Archive for the 'Uncategorized' Category

Uncategorized

Quick Links

A few recent items of note from my del.icio.us links that I think merit calling out.

Damien Barrett writes up a few quick reviews of Mac OS X antivirus software. ClamXav looks good.

Michael Howard writes about his recent spyware experience. Which reminds me: please, please don’t always be logged in as an administrative user. This is true no matter what OS you’re using. If you’re using Windows, here’s some advice on how and why. I recently paid attention to my own advice and took away admin rights from the account I usually use on the iBook. Haven’t had any trouble.

PZ Myers, one of my favorite bloggers right now, calls out the National Center for Science Education’s answers to the sadly misleading Ten Questions to Ask Your Biology Teacher.

OWASP.Net, OWASP with a .NET focus.

Catalyst, an MVC framework in Perl. Cake, a framework in PHP. Rails is having such an interesting effect.

At some point I might just get off my duff and combine my RSS feeds. It’ll take all of 10 minutes, for crying out loud.

Yet Another Conference I’m Missing

I finally came to grips with the realization that I won’t make it to YAPC::NA this year, which is a damn shame because it’s incredibly cheap (US$85 for 3 days! decent rooms at CDN $79/night!) and would be a great chance to go to Toronto, and I do so terribly miss living and breathing Perl. That’s bad enough.

Then, what arrives in the mail today? A brochure for a week-long workshop on studying medieval manuscripts up at the Hill Museum and Manuscript Library.

The Minnesota Manuscript Research Laboratory is a project developed by the Center for Medieval Studies (CMS) in the College of Liberal Arts at the University of Minnesota ― Twin Cities, in collaboration with the Hill Museum and Manuscript Library at St. John’s University, Collegeville.

The Laboratory’s objective is to make available to interested and qualified graduate and undergraduate students and others who are interested an orientation to the study of medieval manuscripts and their contents.

To this end, the Laboratory is developing a coordinated sequence of learning materials, which it proposes to make available on-line: for example, through websites maintained by CMS and HMML.

During the week beginning Sunday, June 5 and ending on Friday, June 10, the Laboratory will hold a workshop to help its designers test the pedagogical effectiveness of various new materials and to give participants a practical, hands-on introduction to the study of manuscripts.

This is the sort of thing that leaves me hyperventilating with excitement. Seriously. And I can’t go. If I had more than a month’s notice, if I’d budgeted for it this summer, if I weren’t years out of touch with this sort of study, if I didn’t think that a week away from the family were a bad idea so shortly on the heels of 4 days away, if I weren’t so good at making up excuses, then maybe I’d go. But alas, it’s not in the cards.

I really have to plan to do something like this next year. The Center for Medieval Studies is always putting on cool events like this. And YAPC. Gotta remember YAPC.

No Tiger, no Hitchhikers, still okay.

Tiger was released Friday, but I don’t have it yet. Soon. Owen and I did drop by the Apple Store at Roseville, though, to take in the hubbub. The line was longer than what Garrick saw but still nothing like at the Mall of America store — which is a large part of why I was not at the Mall. I’ll go there for midnight releases to take part in the excitement, but not one that doesn’t feel any different than just dropping by the mall. We in line were still subject to strange looks from people who just can’t understand. Heh.

And Hitchhikers. I fully intended to be there opening day, but realized too late that Kiara was working Friday night and we hadn’t arranged a sitter for Owen. So I think it will be next week before we see it. Sigh.

Serenity Trailer

There’s a bunch of new stuff on the Serenity web site, including links to the trailer. Wow, am I excited. I’m more excited about this movie than Episode III and Hitchhikers, maybe combined. Kiara and I rented Firefly a short while back, and damn was that fine TV! The movie looks like it’s going to be fantastic.

Update: A downloadable 1280×544 trailer is available.

Governor orders audit of all state web sites

Minnesota governor Tim Pawlenty has ordered an audit of all state web sites (registration required, see BugMeNot.com). This is in response to the audit findings I wrote about last night.

Wow. A bold and necessary step, but probably an unfunded mandate. This will make the governor look good, but I am worried that the audit won’t have nearly the resources that it needs to be done properly — and that it will result in knee-jerk overspending such as hiring consultants for quick fixes. We don’t need quick fixes, we need software development processes that incorporate security planning and assessment. On the bright side, I’m willing to bet that where there are security problems, addressing a few issues (quick fixes) will have a big impact on existing apps, so a deep audit won’t be necessary. Low-hanging fruit and all that.

There are at least a couple things preventing more secure development: apathy and lack of funding. I say apathy because security is something to which people pay lip service but do not even attempt to understand. Because of that, it’s easy to point to a lack of resources to address security properly. Developer training is sadly lacking (this is true throughout the industry, and we do a terrible job integrating security in computer science curriculum) and security is not addressed throughout the development lifecycle — which ends up being more expensive.

I’ll write a lot more about this later. Were I not putting the finishing touches on handouts for next week’s presentation, I’d write more now.

More RSS in government

A couple feeds I’ve recently discovered:

Cool. We need more of that.

State agency web site insecure, shut down.

Minnesota Driver and Vehicle Services took down their web site for online license tab renewal in response to a Legislative Auditor’s report sharply criticizing the lack of security in the site. The report is less than kind.

Good. This should be a wake-up call.

The report centers around the fact that DVS did not address findings and recommendations in a 2001 audit. There was no security program in place, and the documentation and processes to support secure software development and deployment were inadequate. The system was found to be vulnerable at several levels: not just the application code, but network and database access as well. I credit DVS for shutting down the site and can commiserate with their lack of resources to address the problem. State government budgets are being cut right and left, and like it or not intangibles like security are often the first victims. Taking the site down might just make it seem a bit more real.

For me personally, the timing of the audit report could not be better. On Tuesday I’m delivering a presentation about web application security to college and university IT staff from throughout the state. My focus is on integrating security throughout the software development life cycle. I’ll be touching on topics such as developer training, security requirements, misuse cases, threat modeling, code review, penetration testing, maintenance and monitoring. It will be nice to have this audit report to bolster my message. And it’s clear that upper management is standing up and taking notice.

A final note. Chris Buse, an auditor who worked on this review, stopped through our offices a couple months ago and poked his head in on a web team meeting. “Say,” he asked, “are you familiar with the OWASP Top Ten?” Coincidentally, we had just been talking about it, so to my enormous gratification everyone around the table nodded their head with an air of “oh yeah, that’s old hat.” It isn’t, but we’re getting there. The projects we’re working on now, apps that will be rolled out this summer, are in good shape. I am so much more confident than ever before about the state of security in our current web development. It’s a good feeling.

Michigan Preparing To Let Doctors Refuse To Treat Gays

Yes, that’s right. Via New Patriot, Michigan is preparing legislation to allow doctors to refuse to treat gays.

WTF?! When I read a story like this, I am dumbstruck. Livid. Pharmacists refusing to dispense birth control, and state laws being passed to allow that. And now this. Gay marriage is nothing compared to this.

Update: Paul Krugman’s essay in today’s New York Times addresses the effect of religious extremism on medical care.

Representing Data in Wireframes

Garrick writes about using fake data to see if anyone’s paying attention.

When putting together a prototype for usability testing, it’s best to use realistic data. If you’re evaluating the readability of a search results screen, put in the actual results. If you’re evaluating a check-out process, make all the information throughout the entire process real.

Then, afterward, tweak the data just slightly. Make it humorous, make it unrealistic, throw in a knock-knock joke.

I go back and forth on this. When using real data I’ve certainly had my share of “but that’s not Jane’s phone number!” moments, and it is fun when someone barks with laughter in the middle of a meeting because they just got a joke in the mockup. (Although y’know, no one has yet asked why Takeshi Kaneshiro and Yuen Biao are rooming together at Alexandria Technical College … maybe I should have picked a school that has campus housing. :) Not surprisingly, I’ve found that the type of data I use really depends on what I’m doing.

Dan Brown has put together a fantastic (and large!) poster about Representing Data in Wireframes (PDF) that touches on the nuances involved in choosing what kind of data to use, the risks of using each type, and how to apply each technique. This one’s a keeper. (Via UXCentric.)

Oh. When I say large poster, I mean large: three by six feet. Not quite a Unicode chart, but whew!

Charles Darwin Has a Posse

Via The Panda’s Thumb, I see that Colin Purrington has something new, Charles Darwin bookmarks and stickers.

Purrington, you may recall, is the man who brought us the textbook disclaimer stickers. You know, I’ve had those on my wall at work and not one person has commented. But I know they’ve been read.

In similar news, some Imax theaters are refusing to show movies that mention evolution for fear of offending the religious right. Unbelievable.