It was just the easiest way to get a professional C compiler. I was stationed at this base that was basically the telephone system for the NSA. They had really good internet. So, they basically reprimanded me. They wanted to know what I was doing connecting to that foreign site. But they realized I was just a nerd who really wanted to get this one floppy disk. But there was another Sergeant, he was a Master Sergeant, he was in charge of the security for the place. Then there was actually the Commander, the Lieutenant Commander was the guy who at the top, top, top guy for the unit.
I got really bored, so I was just kind of like punching a wall. It was weird. My first duty station was bizarre. It was so weird. I could get a computer and then I could study. It was tough because I would go in at 6 am, and I would have to do all the Army stuff until 6 pm or 8 pm, then I would go home, and I would just code.
Then I would get up, and I would go to work, and I would code. That was my whole life. Zed Shaw: Yeah, so I was learning to code on my own to get a job. But, they did need programming, a lot of it. The problem was is you had to have a really good security clearance, and I had a lot of trouble just getting the security clearance, the basic one I needed for my job. My job at the base was nothing high tech or high security, I was a supply clerk.
So, basically, I gave people toilet paper. It was not the high speed at all. I ran a warehouse, that was my big thing. I needed a secret security clearance though because I would deliver parts and paper and things like that to the super secret building.
So, I needed a secret security clearance just to walk in with a pallet of stuff and give it to them. I had to sign off.
Then I would get up and I would go run and do all my Army stuff. That was my first duty station. What I did is I learned to code, I wrote little C programs to automate my job.
So, I kept automating myself out of a job. Then they would give me a new job, and I would automate myself out of that job. They just kept giving me jobs. I think my Sergeant made all the money on my work because if you save the Army money, they give you money. Zed Shaw: Yes, so, right after that, keep in mind, I was extremely poor, and I knew that the way out of that was getting a college degree. This was long before the insane tuition that we have today. That was with a GI Bill and I also worked at the university.
It was so hard-charging to get my degree done. I did it in three years. That was it and I worked full time at the university at the same time. I got it into computer information systems. So, I went over to the computer science department, and they had this guy, who was teaching a class in assembly language. This was old school back in the day when everything was compiled.
I set up office hours with him because he was actually wrong about it. But also the computer science had a lot of insane requirements. They were kind of over the top, it was a lot of extra engineering, it would take you five years to get the degree. I wanted to finish it and get out. So, I went over to the business school, and I found out the business school is way better because I had a logistics background from the Army. So they gave me tons of credits for Army for my logistics work, because it was Arizona State and they had a huge logistics department.
So, I did my whole degree in three years, and I got this 3. Only because, honestly, a lobotomized monkey could probably get a 3. But it was really great because I got to study anything I wanted. I studied jazz history, which then got me into wanting to play jazz. Yeah, it was the best decision, instead of computer science. And then in college as well. Zed Shaw: Yeah.
Computing when I was trying to learn as a kid, was considered a bad thing. It was up there with comic books and video games. You were just a nerd and a loser if you wanted to do that. But I knew that it was a good job at least.
My dream job, just to give you an idea of how long ago it was. Zed Shaw: That was my goal. It was a desk job that paid 30k a year. Chris: Sure, yeah, especially here in New York, yeah. Wow, so yeah. This kind of startup fever.
I think your story is interesting because you knew a lot about programming right around the time of the internet bubble, well boom we can say, in the late 90s. Zed Shaw: Yes, actually. I was kind of bad timing all around. So, for me, I got out of the Army in , right. I got out a little early like, if you get accepted to a college they let you out six months so you are three months early, something like that. I really miss it. But then one day the internet came out.
This is a weird thing I would love to study society and tech. Then right after that, boom, you had to have Netscape. You had to have a computer that could run Netscape. I had Linux, so I just installed Netscape. Like literally I think. I just accept the internet as real. I got a watch that I can walk around now and I can get phone calls on. Download a video? No way! Then a few other companies in the Valley, but I kept telling myself, no, I have to go get a degree because if you have a degree you have a future.
But I always had this thing, I guess just being poor, you always think, oh the people who seem to have jobs, are people with degrees who went and got college. In I swear, the month I graduated, is when the dot-com boom happened, it just imploded.
So, I just stayed at the university for a few years until I could find a decent job. I graduated, I think it was a month before I graduated that all the news about everything just imploding and just turning to dust overnight came up. The salaries for programmers just depleted over immediately.
There was sort of this sentiment of yeah, finally, we can get back at those coders who are charging us too much money. So jobs went down, nobody was hiring, everybody left San Francisco in the Valley. In a lot of ways, that made me hate the Valley. Chris: You were wrong. They figured out how to make money again.
They were like, the dot-com boom happened because stupid people invested in dumb jobs, dumb companies. If you look, a lot of the ideas that came out back then were actually totally viable. You look now, there are almost exact analog parallels of businesses that were proposed during the dot-com boom. If you think about it, Amazon was super early. They were right there, and they survived. They did just fine. The real thing that caused the dot-com boom, and then the bust, was shady banks.
We actually created a regulation called Sarbanes-Oxley because of this. Zed Shaw: So what they would do is they would go in, and they would find some terrible startup that seemed catchy, had a cool name.
But it was a terrible idea. Nobody should invest, but for some reason the banks did. Then they would have their analysts, Peter Blodgett actually went to jail for doing this. They would have their analysts go out and pump it up. Yeah, this is a hot stock you should buy this because nobody knew tax, they would dump all their money in it.
And then the banks would make money selling the stock. Is there a documentary about that or is that just kind of your experience? No, there are a few books. I want to say it's Blood in the Streets, but that might be about the collapse.
Or it might be about long term capital management. Actually, the entire history of banking is nothing but boom and bust from dumb investments. The reason why I say it was the banks is, before the banks got into investing in these things and doing their pump and dump schemes, most of the companies that got investment had to have a good idea, because it was all venture capital centered in the Valley or Military contractors that actually knew what they were talking about.
Chris: It reminds me a lot of the Bitcoin rally that it had and you would see people like John McAfee would come out and he would talk about Verge, which was this cryptocurrency, and he would make videos about it and of course, he was an investor and he would just kind of pump it up.
For the time being. Yeah, so the regulation we created, Sarbanes-Oxley, was specifically for that purpose and I worked at a bank, Bear Stearns, and what it does is, it forces the investment banking side, the side of the bank that invests in companies, to not be able to talk to the analyst side without someone sitting there from legal.
I think they are trying to get rid of that, which is going to be a disaster. Because if you think about it, they have a vested interest in manipulating the stocks. So, and then also, somehow they manage to spin it that the reason all these companies collapsed is that they were dumb. It was more like yeah they were dumb, but they only existed because there was money thrown at them to run a pump and dump scheme. Zed Shaw: So I was like, why does this keep happening?
Yeah, I was working there, man. Zed Shaw: [JP Morgan] gave me a severance. I joined in and they collapsed like 10 months later. Because I was sick of startups not paying me my consulting fees. It turned out that was not a good move either.
I graduate with a Computer Information Systems programmer degree the year everything collapses in programming. I managed to get a job at a bank, the year everything collapses in banking. Zed Shaw: Yeah, so basically I had a friend who wanted to learn to code. She was in marketing, she was doing marketing for some programmers and she had no idea what they were talking about so she wanted to learn to code.
I had been thinking, well back up a little bit. After the Bear Stearns collapse, I went to school to study guitar. The teachers there were not very good.
Because years later I started studying on my own. One of the teachers did this crazy scales and had me doing this really contorted thing with my guitar to keep my fingers straight and it actually wrecked my thumb, so I had to stop playing.
My recent blog post about crackpot cryptography received a fair bit of attention in the software community.
At one point it was on the front page of Hacker News which is something that pretty much never happens for anything I write. Unfortunately, that also means I crossed paths with Zed A. Shaw, the author of Learn Python the Hard Way and other books often recommended to neophyte software developers. Not a word. Not particularly, since you did lightly bring up the absurdity of telling people to not attempt implementing proven algorithms, but OpenSSL has been a broken piece of crap for a long time so if you are as legit as you say, then let's see your take down of OpenSSL.
In my mind, if you've got a blog post that authoritative then you should be able to take the OpenSSL code before Heartbleed and find all the defects that both openssl and libressl projects found. If not, then are you really as qualified as you think?
This is effectively a very weird hybrid of an oddly-specific purity test and a form of hazing ritual. Can you even fathom the damage attitudes like this can cause? I can tell you firsthand, because it happened to me. In the beginning of my career, I was just a humble web programmer. Not only was it fairly empty, but it emptied at a rapid rate. I could barely take a seat through the masses pushing me to escape. Then when I thought no more people could possibly leave, they kept going.
The room was almost empty when I gave in and left also. Heck, I was only there because we pwned the very resources you were talking about. My first security conference was B-Sides Orlando in Before the conference, I had been hanging out in the hackucf IRC channel and had known about the event well in advance and got along with all the organizers and most of the would-be attendees, and considered applying to their CFP.
Such is the danger of being self-taught! If it can happen to me, it can happen to anyone interested in tech. At this point, more clarifying questions came in, this time from Fredrick Brennan. And, my whole point is you're no expert because you didn't see them. One of Zed A.
Without even looking past the directory structure, we can already see that it implements an algorithm called TrueRand, about which cryptographer Matt Blaze has this to say: In dog years, it's eligible for retirement. Otherwise, why would he behave with such arrogance? Earlier versions of the protocol are out of scope; as are proposed variants e. Or using F fighter jets? No, we use cars with automatic shifting driving around in an empty parking lot at first.
MollyR on March 27: When I started to learn python, I bought his book. It was okay. I actually found youtube tutorials, videos, and codeacademy to be far more interesting and effective.
I don't think I would recommend a book to a pure beginner anymore, places like code academy have matured to be far better. I don't think your analogy really makes sense; the issue isn't that the author tries to teach people things which are too difficult to handle but that the author may state things which are just incorrect. A better analogy would be teaching beginning drivers to use their knees instead of hands to drive. I suppose I'm in a different position than you though; I don't see any need to get everyone to start coding.
I think if people want to code there are already good books out there, and if they don't then I don't think we need more developers who hate their job. What about the C book is incorrect? I want data and citations. I'm not sure if you're being sarcastic but I'll respond in case you aren't. I don't recall saying that I thought there were mistakes in the book; I wouldn't know I haven't read it. There was a link to a thread where the author of a book on C was wrong about one of the fundamental aspects of the language.
Again, I don't have the slightest idea whether there is wrong information in any of the author's books, but I can also see why one would be wary trusting a book written by someone who has shown a serious lack of mastery on previous occasion. I believe the person I was replying to misunderstood the cause of concern as being one where a person is taught poor or suboptimal practices as opposed to one where a person is taught things which are just flat out incorrect.
Got it. No idea why you thought I was attempting to criticize it, validly or not. I was just trying to elaborate on a previous comment that someone else seemed to have misinterpreted.
It's interesting that you'd use an anonymous account to sling some slander, but I'll answer you: Yep, that comment thread is great and people should read it for an explanation as to how completely insecure C is. It made me realize that nobody can teach C safely. The language is completely unsafe by design. Based on that, I killed my darlings.
I should have never started this book as a "C book". How to learn any programming language quickly with some tricks I know. Secure programming and defensive coding skills, which a broken language like C is perfect for teaching.
Testing and reliability. Most of the C I've found safe and useful, and how to avoid UB when possible. Algorithms and how to apply them. And finally building projects as small challenges to get better at C. So everyone was right, and I adapted the book to denote that. I think a good catalog of how to cause security failure with C UB would be instructive to everyone. And then we can all just stop using C.
It's terrible. Now that you have this new information, hopefully you'll update your slander. I'm just commenting from the position of an observer who has found that your general attitude undermines the work you do, irrespective of whether you are right or wrong about the issue at hand. We are all wrong at times. There is no shame in that. But finally admitting fault after months of intransigence (I'm talking about from the launch of the book, when people first started criticising it, until that thread) doesn't excuse your behaviour prior to that.
With a bit more humility from the beginning none of this would have happened. If you are going to pick a fight with people, C language lawyers are probably about the worst target.
Much like C itself, it generally assumes superhuman competence on the part of the reader. Putting that aside, I do think we are lacking in resources that teach people about the many pitfalls of C in one place if only to scare people away from the idea of using C for anything network facing.
Especially in an era when a lot of people learning C are probably already familiar with the basic syntax and control flow, through knowledge of Java or other languages, and will thus probably be tempted to skim through beginner C books. People coming from that direction probably find C deceptively familiar, and aren't aware of a bunch of things like the undefined behaviour of certain integer overflows and shifts, or the strict aliasing rules, or possibly even reading uninitialized variables.
Also some things are just plain tricky to do correctly and efficiently e. So you could get away with it, and incorrect code became the accepted way to do some things. This resulted in a lot of gnashing of teeth and a few well known security vulns when old code started to break with newer compilers.
If you are looking to catch bugs and undefined behaviour in test cases you should certainly look into the -fsanitize options in clang. This statement is quite unfair. I have read the code from Mongrel2 and I've learned things which completely eluded me in the past. Have you considered that he is actually a human being which can be surprised at how an old book can present aspects never noted before? Just because he hadn't thought about that particular language horror side effect doesn't mean he doesn't understand C.
C can be manipulated in horrific ways, such as a psychopath can absolutely horrify you. That doesn't mean you don't understand life for example. And no, he doesn't mock people who read the standard. The discussion was entirely about something else. That is what I saw in that thread. Allow me to quote for you, since this comment[1] was downvoted to the bottom of that thread and maybe you missed it: Ahhh the "undefined behavior" trope, whereby a C "expert" who's memorized a standard trots out the abstract machine to justify his point.
An abstract machine that doesn't actually exist and that no computer actually functions as. No, really. Somebody who isn't aware of undefined behaviour can't claim to understand C. The fact that he has now changed his position on the entire language (now advising people not to use it, advice I broadly agree with BTW), indicates that he wasn't aware of these things prior to that discussion.
Never heard about Zed so consider this rather objective - I just read the post and I don't think I agree with your take on it: Just because he hadn't thought about that particular language horror side effect doesn't mean he doesn't understand C But UB is such a key aspect, if you don't understand in full what it is, I'd say you do lack some understanding of C?
It is open to interpretation, but you should admit his Ahhh the "undefined behavior" trope, whereby a C "expert" who's memorized a standard trots out the abstract machine to justify his point.
Every programming tutorial aimed at beginning students puts the student on a tricycle, points them toward a cliff, and tells them to pedal as hard as they can. Norvig points out the cliff is always there. How to Design Programs puts the student at a different distance. Instruction for advanced students [working programmers] expects the student to know they are headed for a cliff.
Records are quite similar to Pascal records and to C structures and to similar features in other programming languages. A record consists of a finite set of labelled fields, each with a value of any type (as with tuples, different fields may have different types).
The type of such a value is a set of pairs of the form l : t where l is a label and t is a type, also enclosed in curly braces. The order of the equations and typings is completely immaterial; components of a record are identified by their label, rather than their position. Equality is component-wise: two records are equal if their corresponding fields (determined by label) are equal.
If he disagrees with you he's not afraid to tell you you're an idiot, and if he feels like you're attacking him he'll tell you to go fuck yourself.
He's also very, very staunch in his beliefs, some of which are somewhat contrarian. In an industry as opinionated and "willing-to-call-you-out" as tech is, that doesn't always win a lot of friends.
Zed is abrasive, and I don't think I'm a particularly defensive or indirect person. I don't think the issue is that he's willing to be direct with people, it's that he's too quick to tell people to go fuck themselves.
A lot of communication issues are misunderstandings and in my experience Zed would much rather tell you to go fuck yourself than listen and figure out what the misunderstanding is. The very best teachers and communicators I know don't hesitate to tell you when they disagree but would almost never literally tell you to go fuck yourself, they find a more polite route.
That said, Zed seems like a good guy at heart, I have seen him offer help to people out of nowhere both here on HN and on Twitter. Not to mention making most all? So while I don't particularly care for his communication style I don't want to distract from the fact that he is also doing a lot of great work that genuinely helps people. You're conflating internet interactions with real interactions. I don't drink at all.
Never done drugs and have never been drunk or anything. When I go to bars with friends I find that as the night goes on people become complete drunken idiots and are impossible to deal with. There's no polite way to tell a guy to stop talking to you about his chia pet collection or to keep someone from puking on your shoes or trying to start a fight.
Best solution is to just not go to bars, which is what I do. If I need to fit in for some reason, I usually just pretend I'm kind of drunk like everyone else, which I haven't done since I was in my early 20s. Especially toward the end of the day. Something about the internet makes people turn off their rational mind and just spew hate, stupidity, propaganda, and lies. In this case, it's the same interactions and I get tired of it. You can't tell a belligerent drunk to politely stop smashing your car any more than you can tell a belligerent twitter user to stop talking to you.
So, your comment amounts to judging my interactions with people professionally based on my interactions with a bunch of drunk idiots at a bar. Nobody is a saint, and expecting me or anyone else to take abuse and poor behavior like Jesus before you'll think they're a good person is wrong.
I disagree with you about the internet. My bet is we're still learning what proper etiquette on the internet is. You have a great point about people not knowing when to let up online, but I also look around and see both the net etiquette evolving and the commentary on it evolving and to me that is a sign we're getting better.
Why am I spending my time today on this conversation? Because you've become reasonably influential and certainly for good reason, mongrel, learn the hard way, etc and because of your influence someone might say hey if I'm a good programmer it might be reasonable to have a short fuse with people and tell them to go fuck themselves because Zed Shaw does.
And I want to use this space to say, hey I hope we can be nicer to each other. That's it. I really don't want it to be about anyone in particular, I just hope since programmers work with each other and write about each other's work on the internet we can be considerate and try to be nice to each other even when we're being critical.