Many states in the US now license software engineers because the national organization now has criteria. A problem is that you need sign-off from an existing PE who knows your work, so there is a bootstrapping problem. A new software PE has to be approved by an existing PE, but there are virtually no existing software PEs to approve the first generation.
Of course, it's always been possible to work under the same ethical guidelines voluntarily. More than once I've told a client I won't do something because it would be akin to malpractice.
Yes, it does, pretty well. I've used a PE (Professional Engineer) for exactly that reason - they "sell" trustworthiness, objectivity. The person I bought my house from and I paid the PE precisely because we know they sell the truth, rather than telling either of us what we want to hear.
That's the same thing CPAs sell - the market pays Price Waterhouse Coopers to find the truth, rather than skewing things.
You obviously know what you're talking about, you are very good at ignoring evidence. For example, just recently in Egypt, archeologists discovered Egyptian documents several thousand years old. These ancient Egyptian records show pharoah's army chasing the Jews out of Egypt after the Jews' worship of a false god brought great suffering to Egypt - plagues and the like.
The scene by the Egyptians looks strikingly like another account of the Jews' exodus from Egypt, for the same reasons. The only difference is which side is described as the "bad guys". The same story told, described the same way by the opposing parties - you think that might be evidence that they're describing something that actually occurred?
If you've ever played the telephone game, or been alive on earth for more than five years, you know that anything that gets repeated from person to person to person gets distorted along the way. For you to then purposely distort it further in order to claim the event must not have occurred isn't a belief in evidence - it's a pitiful, transparent attempt to protect an obviously very wounded ego.
> OpenSSL should have been near, if not at the top of, the list of groups contacted.
Absolutely. In the case I mentioned where I found the vulnerability, the FIRST contact I made was the development team.
As to the fact that people can't be protected on every site until the updated packages are out, how does that mean they should NOT be protected when possible? Are you sad that it's "unfair" that they are protected on some sites and not others? So you'd like to remedy that by exposing their data ALL the time? Is that more fair, to have all of their data vulnerable instead?
> My point is that there is probably some dollar value at which the cost to find the next vuln would never increase beyond that -- in other words, the Apache web server could never reach a state at which you could not find a new vuln for less than $10 million.
And that's GUARANTEED to be wrong. We know for certain that after all vulnerabilities are found, spending $100,000,000,000,000,000 still won't find another one. We can reason that the last vulnerability may well be either a) very hard to find (not worth it) or b) fairly to find (in which case $1000 bounty is perfect.). We can guarantee that at some point infinite resources would be wasted, because there are no more findable vulnerabilities severe enough to be worth finding.
Aside from the obvious ethical reason, I see two reasons more important than the $1,000 to go "white hat" rather than "black hat". When a potential employer Googles my name, I want them to find my name on CVEs, Github commits, etc. - demonstrable proof that I do in fact find and fix real-world issues. I'm working on that. Right now, I'd have to point out my contributions, they aren't easily found via Google. For that, having a company or other organization publicly acknowledge my work is much more valuable than $1,000, if it helps me land a great job.
On the other hand, selling it on the black market could put me in federal prison. If the god guys offer me $1,000 plus a reputation boost, while the bad guys offer me $5,000 plus a possible prison sentence, I think I'll take the good guys' offer. That $1,000 could, in some cases, be enough to pay someone's past-due rent so they don't feel they have HAVE to capitalize on it in a bad way.
The other scenario I see is that several times per year I notify a smaller company of some security hole I noticed in passing. I haven't thoroughly probed it, just noticed "gee, it throws an error on O'Doole, it's probably not escaping the input and therefore vulnerable to SQL injection". Sometimes I don't bother to track down the proper person to notify and go notify them. Sometimes, I send an email to the only readily available email address, customer service, and the $8 drone on the other end replies with a form letter wholly inappropriate to the situation, so they obviously don't understand what I told them. In those cases, I'll likely not spend much time trying to find another person at the company. If most companies paid even $100 for a bug bounty, that would make it worth my time to spend a few minutes finding their report form and use it. Heck, at $100 per SQL injection vulnerability I could make a good living finding and reporting those for six hours per day.
There is no option that's going to protect those tax returns. Telling the bad guys about it will certainly endanger the tax return data, though. Since many (most?) people use the same or similar password for Facebook as they use for their tax service, protecting Facebook traffic actually protects a few tax returns.
What clearly isn't an effective option would be to announce the vulnerability to hundreds of tax-preparer sites before a updated package is available, expecting them to manually (and correctly) patch the code, without leaking the vulnerability so that it becomes widely known to the bad guys.
If you're going to try to protect people in the time between discovery and the fix being widely distributed, you can only do that by keeping it relatively secret, by limiting details to a small number of trusted people. Once you tell a lot of people, you've told a lot of bad guys. There's no need to do that before the updates are available and people can protect their customers.
> Isn't that assumption where the whole argument for notifying selected parties in advance breaks down?... > it will often be applied when their distro's mirrors pick it up, but that was typically within a couple of hours for Heartbleed
How do you think those packages get on the mirrors? Do their servers magically patch the code, rebuild the packages, and set it as a high priority update? The fix gets on the mirrors as a result of "notifying selected parties in advance".
> they had a whole day to attack everyone who wasn't blessed with the early knowledge, instead of a couple of hours
Years, not hours. Assuming the bad guys knew about it, they had two YEARS to attack people. If we told people that there was an issue on Monday, that doesn't protect them - they just know that their vulnerable. They couldn't do anything about it until the update packages were available on Tuesday.
On the other hand, had we made it public on Monday, we would have GUARANTEED that lots of bad guys knew about it, during a period in which everyone was vulnerable.
I'm talking about what we did here. It appears to me that Google definitely screwed up by not telling the right people on the OpenSSL team much sooner. (Apparently they told _someone_ involved with OpenSSL right away, but not the right soemone.)
> you protect some large sites, but those large sites are run by large groups of people. For one thing, they probably have full time security staff who will get the notification as soon as it's published, understand its significance, and act on it immediately.
ROTFL. Yep, large corporate bureaucracies, they ALWAYS do exactly the right thing, in a matter of hours.
This was handled similarly to a flaw I discovered, and I think it makes sense. Facebook, for example, has about a billion users. If you have a colleague you trust at Facebook, informing that one colleague can protect Facebook's billion users.
The risk is of a leak before a fix is widely deployed is dependent on a) the number of people you inform and b) how trustworthy those people are to keep quiet for a couple of days. It's quite reasonable to minimize the risk of a leak by keeping it low profile for a few days, while minimizing the damage by protecting as many people as possible.
For CVE-2012-0206 , developers knew that wikimedia was the largest user. Wikipedia and related properties account for over half the the end-users that could be affected. So by letting just one person know about it ahead of time, we could protect millions of wikipedia users. That seems like a good trade, so we let wikipedia have the patch 24 hours before the main distros like Red Hat put the patch out publicly and the vulnerability became well known. Nobody was harmed by hearing about it on Tuesday rather than on Monday, and all of wikipedia's users were protected from being affected by keeping it secret for a day while wikipedia's servers were patched.
> Indeed, who would review other people's code for free or for fun?
Some people do, of course. I have, specifically for security issues, because that's a major resume point in the security world - having actually found and fixed real-world security issues.
99% of the time, I'm being paid to review and improve open source code. All of those companies that use open source, including Google, have a vested interest in making sure that the code they use is good. Since it's open source, the Google techs can actually dig into the code and find issues like this, then fix it, just like they did in this case. They didn't do it for free and for fun, they did it because Google relies on OpenSSL.
My employer also relies on OSS. My job is to administer, maintain, and improve the OSS software we use. I've found and fixed security issues. Not for free and for fun, but because we want our systems to be secure, and having the source allows me to do that.
When I craft an improvement, at LEAST three people have to look at it before it's committed upstream. Typically, five or six people will comment on it and suggest improvements or state their approval before it's finalized.
> Although evolution isn't an explanation of how life began, it does introduce some constrictions on what that explanation can include. > For instance, all life on earth today is descended from a single common ancestor. Plants, animals and humans were not created apart from each other, one at a time.
We know that the iPhone "evolved" from early cell phones via natural selection aka market selection. We know that the latest cars similarly "evolved" via a process analogous to biological evolution. We also know that cars and phones don't share a common ancestor - they evolved separately. We know that one type of bird evolves into another, while on the other side of the planet one type of rodent evolves into another, separately.
How does biological evolution introduce the constraint that there must be a single common ancestor? I see you have the belief that there may have been a single common ancestor, but I don't see how that's required for evolution to occur.
> Humans are descended from Apes. Without explaining how that process began, > the evolutionary evidence about this constraint is emphatic and undeniable. > This flies in the face of one obvious prominent creation myth.
One very narrow interpretation, perhaps, one that few people hold. Most people, I think, realize that the ancient wisdom in Genesis says things happened in this order:
0. There was nothing - the universe was without form. 1. Space (the stars and the heavens) 2. Earth. 3. Oceans and land masses 4. Sea life 5. Animals of the land and air 6. Lastly, humans
For hundreds of years, scientists said that was wrong. Today, we know that Genesis has the sequence correct, and has been correct for thousands of years. Yeah, if you assume that the "yom" between land animals and humans was 24 hours, that's not consistent with evolution. That's not the only meaning of yom, though.
Evolution doesn't try to explain how life began. It is therefore funny to me thatsome people think there's a contradiction between evolution and ancient stories about how it began. Even more odd, some people assume the HOW is incompatible with ideas about WHY life exists. Those are three separate questions.
When the government spends a million dollars on MS Office, let's guess that something like 1/3rd of those resources go to marketing, 1/3rd go to development, and 1/3rd to administration. So for $1,000,000 in spending, $300,000 of utility (goodness) is produced, the economy has $300,000 more utility in it that gets divided up between people.
If instead, the government spent the same million on OpenOffice, 80% would go to development, 20% to administration, and 0% to marketing. Therefore, $800,000 of development work would be done, adding $800,000 of utility which gets spread around. We see that spending the same money on OpenOffice results in over twice as much utility being added to the economy, meaning twice as much good stuff is available to be spread around.
Int he more likely case, the government would spend only 1/10th as much on OpenOffice. That leaves $900,000 either in the hands of taxpayers to spend on good stuff they want, or for the government to spend on things like literacy and job training programs. Which provides more value to the economy - handing money to Microsoft, or using it to increase literacy and job skills?
> When a bug does show and people look at the source
That's when the quote comes into play, "given enough eyeballs all bugs are shallow... the fix will be obvious to someone". A shallow bug, one where the fix is obvious, is obvious when eyeballs are looking. The question of how many bugs exist is a separate issue. Also:
> When a bug does show and people look at the source
For most of my contributions to open source, at least three people looked at the code before it was distributed - me, the module maintainer (who is expert on that section of the code), and the integrator (who is expert on the project as a whole). For my closed source code, most of what I write has been seen by exactly one person - me.
That's an interesting thought. Had it been typed, it might be a typo. I was thinking of a guy who said that, out loud, face-to-face. That's not the only comment that made it clear he was claiming four times as much as he in fact knew.
Of course, in a interview I give someone leeway - my mind went blank once in an interview when I was asked "what are the four pillars of object oriented programming?". At the time, I could have implemented objects in C using the preprocessor*, but interview stress caused a brainfart. This guy was obviously clueless and trying to BS his way through it, though. Perhaps hoping he'd only be interviewed by a manager who wasn't a programmer.
* thanks to Perl for teaching me objects from the inside out. Understanding Perl's implementation of objects, I could see that language support for objects in 98% syntactic sugar, object.method() is the same thing as function(* object), where "object" is an associative array aka namespace aka lookup table, plus a list of class names it has.
Your four-sentence comment has five glaring errors that make it obvious that you have absolutely no idea what you're talking about. You very much remind me of the job applicant who told me he has experience in C, C+, and C++.
That would be: Given enough eyeballs, all bugs are shallow... the fix will be obvious to someone.
Eric S Raymond
Although ESR called it " Linus' Law", it's ESR's writing, from CATB. Linus has a completely different concept that he calls "Linus' Law". Linus talks about motivations for what we do.
> (and to the GP, you threw away that 100/mo TV subscription, that is only $1200 - where does the 5k come from?)
Starbucks. Making a pot of coffee at home instead of buying Starbucks is another $1,200 / year. The point is ditch the stuff, LIKE THE $100 / MONTH TV, that is less important than a comfortable retirement.
Just be sure to hide the money you're saving by giving up the deluxe cable package and the Starbucks. In a few years, you'll have enough money to pay your bills for 25 years of retirement. At that point, there will be millions of people who spent their money on crap screaming "he's a greedy millionaire! Tax that away from him and give it to me, because I don't have squat!"
Money invested grows. First, the money you put in grows, then the growth grows. Then that "free" money you got from growth itself grows some more money. This is the magic of compounding. With average returns, $500 per month for 32 years will grow to $1 million.
> Sun + focusing device + black metal + thermoelectric = cheap electricity.
With a four foot diameter focusing lens, you could almost power an iPod. With a lens a mile across, you could power a house. Of course the lens would cost $XX million. Rather than "cheap electricity", this would be "outrageously expensive electricity".
> Why not use this in place of expensive solar panels?
Indeed, why not. The idea has a lot in common with typical c-Si solar panels: extremely expensive, and provides power for several hours per day, but only on sunny days. I bet you can get the government to give you half a billion dollars to start thinking about maybe someday producing them.
> of course you conveniently ignored that manufacturers do not even want a liability with an upper bound at the sale price.
Of course they WANT no liability. They WANT Jessica Biel, wearing nothing but whipped cream, too. Neither of those is reality, so I don't know how that's relevant.
Yrs, under current law in India, anyone providing any products or services to a can be held liable. Anyone includesanyone who sells them batteries for their smoke detector. If something scary were to happen, the lawyers may well sue everyone and see what sticks. It's clear you don't run a business. The most worrisome thing isn't that you actually screw up and ARE liable. Most if the cost is that someone sues you and you have to spend millions s prove that you aren't liable, then hope that the jury doesn't decide "someone needs to pay".
> no company is ready to undertake that including the risk even at twice market rates, this is a serious argument against it being ridiculously easy to not cause accident, right?
Twice market rates would be $200 ($120 profit). Is is smart to risk $200 million in order to make $120? No.
And, they do need to buy batteries from somewhere, and right now it would be stupid for anyone to sell batteries to them.
The article you linked to isn't as clear as it should be, but it does indicate the problem with the law in India. If I manufacture AA batteries, or example, and I sell $300 of batteries that end up at a nuclear power station, I'd be liable for $300,000,000 in case of an accident. Why would anyone take on a $300,000,000 liability to make a $300 sale? It would be kind of dumb to provide any of the odds and ends needed for a nuclear reactor in India, until their law is "tweaked". Suppose you have the contract to mow the grass at the power station. That contract pays $100 / week. If one of your guys bumps into the wrong thing with the mower, you're liable for a nuclear accident. It's not worth it, so nobody would take the lawn contract at a an Indian power plant.
Many states in the US now license software engineers because the national organization now has criteria. A problem is that you need sign-off from an existing PE who knows your work, so there is a bootstrapping problem. A new software PE has to be approved by an existing PE, but there are virtually no existing software PEs to approve the first generation.
Of course, it's always been possible to work under the same ethical guidelines voluntarily. More than once I've told a client I won't do something because it would be akin to malpractice.
Yes, it does, pretty well. I've used a PE (Professional Engineer) for exactly that reason - they "sell" trustworthiness, objectivity. The person I bought my house from and I paid the PE precisely because we know they sell the truth, rather than telling either of us what we want to hear.
That's the same thing CPAs sell - the market pays Price Waterhouse Coopers to find the truth, rather than skewing things.
You obviously know what you're talking about, you are very good at ignoring evidence. For example, just recently in Egypt, archeologists discovered Egyptian documents several thousand years old. These ancient Egyptian records show pharoah's army chasing the Jews out of Egypt after the Jews' worship of a false god brought great suffering to Egypt - plagues and the like.
The scene by the Egyptians looks strikingly like another account of the Jews' exodus from Egypt, for the same reasons. The only difference is which side is described as the "bad guys". The same story told, described the same way by the opposing parties - you think that might be evidence that they're describing something that actually occurred?
If you've ever played the telephone game, or been alive on earth for more than five years, you know that anything that gets repeated from person to person to person gets distorted along the way. For you to then purposely distort it further in order to claim the event must not have occurred isn't a belief in evidence - it's a pitiful, transparent attempt to protect an obviously very wounded ego.
> OpenSSL should have been near, if not at the top of, the list of groups contacted.
Absolutely. In the case I mentioned where I found the vulnerability, the FIRST contact I made was the development team.
As to the fact that people can't be protected on every site until the updated packages are out, how does that mean they should NOT be protected when possible? Are you sad that it's "unfair" that they are protected on some sites and not others? So you'd like to remedy that by exposing their data ALL the time? Is that more fair, to have all of their data vulnerable instead?
> My point is that there is probably some dollar value at which the cost to find the next vuln would never increase beyond that -- in other words, the Apache web server could never reach a state at which you could not find a new vuln for less than $10 million.
And that's GUARANTEED to be wrong. We know for certain that after all vulnerabilities are found, spending $100,000,000,000,000,000 still won't find another one. We can reason that the last vulnerability may well be either a) very hard to find (not worth it) or b) fairly to find (in which case $1000 bounty is perfect.). We can guarantee that at some point infinite resources would be wasted, because there are no more findable vulnerabilities severe enough to be worth finding.
Aside from the obvious ethical reason, I see two reasons more important than the $1,000 to go "white hat" rather than "black hat".
When a potential employer Googles my name, I want them to find my name on CVEs, Github commits, etc. - demonstrable proof that I do in fact find and fix real-world issues. I'm working on that. Right now, I'd have to point out my contributions, they aren't easily found via Google. For that, having a company or other organization publicly acknowledge my work is much more valuable than $1,000, if it helps me land a great job.
On the other hand, selling it on the black market could put me in federal prison. If the god guys offer me $1,000 plus a reputation boost, while the bad guys offer me $5,000 plus a possible prison sentence, I think I'll take the good guys' offer. That $1,000 could, in some cases, be enough to pay someone's past-due rent so they don't feel they have HAVE to capitalize on it in a bad way.
The other scenario I see is that several times per year I notify a smaller company of some security hole I noticed in passing. I haven't thoroughly probed it, just noticed "gee, it throws an error on O'Doole, it's probably not escaping the input and therefore vulnerable to SQL injection". Sometimes I don't bother to track down the proper person to notify and go notify them. Sometimes, I send an email to the only readily available email address, customer service, and the $8 drone on the other end replies with a form letter wholly inappropriate to the situation, so they obviously don't understand what I told them. In those cases, I'll likely not spend much time trying to find another person at the company. If most companies paid even $100 for a bug bounty, that would make it worth my time to spend a few minutes finding their report form and use it. Heck, at $100 per SQL injection vulnerability I could make a good living finding and reporting those for six hours per day.
Thesis is essentially that fixing a bug doesn't increase security because the software still has an infinite number of bugs.
Obviously, this is false. A software package may have 6 security bugs. Fixing 3 of them reduces by 50% the chance that the bad guy will find one.
There is no option that's going to protect those tax returns. Telling the bad guys about it will certainly endanger the tax return data, though.
Since many (most?) people use the same or similar password for Facebook as they use for their tax service, protecting Facebook traffic actually protects a few tax returns.
What clearly isn't an effective option would be to announce the vulnerability to hundreds of tax-preparer sites before a updated package is available, expecting them to manually (and correctly) patch the code, without leaking the vulnerability so that it becomes widely known to the bad guys.
If you're going to try to protect people in the time between discovery and the fix being widely distributed, you can only do that by keeping it relatively secret, by limiting details to a small number of trusted people. Once you tell a lot of people, you've told a lot of bad guys. There's no need to do that before the updates are available and people can protect their customers.
> Isn't that assumption where the whole argument for notifying selected parties in advance breaks down? ...
> it will often be applied when their distro's mirrors pick it up, but that was typically within a couple of hours for Heartbleed
How do you think those packages get on the mirrors? Do their servers magically patch the code, rebuild the packages, and set it as a high priority update? The fix gets on the mirrors as a result of "notifying selected parties in advance".
> they had a whole day to attack everyone who wasn't blessed with the early knowledge, instead of a couple of hours
Years, not hours. Assuming the bad guys knew about it, they had two YEARS to attack people. If we told people that there was an issue on Monday, that doesn't protect them - they just know that their vulnerable. They couldn't do anything about it until the update packages were available on Tuesday.
On the other hand, had we made it public on Monday, we would have GUARANTEED that lots of bad guys knew about it, during a period in which everyone was vulnerable.
I'm talking about what we did here. It appears to me that Google definitely screwed up by not telling the right people on the OpenSSL team much sooner. (Apparently they told _someone_ involved with OpenSSL right away, but not the right soemone.)
> you protect some large sites, but those large sites are run by large groups of people. For one thing, they probably have full time security staff who will get the notification as soon as it's published, understand its significance, and act on it immediately.
ROTFL. Yep, large corporate bureaucracies, they ALWAYS do exactly the right thing, in a matter of hours.
This was handled similarly to a flaw I discovered, and I think it makes sense. Facebook, for example, has about a billion users. If you have a colleague you trust at Facebook, informing that one colleague can protect Facebook's billion users.
The risk is of a leak before a fix is widely deployed is dependent on a) the number of people you inform and b) how trustworthy those people are to keep quiet for a couple of days. It's quite reasonable to minimize the risk of a leak by keeping it low profile for a few days, while minimizing the damage by protecting as many people as possible.
For CVE-2012-0206 , developers knew that wikimedia was the largest user. Wikipedia and related properties account for over half the the end-users that could be affected. So by letting just one person know about it ahead of time, we could protect millions of wikipedia users. That seems like a good trade, so we let wikipedia have the patch 24 hours before the main distros like Red Hat put the patch out publicly and the vulnerability became well known. Nobody was harmed by hearing about it on Tuesday rather than on Monday, and all of wikipedia's users were protected from being affected by keeping it secret for a day while wikipedia's servers were patched.
> Indeed, who would review other people's code for free or for fun?
Some people do, of course. I have, specifically for security issues, because that's a major resume point in the security world - having actually found and fixed real-world security issues.
99% of the time, I'm being paid to review and improve open source code. All of those companies that use open source, including Google, have a vested interest in making sure that the code they use is good. Since it's open source, the Google techs can actually dig into the code and find issues like this, then fix it, just like they did in this case. They didn't do it for free and for fun, they did it because Google relies on OpenSSL.
My employer also relies on OSS. My job is to administer, maintain, and improve the OSS software we use. I've found and fixed security issues. Not for free and for fun, but because we want our systems to be secure, and having the source allows me to do that.
When I craft an improvement, at LEAST three people have to look at it before it's committed upstream. Typically, five or six people will comment on it and suggest improvements or state their approval before it's finalized.
> Although evolution isn't an explanation of how life began, it does introduce some constrictions on what that explanation can include.
> For instance, all life on earth today is descended from a single common ancestor. Plants, animals and humans were not created apart from each other, one at a time.
We know that the iPhone "evolved" from early cell phones via natural selection aka market selection.
We know that the latest cars similarly "evolved" via a process analogous to biological evolution.
We also know that cars and phones don't share a common ancestor - they evolved separately.
We know that one type of bird evolves into another, while on the other side of the planet one type of rodent evolves into another, separately.
How does biological evolution introduce the constraint that there must be a single common ancestor?
I see you have the belief that there may have been a single common ancestor, but I don't see how that's required for evolution to occur.
> Humans are descended from Apes. Without explaining how that process began,
> the evolutionary evidence about this constraint is emphatic and undeniable.
> This flies in the face of one obvious prominent creation myth.
One very narrow interpretation, perhaps, one that few people hold. Most people, I think, realize that the ancient wisdom in Genesis says things happened in this order:
0. There was nothing - the universe was without form.
1. Space (the stars and the heavens)
2. Earth.
3. Oceans and land masses
4. Sea life
5. Animals of the land and air
6. Lastly, humans
For hundreds of years, scientists said that was wrong. Today, we know that Genesis has the sequence correct, and has been correct for thousands of years. Yeah, if you assume that the "yom" between land animals and humans was 24 hours, that's not consistent with evolution. That's not the only meaning of yom, though.
+1
Evolution doesn't try to explain how life began.
It is therefore funny to me thatsome people think there's a contradiction between evolution and ancient stories about how it began. Even more odd, some people assume the HOW is incompatible with ideas about WHY life exists. Those are three separate questions.
When the government spends a million dollars on MS Office, let's guess that something like 1/3rd of those resources go to marketing, 1/3rd go to development, and 1/3rd to administration. So for $1,000,000 in spending, $300,000 of utility (goodness) is produced, the economy has $300,000 more utility in it that gets divided up between people.
If instead, the government spent the same million on OpenOffice, 80% would go to development, 20% to administration, and 0% to marketing. Therefore, $800,000 of development work would be done, adding $800,000 of utility which gets spread around. We see that spending the same money on OpenOffice results in over twice as much utility being added to the economy, meaning twice as much good stuff is available to be spread around.
Int he more likely case, the government would spend only 1/10th as much on OpenOffice. That leaves $900,000 either in the hands of taxpayers to spend on good stuff they want, or for the government to spend on things like literacy and job training programs. Which provides more value to the economy - handing money to Microsoft, or using it to increase literacy and job skills?
> When a bug does show and people look at the source
That's when the quote comes into play, "given enough eyeballs all bugs are shallow ... the fix will be obvious to someone".
A shallow bug, one where the fix is obvious, is obvious when eyeballs are looking. The question of how many bugs exist is a separate issue.
Also:
> When a bug does show and people look at the source
For most of my contributions to open source, at least three people looked at the code before it was distributed - me, the module maintainer (who is expert on that section of the code), and the integrator (who is expert on the project as a whole). For my closed source code, most of what I write has been seen by exactly one person - me.
That's an interesting thought. Had it been typed, it might be a typo. I was thinking of a guy who said that, out loud, face-to-face. That's not the only comment that made it clear he was claiming four times as much as he in fact knew.
Of course, in a interview I give someone leeway - my mind went blank once in an interview when I was asked "what are the four pillars of object oriented programming?". At the time, I could have implemented objects in C using the preprocessor*, but interview stress caused a brainfart. This guy was obviously clueless and trying to BS his way through it, though. Perhaps hoping he'd only be interviewed by a manager who wasn't a programmer.
* thanks to Perl for teaching me objects from the inside out. Understanding Perl's implementation of objects, I could see that language support for objects in 98% syntactic sugar, object.method() is the same thing as function(* object), where "object" is an associative array aka namespace aka lookup table, plus a list of class names it has.
Your four-sentence comment has five glaring errors that make it obvious that you have absolutely no idea what you're talking about. You very much remind me of the job applicant who told me he has experience in C, C+, and C++.
That would be: ... the fix will be obvious to someone.
Given enough eyeballs, all bugs are shallow
Eric S Raymond
Although ESR called it " Linus' Law", it's ESR's writing, from CATB. Linus has a completely different concept that he calls "Linus' Law". Linus talks about motivations for what we do.
> (and to the GP, you threw away that 100/mo TV subscription, that is only $1200 - where does the 5k come from?)
Starbucks. Making a pot of coffee at home instead of buying Starbucks is another $1,200 / year. The point is ditch the stuff, LIKE THE $100 / MONTH TV, that is less important than a comfortable retirement.
Just be sure to hide the money you're saving by giving up the deluxe cable package and the Starbucks. In a few years, you'll have enough money to pay your bills for 25 years of retirement. At that point, there will be millions of people who spent their money on crap screaming "he's a greedy millionaire! Tax that away from him and give it to me, because I don't have squat!"
Money invested grows. First, the money you put in grows, then the growth grows.
Then that "free" money you got from growth itself grows some more money.
This is the magic of compounding. With average returns, $500 per month for 32 years will grow to $1 million.
> Sun + focusing device + black metal + thermoelectric = cheap electricity.
With a four foot diameter focusing lens, you could almost power an iPod.
With a lens a mile across, you could power a house. Of course the lens would cost $XX million. Rather than "cheap electricity", this would be "outrageously expensive electricity".
> Why not use this in place of expensive solar panels?
Indeed, why not. The idea has a lot in common with typical c-Si solar panels: extremely expensive, and provides power for several hours per day, but only on sunny days. I bet you can get the government to give you half a billion dollars to start thinking about maybe someday producing them.
> of course you conveniently ignored that manufacturers do not even want a liability with an upper bound at the sale price.
Of course they WANT no liability. They WANT Jessica Biel, wearing nothing but whipped cream, too. Neither of those is reality, so I don't know how that's relevant.
Yrs, under current law in India, anyone providing any products or services to a can be held liable. Anyone includesanyone who sells them batteries for their smoke detector. If something scary were to happen, the lawyers may well sue everyone and see what sticks. It's clear you don't run a business. The most worrisome thing isn't that you actually screw up and ARE liable. Most if the cost is that someone sues you and you have to spend millions s prove that you aren't liable, then hope that the jury doesn't decide "someone needs to pay".
> no company is ready to undertake that including the risk even at twice market rates, this is a serious argument against it being ridiculously easy to not cause accident, right?
Twice market rates would be $200 ($120 profit). Is is smart to risk $200 million in order to make $120? No.
And, they do need to buy batteries from somewhere, and right now it would be stupid for anyone to sell batteries to them.
The article you linked to isn't as clear as it should be, but it does indicate the problem with the law in India. If I manufacture AA batteries, or example, and I sell $300 of batteries that end up at a nuclear power station, I'd be liable for $300,000,000 in case of an accident. Why would anyone take on a $300,000,000 liability to make a $300 sale? It would be kind of dumb to provide any of the odds and ends needed for a nuclear reactor in India, until their law is "tweaked". Suppose you have the contract to mow the grass at the power station. That contract pays $100 / week. If one of your guys bumps into the wrong thing with the mower, you're liable for a nuclear accident. It's not worth it, so nobody would take the lawn contract at a an Indian power plant.