Managed C++ is type and bounds safe. Unsafe C# and/or C++ allow type inference, but not bounds checking, and therefore allow a major class of exploits that aren't possible within the standard portions of the dialects. A call into C/C++ from within CLR requires PInvoke, just as a call into C/C++ from Java requires JNI.
Normal programmers writing in C#/Managed C++ use C/C++ less frequently than "normal" Java programmers do, actually, because they have access to the intermediate "unsafe" calls, through which most perf sensitive enumerations can be run without moving "down to the metal".
Basically, Gosling said it, and you fell for it. In/.-speak, they say "YHBT, YHL, HAND."
How stupid do you think it would be to put explosives in the gas tank! The gasoline would react with the oxidizer and destroy the engine! Not to mention, the explosion wouldn't be very visible -- there wouldn't be enough oxygen around the gas tank to make a spectacular fire ball.
You put the explosives in the fenders. Everyone knows that.
Nope. They wouldn't -- proof being that they never did. This isn't a new problem; every geographical information system has exactly this problem, and none of them ever came up with a solution. They all use the clumsy and verbose lat=, long= representation.
That fact is sufficient to establish one of the standard legal tests for non-obviousness: an invention is non-obvious if it fills long-standing and unfilled need. For what it's worth, that same argument would establish not only US Patentability, but also Eurasian Patentability, under the more restrictive Eurasian patent treaty of 1995.
Well, as to whether you've checked or not, that's why we pay patent examiners. As to your invocation of tinyurl, again, the patent's author talks about it. This representation requires no server intervention -- it's purely stateless, and therefore scales better. TinyUrl requires a database table, which is a maintenance and scaling nightmare.
What you've just shown, though, is that there was a major unmet need for a stateless representation of large URL contents. TinyUrl proves that there was a need for compression, and anyone who works on web service or large site architectures will tell you in tedious and mind-numbing detail why statelessness is critical.
Smart people had worked on getting that combination, and that they had not succeeded. That is one of the operational definitions of non-obviousness, as it is applied in US Patent law.
Actually, base 64 encoding isn't a compact representation. It was designed as a less compact representation of octet sequences which could be sent using only visible characters through a seven-bit Internet.
In this case, the patent includes a precise discussion of why base 30 is used. URLs are case-insensitive, so base 64 won't work, and
The parent's an AC, so most people won't see the comment, which says
Converting numbers to convinent bases is not only obvious, but so obvious that the ancient greeks figgured it out.
It may be a novel way to encode GPS location data, but it's very obvious, and trivial.
You're making two different errors. First, you're confusing the mathematical notion of radix representation with the technological notion of using radix notation, and, second, you're confusing elegance with obviousness.
The first is why computer programs are patentable in the United States and in most of Europe. An algorithm is a mechanism -- a fact is not. The fact that all numbers admit of an arbitrary radix expression is not patentable, but an algorithm for converting between two radices would have been. In this case, the patent's author found a quite elegant use for the fact that all numbers have a compact expression in multiple radices.
The second confusion is between elegance and obviousness. Something is non-obvious if there's an established unmet need for it, and this is something for which that's clearly true. That this is the kind of solution which leads people to say "Oh, that's obviously the solution to use" marks it as elegant. The fact that nobody came up with it before marks it as non-obvious.
(By the way, your history is wrong. Radix notation requires the use of the placeholder zero, which wasn't invented until about 1000 CE. Radix notation for bases other than 10 is a nineteenth cetury invention which arose as a side effect of the study of modular groups.)
You need to read the patent itself. The text talks, in great detail, about the precise reasons that the less readable notation is useful -- specifically, it talks about access from mobile devices and about URL length limitations on HTTP GET requests.
Pretty smart idea, but I don't know if it's really worth a patent.
On the contrary, you, as an expert in the field, just said that it was worth a patent.
An invention doesn't need to be ground-breaking to be patententable, merely novel and non-obvious. This one is not only novel and non-obvious, it's even a clever way to solve a real problem. That's exactly what patents are for.
You're quite right to compare Guantanamo to the current French legal system, and if I were an American, I might have hurt feelings. Of course, an American might point out that the detentions in Guantanamo are consciously extra-judicial, and that the question of whether, if so when, persons captured while engagning in illegal warfare are subject to trial is a subject of considerable debate worldwide. Somehow, M. Mitterand didn't ever face a Court, for instance. Unfortunately, the American Administration seems to have taken its cues from the French anti-terror statutes rather than from its own Constitutional history.
I must confess that I found your interpretation of French law touching in its naivete, you know. The Civil Code is a wonderful thing -- given rights with one hand, while simultaneously stealing them away with the other.
For instance, your claim that the presumption of innocence is protected in French law? Please explain to me how that jibes with Art 9-1 of the French Civil Code?
Everyone has the right to respect of the presumption of innocence.
(Act n 2000-516 of 15 June 2000) Where, before any sentence, a person is publicly shown as being guilty of facts under inquiries or preliminary investigation, the court, even by interim order and without prejudice to compensation for injury suffered, may prescribe any measures, such as the insertion of a rectification or the circulation of a communiqué, in order to put an end to the infringement of the presumption of innocence, at the expenses of the natural or juridical person liable for that infringement.
That is, a "citizen" of France has the right to be presumed innocent. Except when an administrative procedure, in which he or she may not have been present and at which no witnesses were presented, holds otherwise.
As far as the American notion of a jury is concerned, French law has no equivalent. From the civil code translation as legifrance.wouv.fr:
Article 12
(Conseil d'Etat No. 1975, 1905, 1948 to 1951 of 12 October 1979, Rassemblement des nouveaux avocats de France et autres, JCP 1980, II, 19288)
A judge shall determine a dispute in accordance with the rules of law applicable thereto.
Yup -- I sure see trial by jury there. A jury of one, who works for the government. Hardly a disinterested party.
And public trials? Again, from the civil code:
Article 22
Oral arguments shall be held in public, save where the law allows or directs that they be held in chambers.
That's almost Orwellian. "All animals are created equal, but some are more equal than others."
How true. Americans have gotten used to ridiculous notions like public trials, double jeopardy, the right to confront the witnesses testifying in a trial, juries untainted by the need to preserve their own jobs, and even such bizarre concepts as the notion that an individual is considered to not be liable until the converse is demonstrated.
I can't tell you how deeply grateful I am to France and her people for establishing the democratic traditions of justice that led to such pinnacles of achievement as L'Affaire Dreyfuss and the reign of terror.
Mod parent up. That's exactly what AdWords does. The yellow pages are ads, nothing more, yet people treat them as informative. As a result, a Mazda dealership can't advertise as a Honda dealership in the yellow pages, and shouldn't be able to do the equivalent thing through AdWords.
The point is that you're wrong about type safety. Type inference is a purely syntactic operation, which is why languages like ML don't need explicit typing. The problem with unsafe IL code isn't type inference, but bounds checking.
The Microsoft CLR is also type-safe at the VM level. If you choose to use pointers in Managed C++, though, you lose any ability to assert heap access safety, and therefore must mark your code as unsafe, because you can perform pointer arithmetic.
What a wierd result. I don't think it's a "sponsored link" effect, though. It looks, instead, like the ordering algorithm clusters sites, so that sites with lots of pictures of Spears show up near the front, and sites with fewer images show up later. If you hack the query to look at pages around 200, you find many more sources on each page.
There are two different kinds of canaries, stack canaries and heap canaries. The heap canaries are the ones that this PoC claims to attack, which is relevant because heap overruns are much harder to exploit than stack overruns, not to mention less common.
The article description is a bit deceptive. NX is independent of DEP here. The alleged exploit only works for the small heap on machines without NX, not for machines with NX. NX stops this exploit cold.
A monopoly, in the economic sense, is a vendor which can set its own prices without fear of competition. It really has nothing to do with the complete absence of competition -- just the complete absence of meaningful competition. In that regard, Microsoft is absolutely a monopoly in the PC-compatible desktop operating system market and the Office productivity suite market. The presence of Linux in the first and OpenOffice.org in the second, for instance, have absolutely no effect on Microsoft's ability to charge whatever it wants in both markets.
Actually, AC, you're wrong. The accountants expect H&E to be profitable by FY 2007. FY 2007 starts 1 July 2006. My guess, though, is that they're being pessimistic -- good accountant are, after all -- and that break even will occur a little earlier.
You need to go back and look at the Microsoft financial statements. Home and Entertainment (which is basically XBox) has been trending towards profitability for quite a while. This quarter's profit was due to Halo2, but without H2, my estimate is that H&E would have only lost about 30M. Given the current trend, I expect H&E to become persistently profitable within about a year.
You didn't read what I wrote. Yes, C has [][] allocators, but it does not have multidimensional dereference. If you want to iterate through the elements in the array that you allocate using
char x[5][10]
you have to do it by hand
for (i = 0; i < 4; i++) for (j = 0; j < 10; j++) { *((char *) (&x[0][0])+ 10 * i + j) = '\\n'; }
That's why people talk about writing custom libraries to support scientific caculations in C.
The point of multidimensional arrays in FORTRAN is simple and straightforward: they're contiguous blocks of storage. In C, multidimensional arrays are a fiction, because a[i][j] is given exactly the semantics of *(*(a + i) + j), instead of *(a + i * second_dim + j). That extra dereference takes away a huge number of optimization opportunities.
Pointers are useful in systems programming, but K&R made C a much less useful scientific language by not including the multidimensional array dereference operator. That's fine -- they weren't writing a language for scientific computation. I even think they made the right design choice, since there was already one around; it was called "FORTRAN".
The reason this is a Windows issue is that the worm drops a Windows executable on the box and spawns it (in binary). The exact same mechanism would have worked against Linux.
Non-windows machines are not vulnerable to attacks using Windows executables, yes. However, the same attack would work perfectly well against a non-Windows box; the only difference would be in the executable dropped.
Slashdot Mirror
Managed C++ is type and bounds safe. Unsafe C# and/or C++ allow type inference, but not bounds checking, and therefore allow a major class of exploits that aren't possible within the standard portions of the dialects. A call into C/C++ from within CLR requires PInvoke, just as a call into C/C++ from Java requires JNI.
/.-speak, they say "YHBT, YHL, HAND."
Normal programmers writing in C#/Managed C++ use C/C++ less frequently than "normal" Java programmers do, actually, because they have access to the intermediate "unsafe" calls, through which most perf sensitive enumerations can be run without moving "down to the metal".
Basically, Gosling said it, and you fell for it. In
How stupid do you think it would be to put explosives in the gas tank! The gasoline would react with the oxidizer and destroy the engine! Not to mention, the explosion wouldn't be very visible -- there wouldn't be enough oxygen around the gas tank to make a spectacular fire ball.
You put the explosives in the fenders. Everyone knows that.
Nope. They wouldn't -- proof being that they never did. This isn't a new problem; every geographical information system has exactly this problem, and none of them ever came up with a solution. They all use the clumsy and verbose lat=, long= representation.
That fact is sufficient to establish one of the standard legal tests for non-obviousness: an invention is non-obvious if it fills long-standing and unfilled need. For what it's worth, that same argument would establish not only US Patentability, but also Eurasian Patentability, under the more restrictive Eurasian patent treaty of 1995.
Well, as to whether you've checked or not, that's why we pay patent examiners. As to your invocation of tinyurl, again, the patent's author talks about it. This representation requires no server intervention -- it's purely stateless, and therefore scales better. TinyUrl requires a database table, which is a maintenance and scaling nightmare.
What you've just shown, though, is that there was a major unmet need for a stateless representation of large URL contents. TinyUrl proves that there was a need for compression, and anyone who works on web service or large site architectures will tell you in tedious and mind-numbing detail why statelessness is critical.
Smart people had worked on getting that combination, and that they had not succeeded. That is one of the operational definitions of non-obviousness, as it is applied in US Patent law.
Actually, base 64 encoding isn't a compact representation. It was designed as a less compact representation of octet sequences which could be sent using only visible characters through a seven-bit Internet.
In this case, the patent includes a precise discussion of why base 30 is used. URLs are case-insensitive, so base 64 won't work, and
You're making two different errors. First, you're confusing the mathematical notion of radix representation with the technological notion of using radix notation, and, second, you're confusing elegance with obviousness.
The first is why computer programs are patentable in the United States and in most of Europe. An algorithm is a mechanism -- a fact is not. The fact that all numbers admit of an arbitrary radix expression is not patentable, but an algorithm for converting between two radices would have been. In this case, the patent's author found a quite elegant use for the fact that all numbers have a compact expression in multiple radices.
The second confusion is between elegance and obviousness. Something is non-obvious if there's an established unmet need for it, and this is something for which that's clearly true. That this is the kind of solution which leads people to say "Oh, that's obviously the solution to use" marks it as elegant. The fact that nobody came up with it before marks it as non-obvious.
(By the way, your history is wrong. Radix notation requires the use of the placeholder zero, which wasn't invented until about 1000 CE. Radix notation for bases other than 10 is a nineteenth cetury invention which arose as a side effect of the study of modular groups.)
You need to read the patent itself. The text talks, in great detail, about the precise reasons that the less readable notation is useful -- specifically, it talks about access from mobile devices and about URL length limitations on HTTP GET requests.
An invention doesn't need to be ground-breaking to be patententable, merely novel and non-obvious. This one is not only novel and non-obvious, it's even a clever way to solve a real problem. That's exactly what patents are for.
I must confess that I found your interpretation of French law touching in its naivete, you know. The Civil Code is a wonderful thing -- given rights with one hand, while simultaneously stealing them away with the other.
For instance, your claim that the presumption of innocence is protected in French law? Please explain to me how that jibes with Art 9-1 of the French Civil Code?That is, a "citizen" of France has the right to be presumed innocent. Except when an administrative procedure, in which he or she may not have been present and at which no witnesses were presented, holds otherwise.
As far as the American notion of a jury is concerned, French law has no equivalent. From the civil code translation as legifrance.wouv.fr:
Yup -- I sure see trial by jury there. A jury of one, who works for the government. Hardly a disinterested party.
And public trials? Again, from the civil code:That's almost Orwellian. "All animals are created equal, but some are more equal than others."
How true. Americans have gotten used to ridiculous notions like public trials, double jeopardy, the right to confront the witnesses testifying in a trial, juries untainted by the need to preserve their own jobs, and even such bizarre concepts as the notion that an individual is considered to not be liable until the converse is demonstrated.
I can't tell you how deeply grateful I am to France and her people for establishing the democratic traditions of justice that led to such pinnacles of achievement as L'Affaire Dreyfuss and the reign of terror.
Mod parent up. That's exactly what AdWords does. The yellow pages are ads, nothing more, yet people treat them as informative. As a result, a Mazda dealership can't advertise as a Honda dealership in the yellow pages, and shouldn't be able to do the equivalent thing through AdWords.
The point is that you're wrong about type safety. Type inference is a purely syntactic operation, which is why languages like ML don't need explicit typing. The problem with unsafe IL code isn't type inference, but bounds checking.
You're wrong.
The Microsoft CLR is also type-safe at the VM level. If you choose to use pointers in Managed C++, though, you lose any ability to assert heap access safety, and therefore must mark your code as unsafe, because you can perform pointer arithmetic.
What a wierd result. I don't think it's a "sponsored link" effect, though. It looks, instead, like the ordering algorithm clusters sites, so that sites with lots of pictures of Spears show up near the front, and sites with fewer images show up later. If you hack the query to look at pages around 200, you find many more sources on each page.
Is "algorhyme" a form of the misspelling system which gives back a rhyme for the incorrectly spelled word?
There are two different kinds of canaries, stack canaries and heap canaries. The heap canaries are the ones that this PoC claims to attack, which is relevant because heap overruns are much harder to exploit than stack overruns, not to mention less common.
The article description is a bit deceptive. NX is independent of DEP here. The alleged exploit only works for the small heap on machines without NX, not for machines with NX. NX stops this exploit cold.
By god, someone payed attention in Econ 101!
A monopoly, in the economic sense, is a vendor which can set its own prices without fear of competition. It really has nothing to do with the complete absence of competition -- just the complete absence of meaningful competition. In that regard, Microsoft is absolutely a monopoly in the PC-compatible desktop operating system market and the Office productivity suite market. The presence of Linux in the first and OpenOffice.org in the second, for instance, have absolutely no effect on Microsoft's ability to charge whatever it wants in both markets.
Actually, AC, you're wrong. The accountants expect H&E to be profitable by FY 2007. FY 2007 starts 1 July 2006. My guess, though, is that they're being pessimistic -- good accountant are, after all -- and that break even will occur a little earlier.
You need to go back and look at the Microsoft financial statements. Home and Entertainment (which is basically XBox) has been trending towards profitability for quite a while. This quarter's profit was due to Halo2, but without H2, my estimate is that H&E would have only lost about 30M. Given the current trend, I expect H&E to become persistently profitable within about a year.
The point of multidimensional arrays in FORTRAN is simple and straightforward: they're contiguous blocks of storage. In C, multidimensional arrays are a fiction, because a[i][j] is given exactly the semantics of *(*(a + i) + j), instead of *(a + i * second_dim + j). That extra dereference takes away a huge number of optimization opportunities.
Pointers are useful in systems programming, but K&R made C a much less useful scientific language by not including the multidimensional array dereference operator. That's fine -- they weren't writing a language for scientific computation. I even think they made the right design choice, since there was already one around; it was called "FORTRAN".
The reason this is a Windows issue is that the worm drops a Windows executable on the box and spawns it (in binary). The exact same mechanism would have worked against Linux.
Non-windows machines are not vulnerable to attacks using Windows executables, yes. However, the same attack would work perfectly well against a non-Windows box; the only difference would be in the executable dropped.