Simple statistics should tell you that given two equivalent exploits for OS X and Windows, the exploit for Windows will affect around ten times as many machines, cause ten times the damage and be ten times more noticeable
Actually it'd be greater than 10x. You shouldn't expect the relationship between popularity of a platform and the vulnerabilities researched for it to be linear. (By "researched" I mean attempted to discover. The number of discovered vulnerabilities will equal the number researched multiplied by some coefficient of the system's inherent security)
A better assumption would be a variation of the network effect: the number of vulnerabilities researched goes up with the square of the platform's popularity.
The number of hackers with access to the platform is linear with popularity. The incentive for an individual hacker to work on it is also linear with popularity. So the product of those two values will equal the amount of work put in to find exploitable flaws.
Following this reasoning, nearly all of Microsoft's apparent vulnerability could be accounted for by popularity.
That syntax is wrong. You won't get any answers- nobody will read /*text inside comments*/. It's by definition irrelevant to the actual behavior of the program, so we just /*tune it out*/
So Apple should do what? Design their systems not to work with DHCP, even though it is virtually universal and often required for network compatibility?
They should design them to use DHCP, but they shouldn't ship with a default configuration where the DHCP server on your network can take over root on the Mac.
There are well-known, accepted vulnerabilities with DHCP: anyone on the LAN who responds to your address request can man-in-the-middle any data you send. Everyone (who cares about security) knows this, and understands the risks.
But the OS X hole is much worse: simply powering on your computer on a strange LAN, without attempting to run any network-based program, puts you at risk. (That can be hard to avoid! Powerbooks with built-in Airport will do it automatically!)
Apple would never have shipped it like this if they'd thought it through, and they'll surely turn it to a safer configuration for future releases. Of course, it'll still use DHCP- just correctly.
Keep it up. That kind of gratuitous mathematical digression is exactly what you need to master before cranking out Stephenson-like cyberpunk.
The time it takes to patch the problem is minuscule compared to the regression testing done to make sure the patch fucks up as little as possible.
If Microsoft employed better software design, IE wouldn't be entangled with the whole OS, and their testing workload wouldn't need to be so extensive.
I know damn well they haven't tested this as much as a corporation supporting 90% of the world's browser users would.
Several times, 3rd party volunteers have demonstrated the ability to test Microsoft's software more thoroughly than the publisher ever did. (Server software though, which can be easily tested by software, not the browser)
Technically, it IS open source because
Absolutely not. "Open Source" (capitalized) is a trademark of OpenSource.org, and by their highly-publicized definition, it must allow the free redistribution of the code!
This license is closer to "shared source" (but maybe not as bad).
(I hardly need to point out that if you want to mislead people on Slashdot, you should pick a subject more difficult to research online)
It sounds like a right to privacy to me.
No it doesn't. Privacy would be broader than that. If Amazon.com and Walmart write down everything you buy from them and publish it in a book, they've violated your privacy, but haven't searched your person, house, or papers.
It instead outlines what the government is allowed to do and enumerates some rights which all humans are deemed to have from birth. The government does not grant rights; it can only act to constrain itself and others from violating them.
Sounds like "restrict" to me. constrain == restrict
in the same way as testimony from known criminals offered in exchange for reduction of sentence.
But that testimony is accepted in court very frequently. It's illegal, but DAs get away with it all the time. While defending counsel can sometimes get the jury to doubt compensated evidence, judges rarely seem to throw it out. And they certainly never have the DAs arrested!
(Which they could do, since offering something of value in exchange for sworn testimony is blatantly illegal. But it's a law that's never been enforced against the government)
Just when are RIAA employees acting on behalf of their employer, and when are they acting as agents of the government?
The definition of "agent" is very clear. If the person was selected by an agent of the government, then he too is an agent (when following directions from the first agent). The minor in your example is; a private investigator hired by someone who believes himself to be a crime victim is not.
it would be my bureau that would be a risk for any entrapment proceedings resulting if these untrained non-agents overstep the limits.
No... because they're non-agents, there can be no entrapment. (And there is no such thing as an "entrapment proceeding", in US law. It simply rejects some evidence from the trial). The worst that could happen is, if the feds repeatedly accepted evidence from the same guy, that a later defendant could argue that the guy has become a de-facto agent, because of his long-term relationship with the gov.
That still doesn't change anything, because a detective who can just run Kazaa and log who is sending him copyrighted files doesn't need to do anything resembling entrapment or privacy-infringing searches to collect his evidence.
PS. If an RIAA-sponsored detective installs a trojan onto your computer, that's illegal by the usual anti-hacking laws. But if he downloads from a Kazaa node you're willingly running, he's perfectly safe.
There are a lot of C-SPAN junkies, and I think there would be a similar interest
Nope. C-SPAN, already a legendary font of boredom, is tremendously more exciting than a hard science channel would be.
The daily routines of both politicians and scientists are boring to watch, but politicians have two big advantages in becoming successful TV-fodder.
1) Their job is already based on attracting the public. (At least when elections are upcoming)
2) Their behavior is based on conflict. Conflict leads to excitement. Excitement leads to anticipation. Anticipation leads to... ratings.
Corba isn't a Unix protocol.
So 20 years ago, back when Sun was inventing Corba, they weren't a Unix company?
Your belief is just evidence that Windows developers tend to be Microsoft blinded and impervious to technologies from places other than Redmond.
Your belief is just evidence that Windows haters tend to be Microsoft blinded and assume every technology they don't approve of came from Redmond.
And, no belief I might hold could supply you any data about Windows developers.
X11 is a specific application protocol.
How can a "specific application protocol" be used by 8,000,000 different applications so far (and rising)?
For that particular application, a binary protocol makes sense. It doesn't belong in this discussion.
If this was a discussion, it would absolutely belong. You have claimed that text-based interfaces are best for applications. Counterexamples are entirely appropriate. (But unnecessary, since the programs you yourself demonstrated are already counterexamples)
even when developing small, one shot, shell commands.
s/even/only
Plain text interfaces are at the core of most of the +2000 binaries I have sitting in /usr/bin.
I doubt that's true. A view of the 3151 files in my own /usr/bin contradicts that viewpoint. But let's assume it's true for your personal computer.
Which Unix applications get the most use?
Maybe apache, mozilla (or anything using X11), gcc (or any compiler), emacs (or anything using curses), oracle (or anything based on SQL), sshd (or any daemon).
None of those have "self documenting plain text interfaces" at their core. (Well, emacs does, but not via stdin/stdout)
This kind of power was never available to Microsoft OS users, and will probably never be.
Past: Microsoft sold the Xenix OS, which contained a /usr/bin much like your own.
Present: Microsoft users can download cygwin if they want to. They rarely want to.
Future: WSH, etc.
When people run out of arguments, they start nitpicking on details...
I didn't even bother to argue, since you'd already been contradicting yourself.
cat /dev/sda1 | cdrecord
You think so, huh?
% cdrecord -version
Cdrecord 1.10 (i686-pc-linux-gnu) Copyright (C) 1995-2001 Jorg Schilling
% cat /dev/sda1 | cdrecord
cdrecord: No tracks specified. Need at least one.
cdrecord: Usage: cdrecord [options] track1...trackn
(yes, I placed that decimal correctly)
.00 to the end of whole-dollar amounts.
No you didn't. The decimal point should've been omitted completely, along with the two digits following it. That would be the most clear way to communicate.
Don't tag
RIAA agents posing as file sharers and enticing others to load and run trojans that compromise their PCs and privacy in order to look for and obtain incriminating evidence is blatant entrapment and such evidence would/should be inadmissible in a court case.
I see that you're not a lawyer... nor a citizen concerned enough to learn about his national laws. There used to be widespread myths about entrapment, but I thought the illegal-drug culture in the US had spread the truth (as a defensive measure).
Here's a few little facts about entrapment:
It can only be committed by an agent of the government. (The RIAA is not the government)
Even if it's a cop or other gov. agent trying to trap you, there still is no "entrapment" defense if he can show evidence suggesting (not proving) that you had a pre-existing inclination to perform the offense.
Not entrapment: "Here's $20, give me some cocaine".
Entrapment: "Here's $20000, kill that guy"
It also looks like illegal search and seizure--and an unconstitutional invasion of privacy and misuse of private property.
The Constitution only restricts the actions of governments, not private groups like the RIAA. (And it doesn't guarantee privacy either.)
just one of several large open source projects are based in Boston
Heard of a little thing called GNU or FSF?
AC said:
I think what he meant more was the competition between guilds for end-game content.
Sure, maybe that's what he meant. But still, the single biggest factor determining which guild gets the prize is whoever puts in the most hours per week.
The top players in any kind of game will all be of roughly the same level of skill and raw ability. If it's a competitive game, then those marginal advantages translate into victory or defeat. If a FPS player is 5% more fast and accurate than her opponent, she'll get a total victory (unless there's bad luck).
But if your EQ guild is 5% more skilled than mine, we can still beat you in the level-up race by playing for 11 hours each day, instead of just 10.
(Abilities tend to equalize even more quickly in MMORPGs, where much of "skill" is actually learning which spell/item combos are most optimal. That knowledge propagates quickly to those who care about it)
break up a story over 3 or 4 pages to show you more adverts,
That's not the only reason. They also do it to get feedback on which stories people actually finish reading.
(It's a small step towards making a web page behave as a connectionful protocol)
To say that a warcraft match between two human players is any harder or easier than an encounter between a guild in everquest and an epic mob (creature) is simply wrong.
And to say that killing an epic mob is "competitive" is 100 times more wrong. It's a fundamental violation of the English language.
It's not "competing"; there is no person you're beating. Only a pixelized punching-bag that was created solely to give an illusion of challenge before its corpse is looted. If the Mob was really trying, it'd have your character dead, your items re-sold, and your account cancelled before you even got a buff out.
You can no more reach a competitive level playing EQ than Solitaire.
(It's possible to construct a competition on top of uncompetitive diversions, such as seeing who can solve a freecell hand faster, or who can reach level 5 most quickly starting from new EQ characters. But that's not how those games are normally played)
MMORPGs which encourage PvP are a somewhat different story, although they're not quite competitive games either (for weaker reasons).
The Slashdot operators claim they cannot do this because it'd be copyright infringement.
That's true, but it shouldn't stop them... they should just get the system ready to go, and email the webmaster of the victim page with a code he can use to authorize the shared distribution.
'rich Jews, poor exploited Palestinians'
The average Zionist Israeli is more than 10x as wealthy as the average Palestinian.
70% of the fresh-water used by Israel comes from Palestine. The daily water use of a Zionist is six times that of a Palestinian. If the Jews had to pay for it, instead of taking it by force, the economic disparities would be reversed within a decade.
Arabs in Israel have orders of magnitude more rights than corresponding Jews in Arab countries.
Percentage of adult Jews born in Egypt who can vote: 100%
Percentage of adult (non-Jewish) Arabs born in Israel who can vote: 19%
Look at Jordan. What is its Jewish population? ZERO!
That's something Zionist Israel encouraged. They wanted to be the sole concentration of Jews in the Middle East. This was a goal both to increase their own population, but also to curry favor with the nonadjacent Arab states.
In fact, Jews are explicitly forbidden from becoming citizens of Jordan.
And non-Jews, born in Israel, are explicitly forbidden from becoming citizens of Israel. Until Israel stops giving special preference to one certain religion, that nation deserves no respect from any modern democracy.
I hate to mention Gentoo here, but, in this case I think it is appropriate...
Why? Gentoo isn't "big". Not many people use it.
Distributions with more users than Gentoo include: Redhat, debian, SUSE, Mandrake, and Slack.
Perhaps Gentoo seems more popular than it is, because its users tend to be involved. Gentoo is not the "most supported big distrib", it is the "most vocal small distrib".
and I doubt Microsoft is going to let their customers compile their own binaries of MS products any time soon either.
They might. Microsoft would never let someone compile binaries and then use them, but if a large customer was insistent enough, they could arrange something.
For example, the customer's IT staff could visit Microsoft, watch WindowsXP compile (which takes probably 50+ hours), and then compare the just-compiled files with the contents of a store-bought disk.
That'll give them a greater sense of security (not enough, really, because we all know compilers can't be fully trusted)
Israel is at WAR
Why yes, when you start a WAR, it should be no surprise to be at WAR.
when companies bought software, nobody could take it away from them.
The funny thing is, if you read the EULAs that have been issued with Microsoft(tm) software from about 1995 onwards, they could take it away, at a whim.
The "agreement" states that either party could terminate it at any time (by sending back either the money or the software). If EULAs were valid... (and that's a big "IF")
As near as I can determine, in OOo you have to pull up the character map if you ever want to type a diacritical mark.
They (OpenOffice developers) may be taking the perspective that inputting characters is not their job.
And they're right- how you input text should be handled by your OS, separate from the applications that use text. Anyone who wants to superimpose '+e should install an "international" or "european" keyboard configuration. That way, you just type "'e" and they're automatically joined into one symbol- and it works the same way for all your programs!