Except he did not stop there. That's the problem. Allow me to re-state his original premise.
For a currency "X" there exists an amount "Y" at which (or below) no one will sell accurate bug reports to you.
When X = "pennies" and Y = "2" you can see how it works. Would you spend your time looking for bugs and reporting them for a possible payout of two cents per report? So at that point I can agree with him.
BUT THEN HE TRIES FOR A FALSE COROLLARY.
For a currency "X" there exists an amount "Z" at which (or above) people will sell accurate bug reports to you.
He uses X = "dollars" and Z = "10 million" there.
The reason it is a false corollary is that it depends upon a bug's existence being based upon the amount offered to find it.
All of the people talking as if I had said there were "literally infinite" bugs in a product are missing the point.
No. They understand and they are explaining to YOU where YOU are wrong.
I said, very clearly, that of course the number of bugs is not literally infinite, but I was considering the case where there are so many bugs which can be found for $X worth of effort, that it's unrealistic to find and fix them all in the time frame before the product becomes obsolete anyway.
And that is where you are wrong. YOU are claiming that a very specific HYPOTHETICAL situation is the same as the general ACTUAL situation.
Your HYPOTHETICAL situation is 100% divorced from the ACTUAL situation.
In the ACTUAL situation there are a finite number of buffer overflow bugs in any specific program and those buffer overflow bugs can be found and fixed WITHOUT another buffer overflow bug appearing. And it is EASY to find the MAXIMUM number of buffer overflow bugs by searching the source code for every instance of a buffer being used.
Finite AND countable AND fixable.
The fact that there are dozens of people responding as if I had said "literally infinitely many bugs" does not make their point any more valid.
No. They are pointing out that YOU have made that assumption even though YOU keep denying it.
Because once you admit that the number of buffer overflow bugs is finite AND countable then there exists a point where they can ALL be fixed. And you keep denying that that is possible.
But do you think that Apache could ever reach a state in practice, in the world we actually live in, where you couldn't find a new vulnerability in it for $10 million worth of effort?
Emphasis added.
So now you're conflating a real-world situation with a hypothetical situation... no. You do not get to mix real-world and hypotheticals in the same sentence. No one is offering $10 million and no one is likely to offer $10 million.
IF someone would offer $10 million for buffer overflow bugs in Apache then a lot of people would comb through the code and check each instance of a buffer for an overflow bug. All the buffer overflow bugs would be found.
After that, finding ANOTHER buffer overflow bug would not be possible IN THAT CODE BASE. No matter how much money was offered. Because all the instances should have been checked and identified.
Someone would have to submit code that included a NEW buffer overflow bug in order for a NEW buffer overflow bug to be discovered.
No matter how much money was being offered. No "theoretically" about it. It's Computer SCIENCE.
Do you really believe that if you offered a $10 million prize to anyone who could find a vulnerability in the Apache web server, that you would reach the point where people weren't finding and reporting new ones...
From your inclusion of "really believe" I'd say that your question was rhetorical.
And wrong.
At $10 million per buffer overflow? Yes. There would be a finite number of buffer overflows that would be found and fixed.
At $10 million per X category of bug? Yes. There would be a finite number of X's that would be found and fixed.
Therefore, unless you assume an infinite number of categories of bugs, all the bugs would eventually be fixed.
Because the code base comprises a finite number of bits and there is a finite number of ways that those bits can be run.
My point is that if there are (effectively) infinitely many bugs...
No need to read any further because that is an incorrect assumption.
There cannot be an infinite number of bugs (effectively or otherwise) because there is not an infinite amount of code NOR an infinite number of ways to run the finite amount of code.
From TFA:
(He confirmed to me afterwards that in his estimation, once the manufacturer had fixed that vulnerability, he figured his same team could have found another one with the same amount of effort.)
Then he was wrong as well.
There are a finite number of times that buffers are used in that code base. Therefore there are a finite number of times that buffers could be overflowed. If someone went through the code and checked each instance and ensured that an overflow situation was not possible then it would not be possible.
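The argument above rests on two steps: enumerate every site where a fixed-size buffer is used, then check each site so an overflow is not possible. The following C is an added illustration of both steps, not code from the thread or from Apache; the record size, the function names and the constructed source snippet are assumptions. It shows the unchecked copy an audit is looking for, the bounds-checked replacement that refuses oversize input instead of corrupting memory, and a crude text scan that demonstrates the set of buffer sites in a source file is finite and listable.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field standing in for one "instance of a buffer
 * being used". The capacity is an assumption for this example. */
#define NAME_CAP 16

/* The "before" form an audit flags: strcpy writes strlen(src)+1 bytes no
 * matter how large NAME_CAP is. Kept only to show what is being fixed. */
static void set_name_unchecked(char dst[NAME_CAP], const char *src)
{
    strcpy(dst, src);
}

/* The "after" form: the copy is bounded by the buffer's capacity. Returns
 * false (and leaves dst empty) when src does not fit, so the caller gets a
 * definite error rather than silent truncation or an overflow. */
static bool set_name_checked(char dst[NAME_CAP], const char *src)
{
    size_t n = 0;
    while (n < NAME_CAP && src[n] != '\0')   /* never reads past NAME_CAP */
        n++;
    if (n >= NAME_CAP) {                     /* no room for the terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);                 /* includes the NUL */
    return true;
}

/* Convenience wrapper so a caller can ask "would this value fit?" */
static bool fits(const char *src)
{
    char tmp[NAME_CAP];
    return set_name_checked(tmp, src);
}

/* Crude "find every buffer" pass: counts lines of C source text that
 * mention "char" and a '[' on the same line. A real audit uses a parser or
 * a static analyser; this only shows the site list is finite and enumerable. */
static int count_char_array_decls(const char *source)
{
    int count = 0;
    const char *line = source;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *c = strstr(line, "char");   /* first "char" at or after line */
        const char *b = strchr(line, '[');      /* first '[' at or after line */
        if (c && b && c < line + len && b < line + len)
            count++;
        if (!end)
            break;
        line = end + 1;
    }
    return count;
}

/* Constructed sample source for the scan: two fixed-size char arrays. */
static const char SAMPLE_SOURCE[] =
    "struct rec {\n"
    "    char name[16];\n"
    "    int  id;\n"
    "};\n"
    "char scratch[64];\n"
    "int counter;\n";

int main(void)
{
    char name[NAME_CAP];
    (void)set_name_unchecked;   /* flagged by the audit; not called here */
    printf("sites to review in sample: %d\n", count_char_array_decls(SAMPLE_SOURCE));
    printf("\"alice\" fits: %s\n", set_name_checked(name, "alice") ? "yes" : "no");
    printf("16-char value fits: %s\n", fits("1234567890123456") ? "yes" : "no");
    return 0;
}
```

The scan over-approximates (it would also count a comment mentioning `char x[]`), which is the right direction for an audit: every real site is on the list, and each listed site is either fixed or shown not to be a buffer.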
Is there a statement in the article that you think is incorrect?
You missed the point of the post that you are replying to. But since you asked...
You can visualize it even more starkly this way: A stranger approaches a company like Microsoft holding two envelopes, one containing $1,000 cash, and the other containing an IE security vulnerability which hasn't yet been discovered in the wild, and asks Microsoft to pick one envelope.
That makes no sense. Why would a security-researcher offer to pay MICROSOFT for NOTHING?
Microsoft should be paying the security-researcher.
It would sound short-sighted and irresponsible for Microsoft to pick the envelope containing the cash, but when Microsoft declines to offer a $1,000 cash prize for vulnerabilities, it's exactly like choosing the envelope with the $1,000.
Wrong again.
Not PAYING $1,000 is NOT the same as getting an ADDITIONAL $1,000.
If I have $1,000 and I do not buy something for $1,000 I still have $1,000. But if someone gives me an envelope with $1,000 then I have TWO THOUSAND DOLLARS.
You might argue that it's "not exactly the same" because Microsoft's hypothetical $1,000 prize program would be on offer for bugs which haven't been found yet, but I'd argue that's a distinction without a difference.
No. It's wrong because in your example Microsoft ends up with an ADDITIONAL $1,000 from a security-researcher.
If you want to see it on a small scale, well, ask yourself why the US has been unable to secure Afghanistan or Iraq. They had considerably more forces than your silly "1 aircraft carrier" scenario, it was hardly the whole population fighting, yet after years and years, they have been unable to secure the countries.
Mod parent up.
Anyone who thinks that modern, asymmetrical warfare means trading blows with similar weapon systems hasn't been paying attention to the last DECADE PLUS of our history.
There isn't a Taliban air force yet the Taliban is still around despite our air force bombing them for years.
Creationism isn't the topic of this thread, so what would you call the introduction of an unrelated topic, if not a strawman?
Learn what straw man means. It does not mean anything you do not like.
Besides, you're not really pretending you didn't say that, are you?
I've quoted the portion where you brought up "moron". I've linked to your quote where you brought up "moron".
No "pretending" needed. You said it. Then you objected to it. That's a straw man.
For the record, here is my actual argument:
For the record, I posted a direct quote from you and the link to that quote.
Here is your quote, again:
No, I mean like people who "point out" the evidence for evolution by looking at Creationists and saying things like, "goddamn but you're a moron! How is it that you're allowed to breed? Someone should put you down for the good of society!"
You brought up "moron" and then you objected to it.
Since you're not going to bother scrolling back up the page to see what I mean, I'll go ahead and say it - that comment was in response to your strawman about Creationists.
That statement was from you but you attempted to imply that it was from me.
That is a straw man.
Pointing out that Jenny McCarthy and Creationists BOTH ignore scientific evidence is not a straw man.
You were the one who started talking about "morons". Let me quote you and provide a link:
No, I mean like people who "point out" the evidence for evolution by looking at Creationists and saying things like, "goddamn but you're a moron! How is it that you're allowed to breed? Someone should put you down for the good of society!"
That is your comment and that is you making a straw man about "moron" claims.
Look, Brah, I don't care what you think about feelings, or damage, or strawmen, or whatever.
Except that you do and that has been your entire argument. I need to be nicer about pointing out that some people ignore all the scientific evidence that contradicts them. Then you go off on a straw man.
My mistake for assuming that I was talking to someone who understands what the words he uses mean. Words like "straw man."
That would be your hypothetical straw man friends whom you claimed were calling Jenny McCarthy a "moron".
What I said was that she (and the anti-vaccine people like her) do not have any evidence to support their claims.
FWIW, I'm not the hypocrite who's putting up strawmen and accusing others of doing the same thing when they make the apparent mistake of responding.
Yes you are. And you are "tone trolling".
Like I keep saying, measles does not care about your feelings.
Herd immunity has precisely dick to do with how you present your argument.
And, again, measles does not care about your feelings.
And now there are outbreaks of measles because of the anti-vaccination people. Real people. Real diseases. Real damage. None of your hypothetical straw men needed.
No, I mean like people who "point out" the evidence for evolution by looking at Creationists and saying things like, "goddamn but you're a moron! How is it that you're allowed to breed? Someone should put you down for the good of society!"
Well that's good. Maybe you should take all your hypothetical straw man friends on a party cruise.
Make all the excuses for anti-social behavior that you want, but the fact is if you're being an asshole to someone for being wrong, you're only serving to make the problem worse, not better.
You might want to look up some of the outbreaks of diseases that have happened recently.
Oh, you won't, will you. Because actual damage to actual people doesn't fit your hypothetical straw man.
Anyone who refuses to get their children vaccinated BECAUSE I SAID THAT JENNY MCCARTHY DOES NOT UNDERSTAND BASIC SCIENCE is not going to change because I don't state that.
That is what a "zealot" is about.
Jenny McCarthy isn't stopping you from getting your kids vaccinated, and being a dick to her and her kind for holding a certain viewpoint is only going to make them grasp it even harder.
Look up "herd immunity". They're increasing the risk by NOT getting the vaccinations.
Which is why there are outbreaks of diseases such as measles now.
Facts. Not feelings. Measles will not care about your feelings.
No, I'm pretty sure the use of zealots here refers to those who are so fanatically devoted to their position that they'll inevitably drive people away from the truth, due to their overbearing assholishness.
You mean like people who keep pointing out the evidence for evolution when Creationists insist that humans were riding dinosaurs 6,000 years ago?
If the basis for your understanding of the world is who is nicer to you then you have a problem.
Jenny McCarthy can talk all she wants about how "mommies" have a special understanding of medicine and science that equals or surpasses that of people who have spent years studying it. And there are a lot of people who will believe her. Because they want to FEEL special.
But an epidemic of measles does not care about their FEELINGS.
I think she is wrong to connect vaccines to autism.
That is her whole point. She claimed that vaccines cause autism. If you don't want to risk giving your children autism then do not vaccinate them.
But attacking her personally is not necessary or relevant.
Pointing out that she has NO medical training is NOT "attacking her personally".
She is making specific medical claims. She is doing so without any evidence.
Her general position that she is not against vaccines in general but only against un-safe vaccines is a valid position.
Bullshit!
If that is so then you should be able to show which vaccines she claims are "safe". AND what her MEDICAL evidence is for those being "safe" versus the "un-safe" vaccines.
The only issue is: Are existing vaccines safe and could they be made safer?
That is MORE bullshit.
The issue is whether "existing vaccines" cause autism or not.
So far, there is NO medical evidence to support her claims.
What's worse, an AG who doesn't know or an AG who knows and ignores it anyway?
It's not an autocracy.
You vote in the least problematic option and then you work with the other branches to limit the problems.
I voted for Obama. Twice. Because I thought the other options were worse. And now I oppose many of Obama's policies. And I let my Senators and Representatives know my opinions.
But you keep thinking that an extremely brilliant and accomplished individual, having obtained her Masters degree at age 20, isn't smart enough to ask the right questions or able to go toe to toe with Cheney or Rumsfeld....
The problem is that, while she is smart, she is also ideological.
If her ideology conflicts with the facts, the ideology wins.
Not only was she NOT willing to ask questions, she WAS willing to give press interviews with WRONG information. Because that WRONG information suited her ideology. Even though it would cost lives.
NOT the kind of person YOU want on the Board of Directors of a company tasked with providing access to YOUR data.
She didn't care enough about the lives that would be lost to ask any questions. And she cared so little for those lives that she provided wrong information to support the drive to war. Do you think that your DATA will mean more to her than that?
Anyone who thought the Iraq War was a good idea should not be described as "pretty sharp".
That depends upon whether you mean "good idea... for the USofA" or "good idea... for me and my friends".
A lot of companies made a lot of money off of that war.
She is female (and black), and promoted to the highest levels, despite the failure of nearly all her policies. She is proof that you no longer have to be male to be both successful and incompetent.
I don't agree with that. I think that anyone, regardless of race, creed, religion, etc, will always have a job publicly supporting the existing power structure.
She wasn't elected. She was appointed by the people who were elected. And those were white men.
Which is why I think that she's now at DropBox. She still has those political connections. And DropBox wants to pay her for access to them.
The solution is the paper allows a weak authentication before the threshold is hit, so the server could allow "slightly wrong" passwords for the first 30-60 seconds after it starts up.
Yeah, I think that's a problem. There shouldn't be any way to tell a "slightly wrong" password from any other wrong password.
That brings up the question of how you authenticate those first N users.
Which is a different problem with that approach.
They could have also had the server admin type in the formula for the line that the system will use.
About the only issue this "solves" is having ONE secret that has to be shared between the admins. So you won't have the "disgruntled" problem. Each admin gets his/her own portion of the secret.
More like you have the hashes for all the passwords (you downloaded it when you cracked their server).
And you have ONE password that you created on their system. So you have a password and a hash for that password. From which you can probably deduce the "salt" used.
But you cannot get the passwords from the other hashes because they each use a different "salt".
The problem is that the "salt" for each password is calculated by that machine based upon "special" accounts providing correct passwords that provide the information needed to generate the line that is used instead of a traditional "salt".
Which means that those "special" accounts are now ONE SET of keys to cracking that entire system. And they have to be secured.
And I'm still not convinced that, given enough passwords, their system does not fail anyway. And password re-use is a major problem with users and their passwords.
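The exchange above describes a server secret that is not stored anywhere but is reconstructed from a "line" whose points are held by several admin accounts, so that each admin carries one portion and no single admin carries the whole. The C below is an added illustration of that idea as 2-of-n sharing over a prime field; it is not the paper's scheme and not the thread's code, and the prime, the point layout and all function names are assumptions. It deals one point per admin, recovers the intercept from any two points, and shows why one point alone gives nothing: a single point is consistent with every candidate secret.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field GF(P) with P = 2^31 - 1, chosen so products fit in uint64_t.
 * The shared secret is the intercept of y = secret + slope*x (mod P). */
#define P 2147483647ULL

typedef struct { uint64_t x, y; } share_t;   /* one admin's portion */

static uint64_t mulmod(uint64_t a, uint64_t b) { return (a % P) * (b % P) % P; }
static uint64_t submod(uint64_t a, uint64_t b) { return (a % P + P - b % P) % P; }

static uint64_t powmod(uint64_t b, uint64_t e)
{
    uint64_t r = 1;
    b %= P;
    while (e) {
        if (e & 1) r = mulmod(r, b);
        b = mulmod(b, b);
        e >>= 1;
    }
    return r;
}

/* Modular inverse via Fermat's little theorem; valid because P is prime. */
static uint64_t invmod(uint64_t a) { return powmod(a, P - 2); }

/* Deal n points on the line. In a real deployment the slope is a fresh
 * random field element and is discarded after dealing. */
static void deal_shares(uint64_t secret, uint64_t slope, share_t *out, int n)
{
    for (int i = 1; i <= n; i++) {
        out[i - 1].x = (uint64_t)i;
        out[i - 1].y = (secret % P + mulmod(slope, (uint64_t)i)) % P;
    }
}

/* Lagrange interpolation at x = 0 from two distinct points:
 * secret = y1 * x2/(x2 - x1) + y2 * x1/(x1 - x2)  (mod P). */
static uint64_t recover_secret(share_t a, share_t b)
{
    uint64_t l1 = mulmod(b.x, invmod(submod(b.x, a.x)));
    uint64_t l2 = mulmod(a.x, invmod(submod(a.x, b.x)));
    return (mulmod(a.y, l1) + mulmod(b.y, l2)) % P;
}

/* Why one portion is useless on its own: for ANY candidate intercept there
 * is a slope that puts the held point on that line, so the point cannot
 * distinguish the true secret from any other value. */
static bool single_share_consistent(share_t a, uint64_t candidate)
{
    uint64_t slope = mulmod(submod(a.y, candidate), invmod(a.x));
    return (candidate % P + mulmod(slope, a.x)) % P == a.y;
}

/* Deals 3 portions and checks that every pair of them recovers `secret`. */
static bool every_pair_recovers(uint64_t secret, uint64_t slope)
{
    share_t s[3];
    deal_shares(secret, slope, s, 3);
    return recover_secret(s[0], s[1]) == secret % P
        && recover_secret(s[1], s[2]) == secret % P
        && recover_secret(s[0], s[2]) == secret % P;
}

int main(void)
{
    /* Constructed values for the demonstration only. */
    share_t s[3];
    deal_shares(123456789ULL, 987654321ULL, s, 3);
    printf("recovered from admins 1+3: %llu\n",
           (unsigned long long)recover_secret(s[0], s[2]));
    printf("admin 1 alone consistent with secret 42? %s\n",
           single_share_consistent(s[0], 42ULL) ? "yes" : "no");
    return 0;
}
```

The same property that makes this robust against one disgruntled admin is the one the thread worries about: any two of the "special" accounts together are a complete key to the server's secret, so those accounts need the protection a root credential would get.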
It won't work because it will be, successfully, argued that you're getting paid in miles rather than cash.
And there will need to be a central authority where you can redeem miles and register to participate. And at that point the government can set a value on each mile.
Just because YOU don't set a value on something does NOT mean the government CANNOT.
And no, sex-work is NOT the same as a girlfriend who borrows money from you.
"Theoretically". Got it.
"Infinite" does not mean what you think it does.
I'd pay extra to have humans working instead of insecure Internet connections being used.
If nothing else it would get rid of these stupid stories all the time.
http://slashdot.org/comments.pl?sid=5028117&threshold=1&commentsort=0&mode=thread&cid=46749487
Measles does not care about feelings.
Yes, and by "zealots" you mean people who understand basic science.
Because the anti-vaccination people have not been able to provide any evidence to support their claims.
But the medical scientists have been able to.
Seriously. Who would look at her record and think "Yep! My data is safe with that company. They're 100% supportive of my security and privacy."
False dichotomy. Rejecting A does not mean accepting B.
See above.
Just because someone is paid to do something does not mean that anyone has to support that.
Since Cuba is not a threat to the USofA in any way that statement is incorrect. There are many ways Cuba could be "a more deserving target".
Circular reasoning. And you even admit that Cuba is not doing the same to the USofA.
That entirely depends upon how YOU define YOUR "morality".
Just like requiring two keys to launch a missile.
All of the above!
Wheaton's Star Trek character takes on the role of Rod Serling/The Crypt Keeper and presents ghostly stories from alien races across the galaxy.
Episode 1 - The Kowardly Klingon. A Klingon who hides from battle is tormented by the ghosts of those who died. Or is it just his conscience?
Read TFA about heart attacks increasing on the Monday after the change.