Trailrunner7 writes "Bug bounty programs have been a boon for both researchers and the vendors who sponsor them. From the researcher's perspective, having a lucrative outlet for the work they put in finding vulnerabilities is an obvious win. Many researchers do this work on their own time, outside of their day jobs and with no promise of financial reward. The willingness of vendors such as Google, Facebook, PayPal, Barracuda, Mozilla and others to pay significant amounts of money to researchers who report vulnerabilities to them privately has given researchers both an incentive to find more vulnerabilities and a motivation to not go the full disclosure route. This set of circumstances could be an opportunity for the federal government to step in and create its own separate bug reward program to take up the slack. Certain government agencies already are buying vulnerabilities and exploits for offensive operations. But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who don't pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks. DHS has a massive budget, a $39 billion request for fiscal 2014, and a tiny portion of that allocated to buy bugs from researchers could have a significant effect on the security of the nation's networks. Once the government buys the vulnerability information, it could then work with the affected vendors on fixes, mitigations and notifications for customers before details are released."
itwbennett writes "If you've ever worked on a team you can probably recall a time when, as a group, you produced work that was not as good as any one of you could have done on your own. Sarah Mei had this sort of sub-par teamwork experience, which she shared in her session at the O'Reilly Fluent Conference this week. Mei 'spoke about a time she worked on a team with really expert developers. Every one of them was someone whom you'd admire, who had previously written code that you and I would boast to have created. Yet, these smart people created modules that didn't talk to each other. And its quality was, to be kind, on the rotten side.' It's not an uncommon story, but why and how does it happen? The answer, says Mei, is that code quality 'is defined by its patterns of dependencies,' not all of which have equal weight. And, as it turns out, team communication is the heaviest dependency of all."
AvailableNickname writes "I am currently pursuing a bachelor's in CompSci and I just spent three hours working on a few differential equations for homework. It is very frustrating because I just don't grok advanced math. I can sort of understand a little bit, but I really don't grok anything beyond long division. But I love computers, and am very good at them. However, nobody in the workforce is even going to glance in my direction without a BSc. And to punish me for going into a field originally developed by mathematicians I need to learn all this crap. If I had understood what I was doing, maybe I wouldn't mind so much. But the double frustration of not understanding it and not understanding why the heck I need to do it is too much. So, how important is it?"
theodp writes "'Every programmer likely remembers how they learned to code,' writes GeekWire's Taylor Soper. 'For guys like Bill Gates and Paul Allen, the magic began on the Teletype Model 33 (pic). For others, it may have been a few days at a coding workshop like the one I attended for journalists.' If you're in the mood to share how and in what ways your own developer days began, Soper adds, 'cyborg anthropologist' Amber Case is collecting stories to help people understand what it takes to learn how to code. Any fond computer camp stories, kids?"
itwbennett writes "Are good developers really that hard to find? Cambridge, MA-based inbound marketing company HubSpot seems to think so. The company has upped its developer referral bonus from $10,000 to $30,000 — and you don't have to be an employee to get in on the deal. Beats a free puppy. What has your experience been with referral bonuses?"
New submitter NeoHermit writes "This language (Dao) has never been mentioned on Slashdot before, but it might be interesting to many people here. As it has recently become feature-complete and just made its first beta release, it may be the right time to mention it here. Dao is an optionally-typed programming language that supports many advanced features with a small runtime. The feature list is probably as long as that of Python, but they are supported by a much smaller runtime (somewhere between Lua and Python, but closer to Lua). Besides optional typing, the other major features that are worth mentioning include: built-in support for concurrent programming for multicore computers, very friendly C programming interfaces for embedding and extending, an LLVM-based JIT compiler, a Clang-based module for embedding C/C++ code in Dao, and a Clang-based tool for automatic binding generation from C/C++ header files. You can also see many familiar features from other languages."
blackbearnh writes "Most commencement speeches are long on platitudes and short on practical advice. O'Reilly blogger James Turner has tailored a speech aimed specifically at the current batch of graduating CS majors. Among the advice that the 35-year industry veteran offers is to find a small company for your first job, but not one that is going to burn you out. Also, keep learning new things, but don't fall into the trap of learning the flavor-of-the-day technology. Quoting: 'Being passionate about software is critical to being successful, because the field is a constantly moving target. What will net you $130K today will be done by junior programmers in five years, and unless you're constantly adding new tools to your belt, you're going to find yourself priced out of the market. ... You are rarely going to get an opportunity to have your current employer pay for you to learn things, so learn them on your own and be in a position to leverage the skills when a new project comes along. But if you have a passion for technology, you'll already be doing it, and enjoying it without needing me to tell you to.'"
An anonymous reader writes "I really want to go travel the world with the money I've saved up at my day job, but I also want to grow as a developer in the process. This is a long-term engagement: 2-3 years or more depending on whether my software is successful. I'll probably be hopping from hostel to hostel at first, with a few weeks at each. How do I find a good work environment in these conditions? Do hostels generally have quiet areas where work could be done? Is it OK to get out your laptop and spend the day in a cafe in Europe, assuming you keep buying drinks? What about hackerspaces — are those common on the other side of the globe? (Apartments are an option for later on, but I'm concerned about losing the social atmosphere that's built in with the hostel lifestyle.) I've never done anything like this before, but I'm really excited about the idea! Any advice would be greatly appreciated."
itwbennett writes "You have to be 18 to qualify for PayPal's bug bounty program, a minor detail that 17-year-old Robert Kugler found out the hard way after being denied a reward for a website bug he reported. Curiously, the age guideline isn't in the terms and conditions posted on the PayPal website. Kugler was informed by email that he was disqualified because of his age."
alphadogg writes "A freelance Java developer claims it took him only 30 days to build and launch a basic open source office suite that runs on multiple OSes. Called Joeffice, it works on Windows, Mac OS X and Linux as well as in browsers, according to the developer, Anthony Goubard. It includes a very basic word processor, spreadsheet program, presentation program and database software, Goubard said. The office suite was built with NetBeans and uses many popular open source Java libraries. That allowed him to build the program in 30 days, he said, a process that he documented daily on YouTube (video). The suite was released as an alpha version, which means that not everything works yet. Goubard's Amsterdam company, Japplis, launched the suite, which is available under an Apache 2.0 license. This license allows companies to change and redistribute the code internally without having to share the new code publicly, he said."
An anonymous reader writes "Twilio's Jon Gottfried has written an article about the lessons he's learned after six months of developing software for Google Glass. He has some insightful points: 'I expected it to be very similar to building mobile applications for Android. In fact, I began learning to build Android applications in preparation. My efforts were for naught, because the Mirror API is a RESTful web service. This means that developing applications for Glass is actually more similar to building a website than it is to building an Android application.' He also talks about how this fits in with the future of technology: 'I would argue that Google took the only option available to them. The only truly scalable products of the future will be developer platforms. Facebook, Twitter, Twilio, Google, Apple, Microsoft, Arduino – all of these products have been successful in large part by embracing and empowering their developer communities. No company is omniscient enough to imagine every potential use of their products. This gives developers an immense amount of power to define the success or failure of an entire product line.'"
00_NOP writes "'Universal Credit' — the plan to consolidate all Britain's welfare payments into one — is the world's biggest 'agile' software development project. It is now close to collapse, the British government admitted yesterday. The failure, if and when it comes, could cost billions and have dire social consequences. 'Some steps have been taken to try to rescue the project. The back end – the benefits calculation – has reportedly been shifted to a "waterfall" development process – which offers some assurances that the government at least takes its fiduciary duties seriously as it should mean no code will be deployed that has not been finished. The front end – the bit used by humans – is still meant to be “agile” – which makes some sense, but where is the testing? Agile is supposed to be about openness between developer and client and we – the taxpayers – are the clients: why can’t we see what our money is paying for?'"
An anonymous reader writes "Google has sent letters to app developers registered in Argentina saying they won't be able to accept payments on developers' behalf after June 27th. 'The change applies to both paid apps and apps that use in-app purchases. The move appears to be related to new, restrictive regulations the Argentine government has imposed on currency exchanges.' According to the Telegraph, 'The new regulations required anyone wanting to change Argentine pesos into another currency to submit an online request for permission to AFIP, the Argentine equivalent of HM Revenue & Customs. To submit the request, however, you first needed to get a PIN from AFIP, either online or in person. Having finally obtained your number, submitted your online request and printed out your permission slip, you could then present it at the bank or official cambio and buy your dollars. Well, that was the theory. In practice, the result was chaos. ... damming the flood has come at a huge cost to the economy, especially since the currency restrictions were coupled with another set of regulations that effectively imposed a near-total ban on any imported goods.'"
gadzook33 writes "I had an interesting experience at work recently. A colleague suggested during a meeting that we were building something that would make it far too easy for the customer to perform a certain task; a task that my colleague felt was deleterious. Without going into specifics, I believe an apt analogy would be giving everyone in the country a flying car. While this would no doubt be enjoyable, without proper training and regulation it would also be tremendously dangerous (also assume training and regulating is not practical in this case). I retorted that ours is not to reason why, and that we had the responsibility to develop the best possible solution, end of story. However, in the following days I have begun to doubt my position and wonder if we don't have some responsibility to artificially 'cripple' the solution and in doing so protect the user from themselves (build a car that stays on the ground). I do not for a second imagine that I am playing the part of Oppenheimer; this is a much more practical issue and less of an ethical one. But is there something to this?"
OpenShift, says Wikipedia, "is a cloud computing platform as a service product from Red Hat. A version for private cloud is named OpenShift Enterprise. The software that runs the service is open-sourced under the name OpenShift Origin, and is available on GitHub." This is a video interview in which Diane Mueller explains OpenShift in depth. You may want to watch this OpenStack demo video as well.
New submitter c0d3g33k writes "Google Project Hosting announced changes to the Download service on Wednesday, offering only 'increasing misuse of the service and a desire to keep our community safe and secure' by way of explanation. Effective immediately, existing projects that offer no downloads and all new projects will no longer be able to create downloads. Existing projects which currently have downloads will lose the ability to create new downloads by January 2014, though existing downloads will remain available 'for the foreseeable future.' Google Drive is recommended as an alternative, but this will likely have to be done manually by project maintainers since the ability to create and manage downloads won't be part of the Project Hosting tools. This is a rather baffling move, since distributing project files via download is integral to FOSS culture."
Nerval's Lobster writes "MariaDB is a fork of the MySQL source code, split off in the wake of concerns over what Oracle would do with MySQL licensing. In addition to its role as a 'drop-in replacement' for MySQL, MariaDB also includes some new features that (some claim) make it better than MySQL. Jeff Cogswell compares MySQL and MariaDB and suggests (in his opinion) that there's 'more than enough reason to ditch MySQL and switch over to MariaDB and stay there.' Why? While he breaks down MariaDB's new features and thinks many of them aren't that fantastic, and while MariaDB's performance isn't that much better than that of MySQL ('MariaDB's performance appears a bit better on multi-core machines, but I strongly suspect that one could tweak MySQL to match'), the questions over Oracle and MySQL licensing give him pause. 'MariaDB shows every indication that it will be around for quite a while, while you can't really say the same of Oracle's MySQL,' he writes. 'Free-and-open MySQL competes with Oracle's proprietary and extremely competitive tools. That alone is grounds for concern — will Oracle do something to impede MySQL's development?'"
beaverdownunder writes "I recently attended a 'hackathon' that was really just another pitching contest, and out of frustration am tempted to organize an event myself that is better suited to developers and far less entrepreneur-centric than some of the latest offerings. What I'd like to know from the /. community is, what would you like to see in a hackathon? What are some good hackathons you've attended that weren't just thinly-veiled pitch-development workshops? I have an idea around assigning attendees to quasi-random teams based on their skill sets, then giving them 48 hours to complete a serious coding / engineering challenge (probably in the not-for-profit space) — but maybe you've got some better ideas?"
An anonymous reader writes "I run a small software consulting company that outsources most of its work to contractors. I market myself as being able to handle any technical project, but only really take the fun ones, then shop them around to developers who are interested. I write excellent product specs, provide bug tracking & source control and in general am a programming project manager with empathy for developers. I don't ask them to work weekends, and I provide detailed, reproducible bug reports and I pay on time. The only 'rule' (if you can call it that) is: I do not pay for bugs. Developers can make more work for themselves by causing bugs, and with the specifications I write there is no excuse for not testing their code. Developers are always fine with it until we get toward the end of a project and the customer is complaining about bugs. Then all of a sudden I am asking my contractors to work for 'free' and they can make more money elsewhere. Ugh. Every project ends up being a battle, so I think the solution is to finally hire someone full-time and pay for everything (bugs or not) and just keep them busy. But how can I make that transition? The guy I'd need to hire would have to know a lot of languages and be proficient in all of them. Plus, I can't afford to pay someone $100k/year right now. Ideas?"