Re: I got bored just after Kazaa came out. (on "P2P Leaks Surprises"; Score: 2, Insightful)
The problem with such as Echelon and Carnivore is that they attract people who find dumb people fascinating.
some study that showed that programmers writing ASM produced the same LOC as those using some early HLL (PL/1?).
Makes sense, if you consider what the programmer sees at one time as one page.
You have to get to the right page.
Once on that page, you have to be able to see what is relevant.
Seems like this stuff is measured more consistently and accurately by lines of code than by tokens or by non-whitespace characters.
From going back over my own stuff, I've found that the easiest and most useful commenting device has been blank lines separating dense globs of code. If I don't have to mess with the innards, the fewer lines the better. One aspect of a dense glob of code is that to the programmer it functions as a long name for the glob which has the further advantage of not having to be stored elsewhere.
LOC is a lousy measure, but I suspect that all other measures are worse.
It's probably a better measure of complexity than it "should" be because there will be tendencies to optimize style and content per line to minimize the effort of dealing with it.
measure is the generalization of the length of a set of points.
If A and B are disjoint, measure(A+B) = measure(A) + measure(B).
Unit interval has length (measure) of 1.
Remove any finite (or countable) set of points and you still have measure 1.
There exists Cantor's Perfect Set which has an uncountable number of points but has measure 0.
He would be talking about sets so nasty that it is impossible to define a measure on them that doesn't lead to logical impossibilities. (For real hairy stuff check out algebraic topology;)
The utility of measure theory is that you can combine discrete statistics and continuous statistics into just statistics.
Anything you need to quantify can be measured in some way that is superior to not measuring it at all.
Correct, but the problem is in the assumption that the measurement means more than it does.
But this is also a problem with any measurement with any degree of imprecision.
I see these references to programming languages that assume that a language is somehow representative of the level of the stuff written in them.
You measure A. You measure B.
Is A bigger than B?
The numeric values give a precise answer but with a significance related to the error margins around the values.
Say it's about 1000 miles to the sea coast. You go approximately 999.5 miles in that direction. It is now exactly half a mile to the coast?
Is A bigger than B?
Both have large errors, but if they have the same large errors, then something useful can be said about the difference.
The measurements are useful, just not as useful as one would like.
I think he meant that MSN Search is already the IE default but still has a lower share than Google, hence MS need to do something truly revolutionary to overtake Google's lead with its good reputation with accurate searches.
IE to a numeric ip which happens to be down at the moment.
We can't find "blah-blah/blah"
Link to Check availability or register the domain name "blah-blah/blah"
Powered by MSN Search.
Who's this "We"? What's to find?
I can register a numeric ip?
I can register a page on a numeric ip?
In their rush to stick something in my face they come off as obnoxious idiots.
I see no reason to expect that to change.
Sorry about that.
because the intersection of protein dynamics and hydrodynamics wasn't somewhere he wanted to go.
Hydrodynamics at a molecular level has to be mean, real mean.
The only thing I really know about hydrodynamics is that it's a very bad place to trust your intuition.
If you have something on a balance-point, tiny input changes make big output changes. Balance the Washington Monument on its point and make it fall one way or the other with a feather.
From left field, is this at all related to the human taboo against cannibalism?
If something comes in and never leaves, very slight traces eventually become a cumulative poison.
Common decency appears to be growing much less common.
Seems to be a lot like stiffing the waitress.
opening the source for inspection is not the same as the source actually being inspected. In fact it takes some time and skill to inspect source for vulnerabilities, and it's a distinctly unglamourous job.
There seems to be some sort of assumption that everybody has to read and inspect the open source for it to have any value. There seems to be some sort of assumption that vulnerabilities are the only bugs worth looking for. Hardly.
Source downloaded and never looked at again. Saves hours if not days if you should ever actually need it. Having it in the hands of someone who actually knows what (s)he's doing is even better.
Source downloaded and put into compile/test harness without looking. This dramatically shortens the time from discovering something curious and maybe finding out why. It also dramatically shortens the response time to yet unencountered problems. Lot of insurance for little effort.
Vulnerabilities are just bugs, but bugs that can be made to show themselves in a spectacular fashion. Actually I'd be much more worried about the bugs that do hidden damage than those that make spectacles of themselves without doing any real damage.
Perfect? No, but pretty damned close considering the required effort.
If I don't the odds are somebody else will.
If nobody else does, then at least I can.
Could you please elaborate on how 95/98/ME users have more access than NT admins?
Direct access to the hardware.
"'Security' is hard to formalize, hard to design (and design for), hard to implement, hard to verify, hard to configure, and hard to use. It is particularly hard to use on a platform such as Windows, which is evolving, security-wise, along with its representative user-base." !
Security is hard to bolt on to an existing design. It's not that difficult to design at the beginning.
He seems to be saying that windows security is evolving and its users are also 'security-evolving', and as a result, windows security is getting worse. Well, wait a minute. Maybe he's right on that one...
Build a security fence around your property by evolving.
Evolution will sometimes add a bit to cope with problems, but the general trend is for evolution to add more and more holes.
You make a sieve by punching holes in a container.
You do not make a container by plugging holes in a sieve.
Good insight. The root/administrator bit is mostly a red herring.
You still tend to put a bit better protection around the small amount of root-stuff, primarily because it's relatively simple to do.
The fat non-root stuff, even on servers, is really the important stuff.
The stuff that actually helps with security is that Unix things tend to think that it's a good idea if the user is aware of what is going on, and will go to a bit of extra trouble to be informative whenever and wherever possible.
[ ] Always trust Microsoft
[ ] Always trust Red Hat
[ ] Always trust OpenBSD
Reactions?
Isn't it the game writers fault, not M$'s?
It's always someone else's fault.
But seriously, the OS does a lot to implicitly set the tone for everything that will be run under. If game developers have admin access, their games will require admin access. To the extent that game developers think they need admin access, it is Microsoft's fault.
Well, I'd like to think anyhow :)
Yesterday's article on "Phish" scams links to a "test". One of the examples has the marks of a scam but is considered "legitimate". It is from MSN.
I think a lot has to do with expectations and attitudes. I would expect many if not most games on Unix to just refuse to run as root. An intentional segfault is even more fun. NT may have more elaborate security mechanisms but they are too hard to get at. With Unix you tend to get a mess of rwx in your face. Anybody know how to put group permissions to their limits?
Hiding file extensions probably does much more damage than administrator access.
Unix has an unfair advantage with the name "root". "Administrator", just by the name, makes a much more attractive target. I was smart enough to rename the domain admin to "root". If I leave some user's machine logged on as root their natural reaction is to get their stuff back as fast as possible.
Unix software tends to be as informative as it can as to where the problem resides. Microsoft software tends to try to shift the blame elsewhere if at all possible. The latest XP did not allow me to assign LPT1 to a remote printer. Kept coming with login prompt for the remote resource which never works. Finally disabled the hardware port in the bios. If you can confuse your enemy as to what the problem is, seems like you've got a considerable advantage.
i read in the jargon file once that you cannot "become" a hacker
If you decide to become a hacker, you won't make it.
If you are compulsively driven to make the damned computer work, you probably will make it.
Skill doesn't hurt, but it's not the primary requisite.
Overall I find it rude that one would instantly judge someone's programming skill and ability depending on what language they choose to use.
Like English or French or Latin or German or Portuguese or Chinese.
Different languages can be and are used at different skill levels.
Now it may be essential to possess a certain skill level before anything useful can be done in that language, but that doesn't really speak well of the design of the language.
Rude? Stupid seems more accurate.
Hmm, I thought it was a good way to see how well you can tell based on the content of the email itself.
Agreed.
90%, and I challenge that 10%.
The link on the MSN "Don't lose your MSN Hotmail account!" is addressed To: johndoe@fraudtest.com, not to the MSN Hotmail account.
It has no mention as to what Hotmail account is.
This is a fishing expedition.
That it "legitimately" comes from Microsoft's MSN is really more telling than anyone's scores.
Microsoft getting serious about security? Not a chance.
It's not particularly good at anything (but not particularly bad), nor is it a good all-rounder.
I see Java and I see gaggles of mainframes.
What you describe sounds perfectly suited. The overall efficiency is dominated more by how bad the worst is rather than how good the best is.
It's always possible to do 90% much better provided you can afford to ignore the remaining 10%. I think the relevant comparison is to the great masses of COBOL.
"confirm my information".
There is a meaning to this word confirm.
If they list the information they wish to confirm, it might be legitimate.
If they list no information that is to be confirmed, it's a scam.
There is a problem if several pieces of information with one of them wrong.
"your account has been hacked, verify your account details"
Which account has been hacked?
You know the account has been hacked.
You know the account is mine.
You will not tell me which account, how you know it is hacked, and how you know it is mine.
It's not the misspellings, bad grammar, etc. There's something missing that any legitimate message of that sort would have. Essentially it's insider information pertinent to why this comes from you to me.
What's key here is the amount of processing power you get for a given dollar. Clusters of general purpose systems may not be as efficient as a vector system, but in the end, the price makes up for the inefficiencies.
In general, no.
The inefficiencies are structural, orders of magnitude, not percentage.
Where, how, when you apply the processing power is what matters, and there are no valid rules of thumb.
wouldn't it make more sense to invest heavily in R&D to solve the cluster's problems and remove its limitations
Yes, like finding some new 2-digit numbers that come after 99.
The limitations of a cluster are because it is a cluster.
Of the problems that should be worth solving,
a few will be embarrassingly parallel
many will be extremely parallel
many many will be moderately parallel
many many many will be somewhat parallel
too many will be highly convoluted.
As an example to see how this can be so, consider an old mainframe with a bunch of old green-eyed monsters. The screens have enough intelligence so that the entire screen can be filled in and submitted at one shot. Take the same system and have the mainframe react to each keypress/release and the mainframe will be crippled.
Now have each user's keypress/release affect all other users concurrently.
Now scale it bigger.
When I think about it, the most CPU-heavy problems that occur to me are highly parallelizable.
CPU-heavy implies that internal-internal interactions dominate internal-external interactions. This is the opposite of mainframe processing.
CPU-heavy implies that something internal must be highly parallelizable. It does not imply exactly what or how. This depends on the nature of the required internal-internal interactions.
The super-computer applications which are feasible (conceivable?) are determined by the tools and paradigms which are available. If these are too limited (and there is no way to know a priori) then you are cut off from much which should be feasible.
One thing I had never realized before. C was a transition from existing stuff on a WORD addressed machine to a BYTE addressed machine. When everything is cramped, it helps immensely if you can keep all the magic numbers exactly the same. The C mechanism for what looks like strings and arrays is a brilliant hack to address thingees by their number with no additional supporting machinery. A C pointer is "typed" to the extent of having a width so that pointer p + 1 points to the next such thing. As a side effect, 2[array] is precisely as meaningful as array[2].
It's possible, even easy, to do things better than C. I don't think it's possible to do better without assuming something that C does not assume. If you do not have that stuff you have to assume, the "better" way is much worse.
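As an added example of the pointer-width and subscript points above (not code from the original comment; the sample array, the string walk and the function names are mine):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: four 32-bit words laid out contiguously in memory. */
static const int32_t words[4] = {10, 20, 30, 40};

/* array[i], *(array + i) and i[array] are one expression by definition:
 * the subscript is defined as *(a + b), and addition commutes, which is
 * why 2[array] means exactly what array[2] means. */
int subscript_forms_agree(int i)
{
    return words[i] == *(words + i) && words[i] == i[words];
}

/* The only "type" a pointer carries for arithmetic is its width: p + 1
 * moves by sizeof(*p) bytes, so the same index numbers that worked on a
 * word-addressed machine keep working on a byte-addressed one. */
ptrdiff_t word_step_bytes(void)
{
    const int32_t *p = words;
    /* Cast to char * so the subtraction counts bytes, not words. */
    return (const char *)(p + 1) - (const char *)p;   /* 4 */
}

/* Same memory seen through a byte pointer: one word step is
 * sizeof(int32_t) byte steps, nothing else scales the index. */
int byte_steps_per_word(void)
{
    const char *b = (const char *)words;
    const int32_t *w = words;
    int n = 0;
    while (b != (const char *)(w + 1)) {
        b++;
        n++;
    }
    return n;   /* 4 */
}

/* A C "string" is a char pointer stepped until the NUL byte; no length
 * field or descriptor is stored anywhere else. That is the "no additional
 * supporting machinery": the terminator is the only thing that stops the
 * walk, so a buffer without one is walked straight past its end. */
size_t walk_to_nul(const char *s)
{
    const char *p = s;
    while (*p != '\0')
        p++;
    return (size_t)(p - s);
}

int main(void)
{
    printf("words[2] == 2[words]: %d\n", subscript_forms_agree(2));
    printf("bytes per int32_t step: %td\n", word_step_bytes());
    printf("byte steps per word: %d\n", byte_steps_per_word());
    printf("length of \"hello\": %zu\n", walk_to_nul("hello"));
    return 0;
}
```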
"how would a good virus tell another good virus from a bad one?"
Easy. They're all bad, including the good.
It might be justified if "enough is enough!", but if you have to ask, it is never justified. It might be good at the moment, but once the moment is past, it is a bad virus.