A conspiracy is (by definition) an agreement between two or more people to commit a crime in the future.
Your definition disagrees with mine:
3 fig. Union or combination (of persons or things) for one end or purpose; harmonious action or effort
(OED 4th Edition)
Even if we confine the discussion to legal definitions, they vary from place to place. Here's OED's second definition, which is tagged as relating to law:
2.a (with a and pl.) A combination of persons for an evil or unlawful purpose; an agreement between two or more persons to do something criminal, illegal, or reprehensible (especially in relation to treason, sedition, or murder); a plot.
So even in this definition, the act need only be reprehensible and not strictly illegal to qualify.
This isn't an issue of "two different currencies". What other time in history has a government issued a new currency, exchanged the "old currency" for the "new currency", and *let you keep* the "old currency" when handing you new currency?
The inability to deal with prolonged netsplits sanely is a fundamental limitation of the Bitcoin protocol.
Erm. That is not even approximately what's happening here. There is no old or new currency, no exchanging happening, and no inability to deal with "netsplits" as you put it -- there is a built-in algorithm that is used to resolve cases of chain forks. It is unfortunate that some of the older mining software out there won't recognise the existence of the fork and will therefore happily carry on working on the broken incorrect chain, which may therefore cause some buggy older clients to report transaction success or failure inaccurately, but the chance of this actually affecting anyone's actual money is tiny. Other than the miners who haven't updated, who will lose their mining fees. But as they're the equivalent of bankers in this system, nobody actually cares about them...
Fortunately, it's only mining software that needs to be updated. Anyone just handling ordinary transactions doesn't really need to worry.
The Boston Bomber victims. The three kidnapped girls. But never mind them, obviously your pain is greater. Please tell us more.
As a technical community, there is little we can do about events that occurred in the past short of inventing a time machine (and I think there would be worse atrocities to prevent than those if we did). But ongoing problems caused by short-sighted technical ideas are right up our street. They're things that are in our line of professional thought (for a large proportion of the community here) and that a few here might have direct influence over (don't try telling me none of facebook's dev team reads /., because I just won't believe you).
Yes, there are different levels of problems and some people always have it worse. But we shouldn't let that stop us addressing the smaller scale problems, because those are often the things that we can actually fix.
+1
It's only a vulnerability if it allows you to do something that you wouldn't normally be able to do. AFAICT, there are no security guarantees involved here that can be violated, so this is not a vulnerability. It's a bug.
Yep. "0-day" is just security talk for "newly discovered"
No, you are wrong. It means, "not public knowledge." The difference is crucial. I would explain it to you but I don't know how I can explain it more simply than my previous post.
All vulnerabilities are not public knowledge when they are newly discovered. You're drawing distinctions that don't make a difference.
what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?
Seriously - do you think people download and install WoW mods who wouldn't run executable code from the same source? For all I know, WoW mods *are* executable code... I know they're (usually) written in Lua, which I believe is a general-purpose language, and I've no idea whether there's any kind of sandbox involved. And I've never installed one, but I'm going to guess they're at least sometimes distributed either as .exe files or as .msi files, both of which are executable or can trivially contain executable code. Here's an example of an apparently popular WoW mod whose installation instructions suggest the user runs a .bat file -- how many do you think read that file first?
Have you considered using abort()? It should send your process a SIGABRT, which unless you've configured it otherwise will generate a core dump, and is rather more readable to other programmers.
Calling printf() with an un-sanitized user supplied format string is an exploitable security vulnerability
Disagree.
It is only a security vulnerability if it allows the user to perform an action they are not authorized to perform. Just allowing them to execute code in the context of your application doesn't count, because frankly they could just open up the application's .exe file in a binary editor and inject the code they wanted to run. In order to be a vulnerability, there must be some security guarantee (or just expectation) that is violated.
Possibilities are:
1. The program runs with greater privileges than the user would normally have (e.g. setuid on a Unix system, or on a public-facing kiosk system)
2. The program accepts input from an external source, e.g. over a network connection from a user that has not been authenticated to have permission to execute code on the local system
3. The program accepts input from a source that would normally be considered a "safe" file that a user is likely to download from the Internet, e.g. document files.
If none of these 3 conditions are true, then IMO it is not a security vulnerability. It's just a different way for the user to make their application do something unexpected. Which, honestly, appears to be the case for the "exploit" presented in TFA: games don't typically run in a privileged environment that their user does not have access to, do not generally accept console commands over their network connections, and people don't usually consider game mods as safe files, because they often (or even usually) include executable content that would have access to fuck their system over if the designer wanted anyway.
DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason it is ever absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.
Situation fitting the bill: you're writing a quick utility command-line program that is intended for local non-setuid use, and which needs to generate a sequence of files, but you need the user to be able to control the formatting of the filenames. Filenames are generated using the following approach:
#include <stdio.h>
#define MAXPATH 256   /* filename buffer size (assumed; not given in the post) */

for (int file = 0; [...]; file++)
{
    char filename[MAXPATH];
    /* argv[1] is the user's pattern, passed straight through as the format string */
    snprintf(filename, MAXPATH, argv[1], file);
    [...]
}
User uses the program with a command like "generatefiles output%04d.dat". Providing this kind of flexibility *without* using snprintf is rather time consuming and is not worth it for the majority of cases. Sure, the user could potentially exploit the program to make it execute whatever code they want, but they could just execute whatever code they want... it would be somewhat simpler.
Oh, and your idea of not allowing unescaped '%' characters completely negates the only point in ever doing this, so it seems a little ridiculous on the face of it.
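An added example, not code from any of the posts above: a C version of the file-naming utility described in the preceding comment that still lets the user supply the naming pattern, but checks that pattern against an allow-list before it ever reaches snprintf. The function names validate_filename_format and make_filename, the 256-byte buffer, and the accepted grammar (literal text, "%%", and exactly one integer conversion of the form %[-0][width]d or %i) are this example's own choices. It is what the earlier "no unescaped % characters" suggestion has to become to keep the one feature the poster wants: a single %04d survives, while %n (which writes to memory), %s and %x (which read the stack), length modifiers and any second conversion are rejected.

```c
/* Allow-list validation for a user-supplied filename pattern (example code).
 *
 * The pattern may contain literal text, "%%" (a literal percent sign) and
 * exactly one integer conversion of the form %[-0][width]d (or %i), which is
 * the only conversion make_filename() supplies an argument for.  Anything
 * else -- %n, %s, %x, %p, length modifiers, precision, a second conversion --
 * is rejected before the pattern reaches snprintf, so the call below always
 * consumes exactly the one int argument it is given.
 */
#include <stdio.h>
#include <string.h>

/* Returns 1 if fmt is safe to use as snprintf(buf, n, fmt, (int)x), else 0. */
int validate_filename_format(const char *fmt)
{
    int conversions = 0;
    const char *p = fmt;

    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;                                  /* skip the '%' */
        if (*p == '%') { p++; continue; }     /* "%%" is a literal percent */

        while (*p == '-' || *p == '0') p++;   /* the only flags we accept */

        int width_digits = 0;                 /* optional field width */
        while (*p >= '0' && *p <= '9') { p++; width_digits++; }
        if (width_digits > 4)                 /* no %999999999d nonsense */
            return 0;

        if (*p != 'd' && *p != 'i')           /* n, s, x, p, l, h, '.', NUL... */
            return 0;
        p++;
        conversions++;
    }
    /* Exactly one conversion: zero would name every file the same, two
     * would make snprintf read an argument that was never passed. */
    return conversions == 1;
}

/* Build one filename from the pattern; returns 0 on success, -1 if the
 * pattern is rejected or the result would not fit in out. */
int make_filename(char *out, size_t outsz, const char *fmt, int index)
{
    if (!validate_filename_format(fmt))
        return -1;
    /* fmt is now known to consume exactly one int, so this is well-defined.
     * -Wformat-nonliteral will still warn here; that warning is the compiler
     * reminding you that the check above is what makes this call safe. */
    int n = snprintf(out, outsz, fmt, index);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Default pattern mirrors the "generatefiles output%04d.dat" usage above. */
    const char *pattern = argc > 1 ? argv[1] : "output%04d.dat";
    char filename[256];

    for (int file = 0; file < 3; file++) {
        if (make_filename(filename, sizeof filename, pattern, file) != 0) {
            fprintf(stderr, "rejected pattern: %s\n", pattern);
            return 1;
        }
        printf("%s\n", filename);   /* the real tool would create the file here */
    }
    return 0;
}
```

Build with something like gcc -Wall -Wformat=2 and the non-literal-format warning on the snprintf call remains; that is intended, since the validation function, not the compiler, is what guarantees the argument count matches. Running the program with "%n" or "%x%x%x%x" as the pattern exits with "rejected pattern" instead of reaching snprintf at all.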
I regularly run Rome TW on Win7 as an admin-enabled user but without elevating it via UAC and it works just fine.
All applications use zero resources when they're not running. Why does Steam run constantly?
ITAR may overrule other legislation as it is I believe an implementation of an international treaty (?) and such things are held to have a kind of quasi-constitutional effect.
What are these archaic "day" and "year" units you're using? I haven't felt the need for units based on the orbital mechanics of one single planet for a significant fraction of a gigasecond. And besides, 10*PI megaseconds is a much more interesting period of time. :)
The first amendment covers distribution of instructions for performing an act, whether that act is legal or not.
it will be interesting to see how two pieces of contradictory legislation hold up against each other.
Not especially. Such things are generally settled now -- the newer legislation supersedes the older, except where the older has constitutional effect.
... the question is more why they stopped coming. WoW (like most MMOs) has always had a large number of players leaving every year. This hasn't changed; what has changed is that in the past they've always been able to attract new players at a pretty fast rate so they can continue to grow.
So why are the new players not joining up any more? I blame the pandas. From an outside perspective, they make the game look silly.
Allwinner's most popular chip at the moment is quad Cortex-A7.
Really? Because when I look at alibaba et al, what I see is mostly A13 based, which is a single-core Cortex-A8.
The main objections would be practical -- the neck of the bottle can be used to catch sediment while you're pouring and because you can see it you know when to stop pouring. Your filter idea may work, but I'd be concerned about the filter affecting the taste (it would almost certainly pull CO2 out of solution at the very least).
We were in the Catskills in what was then called a bungalow colony.
Like an ant colony, only much bigger?
You've obviously never read Flatland. Perceiving a shape in Flatland involves moving around it so you can see it from multiple sides.
Allow an H1B visa holder to change jobs freely within the 6-year timeframe of their visa.
You're missing the point: why do we need the program at all? Why fix something that isn't even necessary in the first place?
Because if it worked as it was originally intended, allowing hiring of candidates with truly rare skills as and when they are needed from wherever in the world those candidates might be found, it would be a net asset to your country's economy without costing the existing citizens anything. Allowing it to be used to shortchange the existing citizens who are perfectly capable of filling the jobs but just want more money/better conditions/more training/whatever is a product of poor implementation, not something that was a bad idea in the first place.
You do know that the Z80 has 16-bit memory access and is thus limited to 64 kilobyte banks, and more than 4 banks (with the right extenders and drivers!) is unheard-of?
I do recall reading about a company that was offering a memory extender for the Spectrum that would accept up to 4MB (i.e. 64 full address space banks - I think they were actually using 256 x 16K banks for software convenience). Don't know how many they sold, though...
Move to Europe. Then your government will subsidise you to install solar cells on your roof that provide essentially free energy (modulo not getting the premium for selling back to the network, which is less than 7c/kWh).
A $150 ASIC box is reported to produce 100x as much as a dedicated Videocard
Where are these mythical cheap ASICs? I don't see anyone selling them for short of $1300.
Also:
Go try and make your own $20 bills.
Go try and make your own bitcoins. You can't: the network makes them at a predictable and (over the long term) fixed rate, and gives them as a reward to users who provide a particular service to the network. You can do all the mining you want, but it won't cause a bitcoin to be created that would not otherwise have been created anyway.