I'm sorry... I try hard not to let the libertarian, anti-government urges take over, but there IS a line we should not cross. I DO NOT want the government legislating how I must configure my servers. Not ANY government. It's a technical problem, best solved by technical resources.
Please.
Because what OTHER mandates might the legislators throw into the same bill?
By the way, the reason that hand-cranked laptops aren't widely available is simply that laptops take hundreds of times the amount of power that radios take. The windup radio is REAL, it can be purchased at www.freeplay.net. The conspiracy stories about running a car on seawater are, of course, not real.
You raise the problem that "moderation" is a difficult problem (eg:/.) and that using it on a search site would not work well because "too many people" moderating would "pull a ranking in [doo many directions".
There IS a solution to this problem. It WOULD work, and it would make an AWESOME search engine (once enough people used the rating system). The only weakness is that it requires some sort of log-in to the search site -- which might actually be GOOD for the search site's bottom line.
Consider Amazon. They don't make book recomendations by finding the "most popular books in the world" and suggesting them to everyone... instead they recomend the books that are similar to what YOU like to read. The technology behind it is a technique called "collaborative filtering". Basically (to strip off a whole bunch of marketing designed to make it seem complicated), the idea is to look at the rankings YOU have already made, and then use the pool of people who's rankings are SIMILAR to yours as the pool of people from which to draw on when deciding how "popular" a book (or, for web search engines, a website) is.
So here's how it would work. You start with a basic set of search criteria... maybe start with Google's, for instance. Then, when people sign up for your search engine, you invite them to submit a list of their favorite/most-used websites. This gives a starting place, and from the very beginning, search order can be modified slightly by giving a slight + to the score of those sites which are frequently mentioned in favorites-lists for people whose favorites-lists are very similar to your own. (There should be an option to exclude sites on your own favorites-list from showing up in queries. Some would want it, some wouldn't.)
This gets things started, but favorites-lists won't provide enough data for a really good, web-wide ranking of sites, and it will get stale fairly quickly. The real trick is to develop a "clicked-on" list for each user as well, and use the clicked-on-lists, as well as the favorites-lists, for modifying the ranking of new sites. The clicked-on-lists could be gathered by making the links to the website go to the search site for a redirect, along the way they can be counted.
So, once the system was up and running, new users would have to create an ID when they signed in. Then they could create a favorites list, which would result in immediate "customized results", or they could just use the search site for a while, and their results would gradually become more personalized as they built up a clicked-on-list. Most importantly, a large portion of the ranking of sites would be determined by what users had listed or clicked on, rather than by keyword, linked-to-rating, or other factors more easily manipulated. And it would customize itself to your own searching preferences.
Now, one final thing. I know that this is a GOOD idea. I've been thinking about it for a long time. If anyone else reads this and agrees, please let me know... because I'd be very interested in doing it. (This is a bit long for an elevator speech, but I figure the/. readers I'm interested in have longer attention spans.) In fact, if you even just READ THIS, but AREN'T interested, could you drop me an email to let me know? Thanks.
Michael Chermside
michael.chermside@destiny.com
5715 North Ridge Ave
Chicago IL 60660
Many people have responded to this (5 rating) comment by describing possible ways to build code that's "flexible enough for translation but not open to attack". I could add my own way of doing it. But everyone is missing the point. The question asked (or intended) was "how do you write your code". So far, everyone has been speaking in the hypothetical, and that masks a VERY important point... we're clearly CAPABLE of writing code that is safe from this exploit, but (because of the faulty behavior of default libraries) we're not doing it!.
So I'll try to answer the original question. Most of MY code lately has been written in Java. Java doesn't have this particular vulnerability, because it's not subject to stack over/underflows (normally). I HAVE written pleanty of code in C/C++, but nothing that used i18n. So other than suggesting "try a different language" (not always a useful suggestion) my answer is that I DON'T have a solution... at least not one thats so convenient that I use it in real life.
So... this is a community forum... anyone willing to step up and address this problem? New libraries for Linux? It wouldn't be too difficult to build something that automatically checks the format strings in a string catalog against those in a standard catalog and refuses to load the string catalog if it's not validated. If a couple of other people will help me (because I'm not a linux hacker and would need the help of someone with more i18n experience) I'm willing to work on writing something like this!. Any takers?
If I get no responses, I'll have to assume that the community is not interested (or that they just didn't see my post because it wasn't moderated up;-) ), and I'll forget the whole issue.
-- Michael Chermside
michael.chermside@destiny.com
I fully agree with you. Whenever the majority is "content with a service" they should under no circumstances "be deprived of it because [others] have a problem with it".
For instance, the policies that extend benefits like health insurance to opposite sex spouses, but not long-term commited homosexual partners -- after all, the majority of people are hetrosexual. Or the policies posting the 10 commandments and other religious icons in public places in the US -- after all, the majority of people in this country are some variety of christians. We should even extend the principle to defend those laws requiring race-specific water fountains and bathrooms -- after all, the majority of people in this country are still white!
All in all, a policy saying that anything goes so long as the majority agrees is a good policy. In this instance, the majority are pleased with the service, and are not being asked to change their names, so why ask for "special accomodations" (like allowing you to use your own name) for the minority?
-- Michael Chermside
PS: For those who didn't notice the sarcasm in the above piece and who think that I really believe it... I pity you. Really.
A posting such as that is nothing more than a troll without including a link to website detailing the results of this security audit. With such a link, it's a valuable contribution to the discussion.
Yours has no link. It's a troll. Next time, back it up with evidence.
I know I shouldn't post "me too" comments, but I'm doing it anyhow.
Hear hear! This is exactly the right attitude. There's nothing wrong with selling copies of a thesis... but there's nothing wrong with giving it away either!
Do you truely believe that it's better for the kids to simply not have any internet access at all than to be using some sort of censorware?
I find that apalling.
When I ran the computer-science lab at a middle school and high school, I DID throw myself into this issue, and our school's policy that there was supervision, but no censorware.
That was the policy while I was there. Right after I left, they changed the policy. The new policy was: No internet use permitted at all (except during class for a class project).
I believe that under the new policy really harmed these kids (at least the ones without access at home... quite a few, since we many lived on campus). Not knowing how to use the internet in today's world isn't quite like being illiterate, but it's pretty darn close. I think they will perform more poorly in college, and possibly in the work world afterward.
My first choice would be supervision and no censorware (obviously... I fought HARD for that when I was there). But my second choice would be censorware... even poorly configured dumb censorware... even censorware that blocked all sites on breast cancer and all sites criticizing [fill-in-your-least-favorite-political-group-here] . This would still be better than no access.
And look at what we're talking about here... "Should this laundrymat have censored internet or none". My impression is that this laundrymat is in a neighborhood that's underserved, and where many have no internet exposure at all. Don't you think that there's a much greater good at stake here... that of allowing everyone (even those in the inner city or who don't have their own washing machines at home) to participate in the community of the net -- even if it is a censored version of the net?
A java garbage collecter may (not must) garbage
collect any objects that are unreachable. But
unreachable from where? The "starting point" for
reachability is defined to be all executing non-daemon Threads.
So in your example, the ListenerServer's would NOT be garbage collected, because they're Threads. Basically, this rule means that any memory which could possibly be reached by any code executing anywhere can NOT be garbage collected -- ie, nothing you could possibly care about can disapear.
All of this, of course, leaves out the "new" (well... not so new anymore) soft, weak, and virtual references that were introduced to allow more flexible garbage collection behavior. These allow all kinds of fancier GC behavior if you want to develop for it.
I don't know about today, but in 1988, I had an old "Ohio Scientific C1P", which I wanted to get rid of, so I donated it to a science museum in Ohio (it seemed, somehow, appropriate). Anyone else remember that computer?
As a "lowlowly engineer in grad school", what you probably are not familiar with is the degree to which so-called "business types" can be incredibly bullheaded and blind.
Now, I'm not knocking every person out there who can't code assembler and doesn't have an engineering degree. I've had my share of extremely competent, insightful, managers and business partners -- but "my share" is an extremely small number. And I'm sure that if I were asked to write a company's business plan, or negotiate a contract, I'd do a terrible job. But the truth is, there are an incredibly large number of "business types" who are astonishingly uncreative and close-minded.
And open source is one of those issues where these uncreative people are likely to miss a real opportunity. "Why give something away for free?", they might say. As you point out, it's a valid question... and the answer may be (yeah, I know this is heretical on/.) that you shouldn't. In a particular case. But in my mind, it's quite clear that there are times when there is a significant advantage to releasing as open source.
So... suppose that MEconomy went to the "business-types", and proposed that they release the code open-source. They fire back with the (reasonable) question "How does that benefit us?". Now suppose that MEconomy comes back with a whole list of different benefits: it will accelerate the acceptance of our product by the user community, it will provide increased sales to those who had concerns about our continued support for the product, it will allow us to locate and repair bugs much faster, it will increase the "buzz factor" of our product, etc etc. What WILL happen next, is that 70% of the "business types" in the room will say "Yeah, but we can't give something away for free." MEconomy just told them why you COULD, but they just don't get it. (You may not believe that it would really be 70%... you're right. It's likely to be higher. Really. No... I don't understand why either.) So MEconomy's only chance is to really blow away the other 30% of the businessfolk in the room by highly convincing arguments and having really done his homework beforehand. And it better work out the first time it's tried.
And that is why he posts to/. before taking it to his own company. So he can make the best possible case, because he probably only gets one chance... even though this might (and, as you point out, also might not) be the best possible thing his company could do.
Someone with moderator points, please mark up the comment I'm replying to (I'm outa points cause they keep expiring, cause I so rarely find something this worthy of up-moderation). It's insightful, well reasoned, and a lot of the hotheads at/. really need to read this and use it to moderate their knee-jerk reactions.
There is one small logical flaw in your suggestion that this issue crosses state borders, and thus should be regulated by the "feds" not the state.
It crosses the "feds" boundaries too. What if I (a US citizen) order something on the net from.au? Do I have to pay national sales tax (I know... there's no such thing, but JordoCrouse is essentially suggesting one)? Do I have to save all my receipts, and hand them in on April 15? How likely am I to actually do this?
Remember: the internet is NOT national... it's bigger than that!
-- Michael Chermside
Re:Spread the message, brothers
on
Copyrant
·
· Score: 1
Orpheus:
I wish I had moderator points right now, I would up-moderate this as much as possible.
I have read several of your posts recently and been impressed with everything I have read. You are well-informed on these issues, and you contribute well to the discussions.
I have one request, which you might be able to help me with. I have been becoming quite interested, of late, in IP issues, particularly as relates to technology in both the legislative and legal branches. I am currently trying to find some good materials on these subjects that I can subscribe to. There must be a newsletter or two, maybe a legal journal on the topic... maybe a website (besides/., which isn't bad itself!) which will help me get informed -- on a serious level -- about these issues.
Do you have anything like this to recommend? If so, please let me know by email (mike.chermside@destiny.com). Thanks very much, mostly for your contributions to these discussions, and also for any info you may have for me.
Now wait a minute. Suppose company X instituted a policy that employees could ONLY use certain software packages or (god forbid) certain brands of OS. Most of the/. readership would get fairly annoyed by this. "Why do they restrict the tools I can use, for no good reason? I'm a professional; just let me use the tools I need to get my job done!"
Now consider the whole group of secretaries, managers, engineers, and other non-IT employees. They spend (many of them) much of their days creating documents. Can't you just hear them saying "Why do they restrict the formats I can use in creating my documents for no good reason? I'm a professional, jsut let me use the tools I need to get my job done!".
Be careful what you offer. Suppose I were to develop a proof that P=NP, but it was an existance proof... proved that they were equivalent without showing how to achieve that equality. Or suppose that I discovered an algorithm to actually perform NP problems in polynomial time... specifically in time proportional to 1*N^(100000000) + 100000000*N^2. This is polynomial time, but it is SO BAD, that the size of N at which it becomes better then exponential is SO LARGE, that it is still not useful for real-world problems.
I guess my point is that you shouldn't make the assumption that a mathematical proof automatically has immediately applicable consequences. And you shouldn't run around offering $10M USD unless you mean it.
Slashdot Mirror
Please.
Because what OTHER mandates might the legislators throw into the same bill?
-- Michael Chermside
-- Michael Chermside
> pain caused by reading this. If you read
> this, you agree to send me all your property
> and money.
Darn. You got me. Ok, what's the address I need to send it to?
(Damn those "glance-wrap" liscenses!)
-- Michael Chermside
Good one. I vote for the dead horse.
-- Michael Chermside
There IS a solution to this problem. It WOULD work, and it would make an AWESOME search engine (once enough people used the rating system). The only weakness is that it requires some sort of log-in to the search site -- which might actually be GOOD for the search site's bottom line.
Consider Amazon. They don't make book recomendations by finding the "most popular books in the world" and suggesting them to everyone... instead they recomend the books that are similar to what YOU like to read. The technology behind it is a technique called "collaborative filtering". Basically (to strip off a whole bunch of marketing designed to make it seem complicated), the idea is to look at the rankings YOU have already made, and then use the pool of people who's rankings are SIMILAR to yours as the pool of people from which to draw on when deciding how "popular" a book (or, for web search engines, a website) is.
So here's how it would work. You start with a basic set of search criteria... maybe start with Google's, for instance. Then, when people sign up for your search engine, you invite them to submit a list of their favorite/most-used websites. This gives a starting place, and from the very beginning, search order can be modified slightly by giving a slight + to the score of those sites which are frequently mentioned in favorites-lists for people whose favorites-lists are very similar to your own. (There should be an option to exclude sites on your own favorites-list from showing up in queries. Some would want it, some wouldn't.)
This gets things started, but favorites-lists won't provide enough data for a really good, web-wide ranking of sites, and it will get stale fairly quickly. The real trick is to develop a "clicked-on" list for each user as well, and use the clicked-on-lists, as well as the favorites-lists, for modifying the ranking of new sites. The clicked-on-lists could be gathered by making the links to the website go to the search site for a redirect, along the way they can be counted.
So, once the system was up and running, new users would have to create an ID when they signed in. Then they could create a favorites list, which would result in immediate "customized results", or they could just use the search site for a while, and their results would gradually become more personalized as they built up a clicked-on-list. Most importantly, a large portion of the ranking of sites would be determined by what users had listed or clicked on, rather than by keyword, linked-to-rating, or other factors more easily manipulated. And it would customize itself to your own searching preferences.
Now, one final thing. I know that this is a GOOD idea. I've been thinking about it for a long time. If anyone else reads this and agrees, please let me know... because I'd be very interested in doing it. (This is a bit long for an elevator speech, but I figure the /. readers I'm interested in have longer attention spans.) In fact, if you even just READ THIS, but AREN'T interested, could you drop me an email to let me know? Thanks.
Michael Chermside
michael.chermside@destiny.com
5715 North Ridge Ave
Chicago IL 60660
-- Michael Chermside
So I'll try to answer the original question. Most of MY code lately has been written in Java. Java doesn't have this particular vulnerability, because it's not subject to stack over/underflows (normally). I HAVE written pleanty of code in C/C++, but nothing that used i18n. So other than suggesting "try a different language" (not always a useful suggestion) my answer is that I DON'T have a solution... at least not one thats so convenient that I use it in real life.
So... this is a community forum... anyone willing to step up and address this problem? New libraries for Linux? It wouldn't be too difficult to build something that automatically checks the format strings in a string catalog against those in a standard catalog and refuses to load the string catalog if it's not validated. If a couple of other people will help me (because I'm not a linux hacker and would need the help of someone with more i18n experience) I'm willing to work on writing something like this!. Any takers?
If I get no responses, I'll have to assume that the community is not interested (or that they just didn't see my post because it wasn't moderated up ;-) ), and I'll forget the whole issue.
-- Michael Chermside
michael.chermside@destiny.com
For instance, the policies that extend benefits like health insurance to opposite sex spouses, but not long-term commited homosexual partners -- after all, the majority of people are hetrosexual. Or the policies posting the 10 commandments and other religious icons in public places in the US -- after all, the majority of people in this country are some variety of christians. We should even extend the principle to defend those laws requiring race-specific water fountains and bathrooms -- after all, the majority of people in this country are still white!
All in all, a policy saying that anything goes so long as the majority agrees is a good policy. In this instance, the majority are pleased with the service, and are not being asked to change their names, so why ask for "special accomodations" (like allowing you to use your own name) for the minority?
-- Michael Chermside
PS: For those who didn't notice the sarcasm in the above piece and who think that I really believe it... I pity you. Really.
A posting such as that is nothing more than a troll without including a link to website detailing the results of this security audit. With such a link, it's a valuable contribution to the discussion.
Yours has no link. It's a troll. Next time, back it up with evidence.
-- Michael Chermside
Hear hear! This is exactly the right attitude. There's nothing wrong with selling copies of a thesis... but there's nothing wrong with giving it away either!
-- Michael Chermside
I find that apalling.
When I ran the computer-science lab at a middle school and high school, I DID throw myself into this issue, and our school's policy that there was supervision, but no censorware.
That was the policy while I was there. Right after I left, they changed the policy. The new policy was: No internet use permitted at all (except during class for a class project).
I believe that under the new policy really harmed these kids (at least the ones without access at home... quite a few, since we many lived on campus). Not knowing how to use the internet in today's world isn't quite like being illiterate, but it's pretty darn close. I think they will perform more poorly in college, and possibly in the work world afterward.
My first choice would be supervision and no censorware (obviously... I fought HARD for that when I was there). But my second choice would be censorware... even poorly configured dumb censorware... even censorware that blocked all sites on breast cancer and all sites criticizing [fill-in-your-least-favorite-political-group-here] . This would still be better than no access.
And look at what we're talking about here... "Should this laundrymat have censored internet or none". My impression is that this laundrymat is in a neighborhood that's underserved, and where many have no internet exposure at all. Don't you think that there's a much greater good at stake here... that of allowing everyone (even those in the inner city or who don't have their own washing machines at home) to participate in the community of the net -- even if it is a censored version of the net?
PLEASE consider the ramifications.
-- Michael Chermside
A java garbage collecter may (not must) garbage collect any objects that are unreachable. But unreachable from where? The "starting point" for reachability is defined to be all executing non-daemon Threads.
So in your example, the ListenerServer's would NOT be garbage collected, because they're Threads. Basically, this rule means that any memory which could possibly be reached by any code executing anywhere can NOT be garbage collected -- ie, nothing you could possibly care about can disapear.
All of this, of course, leaves out the "new" (well... not so new anymore) soft, weak, and virtual references that were introduced to allow more flexible garbage collection behavior. These allow all kinds of fancier GC behavior if you want to develop for it.
-- Michael Chermside
Michael Chermside
mike.chermside@destiny.com
Now, I'm not knocking every person out there who can't code assembler and doesn't have an engineering degree. I've had my share of extremely competent, insightful, managers and business partners -- but "my share" is an extremely small number. And I'm sure that if I were asked to write a company's business plan, or negotiate a contract, I'd do a terrible job. But the truth is, there are an incredibly large number of "business types" who are astonishingly uncreative and close-minded.
And open source is one of those issues where these uncreative people are likely to miss a real opportunity. "Why give something away for free?", they might say. As you point out, it's a valid question... and the answer may be (yeah, I know this is heretical on /.) that you shouldn't. In a particular case. But in my mind, it's quite clear that there are times when there is a significant advantage to releasing as open source.
So... suppose that MEconomy went to the "business-types", and proposed that they release the code open-source. They fire back with the (reasonable) question "How does that benefit us?". Now suppose that MEconomy comes back with a whole list of different benefits: it will accelerate the acceptance of our product by the user community, it will provide increased sales to those who had concerns about our continued support for the product, it will allow us to locate and repair bugs much faster, it will increase the "buzz factor" of our product, etc etc. What WILL happen next, is that 70% of the "business types" in the room will say "Yeah, but we can't give something away for free." MEconomy just told them why you COULD, but they just don't get it. (You may not believe that it would really be 70%... you're right. It's likely to be higher. Really. No... I don't understand why either.) So MEconomy's only chance is to really blow away the other 30% of the businessfolk in the room by highly convincing arguments and having really done his homework beforehand. And it better work out the first time it's tried.
And that is why he posts to /. before taking it to his own company. So he can make the best possible case, because he probably only gets one chance... even though this might (and, as you point out, also might not) be the best possible thing his company could do.
Sorry for the cynicism, but it's reality.
Michael Chermside
Michael Chermside
-- Michael Chermside
Can't slashdoters even do BASIC math these days?
You meant to say "You get $21."
0**0 = 1
-- Michael Chermside
Former cs & math teacher before I gave in to the x2.5 salary and turned to the "dark side" (computer consulting)
> than a year old, so we can have the same
> discussion over and over again
Wait.. isn't that how it works?
-- Michael Chermside
It crosses the "feds" boundaries too. What if I (a US citizen) order something on the net from .au? Do I have to pay national sales tax (I know... there's no such thing, but JordoCrouse is essentially suggesting one)? Do I have to save all my receipts, and hand them in on April 15? How likely am I to actually do this?
Remember: the internet is NOT national... it's bigger than that!
-- Michael Chermside
I wish I had moderator points right now, I would up-moderate this as much as possible.
I have read several of your posts recently and been impressed with everything I have read. You are well-informed on these issues, and you contribute well to the discussions.
I have one request, which you might be able to help me with. I have been becoming quite interested, of late, in IP issues, particularly as relates to technology in both the legislative and legal branches. I am currently trying to find some good materials on these subjects that I can subscribe to. There must be a newsletter or two, maybe a legal journal on the topic... maybe a website (besides /., which isn't bad itself!) which will help me get informed -- on a serious level -- about these issues.
Do you have anything like this to recommend? If so, please let me know by email (mike.chermside@destiny.com). Thanks very much, mostly for your contributions to these discussions, and also for any info you may have for me.
-- Michael Chermside
My email address is "mike.chermside@destiny.com". Anyone brave enough to organize this can count me in.
Now consider the whole group of secretaries, managers, engineers, and other non-IT employees. They spend (many of them) much of their days creating documents. Can't you just hear them saying "Why do they restrict the formats I can use in creating my documents for no good reason? I'm a professional, jsut let me use the tools I need to get my job done!".
-- Michael Chermside
-- Michael Chermside
I guess my point is that you shouldn't make the assumption that a mathematical proof automatically has immediately applicable consequences. And you shouldn't run around offering $10M USD unless you mean it.
-- Michael Chermside