Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

IEEE Guides Software Architects Toward Secure Design

Rob Fielding Re:Number 5 (51 comments)

By what technical means do you prevent data leakage though? You need to specify what the system (and its users) will NOT do. Defending against bad input (and bad state transitions) is the foundation for everything else, because there is no technical means of enforcing any other security property otherwise. The game of the attacker is to reach and exploit states that are undefined or explicitly forbidden. Think of the Heartbleed bug as an example of a failure in 5 mooting 6. Bad input causes a web server to cough up arbitrary secrets, which is used to violate every other security constraint. For 5 mooting everything, including data leakage protections: SQL injections can be used to extract sensitive data out of web sites (ie: SilkRoad user lists presented back to the administrator with ransom demands). I work on a data leakage protection system, and it's based on earlier intrusion detection and prevention systems for a reason. I regard Intrusion Detection and Intrusion Prevention systems as essentially trying to force a fix of number 5 over a zoo of applications that didn't get it right; amounting to taking action on a connection that looks like it's not safely following protocol.

about a month ago
top

IEEE Guides Software Architects Toward Secure Design

Rob Fielding Number 5 (51 comments)

Number 5 is the most important. It is about defending against bad input. When an object (some collection of functions and a mutable state) has a method invoked, the preconditions must be met, including message validation and current state. A lot of code has no well defined interfaces (global states). Some code has state isolated behind functions, but no documented (let alone enforced) preconditions. The recommendation implies a common practice in strongly typed languages: stop using raw ints and strings. Consume input to construct types whose existence proves that they passed validation (ex: a type "@NotNull PositiveEvenInteger" as an argument to a function, etc). DependentTypes (types that depend on values) and DesignByContract are related concepts. With strong enough preconditions, illegal calling sequences can be rejected by the compiler and runtime as well. If secure code is ever going to start being produced on a large scale, people have to get serious about using languages that can express and enforce logical consistency.

about 1 month ago
top

Apple Announces New Programming Language Called Swift

Rob Fielding Re:Whoa 1.3x (636 comments)

Bad algorithms are the major difference between a totally self-taught programmer and a programmer who has learned some actual computer science. Yes, "1000x speedup" is not ridiculous at all. Use the wrong algorithm, and you can make this speedup number as large as you want by feeding it a larger data set.

about 4 months ago
top

Imparting Malware Resistance With a Randomizing Compiler

Rob Fielding Or deal with pointer arithmetic properly (125 comments)

This is only an issue because of unchecked pointer arithmetic. For garbage collected and range checked items, you can't take advantage of co-location of data. In a JVM, if you try to cast an address to a reference to a Foo, it will throw an exception at the VM level. Indexing arrays? Push index and array on the stack, and it throws an exception if index isn't in range when it gets an instruction to index it. In these cases, pointer arithmetic isn't used. In some contexts, you MUST use pointer arithmetic. But if the pointer type system is rich enough (See Rust) then the compiler will have no trouble rejecting wrong references, and even avoiding races involving them. In C, an "int*" is not a pointer to an int. It is really a UNION of three things until compiler proves otherwise: "ptr|null|junk". If the compiler is satisfied that it can't be "junk", its type is then a union of "ptr|null". You can't dereference this type, as you must have a switch that matches it to one or the other. The benefit of this is that you can never actually deref a null pointer, and you end up having exceptions at the point where the non-null assumption began, rather than deep inside of some code at some random usage of that nullable variable. As for arrays, if an array "int[] y" is claimed, than that means that y[n] points to an int in the same array as y[0] does. Attempts to dereference should be proven by the compiler or rejected; even if that means that like the nullable deref, you end up having to explicitly handle the branch where the assumption doesn't hold. You can't prove the correctness of anything in the presence of unlimited pointer arithmetic. You can set a local variable to true, and it can be false on the next line before you ever mention it because some thread scribbled over it. Pointers are ok. Pointer arithmetic is not ok except in the limited cases where the compiler can prove that it's correct. If the compiler can't prove it, then you should rewrite your code; or in the worst case annotate that area of code with an assumption that doubles as an assert; so that you can go find this place right away when your program crashes.

about 4 months ago
top

Ask Slashdot: Minimum Programming Competence In Order To Get a Job?

Rob Fielding Re:Average (466 comments)

Yes, that is what I meant. You will be parsing data almost every day. If you are not good at this, then you will be responsible for the creation of a huge number of security holes, and never-ending quality issues. Complexity theory (ie: algorithms), Probability (ie: measuring), and a basic understanding of language theory (the core of compiler writing) are the key CS specific skills that excellent developers share. You do need to be good at math, but not necessarily the kind of math that is emphasized in the academic world.

If you already have a couple of good developers on a team and put on a guy who can't be trusted to edit the code without breaking its performance, correctness, or usability; he will both cause the good developers to leave and start creating maintenance burdens. That's why I say that the minimum competence bar to get into a programming team is actually pretty high.

Now if you have a job which isn't primarily programming, but are writing code to *automate* a tedious process that you would otherwise have to do manually; then go ahead and write horrible code. Maybe you have nothing to lose in that situation, or the consequences of maintenance fall on somebody else.

about 5 months ago
top

Ask Slashdot: Minimum Programming Competence In Order To Get a Job?

Rob Fielding Re:Average (466 comments)

Security correct input reading is a compiler problem. Almost all security holes result from haphazard file and socket reading. In any case, people who can only do simple things are not your 10x developers. Due to the maintenance costs of having bad code in the first place, a lot of places will do without a developer than have one that writes code that is just ok.

about 5 months ago
top

Ask Slashdot: Minimum Programming Competence In Order To Get a Job?

Rob Fielding Re:Average (466 comments)

Self-taught developers do need to pick up enough math to stop writing code that dies under its first realistic load (complexity theory). You can't write a good compiler without being able to learn the math. Computer graphics and Statistical programming require absurd amounts of math to do well (to be the 10x developer). I agree that the academic background isn't necessarily useful, and we see good people who went from high school to military to industry. Computer Science as it now stands has serious rigor problems. Which is why it is undergoing a serious security crisis, and the only light at the tunnel is languages that will reject logically inconsistent input that wont follow a specification. That means that at some point, programming is going to look a bit more like Haskell, and require some ability to write code that meets it's spec the first time; rather than quickly building something that undergoes haphazard maintenance for years on end.

about 5 months ago
top

Ask Slashdot: Minimum Programming Competence In Order To Get a Job?

Rob Fielding Re:Average (466 comments)

Even when you get good programmers, projects are often managed to push as many amps through a developer as possible. When that happens to a team, more difficult things do get accomplished, but the code often still looks like it was written by an amateur. Bad code ends up being like credit card charges that never get paid off, while the owed amount continues to climb until bankruptcy occurs. This is because the bad code wastes a percentage of everybody's time every day, and the mess compounds as everybody works around it. So, it is often better to just not hire a developer that isn't "the one" (who is often worth about 10 normal people). We used to do interviews including the entire office, and generally require unanimous approval. Maybe 50 to 100 people between phone screens and actual interviews were done to get one person. I think there is an oversupply of people trying to specialize in programming; and most people should be learning programming as a supplemental skill to a specific business.

about 5 months ago
top

Band Releases Album As Linux Kernel Module

Rob Fielding Re:Lol wut (128 comments)

This! I had to reload my psmouse module half way through the album. Apparently this is not so uncommon on Dell laptops. I read the source code, and it was trivial. But the very large byte array size makes this something that's generally inadvisable, precisely because you could jump somewhere into it where the audio happens to be specific byte code. I also discovered it from tweets coming out of thegrugq, etc.

about 5 months ago
top

Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

Rob Fielding The real failure is in the process (447 comments)

C is a perfect language for back-dooring code. Without good tools - even for the sake of code reviewers that are trying to defend the code base against good malicious programmers - we won't be able to keep up. Most C code is going to be full of accidental back doors, and possibly a few intentional ones. Something has to be done about machine assisted proof of memory safety, and about ensuring that parse code either follows a spec or stops parsing the input. High level languages with memory safe semantics are essentially constructive proof of memory safety at the cost of performance. You can also go the route of fixing the defaults of what is going to be allowed in important C files, and force programmers to #pragma their way out of violating the constraints so that potential bugs are easy to spot. Or better yet, stop using read() in the raw to ingest input; and force the code to parse input with a well defined grammar (and fail to compile otherwise). You don't necessarily need an abstract garbage collected language that prevents you from cutting yourself. What you really need is by any means necessary to limit security critical code to constructs that the compiler can prove the consistency of. Code review should essentially amount to the reviewer making a list of proof demands, with the review process failing until there are machine checkable proofs of these facts. Every exception to these rules (Supress warnings, or accepting a hand proof, or proof by authority) need to be documented at the line where they happen. That way, when the next back door is discovered, we can easily search for the place that introduced it. This is not theoretical at all. I worked with a guy who was publicly accused of back dooring a Unix. No amount of code review will clear anyone of suspicion; because we use the crappiest tools for proving correctness of even small things.

about 6 months ago
top

App Developers, It's Time For a Reality Check

Rob Fielding Re:It doesn't cost... (161 comments)

You have to calculate it as: (Sales + JobOpportunities - (Taxes + Hardware + Software + Books + TheJobYouCantTakeWhileYouDoDev)) .... If you really are good enough to make a profitable app that covers all of your costs, then TheJobYouCantTakeWhileYouDoDev is about $100000. I put my well paid day job at risk doing part time mobile app development for a few years. My partner did in fact quit to do it full time (and eventually got tired of making $30k a year for 60hr workweeks doing work at about the $130k/year level - and found a remote development gig through the connections that app development gave him.) I calculate that had I quit the job to do it full time, it would be roughly competitive with my day job; but with very large variables for both risk and future opportunities. I consider it roughly equivalent to getting a Masters Degree. I learned a lot about the business side of development.

about 6 months ago
top

App Developers, It's Time For a Reality Check

Rob Fielding Re:Most of these guys got connections (161 comments)

There are other ways, like the military. I work at a place that is full of kernel developers. Most of our people have college degrees, but it seems that our best people went straight into tech work in the Israeli military and didn't stop to go to college when their mandatory service was up. It's different from the US because everybody does 3 years of military before they are able to go to college; but it seems to effectively provide a nationalized trade school that precedes college.

about 6 months ago
top

App Developers, It's Time For a Reality Check

Rob Fielding I have been there - Mobile Apps (161 comments)

For mobile apps, this is actually not a bad idea if you can afford to fail; because you are still unattached enough that nobody depends on your income in a critical way. If nobody is going to pay your way through college, then you have nothing to lose. Get your failures and experience in before you have a house and a kid. LinkedIn will light up for you as a side-effect. A lot of my friends are the top developers in the iOS music app space; and I was in the mosh pit trying to make it happen along with them (while working a good full-time job - contemplating full time app dev). A small number of them make a healthy living doing little more than occasional maintenance on long-shipped apps while using the rest of their time learning the craft and having a life. 90% of them fail badly, with improved job prospects. The 30% Apple tax is high, but the mobile user mindset is what makes it hard. The large volume of users that can drive your asking price down nicely can also be a major support nightmare because you have to deal with them directly. You will deal with fads, gaming the review system (ie: send you an email that implies that if they don't get something for free in a few days that you will get a 1 star review, or requesting refunds while keeping the app and still sending support questions for months on end). The huge numbers of apps can make it hard to get a foothold on iOS/Android. On other platforms, even a well promoted and executed (even best and only for its category) app can still fail because there really are almost no users. Even given a *great* app and somebody that's good at the business, it's still far more of a gamble than showing up to a job and knowing how much you will make. But it's far better to do this while you are living with your mom than sitting around doing nothing or working an unskilled job for minimum wage.

about 6 months ago
top

Ask Slashdot: Modern Web Development Applied Science Associates Degree?

Rob Fielding Re:Yes (246 comments)

Then remake the math curriculum around coding and probability. You should be writing lisp(?) programs to do your symbolic (not numeric) solves very early on. Put discrete math and probability far before calculus; and focus on writing programs to do the solves rather than on doing the calculations. Whipping up an app that succeeds just well enough to get into production but not to actually survive it is a problem that purely vocational training doesn't help with. That is how you end up with situations where a contractor is brought in to clean up a mess or to move blame to the contractor. The basics of computational complexity need to be absorbed before you can make web sites; even if they are all being hosted in AppEngine or AWS. Computer Science education is a bit floppy about teaching good software engineering (ie: small conceptual changes creating small code changes, making code organization scale, making efficient abstractions that don't leak). There comes a day where a vocational developer encounters major performance problems and things like this are found all over the code: 1) immutable string append in a loop (not understanding what O(n^2) means) 2) select * from two giant tables and group by unindexed field (not understanding what O(n^2) means) 3) deeply nested for/while loops (not understanding what O(n^2) means 4) data races (not having a coherent model of how the computer works, or what to do if you dont want to have to think about it too carefully)

about 7 months ago

Submissions

Rob Fielding hasn't submitted any stories.

Journals

Rob Fielding has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?