The North pole melting won't add to sea levels, because all the ice is already in the water, however if the South pole starts melting, it most certainly will raise the water levels due to the simple fact that there is land underneath most of it.
You're of course assuming that a race that can live 10^33 years would be unable to find a workaround in that timeframe? Consider how much science has advanced so far, I'd say chances are pretty good they'd find something. I particularly liked the solution Fredrick Pohl used in the Heechee saga: What if one has the ability to shelter oneself from the know universe, make the universe start contracting, and causing a new big bang, then reentering the universe afterwards? The scientific advances of 10^33 years uninterrupted by such annoying things as people dying in their prime or getting senile when they finally start reaching the depths of their area of research would be far beyond what we can fathom. Surely some interesting potential solutions would come out of it.
Look at it this way: Microsoft has 40-50 billion USD in the bank. If Microsoft gets hit too hard by software patents, Microsoft will start seeing software patents as a problem. 40-50 billion means you can afford quite a bit of lobbying and "industry" associations and "public" outcry to make lawmakers see your point.
Bzzzt. Wrong. Free movement of labor let companies push salaries down, because the pool of available workers with the right skills increase. Why do you think free movement of labor has been one of the corner stones of the EU since the start, despite the EU's start as a purely economic cooperation to further European industry?
Personally I think it looks more like they are trying to end up in a remake of the USA. Still got a few civil liberties to abridge before we get there, but if Bush doesn't get reelected next time around perhaps we'll manage to close in.
What do you mean "remains relatively free"? I wouldn't ever consider moving to a country where people can be held without legal representation, without charge and without a civil trial indefinently with no legal protections, and where you already have a law almost as excessive as this directive in place (the DMCA).
Keep in mind that this is a directive that first have to be approved by EU centrally, then it has to be enacted in local legislation, which leaves plenty of time to get rid of it or at least tone it down (via creative interpretations in the adaptations to local law).
The US is already stuck with the DMCA in effect, and a long string of "security" measures limiting your "freedom" to a level that starts to make even several dictatorships look more and more free by the day.
One can say a whole lot of bad things about the governing bodies of the EU, but I could say a whole lot worse things about the current US government, most of which are not suitable even for Slashdot:-)
Which means you miss the problem entirely. If it is illegal to make a machine for making tyres that can identify themselves as Ford tyres, then exactly how can a consumer prevent his Ford car from refusing to start when tyres don't identify themselves as Ford tyres?
If you allow anyone to make any machine readable identification without either expressly forbidding them to use it to limit consumer choice OR expressly allow the identification to be cloned, you ARE opening for exactly what the "people scaremongering" have suggested.
We've seen this clearly enough illustrated with the lawsuits against clone inkjet cartridge makers, where the printer manufacturers have hid behind the DMCA, trade secrets and patents to try to limit consumer choice.
So, if I work for company A and don't like company B, I can e-mail out 10 million messages purporting to be advertizing company B's website in the sleasiest way possible, and company B will be hit with thousands of compaints and a massive bandwidth bill.
I've worked for a mail provider, and we regularly had cases where spammers had done things like this, including one really nasty case where a spammer hit back at an anti-spammer by mailing out millions of ads for child porn giving the full contact details of the anti-spammer. Within hours, he had 30.000 complaints in his mailbox, and had had to disconnect his phone and get the police involved because he feared for his security. A few million machines running up his bandwidth bill to something he couldn't ever pay off would have been a nice icing on the cake for the spammer he was trying to expose, I guess...
The problem is that you CAN NOT EVER ASSUME that the site advertised, or the address in the From: or Reply-To: fields etc. are in any way related to the spammer, because you don't know the motivation for the spam. You need to spend time checking and double checking that you're going after the right person or you WILL end up going after innocent bystanders, and if you cause them realy problems (like in the above mentioned case) or financial losses, you can safely assume that somebody WILL sue you, and sooner or later someone WILL win.
Newsflash: Groundbreaking devices based on new technology that cost a lot to develop almost always cost much until some of the costs have been recouped, and volume and reengineering allows for cost cuts.
It's as if I'd been bitching about VCRs because they were expensive when they were launched, instead of wanting one but staying away until prices came down to reasonable levels.
I used to sort of like the Gimp, because I thought it had great promise. That was back in '98 or so. It's still mostly stuck with a UI that blows big time.
Something as basic as drawing lines is still ridiculously unintuitive. Do you seriously think that the amount of money they spent on getting Photoshop running on Linux would make much difference to the quality of the Gimp?
And if you'd read the article, you'd known that the article is about how Disney footed the bill to get Codeweavers to spend resources on getting Photoshop to work properly.
Why do people keep assuming that running Wine will cause a lot of overhead? And why don't people READ the article, including the part about performance? And what does clustering technologies like OpenMosix have to do with running an application that is intended for usage on workstations, not render farms?
And why, oh, why don't people read the article, especially the part of how the real benefit for Disney was that they a) saved money and b) could standarize on Linux instead of having part of their team stuck with Windows?
There is an artificial heart being tested that use induction. Without charging it only lasts for 45 minutes. With a battery belt and an induction charger the patient can move around for about 3 hours without charging.
Yeah, but that doesn't make it a prerequisite to assume that the audience is braindead. The only way they can save that ridiculous storyline (I'm not that good at suspending my disbelief - got to draw the line somewhere...) and make it even remotely plausible is if it turns out that the whole "humans as batteries" thing is just fiction inside another matrix.
It may seem ridiculous, but it wasn't until Georg Cantors work on infinite series in the 19th century mathematicians had a way of providing a proof to solve Zeno's paradox.
The thing is, you might "solve" Zeno's paradox as much as you want by referring to examples, but most attempts at attacking Zeno's paradox via "logical" examples doesn't do anything to explain it, but merely points at motions and declares the matter solved.
Look at your answer again - you just restated the paradox
If you keep taking increasingly smaller steps, you will never reach your goal.
That is the core of the paradox: During the race, you will always have an infinite number of "half-distances" left.
Yet, the paradox as stated is correct in stating that to move from point A to B (provided they are not the same:), you have to cover every "half-distance" in between - an infinite number of them.
So how do you prove that covering an infinite number of half distance is possible to do in finite time?
1. Many false positives, as apparently insecure constructs are totally secure given knowledge the programmer has about the source of inputs. E.g. a static buffer may appear prone to overflows, but maybe it's copying data with a known fixed size.
If the data is part of the executable, it will be available to a good static analyser, and there's no reason there should be a false positive. If the data is not part of the executable, the programmer may think he "knows" that it is secure as much as he wants, he'd still be WRONG, unless the properties he relies on are being verified in some other part of the code, in which case it a good statical analyzer would still have plenty of opportunity to prevent false positives.
Making assumptions about data, even data that is actually part of the executable, makes the code less secure. An adversary could possibly have found a way to modify even part of the executable itself, so using "apparently insecure" constructs might still be a security risk even in the face of formal proof that the program is "safe" (for some definition of safe) if the executable remains unmodified.
It's all a matter of how secure you need your application to be. Do you simply need to prevent buffer overflow and filesystem race conditions, or does your system need the kind of security that require you to overwrite certain variables immediately after you're done with them to reduce the chance of accidental or intentional data leaks, check inputs to ALL functions even when you "know" the inputs, etc?
Most often you don't need to care that much. Sometimes you do.
I agree with you that you need a way of tuning what will trigger an error report, but not because there will be that many false positives, but because there may be a lot of reports that is irellevant for your application - it would be ridiculous to assume that a developer would spend as much time and effort on securing a recipe database and a credit card clearing system, for instance.
If you could write a program that gave you the right lotto numbers 1% of the time, would you consider it useless because it hardly ever worked? Or would you use it because 1% is would be good enough to make you filthy rich in a couple of years?
The question is: Does this program find enough security problems to pay for itself? The answer obviously depends on what kind of analysis it does, and what the potential cost of a breakin would be for you.
That it is impossible to find a perfect solution is irellevant. If the rewards are high enough, a partial solution is often still good enough to be worth significant effort.
Scanning for commonly abused functions, such as gets() would be one method. Scanning for buffer overflows is another check that would be highly useful and that is fairly easy to do. If you do complex flow analysis and couple that with a database of information about legal ranges of inputs and outputs from various system calls etc., you could catch a lot of problems.
Even if you do have access to source, consider that it's not uncommon for a developer to cost their employer well above 300 USD a day. It doesn't take bugs found automatically to justify a fairly hefty price tag if it means less time spent debugging.
I mean, what use is this? If you do not have the source, you may use this tool to check for potential security vulnerabilities. The result will leave you with a binary which you cannot change because you don't have the source, and with a list of potential vulnerabilities, which you can't validate without a great deal more of work which you would need to create working exploits. Failure to produce an exploit does not prove that there is no vulnerability, though.
It's useful because you can a) call your vendor and ask them to explain why your tool tells you their product is junk, b) look for another vendor with fewer reported problems, c) a basis on which to do the type of vulnerability testing any security conscious company would be doing on software they use for mission critical, high security systems anyway, but with the bonus that you have additional information on particularly interesting targets for your testing.
a and b are important because they provide customers with information they classically haven't been able to obtain for closed source programs.
And if you happen to have the source, what use is this tool? There are better tools to find this class of errors on source level.
And which tools would that be? First of all, there are a few statical analysers available that works on source, but have you evaluated what classes of security problems they catch compared to this product?
Secondly, this product has the potential to catch problems that source level statical analysers CAN'T: Problems introduced by buggy compilers. Granted, it's not a high risk, but modern compilers are huge, and DO frequently have bugs in code generation, and on when compiling a huge program it certainly isn't impossible that code generation bugs might trigger security problems in code that would otherwise be "safe".
If you consider Canadian SF - The cube didn't have a big budget.
About half a million, AFAIK, though I don't remember whether that was US or Canadian dollars...
But then The Cube (which you SHOULD SEE if you haven't), had the advantage of only needing one small set consisting of one and a half cube and some different colored lights, and a very small number of actors... Not exactly typical.
If India will be next? Newsflash: India have been building super computers for a long time now, mostly to avoid the US export limitations imposed due to their little "mine is bigger than yours" game with Pakistan (involving nuclear tests).
You're not. However these days anyone with a technical inclinations, lots of ordinary PC's, and free software can put a super computer together themselves. So in other words, trying to limit it have become meaningless.
although the question is: why do such things attract mates?
Because they signify a variety of things, two of which are that you are intelligent and that you are successful enough to have time to pursue things that are not vital for your survivial, both of which show that you are more likely to provide a high likelihood of success for any offspring.
Why would you need to grasp meaning to write good poetry? After seeing how teachers at school butchered poems and invented meanings for poems that were directly opposite of how any sane person would read them, I am forced to conclude that having meaning is not a prerequisite for a good poem. A good poem evoke ideas in the reader - sometimes a poet has specific ideas he or she want to convey, other times feelings that you won't neccesarily find any basis for in the words alone, but very often the reader will get something completely different from the poems.
I'm reminded by an occasion where a serious reviewer was interviewing a famous author about a work that was seen as a masterpiece about a specific scene in his work, and went on at great lengths about the symbolism of the scene. Then he asked the author why he wrote it like that. The answer was "because it sounded good".
Good poetry is what works for the reader, regardless of intent by the poet. A good poet is one that can write good poems that convey at least part of what he or she had to say. But good poems doesn't have to come from good poets.
Yes, some people do like to try to figure out what the poet meant and intended, and sometimes that does have value, because it adds to the experience of the poem. But that is by no means a prerequisite to enjoying a poem. Personally I feel that a poem should be "self contained" - I shouldn't need to understand the poet to get something from the poem. From that perspective, there doesn't have to have been a meaning intended.
There is one very compelling reason to restrict media ownership: Freedom of speech. Freedom of speech is irellevant if it is impossible to get speech that deviate from the mainstream out there.
The US media coverage during the Iraq war, for instance, fully demonstrated how one sided the US media already is - following the war in US and European media (even pro-war European media) one could be excused for thinking one were following two different wars.
On some issues, "freedom" of speech in the US is like being allowed to whisper while ten people are standing around you screaming through megaphones.
Allowing more media consolidation means allowing narrow economic interests to control even more of what the public hear, see and read. Talk all you want about how people can choose to read something else - fact is most people don't know whats available outside the mainstream because they're never told about it and never see it, and effectively don't have an opportunity to make the choice because of that.
Slashdot Mirror
The North pole melting won't add to sea levels, because all the ice is already in the water, however if the South pole starts melting, it most certainly will raise the water levels due to the simple fact that there is land underneath most of it.
You're of course assuming that a race that can live 10^33 years would be unable to find a workaround in that timeframe? Consider how much science has advanced so far, I'd say chances are pretty good they'd find something. I particularly liked the solution Fredrick Pohl used in the Heechee saga: What if one has the ability to shelter oneself from the know universe, make the universe start contracting, and causing a new big bang, then reentering the universe afterwards? The scientific advances of 10^33 years uninterrupted by such annoying things as people dying in their prime or getting senile when they finally start reaching the depths of their area of research would be far beyond what we can fathom. Surely some interesting potential solutions would come out of it.
Look at it this way: Microsoft has 40-50 billion USD in the bank. If Microsoft gets hit too hard by software patents, Microsoft will start seeing software patents as a problem. 40-50 billion means you can afford quite a bit of lobbying and "industry" associations and "public" outcry to make lawmakers see your point.
Bzzzt. Wrong. Free movement of labor let companies push salaries down, because the pool of available workers with the right skills increase. Why do you think free movement of labor has been one of the corner stones of the EU since the start, despite the EU's start as a purely economic cooperation to further European industry?
Personally I think it looks more like they are trying to end up in a remake of the USA. Still got a few civil liberties to abridge before we get there, but if Bush doesn't get reelected next time around perhaps we'll manage to close in.
Keep in mind that this is a directive that first have to be approved by EU centrally, then it has to be enacted in local legislation, which leaves plenty of time to get rid of it or at least tone it down (via creative interpretations in the adaptations to local law).
The US is already stuck with the DMCA in effect, and a long string of "security" measures limiting your "freedom" to a level that starts to make even several dictatorships look more and more free by the day.
One can say a whole lot of bad things about the governing bodies of the EU, but I could say a whole lot worse things about the current US government, most of which are not suitable even for Slashdot :-)
If you allow anyone to make any machine readable identification without either expressly forbidding them to use it to limit consumer choice OR expressly allow the identification to be cloned, you ARE opening for exactly what the "people scaremongering" have suggested.
We've seen this clearly enough illustrated with the lawsuits against clone inkjet cartridge makers, where the printer manufacturers have hid behind the DMCA, trade secrets and patents to try to limit consumer choice.
I've worked for a mail provider, and we regularly had cases where spammers had done things like this, including one really nasty case where a spammer hit back at an anti-spammer by mailing out millions of ads for child porn giving the full contact details of the anti-spammer. Within hours, he had 30.000 complaints in his mailbox, and had had to disconnect his phone and get the police involved because he feared for his security. A few million machines running up his bandwidth bill to something he couldn't ever pay off would have been a nice icing on the cake for the spammer he was trying to expose, I guess...
The problem is that you CAN NOT EVER ASSUME that the site advertised, or the address in the From: or Reply-To: fields etc. are in any way related to the spammer, because you don't know the motivation for the spam. You need to spend time checking and double checking that you're going after the right person or you WILL end up going after innocent bystanders, and if you cause them realy problems (like in the above mentioned case) or financial losses, you can safely assume that somebody WILL sue you, and sooner or later someone WILL win.
To me, my roller blades are the toys, just as I'd consider roller skates, a scooter, or a skateboard toys. On the other hand I'd love a Segway.
It's as if I'd been bitching about VCRs because they were expensive when they were launched, instead of wanting one but staying away until prices came down to reasonable levels.
I used to sort of like the Gimp, because I thought it had great promise. That was back in '98 or so. It's still mostly stuck with a UI that blows big time. Something as basic as drawing lines is still ridiculously unintuitive. Do you seriously think that the amount of money they spent on getting Photoshop running on Linux would make much difference to the quality of the Gimp?
And if you'd read the article, you'd known that the article is about how Disney footed the bill to get Codeweavers to spend resources on getting Photoshop to work properly.
Why do people keep assuming that running Wine will cause a lot of overhead? And why don't people READ the article, including the part about performance? And what does clustering technologies like OpenMosix have to do with running an application that is intended for usage on workstations, not render farms? And why, oh, why don't people read the article, especially the part of how the real benefit for Disney was that they a) saved money and b) could standarize on Linux instead of having part of their team stuck with Windows?
There is an artificial heart being tested that use induction. Without charging it only lasts for 45 minutes. With a battery belt and an induction charger the patient can move around for about 3 hours without charging.
Yeah, but that doesn't make it a prerequisite to assume that the audience is braindead. The only way they can save that ridiculous storyline (I'm not that good at suspending my disbelief - got to draw the line somewhere...) and make it even remotely plausible is if it turns out that the whole "humans as batteries" thing is just fiction inside another matrix.
The thing is, you might "solve" Zeno's paradox as much as you want by referring to examples, but most attempts at attacking Zeno's paradox via "logical" examples doesn't do anything to explain it, but merely points at motions and declares the matter solved.
Look at your answer again - you just restated the paradox
If you keep taking increasingly smaller steps, you will never reach your goal.
That is the core of the paradox: During the race, you will always have an infinite number of "half-distances" left.
Yet, the paradox as stated is correct in stating that to move from point A to B (provided they are not the same :), you have to cover every "half-distance" in between - an infinite number of them.
So how do you prove that covering an infinite number of half distance is possible to do in finite time?
That's where the aforementioned limits of infinite series comes in.
Today, this is pretty basic maths, but it had people stumped for a proof for more than two thousand years.
If the data is part of the executable, it will be available to a good static analyser, and there's no reason there should be a false positive. If the data is not part of the executable, the programmer may think he "knows" that it is secure as much as he wants, he'd still be WRONG, unless the properties he relies on are being verified in some other part of the code, in which case it a good statical analyzer would still have plenty of opportunity to prevent false positives.
Making assumptions about data, even data that is actually part of the executable, makes the code less secure. An adversary could possibly have found a way to modify even part of the executable itself, so using "apparently insecure" constructs might still be a security risk even in the face of formal proof that the program is "safe" (for some definition of safe) if the executable remains unmodified.
It's all a matter of how secure you need your application to be. Do you simply need to prevent buffer overflow and filesystem race conditions, or does your system need the kind of security that require you to overwrite certain variables immediately after you're done with them to reduce the chance of accidental or intentional data leaks, check inputs to ALL functions even when you "know" the inputs, etc?
Most often you don't need to care that much. Sometimes you do.
I agree with you that you need a way of tuning what will trigger an error report, but not because there will be that many false positives, but because there may be a lot of reports that is irellevant for your application - it would be ridiculous to assume that a developer would spend as much time and effort on securing a recipe database and a credit card clearing system, for instance.
The question is: Does this program find enough security problems to pay for itself? The answer obviously depends on what kind of analysis it does, and what the potential cost of a breakin would be for you.
That it is impossible to find a perfect solution is irellevant. If the rewards are high enough, a partial solution is often still good enough to be worth significant effort.
Scanning for commonly abused functions, such as gets() would be one method. Scanning for buffer overflows is another check that would be highly useful and that is fairly easy to do. If you do complex flow analysis and couple that with a database of information about legal ranges of inputs and outputs from various system calls etc., you could catch a lot of problems.
Even if you do have access to source, consider that it's not uncommon for a developer to cost their employer well above 300 USD a day. It doesn't take bugs found automatically to justify a fairly hefty price tag if it means less time spent debugging.
It's useful because you can a) call your vendor and ask them to explain why your tool tells you their product is junk, b) look for another vendor with fewer reported problems, c) a basis on which to do the type of vulnerability testing any security conscious company would be doing on software they use for mission critical, high security systems anyway, but with the bonus that you have additional information on particularly interesting targets for your testing.
a and b are important because they provide customers with information they classically haven't been able to obtain for closed source programs.
And if you happen to have the source, what use is this tool? There are better tools to find this class of errors on source level.
And which tools would that be? First of all, there are a few statical analysers available that works on source, but have you evaluated what classes of security problems they catch compared to this product?
Secondly, this product has the potential to catch problems that source level statical analysers CAN'T: Problems introduced by buggy compilers. Granted, it's not a high risk, but modern compilers are huge, and DO frequently have bugs in code generation, and on when compiling a huge program it certainly isn't impossible that code generation bugs might trigger security problems in code that would otherwise be "safe".
About half a million, AFAIK, though I don't remember whether that was US or Canadian dollars...
But then The Cube (which you SHOULD SEE if you haven't), had the advantage of only needing one small set consisting of one and a half cube and some different colored lights, and a very small number of actors... Not exactly typical.
If India will be next? Newsflash: India have been building super computers for a long time now, mostly to avoid the US export limitations imposed due to their little "mine is bigger than yours" game with Pakistan (involving nuclear tests).
You're not. However these days anyone with a technical inclinations, lots of ordinary PC's, and free software can put a super computer together themselves. So in other words, trying to limit it have become meaningless.
Because they signify a variety of things, two of which are that you are intelligent and that you are successful enough to have time to pursue things that are not vital for your survivial, both of which show that you are more likely to provide a high likelihood of success for any offspring.
I'm reminded by an occasion where a serious reviewer was interviewing a famous author about a work that was seen as a masterpiece about a specific scene in his work, and went on at great lengths about the symbolism of the scene. Then he asked the author why he wrote it like that. The answer was "because it sounded good".
Good poetry is what works for the reader, regardless of intent by the poet. A good poet is one that can write good poems that convey at least part of what he or she had to say. But good poems doesn't have to come from good poets.
Yes, some people do like to try to figure out what the poet meant and intended, and sometimes that does have value, because it adds to the experience of the poem. But that is by no means a prerequisite to enjoying a poem. Personally I feel that a poem should be "self contained" - I shouldn't need to understand the poet to get something from the poem. From that perspective, there doesn't have to have been a meaning intended.
The US media coverage during the Iraq war, for instance, fully demonstrated how one sided the US media already is - following the war in US and European media (even pro-war European media) one could be excused for thinking one were following two different wars.
On some issues, "freedom" of speech in the US is like being allowed to whisper while ten people are standing around you screaming through megaphones.
Allowing more media consolidation means allowing narrow economic interests to control even more of what the public hear, see and read. Talk all you want about how people can choose to read something else - fact is most people don't know whats available outside the mainstream because they're never told about it and never see it, and effectively don't have an opportunity to make the choice because of that.