We understand well the idea of being in favor of something, or against something, but we don't particularly understand how criticism fits into this dichotomy.
The reason a person is critical of a thing is because he is passionate about that thing. In order to have a critical opinion, you have to love something enough to understand it, and then love it so much more that you want it to be better. Passion breeds critical thinking.
“That sucks” is negativity. “That sucks, here's why, and here's how to fix it” is criticism, and it comes from a place of love. That's the difference.
Everyone says they're comfortable with criticism and with critics, because not being able to handle criticism is a sign of immaturity. What people really want, though, are cheerleaders. Nowhere in life is this more true than in business.
A healthy business needs passionate employees to succeed. Critics are the most passionate people you can find, but we're conditioned to assume that critics are negative curmudgeons with nothing more than slings and arrows to contribute. So rather than seeking out critics, employers seek out cheerleaders.
Read the article.. it's worth it..
The first one, from Hacker News, is aptly titled "How I Hacked Hacker News (with arc security advisory)",
and the second, a welcome-back-to-the-blogosphere post by tptacek on the Matasano blog: [Typing The Letters A-E-S Into Your Code? You're Doing It Wrong!]
PS. For those going "man, I wish someone would break down the important crypto stuff for me in a way that's understandable without being patronizing", there is Chris Eng and his OWASP talk on [Cryptography For Penetration Testers].
Anyone who has honestly reflected on what they know about hiring will tell you that no matter how locked-down you think you have it, you don't. There is still way too much left to chance and way too much that you just don't know. To avoid this, companies that care about preserving their culture will sometimes adopt a "default deny" approach: it's OK to miss a potentially good hire rather than to take on a bad one. This isn't silly geek risk aversion. It's because one bad hire can do amazing damage to a culture (an area in which bad hires can be amazingly productive).
We have been hiring and interviewing people for about 7 years and have learned many lessons along the way, but without fail the one that works best for me is the T-Shirt test.
The T-Shirt test is simply to ask yourself: "How will I feel standing at a conference with this guy next to me wearing my company T-Shirt?" If you don't like the thought, you shouldn't make the hire.
Now this doesn't translate to only hiring good-looking people (but if what's important to you when standing up at a conference is the looks of the person next to you, you probably don't read this blog). The immediate question that comes up is "what if the guy is a real rockstar, but isn't presentable?". In truth, I'm happy with that, and far prefer it to a very presentable GQ model with the brain of a pea.
The T-Shirt question is a good evaluation of how you feel about the candidate, and personally I can tell you that every time I have ignored it, I have kicked myself a little later.
Interestingly enough, this doesn't have to be just for tech geeks. If you are sitting at a management level or at a board level, the same question applies, i.e. how do I feel about standing next to this person at X, and how do I feel about him representing me / my brand? If your answer isn't positive, either he shouldn't be there, or you shouldn't..
While doing some prodding on SQL Server, I came across this bit of newness (of course this is probably old hat to many SQL 2005 DBAs).
Essentially I was trying to track down something in sp_addserver.
The source of this stored proc [System Databases\Master\System Stored Procedures\sys.sp_addserver] showed that another stored proc, sys.sp_MSaddserver_internal, was being called.
For the life of me though, I could not track down sys.sp_MSaddserver_internal.
Turns out the answer is reasonably well documented [SQL Books Online]: with 2005, MSFT moved the system stored procs and friends into a read-only hidden database. This can be made visible by copying the physical .mdf files and attaching them. [Process reasonably documented on the interwebs if you know what to search for]
This effectively lets you do:
use Resource_Copy
go
select name from sys.objects where name like '%MS%internal%'
to reveal the missing procs for you to examine/tinker with.
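The copy-and-attach step is the part the post waves at, so here is an added example (not from the original post) of the whole sequence in T-SQL. It assumes the resource database's files are named mssqlsystemresource.mdf and .ldf (which they are on SQL Server 2005) and that you have already copied them to C:\Temp, a placeholder path; point the statement at the copies, never at the originals the instance holds open.

```sql
-- Added example: attach a copy of the hidden resource database and look inside it.
-- Step 0 happens outside T-SQL: copy mssqlsystemresource.mdf and .ldf from the
-- instance's data directory to a scratch location. C:\Temp is a placeholder.
CREATE DATABASE Resource_Copy
ON (FILENAME = 'C:\Temp\mssqlsystemresource.mdf'),
   (FILENAME = 'C:\Temp\mssqlsystemresource.ldf')
FOR ATTACH;
GO

-- In the attached copy the "internal" procs are ordinary objects, so the
-- catalog views that hide them on the live instance now list them.
USE Resource_Copy;
GO
SELECT o.name, o.type_desc, o.create_date
FROM sys.objects AS o
WHERE o.name LIKE '%MS%internal%'
ORDER BY o.name;
GO

-- Pull the body of the one the post was chasing (sys.sql_modules holds the text).
SELECT m.definition
FROM sys.sql_modules AS m
JOIN sys.objects AS o ON o.object_id = m.object_id
WHERE o.name = 'sp_MSaddserver_internal';
GO

-- Clean up once you are done reading; the copy is only for inspection.
USE master;
GO
DROP DATABASE Resource_Copy;
GO
```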
On a recent assessment we came across the following scenario:
1) We have command execution through a web command interpreter script (cmd.jsp) on a remote Linux webserver
2) The box is firewalled, only allowing 53 UDP ingress and egress
3) The box is sitting on the network perimeter, with one public IP and one internal IP, and not in a DMZ
So we want to tunnel from the SensePost offices to Target Company's internal machines, with this pretty restrictive setup. How did we accomplish this?
1) Upload and compile dns2tcp to the target machine
2) Create a dns2tcp tunnel from target (dns2tcp client) to SPDNSTUNNEL (dns2tcp server)
See the attached picture for a summary of the above.
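Since UDP 53 was the only thing that firewall let through, the defender's view of this scenario is the resolver log. Below is an added example, not from the original post, of a T-SQL query over a constructed sample of resolver log rows that surfaces the shape a tunnel like this leaves behind: one source sending many distinct, long names under a single zone, mostly in record types that carry bulk payloads. The table, the rows, the zone name and the thresholds are all constructed for the example.

```sql
-- Constructed sample of resolver query logs (not real data); T-SQL dialect.
CREATE TABLE dns_log (
    ts     DATETIME2    NOT NULL,
    src_ip VARCHAR(45)  NOT NULL,
    qname  VARCHAR(255) NOT NULL,
    qtype  VARCHAR(8)   NOT NULL
);

INSERT INTO dns_log (ts, src_ip, qname, qtype) VALUES
('2024-01-01 10:00:00', '10.0.0.5', 'www.example.com',  'A'),
('2024-01-01 10:00:01', '10.0.0.5', 'mail.example.com', 'MX'),
('2024-01-01 10:00:02', '10.0.0.5', 'cdn.example.net',  'A'),
-- a host behaving like the perimeter box above: many unique, long labels under one zone
('2024-01-01 10:00:03', '10.0.0.9', 'r9f3k2j4h5g6f7d8s9a0p1o2i3u4y5t6w.t.tunnel-placeholder.test', 'TXT'),
('2024-01-01 10:00:03', '10.0.0.9', 'q2w3e4r5t6y7u8i9o0p1a2s3d4f5g6h7j.t.tunnel-placeholder.test', 'TXT'),
('2024-01-01 10:00:04', '10.0.0.9', 'z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l6q.t.tunnel-placeholder.test', 'TXT'),
('2024-01-01 10:00:04', '10.0.0.9', 'p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h7j.t.tunnel-placeholder.test', 'TXT'),
('2024-01-01 10:00:05', '10.0.0.9', 'l1k2j3h4g5f6d7s8a9q0w1e2r3t4y5u6i.t.tunnel-placeholder.test', 'TXT'),
('2024-01-01 10:00:05', '10.0.0.9', 'm9n8b7v6c5x4z3a2s1d0f9g8h7j6k5l4p.t.tunnel-placeholder.test', 'TXT');

-- Per (source, zone): how many distinct names, how long they are, and how many
-- used record types that carry bulk payloads (dns2tcp, for one, uses TXT by default).
WITH parsed AS (
    SELECT src_ip, qname, qtype, LEN(qname) AS qlen,
           -- zone = last two labels; a name with fewer than two dots is kept whole
           CASE WHEN CHARINDEX('.', REVERSE(qname), CHARINDEX('.', REVERSE(qname)) + 1) > 0
                THEN RIGHT(qname, CHARINDEX('.', REVERSE(qname), CHARINDEX('.', REVERSE(qname)) + 1) - 1)
                ELSE qname END AS zone
    FROM dns_log
)
SELECT src_ip, zone,
       COUNT(DISTINCT qname)                                             AS unique_names,
       AVG(CAST(qlen AS FLOAT))                                          AS avg_len,
       SUM(CASE WHEN qtype IN ('TXT', 'NULL', 'KEY') THEN 1 ELSE 0 END)  AS payload_types
FROM parsed
GROUP BY src_ip, zone
-- thresholds are constructed; tune them against a baseline of your own resolver logs
HAVING COUNT(DISTINCT qname) >= 5 AND AVG(CAST(qlen AS FLOAT)) > 40
ORDER BY unique_names DESC;
```

On this sample only the 10.0.0.9 / tunnel-placeholder.test pair survives the HAVING clause; the example.com traffic from 10.0.0.5 never reaches the name-count threshold.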