Smalltalk Tidbits, Industry Rants

While I was in Florida last week, I thought the water was getting colder on Tuesday and Wednesday - it was great on Monday, and very cold by Wednesday - I was at Melbourne Beach (east coast), and the water there is normally in the 80's at this time of year. By Wednesday, it must have been in the 60's. That was weird. So I was interested by this article on cold water in the Atlantic:

Water temperatures at South Jersey beaches over the last two weeks have hovered in the high 50s and low 60s at a time of year when they are normally in the low 70s.

Some experts blame the chilly water on prevailing southwest winds. These can create currents that push the sun-warmed surface waters out to sea, said Charles Tilburg, a University of Delaware physical oceanographer. As the warm water heads out, frigid water comes up from the depths to replace it. That's "upwelling," a fairly common summer phenomenon along the coast.

If that article's right, it's going to play havoc with the tourist season on the east coast - water that cold is for surfers in body suits...

Scoble relates an outsourcing tale:

On the way back to Seattle, I sat next to a guy I won't name, cause I didn't tell him I was gonna put his comments on my weblog. He's Vice President of IT at one of the world's largest title insurance companies. Thousands of seats. Big deal, all over the world. Uses all Microsoft products.

He told me they are shipping all of their development work over to India. 50 developers affected. Many were from India to begin with.

Why are they doing that? He told me, it's all cost based. Moving developers over to India, saves tons of money

IMHO, the cost savings for this kind of work might end up being nebulous. Why? Well, I'd be willing to be that the management - the people who come up with the development requirements - will not be moving to India, nor will their jobs. That means that all the user representatives will be US based, and the developers will be 9 to 12 hours distant in timezone terms. Meaning, communication with these people will be fitful at best. Software just isn't like manufacturing - it's not automatic, and it requires a lot of communication. Either the Indian developers will be on nightshift (to allow for communication), or they will be effectively incommunicado. In the former case, you can expect a lot of turnover. In the latter case, expect a return to the glass house era of apps being "thrown over the wall".

It's not about the quality of engineers in India; it's about their remoteness. I simply don't think that you can get timely delivery of applications that actually meet your needs with a staff that remote. It's hard working with a distributed staff - trust me on that one! The Cincom Smalltalk team has people scattered across North America (with a few in Europe) - and communications are more difficult as a result. If the developers were 12 hours away, I'd never properly communicate with them. The question I'd ask that manager Scoble spoke to is this - "So, how do you expect to manage requirements with a staff that is out of synch (time-wise) with your management and users? Heck, if it saves money, why didn't you outsource management to India?". Whatever answer applies to management applies at least as well to software development.

This story on the hunt for how to shutdown Windows (from a complete neophyte's perspective) is very telling. How many of the apps we build could pass muster with a neophyte user? Something to think about...

I posted here on Tablet PC's, and Scoble responds with some questions:

OK, but now email that pad of paper to me, OK? Oh, and call me up on NetMeeting and let's work collaboratively on screen? Oh, and when you have 200 filled notebooks, I want you to search through all of them to find all the documents you've handwritten that mention me, OK? (Did you know that the Tablet PC automatically lets you search your handwritten documents?)

As to emailing, let me introduce Scoble to scanner technology. Cheap, easy to use, creates a nice document I can push anywhere I want. It allows me to use the best tool for the job (paper), and then send it along if I needd to. As to searching, maybe that's something he needs for these type of things - in my experience, such diagrams are mostly one-off exercises, rarely something I need to save. Certainly not enough to justify a Tablet. He goes on:

Oh, and, I want you to take a picture of Hillary Clinton, print it out, glue it on your paper notebook, and then get her to sign it, all before she leaves the building. That's precisely what I did. Why do you think she reacted so well to it? When I showed her my Tablet, it had her picture on it (one that I had taken just minutes before). She signed her own digital picture.

Had I really wanted a signature of Hillary's to save, I would have brought her book along and had her sign that. Far less ephemeral, and possibly even worth something someday. Five years on, the digitized signature will be lost, a victim of some system upgrade and filing in a directory you decided not to transfer. The book signature, on the other hand, would still be around. There are electronic documents and formats from 5 to 10 years ago that we can't really read easily - for instance, just try to get information (quickly) from a 5 1/4" floppy. On the other hand, I have books that I bought 30 years ago, and they are all still quite legible. If I want something like a signature to last, a PC is the very last place I would put it - because it's a very impermenent way to store things

Here's an interesting take on why NIH isn't always bad. There are some good points there.

A California couple is suing credit card companies for processing online gambling debts they incurred. There's this word I'm looking for here..... Oh yeah - Responsibility. As in, Personal responsibility. Here's hoping they get socked with the entire bill, plus court costs....

Have a look at this problem using Struts, which is Java based. Now, had he been using Smalltalk, or Python, or Ruby, or Lisp - guess what? No problem at all. And people wonder when I say that static typing has costs associated with it....

There's been some talk in the Smalltalk IRC channel about Jabber recently - now Dave Murphy points to this and this - two existing efforts.

Anthony Lander has pushed out a new version of Pongo - you can get the standalone application on the sourceforge site, or the plugin with BottomFeeder. Check the upgrade tool for the download. There are lots of new Pongo features, including support for encryption. Check it out!

Then look out for the upcoming Zip format war. Your aggregator will probably track both formats - BottomFeeder, for instance, is already keeping up with Atom - while you'll likely need a different tool for each zip format. Oh, happy day...

Gosling on the object/primitive gap via Charles Miller:

Depends on your performance goals. Uniform type systems are easy if your performance goals aren't real strict. In the java case, I wanted to be able to compile "a=b+c" into one instruction on almost all architectures with a reasonable compiler. The closest thing I've seen to accomplishing this is "Self" which gets close, except that the compiler is very complex and expensive, and it doesn't get nearly all the cases. I haven't read any of the squeak papers, so I can't comment on it.

Self and the Animorphic (Strongtalk) systems showed the way. The problem with his decision is that it gets the priorities exactly backwards. Most developers are not writing applications with hard constraints on numeric performance - if they were, VB wouldn't be so popular. Or PHP, or Python. Most people are writing "business" applications where time to market and correct behavior matter a lot more. What he did here is optimize for the infrequent case, at the cost of (expensive) developer time. It's a common mistake in this industry, and one that the curly brace crowd seems content to make over and over again. There are real costs associated with this choice, and the benefits are few. Heck, read this IBM white paper if you don't believe me. Yes, for the minority with real constraints, this is a benefit. But they aren't a big enough crowd to have driven this decision, IMHO.

Via Matt Croyden we get news that Panera Bread is going to offer free WiFi access in their shops! That means I can stop dropping the 10 bucks at Starbucks over at the Columbia Mall.

Gordon has some great first hand comments on SharePoint vs. Wikis. I know Cincom's IS group thinks that SharePoint is the way to go, while the Smalltalk group is sold on Wikis. Gordon's experience is worth looking at.

I got this link from Dave Buck. I'd laugh more if I hadn't seen something astonishingly like this at two different sites....

Not a natural thought for a Smalltalker, IMHO - declare everything final? This goes back to my main problem with the whole notion of final - it assumes knowledge on the part of the library designer that he can't possibly have - he doesn't know how the code will actually be used in the field, or what possible extensions someone else might consider. Instead, he just arbitrarily closes the whole thing off and announces it's perfect just the way it is

Now - how much software have you seen that qualifies as perfect?

Blaine Buxton fully explains 'final' to me. Scroll down to Blaine's comment - I simply did not realize tthat final had this meaning for variables in Java - and now the original post makes a lot more sense to me.

According to port 80 (by way of Scoble, in the top 1000 corporations, IIS use stands at 53%. No wonder there are so many security issues. Apache is hardly invulnerable, but it sure seems to have fewer issues than IIS.

Ted Leung notes that people don't think that Lisp has evolved much since 1982:

Now, I've been posting away about the virtues of Lisp and Lisp like languages in an effort to educate folks about what Lisp can do. But I certainly don't think that there's no room for advancement. So it was a little disturbing to read this

Could he be right? Is old-style Common Lisp or Scheme actually the best that we can do?

in Greenspun's post. Not because Greenspun believes it, but because I think a lot of people in the Lisp community appear to believe it. It's not enough to say Python/Ruby/C#/Java 2003 = Lisp 1982

Many people have the same perceptions about Smalltalk - they read about it once a long time ago, maybe used it a bit, and have since decided that it's old and outmoded (never mind that Java and C# are pale imitations). I don't think the pothole we fell into in 1997 is as deep as the one Lisp is in, but we do need to get the word out further.

Cook Computing makes some good points about XP pitfalls, but makes the mistake of recommending this book. I've posted on this crap before - Rosenberg and Stephens know how to attack a strawman, but wouldn't know XP if it bit them in the posterior lobes. However, Cook makes some useful points on the subject:

I heard of one group who, when asked for the design documentation of their current project, replied "We don't have any documentation, we do XP". Needless to say they weren't really following any XP practices.

I suspect you need high-calibre motivated and disciplined developers to get XP to work and that development groups who struggle with more traditional development processes will struggle even more with XP. So examine why the current development process doesn't work well before jumping to XP. The same problems may well make XP even less effective.

Like any other popular tool or methodology, the number of camp followers who claim to be doing it will be much higher than the number of people actually doing it.

Cook Computing makes some good points about XP pitfalls, but makes the mistake of recommending this book. I've posted on this crap before - Rosenberg and Stephens know how to attack a strawman, but wouldn't know XP if it bit them in the posterior lobes. However, Cook makes some useful points on the subject:

I heard of one group who, when asked for the design documentation of their current project, replied "We don't have any documentation, we do XP". Needless to say they weren't really following any XP practices.

I suspect you need high-calibre motivated and disciplined developers to get XP to work and that development groups who struggle with more traditional development processes will struggle even more with XP. So examine why the current development process doesn't work well before jumping to XP. The same problems may well make XP even less effective.

Like any other popular tool or methodology, the number of camp followers who claim to be doing it will be much higher than the number of people actually doing it.

In a Usenet thread, Ed posted this:

SPR Numbers

Language Comparisons

Actually based on metrics we have gathered from several large Smalltalk projects and reviewed with Capers Jones, the productivity numbers Jones cites are probably too conservative for Smalltalk. We found that the tables Jones provides in his seminal book on "Estimating Software Costs" ISBN 0-07-913094-1,on predicting how long a software project will take, match very closely with actual results. The book takes into account a number of variables in terms of software project type, (i.e. business software vs operating system), team skill as well as lowest cost or quickest delivery. The models are based on SPR's database of thousands of projects.

Since the models Jones provides predict project man hours fairly accurately when compared with actual results, we can then use the models to test various "what if" sceanrios including differences in programming languages. The models that Jones presents seem to show that typical Smalltalk productivity is about 6x that of typical Java productivity for the same type of large project. If one is working on a small project, then the differences in programming technology don't matter because the inertia of getting going, technology set up and debugging are much more of the total project time.

We have presented our results at several conferences with good feedback from the audience about their veracity. One other point is that, as of a few months ago, all of the data regarding Java productivity from the SPR language comparison, appears to be unchanged from several years ago.

Ed Klimas

Every time this comes up on Usenet, the common response is "those studies are bogus". However, the SPR data is the best data we have, and it's fairly conclusive - if you want to shorten your delivery time, use Smalltalk. If you want to enrich consultants, use Java.

Thomas Gagne makes some interesting observations on Smalltalk and the developers who use it in this Usenet thread:

In response to this question: Why do you think Smalltalkers are so loyal to their technology?

That's a really interesting observation. Entire herds of programmers (increasing their numbers picking up strays along the way) start with C, migrate to C++, then migrate again to Java, and threaten to abandon that pasture for C#. Perhaps they're not leaving devestated pastures for greener ones, but are instead wrangled from one to another by cowboy consultants, marketers, publishers, and other keepers riding the same wagon (gravy) train.

Meanwhile another group, unimpressed with the direction of the herd, remains in their own valley--having fed there 25 years--have found no greener pasture worth migrating too--wrangled or not. According to them they've already arrived. All the features the herd is chasing (object-orientation, a virtual machine, garbage collection, mature IDE, sane collection classes, and recently dynamic typing) are leading them there anyway. Why not wait for them?

It would be arrogant to think that Smalltalk is the last word in programming languages. But it seems several chapters ahead as other languages slowly add or imitate features Smalltalk's had for a generation. Is it possible that Smalltalk really is ahead of its time, or simply the average programmer (or programming shop, or whatever) is only capable of slowly digesting its features? I'm sure this is how LISP programmers feel about the rest of us.

Another way of looking at it is one group is following their food source (a good survival instinct) while another /may/ be threatened by starvation.

Curiously, Smalltalkers (it seems) demonstrate both traits--they prefer to write Smalltalk but "will write Java for food". What inspires this loyalty?

Interesting. Also of interest is the fact that the JVM remains frozen, making sure that actual progress in Java-land is limited. Microsoft seems to realize that's a mistake, and looks like they will be extending and changing the CLR as time goes by (in particular, they seem interested in adding better support for dynamic languages). Meanwhile, the Java folks are stuck with an early 90's vision of what a VM can and should do....

SCO says "we mean it!" about IBM's AIX license, and pulls the Sequent license for good measure. Now that IBM has deployed the lawyers, does anyone care?

Mosaic (the original) for Linux. Via Raw Blog.

If I had one, I'd post some pictures of the drainage project we've been doing in the back yard. A 50 foot long trench down the side yard, and two lines on the patio. Now we have to put the whole thing back together and get rid of the extra dirt....

Another new development system based on ideas coming out of Smalltalk and Self - Slate. Go check it out - the slides from StS are on the site as well!

I posted on the cold Atlantic phenomenon a week ago, and now this morning I see this report on the melting of arctic (North Pole) ice. Most reports I've seen on the cold water blame upwelling - an event where wind currents and other things combine to force deep water to the surface. These reports have also mentioned that a flow of cold, fresh water from an arctic melt could cause such a cold water event - and muck with the gulf stream. We better hope the gulf flow isn't being changed - because a shift could make the US east coast much cooler, and make Northern Europe's climate more like that of Canada....

Ted Leung makes a really good point about how companies get - and lose - business:

Companies don't get it anymore. You respect me. I learn to trust you. When I trust you, I keep buying from you. If I really trust you, I go out of my way to buy from you. I recommend you to my friends. But if you don't respect me? I had a telemarketer persistently call me about fixing my unbroken auto glass. I finally told him, "I know your company's name very well now. I'll be sure that I go anywhere except to you when my auto glass needs fixing". I told a Qwest telemarketer I wasn't interested. She climbed down my throat, asking me angrily "Didn't I want to save money?". I told her that if it meant having to deal with her, that I'd rather pay more. These companies are doing themselves a world of hurt, and they don't even know it.

I agree with that - and it goes beyond companies. There are charities - ones that do honest to goodness good work - that have completely turned me off with their phone solicitations. When you are asking me to help out and do a good deed, here's a hint - don't hint that I'm stingy if I don't give. Drives me nuts. Here's another example - late last year, for the first time ever, I made a donation to a political party (never mind which one - in this regard, I doubt it matters). Ever since then, there's been a steady stream of junk mail asking me to give more. I suspect that the postage alone for the solicitations has gotten to be more than I donated! That's irritating, but about a month ago, I got a new one - a letter stating that I "must not care anymore" and was "letting the other side win" - because I hadn't given more! Yeesh, in what Universe will that make me feel like donating again? Hot tip - if you want my money, don't berate me for not giving more! Who does the market research for these people anyway? Whoever it is, they need to go, and they need to go now.

Linux Today points outt an interesting development - SCO will argue in its suit against IBM that the GPL is invalid:

"SCO will attempt to win its $3 billion case against IBM by arguing that the General Public Licence (GPL) is invalid.

"That's what a pleader at legal practice Boies Schiller and Flexner is telling the Wall Street Journal today...

"But according to today's WSJ, quoting lawyer Mark Heise, the GPL is pre-empted by US federal copyright law..."

Confused yet? Read the full story here. Looks like the prediction that the GPL will be tested was correct. Most people seem to think that SCO will not succeed iin this money grab - but they could leave a trail of legal wreckage even in defeat.

The northeast blackout started while I was out dealing with our drainage situation. Here are the links, courtesy of Matt Croyden:

• CNN
• Washington Post
• BBC

Thank goodness I'm not trying to fly today...

Have a look at this page from Siemens:

PSE has experts with excellent Smalltalk know-how (both in the programming language as such and in the programming systems being commonly used today) and develops object-oriented software also in Smalltalk (beside other object-oriented programming languages). We like to use Smalltalk for prototyping and for software with high-end portability requirements.

Scoble talks about Anderss Hejlsberg. Here's something to assk him - what about closures? I asked him that at OOPSLA last year, and he squirmed - and then mumbled something about "not wanting to pay the cost". I'd be interested in a real answer someday...

The Register reports that the GNU serrvers have been owned by crackers since March:

Crackers owned the primary file servers of the GNU Project from mid-March until two weeks ago, the Free Software Foundation admitted this week.

The attack raises concerns about whether malicious code could have been inserted in the software available for download, including Linux.

Wow. Ok, all you people who have a faith based notion that open source is automatically safer than proprietary code - here's the counter-example. What this shows is everyone has to monitor their systems and keep up to date on security patches...

This article from Steven Den Beste lays out the whys and wherefores pretty well.

The NY Times (registration required) has a story on a possible source of the problem - northern Ohio:

William Museler, president of the New York Independent System Operator, which manages the state's electric grid, said "huge'' power fluctuations originating from a Midwest power plant started the downfall of the grid at 4:11 p.m. Thursday. He said the power swings became so large that the Ontario system could not sustain them, and the problem migrated to New York.

Maybe now the Canadian authorities will stop blaming non-existant lightning, or fires that didn't happen. Of course, the speculation about Ohio could easily be off as well; we really don't know anything useful yet.

When the user asks why did they even bother writing it?. The Pixela ImageMixer software is just horrid. The author or authors of this atrocity should get out of software and into something simple - like, say, ditch digging - now. Stop them before they code again! I've posted on this crap before - this morning, the problem seems to be getting video from the camera to the PC (XP Home) so that we can burn a VCD. Suggestions on better software welcome....

Just what we need on the east coast - a repeat of the sniper madness from last summer. I saw a few reports on this two days ago, but the blackout coverage has just swamped the story. However, the possible death toll from this now stands at 4. All in West Virginia so far, but that's not all that far away from the parts of Maryland and Virginia where last year's sniper attacks took place. Watch for this to splash the news once the blackout story recedes....

Sun's Ulander says Mad Hatter will be safer than Windows:

When asked how he knows it is not as vulnerable to viruses, Ulander explained it would have fewer holes to exploits due to the fact it is built on top of Linux.

"How [Microsoft] built their OS makes it fairly easy to exploit," said Ulander. "Virus writers can script to their macro environment."

I realize that this is mostly just marketing speak - however, Ulander may as well have painted a target on his back. Once MadHatter ships, the black hats out there are going to take that statement as a challenge...

How to turn the power on quickly, courtesy of Scotty and Mr. Spock....

Spotted in Cook Computing - I guess I'm not the only one wondering about closures in C# (see this post from this morning).

Joshua Marinacci confuses weak typing and dynamic typing. Smalltalk - for instance - is strongly, but dynamically typed. You can't get a type error of the sort you can see in a weakly typed language - like C++. In Smalltalk, if an object doesn't understand a message, you get a well understood exception. In C++, you can get an actual attempt to execute, followed by an ugly crash. Here's an example of his confusion:

I've seen lots of arguments on the merits of weak typing. It encourages flexiblity. It lets me write code faster. I don't worry about the details until later. I can do cool runtime tricks.

I don't buy it. I use a strongly typed language because the code it produces is more robust. Typing solves a slew of common programming errors all at once. It ensures that my code will always do exactly what I mean, no more and no less.

And yet... I can see the advantages of weak typing too. Java is a better prototyping language than C++ but it's no where near the speed of Perl for whipping up something quick.

Except.... C++ is weakly typed. With Casting, you get the worst of all possible worlds - the strictures of manifest typing, along with the runtime's utter inability to cope with a missent message. He continues to miss the point:

Why do we have strong typing anyway? I can only think of two things. First is performance. If you better specify what you want then the compiler can make faster code. The second is for people. The computer doesn't really care if this string really contains a number. It's all just bits in the end. The typing is for you, the programmer. To help you avoid mistakes. To express what you want the code to do to another programmer. It could be someone using your API, or someone modifying your code, or even yourself hacking on your own code in the future. Typing is a more detailed expression of what you want. But creating that expression can be time consuming and constraining.

Odd then, that Smalltalkers almost never run across the sort of typing error he touts as one of the two top reasons for having manifest typing, isn't it? 50% of his argument is crap, because that kind of error just doesn't happen that often. As to performance - the words premature optimization come to mind.

In case you were wondering, whales do actually fart:

Spotted via Al Hoang

I posted on outsourcing doubts last week. Well, I'm not the only one thinking these thoughts; Cringely has a few ideas as well:

And this leads us to why many development efforts of western companies in India don't work out. The problem with Indian software development is typically two-fold. In one sense, the Indian developers can't relate very well to the foreign end-users (us), and that can lead to problems. But far worse is a problem that is almost the opposite: The Indian coders are treated as just that -- coders -- with all architectural decisions being made 12,000 miles away. There is virtually no input to the architects from the coders because none is sought. That means problems that ought to be noticed early -- and probably are, but in India, not the U.S. -- are noticed too late.

One solution is to allow the Indians greater autonomy, but I think the best solution is to make the architects, whomever they are, live with the coders -- something that is literally NEVER done.

Very, very true. In fact, this sort of outsourcing takes us back to the worst days of early IT - the requirements get tossed over the wall to a bunch of people that are hard to communicate with, and the finished application gets thrown back some time later. There's a pretty good consensus out there that this process didn't work well with IT groups that communicated badly; it's not clear to me why a repeat performance with remote developers will work out better. I'll say it again - if outsourcing is a good idea for developers, why not for the marketing department? Or C level managers? The offshore replacements will certainly be cheaper. What's that you say? That the managers need to communicate more directly? Hmmmm. That's different from developers how?

Interesting speculation on the power outage yesterday.

Spotted in Matt Croydon::postneo:

MS: We'll show that worm that we can beat it.  Let's take our site down.

Worm: Mission accomplished.

About the size of it....

Scoble writes about security:

The problem is, at some point you'd have to ship new products. Our investors demand that too (new products are where new revenues come from). And, then, you'd be shipping new code with potential new vulnerabilities. Any code that does something interesting is a potential security problem. Think about that for a minute.

For instance, Microsoft just shipped OneNote. It doesn't have an API. Why? Because of security issues. But, it really limits the functionality of the app. I'd love to have Radio UserLand talk to OneNote, so I could use OneNote for blogging. I can't do that today because of security concerns.

Two things come to mind

• Security is in some sense a trade-off with aapplication integration (as alluded to above. In the past - mostly to please customers, IMHO - MS has rated interop higher than security (see MS Office, COM, DDE, etc)
• If MS had been using a managed environment for these apps, it would be far less of a problem. Buffer overflows just aren't an issue when I integrate plugins into BottomFeeder, for instance

However, it's not simply a matter of MS hosting stuff on top of the CLR from here on out either. There's a huge pile of legacy applications, and most of them aren't Microsoft's code. This is going to be an issue as long as people continue to use C and C++ for application development - and not only on Windows. As Linux popularity grows, start watching that platform for interesting buffer overflow issues more frequently...

Over at Artima, Bill Venners continues his tradition of asking dumb questions (his last effort was an interview of these idiots. Today, I see that's he's gone back to not understanding dynamic typing:

Bill Venners: In you book you say, "It is always beneficial to detect programming errors as quickly as possible." I've met people who don't feel that way: people from the Smalltalk community, people who like Python, and so on. These people feel that all those compile time errors get in the way of their productivity. They feel more productive in a weakly typed environment, where more problems must be discovered at runtime. These people feel that their weakly-typed language of choice gives them as much robustness, but more quickly, than strongly-typed languages such as Java.

Josh Bloch: I quibble with the fact that they are getting as much robustness. I suppose the extreme example of that is shell scripts, which are interpreted. There is no compile time. You can code anything you want. And I think anyone who has used shell scripts has seen them blow up in the field. In fact, people don't expect them to run on all inputs. If you take a shell script, try to do something fancy with it, and it doesn't work, you say "Oh well, I guess it doesn't handle that." And you play around with the inputs and try to find something it does handle.

That's right guys, we just throw crap at the system until it works. You can code anything you want in the popular languages with manifest typing as well - witness void * in C, and casting in general. Test first doesn't mean that you just keep hacking until it works. In fact, my experience is that the hack it until it works mindset is far, far more common in the world inhabited by the curly brace crowd than it is by the Smalltalk (or Lisp, or Python) crowd. Based on this little interplay, it looks like Josh Bloch:

• Has never actually used a dynamic language - or
• Didn't understand what he saw if he tried using one

Hey guys - let me know the next time you see a buffer overflow exploit in Smalltalk, Python, or Lisp. And by the way, Smalltalk and Python are strongly typed. For weak typing, look at C or C++

Don Park thinks spam is killing email, and he may be right:

I used to feel comfortable with reliability of e-mails.  When I send something to somebody, I felt reasonably sure that it will be delivered and read.  That is no longer true today even with wide use of spam filters.  When I send an e-mail now, I no longer feel sure of it being read by the receipient.

He goes on to discuss the ins and outs of how he classifies email that makes it through his filters; suffice to say that the volume is still high enough that a lot gets blown away with barrely a glance.

I actually don't use a spam filer; instead, I have filters for all my mail lists and people I expectmail from, and that all gets organized into folders. What's left in inbox is almost all spam, and gets manually deleted without a lot of detailed scanning. This is dangerous though - as the Product Manager for Cincom Smalltalk, I get a fair number of mails from people I don't know and have never met - more than once I've had to scan back through the trash for mails I deleted. I don't have any faith at all in digital signatures; I'me sure the spammers will find a way through that as well. Email, once a highly useful tool for communication, is getting more and more like regular mail every day...

I got three games of Puerto Rico in last night - and it must have been my night, because I won all three. The first two were close, but I really dominated the last game. I played a money/building game all three games, but the last one played very differently. In the first two, I bought the Factory early, and made sure to produce 4 different goods (first game) or all 5 goods (second game). I didn't really worry about losing goods to the ocean. Those games played within 2 points, and in the first, I just barely beat out the shipping strategy (corn). The third game was odd. I had almost saved enough to get the Factory again, when one of the players - producing only corn at that point - bought the last one (he later said that yes, it was to stop me from getting it). So I stopped diversifying, stayed with indigo, tobacco, and coffee - and bought a Large Market. By the end of the game, I had more victory chips than the other guys, and two big buildings. That was a fun game. I doubt I'll win three straight next time out though.

I recently got a request for a simpler feed for the public Store - someone using Trillian to read RSS had trouble with the 2.0 feed. I've added a new feed - there's now an RSS 0.92 feed and the same RSS 2.0 feed. Enjoy!

Charles Miller curses RedHat and RPM. I've had issues running RPM updates myself.

Wired News has a story about RSS - it's a light brush over the topic - but shows that syndicated content is starting to get wider interest

Casinos up the ante in the battle against card counters - with an application that tracks cards and bets at the table, looking for anomalies:

MindPlay works by placing a set of 14 digital cameras around a specially built blackjack table tray. The optical equipment registers every card in play by reading special invisible ink printed on them.

But that isn't the only trick up MindPlay's sleeve. It can recognize the differences between a player's drink, a napkin, an ashtray, a stack of chips being held by a player and a pile of chips in play, Soltys said. And it tracks the location and value of chips by comparing 3-D models of them in a database to all objects on the table.

It will be interesting to see where that will go.

The Register tells us about an IT security who got sent to the big house - after trying to notify consumers about a problem. Admittedly, he used questionable methods to do this; but jail time?

About six months later, according to defensive filings, McDanel discovered that Tornado had never fixed the vulnerability he discovered. Using the moniker "Secret Squirrel" he sent a single email to about 5600 of Tornado's customers over the course of three days, staggering the release each day to prevent flooding Tornado's email servers.

The email told Tornado's customers about the vulnerability, and directed them to his own website for information about it.

So what did Tornado? First, they scrambled to delete their own customer's emails (without their permission) to prevent them from learning about the vulnerability. Then they took other steps to conceal the hole. Ultimately, the fixed the vulnerability, and upgraded their general security.

For his efforts, McDanel was arrested, tried, convicted and sentenced to 16 months in the federal pokey, which he has now served. He has appealed his conviction to the federal Ninth Circuit Court of Appeals.

If that stands, watch reports to CERT and Bugtraq drop like stones in the pond.

The Register reports that MS' fix for the feared Blaster DDOS attack made some people think MS switched the update service to Linux:

What actually happened, as we mentioned earlier, was that Microsoft removed the redirect from windowsupdate.com to windowsupdate.microsoft.com, thus cunningly frustrating the worm, which was written with a view to performing a denial of service operation on the former, but not the latter. The BRS approach to security, which owes much to the theory that viruses don't come out at night, is one we particularly like, as it's cheap and approximately 50 per cent effective, but the move did not make Windows Update unavailable as such.

In the absence of windowsupdate.com the first stop of incoming requests was the Akamai caching service which Microsoft uses. This runs on Linux, hence Netcraft report a Linux host, but behind this the Microsoft servers were still operational, hence the report of Microsoft IIS running on Linux. So Microsoft isn't running Windows Update on Linux, and although it's using a service provider that runs on Linux, those services are still fielding back to Windows 2003 servers, clear?

Now, watch the various USENET groups and blogs report "Windows Update on Linux" as fact....

We refinanced our mortgage today, and boy, was it confusing. We were concerned over how much money they wanted up front for the escrow account, and called them on it. After a flurry of phone calls, they dropped the amount nearly in half - the fun part was that the aggregate accounting amount (refunded to us) kept going down as well. We got an explanation that I thought held some water, but I still left the whole experience feeling like I got stiffed somewhere. On the bright side, even with more money going into the principal each month, the monthly bill came down nicely. I guess my question is, do the documents for these things really need to be so complex?

VWNC has been out for years now, and VAST NC has been around or at least a year (maybe longer). Slashdot just noticed.

CNET News shows SCO continuing to lay it on thick:

Sontag also said thousands of lines of Unix have made their way into Linux in the form of derivative works that should have been bound by SCO licensing agreements that require licensees to keep the code secret. The company said several enterprise features of Linux--the NUMA (nonuniform memory access, RCU (read-copy update), SMP (symmetrical multiprocessing), schedulers, JFS (journal file system) and XFS (extended file system) portions--all include copied code. The company broke out the number of lines of code that had been directly copied from each. It said, for example, that more than 829,000 lines of SMP code had been duplicated in Linux.

Next up - SCO claiming that breathing was their proprietary idea...