Domain: stackoverflow.com
Stories and comments across the archive that link to stackoverflow.com.
Comments · 921
-
Re:How do you stop someone from viewing the source
Javascript is a steaming pile of shit, riddled with vulnerabilities and broken from tip to top.
So of course they try to allow some overrides:
http://stackoverflow.com/quest...
Basically, you can google anything with "javascript disable" and get developers asking how to fuck their users in the pee hole. Often, there's an answer.
It wouldn't actually prevent users from viewing source though- I'm not aware of a way to do that. However, if there is, you can find it at good old google bombing expert sex change:
http://www.experts-exchange.co...
Also note: the real workaround for this isn't globally disabling javascript, though if everyone did that the web would shape up immediately. The real workaround is the various -monkeys that let you redefine pieces of javascript locally. Many sites go through several hoops to prevent loading on a browser that won't run their shitscript, but redefining parts and/or loading your own CSS can get you around most of it.
-
Re:Correlation != causation
This is what happens when you adapt computerized records in medical practice using more money than brains, as we do here in the U.S.
You quickly get huge databases of patients. Any medical resident looking for a cheap, easy journal publication can take a medical record database, run some standard statistical packages, and spit out correlations at p < 0.05. https://xkcd.com/882/
Then they say, "Our statistical software https://blog.stackoverflow.com... corrected for cigarette smoking and every other known factor, and we're left with this correlation."
I'm dismayed that so many people don't understand this simple distinction, which has caused so much damage.
For example, the Nurses' Health Study found out that post-menopausal women who took hormone replacement drugs were less likely to have heart disease. The drug companies used this in a classic marketing campaign to sell hormone replacement drugs to post-menopausal women.
Then it turned out that hormone replacement drugs caused more breast cancer. This was responsible for a major uptick (epidemic) of breast cancer in the US. The correlation was spurious because some women tried to have healthy behaviors -- diet, exercise, weight loss, and hormone replacement drugs in the mistaken belief that the drugs were "healthy".
So you can expect a lot more studies and news stories like this in the future.
-
The title is lying
So the blogger uses 2 polls in his article, one his own Twitter poll of 101 responses, hardly meaningful. The other is the 2015 Stack Overflow developer survey; that survey had 21,314 respondents for the education question, which is certainly better than 101. He uses the graph for education to back up his statements, which has the following data:
41.8% I'm self-taught
37.7% Bachelor of Science in Computer Science (or related field)
36.7% On-the-job training
18.4% Masters degree in Computer Science (or related field)
17.8% Online class
16.7% Some university coursework in computer science (or related field) but no degree
6.1% Industry certification program
4.3% Other
3.5% Intensive code "boot-camp" or night school
2.2% PhD in Computer Science (or related field)
1.0% Mentorship program
He then goes on to say "Only a third have a computer science or related degree and nearly 42%, the largest group, are self taught."
Turns out the percentages add up to 186.2%, the horror, some people had more than one source of education or they lied about their education. Now it's probably safe to assume that if the poll respondent had a PhD they didn't also claim Bachelor's and Master's degrees; that would mean that 58.3% of the poll have a computer science or related degree. If you include the response of some university coursework it turns out that 75% of the respondents had some level of university training. It would seem that according to Mr. Hadlow's sources that university training is important.
Perhaps Mr. Hadlow should head back to university, his math and logic skills need refreshing.
-
Re:how much do we exaggerate their importance?
It depends if all systems are remotely attackable, even if only http/ssh is opened, for instance. Basically if you are using SCTP, instead of TCP/UDP you may be at risk. But not so many applications are using that protocol.
-
Re:He did not address the duplicates issue
The solution is:
- ask the question one more time.
- link previous "duplicates"
- tell exactly how they don't answer it
- tell what you expect from the answer, that the accepted answer doesn't have.
Example. The original question asked "how to deal with the problem". My question was "Why does the problem exist; what are its potential consequences?" - I had to state I'm not looking for a solution but for a rationale, not "do it because the standard says so" but "what rationale lies behind this entry in the standard?" - it was three close-votes down before I got the point across.
Another one, not on SO but on Arqade, one of the SE sites. A Minecraft question, which was at first deemed a duplicate... except the original was about Creative mode, and mine was about Survival, making the (trivial) answers for the original useless in my context. Again, underlining the difference... made all the difference.
So: Just re-ask the non-duplicate, just make sure to show clearly why and how it's non-duplicate.
-
Re:Bwaaahahaha Coren22 "skrypt kiddie"... apk
Oh, and calling me a script kiddie, despite your misspellings, just makes you look like an absolute moron. A script kiddie is someone who doesn't know how to create the script, but just uses it without the underlying knowledge.
This is how you should do your host file comparisons:
http://stackoverflow.com/quest...
Instead, you feel you need to create atomic string comparison functions by hand, like it is terribly hard. So everyone should just reinvent the wheel to prove how "leet" they are, so they can be "leet" like you. You act like Unix never existed, and persist in not using the tools provided which would make your software run faster and use less resources. It also would prevent mistakes in your comparison code, but I guess you already know that, and so feel that your source code should be hidden away to avoid being proven a programming idiot rather than god-like, as you claim with "no proof".
-
Re:buyer beware
I've seen some *amazing* replies on SO that must have easily taken the programmer an hour or more to craft. The great thing is that answers of that quality tend to get voted up highly, and lots of people seem to point links to that page, so Google ranks it quite highly.
For a long while, my top rated answer on SO was this joke.
I have written one or two answers of which I am quite proud and that took me an hour or two to craft, but my current top rated answer by a mile is a two line snippet of code demonstrating how to split a string in Objective-C.
What's hilarious to me is when I get to a SO question, and you have the inevitable jerk that tells the person asking the question to just "Google the answer". My inevitable thought is: how the hell do you think I got here, you self-righteous ass? I saw a great response from someone else as well, which was: "someone has to first answer the question before Google can link to an answer."
Soon after I started posting, somebody added some code to the site that refused to allow any answers with lmgtfy.com embedded as a link. I was outraged for about five seconds.
-
Shazam type apps?
Could this be built into phone apps like Shazam? Shazam needs microphone access. That app seems built for collecting information for advertisers so it seems a likely candidate to me. There are lots of popular phone apps that request mic access even on iOS: Skype, Telegram, Dolphin Browser, Shazam, Snapchat, Instagram, etc. We need a way to tell which apps are doing this.
It also appears that even on iOS if you give an app microphone access then the app can access the microphone in the background:
http://stackoverflow.com/quest...
-
Re:Microphone access.
If an app wants microphone access in ios, it has to explicitly request it. You get a popup and have to ok it. If you don't, it doesn't have access. It can refuse to work, if it wants, but fuck them.
Does that happen in Android? I feel it does not, and you probably can, in the latest version, explicitly disable mic access or something? An android user can correct me.
I will say that questions like this:
http://stackoverflow.com/quest...
SO question:
"
1- I want to record.
2- User disallowed.
3- I want to record again.
4- I call requestRecordPermission:
5- It simply returns granted=NO (without prompting for permission)
Can I prompt the permission Alert to user somehow?
"
Make me VERY happy to see answers like: "There's no way to do this"
"I want to spam the user with access requests that are full screen OS level stuff until he says ok. How can I do this?" -> "Nnnnnnope!"
Anyway, if Android doesn't do this, that's sad, and hopefully they will soon. If Android and Ios both do this, I don't see how most programs will be able to get mic access at all in the first place.
-
Re:git
No, this only affects SSL certificates using the SHA-1 hash. Git isn't using the SHA-1 hash in a way where generating a collision would have security risks so there is no reason why anything has to change for Git.
Quoting a post from the old article quoting another article quoting an old answer from Linus on the issue:
[...] it's not really a big deal.
-
Re:Is there a use for overflow_usub?
instruction or two with appropriate compilers, by using the JC instruction rather than a CMP/JZ and in really performance critical code this will matter, but most code benefits more from readability than that extra instruction.
More to the point, if that single instruction is so all-fired important, fix the dang compiler to recognize that case! Don't uglify the source code.
This builtin IS the fix. Most architectures have a register that flips when overflow happens and this builtin is how you can agnostically access it. http://stackoverflow.com/quest...
The only real problem with the original code is that it's hard to read and the performance benefits better be worth making the code more cumbersome. If the code is in a loop that runs millions of times, then Linus may be wrong here (I didn't look deep into this).
-
Re:Fragmentation
YouTube has RSS feeds, although you have to do some URL gymnastics to get them because they'd really rather you used their inferior web interface.
-
Roughly what I would have written
Although I was unaware Java had those labeled jumps. Funny, given that I've been a Java coder the last 15 years.
A Stackoverflow answer had a decent example of where they could be used; a straightforward nested loop that quits when it finds something. Especially with foreach that doesn't look too bad.
search:
for (List<String> names : groupNames) {
    for (String name : names) {
        if ("joe".equalsIgnoreCase(name)) {
            break search;   // leaves both loops at once
        }
    }
}
Horrible? Maybe if the average coder hasn't seen labeled breaks before...
-
Re:what about git?
Why can't git be updated to just use another algorithm?
First off, Linus on the topic of SHA1 safety: (SO link, as the git mailing list links are flaky on me today)
The Linus' comment is somewhat outdated.
For the first type of collision - the inadvertent kind - a check was added to git a very long time ago. It will not let you commit if there is a hash collision. The timestamp is also part of the commit, and as such the workaround is to simply wait one second and try to commit again.
-
"chucknorris" is a color too
TFA completely did not mention that chucknorris is a valid color (it's a shade of red); likewise, OprahWinfrey is blue, MrT is black, and BarackObama is a faded green. (And yes, those are defined by the standard, they're not browser quirks.)
-
Re:what about git?
Why can't git be updated to just use another algorithm?
First off, Linus on the topic of SHA1 safety: (SO link, as the git mailing list links are flaky on me today)
The problem is that git uses the SHA1 hash *extensively* for "permanent" identification of things. There's a host of existing usage out there which would need to be updated/converted, and any conversion of an existing repository would completely invalidate any crosslinks/references using the SHA1 format. Also, because git allows shortened hashes to be used for identification, there's no way you can use the length of the hash to tell the difference between two hash formats for a "mixed" repository.
That said, it's not really a big deal. Even if you can manufacture a hash collision, there really isn't a good way to use it to attack a (remote) git repository. Even if you could create a file with the same SHA1 hash as a typical file in a git repository, it's highly unlikely to be anything approximating something that's in an appropriate format. The colliding file will be line noise, rather than a compile-able C++ file, for example.
Moreover, git is set up to use the *previous* version of a file in case two files have the same SHA1 hash. So you can create a SHA1 collision of an existing file
... which is then ignored by git in favor of the other file. The only way around that is if you have admin access to the remote git repository, or can somehow contrive to get your malicious file accepted to the repository prior to the file you're trying to collide with. (In which case, where are you getting the SHA1 you're targeting from?)
Even then, if someone has a "clean" copy of the file you're colliding with, makes a modification to that and re-commits, your malicious file will be overwritten wholesale by the new version of the non-malicious file (as git commits encode full file changes, rather than file deltas, so the new SHA1 will be encoded as the new version of the old SHA1).
You might be able to promote a divergence in the code tree due to the different files, but given that everyone in git has a full version of the repository on their disk, it would soon become apparent that something "funky" is going on in the commit history.
In short, even if you can make deliberate collisions with SHA1, that doesn't change the usefulness (and safety) of SHA1 for git, just like rot13 being a poor encryption doesn't mean you need to use PGP to encode your usenet joke punchlines.
(BTW, I'm guessing the GP post is supposed to be a joke)
-
96K times several factors, plus China
I just checked the installation on my PC and the minified JQuery file (jquery-1.11.1.min.js) is all of 96 kilobytes.
I've read that it's common for scripts hosted on separate sites to import separate copies of jQuery so that widgets on the page don't break when a new version of jQuery changes some otherwise unspecified behavior. With noConflict mode, you end up with jquery-1.11.1.min.js, jquery-1.otherversion.min.js, and jquery-1.yetanother.min.js. So that's 96 kilobytes, times a factor accounting for the overhead of JIT compilation, times the number of copies of jQuery loaded into a single page, times the number of tabs open in your browser. It also adds latency to the page load, especially on cellular and satellite. And loading it from Google's CDN causes problems for users in China.
-
Re:Why?
This whole feature doesn't even sound possible. I can't find any details about how this feature is supposed to work, but there has to be more to it than "it magically opens another connection and it just works." The Wifi and Cellular connections have different IPs. The packets would suddenly be coming from a different IP address. TCP and UDP do not support that.
At the transport layer, suppose a phone is on Wifi at IP 1.1.1.1, is authenticated, and is receiving data. Suppose the cell connection is 5.5.5.5. There's no way to tell the server "Hey, I know I'm on 5.5.5.5, but I'm actually that guy who was on 1.1.1.1 a moment ago, so start routing my packets here." You can't pick up a TCP stream and just continue it on another IP address. UDP won't work either, because it will ignore packets from 5.5.5.5 and keep sending to 1.1.1.1. That is why cellular voice connections use special protocols where the towers negotiate with each other. There are unique design considerations for such a hand-off, and most protocols don't consider that.
Supposing the transport layer could solve this, the session layer won't allow it. When you log in to a network service, you send credentials and get back some kind of security token. Those tokens are usually not valid when sent from another IP address. That's a pretty common security best practice.
You would need the application to realize that the connection went bad, then renegotiate the connection on the other IP address by sending the login credentials and accepting a new security token. Then it would need to tell the server to continue the connection from the point it left off. The OS can't do that for you.
It seems to me that if the OS transparently sent the packets from another IP, even if the server somehow got those packets, and for some reason the TCP stack routed it to the application - which it would not - any well written service would probably assume it was a hack and log both connections out. Or at least ignore the second one.
I also wonder what the OS would do if both connections returned data? Now there's 2 response streams for 1 single outgoing stream.
The only way that I could see this working is if some other server in the middle is proxying all your data, and there is a way to tell the proxy about your new IP address.
Here's a SO post on the topic of changing IP addresses:
http://stackoverflow.com/quest...
Here's an academic paper on a proposed modification to TCP to allow this:
http://www.prevelakis.net/Pape...
-
Re:Slashdot's own karma system
From the Stack Overflow Blog:
It turns out that people will do anything for fake internet points.
-
Exceptions are TOCTTOU safe
if a program lacks a configuration file because it is being started for the first time
That isn't an exception. That's a given.
Based on a cursory Google search, "given" appears not to be a term of art in programming. What is the C++ idiom to handle givens? I know Python's idiom is Easier to Ask Forgiveness than Permission (EAFP), which uses exceptions liberally because they're less likely to be vulnerable to time of check to time of use (TOCTTOU) attacks on a multitasking system than the alternative Look Before You Leap (LBYL) paradigm.
Exceptions were devised to handle exceptional events, not to handle your main flow of control.
"Use the settings in the configuration file except when the configuration file does not exist." How is that not "exceptional"?
-
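The LBYL-versus-EAFP point in the comment above ("Exceptions are TOCTTOU safe"), as an added example that is not part of the original thread. It handles the "no configuration file on first run" case both ways and shows why the Look-Before-You-Leap version is a time-of-check/time-of-use race: an attacker who can act between the existence check and the open can swap in a symlink. It assumes Linux/POSIX (symlinks and `os.O_NOFOLLOW`); the file names, the defaults and the `_after_check` hook are all constructed for the demonstration.

```python
"""Added example, not from the original thread: the "missing config file"
case handled LBYL vs EAFP, and why the LBYL version is a TOCTTOU race.
Assumes Linux/POSIX (os.O_NOFOLLOW, symlinks); file names are made up."""
import json
import os
import stat
import tempfile

DEFAULTS = {"listen": "127.0.0.1", "port": 8080}


def load_config_lbyl(path, _after_check=None):
    """Look Before You Leap. os.path.exists() and open() are separate
    syscalls; whatever `path` names can change between them. `_after_check`
    is a hook used only by demo() below to play the attacker in that window."""
    if not os.path.exists(path):          # the check ...
        return dict(DEFAULTS)
    if _after_check is not None:
        _after_check()                    # ... the window ...
    with open(path) as fh:                # ... the use
        return {**DEFAULTS, **json.load(fh)}


def load_config_eafp(path):
    """Easier to Ask Forgiveness than Permission. open() is the check, so
    "no config yet" is just one exception to handle, and any further checks
    are made on the descriptor we actually opened, never on the path."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # refuse a planted symlink
    except FileNotFoundError:
        return dict(DEFAULTS)             # first run: not an error, just no file
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):        # fstat: the object we hold
            raise ValueError("config is not a regular file")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "r") as fh:        # fdopen takes ownership of fd
        return {**DEFAULTS, **json.load(fh)}


def demo():
    """Constructed scenario: first run (no file), then a genuine config, then
    an attacker replaces it with a symlink to another file in the race window."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.json")
        other = os.path.join(d, "other.json")
        with open(other, "w") as fh:
            json.dump({"port": 1}, fh)

        first_run = load_config_eafp(cfg)         # no file yet -> defaults

        with open(cfg, "w") as fh:
            json.dump({"port": 9090}, fh)
        honest = load_config_eafp(cfg)            # regular file -> port 9090

        def swap():                               # attacker, inside the window
            os.remove(cfg)
            os.symlink(other, cfg)

        raced = load_config_lbyl(cfg, _after_check=swap)   # quietly reads other.json
        try:
            load_config_eafp(cfg)                 # O_NOFOLLOW -> ELOOP, refused
            refused = False
        except OSError:
            refused = True
        return first_run, honest, raced, refused


if __name__ == "__main__":
    print(demo())
```

EAFP only closes the window if everything you decide after the open is decided from the descriptor (`fstat`, `fchmod`, `fchown`) rather than from the path string; re-checking the path after opening reintroduces the race. `O_NOFOLLOW` also only refuses a symlink in the final path component, so a directory higher up that an attacker controls still needs `O_DIRECTORY` walks or `openat` relative to a trusted descriptor.
-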
Re:What instead of an exception?
Every object that can be thrown/caught must implement the Throwable interface
Then have all exceptions extend a subclass of std::exception. The guidelines mention use of a subclass as opposed to using the built-in exceptions directly.
the C++ alternative is only allocating objects on the stack and implementing destructors that clean up their resources
Also called Resource Acquisition Is Initialization (RAII), or "automatic resource destruction" if you don't want to remind readers of the record industry (RIAA).
but then you have the restriction of not being able to allocate on the heap
You can take advantage of automatic resource destruction if you wrap your object on the heap in a smart pointer type (std::unique_ptr or std::shared_ptr as appropriate) on the stack. If that isn't appropriate in a given situation, C++11 supports a scope guard idiom using std::shared_ptr and lambda expressions. The finally factory described in the Guidelines is ultimately an update of a method described in a 2000 article by Andrei Alexandrescu in Dr. Dobb's.
-
Re:EVEN WHEN??!!!!
Building containers is easy to automate and integrate as part of a build process. For example, Docker has Dockerfiles that describe how to build a container image based on an existing image (like base operating system image, or another image you have built).
A script could be, for example:
1. Start at a premade operating system image (e.g. Ubuntu)
2. Run command to install a web application container
3. Copy this web application archive from local system to container's web application directory
4. At runtime, expose port 8080
5. When starting image, run this command (start web application)
A real example can be seen here.
Apart from that, containers are pretty similar to virtual machines. I failed to find similar utilities for creating virtual images.
-
Re:Because it was written in Seastar or C++
A subclass should be used only when all of the following are true:
- You need two objects that behave very differently, but share some common behaviors
Congratulations, you don't get OO either.
Inheritance for re-use is quite possibly the worst reason ever to use subclasses. Inheritance should be used when you need polymorphism and the two objects behave *alike* - AKA the Liskov Substitution Principle. (Public) Inheritance that violates some of the assumptions of the parent class is really painful.
But you know what, you are still entirely correct that probably about 3 programmers in the world "get" OO, and I'm not one of them either.
-
Re:Failure to revoke certificates still problem
It's not that Google or Thawte have failed to correctly revoke certificates: it's that far too many people, at far too many sites and with far too many technologies, do not actually keep their signature authorities up-to-date. Because these people don't update signature authorities, they are unable to verify numerous valid certificates. These people then simply set their automated procedures, or make it their personal practice, to accept invalid certificates.
There's a second problem: How the hell does one validate a certificate? There's no out-of-band communication - there's no way to do something as simple as googling "gmail TLS fingerprint" and getting the right answer, and I'm looking at you, Google Security Blog -- why do you not publish the signatures when you rotate the keys?
Homework assignment: Try this.
msmtp --port=587 --serverinfo --host=smtp.gmail.com --tls=on --tls-certcheck=off
Should the SHA1 fingerprint end in 7e:60 as this IBM thread or this stackoverflow thread?
Or should it, as the guy in this thread observed and I was able to replicate, end with 05:4c?
Or should it still be this guy who says it ends in 69:a8, and which I observed with my own eyes about a year ago and commented out when I saw random people on the 'net confirming they'd rotated to the key ending in 7e:60?
Yes, I know web pages can be compromised by bad actors.
And I know connections to web pages can also be MITM'd by even worse actors.
Certificates are broken without out-of-band communication, and Google has, by ignoring the issue, made it effectively impossible to do out-of-band communication. What is the correct TLS fingerprint for smtp.gmail.com? Will it be the same in 5 seconds? How many "correct" fingerprints are there?
-
WebSphere
Seems IBM WebSphere did something like that. Their default URLs were often longer than a giraffe's intestines.
-
Re:Laptops, anyone?
MATLAB is cross platform but if you have a lot of toolboxes you can start to run into errors under Linux with it.
http://stackoverflow.com/quest...
It has to do with static thread local storage and dynamically loading libraries. I don't know why the error never occurs with Windows, but it seems to be within the design of glibc. There are ways to work around it by making sure some of the libraries you need the most are loaded first, but then other stuff can just fail later.
MATLAB is easy to install and easy to use under Linux, but with this bug, which it seems there is no realistic way to fix, it can be a pain in the ass sometimes.
-
Re:Not...seeing the point
Using the accelerometer in such a way requires a double integral and will definitely introduce drift. i.e. You can probably translate a little but when you come back you won't be in the same spot. Also this work was intended for large displays, when you're collaborating with other people in front of large displays you don't want to be waving your arms around to translate, you'll be hitting your collaborators. Finally, waving your arms around with your $800 smartphone has a danger of dropping and cracking it. Which is why this approach has merit.
-
Re:All useless. Edge is missing huge features.
So would you say that Edge is useless as a web browser, or that it doesn't work very well for your specific use case? Because those are 2 completely different things, and it sounds like you're trying to claim that it is useless as a web browser. Obviously it's not. What's more, Microsoft is aware of the bug you've found and has promised a fix.
Yeah, a bug. Not "things missing for no reason", like they made a design decision to remove that, but a bug. Keep in mind also that Edge is not the new IE, it is a new browser. They did not remove anything, they've only been adding features and fixing bugs.
But I'm sure you've already added your voice to the bug report so that Microsoft knows that it is affecting people, rather than just bitching about it on Slashdot. After all, you're a developer.
-
Re:Change the channel, Marge
I have a 4k monitor, with 125% scaling enabled.
The website where I order food recently managed to increase the amount of whitespace and lack of content to such an extent that now generally 10 rows of food fit on the screen.
10. The rows are (pre-scaling) at least 140px high, even if no images are included. It's ridiculous.
Of course it doesn't help that determining the dpi of the user device wasn't well-supported in the past. Responsive CSS should really use min-resolution instead of relying on pixel counts:
http://stackoverflow.com/quest...
The workaround for the whitespace plague of course is creating and always applying some user CSS code for frequently visited sites.
-
Re:Core code in C/C++. UI code in Obj-C, Swift, Ja
This is just ridiculous.
Rrrrright.
A pile of generic performance optimization tricks definitely solves real world problems in real world applications. Or probably it does for you, the whole world is reduced to games and Android.
Try to write some business logic which crunches 100 million entities, and then come back. Or a networking application which serves 10K+/s requests in real-time. But why go so far - an Eclipse-like text editor without C, in pure Java. All that is routinely done in C/C++ - and still generally fails in Java. I know it, because I have tried.
-
Re:Core code in C/C++. UI code in Obj-C, Swift, Ja
That's like saying "do not use classes or templates in the C++".
No, it's like saying if you want a performant game written in Java then you must avoid doing certain things.
This is just ridiculous.
-
Re:Willl any of this affect Swift performance?
I'm talking mostly about high performance numerical computing, games, etc. Right now if you look at the object code generated by Swift you'll see that even a trivial method call may generate dozens of retain/release calls on seemingly innocuous code. ARC is fine for most things but you pay a small penalty for it every time you reference or pass a reference to an object... as opposed to a garbage collected language (e.g. Java) where you expect referencing long lived objects to be essentially free, pointer operations. Right now the only way to write high performance code in Swift is to essentially abandon classes and work only with structs. And the built in types suffer indirectly from things like retain/release unwrapping Optional types, etc. Here's a stackoverflow link to an example (Swift's dictionary is something like 25x slower than Java's right now).
e.g. http://stackoverflow.com/quest...
I found that a straightforward port of my application from Java to Swift was spending 90% of its time in retain release calls, which is what got me deep into this.
BTW, if anyone knows of a good forum where people are talking about this type of thing I'd appreciate a reference.
-
Re:Since when are HTML & CSS programming langu
You are right about HTML & CSS not being programming languages - unless you allow user-interaction as part of "running a program" because then CSS can "run" Rule 110.
If LaTeX & troff were in the top 10, they would probably have been mentioned. I do not know if anybody uses troff on GitHub (don't care enough to look it up), but I do use a (private) LaTeX repository on GitHub myself to work on articles with my co-authors.
-
Re:C and C++ differ dramatically in complexity
C is a trivially simple language
You're crazy.
Back in the eighties when I was primarily a C programmer, I spent years mastering the art of writing portable C code. Our main application was required to compile under both the Microsoft and the Watcom compiler, and under the Watcom compiler we targeted both MSDOS and QNX. This was a royal PITA at times. The worst case I recall is that Microsoft had a bug in their type deduction logic for expressions that mixed signed and unsigned values. In actual fact, the Microsoft code generator used the correct rules, but the Microsoft diagnostic routine in the parser did not, causing it to issue "type conversion" warnings opposite to its own internal behaviour. Just imagine how that gave us a bad case of group-consciousness head spin until we tracked down the underlying cause.
It's terribly hard in C to defend yourself against certain kinds of accidental errors, which is one of my original reasons for moving to C++. My well-developed C programming subset (oh yes, I had a subset) was even more robust in C++. For example, in modern C++ there's much less justification for writing complex expressions using #define. Modern C++ programmers largely restrict the use of the C++ preprocessor for implementing a Turing-complete language at compile time.
Is the C99 preprocessor Turing complete?
Actually, I lied. That harmless looking C preprocessor from the dusty depths of time is but a C-hair short of being Turing complete at compile time. The smallest fiddle in the specification of token pasting might get you there.
Concerning underhandedness, the Karen Pease PIU winner would not survive having __isleap() recoded from a macro to a C++ inline function. Many of the other examples abuse the #define mechanism for encoding object lengths, rather than having the objects maintain their own lengths, such as any STL container does.
What you can foist on the unwary if you're off-scale malicious in C++ is off-scale high (it is, after all, a superset of C itself).
On the other end of the scale, if you use C++ abstractions to do good rather than evil, the never-ending refinement of the C++ language takes you to a better place, not a worse place.
I'm not overly enamoured of Great Man theory, and likewise I'm not greatly enamoured of sanitary-conception language design, in which all the sins of the past are taken behind the woodshed and put straight en masse.
Co-existence with our dirty origins is a simple fact of human biology. It isn't true that every complexity of human evolution is automatically a turn for the worse (as you seem to imply about accrued complexity in programming language design).
The truth of the matter is that C++ used wisely can be a clean and empowering programming language, for those of us able and willing to pay the price of admission.
Whether it's reasonable to pay that price given the many other choices available now is another question. In my case, I had already paid half the price in my first professional decade as a C programmer, after stripping away the illusion that C is a simple language.
I'm pretty much agnostic at this point about whether an ambitious young programmer should bother learning C++ or not, unless it happens that C++ is the only vehicle that will take you where you want to go (high abstraction level co-existing with raw hardware performance).
Too many people sit there in a state of contempt fundamentally saying "if C++ is the only viable solution, then I want a simpler problem to solve!"
Well, go to it. Fill your boots. But don't sit there and sneer at the brave souls who make the opposite choice.
-
Re:JAVA FTW
-
Re:JAVA FTW
Actually, it's pretty pathetic that C++ doesn't give you a stack trace for exceptions.
Though, as an aside, that just reminded me of the equally-as-pathetic amount of Stockholm Syndrome exhibited by C++ programmers on Stack Overflow:
http://stackoverflow.com/quest...
You don't need it! They're useless! If you use it you're not a good programmer! Why would you want C++ to be like other languages?!
-
Linux-gate
Any vulnerability in Debian, Fedora, or Android is Linux-gate.
-
When is not enough entropy a problem?
For the interested: Understanding-And-Managing-Entropy-Usage Whitepaper Black Hat whitepaper.
So it seems this is the classic problem that (Linux) programmers are told to use /dev/urandom (which never blocks) and some programs are doing so at system startup, thus there's the opportunity for there to be "insufficient" randomness because not enough entropy has been gathered at that point in time. In short: using /dev/urandom is OK, but if you are using it for security purposes you should only do it after /dev/random would have stopped blocking for a given amount of data for the first time since system startup (but there's no easy way to determine this on Linux). Or is there? Since the v3.17 kernel there is the getrandom syscall, which has the behaviour that if /dev/urandom has never been "initialised" it will block (or can be made to fail right away by using flags). More about the introduction of the Linux getrandom syscall can be read on the always good LWN. And yes, the BSDs had defences against this type of situation first :-)
So this is bad for Linux systems that make security related "things" that depend on randomness early in startup, but there may be mild mitigations in real life. If the security material is regenerated at a later point after boot there may be enough entropy around. If the system is rebooted but preserves entropy from the last boot this may be mitigated for random material generated in subsequent boots (so long as the material was generated after the randomness was reseeded). If entropy preservation never takes place then regeneration won't help early boot programs. If the material based on the randomness is never regenerated then again this doesn't help. If you take a VM image and the entropy seed isn't reset then you've stymied yourself as the system believes it has entropy that it really doesn't.
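As an added example (not part of the comment above), the getrandom probe the comment describes, written in C against the glibc getrandom() wrapper; it assumes Linux with glibc 2.25 or newer over a 3.17 or newer kernel:

```c
/* Added example, not code from the comment above.  Assumes Linux with the
 * glibc >= 2.25 getrandom() wrapper over the kernel >= 3.17 syscall. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* Probe CRNG state without waiting: 1 = seeded (urandom output fit for
 * keys), 0 = not yet seeded (early boot, fresh VM image), -1 = other
 * error, e.g. ENOSYS on a kernel older than 3.17. */
int crng_ready(void)
{
    unsigned char probe;
    ssize_t n;
    do {
        /* GRND_NONBLOCK: fail with EAGAIN instead of blocking until seeded. */
        n = getrandom(&probe, 1, GRND_NONBLOCK);
    } while (n < 0 && errno == EINTR);
    if (n == 1)
        return 1;
    return (n < 0 && errno == EAGAIN) ? 0 : -1;
}

/* Fill buf for security-sensitive use.  With flags == 0, getrandom()
 * blocks until the CRNG is seeded: the "only after /dev/random would
 * first have unblocked" rule, without guessing when that was.  Handles
 * EINTR and short reads (possible above 256 bytes).  0 on success, -1 on
 * failure with errno set. */
int secure_random_bytes(void *buf, size_t len)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = getrandom(p, len, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}
```

A service that generates keys at boot can call crng_ready() to log or delay, and secure_random_bytes() for the actual key material; a 0 from crng_ready() is the early-boot case the comment warns about.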
-
Re:Passing Parameters with Side Effects
Actually, what you're describing is formally defined as undefined behavior in the C and C++ standards.
Undefined behavior:
doSomething(pixel[i++],pixel[i++],pixel[i++]);
/* function call commas are NOT sequence points, so the result is undefined */
Refer to the Sequence point article. The [3] citation says
"Clause 6.5#2 of the C99 specification: "Between the previous and next sequence point an object shall have its stored value modified at most once by the evaluation of an expression. Furthermore, the prior value shall be accessed only to determine the value to be stored."
Pay special attention to point #4 under "Sequence points in C and C++", because that talks about your exact problem. But beware that you'd still have a bug even if you hid the increment inside of a function, because order of argument evaluation is not specified (as opposed to undefined behavior, which can cause nasal demons or format your hard drive).
Fixed with least diff:
int r=pixel[i++], g=pixel[i++], b=pixel[i++];
/* commas between declarators ARE sequence points */
doSomething(r,g,b);
See also: S.O. questions related to undefined behavior and sequence points in C and C++.
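As an added example (not code from the comment above), both halves of the point in C: the declarator-based fix, and the unspecified-order pitfall that remains when the increment is hidden in a function. The pixel buffer and helper names are constructed for the example.

```c
/* Added example, not code from the comment above.  Shows the
 * sequence-point-safe unpacking and the unspecified-order pitfall that
 * remains when the increment is merely hidden inside a function. */
#include <stddef.h>

/* Safe: each full declarator is a sequence point, so its initialiser is
 * evaluated and i advanced before the next one starts; r, g, b always
 * receive three consecutive bytes. */
void read_rgb(const unsigned char *pixel, size_t *i, int *r, int *g, int *b)
{
    int rr = pixel[(*i)++], gg = pixel[(*i)++], bb = pixel[(*i)++];
    *r = rr;
    *g = gg;
    *b = bb;
}

/* No undefined behaviour here, but the order in which the three arguments
 * are evaluated is unspecified, so which byte lands in which slot is up to
 * the compiler and may change between builds or optimisation levels. */
static int next_byte(const unsigned char *pixel, size_t *i)
{
    return pixel[(*i)++];
}

static void take3(int a, int b, int c, int out[3])
{
    out[0] = a;
    out[1] = b;
    out[2] = c;
}

void read_rgb_unspecified(const unsigned char *pixel, size_t *i, int out[3])
{
    take3(next_byte(pixel, i), next_byte(pixel, i), next_byte(pixel, i), out);
}

/* Constructed sample buffer: three pixels with distinct byte values, so a
 * reordering of the slots is visible in the result. */
const unsigned char SAMPLE[] = {10, 20, 30, 40, 50, 60, 70, 80, 90};
```

Only the set of bytes in out[] is predictable for read_rgb_unspecified(); their positions are not, which is the bug the comment warns would survive the function wrapper.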
-
Re:No kidding.
After 5 seconds of googling.
http://stackoverflow.com/quest...
-
Re:OpenID Connect scales at O(n^2)
Then let me reiterate the question I linked above: How should I, as a server administrator or as the developer of an application that will be installed on servers by third parties, go about determining at any moment in time what "the top several" OpenID Connect identity providers are?
-
OpenID Connect scales at O(n^2)
Of course, the real solution is to get rid of passwords. Web sites should switch to using OpenID authentication.
One problem is that a lot of identity providers,* such as Google, have switched from classic OpenID to OpenID Connect. Because of the OAuth 2 underlying OpenID Connect, it has become more common for IDPs to require each relying party* to enter into a contractual relationship with the identity provider. With classic OpenID, if you had an identifier URL from a given IDP, you could use it on any RP. But in OpenID Connect, you can't use your identifier unless the RP has a client ID and client secret pair issued by the same IDP that issued your identifier. There is a Dynamic Client Registration protocol for an RP to automatically obtain a client ID and client secret from an IDP, but no major IDPs appear to support DCR. If there are n RPs and m IDPs, a human has to review and accept a contract m*n times, and managing this becomes O(n^2):
* In OpenID, an "identity provider" is the website that issues OpenID identifier URLs and takes your password, such as Google, and a "relying party" is the website that takes your OpenID identifier and redirects you to the identity provider to log in.
-
'Some MUMPS I wrote for fun' :)
-
Re:Why?
nothing you can't have in perl today, with a relational database, and a table or two to track relationships between objects.
Sure, and there have been written entire books and essays and algorithms on how to get your relational database to store and return a hierarchy. It reminds me of those high school programming challenges where you implement a binary tree in a single array because why the fuck not?
But instead, it's a whole new opportunity to create problems!
Every language invented in the 60's was a whole new opportunity to create problems. The problem now is continuing to use it without fixing the problems. Even PHP has made improvements to the language.
-
Re:Abuse of sudo
Sorry, found it:
http://stackoverflow.com/quest...
I already used it, but forgot it since.
-
To insert the class
Who the hell still uses Javascript (library or not) to fade things in/out? Use CSS, damnit.
You still need the script to insert the class that triggers the CSS fade or size transition. You also need the script to work around the fact that CSS cannot transition to or from height: auto.
-
Next building on the left.
This is a stackoverflow question. http://stackoverflow.com/