Slashdot Mirror


User: FallLine

FallLine's activity in the archive.

Stories
0
Comments
1,665
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 1,665

  1. liberal.sourceforge.net? on New License Forbids Human Rights Violations? · · Score: 2

    Isn't that redundant? :)

  2. Re:It's the battery on Using PDAs for Dictation? · · Score: 2

    I disagree. While you're correct about the zen aspect, you wouldn't need to have a constant loop like that. You could launch the voice recognition app from Launcher as you would any other application, simply have the user press a button, and poll it every couple of milliseconds (as in other applications) to determine whether or not you should be "listening." Presuming that the DragonBall Palms have enough processing power (and a mic) to handle this task in the first place, I see no reason why it'd need to be unduly burdensome. It'd be pretty much a standard application.

  3. Re:To much regulation on Cell Phone Service Degenerates Further · · Score: 2
    Another data point:
    I live in Australia. We have ~19 million people, spread over an area as large as the mainland US (or probably central Europe, too). We have maybe 4 cities with a population above a million people. Yet I can get a mobile signal anywhere in the city, in the suburbs, along highways, in country towns in the middle of nowhere.

    Why hasn't your magical free market given you better service than my hybrid-'socialist'[1]/regulated competition system?

    If your answer is 'obviously people don't want to pay for it', then you're a fucking moron.

    [1] in the retarded American sense of the word.
    Firstly, where are your facts to demonstrate Australia's superior coverage? It is my experience, based on my having lived all over the US and having traveled even further, that the coverage is good throughout urban areas and their outlying areas within two or three hours' drive and even in some other places that you wouldn't expect it (like, say, Cody, WY), providing that you have a good wireless provider (some are much better than others). You say AU is good too. But what do you have to show that your data is any better than mine? Ok, you use GSM throughout, which is arguably a better standard (in the areas that are covered), but that does not mean that you, in fact, receive better service.

    Secondly, what do Australia's customers and/or tax payers pay to provide that level of coverage? If government is somehow subsidizing costs, then that is a very important factor here. I've seen data that shows that AU customers paid at least twice as much on average per minute than the US and Europe last year.

    Thirdly, while Australia is much less dense than the US when taken as a whole, the vast majority of the land is not particularly useful and as such is almost completely unpopulated. In fact, the only part of Australia that really has a significant population is the South East edge, barring one or two rare/dense population pockets. (Do you really want to tell me that you get coverage outside of there??? And then do you want to explain to me why they might be providing coverage to something like 1 person per square mile?) Contrast this with the US where most of the land, except for perhaps in some parts of Alaska, has some industrious use that can sustain a population, whether that be a port, mining, agriculture, tourism, fishing, supporting interstate commerce or what have you. Just look at a population density map of the world that offers decent granularity if you don't believe me.

    Fourthly, the US has experienced a rapid increase in cell phone penetration as prices have dropped steeply, even though it's still lower than AU or Europe. When you combine this information with the fact that the US has excellent land line coverage, this leads me to the reasonable hypothesis that many customers, who are basically satisfied with their land lines, are only willing to pay for the convenience of wireless coverage when the price is sufficiently low. This is relevant because it is foolish for the phone companies to invest billions into infrastructure when the demand in each cell is not quite there yet.

    Lastly, it is not impossible that regional/cultural and lifestyle differences may account for different proportions of people in countries desiring cell phone coverage. Although I do not believe this is a major factor between the US and Europe in basic cell phone coverage, it is quite apparent when you're comparing people's receptiveness to, say, gadgets in the US, Japan, and Europe, and possibly wireless data as well.
  4. Re:I disagree on Cell Phone Service Degenerates Further · · Score: 2
    You offer a lot of caveats and contingent arguments (not proven) to my very simple statement of fact.

    One of the main reasons the US cellular system is so screwed up is because it has several standards of communication. I'm not touting GSM as the be-all-end-all of cellular networks, but it seems to work very well in Europe, which has both dense metro areas and sparsely populated outlying areas, no?

    You can try to escape my point, but it will stand unchallenged: regulating the communication protocols of a network will only improve the reach of the network, presuming of course that the protocol scales well. GSM, CDMA might both do OK, but it seems to me that Japan, France, England, Germany, Holland, etc., seem to understand how to regulate their network so that it works well.

    The US "free" market approach seems, for now, to be building a largely broken network, in both outlying areas and in densely populated urban cent
    It is not I that is challenging the status quo based on the fact that it "works" in Europe (ignoring the fact that many of these same European wireless providers are having great financial difficulty) and that it should work in the US. Nor is it I that am asserting that the primary cause of this is because we don't have a single standard (esp. one that I happen to like). I really don't have a point here other than to highlight your lack of substantive proof for your claims. You do, and as such the onus is on you to prove that you are right.

    You cannot merely excuse away the differences to make your point by saying that Europe has "both dense metro areas and sparsely populated areas." That ignores some not so subtle differences:

    1) The overall population density of the US is far less. If we use the European Union as an example (which basically covers the area in question plus a few countries), then Europe (302p/m^2) is almost 4 times as dense as the United States (76p/m^2). That is a huge difference for companies that have to provide coverage or support.

    2) The population centers themselves are much more dispersed. In other words, the urban areas are significantly further away from each other more often in the US.

    3) The residential areas, i.e., suburbs, also tend to be more widely dispersed. You do not have the same amount of long distance commuting in Europe that you do in US.

    The point of 2 and 3 is that you cannot just merely throw out AK, MT, WY, etc. The real problem, in fact, is not so much the truly rural areas, but distant cities and the far reaching suburbs in areas that we do not think of as being particularly rural.

    Look at http://www.ciesin.org/datasets/gpw/gppycpd-12in.gif if you wish to get a feel for the difference. Notice how there is not just more red, but that those red spots are a lot more contiguous than they are in the US. That's very relevant. As an example, if you wished to provide service to NYC, you could not just cover Manhattan and the other boroughs, you'd also need to cover Westchester, Long Island, a good part of N. NJ, CT, and so on. Many of these scattered areas, when you add them up, do not have the same density you'll often see in similarly sized cities in Europe. To take it a step further, that's also cutting out a lot of commuters that commute between cities. For instance, quite a few of my co-workers commute between my office, a Philadelphia-area company, to/from N. NJ suburbs that are considered to be suburbs of NYC. Do they really want to go without service on their commute? I don't think so. And that's just the Eastern Seaboard which, compared to the west coast, is far far more dense (you don't have the interlocking suburban type areas between cities...but you still have far reaching suburbs).

    Put bluntly, your assertion is unproven because you fail to isolate out differences in population density distributions and major external factors such as land line availability and quality. You assert that greater regulation is what we need, but that's just theory and it runs contrary to our experiences with deregulation. The countries you list as successful implementors of common standards are bad examples because most of the population lives in more dense and more contiguous areas (not to mention that they tend to have historically poor landline service). Nor do you demonstrate that lack of standardization is the cause of alleged bad service in the US because you do not isolate it out. If a less dense country like Canada were able to provide better coverage at a lower price, then you might have an excellent point, but you don't offer any such examples.
  5. You ignored half of my argument. on Cell Phone Service Degenerates Further · · Score: 2
    What density? Hong Kong is as dense as New York, yet we have coverage in all subways, throughout the harbor, and in every building and nearly every ELEVATOR in the buildings. Given enough cell towers, we can overcome the wavelength issue. It's only when you try to put up 1 cell tower to cover Broadway that the signal degenerates indoors.

    USA's urban coverage is one of the worst among developed nations. Emphasize the urban part, since good rural coverage is unrealistic anyway. One of the major reasons was that the USA can't agree on one standard. You can have 3 cell towers on Broadway, but one on TDMA, one on CDMA, and one on GSM, so effectively you only get 1/3rd the signal of the entire cell infrastructure, which somewhat explains why there are over 100 million cell phone subscribers in the USA, and the coverage is still so bad.

    Also, since the USA doesn't use GSM, you can't just switch by changing your SIM card...you have to change your phone. Therefore the companies each essentially have a guaranteed subscriber base, and have no incentive to improve coverage or enter price wars.

    In Hong Kong there are 6 carriers, and you can actually transfer your cell number when you switch carriers. Now that's true competition which benefits the customer. By the way, did I mention that there are nearly the same number of registered phone numbers as the population? That's what defines a commodity. Cell phones, like land-line phones, should be a commodity, not a prestige. In Hong Kong the pricing of cell airtime is comparable to land lines, and you actually pay less than a land-line if you chat infrequently, so many single people abandoned the home-line phone altogether in favor of a cell. Apparently, the USA is nothing close to that.

    Notice how countries with successful cell phone service are ones that can agree on a single standard (UK - GSM, Korea - CDMA, Japan - PHS...), and notice how no CDMA phone companies (such as Verizon and Sprint) even bother to advertise international roaming....cause they can't! (your fingers and toes can count all the countries that use CDMA, while there are more than 160 countries on GSM...you do the math). [By the way, T-Mobile USA offers $1/min roaming in Western Europe (long dist free)]
    Firstly, I, and most people I know, get very solid coverage with Verizon in NYC. It's primarily only with Cingular, Sprint, and some of the other carriers that you hear these complaints about. So the criticism of NYC is not quite right. Secondly, the fact that Hong Kong is much more dense than all but, say, Manhattan means that they've got considerable economic advantages. Thirdly, like I was saying for Europe, only more so, they do not have to support (many) customers that need to use it outside of dense areas (I doubt too many people in Hong Kong need to chat in less dense areas very often, i.e., China...except for perhaps in recent history). This allows them to go exclusively with, say, GSM, a choice that may not be economically viable in USA outside of some select niche markets.

    My point is not that the rest of the world is wrong and we are right. My point is that you are making an apples and oranges comparison to support your conclusion that more or better regulation would solve these problems. Not only can it not be shown given my objections, but it also calls into question the conclusion itself. If GSM is not a viable technology in our many less dense areas, then you can hardly say that we should be using GSM to drive prices down. For instance: if all providers in the US were forced to adopt GSM, that may well force them into fierce price wars that would eliminate any profits that they make, but that does not mean that we would pay less or get better coverage than what we are receiving today, because we'd likely either sacrifice coverage outside of metro areas or have to somehow pay for its uneconomical use in the outlying areas (and no price war is going to cover that cost in the long run).

    In summary, name a market that is similar enough to the US to truly demonstrate your point, or prove that you are truly an expert on cell phone infrastructure and construct an actual plan that makes sense, before you say that you can prove that this is the fault of the regulation (or lack thereof) and/or the wireless providers.
  6. I disagree on Cell Phone Service Degenerates Further · · Score: 2
    New York has the highest population density in the US, comparable to the density of Paris and London. New York's cell service sucks, especially if you're on Sprint or Verizon which uses (surprise) Code Division Multiple Access instead of GSM (used in Europe)

    You can try to deny it, but regulation matters in questions of standard service. If it's a network, standardization can be facilitated by regulation. Far from hindering the growth of a network, regulation can help. In the case of the US cellular network, a "free" market means a fragmented market which in turn means broken cellular network
    Firstly, let me say that I've used Verizon and I've used it throughout NYC without any great difficulty. So I'd hardly call it crappy. Granted, I generally can't get it underground (on the subway) or in certain buildings, but I doubt this is much better in Europe. Sprint and Cingular are far, far worse on the east coast in my experience.

    Anyways, even if you accept as fact that the US has substantively worse coverage in true metropolitan areas than the level of service throughout western Europe (an assertion that I question), you still cannot ignore the importance of the overall density in the US. For instance, a significant city like, say, Seattle, may be relatively dense within city limits, but without having a cluster of other large cities nearby certain (meta-level) infrastructure considerations may not be economically viable. Unless you are intimately familiar with cell phone technology (more than just the summaries of CDMA, GSM, or what have you) to say otherwise, I don't think you can just ignore that. Furthermore, the fact that people in the US do often venture into less dense areas, whether they be suburbs, exurbs, vacation retreats, or even commuting to another population center, means that they will take the level of service outside their nearest metro area into great account. In other words, while GSM may make sense in Europe, that same technology may not make a great deal of sense, even in cities, BECAUSE it is not economically viable in outlying areas. This may well present the telcos with the choice of either: supporting multiple standards on a single service/phone (much more expensive), losing all customers that wish to have service outside of their city, or supporting a single standard that some may regard to be technically inferior (even though it's the only economically viable solution). Furthermore, besides just the density of the population, you must take into consideration the percentage of those customers that are willing to buy service. If the US has a lower overall adoption rate, then this must factor into the economic calculus of the telcos.

    I do not have the statistics on hand, but I would venture a guess, from my own experience in Europe and in the US, that the US has a significantly lower percentage of the population using cell phone technology than the parts of western Europe that you are comparing. Now you may assert that this is a result of poor service, but it cannot be held a priori, especially considering the fact that Europe's land lines have long been less reliable and more costly than the US (thereby encouraging the adoption of such new tech).

    Lastly, if you want to argue that fragmentation of standards may be the root of the problem, then I can hardly see how you can ignore fragmentation of standards as a result of fundamental population differences. For instance, GSM hardly makes sense if it's not economically viable in less dense areas.
  7. Re:To much regulation on Cell Phone Service Degenerates Further · · Score: 5, Informative
    So if that explains everything, why is cellphone coverage in New York terrible?
    Umm, terrible in what way? I use Verizon and I get solid coverage throughout NYC (well, except for when I'm in some buildings, but that's a fundamental limitation of those wavelengths). If you mean NY, as in upstate, then you need to examine the lack of density there.

    Each GSM cell has a maximum diameter of about 30Km, so it's understandable that very lightly populated areas will have signal issues. You're not going to be able to call your friend from an uninhabited island off the coast of Alaska, but that should not affect your calls from any of the big metropolitan areas on the East or West coasts.
    This is not necessarily true. Even if you accept as fact that the US has substantively worse coverage in true metropolitan areas than the level of service throughout western Europe (an assertion that I question), you still cannot ignore the importance of the overall dispersion. For instance, a significant city like, say, Seattle, may be relatively dense within city limits, but without having a cluster of other large cities nearby certain (meta-level) infrastructure considerations may not be economically viable. Unless you are intimately familiar with cell phone technology (more than just the summaries of CDMA, GSM, or what have you) to say otherwise, I don't think you can just ignore that. Furthermore, the fact that people in the US do often venture into less dense areas, whether they be suburbs, exurbs, vacation retreats, or even commuting to another population center, means that they will take the level of service outside their nearest metro area into great account. In other words, while GSM may make sense in Europe, that same technology may not make a great deal of sense, even in cities, BECAUSE it is not economically viable in outlying areas. This may well present the telcos with the choice of either: supporting multiple standards on a single service/phone (much more expensive), losing all customers that wish to have service outside of their city, or supporting a single standard that some may regard to be technically inferior (even though it's the only economically viable solution). Furthermore, besides just the density of the population, you must take into consideration the percentage of those customers that are willing to buy service. If the US has a lower overall adoption rate, then this must factor into the economic calculus of the telcos.

    I do not have the statistics on hand, but I would venture a guess, from my own experience in Europe and in the US, that the US has a significantly lower percentage of the population using cell phone technology than the parts of western Europe that you are comparing. Now you may assert that this is a result of poor service, but it cannot be held a priori, especially considering the fact that Europe's land lines have long been less reliable and more costly than the US (thereby encouraging the adoption of such new tech).
  8. Re:Eventually, this would happen on Trojan Found in libpcap and tcpdump · · Score: 2
    I, on the other hand, would maintain that it is to the point. It was a clear example of the sort of emotional (as opposed to rational) argument you were offering. In particular, your heated tone implies sharp distinctions that all but vanish when examined a little more calmly. They are (I would argue) an artifact not of what you are saying but of how you are saying it.
    There was nothing emotional in my post. I challenge you to list something that was emotional. What's more, even if you will assert that there was a scintilla of emotion in it, you completely ignored the bulk of the argument in favor of some niggardly point, despite the fact that the meaning (and even arguably phrasing) was very clear. Lastly, you were the one that came forth with the ad hominem attacks. Pot, kettle, black.

    I said:

    Put bluntly, if you wish to hold up viruses as an example of the frequency of "trojans" in closed source software, then you should make a strong distinction between the virus' very generic attacks and the often far more dangerous and subtle trojan attacks of humans on specific code and installations.

    That was a very clear statement, yet you spewed:

    Stripped of all the heat/emotional language, your statement boils down to: "to use viruses as example of trojans you should distinguish virus attacks and trojan attacks." In other words, if I want to say "A is an example of B" I should say "A is not B"--which is not a valid statement about categorical inclusion.
    Wrong. That is not what I said. What I said, in essence, is that, although viruses are a subset of trojans [which they are: according to the popular definition; according to your hero's post in this thread; and especially according to the stricter definition of the Jargon File], for the purpose of this discussion, an argument concerning the relative resistance against trojaning of open source vs closed source, you should make a distinction between the capabilities of the generic virus (e.g., stick this destructive code to destroy all files at the end of every executable) and that of the purposely coded human trojan (e.g., transfer every 100th transaction into my bank account). In other words, while you might technically be able to say that both are trojans equally well, ignoring the difference in the context of this discussion is disingenuous.

    Even if it was true in general, it wouldn't apply in this case since "trojan" is a means of acting ("trojan" code is code that lies hidden inside a seemingly innocent program, and therefore is executed by an unsuspecting user) while "virus" is a means of propagation ("virus" code is code that spreads by using the resources of infected machines to make copies of itself). To put them in opposition is as silly as contrasting "things that swim" with "things that lay eggs".
    More of the same nonsense. Again, I did not say that.

    If I try to guess what your real point is, the best I can come up with is "viruses are easier to detect than trojans, because you can spot them by looking at the binaries instead of digging through the source". While this sounds a little more reasonable on the surface, it is also flawed. Yes, it is easy to spot a virus by comparing an infected binary with an uninfected binary (if you know which one is which). But it would be just as easy to detect a trojaned program by comparing it to an untrojaned copy (again, assuming that one was labeled "suspected" and the other was labeled "known good").
    No, this is not what I was referring to either. Perhaps your trouble is simply your shallow understanding of the structure of the various executable files and the limitations on what any program can do, barring some major advances in AI, versus that of a human's creativity. You are not going to see a virus that can selectively go into any program and do something specific to that program itself like, say, transferring every 5th charge to my bank account. In other words, the fact that viruses can spread successfully is a result of the fact that they limit themselves to the trivial appending of code and other such non-specific attacks. Outside of those easily detectable sorts of attacks, a closed source binary is far far harder to trojan.

    As for contrasting open source and closed source (which seems to be the main axe you are grinding), the advantage of open source is that, in the case where you don't have a "known good" copy) it is much easier to find suspicious code by looking at the source than by looking at the binary.
    I disagree. It is easier to formulate an attack than it is a defence. While you are empowered to more easily look for bugs and backdoors in the code with the availability of source code, you are also put in a position where thousands of people can even more easily insert their own malicious code (completely ignoring the fact that few people in the real world do or even have the time). The bad guys only need to inject a couple lines of code, but you need to fully understand what each and every line does, and that is far less trivial. Open source auditors may easily detect code such as `if (strcmp(passwd, "l33tpass") == 0) backdoor();` but the backdoor may consist of infinitely more subtle attacks. For instance, the hacker may introduce a hard to reproduce buffer overflow vulnerability, without using one of the many known insecure functions, especially in places that people are unlikely to be looking at intensely. Besides the fact that these open source development efforts generally involve more programmers, rather than a select few, and therefore increase the exposure to "bad" people, the risks do not end when the distribution is finalized. When you have open source code you make it easier for any hacker that may happen to intercept the code in transit, so to speak. When you have open source code, you make it easier to create a backdoor in the system for a hacker... and so on. In short, if you are going to claim that open source is easier to validate, then you should also admit that it at least makes it easier to write malicious code for, both because you can trivially add code in a high level fashion and because your ability to understand the fundamentals of the program is greater (e.g., you don't have to reverse engineer file formats).
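The "compare the suspect against a known-good copy" check that the two posters argue over above (and that FallLine says catches viruses because they only append code), written out as an added example. This is not code from the thread, from tcpdump or from libpcap. It works on in-memory byte images so it runs stand-alone; the four sample images and the classification names are this example's own constructions, and the verdict is only as trustworthy as the provenance of the "known good" image, exactly the "if you know which one is which" caveat quoted above.

```c
/* Added example, not from the thread: classify how a suspect binary image
 * differs from a known-good copy. Works on in-memory byte arrays so the
 * demo below runs stand-alone; the sample images are constructed. */
#include <stddef.h>
#include <stdio.h>

enum diff_kind {
    DIFF_IDENTICAL,          /* byte-for-byte equal */
    DIFF_APPENDED,           /* known-good is a prefix: code tacked on the end */
    DIFF_MODIFIED_IN_PLACE,  /* same length, some bytes differ (patched/hooked) */
    DIFF_REPLACED            /* neither of the above: a different file altogether */
};

static const char *diff_kind_name(enum diff_kind k)
{
    switch (k) {
    case DIFF_IDENTICAL:         return "identical";
    case DIFF_APPENDED:          return "appended payload";
    case DIFF_MODIFIED_IN_PLACE: return "modified in place";
    default:                     return "replaced";
    }
}

/* Compare `sus` (slen bytes) against `good` (glen bytes). On return,
 * *first_diff is the offset of the first differing byte, or the length of
 * the shorter image when one is a prefix of the other. The verdict is only
 * as good as the provenance of `good`. */
enum diff_kind classify_diff(const unsigned char *good, size_t glen,
                             const unsigned char *sus, size_t slen,
                             size_t *first_diff)
{
    size_t n = glen < slen ? glen : slen;
    size_t i = 0;

    while (i < n && good[i] == sus[i])
        i++;
    if (first_diff)
        *first_diff = i;

    if (i == n) {                       /* one image is a prefix of the other */
        if (glen == slen) return DIFF_IDENTICAL;
        if (slen > glen)  return DIFF_APPENDED;
        return DIFF_REPLACED;           /* suspect is a truncated copy */
    }
    return glen == slen ? DIFF_MODIFIED_IN_PLACE : DIFF_REPLACED;
}

/* Constructed sample images (explicit arrays: a "\x7fELF" string literal
 * would mis-parse, since 'E' is a hex digit). */
static const unsigned char KNOWN_GOOD[16] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };
static const unsigned char APPENDED[20] = {     /* good image + 4 appended bytes */
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
    0xcc, 0xcc, 0xcc, 0xcc };
static const unsigned char PATCHED[16] = {      /* byte 5 changed, same size */
    0x7f, 'E', 'L', 'F', 2, 0x55, 1, 0, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };
static const unsigned char WRAPPER[8] = {       /* small unrelated program */
    0x7f, 'E', 'L', 'F', 1, 9, 9, 9 };

int main(void)
{
    size_t off;
    enum diff_kind k;

    k = classify_diff(KNOWN_GOOD, sizeof KNOWN_GOOD, APPENDED, sizeof APPENDED, &off);
    printf("appended: %s at offset %zu\n", diff_kind_name(k), off);
    k = classify_diff(KNOWN_GOOD, sizeof KNOWN_GOOD, PATCHED, sizeof PATCHED, &off);
    printf("patched:  %s at offset %zu\n", diff_kind_name(k), off);
    k = classify_diff(KNOWN_GOOD, sizeof KNOWN_GOOD, WRAPPER, sizeof WRAPPER, &off);
    printf("wrapper:  %s at offset %zu\n", diff_kind_name(k), off);
    return 0;
}
```

The appended case is the one FallLine describes for viruses: the original bytes survive untouched, so the first difference lands exactly at the old file's length. A human-written trojan that patches a routine in place or replaces the file outright shows up just as readily, which is the other poster's point; what neither side's argument gets around is that the check is useless when the "known good" copy came from the same compromised source as the suspect.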
  9. Re:Not quite so simple on Trojan Found in libpcap and tcpdump · · Score: 2
    I could. Almost in exactly the same way I would do adding a backdoor to an open-source program. From my evil code at the beginning I can read files and databases, redirect/duplicate network traffic, and so on. Truly, I might not be able to interact with the original code (not without some clever trick, anyway), but this is not needed to steal secrets: a password is not generated inside the program: it comes from outside (and I can intercept that) and often goes outside (and I can intercept that).
    While I admit that you would have some flexibility there, it is not all that you crack it up to be. For instance, on a multiuser system where you're connecting to a remote database you would have a hard time intercepting keystrokes, asking the user to follow a subtly different path (i.e., enter their administrator password) or what have you. Even on a database that is local and that you have read access to, you would have to either have legitimate access through the daemon or know how to parse it (or just send the whole damn thing)...but you get the point. It's often more complicated than just grepping /etc/passwd.

    On the other hand, cleverness shall be applied also to place a backdoor in open source programs: or do you think that something like:
    `gets(password); send(sock, password, strlen(password), 0);` would not be spotted the same second in which it is submitted to the CVS of some open source program?
    I recognize that it would require some cleverness to bypass significant skilled human inspection. However, there are many areas of many open source programs that are not that closely inspected. I would venture to say the programs that are inspected closely are but a select few and those that aren't are at real risk. The existence of a number of exploitable (supposed) bugs in reasonably popular open source code for an extended period of time is about all the confirmation that one needs that it can be done (if a true, but grave, mistake can pass inspection, then certainly someone actively deceiving could go further). Furthermore, even if the code is 100% clean when it leaves the distribution servers, the very open source nature of that code, whether or not it came with a backdoor, still presents a much softer target for the disgruntled sysadmin, hacker, or what have you that wishes to install one of their own. In other words, just because the official code is clean does not mean that the binary is. (Although one can certainly say the same for proprietary/binary code, there is a much higher barrier to entry...at least to do anything non-trivial and non-obvious with)
  10. Not quite so simple on Trojan Found in libpcap and tcpdump · · Score: 2
    It takes much less than you seem to think:

    rename the target binary 'program' as 'program.lib'
    Make a C program that first does the evil you want to do, then execv program.lib
    Compile your program and put it instead of the original program executable.

    It's not that simple. Sure, if all you're looking to do is execute some code and THEN give the user their expected interface, then that will work half-acceptably. However, you could not use this as a way to, say, discreetly intercept logins and passwords, transfer account balances, read someone's database, or what have you, since all of that requires you to intercept things and still provide the user with acceptable responses (at least if you wish to avoid detection for more than a couple runs). Now you might attempt to come up with some elaborate scheme to act as an interactive go-between between the actual application and your trojan, but then you've greatly increased the complexity and the odds of detection.

    So, you see, there is no difference security-wise.
    No. There is a huge difference.
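The three steps quoted at the top of this post (rename the original to `program.lib`, write a C program that runs first and then `execv`s it, drop it in the original's place), written out as an added example in C. This is not code from the thread, from tcpdump or from libpcap. The "evil" stage is reduced to appending a timestamped argv line to a log, and `WRAPPED_PATH`, `LOG_PATH`, the `--check` flag and the function names are this example's assumptions. The same file also carries the check a sysadmin would run for the artifact the trick leaves behind: a small executable sitting next to a much larger executable `<name>.lib`.

```c
/* Added example, not from the thread: the rename-and-wrap trick described
 * above, with the "evil" stage reduced to logging, followed by the check a
 * defender would run for the artifact it leaves. WRAPPED_PATH and LOG_PATH
 * are assumptions of this example. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/stat.h>

#define WRAPPED_PATH "/usr/local/bin/program"   /* assumed: where the wrapper sits */
#define LOG_PATH     "/tmp/.wrapper.log"         /* assumed: where it drops its log */

/* Step 1, seen from the wrapper's side: the original now lives at
 * "<path>.lib". Returns 0 on success, -1 if the name does not fit in out. */
int wrapper_target(const char *path, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s.lib", path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Step 2, the code that runs before the hand-off. Harmless here: it only
 * records when and with which arguments the program was invoked. */
static void record_invocation(int argc, char **argv)
{
    FILE *f = fopen(LOG_PATH, "a");
    if (!f)
        return;                 /* stay silent: noise is what gets a wrapper caught */
    fprintf(f, "%ld", (long)time(NULL));
    for (int i = 0; i < argc; i++)
        fprintf(f, " %s", argv[i]);
    fputc('\n', f);
    fclose(f);
}

/* Defender's check: an executable whose executable sibling "<name>.lib" is
 * many times larger is exactly the shape steps 1-3 leave behind.
 * Returns 1 if `path` matches that shape, 0 otherwise (including on error). */
int looks_like_wrapper_pair(const char *path)
{
    struct stat w, orig;
    char lib[4096];

    if (stat(path, &w) != 0 || !S_ISREG(w.st_mode) || !(w.st_mode & S_IXUSR))
        return 0;
    if (wrapper_target(path, lib, sizeof lib) != 0)
        return 0;
    if (stat(lib, &orig) != 0 || !S_ISREG(orig.st_mode) || !(orig.st_mode & S_IXUSR))
        return 0;
    return orig.st_size > 10 * w.st_size;
}

int main(int argc, char **argv)
{
    char target[sizeof WRAPPED_PATH + 4];   /* room for ".lib" */

    if (argc > 1 && strcmp(argv[1], "--check") == 0) {      /* defender mode */
        const char *p = argc > 2 ? argv[2] : WRAPPED_PATH;
        printf("%s: %s\n", p,
               looks_like_wrapper_pair(p) ? "wrapper pair" : "no wrapper pair");
        return 0;
    }

    /* Step 3: the wrapper stands where the original was. Run the side effect,
     * then hand off; execv only returns if it failed. */
    if (wrapper_target(WRAPPED_PATH, target, sizeof target) != 0)
        return 1;
    record_invocation(argc, argv);
    execv(target, argv);
    perror("execv");
    return 127;
}
```

Run as `program --check /path/to/binary` to apply the detector; run without arguments and it behaves as the wrapper. The hand-off is one-way, which is FallLine's point in the reply: once `execv` succeeds the wrapper's code is gone from the process, so it can see argv and the environment but not the passwords typed into, or the responses produced by, the real program. The size-ratio heuristic in `looks_like_wrapper_pair` is deliberately crude; a package manager's file manifest or a known-good hash list is the check that actually settles the question.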
  11. Re:Eventually, this would happen on Trojan Found in libpcap and tcpdump · · Score: 2

    What a nit. You say riddled and yet you can only name one supposed inconsistency, which really is not, and it is not even apropos to the question at hand. Nowhere did I say that a human did not author viruses originally. What I was referring to is that, while a virus is ultimately derived from a human, the application is, of necessity, so generic that it does not substantively interact with code in the program which it is infecting. In other words, an actual human can produce code for a specific application, but the virus, by definition not a human, does not. For instance, it may insert a block or two of binary code at a couple of locations, but its sole purpose is to propagate itself further and to, possibly, carry some malicious code (e.g., destroy sector 0; look it up if you don't know where the MBR in DOS is located). Contrast this with a trojan that was authored by a human for a specific purpose to intercept particular functions or what have you and do them in a way that is not easy to detect. [Note: while it may be technically possible to make that kind of specific virus, these are practically unheard of, and it does not in any way mean that open source is any less easy to trojan]

    Put bluntly, if you wish to hold up viruses as an example of the frequency of "trojans" in closed source software, then you should make a strong distinction between the virus' very generic attacks and the often far more dangerous and subtle trojan attacks of humans on specific code and installations.

  12. Re:Eventually, this would happen on Trojan Found in libpcap and tcpdump · · Score: 2
    Uh, I'm not so sure. How do you check binaries to see if they have been trojaned? You run a virus scanner. What do viruses do? Most of them trojan a binary with a copy of themselves.
    Oh give me a break. There's a world of difference between a virus that blindly inserts malicious code (e.g., destroy sector 0) into any binary it can get its hands on and a true trojan that was written for a special purpose by an actual human being. Although it's technically possible to insert a trojan into a binary file it is at least as hard as open source code is easy to audit. For instance, your average disgruntled sysadmin could modify, say, an open source financial software package pretty damn easily (not to mention the fact that he also has the means to place it) to, say, deposit a fraction of every deposit into his account (ok, that's not original), but that same person is unlikely to have the skill or the patience to make a truly undetectable trojan in a binary/proprietary package. Likewise, a hacker (yes, I know) can easily trojan an open source login program, but not a closed source one. Empirically speaking, there are a couple dozen complete backdoor packages for Linux and other open source systems, but none that I know of for Windows (well certainly not a lot). Now maybe Windows can be backdoored in other ways, but the point still stands. This is especially true when the software is updated with newer versions; the open source backdoor can be trivially modified for relatively minor changes while the closed source backdoor cannot be so easily modified. If you are going to assert that open source is easier to audit, then you must also admit that it is easier to trojan. The two go hand in hand.
  13. Re:Breaking News on Grab A Bunk In The Dot-Com Dorm · · Score: 2
    Within acceptable levels - which is why we have venture capitalists, limited companies, and so on.
    Which is still why we have this thing called capitalism. They're not funding you to be charitable. They're absorbing some of the risk, because they're going to take at least a proportionate share of the eventual profits when and if they ever occur. Venture capitalists exist primarily because they HAVE the funds that you do not. Contrary to popular opinion, they do NOT exist to take levels of risk that you (well your average entrepreneur) are not willing to take. VCs are, in fact, rather risk averse and rarely invest substantial sums in early stage companies that do not have something in the pipeline already (except for where they're deluded enough to think that they can essentially play an arbitrage game as in the case of the DotComs).
  14. Are you on crack? on Grab A Bunk In The Dot-Com Dorm · · Score: 2

    Firstly, Amazon is not presently in the black. They are in the red and by a large margin. They managed to pull themselves into the black to the tune of 5m or so one quarter. However, that sounds to me to be more like an accounting sleight of hand than anything else (mind you, that is chump change when you look at the size of their reported revenues...it doesn't take much). Secondly, there is very little net equity left in the company because they've loaded themselves with debt in the process. Thirdly, just because a company is nominally profitable (and they're not) does not mean that they are a "real" business. It simply means that they _might_ have the ability to continue operating in the future. When many millions of dollars are invested into a company you expect a hell of a lot more than a trickle of profits. In short, I still would not invest in Amazon.com, especially not at its current 7b dollar market cap.

    That said, I do believe there are "real" internet businesses, but Amazon is just not one of them.

  15. Breaking News on Grab A Bunk In The Dot-Com Dorm · · Score: 2
    Why should I risk my own money for an idea with say an 80% chance of working?
    This is why we have this thing called CAPITALISM where the risk takers can actually profit off of their risk taking (whether that means spending time, risking capital, taking a job at a reduced salary, or even simply working harder than the next fellow.)
  16. Re:Did I miss something? on A (Correct) Poincare Proof!? · · Score: 2

    Nope, I didn't filter him out. Also if you look at www.slashdot.ort/~jonkatz he clearly hasn't posted any comments in a while. Maybe he posted stories though? Shrug

  17. Did I miss something? on A (Correct) Poincare Proof!? · · Score: 2

    Did Katz really stop posting to slashdot? Permanently? Did he say why? I haven't seen him for a while, but I'm not sure if this is because he's on sabbatical or what have you. Please do tell! I rather detest his drivel.

  18. I disagree on NIST Advanced Technology Program Awards · · Score: 4, Informative

    While I am normally strongly opposed to the various forms of corporate welfare, e.g., subsidies, protectionist policies, etc., the ATP is one government program that I strongly support.

    Firstly, unlike those other programs, aka government welfare, these funds are used to pay for the basic research that will lead to economic production, rather than inefficiency.

    Secondly, this program is primarily about defraying RISK, not the COST per se (as would be the case if they were subsidizing production or what have you). What you fail to realize is that many projects are not viable for but a handful of the largest corporations because the level of risk is so high that they cannot afford to even do the research. Who wants to invest in a company, where before they can do anything or make any money, they need to invest 5m (purely for research) for, say, 5 years, with only a 10% probability of success? Would you? Very few investors are willing to incur this kind of risk, even when the potential payout is multiples higher than whatever the initial investment is. Btw, the venture capital community is generally NOT willing to, for a number of reasons. There is a reason why the only successful drug producers are

    Thirdly, the NIST prevents companies from engaging in total crapshoots on the government's dollar by requiring the company to pay for 50% (and in the case of larger companies 60%) of the research.

    Fourthly, there are many additional costs that the companies must pay for to commercialize the technology.

    Fifthly, working for a company that received a grant from the NIST last year, I can tell you that most of the awards are NOT to large companies, so the rich getting richer complaint does not hold water.

    Sixthly, the successful investments will yield additional tax receipts that far exceed the grant amounts, especially when secondary beneficiaries are taken into consideration.

    Seventhly, this is a meritocracy. Although it's not perfect, they select the best of the best, at least in theory. The researchers that hope to essentially live off of perpetual research do not get funded. You really have to convince them that it can and will be commercialized.

    Eighthly, the company's sole opportunity to really benefit comes from making it into a commercial success, i.e., they're not allowed to pocket the money.

    Anyways, I support it and that's enough for now, I'm going home.

  19. Out of touch on Patents Choking Off Medical Research · · Score: 2

    Sorry, but I work in a related industry and must disagree with your theory that a cure must be less profitable than a mere treatment.

    Firstly, it is a FACT that quite a few medication plans cost more than 10k a year. 10k up front is chump change actually. I can name quite a few medical devices that cost this much and they're all up front. So to say that people would necessarily not accept a one time treatment payment plan following a similar payment schedule would be to ignore the evidence.

    Secondly, the insurance companies who generally cover almost ALL of these kinds of treatments would look at this fact a lot more rationally. Although the insurers may far prefer dragging payments out from a cash flow perspective, a perfect cure greater than the sum of the cost of the treatments up front could easily be highly desirable to them (and if it's too burdensome a mutually agreeable payment plan could be arranged). For one, the costs associated with side effects (in terms of cost to them), imperfect treatments, costs of repeated approval of medical expenditures, and so on can easily outweigh the cost of the "cure." In other words, it could be a lot cheaper. Diabetes comes to mind.

    Thirdly, a good cure for any given ailment would almost surely represent 100% market penetration which would be a large increase for the drug company in almost every case. Remember: each successive treatment (even if only an incremental improvement) for the same problem costs a lot of money to develop, each problem has a number of different competing solutions (none the same), patents have limited lives (especially once you finally clear all the regulatory hurdles), you have to establish the brand, etc...but a cure would presumably take them all. The drug company would be far better off with 5x as many sales, even if they only sell it at half the price of their previous treatments.

    Fourthly, a cure would allow the drug companies to cut out the middlemen a lot more easily, thereby improving profitability.

    Fifthly, a cure would drastically reduce the marketing costs (because it would sell itself to a much greater degree), which would increase profitability in a major way.

    Sixthly, it is possible to practice discriminative pricing. In fact it is done all the time today. In other words, medicare patients will often pay a fraction of what someone with a good PPO will pay. To the extent that someone is unable to pay, the drug company can tailor its prices reasonably well and the government can also step in and help subsidize costs.

    Sixthly, make up your mind. You guys want to say that corporations are driven entirely by the short term, yet you contradict yourself by saying that they wouldn't do this for the long term. To the extent that they care about the short term, they would certainly go for the cure because their revenues would surely be much larger in the first 2-3 years.

    Seventhly, it is a highly competitive market and in any given market, there are a lot of companies that have almost NO market share. You can be sure that if they were sitting on a cure that they would exploit it. This is especially true for those companies that are desperate for growth today.

    Bah. I won't bother any more, I've got stuff to do. Bye

  20. The difference is not so clear on New Linux Worm Found in the Wild · · Score: 2

    Tell me precisely what the difference is, in reality, between the so-called white hats that publish exploit code that allows script kiddies across the world to execute arbitrary code (w/o any modification) on remote machines and the so-called black hat that does the same thing only does not require the same number of script kiddies (because it is self-perpetuating)? Neither necessarily uses or commences the attack themselves, but they enable thousands of machines to be hacked just the same. Maybe you can argue that proof of the concept does not require self-perpetuation or the installation of a backdoor (as in the case of the worm), but nor does it require the execution of code that is desirable to the script kiddie (as in the case of many so-called white hat advisories).

  21. Re:Exploits 'held by the dark side' for _years_. on Ethical Lines of the Gray Hat · · Score: 2
    There are several real-life examples of remote root exploits being held by a (relatively large) group of "black hat" hackers for several years before leaking out to the community at large. For example, there was a Solaris statd exploit that circulated for, IIRC, three years before it "leaked", resulting in a functional patch from Sun.
    Sorry, but I think you're wrong. I knew of statd exploits many years ago. The statd exploits were publicly known vulnerabilities for a long time, most admins were just too lazy to patch their systems. Please be more specific if you wish to use this example. Which group? How many people? When did they have it? Which versions of Solaris were affected? When was the vulnerability (not necessarily the exploit) made public?

    It only takes one.
    Sure, and it only takes one person to leak. You can hardly have a group of 30 people or more and not have a leak after a week or two. So the question is something like this: Would you rather have 30 hackers attacking the same number of vulnerable targets for a slightly longer period of time or 20000 script kiddies (plus assorted people that have more skills) for slightly less? You do the math. I'd certainly take the 30 and that's assuming that the vendors are significantly less responsive (a premise with which I disagree)...by the mere fact that you give them, say, a 2 day lead time.

    There are some very intelligent people coding for black hats. Many of the brightest people on the legitimate side of network security honed their skills as a black hat, then had a change of heart in the past few years as the threat of criminal charges grew larger, or after suddenly realizing that having a house, a wife, and kids changes your priorities.
    Well this can quickly unravel into a semantic argument, but I disagree. Very few people that are not disclosing to the public or to the vendors have the ability to write their own exploits. Whatever hat you wish to put on them is an entirely different argument that I'm not interested in. I won't debate that many sophisticated people had their start in hacking, but the more sophisticated people quickly outgrow hacking into other people's servers for the sake of it as their skills develop. What fun is it to hack a bunch of servers with already known exploits (even if you created them) when you can do something that is actually intellectually challenging (e.g., discovering your own) and do it mostly above board while you're at it, not to mention profit from your legitimate fame. (Sure, someone on the fringes may engage in the occasional hack, but not en masse) Yes, there are some undeniable blackhat coders, but they're generally lacking in originality.

    Restricting public exposure of holes has been tried, and found wanting. Limited distribution of the details of holes was the unwritten law in the 1980's and early 1990s (anybody remember the 'core' list?). This is why the creation of Bugtraq in 1993 was such a big deal. Prior to that, vulnerability information was carefully controlled, distributed to a limited pool of "trusted" admins... including the "daytime personas" of a number of black hats.

    This approach did little to keep the black hats from learning about new vulnerabilities and writing exploits, and put little pressure on vendors to patch their software or pro-actively work to limit security holes.
    In much the same way (as you and others argue this point) "democracy" was tried by, and subsequently failed for, the Greeks (and others), so therefore it could have been (and was) argued that it was the wrong path and should have been avoided in favor of monarchy, dictatorship, or the other extremes. Of course, we all know the United States and other democracies have since succeeded magnificently. The reason? Subtle and important differences in the governance and a different situation (class, geography, economics, etc). You can't neglect these important differences:

    Firstly, what I'm asking for is not the same as the policy with CERT and other bodies. These people pretty much gave CERT the information and then walked away from it. Instead, I'm giving the vendor a reasonable period of time to respond. If they fail to respond in that allotted time, then the hacker always has the option of making the same disclosure that they do today, only a day or two later. The vendor has every incentive to respond before the hacker does this. Secondly, you can hardly compare the situation today with the growth of the internet (and lists devoted to distributing this sort of information to the public) and the increased interests in security with that of 10+ years ago. It's an apples and oranges comparison. Thirdly, I've yet to see any objective evidence that full disclosure has been any more effective in practice (and yes, I was around and quite aware then). Maybe you can argue that the sysadmins and/or users are a little better armed today with knowledge, but the script kiddies are also armed in that same stroke... The difference is that the script kiddies are armed first, with real weapons (well code at least) when the users only have knowledge that's of questionable value (even with this full disclosure and if the vendor tries as hard as they can, it may take more than a day to come out with a patch or an acceptable workaround).
  22. Re:I agree.... on Ethical Lines of the Gray Hat · · Score: 2
    I was really aiming at the legal arsenal wielded to discourage even attempting to find and disclose bugs - not saying that bugs should be immediately publically disclosed. Or at least not trying to say that.
    I apologize for jumping the gun. I read into your post what many others were saying. I pretty much agree that corporations should not have the legal means to prevent disclosure since auditing the security of the software is a legitimate right of the consumer...as long as that publication is made to further the security and not to defeat the security (e.g., DRM). That said, I think that few companies are going to be willing to pursue a researcher that makes a sincere effort to notify the company in an appropriate amount of time since it is not in their best interest. Even if a few companies do decide to attack conscientious discoverers, they are unlikely to succeed in court.
  23. For me to poop on. on Ethical Lines of the Gray Hat · · Score: 3, Interesting
    Suits are scared of the public knowing about holes in their product, because that could erode trust in the product. That's the short term vision that motivates suit fear, and causes them to lash out with threats of lawsuits.

    Unfortunately, this fear overwhelms the suit's intelligence, which would tell the suit that in the long term
    I'm not a suit, I'm well aware of the arguments on all sides and I was once involved in the hacking community, but I don't agree that the instant disclosure of new vulnerabilities (and especially the all too common practice of releasing corresponding exploit code with it) is good policy. Regardless of the speed of the vendor or development team to release an appropriate patch, the person that publishes a new vulnerability gives those that wish to hack (yes, I know and I don't care) into systems a huge advantage over the administrators of the world. With the publication of a new exploit to bugtraq or what have you, you instantly arm thousands of script kiddies with an attack that cannot be defended against (in the majority of cases anyways). Even in the best of situations, there is going to be some delay in the development team's response. Even in the best of situations, the sysadmin can only patch so many systems so quickly. Even in the best of situations, only so many admins are going to be available to update their systems in the first place. This is simply a totally unnecessary situation in the vast majority of cases. If the so-called hacker were a little more reasonable and a little less self-centered, then they would give the vendor at least a day or two to come out with a patch before announcing it to the world.

    The argument that you need to publish to the whole world instantly is absurd. Sure, a couple vendors may not be responsive, but most are. Even in the cases where the vendor's response is not entirely adequate, the "harm" posed by waiting is negligible because it's rather unlikely that some unknown hacker will discover the same bug and start exploiting it before then. Few would argue that the developers of Linux and a couple other leading open source packages are slow to respond, yet we see this same instant disclosure of code, often without a patch (even in the cases where a patch is provided, it's not necessarily one that is suitable).

    The reason for this publication in the majority of cases is pretty simple. The publisher wants some recognition for his discovery. While this is understandable, there are other ways to gain recognition. For instance, he could disclose the fundamental details of the exploit to the public and/or a trusted 3rd party on discovery and maybe attach a checksum or PGP signature of his official advisory that he sent to the vendor (in case someone else tries to take credit for the particulars, the corresponding document could be revealed and proven to be known by the discoverer at least when the first advisory was sent out). It may not bring him quite the same fame, but it would be something.

    a climate where disclosing holes is discouraged merely limits access to the information to the so- called "black hats".
    Even if the so-called "white" or "grey" hats cease to disclose these vulnerabilities to anyone, it would be virtually impossible for a large number of black hats to keep the exploit to themselves without it getting back to the security community. It's human nature to brag and to leak. What's more, I would argue that very few blackhats have the sophistication to come up with original exploits themselves. They pretty much depend upon the more knowledgeable people that disclose the vulnerabilities to the public. In other words, the community of people having exploits over vulnerable machines would be far smaller.
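    The priority-proof idea in the comment above (publish a checksum of the full advisory now, reveal the text only after the vendor has had its lead time) as an added example, not code from the original post. It uses a salted SHA-256 commitment rather than a PGP signature, and the advisory text is constructed; the commit date still has to come from somewhere the discoverer cannot backdate, such as a mailing-list archive or a trusted third party.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for the discoverer's private advisory text.
ADVISORY = (
    b"Advisory: memory-safety bug in example-daemon (hypothetical)\n"
    b"Affected: versions prior to 1.2.3\n"
    b"Fix: upgrade to 1.2.3 or disable the affected service\n"
)


def commit_advisory(advisory: bytes, salt: Optional[bytes] = None) -> dict:
    """Build a commitment to the advisory: sha256(salt || advisory).

    The random salt matters: a short advisory whose wording is easy to
    guess could otherwise be confirmed by hashing candidate texts. The
    salt and the advisory stay private until the reveal.
    """
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.sha256(salt + advisory).hexdigest()
    return {
        "salt": salt.hex(),            # private until reveal
        "sha256": digest,              # published immediately
        "committed_at": datetime.now(timezone.utc).isoformat(),
    }


def public_record(commitment: dict) -> dict:
    """The only fields that get posted publicly at commit time."""
    return {"sha256": commitment["sha256"],
            "committed_at": commitment["committed_at"]}


def verify_reveal(public: dict, salt_hex: str, advisory: bytes) -> bool:
    """Anyone holding the public record can check the revealed text.

    A match proves the discoverer held exactly this advisory no later
    than the commit date; any edit to the text makes the check fail.
    """
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + advisory).hexdigest()
    return hmac.compare_digest(expected, public["sha256"])


def demo() -> tuple[bool, bool]:
    """Commit, then reveal the genuine text and a tampered variant."""
    commitment = commit_advisory(ADVISORY)
    posted = public_record(commitment)          # goes to the list now
    genuine = verify_reveal(posted, commitment["salt"], ADVISORY)
    tampered = verify_reveal(posted, commitment["salt"],
                             ADVISORY.replace(b"1.2.3", b"1.2.4"))
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```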
  24. Re:Nooooo... on Kazaa Continues to Evolve · · Score: 2

    I don't think it's quite fair to compare Webshots and Kazaa. Webshots may interfere with the operation of your computer in some circumstances, but no more than any other app that runs in the background like that. Webshots is not engineered to mess with your computer and it can be easily disabled. Granted, many users may bog down their systems with it, but it's a trade off between features and responsiveness that one can consciously make. Kazaa is an entirely different animal.

  25. Re:Bullshit on How The DMCA Is Enforced · · Score: 2
    You're overlooking an important point. The production of racist literature does not violate the law.
    Firstly, I was responding to the assertion that these people should be locked up because the mere viewing supposedly (positively) correlates with and/or encourages the sexual abuse of children. Secondly, even in the case where the media depicts the actual abuse of a child, these same tenuous assertions of "purpose" can be made for the racist literature and other publications. For instance, the hate magazine may depict the burning of a synagogue or what have you, yet they almost certainly receive the same protections. Now maybe the courts will intervene in particular cases whereby the perpetrators of the act were paid or otherwise encouraged to commit the act by the publisher, but that must be shown, it's not just a blanket law. Thirdly, you can't just dismiss a legal challenge like this on the grounds that it happens to be the law of the land now. We have SCOTUS for a reason.

    Behind every piece of child porn, there is a victimized child. Don't gloss over that with petty justifications.
    Again, this is not necessarily true. While I absolutely agree that we should vigorously prosecute those that commit the abuse (where the child is made to engage in sexual activity), not everything that is defined as child porn has this element. For instance, it is quite possible that a photographer may simply photograph nude children at the beach and other public places, without encouraging or having any active role in the child's exposure, and when these photographs are collected by the admittedly twisted people that enjoy it, it is deemed as child pornography and the people that merely happen to download it are treated, by the law (not to mention the media, society, etc), as if they raped a child, despite the fact that its viewership cannot be reasonably argued to have anything to do with the child's acts (even if you define that as abuse...which can be very much of a stretch).