Where’s responsible security reporting?

While I totally agree that once a company fails to respond to a security problem reported privately the problem should be reported publicly, it’s horrible when that report greatly compounds the problem. That happened recently with ThinkTank‘s disclosure of PayMaxx‘s major security problem.

PayMaxx developers unfortunately did a stupid thing–they didn’t check that a person viewing a W-2 or other payroll-related record is actually allowed to access that record; they only check whether the user is logged in. That certainly is a major problem and unfortunately is too common (I’ve found this problem myself in e-commerce sites I used and reported it to the site owners–who, in both instances where I found it, fixed the problem within 24 hours).
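The access-control mistake described above, as an added illustration (not PayMaxx’s or ThinkTank’s code): a record handler that only checks for a login, beside one that also checks that the record belongs to the caller. The users, records and payroll-admin role are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: int
    employer_id: int
    is_payroll_admin: bool = False

@dataclass(frozen=True)
class W2Record:
    record_id: int
    employee_id: int
    employer_id: int
    wages: float

# Constructed sample data (assumed, not from the post): two employees at
# two different employers, plus a payroll admin for employer 100.
USERS = {
    1: User(1, employer_id=100),
    2: User(2, employer_id=200),
    3: User(3, employer_id=100, is_payroll_admin=True),
}
RECORDS = {
    501: W2Record(501, employee_id=1, employer_id=100, wages=52000.0),
    502: W2Record(502, employee_id=2, employer_id=200, wages=61000.0),
}

def view_w2_vulnerable(session_user: Optional[User], record_id: int) -> W2Record:
    """Checks only that *someone* is logged in; any record id is then served."""
    if session_user is None:
        raise PermissionError("login required")
    return RECORDS[record_id]  # no ownership check: the bug the post describes

def may_view(user: User, rec: W2Record) -> bool:
    """Object-level rule: the employee named on the form, or a payroll admin
    of the employer that issued it."""
    return rec.employee_id == user.user_id or (
        user.is_payroll_admin and rec.employer_id == user.employer_id)

def view_w2_hardened(session_user: Optional[User], record_id: int) -> W2Record:
    """Same login check, then an authorization check on the specific record."""
    if session_user is None:
        raise PermissionError("login required")
    rec = RECORDS.get(record_id)
    # One error for both "no such record" and "not yours", so a logged-in
    # user cannot tell which ids exist by probing.
    if rec is None or not may_view(session_user, rec):
        raise PermissionError("record not available")
    return rec
```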

The ThinkTank report went much further than disclosing the nature of the problem and reported specific login information for a test account, which allowed anyone to log in and exploit the problem. Before this, only customers could exploit the problem. After ThinkTank’s disclosure, anyone can exploit the problem. They made the problem significantly worse.

Shame on you ThinkTank. If you agree, tell them.

If at first you don’t succeed, apply and apply again… :(

We’re hiring for a few positions (cfmx admin, vb.net desktop, and a pm). I’m quite frankly amazed at the applications we’re getting. Here’s a brief synopsis…

If at first you don’t succeed…

We’re getting a lot of repeat resumes. Some arrive right after one another, like one at 9:08 and then another at 9:23. On several occasions we’ve gotten repeat applications for the same job coming from different sources (Monster and Craig’s List), but more often they’re multiple Monster applications. I’m not sure whether or not to throw someone out just for applying twice. It’s been a while since I looked for a job, but I always remember keeping careful track of where I applied. Maybe that’s not the case any more.

E-mail does not make a resume

This is my biggest pet peeve, but I can’t really bring myself to fault the applicants. Monster apparently has a feature where people store their resume and do a single-click apply, and it sends the resume as plain text in an e-mail. The result is a jumbled mess of skills, experience, and education all mixed in and almost completely illegible. I wish Monster didn’t have this feature, or at least that we could set up our Monster account to disallow these types of applications. Whatever happened to customizing resumes and sending personal cover letters?

Novel as a resume

What’s with the long resumes? When I went to resume workshops in college (which admittedly was a few years ago, but not that long ago) we were told to keep resumes to 2 pages, and maybe 3 if absolutely necessary. How long does everyone else take to read a resume? Do you really read a 5, 7, or 10 page resume? I tend to scan the objective, skills, and last two jobs, and if relevant skills don’t pop out at me, I move on. I’ve been told that’s pretty typical, but I’d love to hear other employers’ opinions.

Desktop vs. Web

This is just an interesting twist. A few years ago it was hard to find people with a lot of web experience. Now it appears the opposite is true. There are a lot of applicants with web experience, but very few have recent desktop experience (we’re hiring for a .NET WinForms position).

So enough with the rants… if anyone still wants to apply (and no, I wouldn’t be your boss so you don’t have to listen to me complain all the time) feel free to e-mail me. And no special prizes for the 20 page jumbled plain text mess sent a dozen times.

MXDU 2005 next week!

This weekend I will be packing up and heading over to MXDU. Last year I had to cancel at the last minute, but this year I will be there for sure. I’m giving two sessions at the conference. The first, “Integrating Flash and .Net on the desktop”, is a new session that covers embedding Flash in a .Net WinForm application, which will allow people to build custom projectors that meet their exact needs. The other is “Creating Components using the V2 component architecture”, a session that I have given before and that has always been popular.

The speaker line-up, the venue, the Xbox Gaming Room: all reasons someone should attend. I’m looking forward to my first time in Australia. Make sure to say hello if you will be there!


Some thoughts on organizing source code [PART 1]

I’m in the process of moving some of our applications to Subversion from CVS, and while doing so I thought I would take the chance to think about standardizing on a directory structure for our applications/source code. Although it seems like a simple task, it has turned out to be a lot more complicated than I initially thought it would be. The main application I work on has many parts, and makes use of many technologies (Flash, ASP.Net, WinForm .Net, C++, Flash Remoting, FlashCom, SQL Server).
