Saturday, August 27, 2005

Mambo and the problems of Open Source

Recently, trouble's been brewing in project Mambo.
Mambo source was originally developed by a company named Miro which chose to license the source under GPL, but retained copyright.
Conflict arose over who controls the future of the project: the volunteer developers or the copyright owners.
An excellent article outlines the developers' POV, and the developers' website is OpenSourceMatters.

From the company's POV, however, I would think GPL-ing the source led to undesirable consequences. In short, once the source was GPLed, they lost all control over the future of the project, since the developers can (and did) fork the source and continue development in the new fork.

While many hail this as a victory for the Open Source movement, which proved its supremacy over the corporation that developed the code, I am not so sure. This serves as an incentive against corporations open-sourcing projects and cooperating with the OSS movement. OSS 'purists' would prefer it be that way, but as corporations do add value to projects, the OSS community has lost many potential allies.

Tags: opensource mambo

Friday, August 26, 2005

Windows Communication Foundation ("Indigo") channels explained

I'm writing a series of blog posts explaining the WCF channel architecture and its extensibility points. The first in the series is posted, with others soon to come.

Monday, August 15, 2005

PMP Certification

I recently acquired the PMP certification, and wanted to share some insights.

What is PMP certification?
The PMP (Project Management Professional) is the leading project management certification, issued by the PMI (Project Management Institute).

Why did I choose to get PMP certified?
In the software industry, project management skills are an intrinsic part of the roles of individual developers, leads, development managers, and of course project/program managers. While I am not currently looking for a project manager role, as the classical project manager seems too far removed from technology, I think the skills would be useful. And I might change my mind...
.. and, of course, the PMP designation looks good on my resume.

How was the test?
Hard. It's a hard test, the questions are misleading, and a 4-hour test is a looong test.
I scored overall 86%. It seems traditional to share the sections breakdown, so here goes:
Initiating: 88%
Planning: 91%
Executing: 90%
Controlling: 84%
Closing: 79% [makes sense, I ran out of time before my final review of 'closing']
Professional responsibility: 86%

How did you study?
I used the Rita book, the Kim book, Achieve PMP Success, the Exam Cram 2 book, the PMBOK (from which I learned very little; the style was too dry for my taste) and additional online resources. Especially useful was the table of the 39 processes with their inputs, tools, and outputs.
I spent half my time taking tests, and half reading textbooks or my notes. I estimate I put in 40-50 hours over 2 months; there seemed to be too much information for cramming.

Tags: PMP certification

Friday, August 05, 2005

Cisco, Mike Lynn, and my door

Recently, there was much discussion (also see here) about Mike Lynn's presentation exposing a Cisco vulnerability.
Details are a bit fuzzy. It seems the patch was already made by Cisco.
In some ways, exposing security issues is beneficial for the industry, which would otherwise ignore them and never fix them; an industry needs watchdogs to force it to fix product defects, and the car industry is an excellent example. And of course, it is very human to want to (and have the right to) discuss your achievements, and for a security researcher, finding a security vulnerability is a major achievement.
However, I refuse to glorify such actions. If a neighbor noticed my house door was open and posted it on a bulletin board in the middle of town ("houses with unlocked doors can be found at...."), I would be unhappy, and I don't think I'd be loaning him the lawn mower again.

I think there should be a way for security researchers to get the fame (and improved job opportunities, better pay, and everything an achievement usually entails) they deserve for finding security issues; and security researchers should show more responsibility on their part.
It boils down to processes and money. If a security researcher spends (on average) months and a very sophisticated skill set finding a security issue, then informs the company and makes no big deal about it, he's been cheated out of any reward for his efforts, and both the community and the company got security testing and review for free.
That's an untenable situation; as long as researchers have an incentive to disclose security holes, they will; but I can't quite see that suing researchers would create the right kind of incentive.
What would I like to see? A substantial monetary reward and public recognition program for security researchers who find issues, complemented by a much longer wait time before disclosing the details of any security issue.