Philosophically Secure

This isn’t exactly breaking news, but it’s new to me! I just came across this screencast by Sean Kelly of NASA, where he does a bake-off between several web application frameworks: J2EE, Ruby on Rails, Zope/Plone, TurboGears, and Django. He starts out by creating a simple “Hello, world” application, just to get a feel for the frameworks. As he goes along, he gives each one a “fun level” rating, as well as making note of how many lines of code, configuration files, and XML sit-ups were required to get the desired functionality. Once that’s done, he goes into creating a more involved application, so that he can really try out a few of the advanced features each framework offers.

Not to spoil the ending, but it did make me want to give Plone a try. I currently do mostly Python with Django for the web stuff at work, and its been great so far. But it certainly couldn’t hurt to try out something different and see how it fits in…

No, not the Mac kind of apples. I’m talking about the problem team member - someone who is working on a team, but really ends up working against the team. I found this quote from McConnell’s Rapid Development to really ring true:

…the most consistent and intense complaint from team members was that their team leaders were unwilling to confront and resolve problems associated with poor performance by individual team members.

Everyone knows that there will be conflicts whenever a group of people attempt to work towards some goal. But once in a while, the entire team suffers because of just one person constantly going against the grain. And it’s frustrating when your leadership seems to refuse to do anything about it, even after you’ve made the situation crystal clear to them. As Jeff says on his blog: “…if your team leader or manager isn’t dealing with the bad apples on your project, she isn’t doing her job.”

Sometimes the problem isn’t that a team member is necessarily doing negative things, but rather not doing anything at all. Why keep someone around when he’s completely unproductive? Unless, of course, you only care about spending your client’s money.

Bruce Schneier talks about a paper he helped write with a few other researchers on breaking the deniable encryption feature of TrueCrypt.

The claim behind this feature is that you can have a secret encrypted file system that will remain undetected, and so you can deny its existence if your drive is confiscated somehow. Schneier and the other authors prove that this deniability is rather weak. Since the encrypted file system is stored and used within a normal operating system (Windows, Linux, etc.), traces of its existence are scattered throughout the unencrypted parts of the hard drive. There are swap files, temporary files, and other remnants created by various applications, such as word processors.

Since the paper [PDF] came out, TrueCrypt released version 6.0, which addresses many of the issues presented in this paper. But the bottom line is that you shouldn’t depend on this deniability feature. It’s much safer to encrypt the entire disk, to ensure that sensitive data isn’t left on unencrypted portions of the file system. The only problem with this method is that you can’t deny having anything encrypted.