Obviously I need to upgrade my bifocals, thanks.
Perhaps the link only shows up if you're using the new YouTube Beta?
Meanwhile, Microsoft has announced that a new version of Windows Mobile including Pocket Internet Explorer and Pocket Windows Media Player will be available for motherboard manufacturers in the third quarter. "The initial release will be limited to a 320x240 screen resolution and controlled by tapping the "reset" and "power" buttons to simulate mobile phone controls, but we think people will find this a big improvement over those messy mice and keypads".
"The discovery addresses a lack of recent supernova in our galaxy."
This makes it sound like the galaxy's going to suffer incontinence or flaking nebulae if it doesn't get enough supernovae.
(disclaimer: this is a joke, I know what he means. I shouldn't have to add this, but this is slashdot)
The point is, that no matter how anti-ad we are or how concerned we are about our privacy, how is it that Google gets a pass on slashdot
Google doesn't get a pass from me when they don't deserve one. I can't speak for other people, just myself. If these situations were comparable, and Google was doing something similar to what Charter is talking about, I wouldn't defend them.
But they're not, and I've explained why they're not. If you think I missed something, then I would appreciate it if you'd go back and explain my error, but just repeating "Google's getting a pass" doesn't do the job.
I understand Microsoft built a software monopoly by mixing Window System management and a GUI toolkit together (and transferring it to .NET ensures that monopoly), but isn't .NET supposed to be one of the most advanced toolkits out there?
I think you answered your own question.
I don't know about "one of the most advanced toolkits out there", but it's an environment developed for a company that's been so reluctant to consider doing anything that might hurt their moneymaker that they've crippled project after project to keep them locked in to Windows. Ask people who had Windows CE clamshells and tablets in 2000 about Pocket PC, if you want to find some people who share your pain.
So, anyway, maybe you can help me understand something. A lot of people have ragged on me because I've been saying that Mono is the camel's nose under the tent, the first step in supplanting the UNIX API with Microsoft-derived ones. Oh no, they insist, that stuff only shows up in Winforms, MONO applications on UNIX are UNIX applications, the MONO API on UNIX is a real UNIX API, and Mono GUI applications on UNIX are going to use Gtk and other UNIX-based toolkits (setting aside the fact that Trolltech has been isolating and marginalizing the UNIX API for some time).
OK, now Mono's got Winforms in it. But, that's not what my question's about.
Here's what I want to know: you know the Windows environment, would you describe MONO, without Winforms, as more like Windows or like UNIX?
The price is high, but the limited product line makes the high price for Macs a much bigger problem.
This low market share is often attributed to the relatively high prices of Apple computers.
They're only about 40% more than comparable PCs, and sometimes less. But if you are looking for a conventional desktop then the "entry level" is over two grand.
Yes, I've heard all the arguments about how an all-in-one provides a better "experience", and how you don't "need" the expansion slots, and for people who like the iMac... I'm happy for you, fellas, I really am. But most people buying home computers don't buy a set-top style box like the Mac mini, or an all-in-one like the iMac, they buy a mini-tower or fat slab with expansion slots, drive bays, and room to grow. Whether they USE it or not, that's beside the point, that's what they buy. Companies look at Apple's high margins and come out with "iMac killers" and "Mac mini killers" and, well, they don't STAY on the market. Now I suppose they could just be selling out and they don't want to cut into their less profitable lines, but I suspect that they just don't sell well.
People aren't buying Macs because of the hardware "experience", they're buying them because of OS X, and they're often buying them despite the hardware "experience".
The cheapest Mac that really competes head-to-head with the average PC, on a hardware level, is the Mac Pro. For the rest of the line, you have an all-in-one with almost no upgradability, and a crippled desktop with even less than the all-in-one (the putty knife problem). Now I will go along (for the sake of argument) with the claim that people mostly don't upgrade their PCs, but even granting that the reason is that you can generally get any combination of stuff you WANT in a PC, because there's so many of them. Apple can't do that, upgrades are the only route to fine-tuning the box, and Apple doesn't even let you upgrade the one thing that's top on people's list of upgrades these days... the video card.
And in the mini, you can't put a full sized hard drive in there, you're limited to low power low performance laptop drives, or higher latency external drives.
The mini, currently, may be the MOST overpriced Mac. For $600 you get a 1.83 GHz dual-core CPU, 1GB RAM, 80GB 5400 RPM hard drive, and Intel integrated graphics... and firewire 400 and wifi. For $300 from HP you get a 1.8 GHz dual-core CPU, 1GB RAM, 320 GB 7200 RPM hard drive, and nVidia integrated graphics, but no wifi or firewire.
Well, you may say that the small size, the wifi, and the firewire is worth $300.
But you can't upgrade the mini to match the specs of the entry level HP for any amount of money, and adding wifi and firewire to the HP costs you $30 from HP and about $20 from Fry's.
So, setting aside the size, after upgrades, the Mac mini is 70% more expensive, and you have to give up 3/4 of your disk, you get a much slower disk, you get a USB port that can't even charge an iPod Shuffle, you get a far inferior graphics chip, and you get no "comfort headroom".
The size? If that mattered to most people then you can bet HP would have an "a6400z mini" out there. They're not going to leave money lying on the ground. The hardware "experience" doesn't move boxes.
Apple has to sell Macs to people for whom Apple's hardware is a huge stumbling block. Buying a Mac is like buying a car... and finding the only options are a decked out luxury SUV, a souped up Civic, or a motorbike.
They're selling laptops like mad because everyone's laptops have the same kind of limitations that Apple imposes on all their computers, but desktops are languishing because they're simply not in the race for most people.
Freedom of the press, baybee.
I go back to the first point somebody made saying I have the option NOT to use Google.
You have the option to not use sites that serve Google ads. If you care THAT much about them, then that's a choice you can make.
I don't care about Google ads, but I used to boycott sites that sold advertising to X10, and I turned them down as a potential advertiser on my own site, because of their obtrusive popups. I understand that a lot of people did the same thing, and they eventually went out of business. It's a pity, the products themselves were pretty good and pretty good value... they didn't need to turn to the dark side.
When your only broadband service is a single ISP that's a bit harder.
Until Google Streets View adds real time audio pickups, I'm not going to worry about some transproxy snooping what I say in a public place.
Eventually we'll be in a transparent society, with smart pebbles and smart dust and confetti-scale spybots making it necessary to use direct neural links to keep personal information private, but we're not there yet.
Thanks for the pointer. Appreciate it.
I was trying to explain what happened by putting you in the place of the OpenSSL developers.
I'm not nearly obdurate enough to write security software. You gotta be a hard boy for that stuff, so I can't wear those shoes no matter what.
OK, so the code didn't confuse them, and the bloke waffling about the minor advantage of using the stack frame for extra randomness was deliberately blowing smoke, that's fine, that was a side issue anyway. The main issue is that you put a note up saying "OH HAI, I'M NOT A BUG!" next to code that might look like a bug (especially when you've already had to #ifdef it out to get it to pass a bug checker).
I've seen way too much of this cleverly stupid stuff over the past 30 years, I've even done some of it back in the day when I was younger and less familiar with the traps that lay in wait for the stupidly clever. And I wouldn't have even commented about it except that this fella decided to explain how the original code was clever enough to put a tail on and call it a weasel. It ain't. That's all.
That's what I thought originally, but the whole business about the randomness of the stack frame is a red herring. The randomness in the stack frame isn't being used for anything, it's just that there's no reason to care what was in the buffer, so it didn't matter that it wasn't initialized.
I think that is a silly optimization, but it didn't hurt. What hurt was not documenting it, leaving a big old tiger trap with an illusionary bug as bait for a careless bug-hunter to fall into.
The waffling about the minor improvement in randomness from the stack frame is just blowing smoke to distract attention from the fact that they didn't write "this is not a bug" on the bait they accidentally left by the hole. It's "oops" all around this time.
Hashing newly received random data with the existing contents of a buffer is a completely standard cryptographic idiom.
That's not the cleverly stupid bit. But I've already pointed that out.
You say, I don't care, it's not important so go ahead and fix it.
You're pointing at the wrong bloke: I didn't say "fix it", I said "document it".
If you take a gun and aim it at your foot and pull the trigger, and it goes off, I'll give you a Darwin award (albeit with a nervous laugh). But if the guy who loaded the gun doesn't at least feel bad about leaving a loaded gun around, well, he's taking the Darwin awards too seriously. This kind of thing isn't "funny haha", it's "funny sheesh" (as Daffy Duck says, or is that Sylvester?).
Man, don't defend this guy. He is indefensible.
I'm not defending the guy who shot himself in the foot... the discussion on the mailing list about not putting in a protective #ifdef because they didn't want to compile it twice to get it past the checker makes it clear that they were deliberately aiming at their feet when they pulled the trigger... I'm attacking the guy who loaded the gun.
There's nothing wrong with writing code that does something unusual, so long as you document it.
Been there, not done that, got to stand up at a code review and wear the dunce hat.
Like I said about four messages back, there's plenty of guilt to go round.
Inconceivable!
I once worked with a moron who insisted upon nulling every object in a language where it was not only unnecessary, it was actually detrimental.
What, you mean that wasn't "C" code? Damn, I must be slipping.
There was nothing, whatsoever, dodgy about their code.
It did something that was counter to normal coding conventions without documenting it.
It's pretty clear that OpenSSH code isn't for tourists, and they have no obligation to coddle a tourist along through every line
"My code is too clever to be properly documented."
I've worked with a number of developers who had attitudes like that. One had two pages of tricky code for which the only documentation was a reference to a page in a textbook. When I looked it up, and compared the comments in the code he'd copied with the code he submitted, it turned out that the bug I was looking for would have been avoided if he'd just copied the comments over... AND he's the one who committed the bug.
NOBODY is so clever that they don't need to document their code.
If nothing else, the stranger who needs the comments may well be themselves in five years.
imagine if he had guideposts along the way...
Well, for one thing, he probably wouldn't have screwed up... or at least when he submitted the change it wouldn't have been OK-ed by someone from the OpenSSH team, as this one apparently was.
Because, you know, the LAST thing I want to happen when I'm out on a public street is to be seen by millions of invisible people hiding in the Google van.
O HI, I FIXED UR POST, KTHX.
They didn't depend on it: They needed a buffer to do some XORing to, and there was no need to initialize it. So they didn't initialize. That choice offered a potentially minor increase in entropy, and saved the admittedly minor computational cost of initializing the memory.
Ah, the light dawns. All that faffing about the "benefit" of using the uninitialised data was a smoke screen. The problem is that they saw an opportunity for a minor optimization that made the code a lot less clear, and didn't explain why they were doing it. They didn't even put in a "you're not expected to understand this" line.
They screwed up by writing dodgy code, and the Debian blokes screwed up by commenting out the code instead of initializing buf[]. They loaded the gun, and Debian shot themselves in the foot with it. Both sides should be embarrassed, not self-righteous.
I don't use Google, yet they seem to have no problem inundating my web experience with ads.
If you don't like the site you visit using Google Ads, tell them that. When they come back and tell you that they're paying for the site with Google Ads, see if that helps clarify the difference between Google Ads and Charter Ads.
(1) I don't enter that kind of data over an unencrypted link.
(2a) Google tracks my online activity when I'm not using Google's servers?
(2b) Charter pays the site that's getting their "deep inspection" ads inserted?
I mean, I've used some crude user interfaces before, but it's rare to find one that looks as polished as Blender's but is quite as actively hostile to use. When I started working with Blender the only thing I could figure out was that the guy who designed the UI really really hated people and wanted to cause as much pain for his users as possible.
The one thing that comes to mind there is a hardware entropy source.
Like, oh, building a FreeBSD system with 'rand_irqs' set in /etc/rc.conf?
Looks like turning that on triggered some problems with OpenSSL support in PHP for some people, a few years back.
Oh, the irony.
However as mentioned, that's not the only or main source of randomness, and getting rid of that randomness was not the bug. It was getting rid of other sources of randomness in the process, because they -resembled- the function that used uninitialized memory.
My crypto-fu wasn't good enough to tell that from a few minutes of browsing the code. Can you elaborate?
What would be a better source of randomness?
Well, the first thing they should be using is /dev/random. If that isn't trusted enough, then waiting for the user to enter a page of random "lkjhfoip mef4nbfkuln3xo8897 69hj8y8363t8iowemj67 8h6&O*H8T87gn9p9U90 786bionnng" is traditional. Alternatively, see my suggestion in http://slashdot.org/comments.pl?sid=551636&cid=23393904 (which actually picks up a few of the things /dev/random is commonly seeded from).