Archive for January, 2011

.gov For Sale, Lightly Used

January 21st, 2011

So this article made my Friday! I tracked down the actual site where the sites are for sale. All joking aside, this is serious. These sites are trusted by a large number of people, especially the Army sites. Those sites give attackers direct access to DoD internal networks. This just underscores the importance of application security and how much work we have ahead of us.

IT Security

Upgrading T-Mobile Vibrant to Froyo

January 15th, 2011

I bought a T-Mobile Vibrant (Samsung Galaxy S) in July and I’ve been really happy with it. The only downside was that it had Android 2.1 (Éclair); I was hoping for 2.2 (Froyo). Today, I read an article saying that Samsung was pressuring T-Mobile to not upgrade Vibrants over the air with Froyo so that people will upgrade to other Samsung phones. Oh, I don’t think so. I spent a lot of money on this phone and I will not let some no-talent-ass-clowns at Samsung/T-Mobile keep me from the Froyo goodness.

So, I rooted my phone and installed the Eugene Ginger Clone 2.2 ROM. It’s Froyo with a Ginger look and feel. Very, very, very nice. This was my first attempt at rooting my phone or using a ROM. Here’s how I did it:

1. Root the phone. I spent some time working with the SuperOneClick app from XDA, but couldn’t get it to work. For the Vibrant it would involve toggling USB Debugging multiple times and sacrificing a chicken. I found this post that worked like a champ…much easier. When the phone finished booting, I had the SuperUser app and everything worked great.

2. Backed Up Phone. Now that I had root, I used Titanium Backup from the Google Market to make a backup of the phone. This came in helpful after I installed the ROM. I had to reinstall all of my apps.

3. Install ROM Manager. To install a new ROM, you need to do a few things. First, download the ROM Manager app from the Market. After installing, install the Clockwork Recovery. Before doing this, make sure you have deleted the update.zip file from step one. If you don’t, then Clockwork Recovery will not be installed.

4. Download a ROM. At this point, you can use any ROM you want. I chose the Eugene Ginger Clone R2 ROM because I wanted Froyo and I thought the Ginger interface looked cool. You can download the ROM here. After downloading, connect your phone to a computer and transfer the ROM zip onto the internal storage.

5. Install the ROM. Open ROM Manager, and then choose install ROM from SD. Choose the ROM you want to install, and then click go. It will automatically reboot your phone and the new ROM will install. Voila!

It took me a few hours to do this, but it would have been much quicker had I not bothered with the SuperOneClick app. Happy rooting! Oh, and I’m not responsible if you brick your phone…

Software

More Hours != More Features

January 14th, 2011

I laughed my head off when I read this post on Slashdot this morning:

"My current boss asked me what I thought of asking all employees to work 10-11 hour days until the company is profitable. He read something from Joel Spolsky that said the best way to get new customers is to add new features. Anyways, we are a startup with almost a year live. None of the employees have ownership/stock and all are salary. Salaries are at normal industry rates. What should I say to him when we talk about this again?"

My first question would be, has this manager ever developed software? In my experience, developers write code in spurts. When writing code, I’m usually not going at it for 8 hours straight. Usually after my second cup of coffee I throw on the headphones and plow through some code. More coffee and some reflection about more important things (Auburn winning the National Championship for example), then plow through some more code. Honestly, I write more code when I don’t feel like I have to be writing code. There have been plenty of times I would be in bed, awake because I’ve got some implementation problem stuck in my head. I would get up, grab the laptop, and work when I didn’t have to because it was fun. That’s why we write code: it’s fun.

Making people sit at a desk for 10-11 hours straight just because the boss says so is not fun. If you want more out of your developers, find out what motivates them. Stock options, better perks at work, an Xbox in one of the spare cubes. If you create an atmosphere where people are happy and creative, then you can get good results out of them. It works for Google…

Usually the next argument is something like how much money Google has and that they can afford to let their employees prance around. There is some truth to this, but only some. If you’re going to drive your developers like slaves, give them some stock options. Make them feel like their work will pay off. If this guy wants to stick to just salary, then you will need to find other ways to motivate the developers.

Software

Building a Cyber Army

January 10th, 2011

Recently saw an article about Estonia’s efforts to build a volunteer cyber army. Very cool idea. After being attacked and seeing how it affected their government, I could see why their citizens with security backgrounds would be willing to get involved. The article poses the question of whether this could work in the US. The article leans toward no, but I would say yes.

It is true that many techie types are suspicious of government, but I believe you could find a core group of people who would be willing to volunteer. They could form a new reserve service under USCYBERCOM using the same model they have for the reserves now: train one weekend a month and be ready if needed. One caveat, no required PT! That would likely be a deal breaker for many. Hacking is a couch sport, so being able to run 3 miles or do 100 pushups doesn’t help. Multitasking skills, such as attacking targets while eating Cheetos and watching Family Guy, would be a better fit.

On another note, I think this line of progress will lead to a large swell in the size of the security community. When software development was young, you couldn’t just pluck some guy off the street and have him writing code in a couple of weeks. Now, IDEs and frameworks have matured so much that you can teach monkeys how to write code. Over time, the tools used for attacking/protecting targets will get better. You will still need good people planning things, but you will see more worker bees with less experience/education in security actually doing the work.

IT Security

Code For America

January 5th, 2011

I was reading an article this week in Fast Company called How an Army of Techies Is Taking on City Hall about a new non-profit called “Code For America”. It’s a similar model to Teach For America where graduating college seniors work as teachers in poor neighborhoods. The focus is writing software for municipal governments so that citizens get more bang for their tax bucks. This is a fantastic idea and I applaud their Founder, Jennifer Pahlka.

In the article they allude to sharing code between cities. Code sharing is always beneficial, but thinking about graduating seniors writing and sharing code makes me think security nightmare. Only a handful of colleges are doing a decent job of educating future developers on writing secure code. I hope that Mrs. Pahlka has some security expertise lined up…

IT Security