People are still writing code vulnerable to SQL injection attacks?
Yes, they are. It doesn't help when lots of online tutorials give crappy information, like saying to use mysql_real_escape_string in PHP instead of a proper parameterized query. (Using the escape function is better than nothing, but it's not foolproof and is needlessly convoluted.)
This tutorial, which ranks first on Google when I search for 'php sql', uses the escape method and does not mention parameterized queries at all. (The correct method is described here.)
Otherwise known as "the only sane way to simulate exceptions in C". Seriously. Read up on how "goto" is used in low-level code bases such as OS kernels, instead of citing some vague memory of a 1960s paper without understanding its criticisms.
I agree that using the goto statement is about the only sensible way to simulate a try/throw/catch block in C (of course, you can wrap this in macros to simplify). But that's a serious flaw in the C language, and it means that the maintainers of the C standard should have updated the standard with conditional execution methods that allows this to be handled in a more elegant manner – maybe something like Windows structured exception handling.
But 6,740 of them? Really? I find it hard to believe that all were necessary, unless OpenSSL's code base is even more bloated than I've been led to believe.
Otherwise known as "making the thing go fast". Yes, I want the bignum library, or hashing algorithms, to use assembly. Things like SIMD make these tasks really effing fast and that is a good thing...
These days it's usually recommended to handle SIMD with compiler intrinsics, not inline assembly. You get the added power without having to do the whole inner loop on bare metal, or worry about your register usage conflicting with that of the compiler. (GCC's inline assembly syntax is almost incomprehensible.) Maybe, maybe, there are a tiny handful of inner loop situations where you need actual inline assembly, but don't jump to that conclusion ahead of time. They should have first written the algorithms in C, then tested and profiled, then if there were areas where more speed would be helpful, try compiler intrinsics to speed up and/or parallelize the bit-twiddling; and only then resort to inline assembly if that wasn't good enough. But OpenSSL was full of premature optimizations like their crappy fake malloc that was designed for unspecified systems that allegedly had poor performance with the system malloc. Why should we all have to put up with poor security because some idiot is still running a 386?
the fact that it was authored by someone who's more expert in security than you and has had more eyes to review it than your ad-hoc solution.
You may be right. Still... isn't that what most people were thinking when they used OpenSSL? It's a bad idea to roll your own crypto, we all know that, but we assumed that OpenSSL was written by people who understood security and that lots of eyes made bugs shallow. Turns out, that was completely wrong: OpenSSL was written by poorly trained monkeys, and however many eyes may have been scanning it, it obviously wasn't enough.
And thay changes things, how? C++ allows all the same "unsafe" things as C does. Have you ever used C++ before?
Since C++ is a superset of standard C, yes, you can write the same kind of unsafe code in C++ that you would in C. And indeed many programmers do this.
But C++ gives you the tools to automatically catch various kinds of errors and memory leaks. If you use class destructors correctly, you can ensure that an object is automatically closed properly when it goes out of scope. There are a lot of standard classes such as smart pointers that are specifically designed with this kind of programming in mind. It's not 100% foolproof but it is a lot more reliable than having to remember to do it all manually in C (or C masquerading as C++).
It took me 10 years, a degree, tons of hours of work, to get my salary up to that level and I am sure I could have been running some RG-58 pretty efficiently for the past 10 years.
Do you want to be digging trenches, fishing wires through walls, and squeezing yourself into tiny crawlspaces and/or attics full of sharp points, mold, and vermin?
Electricians get paid good money, too, and for the same reason – it's a difficult trade job that requires both physical dexterity and a reasonable level of intelligence. You can't really compare a job like this with a white-collar job where you sit behind a desk at a computer all day.
Tech industry jobs that do not require a four-year degree and may only need on-the-job training include customer services representatives, at $18.50 an hour, telecom line installer, $37.60 an hour, and sales representatives, $33.60 an hour.
There seems to be some confusion here. What exactly constitutes a "tech industry job"? I wouldn't consider any of the above three positions to be that. Customer service (as opposed to technical support) is a low-paid non-technical job that usually involves reading off a script. In most parts of the country it will pay a lot worse than $18.50 an hour (maybe as little as half as much). Telecom line installer sounds like a blue-collar trades job – not necessarily a bad thing if it pays well, but not the kind of thing that someone gets into the "IT industry" to do. And sales is, well, sales – the average techie isn't going to be at all suited for this.
The question really should be how important a college degree is for real IT jobs like programmer, network admiinistrator, or DBA.
Then it is analyzed by genius hackers who are paid top dollar for the job.
"Top dollar"? This is a government agency. They pay based on the GS scale. Even if the NSA's security hackers were classified at GS-15 (the highest rate), that's about $120K a year to begin – if they really are "geniuses" then they could do better in Silicon Valley, and probably feel better about their jobs as well.
In general, the GS scale pays somewhat more than typical private-sector rate for low-end jobs, but considerably less for high-end jobs.
Government contractors rake in the dough, but that money goes to politically-connected businessmen, not rank-and-file employees.
If you're crashing out on reads, then every malloc(1) that crashes if you read 2 requires 4096 bytes of real RAM to store 1 byte of data--we get into costs.
4096 bytes of RAM as an unacceptable cost? Seriously? Besides, how often are you repeatedly allocating really tiny buffers like this? If you have to do that, then maybe there's a more fundamental problem with the way your code flow is designed.
A lot of large performance-sensitive projects implement custom allocators in the form of arenas and freelists. Lots of platforms have a fast malloc implementation these days, but none of them will be as fast as this for the simple reason that the program knows more about its memory usage patterns than any general-purpose allocator ever could.
This is security software. You don't sacrifice the library's core functionality to make it run a bit faster on the old Celeron 300 running Windows 98.
This is not a problem with OpenSSL, or the C Language or the Malloc implementation, this is a problem because everyone is relying on the same black box they do not understand.
That's a cop-out. Any kind of advanced economy needs division of labor. This is no less true of the IT industry than anywhere else. The people building the "black box" need to know what they're doing and it needs to work. Period.
The Intel Galileo board has 8 GPIO pins, but these are not nearly as useful as on an Arduino or Raspberry Pi because they are actually multiplexed through I2C rather than connected directly to the processor, and thus are much slower to read or toggle than on other project boards. Is the same true of the MinnowBoard Max, or does it have real GPIO? This might not matter if you're going to use it as a router or NAS, but for embedded projects it can make a big difference.
What if he had said, "blacks don't deserve the right to vote"?
If someone said that in Alabama in 1957, would it be justified to deny them employment for the rest of their life even if they changed their mind after the Civil Rights Act passed?
Publicly acceptable positions on gay marriage are changing quickly. In 1996, Congress overwhelmingly passed, and President Clinton signed, a bill (DOMA) banning recognition of gay marriage across state lines. 10 years after that, few Democratic politicians, at least outside the most conservative states, would defend that position. But views changed slowly. In 2004, when running for the Senate, Barack Obama said that he thought marriage should be between a man and a woman. He said in 2010 that his views were "evolving", and at that point said he supported civil unions. Shortly afterward he came down on the side of supporting gay marriage without reservations.
The point is that this is an issue on which decent, well-meaning people have disagreed. To the extent that there is a majority consensus, it has only formed recently. Going back and retroactively persecuting people for their views before the consensus formed seems grossly unfair.
I'm not clear. When did freedom of speech extend to the operations of a private business?
A majority of people in modern-day America work for corporate entities of some kind. If you argue that free speech should only be protected against the government and not against employers, then you are in effect saying that a majority of people shouldn't have any free speech protections at all.
Who really killed the EV? It was the "consumer" who was beating down the manufacturer's door for an EV but never put down their cash when the manufacturer delivered on that demand.
Tesla is, in fact, a highly profitable company. They paid off their $465 million Department of Energy loan nine years early. So the rest of your rant is irrelevant. Tesla is profitably making electric vehicles that actual customers are buying. And they already have designs coming up that will be considerably less expensive than the Model S, and will almost certainly see much higher sales figures as a result.
I constantly see the focus on improving the car. Making it safer, adding more air bags, ABS brakes, avoidance features. All to address what has become a simple fact of people not being good drivers. Its like handing out flake vests because we have too many shooters out there. Maybe at some point the government could focus on improving driving skills and teaching people to actually drive their vehicle and use the tools like side mirrors already on their vehicles? Does anyone thing camera's will be any more effective? I think not.
Your error is that you think it's easier to improve human behavior (across a diverse population of millions of people) than to improve technology. It's not.
Keep in mind that the average person has a median IQ of 100. And half the population is even dumber than that. Keep in mind that human drivers will inevitably be distracted by various events and emotions during the time that they are driving, so even an otherwise intelligent and conscientious driver is going to have weak moments now and again – and it only takes a brief lapse of concentration to risk an accident.
The truth is that driving is just too hard a task for most humans to perform reliably and consistently. In the next 10-30 years, manual driving will be replaced by self-driving cars. And some day we will look back on the era of manual driving the same way we now look upon previous eras without antibiotics or sanitation.
These are already in several cars. It doesn't solve this problem, it solves a different problem.
How so? The purpose of side-view and rear-view mirrors in cars is to allow the driver to see objects that would otherwise not be visible. If you have a full 360-degree overhead realtime view of everything surrounding the car, then you don't need any mirrors, because that display gives you a superset of the information you'd get by looking at mirrors.
They made the desktop unappealing on purpose. If you like "shiny" you're supposed to switch to the metro apps and interface.
The Metro apps are just as flat and dull. It's really a widespread design trend. Designers consider it to be moving away from "skeuomorphism". I consider it to be the UI equivalent of the Brutalist architectural style (those bare concrete box buildings from the 70s).
This still creates a coverage gap for XP users. If 8.1 had a sane UI today, I'd go XP-to-8.1. It's just an announcement though. With XP support going tits up in just a few days, there's no way to fill the gap without doing something transitional that you might want to throw away in a few months.
Just upgrade to Windows 7. It's a proven solution and it has extended support (security patches) up until mid-2020.
Windows 9 looks like it's going to fix the worst suckage of Win8, but I don't see it as being a "must-have" any time soon.
turning tvs into smart tv's might make sense but eventually...everyone will just have a smart tv.
That might work on the low end, but if you buy a $1000+ TV, you probably don't want to have to buy another one to replace it in a few years when the company stops updating the firmware or the SoC can't handle the latest video codec or whatever. Much better to use the expensive TV as a video monitor alone, and keep the fast-obsoleting stuff on a cheap external box.
or you can hook up an old PC that you have around.
The average PC is a big clunky box that doesn't fit in well in this environment. It's also a lot more expensive than these $99 streamers. An older or cheaper PC might not even have the HDMI output you need for connecting to a typical flat-panel TV. And a standard Windows PC is set up with a user interface that is designed to be used with a keyboard and mouse at close range, not a remote control from 5-15 feet. Yes, there are ways around all these things, but the average user would rather buy a purpose-built device than spend all that time tinkering with something they barely understand.
So, BY DEFINITION, what they were doing was producing a reality show, since there is no way you could call this a documentary.
No, I think they did expect it to be a documentary. And that is what they were led to believe that it was.
And it appears from the various descriptions of this event that it was Maker Studios that signed up the developers. Pepsi was brought in later. Why should this contract, which the developers weren't even directly a party to, mean that the devs have to do a completely different job than the one they signed up for?
The problem here is that it looks like someone – maybe Maker, but that isn't quite clear – pulled a bait and switch on both sides.
The event was sold to the programmers as a "Game Jam", a contest of skill. But it was sold to Pepsi as a "reality show" – a heavily edited event that focuses primarily on playing up drama. These two expectations were mutually contradictory, and inevitably led to the clash that happened, and to the whole thing falling apart.
When the developers refused to sign the contracts until the boilerplate "reality show" language was removed or at least modified, this should have been a warning sign to Maker and Pepsi that this wasn't going to work out the way they wanted. But they didn't take the hint.
You can't be that dense. This is a media production. You don't get to sign up to play Hamlet, and then demand to be able to drink Pepsi while the cameras are rolling. That's the line between being a programmer and being an actor. These guys signed up to be actors, but they don't want to follow the rules.
But that's the problem: they didn't sign up to be actors. They were under the impression that this was going to be an actual contest of skill, and it was changed into a "reality show" without their knowledge or consent. This problem first came up when the contracts were signed – a lot of the standard "reality show" boilerplate had to be removed because the devs refused to go along with it. That should have been a heads-up to the studio, but it wasn't.
Slashdot Mirror
People are still writing code vulnerable to SQL injection attacks?
Yes, they are. It doesn't help when lots of online tutorials give crappy information, like saying to use mysql_real_escape_string in PHP instead of a proper parameterized query. (Using the escape function is better than nothing, but it's not foolproof and is needlessly convoluted.)
This tutorial, which ranks first on Google when I search for 'php sql', uses the escape method and does not mention parameterized queries at all. (The correct method is described here.)
Otherwise known as "the only sane way to simulate exceptions in C". Seriously. Read up on how "goto" is used in low-level code bases such as OS kernels, instead of citing some vague memory of a 1960s paper without understanding its criticisms.
I agree that using the goto statement is about the only sensible way to simulate a try/throw/catch block in C (of course, you can wrap this in macros to simplify). But that's a serious flaw in the C language, and it means that the maintainers of the C standard should have updated the standard with conditional execution methods that allows this to be handled in a more elegant manner – maybe something like Windows structured exception handling.
But 6,740 of them? Really? I find it hard to believe that all were necessary, unless OpenSSL's code base is even more bloated than I've been led to believe.
Otherwise known as "making the thing go fast". Yes, I want the bignum library, or hashing algorithms, to use assembly. Things like SIMD make these tasks really effing fast and that is a good thing...
These days it's usually recommended to handle SIMD with compiler intrinsics, not inline assembly. You get the added power without having to do the whole inner loop on bare metal, or worry about your register usage conflicting with that of the compiler. (GCC's inline assembly syntax is almost incomprehensible.) Maybe, maybe, there are a tiny handful of inner loop situations where you need actual inline assembly, but don't jump to that conclusion ahead of time. They should have first written the algorithms in C, then tested and profiled, then if there were areas where more speed would be helpful, try compiler intrinsics to speed up and/or parallelize the bit-twiddling; and only then resort to inline assembly if that wasn't good enough. But OpenSSL was full of premature optimizations like their crappy fake malloc that was designed for unspecified systems that allegedly had poor performance with the system malloc. Why should we all have to put up with poor security because some idiot is still running a 386?
the fact that it was authored by someone who's more expert in security than you and has had more eyes to review it than your ad-hoc solution.
You may be right. Still... isn't that what most people were thinking when they used OpenSSL? It's a bad idea to roll your own crypto, we all know that, but we assumed that OpenSSL was written by people who understood security and that lots of eyes made bugs shallow. Turns out, that was completely wrong: OpenSSL was written by poorly trained monkeys, and however many eyes may have been scanning it, it obviously wasn't enough.
And thay changes things, how? C++ allows all the same "unsafe" things as C does. Have you ever used C++ before?
Since C++ is a superset of standard C, yes, you can write the same kind of unsafe code in C++ that you would in C. And indeed many programmers do this.
But C++ gives you the tools to automatically catch various kinds of errors and memory leaks. If you use class destructors correctly, you can ensure that an object is automatically closed properly when it goes out of scope. There are a lot of standard classes such as smart pointers that are specifically designed with this kind of programming in mind. It's not 100% foolproof but it is a lot more reliable than having to remember to do it all manually in C (or C masquerading as C++).
It took me 10 years, a degree, tons of hours of work, to get my salary up to that level and I am sure I could have been running some RG-58 pretty efficiently for the past 10 years.
Do you want to be digging trenches, fishing wires through walls, and squeezing yourself into tiny crawlspaces and/or attics full of sharp points, mold, and vermin?
Electricians get paid good money, too, and for the same reason – it's a difficult trade job that requires both physical dexterity and a reasonable level of intelligence. You can't really compare a job like this with a white-collar job where you sit behind a desk at a computer all day.
Tech industry jobs that do not require a four-year degree and may only need on-the-job training include customer services representatives, at $18.50 an hour, telecom line installer, $37.60 an hour, and sales representatives, $33.60 an hour.
There seems to be some confusion here. What exactly constitutes a "tech industry job"? I wouldn't consider any of the above three positions to be that. Customer service (as opposed to technical support) is a low-paid non-technical job that usually involves reading off a script. In most parts of the country it will pay a lot worse than $18.50 an hour (maybe as little as half as much). Telecom line installer sounds like a blue-collar trades job – not necessarily a bad thing if it pays well, but not the kind of thing that someone gets into the "IT industry" to do. And sales is, well, sales – the average techie isn't going to be at all suited for this.
The question really should be how important a college degree is for real IT jobs like programmer, network admiinistrator, or DBA.
Then it is analyzed by genius hackers who are paid top dollar for the job.
"Top dollar"? This is a government agency. They pay based on the GS scale. Even if the NSA's security hackers were classified at GS-15 (the highest rate), that's about $120K a year to begin – if they really are "geniuses" then they could do better in Silicon Valley, and probably feel better about their jobs as well.
In general, the GS scale pays somewhat more than typical private-sector rate for low-end jobs, but considerably less for high-end jobs.
Government contractors rake in the dough, but that money goes to politically-connected businessmen, not rank-and-file employees.
If you're crashing out on reads, then every malloc(1) that crashes if you read 2 requires 4096 bytes of real RAM to store 1 byte of data--we get into costs.
4096 bytes of RAM as an unacceptable cost? Seriously? Besides, how often are you repeatedly allocating really tiny buffers like this? If you have to do that, then maybe there's a more fundamental problem with the way your code flow is designed.
A lot of large performance-sensitive projects implement custom allocators in the form of arenas and freelists. Lots of platforms have a fast malloc implementation these days, but none of them will be as fast as this for the simple reason that the program knows more about its memory usage patterns than any general-purpose allocator ever could.
This is security software. You don't sacrifice the library's core functionality to make it run a bit faster on the old Celeron 300 running Windows 98.
This is not a problem with OpenSSL, or the C Language or the Malloc implementation, this is a problem because everyone is relying on the same black box they do not understand.
That's a cop-out. Any kind of advanced economy needs division of labor. This is no less true of the IT industry than anywhere else. The people building the "black box" need to know what they're doing and it needs to work. Period.
The Intel Galileo board has 8 GPIO pins, but these are not nearly as useful as on an Arduino or Raspberry Pi because they are actually multiplexed through I2C rather than connected directly to the processor, and thus are much slower to read or toggle than on other project boards. Is the same true of the MinnowBoard Max, or does it have real GPIO? This might not matter if you're going to use it as a router or NAS, but for embedded projects it can make a big difference.
What if he had said, "blacks don't deserve the right to vote"?
If someone said that in Alabama in 1957, would it be justified to deny them employment for the rest of their life even if they changed their mind after the Civil Rights Act passed?
Publicly acceptable positions on gay marriage are changing quickly. In 1996, Congress overwhelmingly passed, and President Clinton signed, a bill (DOMA) banning recognition of gay marriage across state lines. 10 years after that, few Democratic politicians, at least outside the most conservative states, would defend that position. But views changed slowly. In 2004, when running for the Senate, Barack Obama said that he thought marriage should be between a man and a woman. He said in 2010 that his views were "evolving", and at that point said he supported civil unions. Shortly afterward he came down on the side of supporting gay marriage without reservations.
The point is that this is an issue on which decent, well-meaning people have disagreed. To the extent that there is a majority consensus, it has only formed recently. Going back and retroactively persecuting people for their views before the consensus formed seems grossly unfair.
I'm not clear. When did freedom of speech extend to the operations of a private business?
A majority of people in modern-day America work for corporate entities of some kind. If you argue that free speech should only be protected against the government and not against employers, then you are in effect saying that a majority of people shouldn't have any free speech protections at all.
Who really killed the EV? It was the "consumer" who was beating down the manufacturer's door for an EV but never put down their cash when the manufacturer delivered on that demand.
Tesla is, in fact, a highly profitable company. They paid off their $465 million Department of Energy loan nine years early. So the rest of your rant is irrelevant. Tesla is profitably making electric vehicles that actual customers are buying. And they already have designs coming up that will be considerably less expensive than the Model S, and will almost certainly see much higher sales figures as a result.
There is already one production car (sort of) that does away with the side mirrors: the Volkswagen XL1.
(I say "sort of" because they're only making 250 of them, and they are not available in the United States, probably due to the mirror regulations.)
I constantly see the focus on improving the car. Making it safer, adding more air bags, ABS brakes, avoidance features. All to address what has become a simple fact of people not being good drivers. Its like handing out flake vests because we have too many shooters out there. Maybe at some point the government could focus on improving driving skills and teaching people to actually drive their vehicle and use the tools like side mirrors already on their vehicles? Does anyone thing camera's will be any more effective? I think not.
Your error is that you think it's easier to improve human behavior (across a diverse population of millions of people) than to improve technology. It's not.
Keep in mind that the average person has a median IQ of 100. And half the population is even dumber than that. Keep in mind that human drivers will inevitably be distracted by various events and emotions during the time that they are driving, so even an otherwise intelligent and conscientious driver is going to have weak moments now and again – and it only takes a brief lapse of concentration to risk an accident.
The truth is that driving is just too hard a task for most humans to perform reliably and consistently. In the next 10-30 years, manual driving will be replaced by self-driving cars. And some day we will look back on the era of manual driving the same way we now look upon previous eras without antibiotics or sanitation.
These are already in several cars. It doesn't solve this problem, it solves a different problem.
How so? The purpose of side-view and rear-view mirrors in cars is to allow the driver to see objects that would otherwise not be visible. If you have a full 360-degree overhead realtime view of everything surrounding the car, then you don't need any mirrors, because that display gives you a superset of the information you'd get by looking at mirrors.
They made the desktop unappealing on purpose. If you like "shiny" you're supposed to switch to the metro apps and interface.
The Metro apps are just as flat and dull. It's really a widespread design trend. Designers consider it to be moving away from "skeuomorphism". I consider it to be the UI equivalent of the Brutalist architectural style (those bare concrete box buildings from the 70s).
This still creates a coverage gap for XP users. If 8.1 had a sane UI today, I'd go XP-to-8.1. It's just an announcement though. With XP support going tits up in just a few days, there's no way to fill the gap without doing something transitional that you might want to throw away in a few months.
Just upgrade to Windows 7. It's a proven solution and it has extended support (security patches) up until mid-2020.
Windows 9 looks like it's going to fix the worst suckage of Win8, but I don't see it as being a "must-have" any time soon.
turning tvs into smart tv's might make sense but eventually...everyone will just have a smart tv.
That might work on the low end, but if you buy a $1000+ TV, you probably don't want to have to buy another one to replace it in a few years when the company stops updating the firmware or the SoC can't handle the latest video codec or whatever. Much better to use the expensive TV as a video monitor alone, and keep the fast-obsoleting stuff on a cheap external box.
or you can hook up an old PC that you have around.
The average PC is a big clunky box that doesn't fit in well in this environment. It's also a lot more expensive than these $99 streamers. An older or cheaper PC might not even have the HDMI output you need for connecting to a typical flat-panel TV. And a standard Windows PC is set up with a user interface that is designed to be used with a keyboard and mouse at close range, not a remote control from 5-15 feet. Yes, there are ways around all these things, but the average user would rather buy a purpose-built device than spend all that time tinkering with something they barely understand.
So, BY DEFINITION, what they were doing was producing a reality show, since there is no way you could call this a documentary.
No, I think they did expect it to be a documentary. And that is what they were led to believe that it was.
And it appears from the various descriptions of this event that it was Maker Studios that signed up the developers. Pepsi was brought in later. Why should this contract, which the developers weren't even directly a party to, mean that the devs have to do a completely different job than the one they signed up for?
The problem here is that it looks like someone – maybe Maker, but that isn't quite clear – pulled a bait and switch on both sides.
The event was sold to the programmers as a "Game Jam", a contest of skill. But it was sold to Pepsi as a "reality show" – a heavily edited event that focuses primarily on playing up drama. These two expectations were mutually contradictory, and inevitably led to the clash that happened, and to the whole thing falling apart.
When the developers refused to sign the contracts until the boilerplate "reality show" language was removed or at least modified, this should have been a warning sign to Maker and Pepsi that this wasn't going to work out the way they wanted. But they didn't take the hint.
Rule #1: Always read the contract carefully.
If you read the articles, you'll see that not only did they read the contracts, they re-negotiated several provisions that were clearly unacceptable.
You can't be that dense. This is a media production. You don't get to sign up to play Hamlet, and then demand to be able to drink Pepsi while the cameras are rolling. That's the line between being a programmer and being an actor. These guys signed up to be actors, but they don't want to follow the rules.
But that's the problem: they didn't sign up to be actors. They were under the impression that this was going to be an actual contest of skill, and it was changed into a "reality show" without their knowledge or consent. This problem first came up when the contracts were signed – a lot of the standard "reality show" boilerplate had to be removed because the devs refused to go along with it. That should have been a heads-up to the studio, but it wasn't.