I initially intended to use the analogy to show why extraordinary claims require extraordinary evidence. It had enough parallels with the topic at hand, though, that I used it to further clarify my argument. I did this not because I don't understand the realities of computer security (in fact, my livelihood depends on my expertise on the subject), but because the person I was addressing seemed to be having trouble grasping the subject.
Avoiding all analogies, the best mathematical model I can come up with is that the damage inflicted due to a vulnerability is proportional to the number of people who have the knowledge required to exploit it multiplied by the amount of time each person has the knowledge required to exploit it.
So... more people knowing = more damage. More time unpatched (while at least 1 person has the knowledge) = more damage. 0-day disclosure increases the #ofPeople factor dramatically. So dramatically that it dwarfs the risk exposure caused by a few weeks of increased time.
A security bug is only a problem when someone knows how to exploit it. While no person knows how to exploit it, it is not a problem, and no problem is persisting.
Bzzt. Wrong. Bugs are not at all like pathogens. The exploitation of bugs is like a pathogen. Exploitation only occurs with knowledge. If you can't see that, you're far too simple to be worth talking to. Of course, you probably realize your mental limitations, which is why you are too cowardly to put a name to your statements.
Yes, I don't give evidence to back up my claim because it is... obvious. You made an outrageous claim that flies in the face of common sense and reason. No one would take such an unlikely claim seriously unless there was evidence to back it up.
Here's an example:
Which is going to cause more damage:
a) releasing a contagious pathogen into a population before a vaccine has been developed and distributed
b) releasing a contagious pathogen into a population after a vaccine has been developed and distributed
I don't need to provide evidence for b). It's self-evident. I would consider the possibility that a) is true only with strong evidence.
The pathogen is similar to the situation in discussion here. "public knowledge of a security vulnerability" is analogous to the distributed pathogen.
Even though it is possible that the pathogen exists somewhere, it obviously isn't doing much damage or else it would have been noticed. If you're going to start spreading it around to everyone, it's best to wait for the vaccine.
So yeah, I don't care what your intent was. The part of your message I quoted flies in the face of common sense, yet you state it confidently as if it were a fact.
The problem with setting any reasonably lengthy period of time is that it results in that much more infection and use.
Wow. Do you have any evidence whatsoever to back that claim up? Or did you just see it on IRC somewhere?
Back in reality, it is almost universally assumed that a published exploit for which no patch exists will lead to much more damage than a published exploit for which a patch is widely available. In fact, it is so obvious (to almost everyone but you) that such a study has never even been performed.
The security community shuns researchers who publish exploits without allowing vendors a chance to patch. Security researchers who practice "full disclosure" instead of "responsible disclosure" are widely considered malicious and immoral.
"Sentient" computers are likely to arise from emergent intelligence--not direct programming. Think genetic algorithms. Most likely, nobody will really totally understand just what "it's programmed to want."
Some good scientists want to be celebrities for the sake of making the world a better place and freeing people from ignorance. See Richard Dawkins for an example. Look at his scientific publications. You can't say he is a bad scientist, yet he certainly is a celebrity.
Can you please list one method for discovering the truth about the natural universe that is better than the scientific method?
I didn't think so. Do you want your public policy to be based on the best approximation of truth about the natural universe we have, or do you want it to be based on something else? If you think it should be based on something else, will you please do the world a favor and stop voting? And breeding?
Nope. You're wrong on both counts. See "GE Reveal" incandescent lights to see why you are wrong on the first one, and see "sunlight" to see why you are wrong on the second.
They must teach neither physics nor logic in Finland.
I have a very small apartment, and when I have the computers turned on, they keep my room so warm I don't need to use the gas heater. In fact, even in winter, I sometimes have to open the window because the computers are so good at heating. The truth is, many electrical devices provide the benefit of heating for free. Ignoring this fact is a bit silly.
CFLs have a different spectrum from incandescents. You can't directly compare the brightness.
Personally, I would rather spend more energy to have a wider spectrum. Light from CFLs makes a lot of things look uglier to me. My own skin seems to look pale and sickly under CFL, but well and healthy under sunlight or incandescent light. You won't see me buying CFLs for my home.
I'm glad to see you decided to respect my patent on the tag. If you are interested in using this tag in the future, contact me for licensing rights.
Re:It Left a Hole in the Clouds, on UFOs In the News · Score: 1
My grandfather was in the US Air Force. One of his many, many stories involves himself and several friends distracting a guard and stealing a plane to take for a joyride. They landed it at a different base and made their way back via other methods. They were never even busted for it. He says he's always wondered what happened to the poor sap who was supposed to be guarding the plane.
Anyway, I'm not saying it's likely that some test pilot ran off with a research craft. But it is possible, and much more likely than the appearance of an interstellar spacecraft.
It sounds to me like you work with an annoying guy who is obsessed with coffee, but instead of complaining to him about it, you bitch on the Internet about nerds. Who's being macho, now?
People often wear clothing to express themselves. If I like rowing, I might wear a rowing t-shirt. If I like New York, I might wear an I <3 NY t-shirt. If I like both programming and coffee, I might wear a "coffee into code" shirt. "Macho" doesn't enter into it. It's just expression.
Do people still maintain the facade of loyalty? In a capitalist economy, a worker provides his services to whichever employer provides him the best compensation (however he defines it). The worker who turns down jobs with significantly better compensation due to "loyalty" is failing to play by the rules of capitalism, and will limit his success in our capitalist economy.
When I buy shares in a company, I expect its management to fire employees who are not profitable. If management were to operate a division at a loss--with no or little projected future profitability--because of loyalty, I would consider them inept and keep that in mind when voting. Loyalty doesn't enter into management decisions. The perception of loyalty may be an issue if that is one of the tricks being used to keep people working for less than they are worth, but that is entirely different.
It is not the responsibility of for-profit companies to provide a social safety net. Whether it is the responsibility of the individual or the government is up for debate, though :-)
I had a boss that was verbally abusive. Sometimes he would yell, but mostly he would just quietly berate you. After a couple of years of working for him he had convinced me that I was of no worth to any other company and that I was lucky to have the job.
Did your manager also have a feathered hat, wear a long, purple fur coat, and carry a cane?
I first heard of calorific restriction as the result of a study on monkeys. It was publicized so much that there were follow-up articles about people who intended to follow such a diet. I'm surprised you missed all that publicity.
Your "appeal to authority" bit made me laugh. It is obvious to the intelligent person that if compelling information existed which demonstrates that a meatless diet significantly extended human lifespan, then a noticeable number of persons whose careers are dedicated to extending human lifespan (physicians) would practice such a diet.
I know several physicians. They all eat meat. They feed meat to their children. They recommend others eat meat.
If you think expert opinions regarding extremely complex subjects, such as human metabolism, are meaningless, you must have a hard time functioning in the world. I admire your sense of skepticism, but scoff at your lack of pragmatism.
You assume being natural implies being better. That is a false statement for which anyone can provide numerous counterexamples. Your reasoning based on this false assumption is, therefore, absurd.
I encourage you not to spread this errant meme to other people. Popular misconceptions, like yours, hinder social progress, especially in democracies.
Primates (tested on monkeys, very likely true for humans) who subsist at near-starvation levels of calorie intake live significantly longer than those that eat "normal" amounts of calories. Why aren't you starving yourself?
Also, if meatless diets are so obviously better for your health, why do so few health experts choose meatless diets for themselves? Perhaps the evidence is not as clear as you think it is.
If you don't know pointers, then you don't know how the machine works. I would never use a doctor that didn't know how my body worked.
Have you ever asked a GP physician about microbiology? They know surprisingly little. Doctors work at a higher level and get a lot done without knowing the lower level details.
What a charming oversimplification!
Yes, calling someone "macho" for wearing a shirt which expresses his interests demonstrates a stunning logical sophistication. Good for you!
I have studied formal logic and discrete math. They were my favorite classes, actually.
They do have that right.
Please explain Brownian motion to us then, Mr. Clever.
Is privacy in a public place considered an "essential liberty?" I don't think your quote applies here.
And rowing websites don't have coder shirts. So what?
Yep, I'm missing the point I guess, but I doubt I'm missing out on much.