective needs to be used here before we start screaming for the heads of those responsible for insecure software.

It should be a acrime to teach C/C++ (5, Insightful)

l33t-gu3lph1t3 (567059) | more than 11 years ago | (#4679187)

I agree whole-heartedly with the first of 2 non-superfluous statements the author makes: Why do you think Java and, to a lesser extent, C# are so popular right now? ESPECIALLY for teaching? Because with Java and C#, it's very, very hard to write code that can break the system it's running on. I also agree to some extent with his position on cyptography...most serious (non-IE/Outlook) insecurities aren't based on cracked crypto - they're in buffer overflows, and weak points in code. I don't pretend to be anything but a pathetic first year java student, but I can see where this author is coming from just be reading this website once a week...

Re:It should be a acrime to teach C/C++ (0)

Anonymous Coward | more than 11 years ago | (#4679384)

>Why do you think Java and, to a lesser extent, C# are so popular right now?

Because people are sheep? The exact same reason anything becomes popular.

>ESPECIALLY for teaching?
Yea, good thing I learned Pascal.

>I don't pretend to be anything but a pathetic first year java student, but I can see where this author is coming from just be reading this website once a week.

Ahh, that explains it.

Brilliant idea!?! (2)

jaredcoleman (616268) | more than 11 years ago | (#4679193)

Here's a wonderful paragraph...
High level languages like Ruby, Python, or even Java are strongly recommended for all new projects. The reason these languages are more secure (in theory) is that they don't have pointers. Most security vulnerabilities that involve breaking program code involve manipulating pointers-in fact, many programming bugs are generally related to pointers in some way. As with the OS issue noted above, do not mistake this for invulnerability. You're simply less likely to be compromised using this particular attack vector with a high level programming language.

I guess we better throw out everything other language, since these are "strongly recommended for all new projects." Here's a better idea: why not just write the software in the language best suited for the job, or that you're more familiar with, and code it to check for unexpected data.

Re:Brilliant idea!?! (1)

rebrane (17961) | more than 11 years ago | (#4679233)

You rated this at 2? Did you even read the article? He says right there that for systems programming, C/C++ are the most appropriate languages.

Wrong approach (5, Insightful)

lazyl (619939) | more than 11 years ago | (#4679221)

It should be a crime to teach people C/C++.

This guy is a little rough I think.

High level languages like Ruby, Python, or even Java are strongly recommended for all new projects.

This sentence should be continued "..for mediocre programmers.". Professional experts should use whatever language they are best at as long as it's reasonable for the project.

This article looks like he's giving advice on how to take a group of wanna-be progammers and try and get useful results from them. I think that's the wrong approach. What you should do is hire real experts. That way all the wanna-be programmers won't be able to get jobs and so they might realize "hmm.. maybe I should go back to school and get some real skills". Then we wont have as many of the problems that this guy talks about. Though maybe the schools aren't teaching the skills properly, but that's a different topic.

Re:Wrong approach (0)

Anonymous Coward | more than 11 years ago | (#4679283)

Look at the quote again. He specifically says "for all new projects." New projects should be sandboxed, while the implications of the I/O paths are worked out, and bad assumptions are caught and fixed. Once the behavior is well-understood, it can be re-implemented in a "better" language.

Re:Wrong approach (2)

maelstrom (638) | more than 11 years ago | (#4679303)

So are OpenBSD programmers good at coding in C securely? Are they not professionals? Have they not made mistakes that comprimised the security of the entire system? What was your point again?

Technological Solutions to administration. (1)

wray (59341) | more than 11 years ago | (#4679236)

I attended a colloquium here at BYU, where the guest speaker was Scott Lewandowski (MIT - Lincoln Labs) [] . They are working on an architecture called SARA (Survivable Autonomic Response Architecture) that deals with attacks in computer time. This does not negate the need for a good administration team, but does allow machines to be stronger and more fault tolerant.

For a quick summary:

Current computer security research is motivated by the realization that some cyber-attacks will succeed and that systems therefore must be designed for survivability. Two critical enabling technologies for building survivable systems are autonomic response and orchestration. SARA, the Survivable Autonomic Response Architecture, is an architecture developed as part of Lincoln Laboratory's participation in the DARPA SWWIM program. SARA facilitates orchestrated autonomic response by allowing components developed by independent information assurance developers to collaborate to defend computer networks and systems. SARA is well suited to defend against fast, distributed information attacks that require rapid, coordinated, network-wide responses. The core components of the architecture are a run-time infrastructure (RTI), a communication language, a system model, and defensive components. The RTI incorporates a number of innovative design concepts and provides fast, reliable, exploitation-resistant communication and coordination services to the components defending the network, even when challenged by a distributed attack. The architecture can be tailored to provide scalable information assurance defenses for large, geographically distributed, heterogeneous networks with multiple domains, each of which uses different technologies and requires different policies. The architecture can form the basis of a field-deployable system. Prototype versions of SARA have been used in a number of experiments and environments; most notably, SARA was a core technology in an experiment in which distributed defenses neutralized a self-propagating polymorphic email virus.

The only link I could find was the universites link [] to the colloquium which has the short abstract I quoted above.

We Need To Consider 1980s DOD Practices (5, Insightful)

DoctorMabuse (456736) | more than 11 years ago | (#4679251)

During the 1980s, I developed software for ICBM command and control systems and for ICBM targeting. One of these systems ran on a Rolm 16-bit computer and was programmed in Jovial, assembly and Fortran. At the time, this computer was already 5 to 10 years behind the commercial state-of-the-art. However, it worked and almost all of the bugs in the computer and the compilers were known, and THAT is the key to developing secure software.

Don't use the latest and greatest. Use something that has been in production for several years and has had the bugs worked out. The military used to do this on critical systems. Did I hate coding in Jovial on a machine that only had 64K? Yes. But I also knew the machine inside and out and had hand-checked the compiler's assembly code generation to make sure that it wasn't doing silly things. It didn't, because 5 years in production had wrung out all of the bugs.

Re:We Need To Consider 1980s DOD Practices (2, Funny)

malraid (592373) | more than 11 years ago | (#4679412)

We're talking important stuff here, like e-mail and P2P networks, not silly ICBM toys

Now getting into a more serious attitude, the DOD has always done things in a way which is completly different from Corporate America, and Consumer America, where 2.0 is much better than 1.5, because it has more features, nicer GFX, whatever. Ohh, and 8.0 is much better, even if there was never a version 7.0, or 6.0, or 5.0, etc.

Do you guys think that the Marketing people as Microsoft were thinking about security when they gave the 8.0 number to the new MSN?? Unfortunatly, this is a marketing world, and the best marketing almost always wins. And if the loose, the marketing people try to make it look like they won anyway !!

Just what we need... (5, Insightful)

j_kenpo (571930) | more than 11 years ago | (#4679256)

You know, theres something to be said for ignoring articles written in a degrading way towards its audience. It does make an interesting read if you imagine the comic book shop guy from the Simpsons was the author... worst article ever...

Very Good Work (2)

photon317 (208409) | more than 11 years ago | (#4679258)

This is one of the best all-around security articles I've read in a long time. If even 10% of the world's programmers read this and take it to heart, the world will be a measurably better place.

salt on the glass.... Big grains of salt! (2, Insightful)

Hamstaus (586402) | more than 11 years ago | (#4679260)

If something like Windows plays any part at all in your system design, you should probably give up now. Despite being closed source, holes are discovered constantly.

I hate to break it to this guy, but this article is basically a big rant of his personal opinions. Not that I have anything against that, but I feel anyone heeding this person's advice unerringly would be making just as big a mistake as if they didn't listen to any of his advice.

Open-source, closed-source, it doesn't goddamn matter. The fact is, code is written by humans, and is therefore imperfect. Realize that now and save yourself a lot of time. Open-source continues to have just as many flaws in it as closed-source. How many times has the bind package been updated in recent memory? And don't start the "many eyes" thing again, we all know it and we're all tired of it, and I realize open source gets fixed faster.

My point is, when I first got into Linux, I took a default install of Red Hat and threw it on there. I had read all sorts of advice that if I wanted a secure server, I should use *nix, so I did. Yeah... rooted. Rebuilt the box, using a way newer distro... rooted. My failing was trusting the code implicity based on what other people said. Old versions of open source stuff are just as vulnerable as old versions of closed source stuff! And you know what? I guarantee that this will always continue to be true.

Constant vigilance is your only safe-guard. The open-source/closed-source argument is secondary to this. If you can build, deploy and maintain a closed-source based system much easier/cheaper/faster than an open-source one, well, balance that against your security requirements.

inspectors (1)

Twillerror (536681) | more than 11 years ago | (#4679272)

Programmers are in a way like construction works. We build something up, usually based on some specs. The big difference is that we don't have people looking over our shoulders. Putting up a wall usually takes more then one person, so the other person will see the problem.

Code reviews, ie. open source, is the answer to this delima, but in a lot of cases the teams are just too small, and the application not used by enough programmers to really make this work.

If you worry about your app being secure your going to need it inspected. Even the best "security" programmer is going to make a mistake or two. A program could be in the wild for years before a hacker realizes a design flaw and takes advantage of it. You need people looking at it with a checklist. Ensuring now buffer overruns, easy to guess password schemes, and then you just need someone who hacks for a living to try out various scenarios.

We should also stop trying to patch the problem and fix it. Things like buffer overruns are getting old. Most high level languages are immune to. It's been a while since I did C programming, but if you writing a network server, why not use some kind of Object to repersent your data, verus a straight up char[] and have check in the object. Make it harder for inexpierence programmers to make mistakes, or even expierence ones for that. If you've used Java, you know the compiler throws a lot of fatal warnings to keep these things at bay. Why can't the C++ community adopt some of these.

Article missing key point (5, Insightful)

bigmouth_strikes (224629) | more than 11 years ago | (#4679275)

The article is a nice read, but it is obvious that the author have little experience in commercial software production.

Quality and security of a commercial software product is a financial decision, not a technical. Much like how software architecture is a strategic and not a technical decision, which many software developers do not realize.

When the cost of continuing to improve quality and security exceeds the income from support contracts, you have to draw the line. If you don't provide or charge for support, you draw the line when your investment exceeds your targeted income projections.

There are software products that are secure and virtually bug-free, but you and I can't afford them. They run nuclear plants, space shuttle command centers, etc etc. Hundreds of millions of dollars have been spent on that software, and it is not a question about "the user is evil". It's about having a thorough and mature development process and organization, preferable at CMM level [] 5.

So, I really don't know where the article would apply. Maybe when writing simple VB games for your website. Absolutely not when writing commercial grade software.

Buffer overflows (2)

Kiwi (5214) | more than 11 years ago | (#4679279)

One of the most common security bugs is a buffer overflow. BUGTRAQ often sounds like a broken record which says "buffer overflow"; obviously coding practices which prevent buffer overflows is desirable.

For my application [] , I have made a special string library which is resistant to buffer overflows. Instead of a string being a simple pointer to a string of characters, terminated by a null, a string is a structure with the following information:

  • The current length of the string
  • The maximum possible length for the string
  • The encoding of the string
  • The length, in octets, of a single piece of data in the string
I then make sure that any manipulations to the string library always check to make sure we do not exceed the maximum length; I also have a three-byte cusion in every sllocated string to insure that one-byte buffer overflows do not happen.

Some other practices:

  • Only give static strings to anything which accepts format (%s, etc.) strings.
  • Do not use signal handlers; or use them with the utmost care.
  • Do not use the system() call.

- Sam

Who the f*ck is this guy, anyway? (5, Insightful)

talks_to_birds (2488) | more than 11 years ago | (#4679280)

Surf to his web site [] , and it's just the same old self-absorbed bullshit that so many other people put up.


Let's see...

  • I was born on August 28th 1980, 4PM in Long Island.
  • My life was pretty aimless until I broke my arm in the 8th grade, keeping me from most sports and physical activity. That's when I discovered the magic of computers. I haven't stopped poking them since.
  • My chief interest is in information science (ie, computers). This interest involves my day job, my business, and most of my recreational activity.

Wow! Pretty exceptional, don't you think?

'bout the only thing going for the guy is he *doesn't* have a blog...

How the f*ck did this nonsense get put up on /. anyway?

What changed hands to get this deal done?


Re:Who the f*ck is this guy, anyway? (-1)

Anonymous Coward | more than 11 years ago | (#4679302)

What changed hands to get this deal done?


Re:Who the f*ck is this guy, anyway? (0)

Anonymous Coward | more than 11 years ago | (#4679325)

Sour grapes much? Sheesh. Like you're so much cooler. Cool enough to post at +2, anyway!

Re:Who the f*ck is this guy, anyway? (2, Insightful)

NullProg (70833) | more than 11 years ago | (#4679377)

I agree, what mindless drivel. All rant and no facts.

It should be a crime to teach people C/C++.

Then further into the article:
Whenever possible, use industry standards. For example: POSIX, ANSI C, OpenGL, SQL, etc. Resist using non-standard extensions, if you must have them, keep them limited.

I feel for his clients. Slashdot blew it on this story.


Re:Who the f*ck is this guy, anyway? (2)

evilviper (135110) | more than 11 years ago | (#4679378)

I think I've figured it out... Finally...

The Slashdot crew MUST BE using a magic 8-ball to decide what stories go up, and which do not.

That's the only explanation I've got.

Re:Who the f*ck is this guy, anyway? (1)

zaqattack911 (532040) | more than 11 years ago | (#4679394)

Not only do I want to know who the fuck he is,
but if he's ever worked a day in his life :)

As he even worked on a major project before?

Does he sleep next to a microwave oven? Was he born near high tension power lines?

All these things play a factor in his ignorance :)

The Solution? (1)

bacs (622545) | more than 11 years ago | (#4679288)

Education. The problem is employers will hire people based only on work experience. They think work experience can be substituted for a degree. I have recently graduated with a CS degree and cannot get employed because I don't have work experience with (insert popular language). I am seen as less desirable because my degree focused on theory and higher-level concepts of what makes a good program. Theses concepts would be harder to pick up in the workplace. I would place more of the blame for insecure systems on the requirements of employers. Besides, my degree has to be worth something... right?

Re:The Solution? (1)

Dionysus (12737) | more than 11 years ago | (#4679368)

There are no substitute for work experience. I thought I was pretty hot programmer coming out of college (with a CS degree), but it's nothing compared to what I've learned the last four years working.

I'm not saying college isn't useful. You can see the difference between people who got an education and who didn't, but work experience should count for a lot.

"Keep It Simple, Stupid " (1)

Dukebytes (525932) | more than 11 years ago | (#4679295)

Gods - what a line. I liked the suckass developers bit too - but hey, I'm a hardware guy :)

Programmers need to follow the KISS method of coding. I love this - RFC1925 - Fundamental Truth #12 - "In protocol design, perfection has been reached not when there is nothing left to add. but when there is nothing left to take away." You can not really say it any better. It is supposed to be funny - but it is really very true.

Being the hardware/network guy - I deal with this everyday. My place is getting crazy - everytime you pick up a dirty rug around here to shake it out you find another programmer... And they are all killin me. I try to lock something down - they cry "But my code won't work if you do that!!". I try to clean something up and they cry. I SUGGEST that we do something a different way - and they CRY!!!!!

OK - breathe.... It is really very hard to do my job. And it sucks. Mgmt doesn't understand why we need an IDS, or tighter VPN encryption, or NO access to the inside network from the DMZ and on and on and on...

Keep it simple, stupid. Words I try to live by - but you should see the code these guys write. This guy had hit it right on the head. This article is nothing special - it isn't rocket science - its FACTS. But try and teach it to a bunch of crying coders and a room full of suits. You can't - period. So I keep coming in on Sundays (salaried employee, thank you very much) and patching systems and go thru my logs everyday and sneak stuff past them when I can and just do what I can to keep us secure. Some of the really really stupid stuff they try to do I just tell them no - no one really fights with me about it - but if I try and change ANYTHING to make it more secure that would involve writting ONE line of code to fix - I get beat down till I just quit fighting it.

I love this stuff - but sometimes you can really hate doing it.

But hes right - WE have to do it. WE have to make things more secure - WE have to keep it simple. For the love of all that is holy - if you are a coder - please keep it simple and do your fucking job. Don't add shit you don't need - stop when you can't take anything else out. And don't worry about the OS patches or the firewall or the router - My end is already being taken care. See ya Sunday morning....


This article... (2)

Dot.Com.CEO (624226) | more than 11 years ago | (#4679330)

Is written by someone without any relevant experience in the field. Someone who has not put down any specific examples / case studies to support his case. He makes a point that he has not prove and we are supposed to argue about his unfounded and unproven theorem?

Yet, his article appears on the front page of /., the very "home" of the people he offends. To quote Michael:

It is well worth the time to read it

No it is definitely not.

Nothing will ever be secure (1)

LostCluster (625375) | more than 11 years ago | (#4679335)

There will never be a perfectly secure operating system that a dummy can run. Dummy will fall for the old trojan program trick, and open his machine up to doing things he it didn't expect to.

If Linux ever gets up to the ease-of-use level Windows has now, and therefore hits the popularity Windows has now, the virus writers will come too, and Linux will have just as many problems. Having the source is a double edged sword. If the bug is found first by a white hat, we'll find out in the form of a patch being released. If the bug is found first by a black hat, we will descover it in the form of an exploit in the wild.

The other problem with programmers (1)

co_fisha (196881) | more than 11 years ago | (#4679346)

This tone and language in this article is terrible! He sounds like a teenage mad at his parents. How is he supposed to be taken seriously? Most managers and businesses would walk him out the door after 5 minutes that article.

Seeing yourself as a professional, not matter what you're working on or what you're getting paid goes along way to the quality of the project. But it seems a lot of people don't take this seriously.

Solution (1)

psychopenguin (228012) | more than 11 years ago | (#4679363)

This sounds like an elitist attitude towards development... not surprising in today's competitive job market. Everyone has to start somewhere, and no developer can claim that they've never made mistakes (read bugs, poor design, etc).

The solution is not to be rid of "incompetent programmers". If you do that, then all the kids coming out of college, otherwise known as the ones who are in training today to become competent, will be shut out of the industry and become nice competent burger-flippers instead. When the so-called "competent" programmers reach retirement age, you'll be left with scrap.

The solution is easy, and well-know: code-review, and mentoring. This can and does work in a closed source environment, but it happens naturally in an open-source world.

Futile (1)

afreniere (611999) | more than 11 years ago | (#4679365)

This brings to mind an image of someone jumping up and down on the shore shaking his fist at the ocean... The market decides what is valued in software. Security is becoming more important, but if the risks of bad software were *really* so high, everyone would have "hacker" insurance, everyone would have very strong market pressures to buy software that traded features for security. Programmers who could program securely would be in higher demand. People would get trained. The brutal fact is that some security risk is evidently acceptable. Everyone would love to have perfect security, but it ain't cheap. And everyone's poor.

One could make an argument that the OS market is not functioning properly, so the market forces for secure OSes are not being felt. You'd have no argument from me there. But preaching ain't gonna fix that.


Open Source = Broken Source (2, Insightful)

VegetariMan (162508) | more than 11 years ago | (#4679367)

Let the flames begin!

Honestly, I applaud open source. I think it can be quite a boon to the rest of the world. However, I've definitely seen enough public code that looked like it was written by a wannabe compsci major. It's nice to see this topic discussed. Open source is a powerful tool, but without good management and high coding standards it's just broken source.

Re:Open Source = Broken Source (1, Informative)

Anonymous Coward | more than 11 years ago | (#4679383)

This is a horrible attempt at trolling.

You need more flesh and to play a bit more of a condescending role.

Re:Open Source = Broken Source (2)

defile (1059) | more than 11 years ago | (#4679399)

However, I've definitely seen enough public code that looked like it was written by a wannabe compsci major.

That may be true, but proprietary software I've experienced on a collective whole has been, far far worse.

At least with open source you can actually look at it and say that it's trash that's waiting to fall to pieces, no?

What are bad programmers always "the other guy"? (2, Insightful)

ProtonMotiveForce (267027) | more than 11 years ago | (#4679382)

I'd like to see someone, just once, say "He's right. I'm a bad programmer and I do these things sometimes. My co-workers are much more competent than I am and maybe that's why, because their code is over my head."

But noooo. It's always "the other guy" and "the place I used to work", etc... Bah.

Re:What are bad programmers always "the other guy" (0, Troll)

f1shlips (450124) | more than 11 years ago | (#4679402)

He's right, I'm a bad programmer, My co-workers are much more competent than I am.

I still make 75,000 a year.

Tim allowed to program, not bad programmers (1)

Sourtimes (553114) | more than 11 years ago | (#4679405)

This article doesn't take into fact, that now days developers are hurried to finish products to get it out before some other company. Back in the old days when computers just started getting up and going, companies didn't truly have to worry a whole lot about competition so they could in sense build more secure software because they were not rushed. there were very few software companies and the amount of time to build a piece of software was alot longer, and they had to make sure and keep it simple due to the limited space/RAM. If you think about Open source, they usually spend twice as long to release something than commercial software because they are not worried about competition since they don't have to worry about making a buck or two. OBviously there are goods and bads to this process, but I think overall there will come a point when all the software companies will realize that people are willing to wait for a more secure program.

angry, angry, angry (0)

Anonymous Coward | more than 11 years ago | (#4679407)

The author should just loosen up. Every developer, including him, has been guilty of writing code that wasnt as secure as it could have been. I don't see where his angry rants and insulting language get anyone. It sounds like this person had a bad day dealing with some substandard software and decided to write this fairly useless "guide" to release his anger. Perhaps throwing the office laser printer through the window, digitally recording it, then posting it here would have been a better use of his time.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?