
OpenBSD Team Cleaning Up OpenSSL

bmajik Re:de Raadt (232 comments)

Ok, I actually think you, me, and Theo all agree :)

1) We don't think a specific technical change would have _prevented_ the issue.

2) We all agree that better software engineering practices would have found this bug sooner. Maybe even prevented it from ever getting checked in (e.g. suppose the codebase was using malloc primitives that static analysis tools could "see across", and that the code was analysis clean. Could this bug have existed?)

7 hours ago

OpenBSD Team Cleaning Up OpenSSL

bmajik Re:de Raadt (232 comments)

Who has claimed that using the system allocator, all else being equal, would have prevented heartbleed?

Who has claimed that heartbleed was an allocation bug?

I understand what freelists are and do.

The point here is that rigorous software engineering practices -- including the use of evil allocators or static analyzers that could actually understand they were looking at heap routines -- would have pointed out that the code implicated in heartbleed was unreliable and incorrect.

If you read the link you pointed at, after making a modification to OpenSSL such that coverity could understand that the custom allocator was really just doing memory allocation, Coverity reported 173 additional "use after free" bugs.

There are bugs from years ago showing that openSSL fails with a system allocator.

Don't you suppose that in the process of fixing such bugs, it is likely that correctness issues like this one would have been caught?

8 hours ago

OpenBSD Team Cleaning Up OpenSSL

bmajik Re:de Raadt (232 comments)

Actually, it is you who are wrong.

Theo's point from the beginning is that a custom allocator was used here, which removed any beneficial effects of both good platform allocators AND "evil" allocator tools.

His response was a specific circumstance of the poor software engineering practices behind openSSL.

Furthermore, at some point, openSSL became behaviorally dependent on its own allocator -- that is, when you tried to use a system allocator, it broke -- because it wasn't handing you back unmodified memory contents you had just freed.

This dependency was known and documented. And not fixed.

IMO, using a custom allocator is a bit like doing your own crypto. "Normal people" shouldn't do it.

If you look at what openSSL is:

1) crypto software
2) that is on by default
3) that listens to the public internet
4) that accepts data under the control of attackers

... you should already be squarely in the land of "doing every possible software engineering best practice possible". This is software that needs to be written differently than "normal" software; held to a higher standard, and correct for correctness' sake.

I would say that, "taking a hard dependence on my own custom allocator" and not investigating _why_ the platform allocator can no longer be used to give correct behavior is a _worst practice_. And it's especially damning given how critical and predisposed to exploitability something like openSSL is.

Yet that is what the openSSL team did. And they knew it. And they didn't care. And it caught up with them.

The point of Theo's remarks is not to say "using a system allocator would have prevented bad code from being exploitable". The point is "having an engineering culture that ran tests using a system allocator and a debugging allocator would have prevented this bad code from staying around as long as it did".

Let people swap the "fast" allocator back in at runtime, if you must. But make damn sure the code is correct enough to pass on "correctness checking" allocators.

9 hours ago
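The two allocator behaviours this comment contrasts, as an added example (not code from the original post, and not OpenSSL's allocator): a toy fixed-block allocator in "fast" freelist mode, which hands a freed block back with its old bytes untouched, beside a "checking" mode that poisons freed blocks and verifies the poison on the next allocation. All names, the arena layout and the sample payload are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Toy allocator, constructed for illustration (not OpenSSL's): NBLOCKS fixed
 * blocks in one arena, handed out from a LIFO free stack. Fast mode pushes a
 * freed block back with its bytes untouched; checking mode keeps free blocks
 * filled with POISON and verifies that on alloc(), counting any write-after-free. */
#define BLOCK_SIZE 64
#define NBLOCKS    8
#define POISON     0xDD

typedef struct {
    unsigned char arena[NBLOCKS * BLOCK_SIZE];
    int free_stack[NBLOCKS];
    int nfree;
    int checking;            /* 0 = fast freelist, 1 = correctness-checking */
    int writes_after_free;   /* defects the checking allocator has reported */
} toy_heap;

static void heap_init(toy_heap *h, int checking)
{
    memset(h, 0, sizeof *h);
    h->checking = checking;
    memset(h->arena, checking ? POISON : 0, sizeof h->arena);
    for (int i = NBLOCKS - 1; i >= 0; i--)   /* block 0 ends up on top */
        h->free_stack[h->nfree++] = i;
}

static int block_is_poisoned(const unsigned char *p)
{
    for (size_t i = 0; i < BLOCK_SIZE; i++)
        if (p[i] != POISON) return 0;
    return 1;
}

static void *heap_alloc(toy_heap *h)
{
    if (h->nfree == 0) return NULL;
    int idx = h->free_stack[--h->nfree];
    unsigned char *p = h->arena + idx * BLOCK_SIZE;
    /* Disturbed poison means someone wrote to this block while it was free. */
    if (h->checking && !block_is_poisoned(p))
        h->writes_after_free++;
    return p;
}

static void heap_free(toy_heap *h, void *p)
{
    int idx = (int)(((unsigned char *)p - h->arena) / BLOCK_SIZE);
    if (h->checking)
        memset(p, POISON, BLOCK_SIZE);   /* never hand old bytes back */
    h->free_stack[h->nfree++] = idx;
}

/* Constructed payload standing in for whatever the buggy caller cached. */
static const char SAMPLE[] = "session-record-42";

/* Pattern 1: free a record, then expect the next same-size allocation to be
 * the same block with its old contents. Returns 1 if that "works" (the hidden
 * dependency the comment describes), 0 if the allocator hands back poison. */
static int reuse_returns_old_bytes(int checking)
{
    toy_heap h;
    heap_init(&h, checking);
    unsigned char *a = heap_alloc(&h);
    memcpy(a, SAMPLE, sizeof SAMPLE);
    heap_free(&h, a);
    unsigned char *b = heap_alloc(&h);   /* LIFO: same block in both modes */
    return b == a && memcmp(b, SAMPLE, sizeof SAMPLE) == 0;
}

/* Pattern 2: write into a record after freeing it. Returns how many such
 * defects the allocator reported: 0 for the fast freelist, 1 when checking. */
static int detected_writes_after_free(int checking)
{
    toy_heap h;
    heap_init(&h, checking);
    unsigned char *a = heap_alloc(&h);
    heap_free(&h, a);
    a[0] = 'X';                          /* the bug: write after free */
    heap_free(&h, heap_alloc(&h));       /* checking mode catches it here */
    return h.writes_after_free;
}

int main(void)
{
    for (int c = 0; c <= 1; c++)
        printf("%s: old bytes survive free = %d, writes after free reported = %d\n",
               c ? "checking" : "fast", reuse_returns_old_bytes(c),
               detected_writes_after_free(c));
    return 0;
}
```

Code that passes only in fast mode is exactly the kind of hidden allocator dependency the comment describes; running the same tests against the checking mode is what surfaces it.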

Should Microsoft Give Kids Programmable Versions of Office?

bmajik Re:Microsoft does not want kids coding... (226 comments)

Suppose it has a security vuln?
Suppose it depends on a certain version of a legacy DLL we need to service for other callers?
Suppose it was never localized beyond English?
Suppose admins want to enable/disable it via group policy?


For better or for worse, it is incredibly expensive to put something in the Windows Box.

We give away VS for free, in a variety of different versions/avenues. By not putting it in the windows box, we avoid a huge # of headaches.

about a week ago

Should Microsoft Give Kids Programmable Versions of Office?

bmajik Re:Microsoft does not want kids coding... (226 comments)

Your conclusion is entirely wrong.

Because Microsoft doesn't do the things YOU think Microsoft should do, you can ascertain the motivations and goals of Microsoft?

How interesting. Suppose we hire you to lead our CS education strategy. Can you promise results? Are you willing to bet your career on your prophecies coming true?

Let me tell you what IS true.

Microsoft lets me -- and many other MS employees -- volunteer to teach CS in public K-12 schools, 1 hour a day, before heading into the office for our "real jobs".

MS spends money to make this happen (volunteer matching hours), and gets less of my productive time (without docking my pay). There are full-time employees dedicated to this project. They have no other MS business function.

The program I am referring to is called TEALS (www.tealsk12.org)

It is just one of the ways that MS puts time, money, and people, into trying to build a better pipeline of students who can do CS.

I don't think stuffing GWBASIC back into windows is going to take us from where we are to where we need to be.

about a week ago

How Many People Does It Take To Colonize Another Star System?

bmajik Spacedocking? (392 comments)

Luckily, tens of thousands of pioneers wouldn't have to be housed all in one starship. Spreading people out among multiple ships also spreads out the risk. Modular ships could dock together for trade and social gatherings
I don't think this will contribute to genetic diversity....

about two weeks ago

60 Minutes Dubbed Engines Noise Over Tesla Model S

bmajik Re:60 minutes is not longer of value (544 comments)

60 minutes has had credibility problems for a long time.

They _destroyed_ Audi in the 1980s. They fabricated the "tests" and the results. They modified the cars and rigged them to fail in the way 60 minutes wanted them to.

Nothing 60 minutes says about cars should be considered accurate.

If there was any justice in the world, the show and the people behind it would have been in prison 30 years ago.

about two weeks ago

Ask Slashdot: Do Any Development Shops Build-Test-Deploy On A Cloud Service?

bmajik Re:Don't do it. period. (119 comments)

Funny you mention that.

Early in my Microsoft career, I built a system that provisioned thousands of windows machines on an as needed basis, differing by SKU level, language type, windows version, etc.

I was proficient in scripting the installs of windows machines -- even back when windows didn't natively support that sort of thing very well (e.g. NT4).

To be honest, Windows looks pretty good compared to any Linux distro I've worked with when it comes to automated provisioning and post configuration. That's a subjective comparison, of course, so I'll just say: I don't think windows was your problem.

It sounds like your management wasn't especially visionary nor technical, and that you failed to make an adequate business case to them regarding how much productivity the team would gain in the long run if you worked to automate these repetitive tasks.

That's a shame. I'm glad you moved on to greener pastures.

about two weeks ago

Ask Slashdot: Do Any Development Shops Build-Test-Deploy On A Cloud Service?

bmajik Re:Don't do it. period. (119 comments)

Why didn't you script all of the activities you just described?

about two weeks ago

Tesla Model S Gets Titanium Underbody Shield, Aluminum Deflector Plates

bmajik Re:Quadratic, not exponential (314 comments)

2 is an exponent :)

I apologize for misspeaking. I remembered that drag increased with velocity according to some power, but didn't remember which one. Thus, my sloppy language.

about three weeks ago

Tesla Model S Gets Titanium Underbody Shield, Aluminum Deflector Plates

bmajik Re:Very amusing but... (314 comments)

Most German cars (which is who Tesla competes with) have undercarriage engineering for reasons of sound and high-speed aero concerns. They are expected to sustain 200kmh, and the relevance of drag rises exponentially with speed, but also, controlling airflow is important so that the car doesn't have too much high speed lift. What you do NOT want is a vehicle that loses significant grip as speed rises, yet most cars are shaped like (poor) airfoils so this is a concern.

You may recall that the first gen Audi TT did not have a rear deck spoiler, but real world driving showed that there were many high speed loss-of-control accidents with the vehicle, so a rear spoiler was fitted later.

about three weeks ago

More On the Disposable Tech Worker

bmajik Re:Not easy? (323 comments)

Of course.

I would say it is more of an exceptional case, but I've worked with folks who have non-technical degrees (Philosophy) and those who have no degree at all.

I think most of our listings say they require a 4 year degree in CS or a related field. So, that's a pretty harsh filter.

If you're the kind of person that doesn't match resume filters, your best bet is to know somebody already in the company, and get referred by them.

It's probably easier than ever to get noticed in the software industry though. There is a whole world of open source projects out there for you to contribute to, and all of that work is, by definition, public knowledge.

When I see someone has listed work they've done on OSS projects on their resume, that tells me way more than whatever they write about education or school projects.

about three weeks ago

More On the Disposable Tech Worker

bmajik Re:Not easy? (323 comments)

Your conclusion -- that good candidates never make it to my inbox because of recruiter filtering -- is certainly possible.

I think you've misunderstood what I wrote, however, on criteria.

Not only do we not have a policy of only hiring the top 20%, we don't even know how to measure that.

I am basing those comments on the observation that we talk to many more people than we're actually able to feel good about extending an offer to. I surmised it might be the top 20% based on the # of people I personally have had to "no hire" before I could recommend a hire. I apologize for not making that clearer.

I suspect that, as a college hire, you'd have been an ideal candidate for us. Clearly you had passion in the software space, given what you'd accomplished before finishing college. It's always possible that you'd bomb an interview question about doing something perverse in C with linked lists, but, that's really a matter of your technical competence and if you have any hangups about technical interviews (some people do).

fwiw, I went to a boring state university, and had a pile of UNIX/linux experience before and during college.

We have no restrictions or criteria at all as far as what universities people come from (we do have a finite amount of university recruiting money, so, we don't send campus recruiters to every college in the US.)

Regarding recruiting -- the recruiters we have are not programmers, but technical recruiting is the entirety of their job. And, they are not the only way people get into the pipeline. For instance, when I do campus recruiting trips, there is little to no pre-filtering of the resumes I get.

The conclusion I really want you to take away is that just because somebody has a degree in CS doesn't mean we can hire them.

about three weeks ago

More On the Disposable Tech Worker

bmajik Re:Not easy? (323 comments)

You can do a quick search to see the # of open positions at Microsoft, Google, Facebook, etc.

For just Microsoft, the # of open IT & Software engineering positions in the US is in the thousands. Most of them stay open for months.

I've been interviewing software engineers at Microsoft for over a decade. For a given position, I normally talk to around 5-10 folks before we find one we can make an offer to.

You might argue that that's because all the really good people won't talk to us, because we pay so poorly.

I don't think that's true. We pay pretty well, especially for entry level positions. I've interviewed outside the company on a few occasions over my career. For any smaller company, trying to match my existing compensation package is usually a non-starter. I figure that if I lose my job, I'm taking a 50% pay cut to come onboard somewhere else.

Furthermore, as per federal law, the salary range for every open position for which we are entertaining H1-B applicants is posted internally. The idea is that people here on H1-B cannot be left "in the dark" about what "normal" pay is for their job title and level.

So, the bottom line is this: Google, Amazon, Microsoft, Facebook, etc all have deep pockets and are competing with each other for labor. Apple and Goog may have been doing their collusion thing but in general, I don't think the problem with Microsoft hiring folks is the money. Often the people we're hiring could get by just fine on less money; what they want is more autonomy or to work on something they perceive to be cooler. Basically, any number of non-compensation related issues.

Despite the outrageous comp packages we offer, there simply aren't enough qualified people applying for positions.

And, by the way, the issue isn't, "we need 15 years of .net experience" or other such requirements. We try as much as possible to hire on aptitude and passion. Unless it's a special situation, I don't care what technology people are familiar with when I interview them; I care that they can explain an algorithm to me, and that whatever code or pseudocode they use is plausible (and explainable by them).

Seriously. Finding people who can develop and explain a basic algorithm is difficult. We can't find enough of them.

It isn't a new thing, or even an MS specific thing, btw. When I was interviewing developers at a much, much smaller company, I came across a candidate who didn't know about binary search. She had absolutely no idea where to start.

She had a CS degree.

If you're holding out for great talent, you're competing with a lot of other companies, and all of them have deep pockets. The need is simply greater than the domestic supply.

You can look at the # of American kids going into CS, EE, CompE, etc in American Universities. Then you can look at how many come out.

A quick web search told me: in 2009, the number of CS undergraduates from American universities was 38,000.

Suppose that we want only the top 20% of those graduates -- and that 100% of them are American.

That's 8000 people. Can you see how every company in America chasing after the same 8,000 people may make it difficult to fill positions?

We need more people going into CS (something I'm helping with by volunteering at a local high school), and we need more of them to be really, really good.

Until then, we're going to try and get the best people we can get from anywhere we can get them.

One other point -- it is horribly expensive to take on foreign workers. There are binders of lawyers at MS that deal with employee visa and immigration problems, on an ongoing basis. We have employees that go on vacation and then can't get back into the US. That's months of lost productivity. Even if someone is here and working, they have all kinds of immigration bullshit to deal with. That's time they're not working, and that's time they're keeping our immigration lawyers busy. It's all a huge tax that domestic workers do not incur.

So, in conclusion, I think the oft-repeated meme that H1-B is all about saving rich companies money is mostly bullshit.

In my experience, it's about getting good people from anywhere we can get them. Not all of the smart hard working folks were born in the US.

about three weeks ago

OASIS Approves OData 4.0 Standards For an Open, Programmable Web

bmajik Re:What is OData? Why should you care? (68 comments)

I suggest you look at the $metadata document for the service I linked to.

The property names, conceptual storage types, relationship info, etc, is all in there.

I'm not sure what problem you're trying to solve, exactly.

about a month ago

OASIS Approves OData 4.0 Standards For an Open, Programmable Web

bmajik Re:Reinvention of RDF + SPARQL (68 comments)

You could be right.

OData predates SPARQL 1.1, however, and supported all CRUD operations from its inception.

about a month ago

OASIS Approves OData 4.0 Standards For an Open, Programmable Web

bmajik Re:Reinvention of RDF + SPARQL (68 comments)

SPARQL appears to be read only, and to be restricted to data in kvp or 3-tuples.

OData supports mutable entities, change and request batching, and http GET semantics for data access. It would appear to map much better to real-world databases and business use-cases.

about a month ago

OASIS Approves OData 4.0 Standards For an Open, Programmable Web

bmajik What is OData? Why should you care? (68 comments)

OData is (now) a standard for how applications can exchange structured data, oriented towards HTTP and statelessness.

OData consumers and producers are language and platform neutral.

In contrast to something like a REST service, for which clients must be specifically authored and the discovery process is done by humans reading an API doc, ODATA specifies a URI convention and a $metadata format that means OData resources are accessed in a uniform way, and that OData endpoints can have their shape/semantics programmatically discovered.

So for instance, if you have an entity named Customer hosted on http://foo.com/myOdataFeed, I can issue an HTTP call like this:

GET http://foo.com/myODataFeed/Cus...

and get your customers.

Furthermore, the metadata document describing your customer type will live at

foo.com/myODataFeed/$metadata ... which means I can attach to it with a tool and generate proxy code, if I like. It makes it easy to build a generic OData explorer type tool, or for programs like Excel and BI tools to understand what your data exposes.

Suppose that your Customers have an integer primary key (which I discovered from reading $metadata), and have a 1:N association to an Orders entity. I can therefore write this query:

GET http://foo.com/myODataFeed/Cus... .. and get back the Orders for just customer ID:1

I can add additional operators to the query string, like $filter or $sort, and data-optimization operators like $expand or $select.

OData allows an arbitrary web service to mimic many of the semantics of a real database, in a technology neutral way, and critically, in a way that is uniform for anonymous callers and programmatically rigorous/discoverable.

Examples of OData v3 content are available here:


OData V4 is a breaking protocol change from V3 and prior versions, but has been accepted as a standard.

And, shameless plug: If you want to consume and build OData V1/V2/V3 services easily, check out Visual Studio LightSwitch :)

about a month ago



Thousands of sites destroyed via HyperVM 0-day

bmajik bmajik writes  |  more than 4 years ago

bmajik writes "Sunday, A2B2, who runs VAServ and fsckvps had many of its customer Virtual Private Server (VPS) objects compromised and suffered widespread data loss. The exploit appears to have been based on the HyperVM / kloxo VPS management software that they used. On June 4, a massive list of bugs in kloxo was posted publicly, after what appears to be an attempt at responsible disclosure which met with total disinterest from the vendor, LXlabs. As the VPS management software allows commands to be run on each virtual guest, hundreds if not thousands of customer VPSs have had partial or complete data loss. Note that this was a fully-patched HyperVM installation. Anyone using HyperVM or kloxo is strongly encouraged to disable that software immediately. The crackers in question appear to be with a Chinese group called fag0.cn and have no clear motive apart from causing destruction. There is a long thread on webhostingtalk.com discussing the issue."

Microsoft's Interop Announcement

bmajik bmajik writes  |  more than 6 years ago

bmajik writes "Microsoft is making a big deal about its new interoperability initiative. The announcement of "principles" include data portability, increased support for standard data file formats, open protocols, open API access, and a list of which MS patents apply to which protocols, and the terms under which those patents may be licensed. Additionally, the announcement includes a covenant not to sue creators and users of F/OSS software who make use of these open protocols. What do people make of this announcement? Does it change things?"



More reflections on geek relationships

bmajik bmajik writes  |  more than 3 years ago

This post got a lot of points and apparently a lot of traffic interest. An A.C. suggested that it was the first post they'd ever seen that should have been modded "+100", and _their_ post got modded up.

So now that I've gotten lots of people to read and think about what I wrote, and many who liked it, I'm going to disagree with part of it.

I think I was perhaps being too hard on AMD lady, and perhaps I was missing the focus of what she was talking about. My post deals a lot with _maintaining_ relationships and building them. But I think TFA was referring to _meeting_ geeks.. "catching" them if you will. And my post is potentially not relevant as a response to TFA.

There are some key points that I think still stand, but one thing that I want to revise or comment on a bit is when a woman takes an interest. The 1-liners or plausible topics of conversation postulated by the AMD lady didn't hit me because I am not that interested in PC video cards any more. So in the context of an advice blog to women about how to approach some easily-fits-in-a-box hypothetical geek, I rejected not only the premise but the specific lines used.

But then I got to thinking about my own history, and I remember a specific time where I was at a wedding reception or "couples baby shower" or some similar thing, and there was another woman there who had a real interest in cars and spirited driving. And so we chatted just briefly about it...I think she had heard that I was a car guy and so she approached me to talk about it.

Later that night I had to admit to my wife that it was troubling me just how _haunted_ I was with thoughts of this gal, because she approached me about an interest of mine, essentially out of nowhere, and it is an interest that women typically don't share -- certainly my wife doesn't. And so even though I was happily married, my thoughts that day kept returning to this woman. It was a few minutes of conversation and it was at least 8 years ago. Yet I still remember the experience and how I felt about it.

So there is certainly something to the idea of "snaring" a guy by letting him know you share his interests. I think the parts of my post that suggest you need to be authentic, legitimately interested, and so on all still apply. But I wouldn't want someone to read what I had written and come away with the idea that approaching a guy about his interests would be detrimental.

(As an aside, a great friend of mine, who is also a go-fast junkie, ended up having a very serious relationship with a younger girl who was _also_ a driver. And it turned ugly. Sometimes, shared passions/interests/hobbies make better introductions than they do compatible mates. I bet there is some interesting literature on competitiveness/etc dynamics within relationships where each party has some similar jobs/hobbies/interests/whatever).


What do you do with hardware you can't give up?

bmajik bmajik writes  |  more than 5 years ago

Growing up, I was a big fan of workstation class machines. This persisted all through high school and college, and for a while, a bit afterwards.

For instance, I left high school with a Sparc IPX and a Sparc 10, but no car. Goofy priorities, I guess. When I was in school I picked up an SGI I^2 High Impact. I outfitted my SS10 with dual SunVideo cards, a dual-proc upgrade, a couple different framebuffers (TGX, ZX, etc).

The Math Department of my school auctioned its entire remaining inventory of NeXT workstations -- which I bought in its entirety. In addition, I picked up a color Turbo, an NCD X-Terminal, a few VT100 clones, etc.

Now, I've moved a lot since then. I sold my SS IPX to get some other hardware. I gave my SGI machine to a friend that had never used SGIs or IRIX before. I sold my Color Turbo to a guy who might make better use of it. The X-term ended up with a friend I think.

I divested half of my NeXT lab -- including the monitors -- to people that wanted to play with them. I have 3 non-functioning 030 cubes left, and with a sheet of plain glass, they make up one of my coffee tables. I also have my SS10, which I cannot let myself get rid of because of all the money I dumped into it.

I've made my peace with using the remaining NeXT cubes as furniture. I'm not sure what to do with the SS10 - it uses a lot of power, it's very loud, and I can't think of much interesting to do with it. It's utterly worthless on ebay.

I think I still have my Apple ][+ somewhere. It's the machine I learned to program on.... :)

What do you do with old computers that are "special", but that you don't have a computing need for?


The standard argument against an ABM know-it-all

bmajik bmajik writes  |  more than 8 years ago

I read a lot of funny comments about "MS should do this", "MS is stupid", "those people are idiots", "this is the obvious thing to do", etc.

Here's my standard response:

1) We (MS employees) don't know everything

2) Some of us are pretty smart

3) If the "obvious" answer you are parroting were both obvious _and_ satisfactory, wouldn't some of the smart people already have suggested it?

3a) We can safely conclude that your answer is either
3a-1) novel and non-obvious
3a-2) utterly unworkable for reasons that you may never know
3a-3) unattractive for a variety of reasons, which, again, you may never know

4) In the event you can fix whatever large problem you're describing about Microsoft (from the tone of your post, it seems that you think you can, i.e. you make a lot of really basic suggestions, which further suggests that we're idiots for not doing the obvious things you point out), please, please come work for us. We want more smart people. We want people that can solve all of the problems we have. If you could solve just the _one_ problem you described to the satisfaction of all relevant parties, and then accomplish nothing else, we'd pay you any realistic amount of money you'd want. Seriously. I don't have the pull to authorize that sort of thing, but Bill and Steve have personally hired people straight out of college.

We suck, you know it, and in just a few sentences you've described completely how to fix it. Problem is, if your suggestions had never occurred to us to begin with, what are the odds that you telling us is all the help we need? It's downright inhumane of you to not help us get better by coming to work for us and showing all of us how wrong we've been and how we've been missing it the whole time.

The ball is squarely in your court.


welcome to the midwest

bmajik bmajik writes  |  more than 10 years ago

Moving from Redmond to uh.. North Dakota is a bit of a change :)

See, I bought an old BMW a few years back because I liked the first one I had in college. (I bought that one because it was cheap and fast.) I bought my wife a VW because almost nobody makes station wagons with a manual gearbox besides VW. And when I moved out here I needed a winter car, so I bought an old used Audi.

So, that's 3 german cars. My wife and I contribute roughly 50% of the imported car market for ND, as near as I can tell.

Who buys all these craptacular american cars that are usually fleet vehicles or rental cars in the rest of the world? I mean, Civics and Camrys aren't even common out here - those are cheaper AND more reliable than this junk..

Also, if you live in a place that is regularly below freezing, and gets lots of snow.. please buy snow tires for your lame pickup truck. That way you won't spin your rear tires all the way across the intersection at 2mph.

One nice thing though. The house we just bought out here cost us half of what our house in Redmond cost. Screw property prices out there. It's just ridiculous.


friends, foes, freaks, fans

bmajik bmajik writes  |  more than 10 years ago

Want to see something funny? Look at the "fans" info for "John Carmack". His fans list could be like an HTML renderer perf benchmark :)

Now look at John's "Friends"

Now, look at John's "Freaks". Who are these people that insist they hate John Carmack? Why would you hate John Carmack?


If you read this..

bmajik bmajik writes  |  more than 11 years ago

Reply with the following info:

What made you look at my user info page?
