Invariant Properties

About a year ago I published a number of articles on PL/Java:

• Introduction
• Working with Lists
• Triggers
• User Defined Types
• Operations and Indices

I had always intended to publish the code but never had the time to clean it up for publication – fleshing out the unit tests, adding the copyright and licensing notices, etc.

No longer – I’ve created a googlecode project for my project. At the moment it only has two user-defined types (Rational and Complex) and the unit tests are far from complete but I’ll flesh it out. Check back in… 10 months! 🙂

Google Code Project: PostgreSQL PL/Java examples.

I should point out that there’s a known bug in both UDTs when performing implicit casts. If the first implicit cast is from a string everything works. If the first implicit cast is from an int then all implicit casts are screwed up. I’m following up on this on the pl/java mailing list.

(Sidenote: there’s also a project containing the code I was using in my discussion on digital certificates. It’s much more ambitious and still needs a lot of work but it’s reached the ‘minimally useful’ threshold. Google Code Project: Otter CA.)

My wife says I get grouchy when I’m studying or doing security. I have no idea why….

Today’s beef is with the open-bed truck companies that have “not responsible for broken windshield” stickers on the back of their trucks.

It’s bullshit.

Seriously. Grade A bullshit.

In the first place the state law is absolutely clear that drivers are responsible for anything that falls from their vehicles. Full stop.

In the second place you can’t unilaterally impose contracts. Full stop. That statement is as unenforceable as one saying “The driver of the following car must run forward and give driver of this truck $100 at next red light.”

(A broken windshield doesn’t directly benefit the trucking company but in both cases you’re out hard cash that you could have used elsewhere.)

In the final place you can’t impose restrictions on other’s use of public spaces. Full stop. There is an apparent exception when you reserve a picnic table or campsite but that restriction is actually imposed by the city etc., not the person who rented the space.

As a practical matter it is nearly impossible to prove that your broken windshield was caused by something that blew off of a particular truck. You might have seen it happen but can you prove it in a courtroom? So is there any real harm?

I think there – it reduces moral risk. If a driver is told that he’s going to be docked $1000 by his employer if something flies out of his truck and damages a car behind him then he’s going to take a lot more care to ensure the load is properly capped than if he thinks that he won’t face any consequences no matter how poorly he secured his load. This won’t change the behavior of a conscientious driver but not all drivers are conscientious.

What does this have to do with software? It comes back to the first three items. Things aren’t true just because you say they are. The law trumps your terms of service. The courts may say that your users weren’t actually bound by your terms of service if nothing of value was exchanged. (This is a particular concern with free sites.)

So how many corners are you cutting because you’re sure your TOS will protect you?

UPDATE

I was discussing this with a lawyer friend and she explained how my counterpoint referred to a contract, not liability. My rhetorical points can open the discussion but they won’t get far in court.

So going back to the question of liability – there are issues about obvious risk, advertised risk, reasonable person, etc. It’s a lot grayer than my rhetorical argument assumed. However at the end of the day there’s still the simple fact that state law is very clear that the operator of a vehicle is responsible for debris that falls from the vehicle. Parties can reduce their liability by making proper notice or taking preventative steps but they can’t eliminate it. This situation is especially problematic since notice of road hazards is usually large orange signs some distance from the hazard, their notice is rolling and will often be illegible until the driver is well within the “we’re not responsible” distance.

The bottom line is that 1) of course you should hold back a bit (reasonable person) but 2) the company helps itself a bit by the notice but it’s fooling itself if it thinks that small print making unreasonable demands will protect themselves from statutory liability.

A few people have asked what’s on my desk since I’m posting (irregularly) on unusual topics. The answer is actually pretty boring. My posts are mostly the result of some lateral thinking and being unable to find any answers in google and stack exchange searches.

Scala

I’m taking the 7 week Functional Programming Principles in Scala course at Coursera. I’m also reading the book Programming In Scala. (I have the first edition.) I’ll probably also pick up Scala in Depth and/or Scala in Action.

As a rule I’ve found that it takes about 6 months in a new language to become familiar with the standard libraries and at least two years to become familiar with the ecosystem. (That’s the difference between being familiar with java.util.* etc and being familiar with Spring/EJB3, hibernate, at least one web framework, plus whatever you need for your specific tasks.)

So do I think I’ll be fluent in Scala in two months? No, of course not, but I should be able to work in the language even if I don’t yet have a good familiarity with, e.g., Play or Akka.

Sidenote: Ruby and JRuby are popular in many shops in the Boulder area.

Information Security

I’m also taking the 10 week Information Security and Risk Management in Context course at Coursera. The Coursera class is free but you can also enroll at the University of Washington for a certification program or for graduate level credit.

I’m still on the fence on this class. I’m a techie but have been studying for PMP and CISSP certs to get a broader perspective (but see below). The first week focused on the role of the CISO (C-level executive for information security – think CEO, CFO, CIO, CTO, etc.) and that’s a bit too far from my world. But we’ll see how the next few classes go.

Do Certificates Have Value?

There are two answers to this question. The less important one is that they can get you past the HR gatekeepers. Today the tech job market is extremely hot but at times in the past, and undoubtably at times in the future, there were far more applicants than positions and the HR gatekeepers would use things like certifications to winnow the resumes. The cert wouldn’t get you the job but it might get you the interview.

The more important answer is that studying for a cert forces you to take a broader view. I’ve never used much of what I learned when studying for my Security+ and java certs… but I did use things that I would have never seen unless I had studied for those exams.

Hence studying for the PMP and CISSP exams. I don’t have the practical experience for either cert but I’ve learned a tremendous amount by studying for them. And who knows – I’m still on the fence about getting a CISSP (Assoc) cert. I could have probably passed an earlier revision of the exam but it’s a moving target.

Prep Work For Next Job

EJB3 in Action. I know the Spring framework very well but some sites use EJB3. This should go quickly since I’ve read the first edition of the book and took a 3-day class on EJB 3.1 on the Sun Oracle campus in Broomfield, CO.

PCI DSS specification. These are the security requirements for any system that manages credit card data. I’ve touched on many of them previously. Again this should go quickly (cough) since I’ve already read the specification and I’ll just be refreshing my memory.