Chaos Program

In a computer forensics class I’m currently taking, we studied a federal document that goes in to great detail about how to handle computer security incidents. Malicious code, intrusions, denial of service attacks, the whole gamut of computer/network events that can cause an organization trouble. The document, put out by the National Institute of Standards and Technology is called the Computer Security Incident Handling Guide (aka SP800-61) and it is some of the most useful, albeit hideously boring, reading available for IT professionals currently available.

However, useful and wonderful though it is, I have some problems with this publication. There is very little I can point to and say, “This is wrong.” It covers a lot of territory in an organized way. It gives good advice. Yet I find the total effect to be unsatisfying. Sure, any organization that implements all of the recommendations in this document will be well protected and very capable at responding to incidents when they happen. The trouble is that no organization on Earth is ever going to implement ALL of the recommendations. I don’t think there is enough trained manpower or enough time or money in the world to ever achieve the level of protection detailed (I could even say mind-numbingly detailed) herein.

There is discussion of plans, policies and procedures, guidelines and knowledge bases. The document includes checklists and tables, incident categories and even a marvelous equation for rating the severity of an event. It’s all very complete and very thorough and, as I said, all very sound and reasonable.

I just can’t imagine it can possibly work in practice.

read more »

I learned an interesting lesson at my job today.

Our team recently gained a member who is trained in user experience stuff, actual testing and measuring it, not just eyeballing it like me. During a couple meetings lately, we’ve discussed the language used on the web site. We’ve changed the terminology a couple times during the course of development as we thought of new implications and also as we struggled to describe the technology in ways that people who are new to it can understand. When you’ve been working on a project for a couple years, learning how to talk about it to people who are brand new to it can be a challenge.

What do you mean you don’t understand what a child node is? It’s a node directly linked by a default or alternate path from a parent! (Note: Never end this type of sentence with words like “dummy,” “idiot,” “moron” or anything similar. For some reason it doesn’t go over well.) (See here for a partial explanation of child node)

One result of the changes in terminology is that the web site is inconsistent. Sometimes it uses one term, sometimes an older one that is no longer approved. This might be because we forgot to change it or it might be because someone was writing stuff and forgot that we had changed the term. An attentive reader might be thinking, “Ah! So you learned you should thoroughly edit everything when you make changes, maybe even have copy written by a professional who will be focused on the words and not think of them as a distraction from the real job of hacking code!” This would be wrong. Nice try though.
read more »

In my current employment I’m a website programmer. And a technology researcher and system administrator and probably a couple other things. But that’s not important right now. It’s the programming stuff that matters tonight. I have a big deadline coming up in a couple days and I’ve been putting in some extra hours and I’ve had something of an epiphany. It’s probably nothing new to other programmers but it is to me.

We need more comment labels.

It’s like this: Programmer’s make notes in the code we write. They’re called comments. There are certain commonly accepted prefixes that can start a comment – so commonly accepted that certain IDEs (for people who don’t know what that means, think of it as a window you type programs into) recognize them. Some IDEs will apply special highlighting to the labels so they are easy to see. This makes it simple to look at a file and find places where improvements need to be made.

The most common of these labels are TODO and FIXME. Here’s an example from one of my current projects:

#TODO: Move this function to the observer

For the record, I use TODO  a lot more often than FIXME. It would be nice to never use FIXME but sometimes there are other considerations than making every piece of code perfect. Like lunch. Or the demo that’s coming up in 15 minutes and the code had better be working (even if it’s not very pretty).
read more »

For some people, one of the things that makes science fiction interesting is the way it deals with ideas. I’m one of the old school that prefers the scientific and technological ideas over philosophical ones, as I find most philosophy (particularly when it’s in the context of science fiction) to be pretentious and illogical. Technology is a tool for building things and making people’s lives longer and more comfortable. It can’t change who we are (which could be a reference to the exceptional TV show Dollhouse or it could just be a segue into the discussion that follows. Don’t ask me which. I just write this stuff, I don’t analyze it).

Lately, due to the release of the new Terminator movie (Terminator: Salvation – a title apparently chosen more for dramatic impact than for anything that happens in the movie), there has been a slew of articles about how technology – especially robots – will shape the future of the human race. Usually the headline is something like, “Real life Terminators: How much time do we have?”

I’m not going to link to any of those articles because they are, almost without exception, not worth the paper that no one is bothering to print them out on (Sorry. This isn’t supposed to be a “what’s wrong with newspapers” post). For the moment it should be enough to say that the technology to build terminators doesn’t yet exist. Not the hardware and not the software. The robot apocalypse proposed by the Terminator movies is not just around the corner. Those movies came out of a different time and a different generation that grew up with the idea that some kind of apocalypse (probably a nuclear one) was always around the corner.
read more »