find all mallocs / frees and replace with smart pointers
Firstly, I want to highlight my limited experience with C (tons of experience in modern C-based languages though) and this comment being a honest concern. After that short introduction, here I go: I am currently developing a plain-C application and, as a way to adapt my modern-language expertise to the C peculiarities, I have come up with a set of methods simplifying things like memory management and array instantiation. That application is meant to systematically deal with strings of virtually any size what, together with the aforementioned methods expected to define a consistent overall structure, explains why that code mostly rely on malloc (+ free). Consider the following code snippet:
stringVariable = StringAction_m(stringVariable, "literal to do whatever"); //do all what is required with StringVariable free(stringVariable);
The basic structure depicted by the aforementioned sample is applied everywhere in the referred code (string/array instantiation, string/array copy, etc.). All the methods including an ending "_m" return a variable which has been malloced and not freed. The first argument of all these methods (stringVariable in the sample) is the output variable. If that variable is different than NULL, the given method would free it before performing the corresponding allocation; what means that these methods might be called to instantiate a variable for the first time or to further modify a previous malloc-instantiated variable.
I am quite comfortable with that approach, even despite my limited C experience. This seems a quite problem-free structure and, in the worst scenario, easy to be debugged; for example, I can immediately know whether a free statement is wrong by looking at the (ending "_m" in the name of the) function where the given variable was instantiated; note that there isn't a single malloc outside these functions. I am not planning to move to C++ or even to appreciably change that approach, but I do recognise my limited expertise in all this and would like to know whether I am missing something, perhaps not even for that specific development but for the future. You seem to not like malloc/free at all, so I guess that you are in an excellent position to tell me what might be wrong with that approach. What do you think?
What do you know... computer security does matter when it comes to specific days of the week and religion defined celebrations.
You are getting my statement out of context. I meant when trying to come up with a good enough password regardless of anything else. In other situations, that information might certainly be relevant. Everything is a matter of (properly understanding the given) context.
But since Quantum uses Rust, it has better memory GC than the old FF written in C++, right?
I haven't ever used Rust, but apparently it allows manual memory management, unlikely a big proportion of modern programming languages. The memory allocation in C (whose features can be fully enjoyed in C++) is completely manual and, consequently, the given programmer is the only one to blame for any problem on this front. GC is a feature of managed memory (apparently, also present in Rust) and implies pretty much the opposite to the aforementioned manual memory management. So, you can certainly use C/C++ to build the most efficiently-memory-managed piece of software ever; not sure what you can do with Rust and its manual+GC memory management.
An immediate conclusion of Earth being flat is it having edges. Where these people think that these parts are located and how are they picturing them? It would make much more sense to believe in it being a cube or any other 3D geometry avoiding that 2D limitation of having boundaries/edges/end. You don't even need to ever find such boundaries to understand that they are extremely incompatible with things like seas; or how should seas deal with the edges of the world? Water systematically falling down? To where? And how could seas recover from losing so much water? You might even just look at all what surrounds you to understand that spheres are an extremely common shape in nature, unlikely planes or other 2D forms.
Some people might think that my comment is extremely evident and nobody in their right mind can think that the Earth is flat. I have personally never met a flat-earther, but have seen a relevant amount of (online) ignorance blindly defended/attacked by people who have a similarly bad understanding about what they are attacking/defending; and even becoming extremely aggressive in doing so, true fanatics of what they don't even understand.
When you start replacing adequately understanding something with blind trust in it being in certain way, you enter in the realm of faith/beliefs; it doesn't matter the formal name of that field or how many people (you think that) think the same, all what matters is your (un)willingness to properly understand and behave accordingly (= "don't talk if you don't know"). If you go one step forward in that direction and start trying to impose your views on others and to attack anyone thinking differently than you, you would become a fanatic. I do respect everyone's beliefs, even in-denial attitude regarding what their actual knowledge/contribution is; at least, for as long as they don't become fanatics seriously expecting me to accept their truths. Any personality defined by "I believe in X and am happy with that" is very respect-worthy for me; on the other hand, "things have to be in that way" actions don't deserve any kind of tolerance.
?! How could I argue against such a powerful argument?! I don't know... I will continue reading your post to see if I can find any weakness in your perfect-so-far speech. LOL (-> to help you understand that I am joking, because you seem so stupid that might not get that point without some help).
This kind of analysis is exactly what computers are best at doing.
Seriously? Can you please explain then why all the speech recognition systems out there output ridiculous interpretations on a more or less regular basis and under virtually any scenario? Can you also explain me why you cannot make almost any of those systems (certainly not the ones I tested) recognise non-valid words? If I say to you "var1" or "functionA" or "asdaf" you would understand it, why these systems cannot? I look forward to reading a new sample of your wisdom helping me understand these issues better. Please, illustrate me, wise one. LOL.
Entire countries have been using voice prints for access to government services for years.
I am not sure what is exactly wrong with all the commentators in this thread, but none of you seemed to have read/understood my original comment. I will repeat it once again: the whole point I have been trying to make since the very first moment is that associating a specific set of words with certain person seems reasonably easier, way easier than random speech/word recognition. Even though, this is a quite problematic format: sound is a much more complex input than text and is provided in a much more uncontrolled/problematic/trickable environment than just typing whatever.
In any case and despite my aforementioned ideas of assuming that this specific implementation is relatively easy, I seriously doubt that these systems have been deployed at a relevant level, much less when talking about high-security, governmental bodies (which are usually late adopters of new technologies mainly of those not providing any noticeable improvement). As second or third level security confirmation under highly controlled conditions? Why not? Governments doing that? Without any publicity ("look how modern we are")? Very unlikely. This is, by definition, a less secure system; it doesn't even add a relevant level of comfortability for users. It is mostly meant to look cool/modern. Basically, what happens in (James Bond) movies. Might perhaps your wise knowledge come from that source, wise AC? Are you bringing to this conversation all what you know from your dreams, someone-told-me-so and the last spy movie you watched? LOL
For example, we captured the sound signatures of all submarines we could, especially Russian.
These are completely different scenarios. On one hand, you are analysing a set of more or less clearly defined situations (noises made by submarines) under quite favourable conditions (silent sea) and outputting a simplistic conclusion (submarine or not). On the other hand, you have a huge variety of different possibilities (words, accents, pronunciations, voices, etc.) under potentially very negative conditions (bad-quality audio, person not talking clearly or being ill, typical-modern-society random noises, etc.) and outputting the best match out of a huge number of options some of them being very similar to each other (the exact word). Even though the underlying theory might be somehow similar, detecting submarines and accurately recognising speech/words are completely different beasts.
Sound recognition has come a long way since then.
There have been lots of improvements there and in many other fronts. All what is related to computers/software is systematically evolving, much faster than anything else. The problem here is that you are over-simplifying the reality by assuming that "sound recognition" is a well defined problem accepting a binary solution (already solved or not). You can take any voice recognition system out there and see it for yourself: there are lots of limitations and even the most advanced approaches are still very far away from doing what a person does.
Some months ago, I wrote here some posts about the problems I faced while trying to rely on existing voice recognition systems to perform certain development. Even though I knew that voice recognition was very difficult (that's why I looked for an already done piece of software rather than developing this part myself), I was honestly expecting a higher accuracy than what I found. In fact, there was an issue which forced me to stop that development: it was impossible to recognise meaningless words (e.g., "var1") because most of current approaches are dictionary-based (can recognise English words if English is enabled, Spanish words if Spanish is enabled, etc.). In any case, I insist in the fact that my original post was meant to highlight that this specific specific situation of recognising a person based on how certain words are said seems quite easy; way easier than random speech/word recognition.
It may or may not be *difficult*, but it's definitely *possible*
I never said that it was impossible. In fact, the whole point of my original post was highlighting that it was easier than it might look like. Current voice recognition software (just recognising each word as a person would do) has lots of limitations; on the other hand, developing an acceptably reliable approach determining whether certain words were said by a given person or not doesn't look too difficult.
Whenever a friend or family member calls me, I can recognize their voice even WITHOUT them telling me who it is
But you aren't a computer! Your perception and understanding systems are waaaaaaay better than the ones of any machine. Computers and software are good for (quickly) performing a high number of simple tasks, but not for complicated ones (at least, not practically in the sense of nobody being able/willing to develop all the required algorithms). Recognising the voice of someone under random conditions is a quite complex action. There are many things that are extremely simple for you, but extremely difficult for a computer.
Further filtering eliminates the constant, repetitive, background noise.
Background noise/low quality sound is a tremendous problem when dealing with any kind of automated sound recognition. You always try to filter/remove, but can do that mostly in easy scenarios (all what is constant or regular is usually easy) not everywhere. Additionally, the most fine-tuned the recognition, the more relevant become these aspects. In any case, I only said that I wasn't sure about how well a system on these lines could handle these issues (how easy the implementation would be), not categorically stating whether it could (not) deal with them.
The summary specifically says that this eliminates the use of a password
I would never suggest to implement this system for any serious matter, much less without including a password or further security. All what I said is that it seems technically doable and easier than what it might look.
All you need to do is get a recording of the person using those words
But this is pretty much the same than saying that you can type the password of the person. Logically, those words have to be secret. Also not too sure whether a recording could trick a properly-built system. Again, my post was about what I think that is an easy and reasonably accurate approach to face this, not about recommending its implementation.
This could be used to harden existing security measures, but it shouldn't replace them.
Recognising random words with random accents and under random conditions is difficult, but a list of specially-selected words said by the same person might allow to relatively easily and accurately recognise someone. I am not sure regarding their claims of everything working fine even when the person has a cold or similar; same thing when dealing with background noise or low quality sound. In any case, it seems a quite problematic format which, unless being deployed for a very good reason and always used under good conditions, should be avoided.
Yep, the two or three or four files I change are no longer identical. The other 4,997 files
This is explained in other comments in the thread: GitHub doesn't seem to internally care about the non-modified forked files (it only shows everything to the user) and, in any case, the counting methodology has to forcibly care about this issue, otherwise the proportion of duplicate files would be extremely high (easily over 99%) and not descriptive of the real usage of the platform. For example, I have a couple of forks to the public.NET repositories, each of them might contain millions of files and I only modified 2 or 3 (reasonably relevant modifications though); if you count all these files in my dupe counter, I would have over 99.99% duplicates just because of this what doesn't make sense.
And as far as I am clarifying issues which should be evident to virtually anyone, also note that "my public-source activity" represents a net loss for me (potentially beneficial in the long term, logically). It is a mere self-promotion where I don't earn a penny; in fact, I lose a lot via time/effort investment and having to worry about addressing the most clueless concerns of random idiots (the sensible, knowledgeable people truly interested in properly understanding, learning, contributing, etc., on technical aspects or, eventually, to properly use my activity to determine my suitability for whatever project seem to be a minority!). The idea of me only earning money via being hired as a (remotely-working) programmer to work on whatever development (although being quite picky with clients/projects) seems particularly difficult to understand for some people, despite my multiple repetitions in many places (+ the evidence that a remotely-working programmer is usually mostly interested in working as a programmer). This is another aspect which puzzles/bothers/tires me a lot about a big part of the online programming (or whatever you want to call it) community: how are these people exactly working/getting money if I have to systematically explain them so evident issues?! Anyway, I guess that this is more than enough on the evident over-clarification front for today.
With "I will be notably reducing my activity on this front", I logically meant my public-source activity. I have already lots of public codes which can help anyone interested in (and capable of) understanding my programming skills and working attitude. I will most likely continue having a quite relevant programming-related online activity, but will not be wasting my time in over-commenting and making codes everyone-friendly to be ignored or cluelessly misassessed by those only knowing how to count stars/lines of code and to run ready-to-be-used programs. In any case, I do look forward to the current ridiculously-bad-for-everyone situation to gradually change and to modify my behaviour accordingly. Under equivalent conditions, I will always prefer to share/show/give/contribute/help than to keep everything to myself.
Maybe the most important is so that other people can see your pull requests.
But this makes lots of sense. This is precisely the whole point of forking: actively and publicly contributing in others' code. It doesn't matter if the PR is accepted or not, you have already modified the original version. What doesn't make sense is forking something which you don't touch at all; perhaps temporarily and under very specific conditions, but not that being the general rule.
Additionally, "enjoy on your own machine" brings up the question which of my machines?
I meant this in case you weren't interested in modifying the original code (what the forks/PRs are for), but just in using it.
At my current job, our *company* has forks that our *team* works on before submitting a pull request upstream. Which local computer would you save our copy on that our whole team could see it and work with it?
Exactly the same than the previous scenarios: in the moment you perform whatever modification and save it in GitHub, the corresponding file stops being identical to the original one. It doesn't matter if you do a PR or not, that scenario shouldn't count as a duplicate anyway.
Correct me if I am wrong, but isn't the whole point of a fork to perform some, ideally relevant enough modifications on the original code? By assuming that the conclusion of 70% of duplicate code was output by a sensible and reliable methodology, this would mean that most of the forked files are identical to their original version! So, what is the point of forking or having a repository exactly replicating the contents of another one? You can clone/download all what you wish and enjoy it on your own machine, but why having publicly accessible codes which have been basically developed by other people? This doesn't seem to be compatible with what open source, GitHub, etc. is expected to be. You should be creating something by your own or modifing/improving/extending what others did, but why having a repository with code which has nothing to do with you? There is another also quite negative issue which might somehow explain all this: inefficiently developed algorithms where the same code chunks are repeated over and over; everyone relies on this kind of quicker, easier approaches for temporary, intermediate, preliminary, etc. reasons, but why publicly sharing bad code? Nothing of this makes sense to me.
Honestly, I thought that you were also kidding in your first post. Perhaps this wasn't the case, so I will better clarify that the peculiarities of prime numbers only make sense within a very specific context (similarly to what happens with pretty much any other thing), namely divisions. In some algorithms and for whatever reasons you might prefer to make sure that a given number isn't divisible by others and this is where prime numbers are useful. The fact that prime numbers are being used in a relevant number of encryption algorithms (I cannot tell for sure right away, but in principle it doesn't look like an absolutely unavoidable requirement) has to be understood as those algorithms providing the aforementioned meaningful context for them (= divisions where having a reminder different than zero matters or not).
In general terms and when choosing any given number, all of them are identically good. The right context for choosing a safe password is it to be difficult for other person to guess. Thinking that specific numbers or days of the week or years or similar are intrinsically better than others only makes sense within magic-like expectations (superstition, religion or things on these lines), what is pretty much the opposite to what empirical and deterministic maths/programming/engineering/science everything is supposed to be.
People don't care about analysing code properly, learning from it or even adequately adapting it to whatever other situation. In fact, I think that a big proportion of programming-related people aren't even able to analyse/understand random pieces of slightly complex code. There is an (ignorant) tendency towards ridiculously-specific specialisations and a systematic promotion of copy-pasting, absolute-truth-repetition and arbitrary, group-based assessments; and this is precisely why you see so many problems in software everywhere: many people with lots to say in the industry not doing it properly, not knowing how to do it properly and not even able to recognise who does (not) do it properly. Personally and after having been releasing my biggest open-source code so far during the last months, I will be notably reducing my activity on this front. It is very discouraging seeing how a so lost system misuses and misinterprets my work.
DISCLAIMER: I am the sole author of all my public code (including associated resources like comments, documentation, etc.), in the sense that I have developed it completely from scratch. Additionally, note that I release all of it as public domain and that's why I am not precisely concerned about random people using it or referring me. I am exclusively interested in knowledgeable programmers analysing it to get a good idea about my skills.
14389 is a prime with uneven digits in even positions
In a zero-based position counting, yes; but this is the convention only in some (well, most of) programming languages. In an informal chat, the most common interpretation is to assume 1-based positions. Anyway, I was evidently joking: all the numbers are equally secure and random, except 4. LOL.
There isn't much information, but it seems quite clear that all this is only applicable to Russia. I am currently testing yandex.com to see what it can do and, although the results are a bit different and kind of Russian-sites prone, it should be quite independent from yandex.ru (a quite random guess anyway, as far as I don't speak Russian and cannot really test it). In any case, these news shouldn't affect yandex.com or other international versions of Russian sites.
not in the spam itself. Basically a spamming service
Interesting theory. It seems to make more sense than any other version. In any case and as said, I am not too concerned about anything of this for various reasons. I don't get almost any spam and ignore/make fun of the little amount which I get. I have never spammed anyone (unless when fighting back some spammer:)) and, in fact, consider that "technique" extremely negative for any business/activity. My work has never been even slightly related to spam or any other generic, invasive, crappy, lazy, dishonest, etc. way to earn money; note that I am person eminently concerned about the means rather than the final goal and being very proud of what I do and how I do is way much more important for me than money (although I do expect my work to be fairly rewarded). I have never been contacted by a spammer or similar to develop whatever piece of software and will certainly reject any request on these lines; much more now, when I am extremely demanding regarding the kind of projects/clients I want. It was a kind of interesting chat anyway.
Apparently, there is some other people also thinking that that nonsense is logical. They have even written quite a lot about this in the corresponding Wikipedia page. The text there (lots of generic talking and not many practical examples because well there is none) seems quite descriptive of the worst case scenario of this "threat" and the kind of partiality and fanaticism that, unfortunately, it is too common within the software development industry, following whatever daily trend, over-concerned about what is irrelevant and ignoring what really matters. Anyway, I will write my impressions about these contents to properly illustrate my point.
Logically (and unlikely what some people suggested here in the aforementioned article some months ago), you cannot directly access/modify whatever information is in a pointer/memory location of a running program. Apparently, the way to "exploit" this "weakness" is to hope that a random value (within a huge potential range) might have any kind of effect on the given application. So, imagine that in a given method (out of the potential thousands, even millions of methods in a piece of software about which you know nothing), a variable (out of the potential thousands, millions, etc.) is expected to get the value "123456"; but the given code performs the required memory allocation wrongly and provokes a buffer overflow, what changes that value to whatever other one might be associated with said memory position. Under the most likely conditions (around 99.99999999999% of the cases, I guess), the resulting value would be crazily wrong and an error would be triggered. But, in some very specific case, it might happen that the resulting value might be good enough to not provoke a crash. So, in that virtually-impossible case, you would have accomplished the marvelous result of having modified the value of a variable, out of many, about which you know nothing to a different value about which you know nothing!
And this is your breach of security! This is what makes you think that it is a good reason for stopping using a given programming language!! Are you being serious?? Have people forgotten about self-respect, objectivity and professionalism or what on the hell is wrong here?? As commented in that other thread some months ago, I did find a way much more relevant problem with applications used by open.NET to compile their public code! It was possible to directly affect the pure source code of a running executable!! And my conclusion was that this couldn't be seen as a threat because of being extremely unlikely to be exploitable under virtually any real scenario! But this was (Microsoft changed it a short while later) orders of magnitude much more dangerous than the aforementioned nonsense! And they have a whole Wikipedia page and apparently some fans! All what I got with that analysis I made was the problem to be fixed (no idea if because of me; nobody told me anything), having to update the text to reflect that change in the conditions and not even a single comment!! I don't expect anything else, because I don't see the true relevance of all that, but why these people do all that! And then you get millions of records stolen on a regular basis because of not performing the most basic actions; but rather than focusing on performing said evident actions, you get completely paranoid and start seeing problems in the air!!! I am not trying to criticise certain people or sub-field or "experts", but an attitude, very relevant for this specific thread: how can you complain about software having lots of problems with this kind of things! What person really wanting to fix/improve/help could give even half a shit about what I am describing here? I don't even think that these people have developed even the simplest piece of software in C/C++; otherwise, I can honestly not imagine anyone feeling like spending their time on such a nonsense. This is another cancer of software development: generically talking, prohibiting, fearing, guessing, blaming, etc. most of the times with low-to-no relevant expertise! Pfff... Well, I guess that this has been an excellent epilogue to my previous post and my ideas on these fronts.
With "The only thing that you can get after a memory overflow is the certainty that that program will crash, perhaps right away or perhaps after some seconds." I meant that the corresponding error might appear right after executing the faulty part of the code which provokes the memory overflow or a bit later. After a memory overflow, the error-message/crash is immediate.
Thanks to C/C++, tiniest bug anywhere in any software, allows a hacker to take control of a computer system.
What are you talking about? A very important proportion of all the software in existence (including quite a few other programming languages) are written in one of these two languages. When talking about basic/core infrastructure they even don't have any relevant competition! And I am saying that despite not using any of them too much myself, unless under very specific conditions! The only reason why a given programming language might be (un)safe is a bug in its code, what is thousands of times easier to happen in newer programming languages which have been used much less.
Some months ago, I read here an extremely ignorant concern about a memory overflow being a way to manipulate how the given program might behave!? The only thing that you can get after a memory overflow is the certainty that that program will crash, perhaps right away or perhaps after some seconds. C (and to a lesser extent C++) are definitively much less programmer friendly than newer languages; but even this is a quite partial statement as far as some people might feel more comfortable working with them. Other than that and the evident performance differences on some fronts (C being really quick), there is absolutely no problem with these languages. The corresponding developer + surrounding "issues" (e.g., clueless manager setting unreasonable constraints) is the sole responsible for whatever problem, including having relied on certain programming language without the required knowledge/experience.
Slashdot Mirror
find all mallocs / frees and replace with smart pointers
Firstly, I want to highlight my limited experience with C (tons of experience in modern C-based languages though) and this comment being a honest concern. After that short introduction, here I go: I am currently developing a plain-C application and, as a way to adapt my modern-language expertise to the C peculiarities, I have come up with a set of methods simplifying things like memory management and array instantiation. That application is meant to systematically deal with strings of virtually any size what, together with the aforementioned methods expected to define a consistent overall structure, explains why that code mostly rely on malloc (+ free). Consider the following code snippet:
stringVariable = StringAction_m(stringVariable, "literal to do whatever");
//do all what is required with StringVariable
free(stringVariable);
The basic structure depicted by the aforementioned sample is applied everywhere in the referred code (string/array instantiation, string/array copy, etc.). All the methods including an ending "_m" return a variable which has been malloced and not freed. The first argument of all these methods (stringVariable in the sample) is the output variable. If that variable is different than NULL, the given method would free it before performing the corresponding allocation; what means that these methods might be called to instantiate a variable for the first time or to further modify a previous malloc-instantiated variable.
I am quite comfortable with that approach, even despite my limited C experience. This seems a quite problem-free structure and, in the worst scenario, easy to be debugged; for example, I can immediately know whether a free statement is wrong by looking at the (ending "_m" in the name of the) function where the given variable was instantiated; note that there isn't a single malloc outside these functions. I am not planning to move to C++ or even to appreciably change that approach, but I do recognise my limited expertise in all this and would like to know whether I am missing something, perhaps not even for that specific development but for the future. You seem to not like malloc/free at all, so I guess that you are in an excellent position to tell me what might be wrong with that approach. What do you think?
What do you know... computer security does matter when it comes to specific days of the week and religion defined celebrations.
You are getting my statement out of context. I meant when trying to come up with a good enough password regardless of anything else. In other situations, that information might certainly be relevant. Everything is a matter of (properly understanding the given) context.
But since Quantum uses Rust, it has better memory GC than the old FF written in C++, right?
I haven't ever used Rust, but apparently it allows manual memory management, unlikely a big proportion of modern programming languages. The memory allocation in C (whose features can be fully enjoyed in C++) is completely manual and, consequently, the given programmer is the only one to blame for any problem on this front. GC is a feature of managed memory (apparently, also present in Rust) and implies pretty much the opposite to the aforementioned manual memory management. So, you can certainly use C/C++ to build the most efficiently-memory-managed piece of software ever; not sure what you can do with Rust and its manual+GC memory management.
An immediate conclusion of Earth being flat is it having edges. Where these people think that these parts are located and how are they picturing them? It would make much more sense to believe in it being a cube or any other 3D geometry avoiding that 2D limitation of having boundaries/edges/end. You don't even need to ever find such boundaries to understand that they are extremely incompatible with things like seas; or how should seas deal with the edges of the world? Water systematically falling down? To where? And how could seas recover from losing so much water? You might even just look at all what surrounds you to understand that spheres are an extremely common shape in nature, unlikely planes or other 2D forms.
Some people might think that my comment is extremely evident and nobody in their right mind can think that the Earth is flat. I have personally never met a flat-earther, but have seen a relevant amount of (online) ignorance blindly defended/attacked by people who have a similarly bad understanding about what they are attacking/defending; and even becoming extremely aggressive in doing so, true fanatics of what they don't even understand.
When you start replacing adequately understanding something with blind trust in it being in certain way, you enter in the realm of faith/beliefs; it doesn't matter the formal name of that field or how many people (you think that) think the same, all what matters is your (un)willingness to properly understand and behave accordingly (= "don't talk if you don't know"). If you go one step forward in that direction and start trying to impose your views on others and to attack anyone thinking differently than you, you would become a fanatic. I do respect everyone's beliefs, even in-denial attitude regarding what their actual knowledge/contribution is; at least, for as long as they don't become fanatics seriously expecting me to accept their truths. Any personality defined by "I believe in X and am happy with that" is very respect-worthy for me; on the other hand, "things have to be in that way" actions don't deserve any kind of tolerance.
You are a fucking idiot.
?! How could I argue against such a powerful argument?! I don't know... I will continue reading your post to see if I can find any weakness in your perfect-so-far speech. LOL (-> to help you understand that I am joking, because you seem so stupid that might not get that point without some help).
This kind of analysis is exactly what computers are best at doing.
Seriously? Can you please explain then why all the speech recognition systems out there output ridiculous interpretations on a more or less regular basis and under virtually any scenario? Can you also explain me why you cannot make almost any of those systems (certainly not the ones I tested) recognise non-valid words? If I say to you "var1" or "functionA" or "asdaf" you would understand it, why these systems cannot? I look forward to reading a new sample of your wisdom helping me understand these issues better. Please, illustrate me, wise one. LOL.
Entire countries have been using voice prints for access to government services for years.
I am not sure what is exactly wrong with all the commentators in this thread, but none of you seemed to have read/understood my original comment. I will repeat it once again: the whole point I have been trying to make since the very first moment is that associating a specific set of words with certain person seems reasonably easier, way easier than random speech/word recognition. Even though, this is a quite problematic format: sound is a much more complex input than text and is provided in a much more uncontrolled/problematic/trickable environment than just typing whatever.
In any case and despite my aforementioned ideas of assuming that this specific implementation is relatively easy, I seriously doubt that these systems have been deployed at a relevant level, much less when talking about high-security, governmental bodies (which are usually late adopters of new technologies mainly of those not providing any noticeable improvement). As second or third level security confirmation under highly controlled conditions? Why not? Governments doing that? Without any publicity ("look how modern we are")? Very unlikely. This is, by definition, a less secure system; it doesn't even add a relevant level of comfortability for users. It is mostly meant to look cool/modern. Basically, what happens in (James Bond) movies. Might perhaps your wise knowledge come from that source, wise AC? Are you bringing to this conversation all what you know from your dreams, someone-told-me-so and the last spy movie you watched? LOL
For example, we captured the sound signatures of all submarines we could, especially Russian.
These are completely different scenarios. On one hand, you are analysing a set of more or less clearly defined situations (noises made by submarines) under quite favourable conditions (silent sea) and outputting a simplistic conclusion (submarine or not). On the other hand, you have a huge variety of different possibilities (words, accents, pronunciations, voices, etc.) under potentially very negative conditions (bad-quality audio, person not talking clearly or being ill, typical-modern-society random noises, etc.) and outputting the best match out of a huge number of options some of them being very similar to each other (the exact word). Even though the underlying theory might be somehow similar, detecting submarines and accurately recognising speech/words are completely different beasts.
Sound recognition has come a long way since then.
There have been lots of improvements there and in many other fronts. All what is related to computers/software is systematically evolving, much faster than anything else. The problem here is that you are over-simplifying the reality by assuming that "sound recognition" is a well defined problem accepting a binary solution (already solved or not). You can take any voice recognition system out there and see it for yourself: there are lots of limitations and even the most advanced approaches are still very far away from doing what a person does.
Some months ago, I wrote here some posts about the problems I faced while trying to rely on existing voice recognition systems to perform certain development. Even though I knew that voice recognition was very difficult (that's why I looked for an already done piece of software rather than developing this part myself), I was honestly expecting a higher accuracy than what I found. In fact, there was an issue which forced me to stop that development: it was impossible to recognise meaningless words (e.g., "var1") because most of current approaches are dictionary-based (can recognise English words if English is enabled, Spanish words if Spanish is enabled, etc.). In any case, I insist in the fact that my original post was meant to highlight that this specific specific situation of recognising a person based on how certain words are said seems quite easy; way easier than random speech/word recognition.
It may or may not be *difficult*, but it's definitely *possible*
I never said that it was impossible. In fact, the whole point of my original post was highlighting that it was easier than it might look like. Current voice recognition software (just recognising each word as a person would do) has lots of limitations; on the other hand, developing an acceptably reliable approach determining whether certain words were said by a given person or not doesn't look too difficult.
Whenever a friend or family member calls me, I can recognize their voice even WITHOUT them telling me who it is
But you aren't a computer! Your perception and understanding systems are waaaaaaay better than the ones of any machine. Computers and software are good for (quickly) performing a high number of simple tasks, but not for complicated ones (at least, not practically in the sense of nobody being able/willing to develop all the required algorithms). Recognising the voice of someone under random conditions is a quite complex action. There are many things that are extremely simple for you, but extremely difficult for a computer.
Further filtering eliminates the constant, repetitive, background noise.
Background noise/low quality sound is a tremendous problem when dealing with any kind of automated sound recognition. You always try to filter/remove, but can do that mostly in easy scenarios (all what is constant or regular is usually easy) not everywhere. Additionally, the most fine-tuned the recognition, the more relevant become these aspects. In any case, I only said that I wasn't sure about how well a system on these lines could handle these issues (how easy the implementation would be), not categorically stating whether it could (not) deal with them.
The summary specifically says that this eliminates the use of a password
I would never suggest to implement this system for any serious matter, much less without including a password or further security. All what I said is that it seems technically doable and easier than what it might look.
All you need to do is get a recording of the person using those words
But this is pretty much the same than saying that you can type the password of the person. Logically, those words have to be secret. Also not too sure whether a recording could trick a properly-built system. Again, my post was about what I think that is an easy and reasonably accurate approach to face this, not about recommending its implementation.
This could be used to harden existing security measures, but it shouldn't replace them.
Fully agree.
Recognising random words with random accents and under random conditions is difficult, but a list of specially-selected words said by the same person might allow to relatively easily and accurately recognise someone. I am not sure regarding their claims of everything working fine even when the person has a cold or similar; same thing when dealing with background noise or low quality sound. In any case, it seems a quite problematic format which, unless being deployed for a very good reason and always used under good conditions, should be avoided.
Yep, the two or three or four files I change are no longer identical. The other 4,997 files
This is explained in other comments in the thread: GitHub doesn't seem to internally care about the non-modified forked files (it only shows everything to the user) and, in any case, the counting methodology has to forcibly care about this issue, otherwise the proportion of duplicate files would be extremely high (easily over 99%) and not descriptive of the real usage of the platform. For example, I have a couple of forks to the public .NET repositories, each of them might contain millions of files and I only modified 2 or 3 (reasonably relevant modifications though); if you count all these files in my dupe counter, I would have over 99.99% duplicates just because of this what doesn't make sense.
And as far as I am clarifying issues which should be evident to virtually anyone, also note that "my public-source activity" represents a net loss for me (potentially beneficial in the long term, logically). It is a mere self-promotion where I don't earn a penny; in fact, I lose a lot via time/effort investment and having to worry about addressing the most clueless concerns of random idiots (the sensible, knowledgeable people truly interested in properly understanding, learning, contributing, etc., on technical aspects or, eventually, to properly use my activity to determine my suitability for whatever project seem to be a minority!). The idea of me only earning money via being hired as a (remotely-working) programmer to work on whatever development (although being quite picky with clients/projects) seems particularly difficult to understand for some people, despite my multiple repetitions in many places (+ the evidence that a remotely-working programmer is usually mostly interested in working as a programmer). This is another aspect which puzzles/bothers/tires me a lot about a big part of the online programming (or whatever you want to call it) community: how are these people exactly working/getting money if I have to systematically explain them so evident issues?! Anyway, I guess that this is more than enough on the evident over-clarification front for today.
With "I will be notably reducing my activity on this front", I logically meant my public-source activity. I have already lots of public codes which can help anyone interested in (and capable of) understanding my programming skills and working attitude. I will most likely continue having a quite relevant programming-related online activity, but will not be wasting my time in over-commenting and making codes everyone-friendly to be ignored or cluelessly misassessed by those only knowing how to count stars/lines of code and to run ready-to-be-used programs. In any case, I do look forward to the current ridiculously-bad-for-everyone situation to gradually change and to modify my behaviour accordingly. Under equivalent conditions, I will always prefer to share/show/give/contribute/help than to keep everything to myself.
Maybe the most important is so that other people can see your pull requests.
But this makes lots of sense. This is precisely the whole point of forking: actively and publicly contributing in others' code. It doesn't matter if the PR is accepted or not, you have already modified the original version. What doesn't make sense is forking something which you don't touch at all; perhaps temporarily and under very specific conditions, but not that being the general rule.
Additionally, "enjoy on your own machine" brings up the question which of my machines?
I meant this in case you weren't interested in modifying the original code (what the forks/PRs are for), but just in using it.
At my current job, our *company* has forks that our *team* works on before submitting a pull request upstream. Which local computer would you save our copy on that our whole team could see it and work with it?
Exactly the same than the previous scenarios: in the moment you perform whatever modification and save it in GitHub, the corresponding file stops being identical to the original one. It doesn't matter if you do a PR or not, that scenario shouldn't count as a duplicate anyway.
it's called a fork
Correct me if I am wrong, but isn't the whole point of a fork to perform some, ideally relevant enough modifications on the original code? By assuming that the conclusion of 70% of duplicate code was output by a sensible and reliable methodology, this would mean that most of the forked files are identical to their original version! So, what is the point of forking or having a repository exactly replicating the contents of another one? You can clone/download all what you wish and enjoy it on your own machine, but why having publicly accessible codes which have been basically developed by other people? This doesn't seem to be compatible with what open source, GitHub, etc. is expected to be. You should be creating something by your own or modifing/improving/extending what others did, but why having a repository with code which has nothing to do with you? There is another also quite negative issue which might somehow explain all this: inefficiently developed algorithms where the same code chunks are repeated over and over; everyone relies on this kind of quicker, easier approaches for temporary, intermediate, preliminary, etc. reasons, but why publicly sharing bad code? Nothing of this makes sense to me.
Honestly, I thought that you were also kidding in your first post. Perhaps this wasn't the case, so I will better clarify that the peculiarities of prime numbers only make sense within a very specific context (similarly to what happens with pretty much any other thing), namely divisions. In some algorithms and for whatever reasons you might prefer to make sure that a given number isn't divisible by others and this is where prime numbers are useful. The fact that prime numbers are being used in a relevant number of encryption algorithms (I cannot tell for sure right away, but in principle it doesn't look like an absolutely unavoidable requirement) has to be understood as those algorithms providing the aforementioned meaningful context for them (= divisions where having a reminder different than zero matters or not).
In general terms and when choosing any given number, all of them are identically good. The right context for choosing a safe password is it to be difficult for other person to guess. Thinking that specific numbers or days of the week or years or similar are intrinsically better than others only makes sense within magic-like expectations (superstition, religion or things on these lines), what is pretty much the opposite to what empirical and deterministic maths/programming/engineering/science everything is supposed to be.
People don't care about analysing code properly, learning from it or even adequately adapting it to whatever other situation. In fact, I think that a big proportion of programming-related people aren't even able to analyse/understand random pieces of slightly complex code. There is an (ignorant) tendency towards ridiculously-specific specialisations and a systematic promotion of copy-pasting, absolute-truth-repetition and arbitrary, group-based assessments; and this is precisely why you see so many problems in software everywhere: many people with lots to say in the industry not doing it properly, not knowing how to do it properly and not even able to recognise who does (not) do it properly. Personally and after having been releasing my biggest open-source code so far during the last months, I will be notably reducing my activity on this front. It is very discouraging seeing how a so lost system misuses and misinterprets my work.
DISCLAIMER: I am the sole author of all my public code (including associated resources like comments, documentation, etc.), in the sense that I have developed it completely from scratch. Additionally, note that I release all of it as public domain and that's why I am not precisely concerned about random people using it or referring me. I am exclusively interested in knowledgeable programmers analysing it to get a good idea about my skills.
14389 is a prime with uneven digits in even positions
In a zero-based position counting, yes; but this is the convention only in some (well, most of) programming languages. In an informal chat, the most common interpretation is to assume 1-based positions. Anyway, I was evidently joking: all the numbers are equally secure and random, except 4. LOL.
prime numbers are more secure so I changed it.
But this only works with prime numbers whose digits in even positions are uneven. Except on Tuesday when any prime number is fine except 5. LOL.
There isn't much information, but it seems quite clear that all this is only applicable to Russia. I am currently testing yandex.com to see what it can do and, although the results are a bit different and kind of Russian-sites prone, it should be quite independent from yandex.ru (a quite random guess anyway, as far as I don't speak Russian and cannot really test it). In any case, these news shouldn't affect yandex.com or other international versions of Russian sites.
not in the spam itself. Basically a spamming service
Interesting theory. It seems to make more sense than any other version. In any case and as said, I am not too concerned about anything of this for various reasons. I don't get almost any spam and ignore/make fun of the little amount which I get. I have never spammed anyone (unless when fighting back some spammer :)) and, in fact, consider that "technique" extremely negative for any business/activity. My work has never been even slightly related to spam or any other generic, invasive, crappy, lazy, dishonest, etc. way to earn money; note that I am person eminently concerned about the means rather than the final goal and being very proud of what I do and how I do is way much more important for me than money (although I do expect my work to be fairly rewarded). I have never been contacted by a spammer or similar to develop whatever piece of software and will certainly reject any request on these lines; much more now, when I am extremely demanding regarding the kind of projects/clients I want. It was a kind of interesting chat anyway.
Apparently, there is some other people also thinking that that nonsense is logical. They have even written quite a lot about this in the corresponding Wikipedia page. The text there (lots of generic talking and not many practical examples because well there is none) seems quite descriptive of the worst case scenario of this "threat" and the kind of partiality and fanaticism that, unfortunately, it is too common within the software development industry, following whatever daily trend, over-concerned about what is irrelevant and ignoring what really matters. Anyway, I will write my impressions about these contents to properly illustrate my point.
.NET to compile their public code! It was possible to directly affect the pure source code of a running executable!! And my conclusion was that this couldn't be seen as a threat because of being extremely unlikely to be exploitable under virtually any real scenario! But this was (Microsoft changed it a short while later) orders of magnitude much more dangerous than the aforementioned nonsense! And they have a whole Wikipedia page and apparently some fans! All what I got with that analysis I made was the problem to be fixed (no idea if because of me; nobody told me anything), having to update the text to reflect that change in the conditions and not even a single comment!! I don't expect anything else, because I don't see the true relevance of all that, but why these people do all that! And then you get millions of records stolen on a regular basis because of not performing the most basic actions; but rather than focusing on performing said evident actions, you get completely paranoid and start seeing problems in the air!!! I am not trying to criticise certain people or sub-field or "experts", but an attitude, very relevant for this specific thread: how can you complain about software having lots of problems with this kind of things! What person really wanting to fix/improve/help could give even half a shit about what I am describing here? I don't even think that these people have developed even the simplest piece of software in C/C++; otherwise, I can honestly not imagine anyone feeling like spending their time on such a nonsense. This is another cancer of software development: generically talking, prohibiting, fearing, guessing, blaming, etc. most of the times with low-to-no relevant expertise! Pfff... Well, I guess that this has been an excellent epilogue to my previous post and my ideas on these fronts.
Logically (and unlikely what some people suggested here in the aforementioned article some months ago), you cannot directly access/modify whatever information is in a pointer/memory location of a running program. Apparently, the way to "exploit" this "weakness" is to hope that a random value (within a huge potential range) might have any kind of effect on the given application. So, imagine that in a given method (out of the potential thousands, even millions of methods in a piece of software about which you know nothing), a variable (out of the potential thousands, millions, etc.) is expected to get the value "123456"; but the given code performs the required memory allocation wrongly and provokes a buffer overflow, what changes that value to whatever other one might be associated with said memory position. Under the most likely conditions (around 99.99999999999% of the cases, I guess), the resulting value would be crazily wrong and an error would be triggered. But, in some very specific case, it might happen that the resulting value might be good enough to not provoke a crash. So, in that virtually-impossible case, you would have accomplished the marvelous result of having modified the value of a variable, out of many, about which you know nothing to a different value about which you know nothing!
And this is your breach of security! This is what makes you think that it is a good reason for stopping using a given programming language!! Are you being serious?? Have people forgotten about self-respect, objectivity and professionalism or what on the hell is wrong here?? As commented in that other thread some months ago, I did find a way much more relevant problem with applications used by open
With "The only thing that you can get after a memory overflow is the certainty that that program will crash, perhaps right away or perhaps after some seconds." I meant that the corresponding error might appear right after executing the faulty part of the code which provokes the memory overflow or a bit later. After a memory overflow, the error-message/crash is immediate.
Thanks to C/C++, tiniest bug anywhere in any software, allows a hacker to take control of a computer system.
What are you talking about? A very important proportion of all the software in existence (including quite a few other programming languages) are written in one of these two languages. When talking about basic/core infrastructure they even don't have any relevant competition! And I am saying that despite not using any of them too much myself, unless under very specific conditions! The only reason why a given programming language might be (un)safe is a bug in its code, what is thousands of times easier to happen in newer programming languages which have been used much less.
Some months ago, I read here an extremely ignorant concern about a memory overflow being a way to manipulate how the given program might behave!? The only thing that you can get after a memory overflow is the certainty that that program will crash, perhaps right away or perhaps after some seconds. C (and to a lesser extent C++) are definitively much less programmer friendly than newer languages; but even this is a quite partial statement as far as some people might feel more comfortable working with them. Other than that and the evident performance differences on some fronts (C being really quick), there is absolutely no problem with these languages. The corresponding developer + surrounding "issues" (e.g., clueless manager setting unreasonable constraints) is the sole responsible for whatever problem, including having relied on certain programming language without the required knowledge/experience.