I've spent a very happy day in the labs marking student work. Normally I hate marking. Exam scripts send me into a cold sweat. But this was much more fun. Rather than dead trees I was looking at live code. Each of our students in the first year was given 15 minutes to pitch their Snake game. And there have been some super ones. We are going to open up the "wherewouldyouthink hall of fame" and put some of these programs up there for download. Great stuff.

Next semester we are going to take the snake game and move it onto an XBOX. And I reckon we will be the first people in the world to do this in an undergraduate course at first year level.

Today we went up to Bradford for a rather special talk. The folks at Black Marble arrange seminars for IT professionals (you'll never guess who's giving the next one) and today they had managed to get Ed Gibson over to talk about Computer Security. Ed is quite a chap, an ex FBI guy who is now Microsoft UK's chief security advisor.  So a bunch of students and myself boarded a magic bus to Bradford.

We were lucky enough to meet up with Ed. before the talk. Thanks to my super advanced planning I managed to get everyone to the venue around 90 minutes early, and so we had plenty of time to sit around a roaring fire in the hotel bar and chat. Ed turned up and the first thing he did was buy everyone a drink. My kind of guy.

Then, after some superb sandwiches courtesy of Black Marble it was time to get down to the serious business of the evening. And it is serious. Ed has been there, done that, and told us some truly scary stories. For me the most interesting thing that emerged from his talk is that the computer fraudsters don't want your bank details. They want your bandwidth. If they can get enough machines on the net under their control they can pretty much take down any server, anywhere. Unless you pay them big money.

At some point we will have laws that extend far enough to catch the perpetrators and enough systems out there hard enough to resist the attacks that can turn your home PC into an agent of the bad guys. However,  until then the rule has got to be keep your system up to date. Don't think of computer crime as a "soft" crime with no real victims. The people who do it are in there for the cash, very organized and totally ruthless.

Ed made some good points on a broad canvas. The speaker that followed him zoomed right down into the low level detail. He showed how breathtakingly easy it is to attack a system. One of my programming rules is "build yourself a nice place to work". What I means is make sure that it is very easy to create, build and test the systems that you are writing. It never really occurred to me that hackers would do the same.

We were shown a tool which used SQL injection (basically a way of putting database commands into the text you feed into a web page) to stripmine entire company databases. I knew about the technique, but I never thought there would be such advanced tools for this kind of thing. The next thing that we were shown fair took my breath away. It involved changing the way that the .NET Framework itself works.

Imagine that a developer has got some permissions set on a program. And they want to stop users from pressing certain buttons on certain screens. The Forms library that ships with Windows will do this for you. With a simple property change you can disable a button. If the button is disabled it turns grey and the user can't press it. Job done.

Unless someone changes the guts of .NET so that this property change no longer works. By just changing one particular byte in the right library file a nasty person who has access to your machine can make every single button work all the time. So simple, sooo scary.

Admittedly you'd have to do something rather stupid to let someone else run their program on your machine in the first place, but the result of this is that even securely written code can now be totally banjaxed by being hosted on a corrupted system. Amazing stuff. Simple yet brilliant. And a very worthy follow on to the talk from Ed.

This was a superb evening. Kudos to Black Marble, Ed and his associate (who's name I've forgotten I'm afraid). All the students had a great time, with some pretty deep conversations on the bus on the way back. This was the first Black Marble event I've been to. It will not be the last...

And with that, I'm just going to update my virus scanner...

I was talking in a Software Engineering lecture today about "Rob's Laws" amongst other things. I think it is time these were finally written down.

1. Any given computer is too slow. No matter how fast you think it is when you get it, after a while you will think it is too slow.
2. Any given project will take longer than you think. Even (or especially) if you allow for this. The only exception to this rule is a project you won't get paid for, or one where you have massively misunderstood the requirement and are therfore doomed.
3. A program that is useful will have bugs in it. The only programs that can be proved to be correct are too small to do anything that you might want.
4. A highly successful, fully working, system which contains hardware components will just about always have a massive "kludge" somewhere in the middle of it. This is the bit that has to be there, otherwise it won't work. Nobody will completely understand why it has to be there, or what it does, but they do know that if you take it out the system stops working.
5. A customer will never ring you up and tell you their program is working fine. Never. If the phone rings, it is always bad news. Silence either means they haven't got round to testing it yet, or it is working fine. At the point where you think it has gone quiet for long enough for it to be definitely working the phone will ring and they will tell you they've just got around to testing it and have found something they don't like.
6. As soon as you assume something about what the customer wants you are doomed. For sure.