Domain: wikipedia.org
Stories and comments across the archive that link to wikipedia.org.
Stories · 7,048
-
One-a-Day-Compiles: Good Enough For Government Work In 1983
theodp (442580) writes "Simon Allardice takes a stroll down coding memory lane, recalling that when he got started in programming in 1983, hand-writing one's programs with pencil on IBM coding sheets was still considered good enough for British government work (COBOL, Assembler forms). Allardice writes, 'And when you were finished handwriting a section of code — perhaps a full program, perhaps a subroutine — you'd gather these sheets together (carefully numbered in sequence, of course) and send them along to the folks in the data entry department. They'd type it in. And the next day you'd get a report to find out if it compiled or not. Let me say that again: the next day you could find out if your code compiled or not.' So, does anyone have 'fond' memories of computer programming in the punched card era? And for you young'uns, what do you suppose your C++ or Java development times would be like if you got one compile a day?" The other way you could program in 1983. -
Supreme Court Makes It Easier To Get Lawyers Fees In Patent Cases
UnknowingFool (672806) writes "In a pair of unanimous rulings yesterday, the Supreme Court made it easier for defendants in patent cases to collect attorneys fees if the litigation was frivolous. In the first case, Octane Fitness v. Icon Health & Fitness, the court ruled that a standard used by lower courts to award attorney's fees was impossible to meet. The original standard under Brooks Furniture Mfg., Inc. v. Dutailier Int'l, Inc. had ruled that a claim had to be both 'objectively baseless' and 'brought in subjective bad faith' before fees could be awarded. The high court ruled that fees should be awarded merely when the case is 'exceptional' and not when the defendant must prove there was zero merit.
In the second case, Highmark v. Allcare Health Management, the Supreme Court also noted the 'exceptional' standard in reversing the appellate court's decision but specifically ruled that appellate courts should give more deference to the lower courts on rulings of fact. In Highmark, the district court found that Allcare had engaged in a pattern of 'vexatious' and 'deceitful' conduct throughout the litigation and awarded fees. The appellate court, while agreeing with the lower court about part of the case, reversed the fees in their de novo review of the case. In de novo reviews, the court case is essentially retried with the higher court. The Supreme Court iterated that de novo reviews should be done typically for 'questions of law' and reviews on 'questions of fact' are done if there are clear errors, with decisions on matters of discretion 'reviewable for "abuse of discretion."' In other words, the appellate courts can review a case if a lower court has not correctly interpreted law; however, they should not retry a lower case on facts unless the lower court made a clear error. Also, unless the lower court abused their power in some way, the appellate court should not review their final decisions.
For example, if a person is tried for murder, an appellate court could rule that a district court misinterpreted a statute about sentencing if the person is found guilty. The appellate court should not retry the facts of the case unless the lower court had made a clear error like ruling that there was a DNA match when there was not. Also, an appellate court should not reverse the lower court if they sentenced the person to a reasonable time. Now if the district court sentenced the person to 400 years for one murder, then the appellate court should intervene.
In effect the two rulings make it easier for companies to recover money should they be sued in frivolous patent lawsuits. This would make the risks greater for those who sue." -
Red Hat Acquires InkTank, Ceph Maintainers
An anonymous reader writes "Red Hat announced their pending acquisition of Inktank this morning. Sage Weil and a team of researchers at University of California Santa Cruz first published the architecture in 2007. Sage joined DreamHost after college and continued development on Ceph until DreamHost spun off Inktank, a company focused solely on Ceph. In Sage's blog post on the acquisition, he says 'In particular, joining forces with the Red Hat team will improve our ability to address problems at all layers of the storage stack, including in the kernel.' Sage goes on to announce that Inktank's proprietary management tools for Ceph will now be open sourced, citing Red Hat's pure open source development and business models.
Ceph has seen wide adoption in OpenStack customer deployments, alongside Red Hat's existing Gluster system." Ceph looks pretty cool if you're doing serious storage: CERN has a 3 Petabyte "prototype" cluster in use now (Only tangentially related, but still interesting, is how CERN does storage in general). -
C++ and the STL 12 Years Later: What Do You Think Now?
profBill (98315) writes "Way back in 2002, Slashdot ran a story asking what people thought about C++ and the STL. Well, it's 2014 and C++11 is well out there with C++14 on its way.
I teach a second programming course in C++ with a heavy emphasis on the STL (containers and generic algorithms). I just wondered what people think about the situation today. Personally, I think C++11 has cleaned up a lot of problems, making it easier to use, but given all those who work with C++ for a living, I wondered what they thought today compared to then. Are people using C++11? Does it matter at all? I'd love to share the responses with my students! They are always curious about what practitioners are doing these days." -
After a Long wait, GNU Screen Gets Refreshed
New submitter jostber (304257) writes "It's been a long wait, but now GNU Screen, the most useful CLI windows manager around, is available. Version 4.2.1 was released a couple of days ago and the maintainer's release news is here." There are fewer commits than you might expect for software that's had six years since its last major update, but that could be because the developers have had 23 years to knock out the major bugs. -
US Nuclear Missile Silos Use Safe, Secure 8" Floppy Disks
Hugh Pickens DOT Com (2995471) writes "Sean Gallagher writes that the government built facilities for the Minuteman missiles in the 1960s and 1970s and although the missiles have been upgraded numerous times to make them safer and more reliable, the bases themselves haven't changed much and there isn't a lot of incentive to upgrade them. ICBM forces commander Maj. Gen. Jack Weinstein told Leslie Stahl from "60 Minutes" that the bases have extremely tight IT and cyber security, because they're not Internet-connected and they use such old hardware and software. "A few years ago we did a complete analysis of our entire network," says Weinstein. "Cyber engineers found out that the system is extremely safe and extremely secure in the way it's developed." While on the base, missileers showed Stahl the 8-inch floppy disks, marked "Top Secret," which are used with the computer that handles what was once called the Strategic Air Command Digital Network (SACDIN), a communication system that delivers launch commands to US missile forces. Later, in an interview with Weinstein, Stahl described the disk she was shown as "gigantic," and said she had never seen one that big. Weinstein explained, "Those older systems provide us some, I will say, huge safety, when it comes to some cyber issues that we currently have in the world."" -
Netflix Confirms Deal For Access To Verizon's Network
An anonymous reader writes "Netflix [on Monday] confirmed that it has reached a deal to gain itself access to Verizon's network. This deal is similar to the one that Netflix already made with Comcast and should improve streaming video quality for Verizon customers. Readers should note that Netflix is paying Verizon and Comcast only to gain access to its networks by by-passing third-party transit providers like Cogent and Level 3. If the FCC's new proposal passes, ISPs like Verizon and Comcast could also charge Netflix for faster direct connections to its customers over the last mile." -
Setback For Small Nuclear Reactors: B&W Cuts mPower Funding
mdsolar (1045926) writes with news that funding for the mPower, a Small Modular [Nuclear] Reactor, has been cut due to the inability to find investors interested in building a prototype. From the article: "The pullback represents a major blow to the development of SMRs, which have been hailed as the next step forward for the nuclear power industry. ... All told, B&W, the DOE, and partners have spent around $400 million on the mPower program. Another $600 million was needed just to get the technology ready for application to the Nuclear Regulatory Commission for licensing. ... B&W plans to continue low-level R&D on the mPower technology with a view to commercial deployment in the mid-2020s, said CEO James Ferland. But without a major shift in the business environment and in investor perceptions of the risks and rewards associated with nuclear power, that seems fanciful." -
NASA Honors William Shatner With Distinguished Public Service Medal
Hugh Pickens DOT Com (2995471) writes "Red Orbit reports that after nearly 50 years of warping across galaxies and saving the universe from a variety of alien threats and celestial disasters, Star Trek's William Shatner was honored with NASA's Distinguished Public Service medal, the highest award bestowed by the agency to non-government personnel. 'William Shatner has been so generous with his time and energy in encouraging students to study science and math, and for inspiring generations of explorers, including many of the astronauts and engineers who are a part of NASA today,' said David Weaver, NASA's associate administrator for the Office of Communications at NASA Headquarters in Washington. 'He's most deserving of this prestigious award.' Past recipients of the NASA Distinguished Public Service Medal include astrophysicist Neil deGrasse Tyson, former NASA Jet Propulsion Laboratory director and Voyager project scientist Edward Stone, theoretical physicist and astronomer Lyman Spitzer, and science fiction writer Robert Heinlein. The award is presented to those who 'have personally made a contribution representing substantial progress to the NASA mission. The contribution must be so extraordinary that other forms of recognition would be inadequate.'" -
What Happens To All the Universe's Hydrogen?
StartsWithABang (3485481) writes "Just a second after the Big Bang, the Universe was a hot bath of radiation, with a small fraction of protons and neutrons in about equal numbers left over. By the time it was four minutes old, it was 92% hydrogen (by number of atoms) and 8% helium. Yet the Universe has aged nearly 14 billion years since then, and has formed many generations of stars, all of which burn hydrogen into heavier elements. So how much hydrogen is left, and how much will be left far into the future? A lot more than you might think." -
Amazon Turns Off In-App Purchases In iOS Comixology
whisper_jeff writes: "Under the bold assumption that, since they were able to do it with books, they must be able to do it with comics, Amazon has decided to avoid Apple's 30% cut of in app purchases by removing the option from digital comic book platform Comixology for iOS users. It will be interesting to see if digital comic readers leap through the extra hoops to read digital comics on their iOS device or if Amazon has just signed the death knell for their new purchase. Readers may decide that buying a book and buying a comic aren't the same thing — that the extra hoops they're being forced to leap through simply aren't worth it for a comic that takes five minutes to read." -
Frigid Brown Dwarf Found Only 7.2 Light-Years Away
An anonymous reader writes "Astronomer Kevin Luhman just found the 7th closest star to the sun. It's a mere 7.2 light-years away, discovered using NASA's Spitzer and WISE telescopes. How could it exist so close for so long without us knowing? It's a brown dwarf — barely a star at all. 'Brown dwarfs are star-like objects that are more massive than planets, but not quite massive enough to ignite sustained fusion in their cores. Hydrogen fusion is what powers the Sun, and makes it hot; it's the mighty pressure of the Sun's core that makes that happen. Brown dwarfs don't have the oomph needed to keep that going.' This small almost-star is downright chilly at around 225-260 Kelvin. That's -48 to -13 C (or -54 to 9 F). As Phil Plait points out, that's not much different from the temperature in the freezer in your kitchen. He adds, 'It implies this object is very old, too, because it would've been a few thousand degrees when it formed, and would take at least a billion years to cool down to its current chilly temperature. It's hard to determine how old it actually is, but it's most likely 1-10 billion years old. It has a very low mass, too, probably between 3 and 10 times the mass of Jupiter. That's pretty lightweight even for a brown dwarf. And here's another amazing thing about it: It might be a planet. What I mean is, it may have formed around a star like a planet does, then got ejected by gravitational interactions with other planets.'" -
Algorithm Distinguishes Memes From Ordinary Information
KentuckyFC writes: "Memes are the cultural equivalent of genes: units that transfer ideas or practices from one human to another by means of imitation. In recent years, network scientists have become increasingly interested in how memes spread, work that has led to important insights into the nature of news cycles, into information avalanches on social networks and so on. But what exactly makes a meme and distinguishes it from other forms of information is not well understood. Now a team of researchers has developed a way to automatically distinguish scientific memes from other forms of information for the first time. Their technique exploits the way scientific papers reference older papers on related topics. They scoured the half a million papers published by Physical Review between 1893 and 2010 looking for common words or phrases. They define an interesting meme as one that is more likely to appear in a paper that cites another paper in which the same meme occurs. In other words, interesting memes are more likely to replicate. They end up with a list of words and phrases that have spread by replication and can also see how this spreading has changed over the last 100 years. The top five phrases are: loop quantum cosmology, unparticle, sonoluminescence, MgB2 and stochastic resonance; all of which are important topics in physics. The team say the technique is interesting because it provides a way to distinguish memes from other forms of information that do not spread in the same way through replication." -
Gary Kildall, Father of the PC OS, Finally Gets His Due
theodp writes: "GeekWire reports that Gary Kildall, the creator of the landmark personal computer operating system CP/M, will be recognized posthumously by the IEEE for that contribution, in addition to his invention of BIOS, with a rare IEEE Milestone plaque. Kildall, who passed away in 1994 at the age of 52, has been called the man who could have been Bill Gates. But according to Kildall's son, his dad wasn't actually interested in being what Bill Gates became: 'He was a real inventor,' said Scott Kildall. 'He was much more interested in creating new ideas and bringing them to the world, rather than being the one that was bringing them to market and leveraging a huge amount of profits. He was such a kind human being. He was always sharing his ideas, and would sit down with people and show flowcharts of what he was thinking. I think if he were around for the open-source movement, he would be such a huge proponent of it.' Techies of a certain age will also remember Gary's work as a co-host of Computer Chronicles." -
How Japan Plans To Build Orbital Solar Power Stations
the_newsbeagle (2532562) writes "Solar power stations in orbit aren't exactly a new idea — Asimov set one of his stories on such a space station back in 1941. Everyone thinks it's a cool idea to collect solar power 24 hours a day and beam it down to Earth. But what with the expense and difficulty of rocketing up the parts and constructing and operating the stations in orbit, nobody's built one yet. While you probably still shouldn't hold your breath, it's interesting to learn that Japan's space agency has spec'd out such a solar power station." -
Blood of World's Oldest Woman Hints At Limits of Life
porkchop_d_clown (39923) writes "When Hendrikje van Andel-Schipper died in 2005, she was the oldest woman in the world. [New Scientist reported Wednesday] that, at the end of her life, most of her white blood cells had been produced by just two stem cells — implying the rest of her blood stem cells had already died, and hinting at a possible limit to the human life span." -
Mobile Game Attempts To Diagnose Alzheimer's
the_newsbeagle writes "Currently, the best way to check if a person has a high likelihood of developing Alzheimer's is to perform a PET scan to measure the amount of amyloid plaque in his or her brain. That's an expensive procedure. But a startup called Akili Interactive says it has developed a mobile game that can identify likely Alzheimer's patients just by their gameplay and game results. The game is based on a neuroscience study which showed that multitasking is one of the first brain functions to take a hit in Alzheimer's patients. Therefore the game requires players to perform two tasks at the same time." -
OpenSSL: the New Face of Technology Monoculture
chicksdaddy writes: "In a now-famous 2003 essay, 'Cyberinsecurity: The Cost of Monopoly,' Dr. Dan Geer argued, persuasively, that Microsoft's operating system monopoly constituted a grave risk to the security of the United States and international security, as well. It was in the interest of the U.S. government and others to break Redmond's monopoly, or at least to lessen Microsoft's ability to 'lock in' customers and limit choice. The essay cost Geer his job at the security consulting firm AtStake, which then counted Microsoft as a major customer. These days Geer is the Chief Security Officer at In-Q-Tel, the CIA's venture capital arm. But he's no less vigilant of the dangers of software monocultures. In a post at the Lawfare blog, Geer is again warning about the dangers that come from an over-reliance on common platforms and code. His concern this time isn't proprietary software managed by Redmond, however, it's common, oft-reused hardware and software packages like the OpenSSL software at the heart (pun intended) of Heartbleed. 'The critical infrastructure's monoculture question was once centered on Microsoft Windows,' he writes. 'No more. The critical infrastructure's monoculture problem, and hence its exposure to common mode risk, is now small devices and the chips which run them.'" -
How Much Data Plan Bandwidth Is Wasted By DRM?
Bennett Haselton writes: "If you watch a movie or TV show (legally) on your mobile device while away from your home network, it's usually by streaming it on a data plan. This consumes an enormous amount of a scarce resource (data bundled with your cell phone provider's data plan), most of it unnecessarily, since many of those users could have downloaded the movie in advance on their home broadband connection — if it weren't for pointless DRM restrictions." Read on for the rest of Bennett's thoughts.
T-Mobile may not have great coverage — on our way to the Olympic National Park, my T-Mobile phone stopped working a long time before my friend's Verizon phone did — but I switched two weeks ago because the $80/month plan came with unlimited data, and I thought it would be convenient to watch Netflix streaming content and queued shows on Hulu from anywhere in the city. Since then I've been using data at about 10 times the rate that I did when I was capped at 2GB/month on Verizon.
But there was never any good reason that any of that data had to be downloaded over my data plan at all. I always know in advance what I'm going to be watching on Hulu, and almost always what I'm going to be watching on Netflix, which means if the apps would let me, I would rather download and queue up those movies and shows over my home broadband connection, and then watch the locally saved copies on the go. Hulu and Netflix would make at least the same profit off of me as they do now — I would still be watching Hulu's mandated advertisements before each show, and I would still be paying my monthly Netflix subscription. The difference is that I wouldn't be wasting a limited resource by downloading the content over my data plan. Even if my plan comes with unlimited data, that's not without costs, since one of the reasons I had to upgrade to unlimited data (and give up the broader Verizon coverage in the process) is that I can't download this content in advance at home. Otherwise, Verizon's sub-2GB data cap would have been fine with me.
Unfortunately, Hulu and Netflix apps both make it impossible to save their content locally, presumably due to a misguided attempt at DRM. ("DRM" is often used to refer to static content which has been encrypted in a way to make it difficult to copy; I'm using it more broadly here to include the practice of streaming content in a way which makes it difficult for users to save the content to a local file.)
(It has been pointed out, for example by Timothy Geigner on Techdirt, that data plan bandwidth may not truly be a "scarce resource" at all, and providers impose the data caps just to extract more money from users. The irony, though, is that even if the "scarcity" of cell phone plan data is not real, the streaming of content still constitutes waste of a precious resource, because users waste resources dealing with the data cap — prioritizing which content to download, or figuring out how to download the content illegally at home so they can save it as a local file. Or, they may simply decide to go without having the content on the go because they don't have enough data on their data plan — this counts as a deadweight economic loss caused by the DRM as well.)
You might think that the apps do not allow locally saved copies because the copyright owners prohibit it, but the Google Play app, for example, does allow you to download a saved copy of any content that you have rented or purchased from the Google Play store. (If you "rent" a movie or TV show episode from the Google Play store, you can still save it locally, but some predetermined time after you start watching the content, the content will "expire" and the file will be deleted.) So there is precedent for a non-fly-by-night company allowing you to save a local copy of content that you have paid for the right to access. So why not Hulu and Netflix?
I fear it may be that either the copyright holders, or the lawyers at Hulu and Netflix themselves, have been led to believe that locally saved content is easier to pirate, and neither of them want to be pegged as responsible for enabling piracy. This is fallacious for a couple of reasons: (a) If it's that easy, why hasn't it happened on a large scale with movies from Google Play, which can be saved locally? (b) Streaming content is just as easy to pirate, by, as a last resort, holding up a video camera to a screen playing the movie. (Yes, most users would not bother, but for piracy to occur, only one user in the entire world has to go to the trouble of doing this, and once it's done, an unprotected copy will be freely available on peer-to-peer networks for as long as people have any interest in the movie at all.) Which leads to: (c) Any user technically savvy enough to figure out how to pirate streamed content, is obviously going to be savvy enough to simply download the same content from p2p networks. In other words, forcing users to stream content instead of watching it from locally saved copies, gains the copyright holders and the app makers exactly nothing.
If I had to save content locally in the Hulu app before watching it, of course I'd have to watch ads before the content started playing, just as I do with the streaming version. In that scenario, if I had the time, I could probably try to find a black-market application that would watch the saved content without the ads, but like probably 90% of users, I probably wouldn't bother. And if I did want to make the effort, I'd just BitTorrent a copy of the movie or TV show instead, instead of trying to defeat copy protection on the local saved file.
I have no idea how much data plan bandwidth is used every day on content that users would have preferred downloading at home in advance, but it seems like a non-trivial percentage. Most Hulu and Netflix viewing is of movies or TV shows that you knew in advance you would want to watch, and could have saved. On the other hand, this wouldn't be true of random browsing of YouTube videos in the kind of mindset where you just watch a 60-second clip, feel mildly amused, and watch whatever comes up next in the recommendations bar to the right. Ironically, as you read these words, multiple telecommunications companies are drawing up plans to roll out billions of dollars' worth of communications infrastructure to provide more data services to more users — meanwhile, we could vastly increase the utility of the existing infrastructure with just the flick of a switch. (Well, a couple of switches -- convincing the copyright holders, and the Netflix and Hulu legal departments, that locally saved content is not illegal, as Google Play has shown, and could in fact make them more money. Hulu, after all, is making more money off of me now than they used to, since I'm watching more of their shows on the road, and viewing more of their ads.)
With a static download model, I'm sure the overwhelming majority of Hulu and Netflix users would go on paying (and Hulu would probably actually make more money, from the increased ad views). I would even start the day the same way, before even getting out of bed — by taking the phone on the bedside table, loading up a queued Hulu show, and getting the ad out of the way, then pausing just as the real show begins so that later on I can start watching it immediately. Because it just feels good to start the day with a feeling of accomplishment.
-
If I had to save content locally in the Hulu app before watching it, of course I'd have to watch ads before the content started playing, just as I do with the streaming version. In that scenario, if I had the time, I could probably try to find a black-market application that would watch the saved content without the ads, but like probably 90% of users, I probably wouldn't bother. And if I did want to make the effort, I'd just BitTorrent a copy of the movie or TV show instead, instead of trying to defeat copy protection on the local saved file.
I have no idea how much data plan bandwidth is used every day on content that users would have preferred downloading at home in advance, but it seems like a non-trivial percentage. Most Hulu and Netflix viewing is of movies or TV shows that you knew in advance you would want to watch, and could have saved. On the other hand, this wouldn't be true of random browsing of YouTube videos in the kind of mindset where you just watch a 60-second clip, feel mildly amused, and watch whatever comes up next in the recommendations bar to the right. Ironically, as you read these words, multiple telecommunications companies are drawing up plans to roll out billions of dollars' worth of communications infrastructure to provide more data services to more users — meanwhile, we could vastly increase the utility of the existing infrastructure with just the flick of a switch. (Well, a couple of switches -- convincing the copyright holders, and the Netflix and Hulu legal departments, that locally saved content is not illegal, as Google Play has shown, and could in fact make them more money. Hulu, after all, is making more money off of me now than they used to, since I'm watching more of their shows on the road, and viewing more of their ads.)
With a static download model, I'm sure the overwhelming majority of Hulu and Netflix users would go on paying (and Hulu would probably actually make more money, from the increased ad views). I would even start the day the same way, before even getting out of bed — by taking the phone on the bedside table, loading up a queued Hulu show, and getting the ad out of the way, then pausing just as the real show begins so that later on I can start watching it immediately. Because it just feels good to start the day with a feeling of accomplishment.
-
NIST Removes Dual_EC_DRBG From Random Number Generator Recommendations
hypnosec writes: "National Institute of Standards and Technology (NIST) has removed the much-criticized Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) from its draft guidance on random number generators following a period of public comment and review. The revised document retains three of the four previously available options for generating pseudorandom bits required to create secure cryptographic keys for encrypting data. NIST recommends that people using Dual_EC_DRBG should transition to one of the other three recommended algorithms as quickly as possible." -
Experts Say Hitching a Ride In an Airliner's Wheel Well Is Not a Good Idea
Hugh Pickens DOT Com (2995471) writes "Hasani Gittens reports that as miraculous as it was that a 16-year-old California boy was able to hitch a ride from San Jose to Hawaii and survive, it isn't the first time a wheel-well stowaway has lived to tell about it. The FAA says that since 1947 there have been 105 people who have tried to surreptitiously travel in plane landing gear — with a survival rate of about 25 percent. But the agency adds that the actual numbers are probably higher, as some survivors may have escaped unnoticed, and bodies could fall into the ocean undetected. Except for the occasional happy ending, hiding in the landing gear of an aircraft as it soars miles above the Earth is generally a losing proposition. According to an FAA/Wright State University study titled 'Survival at High Altitudes: Wheel-Well Passengers,' at 20,000 feet the temperature experienced by a stowaway would be -13 F, at 30,000 it would be -45 in the wheel well — and at 40,000 feet, the mercury plunges to a deadly -85 F (PDF). 'You're dealing with an incredibly harsh environment,' says aviation and security expert Anthony Roman. 'Temperatures can reach -50 F, and oxygen levels there are barely sustainable for life.' Even if a strong-bodied individual is lucky enough to stand the cold and the lack of oxygen, there's still the issue of falling out of the plane. 'It's almost impossible not to get thrown out when the gear opens,' says Roman.
So how do the lucky one-in-four survive? The answer, surprisingly, is that a few factors of human physiology are at play: As the aircraft climbs, the body enters a state of hypoxia—that is, it lacks oxygen—and the person passes out. At the same time, the frigid temperatures cause a state of hypothermia, which preserves the nervous system. 'It's similar to a young kid who falls to the bottom of an icy lake,' says Roman, 'and two hours later he survives, because he was so cold.'" -
Google Aids Scientology-Linked Group CCHR With Pay-Per-Click Ads
An anonymous reader writes "The Citizens Commission on Human Rights (CCHR), a Scientology front group, has received a 'grant from Google in the amount of $10,000 per month worth of Pay Per Click Advertising to be used in our Orange County anti-psych campaigns.' CCHR believes that ALL psychiatrists are evil. They believe that psychiatrists were behind the holocaust, and these shadow men were never brought to justice. CCHR also believes that psychiatrists were behind the 911 attacks. Scientologists believe that psychiatrists have always been evil, and their treachery goes back 75 million years when the psychiatrists assisted XENU in killing countless alien life forms. Thanks Google! We may be able to stop these evil Psychs once and for all!" -
RIP, NASA Moon Landing Engineer John C. Houbolt
The Houston Chronicle reports the death of John C. Houbolt, whose ideas helped guide the U.S. moon-landing programs. Houbolt died on Tuesday at the age of 95, in a nursing home in Maine. Says the Chronicle's obituary: "His efforts in the early 1960s are largely credited with convincing NASA to focus on the launch of a module carrying a crew from lunar orbit, rather than a rocket from earth or a space craft while orbiting the planet. Houbolt argued that a lunar orbit rendezvous, or lor, would not only be less mechanically and financially onerous than building a huge rocket to take man to the moon or launching a craft while orbiting the earth, but lor was the only option to meet President John F. Kennedy's challenge before the end of the decade." -
3 Former Astronauts: Earth-Asteroid Collisions Are a Real But Preventable Danger
Three former astronauts — Ed Lu, Tom Jones, and Bill Anders — say that reassuring figures about the rarity of asteroid collisions with Earth are perhaps too reassuring. The B612 Foundation, of which Lu is a director, has been established to draw public awareness to the risks of a large asteroid hitting a population center -- which these three men say is a far more serious public danger than has been acknowledged by NASA and other agencies. And beyond awareness, the Foundation's immediate goal is to raise money to "design and build an asteroid-finding space telescope and launch it by 2017," and then, Armageddon-style, to follow that up with technology to divert any asteroids whose path would threaten earth. -
The Design Flaw That Almost Wiped Out an NYC Skyscraper
Hugh Pickens DOT Com (2995471) writes "Joel Werner writes in Slate that when Citicorp Center was built in 1977 it was, at 59 stories, the seventh-tallest building in the world but no one figured out until after it was built that although the chief structural engineer, William LeMessurier, had properly accounted for perpendicular winds, the building was particularly vulnerable to quartering winds — in part due to cost-saving changes made to the original plan by the contractor. "According to LeMessurier, in 1978 an undergraduate architecture student contacted him with a bold claim about LeMessurier's building: that Citicorp Center could blow over in the wind," writes Werner. "LeMessurier realized that a major storm could cause a blackout and render the tuned mass damper inoperable. Without the tuned mass damper, LeMessurier calculated that a storm powerful enough to take out the building hit New York every 16 years." In other words, for every year Citicorp Center was standing, there was about a 1-in-16 chance that it would collapse." (Read on for more.) Pickens continues: "LeMessurier and his team worked with Citicorp to coordinate emergency repairs. With the help of the NYPD, they worked out an evacuation plan spanning a 10-block radius. They had 2,500 Red Cross volunteers on standby, and three different weather services employed 24/7 to keep an eye on potential windstorms. Work began immediately, and continued around the clock for three months. Welders worked all night and quit at daybreak, just as the building occupants returned to work. But all of this happened in secret, even as Hurricane Ella, the strongest hurricane on record in Canadian waters, was racing up the eastern seaboard. The hurricane became stationary for about 24 hours, and later turned to the northeast away from the coast. Hurricane Ella never made landfall. And so the public—including the building's occupants—were never notified.
Until his death in 2007, LeMessurier talked about the summer of 1978 to his classes at Harvard. The tale, as he told it, is by turns painful, self-deprecating, and self-dramatizing--an engineer who did the right thing. But it also speaks to the larger question of how professional people should behave. "You have a social obligation," LeMessurier reminded his students. "In return for getting a license and being regarded with respect, you're supposed to be self-sacrificing and look beyond the interests of yourself and your client to society as a whole."" -
SpaceX Launches Load to ISS, Successfully Tests Falcon 9 Over Water
mosb1000 (710161) writes "SpaceX is reporting that they've successfully landed the first stage of their CRS3 Falcon 9 rocket over the Atlantic Ocean today. This is potentially a huge milestone for low-cost space flight." In another win for the company, as the L.A. Times reports, SpaceX also has launched a re-supply mission to the ISS. -
VA Supreme Court: Michael Mann Needn't Turn Over All His Email
RoccamOccam sends news that the Virginia Supreme Court has ruled that Michael Mann, a climate scientist notable for his work on the "hockey stick" graph, does not have to turn over the entirety of his papers and emails under Freedom of Information laws. Roughly 1,000 documents were turned over in response to the request, but another 12,000 remain, which lawyers for the University of Virginia say are "of a proprietary nature," and thus entitled to an exemption. The VA Supreme Court ruled (PDF), "the higher education research exemption's desired effect is to avoid competitive harm not limited to financial matters," and said the application of "proprietary" was correct in this case. Mann said he hopes the ruling "can serve as a precedent in other states confronting this same assault on public universities and their faculty." -
Bug Bounties Don't Help If Bugs Never Run Out
Bennett Haselton writes: "I was an early advocate of companies offering cash prizes to researchers who found security holes in their products, so that the vulnerabilities can be fixed before the bad guys exploited them. I still believe that prize programs can make a product safer under certain conditions. But I had naively overlooked that under an alternate set of assumptions, you might find that not only do cash prizes not make the product any safer, but that nothing makes the product any safer — you might as well not bother fixing certain security holes at all, whether they were found through a prize program or not." Read on for the rest of Bennett's thoughts. In 2007 I wrote:
It's virtually certain that if a company like Microsoft offered $1,000 for a new IE exploit, someone would find at least one and report it to them. So the question facing Microsoft when they choose whether to make that offer, is: Would they rather have the $1,000, or the exploit? What responsible company could possibly choose "the $1,000"? Especially considering that if they don't offer the prize, and as a result that particular exploit doesn't get found by a white-hat researcher, someone else will probably find it and sell it on the black market instead?
Well, I still believe that part's true. You can visualize it even more starkly this way: A stranger approaches a company like Microsoft holding two envelopes, one containing $1,000 cash, and the other containing an IE security vulnerability which hasn't yet been discovered in the wild, and asks Microsoft to pick one envelope. It would sound short-sighted and irresponsible for Microsoft to pick the envelope containing the cash — but when Microsoft declines to offer a $1,000 cash prize for vulnerabilities, it's exactly like choosing the envelope with the $1,000. You might argue that it's "not exactly the same" because Microsoft's hypothetical $1,000 prize program would be on offer for bugs which haven't been found yet, but I'd argue that's a distinction without a difference. If Microsoft did offer a $1,000 prize program, it's virtually certain that someone would come forward with a qualifying exploit (and if nobody did, then the program would be moot anyway) — so both scenarios simply describe a choice between $1,000 and finding a new security vulnerability.
But I would argue that there are certain assumptions under which it would make sense not to offer a cash prize program — and, in keeping with my claim that this is equivalent to the envelope-choice problem, under those assumptions it actually would make sense for Microsoft to turn down the envelope containing the vulnerability, and take the cash instead. (When I say it would "make sense", I mean both from a profit-motive standpoint, and for the purposes of protecting the security of their users' computers.)
On Monday night I saw a presentation put on by Seattle's Pacific Science Center "Science Cafe" program, in which Professor Tadayoshi Kohno described how he and his team were able to defeat the security protocols of a car's embedded computer system by finding and exploiting a buffer overflow. That's scary enough, but it was more interesting how his description of the task made it sound like a foregone conclusion that they would find one — you simply sink this many person-hours into the task of looking for a buffer overflow, and eventually you'll find one that can enable a complete takeover of the car. (He confirmed to me afterwards that in his estimation, once the manufacturer had fixed that vulnerability, he figured his same team could have found another one with the same amount of effort.)
More generally, I think it's reasonable to assume that for a given product, there is a certain threshold amount of money/effort/person-hours such that if you throw that much effort at finding a new security vulnerability, you will always find a new one. Suppose you call this the "infinite bug threshold." Obviously the amount of vulnerabilities is not really infinite — you can only do finitely many things to a product in a finite amount of time, after all — but suppose it's so close to infinite as to make no difference, because the manufacturer would never be able to fix all the vulnerabilities that could be found for that amount of effort. I'm sure that $10 million worth of effort, paid to the right people, will always find you a new security vulnerability in the Apache web server; the same is probably true for some dollar number much lower than that, and you could call that the "infinite bug threshold". On the other hand, by definition of that threshold, that means that the amount of vulnerabilities that can be found for any amount of money below that, will be finite and manageable.
(I'm hand-waving over some details here, such as the disputes over whether two different bugs are really considered "distinct," or the fact that once you've found one vulnerability, the cost of finding other closely related vulnerabilities in the same area of the product, often goes way down. But I don't think these complications negate the argument.)
Meanwhile, you have the black-market value of a given type of vulnerability in a given product. This may be the value that you could actually sell it for on the black market, or it may be the maximum amount of effort that a cyber-criminal would invest in finding a new vulnerability. If a cyber-criminal will only start looking for a particular type of vulnerability if they estimate they can find one for less than $50,000 worth of effort, then $50,000 is how much that type of vulnerability is worth to them.
Now consider the case where
infinite bug threshold > black-market value
This is the good case. It means that if the manufacturer offered a prize equal to the black-market value of an exploit, any rational security researcher who found a vulnerability could sell it to the manufacturer rather than offering it on the black market (assuming they would find the manufacturer more reliable and pleasant to deal with than the Russian cyber-mafia). And we're below the infinite bug threshold, so by definition the manufacturer only has to pay out a finite and manageable number of those prizes before all such vulnerabilities have been found and fixed. I've made a couple of optimistic assumptions here, such as that the manufacturer would be willing to pay prizes in the first place, and that they could correctly estimate what the black-market value of a bug would be. But at least there's hope.
On the other hand, if
infinite bug threshold < black-market value
everything gets much worse. This means that no matter how many vulnerabilities you find and fix, by the definition of the infinite bug threshold there will always be another vulnerability that a black-hat will find it worthwhile to discover and exploit.
And that's the pessimistic scenario where it doesn't really matter whether Microsoft chooses the envelope with the vulnerability or the envelope with the $1,000, if the infinite-bug-threshold happens to be below $1,000. (Let's hope it's not that low in practice! But the same analysis would apply to any higher number.) If the black-market-value of a bug is at least $1,000, so that's what the attacker is willing to spend to find one, and if that's above the infinite-bug-threshold, then you might as well not bother fixing any particular bug at that level, because the attacker can always just find another one. It doesn't even matter whether you have a prize program or not; the product is in a permanent state of unfixable vulnerability.
At that point, the only ways to flip the direction of the inequality, to reach the state where "infinite bug threshold > black-market value", would be to decrease the black market value of the vulnerability, or increase the infinite bug threshold for your product. To decrease the black market value, you could implement more severe punishments for cyber-criminals, which makes them less willing to commit risky crimes using a security exploit. Or you could implement greater checks and balances to prevent financial fraud, which decreases the incentives for exploits. But these are society-wide changes that would not be under the control of the software manufacturer. (I'm not sure if there's anything a software company could do by themselves to lower the black-market value of a vulnerability in their product, other than voluntarily decreasing their own market share so that there are fewer computers that can be compromised using their software! Can you think of any other way?)
Raising the infinite bug threshold for the product, on the other hand, may require re-writing the software from scratch, or at least the most vulnerable components, paying stricter attention to security-conscious programming standards. Professor Kohno said after his talk that he believed that if the programmers of the car's embedded systems had followed better security coding practices, such as the principle of least privilege, then his team would not have found vulnerabilities so easily.
I still believe that cash prizes have the potential to achieve security utopia, at least with regard to the particular programs the prizes are offered for — but only where the "infinite bug threshold > black-market value" inequality holds, and only if the company is willing to offer the prizes. If the software is written in a security-conscious manner such that the infinite bug threshold is likely to be higher than the black-market value, and the manufacturer offers a vulnerability prize at least equal to the black-market value, then virtually all vulnerabilities which can be found for less than that much effort will be reported to the manufacturer and fixed. Once that nirvana has been achieved, for an attacker to find a new exploit, the attacker would have to be (1) irrational (spending an estimated $70,000 to find a vulnerability that is only worth $50,000), and (2) evil beyond mere profit motive (using the bug for $50,000 of ill-gotten gain, instead of simply turning it in to the manufacturer for the same amount of money!). That's not logically impossible, but we would expect it to be rare.
On the other hand, for programs and classes of vulnerabilities where "infinite bug threshold < black-market value", there is literally nothing that can be done to make them secure against an attacker who has time to find the next exploit. You can have multiple lines of defense, like installing anti-virus software on your PC in case a website uses a vulnerability in Internet Explorer to try and infect your computer with a virus. But Kaspersky doesn't make anything for cars.
-
Ask Slashdot: Which Router Firmware For Bandwidth Management?
First time accepted submitter DeathByLlama (2813725) writes "Years ago I made the switch from DD-WRT to Tomato firmware for my Linksys router. I lost a couple features, but gained one of the best QoS and bandwidth management systems I have seen on a router to date. Admins can see graphs of current and historical bandwidth usage by IP, set minimum and maximum bandwidth limits by IP range, setup QoS rules, and see and filter graphs and lists of current connections by usage, class or source/destination — all from an elegantly designed GUI. This has allowed me to easily and intelligently allocate and adjust my network's bandwidth; when there is a problem, I can see where it's coming from and create rules around it. I'm currently using the Toastman's VPN Tomato firmware, which has about everything that I would want, except for one key thing: support for ARM-based routers (only Broadcom is supported). I have seen other firmware projects being actively developed in the last few years, so in picking a new 802.11ac router, I need to decide whether Tomato support is a deal-breaker. With solid bandwidth management as a priority, what firmware would you recommend? Stock Asuswrt? Asuswrt-Merlin? OpenWRT? DD-WRT? Tomato? _____?" -
Astronomers Solve Puzzle of the Mountains That Fell From Space
KentuckyFC (1144503) writes "Iapetus, Saturn's third largest moon, was first photographed by the Cassini spacecraft on 31 December 2004. The images created something of a stir. Clearly visible was a narrow, steep ridge of mountains that stretch almost halfway around the moon's equator. The question that has since puzzled astronomers is how this mountain range got there. Now evidence is mounting that this mountain range is not the result of tectonic or volcanic activity, like mountain ranges on other planets. Instead, astronomers are increasingly convinced that this mountain range fell from space. The latest evidence is a study of the shape of the mountains using 3-D images generated from Cassini data. They show that the angle of the mountainsides is close to the angle of repose, which is the greatest angle that a granular material can form before it landslides. That's not proof, but it's certainly consistent with this exotic formation theory. So how might this have happened?
Astronomers think that early in its life, Iapetus must have been hit by another moon, sending huge volumes of ejecta into orbit. Some of this condensed into a new moon that escaped into space. However, the rest formed an unstable ring that gradually spiraled in towards the moon, eventually depositing the material in a narrow ridge around the equator. Cassini's next encounter with Iapetus will be in 2015 which should give astronomers another chance to study the strangest mountain range in the Solar System." -
Bill Gates Patents Detecting, Responding To "Glassholes"
theodp (442580) writes "As Google Glass goes on sale [ed: or rather, went on sale] to the general public, GeekWire reports that Bill Gates has already snagged one patent for 'detecting and responding to an intruding camera' and has another in the works. The invention proposes to equip computer and device displays with technology for detecting and responding to any cameras in the vicinity by editing or blurring the content on the screen, or alerting the user to the presence of the camera. Gates and Nathan Myhrvold are among the 16 co-inventors of the so-called Unauthorized Viewer Detection System and Method, which the patent application notes is useful 'while a user is taking public transportation, where intruding cameras are likely to be present.' So, is Bill's patent muse none other than NYC subway rider Sergey Brin?" A more cynical interpretation: closing the analog hole. Vaguely related, mpicpp pointed out that Google filed a patent for cameras embedded in contact lenses. -
Study Finds US Is an Oligarchy, Not a Democracy
An anonymous reader writes "Researchers from Princeton University and Northwestern University have concluded, after extensive analysis of 1,779 policy issues, that the U.S. is in fact an oligarchy and not a democracy. What this means is that, although 'Americans do enjoy many features central to democratic governance,' 'majorities of the American public actually have little influence over the policies our government adopts.' Their study (PDF), to be published in Perspectives on Politics, found that 'When the preferences of economic elites and the stands of organized interest groups are controlled for, the preferences of the average American appear to have only a minuscule, near-zero, statistically non-significant impact upon public policy.'" -
Slashdot Asks: How Do You Pay Your Taxes?
April 15, 2014 isn't just a full moon: it's Tax Day in the U.S. That means most American adults have already submitted a tax return, or an extension request, to the IRS and -- except for a few lucky states -- to their state governments as well. I filed my (very simple) tax return online. After scanning the free options, since I live in a state -- Texas -- that does not collect personal income tax, I chose Tax Act's free services. That meant enduring a series of annoying upgrade plugs throughout the process, but I could live with that; I have no reason to think it was better or worse than TurboTax or any of the other e-Filing companies, but I liked Tax Act’s interface, and it seemed less skeevy in all those upgrade plugs than the others I glanced at. The actual process took an hour and 19 minutes once I sat down with the papers I needed. My financial life is pretty simple, though: I didn't buy or sell a house, didn't buy or sell stocks outside of a retirement account mutual fund, and didn't move from one state to another. How do you do your taxes? Do you have an argument for one or another of the online services, or any cautionary tales? Do you prefer to send in forms on paper? Do you hire an accountant? (And for readers outside the U.S., it's always interesting to hear how taxes work in other countries, too. Are there elements of the U.S. system you'd prefer, or that you're glad you don't need to deal with?) -
Humans Are Taking Jobs From Robots In Japan
Hugh Pickens DOT Com (2995471) writes "Bloomberg reports that humans are taking the place of machines in plants across Japan so workers can develop new skills and figure out ways to improve production lines and the car-building process. "We need to become more solid and get back to basics, to sharpen our manual skills and further develop them," says Mitsuru Kawai, a half century-long company veteran tapped by President Akio Toyoda to promote craftsmanship at Toyota's plants. "When I was a novice, experienced masters used to be called gods (Kami-sama in Japanese), and they could make anything."
According to Kawai, learning how to make car parts from scratch gives younger workers insights they otherwise wouldn't get from picking parts from bins and conveyor belts, or pressing buttons on machines. At about 100 manual-intensive workspaces introduced over the last three years across Toyota's factories in Japan, these lessons can then be applied to reprogram machines to cut down on waste and improve processes. In an area Kawai directly supervises at the forging division of Toyota's Honsha plant, workers twist, turn and hammer metal into crankshafts instead of using the typically automated process. Experiences there have led to innovations in reducing levels of scrap and shortening the production line and Kawai also credits manual labor for helping workers improve production of axle beams and cut the costs of making chassis parts. "We cannot simply depend on the machines that only repeat the same task over and over again," says Kawai. "To be the master of the machine, you have to have the knowledge and the skills to teach the machine."" -
The Best Parking Apps You've Never Heard Of and Why You Haven't
Bennett Haselton writes "If you read no further, use either the BestParking or ParkMe app to search all nearby parking garages for the cheapest spot, based on the time you're arriving and leaving. I'm interested in the question of why so few people know about these apps, how is it that they've been partially crowded out by other 'parking apps' that are much less useful, and why our marketplace for ideas and intellectual property is still so inefficient." Read below to see what Bennett has to say. I casually asked a couple of my friends in Seattle -- where street parking is often unavailable, and parking garages vary widely in price -- if they'd ever heard of an app that would let them find the cheapest available parking garage, based on the time they wanted to enter and the time they planned on leaving. (Street parking is usually cheaper if you can find it, but the app would be useful for times that you can't find any.) Most of my friends said that they'd never heard of such an app, but they'd definitely use one if it existed. I also looked up parking apps on Google but the small subset that I randomly tried out, didn't do what I needed. So I thought about writing a "Somebody-with-more-time-than-me-should-go-and-do-this-thing" article, similar to the ride-swapping piece, when one of my friends casually mentioned the BestParking app.
Well, I tried it and it worked. (Lest I be accused of undue favoritism, ParkMe does the same thing just as well, although I didn't find it until later.) In both apps, you bring up a map centered on your current location, or scroll the map to where you plan on looking for parking later. You enter the time that you'll be entering and leaving, and the app shows a map with each parking garage represented by an icon showing the dollar amount that it will cost to park for that time. Without these apps, comparing rates is an annoyingly complex process to do by hand, in a crowded city like Seattle with many garages with different rates (and different times when their "evening rates" kick in -- usually 5 PM, but ranging from 4 to 7 PM), but the apps factor all of that in to give you the cheapest garage for the given time range. You can tap the individual garage icons for more information (if you plan on returning by 11 PM but you're not sure, you'd probably prefer a 24-hour garage instead of one that locks up at midnight). Also, if you're sitting at your computer and you already know the neighborhood where you'll be parking later, you can do the same search on each of their websites. (Although if you are on your phone, please don't do this from a moving car, duh. In Seattle there are plenty of 3-minute spots where you can pull over and do a search.)
So, I've been quite happy with both apps -- but I thought it was interesting that almost none of my friends had ever heard of them. I threw a quick survey up on Amazon's Mechanical Turk website, which I've used before for crowdsourced surveys and other experiments. I polled 50 people, offering them 25 cents apiece to answer these questions:
Would you use these apps?
Section A: Parking garage app
Suppose a website and/or smartphone app existed where you could specify a neighborhood of a city, and enter a start and end time for when you wanted to park, and the app would automatically find the cheapest parking garage for that time range (assuming it's too hard to find street parking).
1. Are you aware of any such apps/websites that already exist? If yes, what's the name of the app? (No need to do a web search -- only answer "Yes" if you already know of such an app or website.)
2. Would you use such an app/website if it existed? (Or, if you're aware of such an app that already exists, do you use it?)
Yes/No
Section B: Spare room rental app
Suppose a website and/or smartphone app existed where you could list a room in your house as a temporary rental, and visitors to your city could rent it out for a single night, or more.
3. Are you aware of any such apps/websites that already exist? If yes, what's the name of the app? (No need to do a web search -- only answer "Yes" if you already know of such an app or website.)
4. Would you use such an app/website if it existed? (Or, if you're aware of such an app that already exists, do you use it?)
Yes/No
The second section, about a spare room rental app, was thrown in as a control in the experiment -- I knew the answer to that question (AirBnB), and I thought a large portion of the survey-takers would too, so I wanted to make sure they weren't just filling out the survey with blow-off answers to get the 25 cents as fast as possible.
Of the 50 people who filled out the survey, 14 of them said they had heard of using AirBnB, Couchsurfing, or Craigslist for the purpose of renting out a room or finding one to rent (almost all of them mentioned AirBnB specifically). But of the same 50 respondents, only two of them mentioned any parking apps that they had heard of, and only one of them mentioned one of the two that I'd found which actually worked. (The other person mentioned an app called ParkWhiz, which, when I tested it out, only displayed one $17 parking garage in a neighborhood where I know of several $5 garages, which BestParking and ParkMe did list correctly.)
This seems to confirm the anecdotal evidence from my survey of my Seattle friends -- there is a great deficiency in awareness of these apps, relative to how useful people would find them if they knew about them.
So how is it that people are finding -- or not finding -- these apps? In a Google search for "parking app", the first result was an ad for ParkWhiz. BestParking and ParkMe did show up in the results, but so did another one called Parker, as well as a Mashable article by Kate Freeman listing "7 City Parking Apps to Save You Time, Money and Gas". Of the apps listed in the article, the only city-specific one that worked in Seattle (PrimoSpot) has been discontinued, and of the non-city-specific ones, only Parker is still around. (The article doesn't even mention BestParking or ParkMe, although I don't know if they existed when it was written.) Finally, a friend in my survey told me about an app called Parkopedia, which has over 100,000 downloads on Google Play (the same as BestParking, and more than ParkMe).
So even if it did occur to you to look for a parking-garage-finding app, the problem is that if you randomly picked one of the five most popular parking apps (BestParking, Parker, ParkMe, Parkopedia, and ParkWhiz), you might accidentally pick one of the three out of five that is a fail:
- ParkWhiz, as noted above, only showed one $17 garage in a neighborhood full of other, cheaper garages.
- Both ParkMe and Parkopedia display their results as a map with an icon marking each parking garage -- but with no price information. Simply having a map of parking garage locations isn't too useful, since you could get that by searching Google Maps for "parking" anyway. In both apps, you can click on parking garage icons to bring up a window showing their rates, but in Parker most of the listed garages just said "Contact facility for current rates". Parkopedia did usually display the rates for different garages -- but it's a pain to click on each of a dozen parking garage icons looking for the cheapest one. A typical area of downtown Seattle will have one garage where you can park for $5 for the evening, surrounded by garages where parking costs $10 or more, but Parkopedia doesn't make it easy to find it. And neither app lets you specify a start and end time for your parking so that you can find the cheapest garage for that time range.
So it seems odd that according to the Google Play store, Parkopedia has more downloads than ParkMe (100,000+ vs 50,000+), even though ParkMe seems a lot more useful. Meanwhile ParkWhiz, the one that found only one overpriced parking garage in a neighborhood full of cheaper ones, has fewer downloads but a slightly higher star rating in the app store than ParkMe. Of course in my parking-app survey of friends and Mechanical Turk users, the far-and-away winner was simply not knowing that any of these apps existed at all.
And here's why it matters to you even if you ride a granola-powered bike to work: I think this is a confirming instance of what I've been arguing for years, that the marketplace for ideas, inventions, and intellectual property is far less efficient than most people think it is. Every day a huge amount of human capital is squandered by people trying to jostle their competitors out of Google search results, or even just trying to raise the capital to advertise their products to people who would find them extremely useful, but will never find out about it if the venture capitalists don't come through with the money to advertise it. All of that is time and effort that could have instead gone towards making the products better.
I've suggested an algorithm based on "random-sample voting" as an antidote to some of these market inefficiencies, such as stopping people from buying votes on Digg, promoting the best ideas on Obama's "We The People" petition website, or even deciding whether J.K. Rowling is the world's greatest author or just lucky. Basically, in each scenario, the competing entities -- whether apps, or songs, or ideas for improving U.S. government policy -- would be rated by a sufficiently large random sample of qualified raters. ("Qualified raters" might mean economists in the case of the White House policy-petition website, or it might mean music consumers in the case of an algorithm to find the best new songs.) Each entity would receive an average rating from those raters, and then the entities with the highest average rating would be the ones promoted to the widest audience (at the top of Google search results, for example). It sounds deceptively simple, but it's far less amenable to "gaming the system", because you can't rope in your friends to vote for your app, or pay voters to rate you highly on Digg. The only way to win in this system is to make your song, idea, or app the best that it can be -- which means your human capital is being channeled productively, instead of being wasted hiring an SEO company to try and knock your competition out of the top spot on Google.
If competition between parking apps worked this way, then all the current users of Parker, ParkWhiz and Parkopedia would switch to BestParking and ParkMe, saving themselves a lot of hassle in the process, and those second-rate apps would have never even gotten off the ground unless they got their act together and implemented the same features. More broadly, if competition in the marketplace of ideas worked this way, then there wouldn't be so many users who really wish they could have an app like this, without realizing that the apps exist!
One striking thing about looking at a map of downtown parking garages is how wildly the rates vary from each other, with $15 garages situated right next to the $5 ones. In theory, in a competitive marketplace, such rates should stabilize around a single price for goods that are roughly comparable. But the $10 lots do still manage to get some customers who don't know any better, because it's just not practical to criss-cross a grid of several dozen city blocks looking for the cheapest garage. BestParking and ParkMe help people deal with this inefficient marketplace. So it's ironic that they're being held back by a marketplace for ideas that operates just as inefficiently in its own way.
Lucas Nussbaum Re-Elected As Debian Project Leader
An anonymous reader writes "For the last 6 weeks the Debian developers have had an election to determine the new Debian Project Leader. The election is now over and Lucas Nussbaum was re-elected. As always in Debian, the result of the voting was found using the Condorcet method."
Mathematicians Use Mossberg 500 Pump-Action Shotgun To Calculate Pi
KentuckyFC (1144503) writes "Imagine the following scenario. The end of civilization has occurred, zombies have taken over the Earth and all access to modern technology has ended. The few survivors suddenly need to know the value of pi and, being a mathematician, they turn to you. What do you do? According to a couple of Canadian mathematicians, the answer is to repeatedly fire a Mossberg 500 pump action shotgun at a square aluminum target about 20 meters away. Then imagine that the square is inscribed with an arc drawn between opposite corners that maps out a quarter circle. If the sides of the square are equal to 1, then the area of the quarter circle is pi/4. Next, count the number of pellet holes that fall inside the area of the quarter circle as well as the total number of holes. The ratio between these is an estimate of the ratio between the area of the quarter circle and the area of a square, or in other words pi/4. So multiplying this number by 4 will give you an estimate of pi. That's a process known as a Monte Carlo approximation and it is complicated by factors such as the distribution of the pellets not being random. But the mathematicians show how to handle these too. The result? According to this method, pi is 3.13, which is just 0.33 per cent off the true value. Handy if you find yourself in a post-apocalyptic world."
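The counting recipe in the story, run on simulated holes rather than a real target, as an added example that is not the paper's or the submitter's code. It first uses uniformly scattered holes, then a clustered pattern standing in for a shotgun spread to show how a non-random pattern biases the naive count; the correction shown (importance weighting by the pattern's density, which is known here because the pattern is constructed) is an assumption of this example, since the page does not say how the paper handles it.

```python
# Added example, not the story's or the paper's code: estimating pi from simulated
# "pellet holes" on a unit square, first uniformly scattered and then clustered like
# a shotgun spread. The correction used for the clustered case (importance weighting
# by the pattern's density) is an assumption here; the page does not say how the
# paper handles non-random pellets.
import math
import random

SPREAD = 0.2  # standard deviation of the constructed pellet pattern

def inside_arc(x, y):
    """True when the hole at (x, y) lies inside the quarter circle of radius 1."""
    return x * x + y * y <= 1.0

def naive_pi_estimate(holes):
    """The story's recipe: 4 * (holes inside the arc) / (all holes)."""
    return 4.0 * sum(inside_arc(x, y) for x, y in holes) / len(holes)

def uniform_holes(n, rng):
    """Idealised pattern: every point of the square is equally likely."""
    return [(rng.random(), rng.random()) for _ in range(n)]

def pattern_density(x, y):
    """Unnormalised Gaussian density of the constructed pattern about the aim
    point (0.5, 0.5); the normalising constant cancels in the weighted ratio."""
    return math.exp(-((x - 0.5) ** 2 + (y - 0.5) ** 2) / (2.0 * SPREAD ** 2))

def clustered_holes(n, rng):
    """Constructed stand-in for a shotgun spread; draws that miss the target are dropped."""
    holes = []
    while len(holes) < n:
        x, y = rng.gauss(0.5, SPREAD), rng.gauss(0.5, SPREAD)
        if 0.0 <= x <= 1.0 and 0.0 <= y <= 1.0:
            holes.append((x, y))
    return holes

def weighted_pi_estimate(holes, density):
    """Each hole counts 1/density: the crowded centre is down-weighted, the sparse
    corners up-weighted, and the weighted ratio again estimates pi/4."""
    total = inside = 0.0
    for x, y in holes:
        w = 1.0 / density(x, y)
        total += w
        inside += w if inside_arc(x, y) else 0.0
    return 4.0 * inside / total

def demo(n=40000, seed=1):
    """Return (uniform naive, clustered naive, clustered weighted) estimates of pi."""
    rng = random.Random(seed)
    uniform = naive_pi_estimate(uniform_holes(n, rng))
    clustered = clustered_holes(n, rng)
    return uniform, naive_pi_estimate(clustered), weighted_pi_estimate(clustered, pattern_density)
```

With pellets bunched around the aim point, almost every hole lands inside the arc, so the naive count drifts toward 4; the weighted count pulls it back near pi.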