Logically 3 does equal 3.00. In any reasonable language if one compares the two with a simple equality operator it will return true.
Umm, depends on what you consider a "reasonable" language.
C says 3 == 3.0
Lisp says (= 3 3.0) but not (eq 3 3.0)
Forth will just compare the most-significant word of 3.0 to 3, though you have to bend over backwards to get a floating point number on the data stack to begin with
The ML family will throw a type error
Scripting languages will for the most part either promote 3 or demote 3.0
I think there's a lot of variety in what a "reasonable" language will do in such a situation.
I think he was talking about useful exceptions. Java has a real nice way of handling exceptions, and since it is GC'd you don't have the same hideous problems that you do in C/C++ with memory allocation.
OK, that's a fair point. I never used C's exception capability; I've always kludged up signals for that sort of thing.
* No macro system
* No closures (you _can_ do closures w/ objects, but it's REALLY UGLY)
* No continuations
* No tuple-returning functions (this increases code size by about 50%)
Let me just say a thousand times "Amen", especially about closures. I honestly have no idea how people get by without them. Closures and tuple returns are why I do all my work in either Lisp or Forth depending on how much I need to control memory allocation and how little I need to manipulate character strings.
You're exactly right about multiple return values and code size: single-return-only languages require you to either design a structure or class (increasing program size) or pass an alterable reference (increasing program fragility) any time a function has a more interesting answer than a single primitive type.
Personally, what I can't seem to program well without are:
Closures
Either manifest typing or absolutely no type-checking (ie, a value should either be exactly "what it is" or only be what I say it is, nothing in between -- this is why I can't stand ML or Haskell despite my love for functional languages in theory)
First class functions and anonymous functions
Multiple dispatch for methods if I'm using OO (sorry guys, but Smalltalk and therefore java simply got it wrong by dispatching only on the implicit "this" argument)
I'm not sure whether that speaks more to the kind of work I do or my particular weaknesses as a programmer...
Java is not more secure than Ruby or Python. They all check the access to arrays, are object oriented, have exceptions support
Interesting points but I'm not sure what that has to do with your assertion.
Checking access to arrays: this is good for preventing a programmer from shellcoding himself, but very few user / remote exploits are based on overwriting a statically-allocated array (those attacks are relics from older C libraries).
Object-orientation: You only think Java is OO because you've never tried CLOS. Once you've used multiple-dispatch you never look back. At any rate, object-orientation just means that data structures contain or point to their own algorithms, and has little if anything to do with program security.
Exceptions. I'm trying to think of a modern language without exceptions. Hell, even C and Forth have exceptions.
At any rate, I think you're missing the main security concern: yes, VM languages like Java have some security features, but the security concerns should not be about the application but about the VM itself. I probably cannot corrupt the virtual heap or stack of a Java application since the code is managed, but I can corrupt the heap or stack of the VM itself, and in fact that's what the Java exploits I've seen do.
For example: People want to get a job as a programmer so they write a software package to prove they aren't total code monkeys doesn't apply any longer if there is no such thing as a software job.
Why would there be no software jobs? Nobody "pays" for HR or project management but there are HR and project management jobs whose cost is just part of overhead. Why is it assumed that software would need to be any different?
Re:The correct pricing structure for most software (on Pricing a Software Product) · Score: 3, Insightful
If all software was free, why would anyone bother developing it?
But seriously, there are several reasons people would write software whose price is 0:
People want better software to do $WHATEVER (for values of $WHATEVER that make money, which is most of them), so they write it
People want to get a job as a programmer so they write a software package to prove they aren't total code monkeys
People like fame; they like being admired and appreciated
An industry consortium decides they need an open, standard, free way to do $WHATEVER
Some people have a political motivation to undermine proprietary software (we may not have that same motivation; but it is a real driving force for some people)
Some people like to help others (ditto)
Your company might want to make your product universally (or nearly so) used in order to be able to charge money for training, certification, etc.
I mentioned 15 high-profile products that are competitive with best-of-breed and are available for $0 (and not all of it is Free as in speech). All of them were written because one of the above bullet points (or one I forgot) applied.
There are lots of motivations for people's actions besides money.
These people encounter Dutch people on occasion, but just refer to them, and all non-natives, as foreigners.
Oddly enough, that's pretty much how the word "Dutch" got into English: it's a corruption of "Deutsch" (one of the things Germans call themselves) -- the assumption at the time being all non-French continentals were the same people.
Back on topic, you can't take the "one -- two -- many" thing too far: almost every language shows at some stage of its development a "one two many" noun declension. Old English had specific dual endings; as did all the Germanic languages; dual was present in Proto Indo European and survived into most of the child languages.
Many semitic languages show vestiges of a 1 2 many number system (Arabic and Hebrew still retain a dual declension for some nouns). Swahili retains a separate noun class entirely for objects that come naturally in pairs (maono rather than *nyono, for instance).
I think all this points towards the fact that the distinction between one and two, and the distinction between two and many, is simply more important to people than the distinctions among various numbers greater than two, and that "one two many" is a natural linguistic response to the conditions of human life throughout most of human history -- people only develop more complex plural systems when agriculture and trade make it necessary to develop them.
If Apple is solely supported (which I know you did not claim) by people unwilling to change their stance, and not in any way by the products they sell, then Apple should literally be able to package dog dookie in a box and sell it.
The point was the amount of MSoffice users you will have to retrain to relearn how to use a "so-called" simple office software.
Umm... no. GP was referring to the "hundreds of custom office applications", which is PHB-speak for VBA macros some intern wrote. GP brought that up after it was pointed out that it didn't cost anything to train people to (mis)use MS Office so it won't cost anything to train them to use OpenOffice.
IANA Spaniard, but I thought most Spanish voters were pissed that the government immediately blamed those Basque people when their own intel sources were saying it was Al Qaeda.
i.e., the election was not about "caving" or "standing up" to the terrorists; it was about standing up to a government that was putting ideology ahead of solid intel.
I got it too, though thunderbird marked it as spam and my anti-phishing tool in firefox told me "you are at 31337.h4x0rz.cn" or wherever. I'm not sure what good it would do to report it to citi since there's nothing they can do about it except maybe send out emails to everyone in the world telling them not to believe emails claiming to be from them.
How many MS exploits are there for ports above 1024? No really, name one.
Well, just off the top of my head:
Terminal services (3389)
kerberos (4444)
rlogin (2105)
not to mention the fact that most trojans listen on a port > 1024
But again, your question misses the point: there are actually zero exploits for any port. You can't exploit a port. You exploit a service. Services traditionally run on certain ports but there's nothing magical about a given port that requires a given service to run on it: I can run https on port 80 and http on port 443 if I want to. Attackers compromise services, not ports.
At least in the way it was intended, ports below 1024 could only be opened by root. Therefore, if I can hit a buffer overflow on a service on your machine on a port below 1024, then I'll be gaining root privileges; if it's >=1024, then it's likely that I'll just end up as joe user.
Huh? That's not true at all. Root has to open the port, that doesn't mean the process runs as root. I mean, apache runs on port 80, I sure as hell hope your apache doesn't run as root (God help you if it does).
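The pattern the reply above describes, as an added example that is not code from the thread: a daemon binds the low port while it still has root, then drops to an unprivileged uid/gid before handling any input, and verifies the drop cannot be reversed. The uid/gid 65534 ("nobody") and the interface details are assumptions.

```python
import os
import socket


def bind_listener(port: int, host: str = "127.0.0.1") -> socket.socket:
    """Bind and listen. On Unix a port below 1024 needs root (or
    CAP_NET_BIND_SERVICE); the bind is the only step that needs privilege."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def current_ids() -> tuple:
    """Effective (uid, gid) of this process."""
    return (os.geteuid(), os.getegid())


def is_root() -> bool:
    return os.geteuid() == 0


def drop_privileges(uid: int, gid: int) -> tuple:
    """Give up root for the rest of the process lifetime.
    Order matters: supplementary groups and gid first (they need root),
    uid last. Returns the effective (uid, gid) afterwards; a no-op when
    the process is not root to begin with."""
    if not is_root():
        return current_ids()
    os.setgroups([])   # drop supplementary groups while we still can
    os.setgid(gid)
    os.setuid(uid)     # as real root this also clears the saved set-uid
    # Verify the drop is irreversible: setuid(0) must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        return current_ids()
    raise RuntimeError("privilege drop failed: root could be regained")


if __name__ == "__main__":
    # Constructed demo: a privileged port when run as root, else an ephemeral one.
    # 65534 is the conventional "nobody" uid/gid on Linux (assumption).
    port = 80 if is_root() else 0
    listener = bind_listener(port)
    print("listening on", listener.getsockname(), "as", current_ids())
    print("after drop:", drop_privileges(65534, 65534))
    # From here on, a bug in the request handler runs as the unprivileged user,
    # not as root, regardless of which port the socket was bound on.
    listener.close()
```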
Actually, I'd have been happier if they just blocked access to the ports that MS left open for ease of use, not all ports. That generally means well known ports under 1024.
There's a common misconception that the ports above 1024 are somehow "safer" than the lower-numbered ports. As far as an attacker is concerned any tcp port is as good as any other if there's a service listening on it.
One time pads. If the pad's bits are generated by truly stochastic events (say, radioactive decay) and the pad is longer than the plaintext, there is provably no way to ever ever ever ever recover the plaintext without the key; the only method is to simply guess all possible plaintexts.
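The two properties the comment relies on, as an added example that is not code from the thread: XOR with a pad at least as long as the message, and the fact that every same-length plaintext is consistent with the ciphertext under some pad, so guessing cannot be narrowed. It also shows why the "one time" part is load-bearing. The message strings are constructed; os.urandom is assumed as a stand-in for the physical randomness source the comment describes.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Fresh pad material. os.urandom is a kernel-seeded CSPRNG, not the
    physical (e.g. radioactive-decay) source the comment describes; the
    perfect-secrecy proof assumes the pad bits are truly uniform and
    independent (assumption: the CSPRNG is an acceptable stand-in here)."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each plaintext byte with the corresponding pad byte. The pad must
    be at least as long as the plaintext; only the needed prefix is used."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def pad_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """Why guessing is pointless: for ANY candidate plaintext of the right
    length there is exactly one pad that turns the ciphertext into it, so the
    ciphertext alone gives no reason to prefer one candidate over another."""
    return xor_bytes(ciphertext, candidate)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """The proof holds only for a pad used ONCE. If the same pad encrypts two
    messages, XORing the ciphertexts cancels the pad and leaves p1 XOR p2,
    exactly the structure the pad was supposed to hide."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Constructed sample messages (not from the original thread).
    p1 = b"meet at noon"
    p2 = b"stay at home"
    pad = new_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    assert otp_decrypt(c1, pad) == p1
    # Any same-length guess is "decrypted" equally well by some pad.
    assert otp_decrypt(c1, pad_consistent_with(c1, p2)) == p2
    # Reusing the pad removes it from the picture entirely.
    assert pad_reuse_leak(c1, otp_encrypt(p2, pad)) == xor_bytes(p1, p2)
    print("one-time pad properties hold")
```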
I didn't say I don't mind the extortion (it's extortion, incidentally, of which blackmail is merely a special case which does not apply in this circumstance).
I merely recognize that just like everyone else, the poor and destitute will act in their own economic interest and, if they can't get stuff of their own, will take my stuff.
What you are talking about is an intranet, not an internet.
"Intranet" is a buzzword that was made up for suits and somehow managed to catch on. All intranets are internets.
This is why there can be only one Internet unless you make a completely separate other network between networks that doesn't talk to the first one at all.
Nope, if I route 192.168.0.0/24 and 10.0.0.0/8 in my house, that's an internet. Since I route 192.168.0.0/24 to 0.0.0.0/0, that's also an internet.
I thought the point was that my 192.168.1.0/24 behind my linksys access point is "an internet". The 66.35.250.0/24 slashdot is on is "an internet" (unlike mine, a publicly routable one). An internet is any network that uses, surprise surprise, the "internet protocol".
The largest internet, the one consisting of all publicly routable internets, was (until today at least) called "the Internet". Like most proper nouns, it is (was) capitalized.
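The routing the two comments above describe, as an added example that is not code from the thread: a longest-prefix-match lookup over the home router's table (the two private networks plus a default route to 0.0.0.0/0), and a check of which destinations are publicly routable. Interface names are assumptions; the prefixes are the ones quoted in the thread.

```python
import ipaddress

# Constructed routing table modelled on the thread's example: two private
# networks routed locally plus a default route out to everything else.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "eth0"),
    (ipaddress.ip_network("10.0.0.0/8"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),   # default route
]


def lookup(dst: str, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins.
    The /0 default contains every address, so it only wins when no more
    specific route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


def is_publicly_routable(dst: str) -> bool:
    """RFC 1918 and other special-use space is only meaningful inside the
    local internet; ipaddress reports is_global False for it."""
    return ipaddress.ip_address(dst).is_global


if __name__ == "__main__":
    for dst in ("192.168.0.7", "10.20.30.40", "192.168.1.5", "66.35.250.150"):
        print(dst, "->", lookup(dst), "public" if is_publicly_routable(dst) else "private")
```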
Other then the actual developers and people doing mods how many other people do you really think that read through all the source code for the open source products they use?
Attackers.
My point was that Ingres was not developed in public view and in my experience that leads to different development practices and security models (not necessarily "worse"; just "different"). I'm wondering how much vetting it takes to prepare a mature closed-source internally-developed product for the scrutiny of being a much-used open-source product.
Most big open-source projects (apache, linux, etc.) started out as open-source and have had a million eyes on them from the beginning. Ingres, on the other hand, is just getting all those eyeballs now after it is already a very mature product.
Have there been any difficulties relating to moving a mature closed-source project to an open-source model? Any caveats or lessons learned for others who want to make a similar migration?
Well, I guess I'm a little more pragmatic. While I agree in a perfect world people shouldn't do that, the fact is that they do. And I don't want those people being so poor and destitute that they riot and take my stuff. So, I don't mind paying to support their kids, since that's cheaper than having their kids break into my house and take my X-box.
Well, judging from your sig I'd guess you agree that the answer is manifest typing...
Gee, I can't think of anyone who would develop software without getting paid for it...
...and run an automated nessus/metasploit system for whoever takes me up on my generosity...
you insensitive clod...
...all I have to do is send spam advertising his website?
Great idea, England!
Funny you should mention that...
Whatever. Some ambitious intern wrote some VBA macros. I'm sure he'll be happy to port them to javascript or whatever OOo uses now for automation.
Hmmm... why does that sound familiar?...