In the winning entry there is no cast or "conversion" per se. It has one C file that calls a function and another C file that implements the function, with a mismatch between the types of the call and the implementation. Neither file by itself is performing any conversion or doing something wrong that can be caught by static analysis; the bug is caused by a mismatch between the code in two object files. This would only be caught by a tool that would examine the two files together, but it would not be caught by the compilation of either part.
We've actually seen a number of past entries that used this same basic trick to mismatch a call and an implementation. A previous winning entry managed to redefine the time() function as time_t time(void) instead of time_t time(time_t *ptr), avoiding a compiler warning by using the extern keyword. That's a neat trick because barely anyone uses the argument to time(), and after writing t=time(NULL) hundreds of times, it's easy to completely miss a call like t=time(). This caused a call to time() with the wrong number of arguments, so that another variable on the stack was used to hilarious effect.
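The cross-file check described above, sketched as an added example (not code from the original comment or from any contest entry): a heuristic Python scanner that reads two translation units together and flags functions whose declaration in one file disagrees with the definition in the other. The file names, the `smooth` function, the stand-in definition of `time()`, and the column-0 prototype heuristic are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample translation units; not the contest entry's code.
UNITS = {
    "caller.c": """\
typedef long time_t;
extern time_t time(void);   /* local redeclaration, <time.h> not included */
extern double smooth(double sample);
int main(void) {
    time_t t = time();
    return (int)smooth((double)t);
}
""",
    "impl.c": """\
typedef long time_t;
time_t time(time_t *ptr) {
    if (ptr) *ptr = 0;
    return 0;
}
float smooth(float sample) {
    return sample / 2;
}
""",
}

BASE_TYPES = {"void", "char", "short", "int", "long", "float", "double",
              "signed", "unsigned"}
# Heuristic: file-scope prototypes and definitions start in column 0.
SIG = re.compile(
    r"^(?:extern\s+)?([A-Za-z_][\w\s*]*?)\b([A-Za-z_]\w*)\s*\(([^()]*)\)\s*[;{]",
    re.M)
TOKEN = re.compile(r"[A-Za-z_]\w*|\*")


def param_type(param):
    """Return a parameter's type with its name (if any) removed."""
    toks = TOKEN.findall(param)
    if len(toks) > 1 and toks[-1] != "*" and toks[-1] not in BASE_TYPES:
        toks = toks[:-1]
    return " ".join(toks)


def signatures(source):
    """Map each function name in one unit to (return type, parameter types)."""
    found = {}
    for ret, name, params in SIG.findall(source):
        params = params.strip()
        # "()" is treated like "(void)" in this simplified scanner.
        types = () if params in ("", "void") else tuple(
            param_type(p) for p in params.split(","))
        found[name] = (" ".join(TOKEN.findall(ret)), types)
    return found


def cross_unit_mismatches(units):
    """Return symbols whose signature differs between translation units."""
    seen = defaultdict(dict)  # symbol -> {signature: [files]}
    for fname, src in units.items():
        for name, sig in signatures(src).items():
            seen[name].setdefault(sig, []).append(fname)
    return {name: sigs for name, sigs in seen.items() if len(sigs) > 1}


if __name__ == "__main__":
    for name, sigs in sorted(cross_unit_mismatches(UNITS).items()):
        for (ret, params), files in sigs.items():
            print(f"{name}: {ret}({', '.join(params) or 'void'}) in {files}")
```

On real projects the same class of mismatch is reported by GCC when linking with `-flto` (its `-Wlto-type-mismatch` warning), and it cannot arise silently when caller and implementation both include one shared header that declares the function.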
I didn't mention it on the page, but the C file that #includes that header doesn't #include math.h, so there is no typedef overridden. A second C file #includes math.h without #including that header.
They added a feature to the filesystem that let you insert a music CD and see the tracks as WAV files, so you could rip the CD simply by dragging them to your desktop.
I remember that because I tried to play a CD by selecting all the tracks in the folder and double-clicking, only to hear the OS play all the CD tracks at the same time.
That's not a defunct link to previous entries, but a defunct link to a previous version of the contest site. I've un-defuncteded it to a more recent previous version of the contest site, but soon that will also be defunctitated or defunctified, or defunctored.
You can see the previous entries by scrolling down, or by selecting "past years" from the menu bar on the web page.
I mostly used BeOS in grad school because I liked alternative operating systems, but several times I'd try to port my work to Windows or Windows NT and find myself astonished at how impossible this stuff was to do on other computers at the time (late 1990s.) NT's architecture and event processing often prohibited the sort of real-time audio and video apps I was writing, and the API standing between me and the data was much more restrictive.
In retrospect, I think a number of my research successes were accidentally due to using an OS that would let me implement some really nutty ideas.
Is it really appropriate to use average wages, instead of median wages? The average wage doesn't change if everyone takes a huge pay cut while a CEO ends up giving himself a 1000-percent raise.
Java is an OK language, but it's kind of bureaucratic and boring. I can't think of a better way to suck all the magic out of a fantasy game than to have the spells written in Java---except maybe having the kids produce an ER diagram and a set of tables in Boyce-Codd normal form.
At the very least, they could do without the pointless punctuation. Does a spell really have to have semicolons and empty parentheses to denote that the spell is imperative?
Baby boomers or not, the number of PhD graduates far exceeds the number of professors due to the simple logistics of teaching.
Suppose you start a professorship at 30, and retire at 70. How many PhD students do you advise per year? Let's say 1.5 just to be on the low side. And suppose they each take 5 years to graduate. You just cranked out a dozen PhDs, and created one faculty opening by retiring.
One should expect an advanced degree to increase one's job prospects, but it's numerically silly to expect, specifically, a faculty position. This is why every university hires people with degrees from an even better university---not because NIU frowns on NIU grads, but because the market for the teacher's job is so competitive that only the best CVs get in.
No matter how sophisticated the algorithm, the set of strings that get graded an A is bound to contain some weird and illegible elements. They probably won't be too hard to find by inspection of the algorithm and its training data.
It will only take a few widely publicized examples of meaningless essays with a high auto-grade to cast doubts on this method of grading, no matter how effective it is in the common case.
Hi,
I was not aware of this. I will announce an alternate prize for people outside the US, if we can figure out what web site is friendly with gift certificates in other countries (Amazon?)
It is indeed a terribly redundant use of cat, but not useless: it makes it easier to read, by placing the command line invocation by itself at the end of the line.
Billy doesn't have the choice between (a) saving up or (b) financing the whole dang thing with loans.
Most of us will (c) take out loans to pay for part of college, and cover the rest by working before and throughout college, including summer internships; by choosing an affordable school, rather than one that costs over 20K/year; by making choices like not living in a dorm for all four years; and by not paying for graduate school out of your own pocket (it is rarely economical to do so.) I did these things, and ultimately got as far as a Ph.D. with a total loan burden on the order of 20K.
As I said, it seems like a cultural problem: people don't seem to understand that they can and must do these things if they are broke. Instead they think their only choice is a massive loan sufficient to finance an entire four-year degree.
Maybe it's because you're borrowing over 80,000 dollars for a college education.
5 minutes with a spreadsheet would tell you how much and for how long you have just screwed yourself, and by borrowing that kind of money you prove that you can't or won't spend even that much effort to think before borrowing.
I think part of the problem is cultural: I was broke back when I went to college, and I needed loans; but I also knew that you should never borrow anywhere near enough to pay your whole tuition bill. That's far too much money to borrow even if you aren't dead broke. Poverty forces you into indebtedness, but it also makes you paranoid about accumulated debt, and you understand that something that costs tens of thousands of dollars will require you to eat Ramen, work multiple jobs, and make affordable choices even if someone will extend you credit.
But now I hear horror stories about students who borrow enough money to buy a house in much of the USA, and use that to pay for an entire four-year degree plus graduate school. It's like the kids don't understand that they're poor; they get a credit line and stop acting like people who have to work for a living.
True, but let's not conflate "what conservatives don't like" with "what was prevented." Conservatives don't like the destruction of embryos, period.
The federally funded variety was just the one type that the Bush administration had the political will to stop.
On top of that, conservatives tend to be wary of other acts that don't involve the destruction of an embryo, but are conceptually close. For example, conservatives often oppose emergency contraception, some even regular contraception. I would not be surprised if many conservatives were opposed to research on existing embryonic stem cell lines.
On top of this, access levels have little to do with it. Suppose you have an OS that runs at user level, requires a password to install software, but still keeps the install script at user privs, isolating downloaded applications as much as possible. Would that stop this attack?
You are downloading, installing and running a program. It secretly does malicious things that only require user-level privileges (emailing someone spam, for example, or participating in a DDoS attack.) You will not prevent that with restrictions on account privileges alone.
To blame the privilege model when someone installs contaminated software is like blaming your burglar alarm when a dinner guest turns out to be a kleptomaniac.
You might have missed the last 25 years where Macs claim to be more user friendly and cater to a less technologically inclined user-base, lending significant support to his suggestion.
They replaced the operating system between then and now.
The old MacOS was engineered with the goal of being user-friendly to ordinary people. The new OS is actually a repackaging of NextStep, which was originally engineered with the goal of being user-friendly to programmers.
I found the original MacOS extremely confining but idiot-proof; the new OSX has all the power tools but is less user-friendly than Windows. For example, if you plug in a thumb drive, Windows gives you a pop-up with options and suggestions; OSX just mounts it. The OS tends to behave in the hands-off way a programmer expects, and sometimes leaves the novice user in the dark.
I am the organizer of the UCC, and I apologize for the delay.
We are normally pretty relaxed with our schedule, being academics; but this year I think more so, because the student who assists me with UCC is currently in deep hack mode on his own research project.
I assure you, however, that we will have the results up within a month, or else we will lap the next contest!
We've had "auto-tune" on some musical instruments for hundreds of years. A piano, for example, is bang-on in tune regardless of how inexpertly you hit a key. It was engineered that way. Is piano music inauthentic, because some technology made it easy to play perfectly in tune every time without any skill?
"Of course their proof was done only as a computer simulation...."
Rather than, say, setting fire to a real 40-story skyscraper? Wow, those scientists and engineers sure are underachievers.
Also, it takes a considerable amount of scientific illiteracy to look at new experimental findings and declare that scientists are "changing their story." Truly, 9/11 truthers are the creationists of the 21st century.
When I was in college, a little-known feature of the mainframe system allowed anyone with an MVS account (every CS major and anyone who took a CS class) to send a bulk instant message to everyone on campus.
Astonishingly, this had the effect of shutting down all administrative offices, from payroll to the registrar to the financial aid office. This was because all the line printers had accounts too, and would choke on an improperly formatted input. Anyone with an account could do this. Of course it would be tied to your name, so in theory you'd want to use someone else's account.
About every couple years a student would learn about the feature and innocently TELL EVERYONE HI without realizing that they were about to enter a dimension consisting entirely of pain. I do not think that even this transgression would result in a suspension---the chair might have you murdered, but no suspension.
If they don't email me a phone number attached as a word document, then they're more welcome than the usual idiots I have to see on my computer.
I put the contest rules in a pdf, at http://bingweb.binghamton.edu/~scraver/underhanded/ until the main site is back up again.
This is a mistake, and I will fix it when the site is up again.
Thanks. I fixed that, so at least one thing is online.
It sounds like the professors are more butthurt she got their email addresses than interested in responding to the concern she expressed.
As a professor, I doubt it: most of us couldn't care less if we get one more unsolicited email from a student.
More likely she is the victim of some jobsworth in an administrative office who was on the mailing list and has nothing more important to do.