dmharrison's comments

dmharrison | 4 years ago | on: Possible Spring core RCE

This doesn't look like a CVE based on this. To execute this you'd have to post in the class file, deserialise and then exec. All of this takes explicit additional code. This looks to be the same as any other language where you would let a user upload code and then just exec it, not something you really do accidentally and not part of core spring (I'm hoping). @Serializable is going to send the fields not the methods, so again you'd usually have to deserialise to a known object which rehydrates, and then exec.

I struggle to see that usage in any std spring app, which is going to use say jackson/json parsers typically and is hooked off the content-type field, which has to be mapped for usage really. If there's other vectors to trigger even with the object you'd still then have to invoke, which would take additional explicit code. Using object deserialisation would be pretty uncommon (i.e. non-existent) hooked up to the http stack. Json, XML, yaml parsers etc. are different libs. To get this to CVE you'd have to trigger this automatically somehow through the spring request processing stack and then say invoke the object with vulnerabilities in java's core deserialisation libs, which I'm assuming is relatively solid and verified given its key role in java; see java security manager in the jvm for actions like dynamic class loading etc.

From https://github.com/spring-projects/spring-framework/pull/280... "The core Spring Framework does not use SerializationUtils to deserialize objects from untrusted sources." They talk about use against a cache but again rule out CVE.

For this to get to a CVE issue it would be if there was a vector where spring can take a request with a class file/location, e.g. urlclassloader, bypass a bunch of security checks and get it to run, which again java security manager will not allow typically. As it stands in the bug, that's not called out as a vector and it's more of a "don't do silly things, sure we'll mark it as deprecated" tone. There may be something somewhere else, but as it stands I read this issue as don't exec untrusted code in your webapp, which should be true in any language. Your example is explicitly coding to do this, not something any typical spring app does. I guess use cases like job interview, code testing tools might do this, but it's still going to be exec'ing against a specific interface/abstraction typically on the server side, i.e. still not unknown code. I.e. the methods live in server side classes that correspond to the type the serialised class is deserialised to; no code is transmitted, so you can't inject behaviour simply by deserialising.
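The known-type deserialisation the comment describes, written out as an added example (not code from the thread or from Spring), with a JEP 290 ObjectInputFilter so that a stream naming any class other than the expected one is rejected before its readObject runs; the `Job` class, the helper names and the sample payloads are constructed for this illustration:

```java
import java.io.*;

public class FilteredDeserialization {

    // Constructed data holder: only its field values travel over the wire,
    // never its method bodies, which is the point the comment makes.
    static final class Job implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int priority;
        Job(String name, int priority) { this.name = name; this.priority = priority; }
    }

    // Serialise an object to bytes, standing in for what arrives from a cache or request body.
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialise only if every class in the stream is on the allow-list.
    // The pattern allows the nested Job class and rejects everything else ("!*").
    // Requires Java 9+ for ObjectInputFilter and setObjectInputFilter.
    static Job fromBytes(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "FilteredDeserialization$Job;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return (Job) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: fields are rehydrated into the server-side Job class.
        Job j = fromBytes(toBytes(new Job("nightly-report", 3)));
        System.out.println(j.name + " " + j.priority);

        // Unexpected type (a constructed HashMap): the filter rejects it with
        // InvalidClassException instead of letting its readObject execute.
        try {
            fromBytes(toBytes(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is what turns "deserialise to a known object" from a convention into an enforced check: without it, the stream itself decides which classes get loaded and which readObject methods run.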

dmharrison | 14 years ago | on: Ask HN: Aussies, to what extent do high labour costs restrict you?

I haven't found that. I moved back about a year ago and found that despite being less than syd/canberra it's still pretty solid, even with the financial climate.

There's a few startups dotted round and some now big ones as well: mincom, tech1, ... I think there are quite a few around, however they stay quiet and do tend to be more enterprise focussed, which makes sense for here. I don't think you're going to get many aus backers without a really clear revenue plan, hence targeting people who clearly have money. Seems to be slowly opening up though.

Walking round YOW this year you could pick out a few startups round. The lean startups and Mike Lee's product dev talks were pretty well attended, so maybe there'll be a spate in the next 9 months.

dmharrison | 14 years ago | on: Ask HN: Aussies, to what extent do high labour costs restrict you?

I'm also in Brisbane (moved back from canberra) and it does seem more service orientated, hence consulting/corporate/mining; however it's the same anywhere. Most great jobs aren't advertised and you get them through doing great work and building a network of people who can get you that awesome job, hence they are biased toward proof in the form of experience and social connections/proof. I've done the corporate drill but I figure as long as you've got a goal|outcome, an exit plan and a timeframe it can be worth it.

Small firms/startups for bizdev are likely to target experienced people recruited from networks even more than bigCo IMHO.

dmharrison | 14 years ago | on: Will developers do Automated testing work for the right price?

It's been my experience that once you have dev you don't go back. I was lead engineer for a pretty complex technical product that needed strong technical testing and money wouldn't win. I think it's part perception. I have seen using something like a performance engineer role work, in that it's technically QA but usually works in as a dev role and is highly specialised and technical. We used our (small) technical consulting staff during their downtime a bit, which helped. They'd get to train up and be involved in the product direction and we'd get highly experienced engineers who could give us feedback like whether an API /felt/ right. One thing I have come across that I thought was very successful was at a small software company here in oz (now part of oracle). They'd get fresh software engineering grads or final year students and get them in as (paid, mostly part time) technical testers under the mentorship of experienced testers and software engineers. They'd get them to write and develop automated testing systems and learn to test systems and understand what made a good system. They'd then go work in the R+D teams better prepared. So part apprenticeship learning product development, part recruitment and job selection filter.

dmharrison | 15 years ago | on: Ask HN: What's it like to work at Oracle?

I was the same (although I got to see the acquisition from the inside, which was pretty interesting); we were in Aus though, which meant we had a comparatively high degree of independence, i.e. all our dev platforms and code tools were hosted locally. So our team stayed pretty much the same, nerf guns, Christmas trees, boardies in the office and all. Releases slowed but revenue went up, which meant we could take time to really think through releases etc. Learnt heaps about the business of software as opposed to just engineering. So good and bad like most things.

Generally I think it depends on the group; as with any large group there's the excellent and below average, you just see more of it. Different to a startup/small company though where you can't really suffer poor performance for long.

As an engineer I went into dev management. Anything above IC5/6 (high level engineer) in Aus seems not really to happen, but that's more a function of less product dev as opposed to service delivery in Aus. This is generally true of Aus. Good product management and strategic releases, so it was an interesting experience. I found your M/IC level matters dealing internally within the org, i.e. trying to make stuff happen with people you've never met before means you prioritise based on looking at ARIA, but that's what you'd expect in a large distributed org.

I've got friends still there, still fighting the good fight. As with all things it's really about what you make of it and want to do.

dmharrison | 15 years ago | on: Australia gets its own Y Combinator-type fund

That sounds great. As a tech founder that's the thing I'm working through. There's a few good sources but very little that says, for tech with std tech structures you probably want to do it this way.

dmharrison | 15 years ago | on: Australia gets its own Y Combinator-type fund

One thing that would be really good to see come out of this IMHO is a better profile for tech startups in Aus. The more open this can be around the tech scene, gotchas and contacts focussed on Australia the better. Most information and discussion I've seen tends to be US based, not surprisingly. This doesn't always translate well, particularly around company structure, equity, tax etc. You know, all the small stuff that can kill you.

Looking forward to seeing what develops.

dmharrison | 16 years ago | on: First, China. Next: the Great Firewall of... Australia?

I guess what I was trying to point out is that they're not the crazy greens social enviro anarchist party that you'd tend to think of if you heard of the 'greens' for the first time (generally). They're 'closer' but I agree I wouldn't consider them equivalent or overlapping on an absolute scale. The US center being quite different from the Aus center of course, but normalising across countries is bound to result in a loss of direction.

I do wonder if voting wasn't so constrained to party lines what we'd end up with though.

dmharrison | 16 years ago | on: First, China. Next: the Great Firewall of... Australia?

As someone just getting started with my own small tech company I find this quite alarming. I particularly find the technical cluelessness of Senator Conroy the most disturbing thing. With technical absolutes that the filter will be ineffectual and easily bypassed and an impediment to broadband speeds, it seems to be just ignored and the technological costs are treated as malleable when they're not. My main fear is that when this is found to not be effective at protecting children or stemming child porn it won't be removed, rather it will be extended and creep deeper and deeper into our infrastructure.

It just means whenever I look for hosting, internet services etc. I'm already deliberately using services not based in Aus, which I think will be a long term trend and a detriment to the technology industry here. Just adding latency to any service as it has an extra few hops through the filter is a cost I wouldn't expect customers to bear.

The impact on Australia's technical reputation I think is the major thing. Previously, travelling a bit and being involved in a US-AUS acquisition, Australians tended to be pretty well respected technologically, and with this, I fear that we're going to have that reputation quashed and look like luddites.

I plan on writing a series of letters to the ministers and chronicling the results if anyone's interested. I also encourage any other fellow aussies to do the same. Here are some good tips on writing letters to parliamentarians and getting a good chance of a reply http://www.efa.org.au/Campaigns/lobby.html and this one for the more subversive http://www.crikey.com.au/2009/12/16/dont-waste-your-time-was...

dmharrison | 16 years ago | on: First, China. Next: the Great Firewall of... Australia?

Yep, good point. RC (refused classification) is typically anything above R. So for example a porn store owner was just jailed for selling gay porn http://www.abc.net.au/unleashed/stories/s2927840.htm . RC != child porn and is quite broad, so if it is the bar quite a lot could be filtered and caught up in it. I'm sure some content would definitely be RC on youtube for example, and with the general malaise of large swathes of the public service IT, I wouldn't put it past a ham-fisted approach that catches up quite a lot.

Was this on your connection? AFAIK none of this is blocked and no one was actively filtering. What ISP are you with?

dmharrison | 16 years ago | on: First, China. Next: the Great Firewall of... Australia?

Australia's heading to an election later this year and with the series of missteps by the Rudd/Labor camp (mining tax, education revolution, dodgy insulation implementation) it's likely that the greens will hold the balance of power in the senate, so if the greens don't like it, there's a fair chance it won't make it into legislation.

I'd say the Australian Greens are closer to the Democratic Party in the US or the Liberal Democrats in the UK. So I'd put them center left on average.

dmharrison | 16 years ago | on: Ask HN: SOAP vs REST, which one do you prefer working with ?

Depends on who you expect to consume it, I think. If you're going to have enterprisey folks use it then they're most likely going to want SOAP etc.; if you expect it to be used in service orchestration ...... then the people with that kind of skillset tend to end up using SOAP etc. For general consumer access, REST all the way. I've written a custom service that did both as there was nothing at the time that did both, but that was ~4 years ago. The REST service was never really used; I think that's because for your average joe sitting there in a corporation, the training and toolset he's got is all SOAP focussed for the most part.

dmharrison | 16 years ago | on: Ask HN: Is HN Ignoring The Long Tail?

Yep, but this is true for RSS and most news sites generally as well IMHO. You see it, read it and then unless someone reposts it, it's gone forever. I use delicious to tag that I've liked it and then I can search, but it doesn't search content etc.

But the primary reason I use the feed is that it's filtered high quality new material that I'm genuinely not likely to have seen before.

dmharrison | 16 years ago | on: Ask HN: Aussies, put your hands up

I would wager it's probably Sydney, but then again I don't think any Australian town is the clear winner.

Canberra had a lot of enterprise focussed software startups which didn't get much notice; but I think compared to the US equivalents, a lot of Australian companies fly under the radar.

My belief is if you're starting in Aus rather than the US it doesn't really matter which city you're in as long as it's got a reasonable feeding uni. Having worked and recruited with US and Aus staff I definitely think Australian software engineers are some of the best and typically suitably pragmatic for software startups. (Until they fully roll out the US style of generalist and masters, aka the Uni Melbourne approach, but I guess we'll see.)

dmharrison | 16 years ago | on: Ask HN: Aussies, put your hands up

Brisbane, hi!

Recently moved to Brisbane from Canberra and starting knowtu. Looking at ilab and will make it to opencoffee sometime. Are there any good Brisbane entrepreneurship/tech groups someone could recommend? HN meetup?
