"you mean "must've" or "must have". (I've seen this in... several other Slashdot posts, and it irritates the heck out of me!"
I see this in freaking books and it irritates the heck out of me. I can see how someone could make the mistake in a forum type setting (like/. ), but aren't books supposed to have editors to catch spelling mistakes?
"most regular open relays, for instance, are mal-configured Microsoft and Sendmail SMTP servers"
Open relays are very 90s. Open relay blacklists have made it much more difficult for open relays to be used. They have moved on to open proxies and virus zombies for exactly that reason: to avoid giving up their unique info. Yes, some still use open relays, but the majority of spammers do not (especially the *successful* spammers; open relay spammers are low impact to the end user because they are usually blocked at the MTA level).
"do you think that adding $50 ($20 for an ISP, $30 for a domain name) seriously adds that much to the cost of sending spam?"
Yes. Costs to spam:
Software: $300, amortized over many spams to become less than $1 per spam. Assumes that more than 300 spams can be sent with the same software (at 1 spam per day, that's less than two years).
Hardware: $1000, amortized over many spams to become less than $3 per spam. Assumes that over 300 spams can be sent with the same hardware.
Bandwidth: $40 per month, amortized over a month of spams to less than $2 per spam. Assumes that at least 20 spams can be sent each month (one each workday).
So for less than $6, one can send out 2,000,000 emails a day (100,000 per hour easily achievable with minimal hardware). Adding $50 to this would substantially increase their costs. Further, if the honeypot blacklists within the hour, that's only 100,000 emails for the $50, not 2,000,000.
Even if the spammer uses a T1 line, that's still only $1000 per month or $50 per spam. Adding $50 to this would still double their costs.
"Sure, they'll have to know Linux, how to use the tools, and maybe even be good."
If you replace Linux with MS Windows in that statement, it is almost as true. MS Windows is not actually easier to administer *well*. It's roughly the same difficulty as Linux (easier with some tasks; harder with others). The biggest difference is that it is much easier to administer MS Windows *badly* but well enough that things work. With Linux, one has a much better chance of finding a good admin, because the bad admins are more obvious.
"Outsourced US companies would have no more of a tax disadvantage than domestic US companies"
But they would still have a disadvantage against *foreign* companies (with lower tax rates) selling in the US or elsewhere.
Something that people tend to miss in these discussions: the trade deficit is not determined by the cost of goods (which is what this would affect). Goods can increase or decrease in cost without affecting the trade deficit. The trade deficit is caused by the desire for other countries to accumulate American *dollars*.
So long as other countries find accumulation of dollars useful, they will send us goods in exchange for those dollars. If their goods are overpriced, then exchange rates will fall until their goods are competitively priced. Thus, fiddling with relative prices is never going to provide the results that they desire, as exchange rate effects will eliminate the results of the fiddling. There are only three choices here:
1. Accept the trade deficit.
2. Give the dollars to other countries without asking goods in return (i.e. foreign aid; incidentally, this was the path followed in the 1950s).
3. Remove the reasons why other countries want to accumulate dollars.
Note that 2 and 3 would cause the American standard of living to fall, as it would require us to make the stuff rather than merely receive it. Further, it is worth noting that the American cost to produce the equivalent goods is often much more expensive than what we are paying other countries (i.e. that $500 billion trade deficit might require $2 trillion of production if we did it). Finally, many of those who are unemployed are not suitable to produce the relevant goods (e.g. VCRs and RAM chips); we would still have to undertake worker retraining, etc.
In campaigning, both Kerry and Bush ignore these realities. However, I will vote for Kerry because there is at least a chance that he will address the real current problem: many of our most productive and hard working citizens have been activated from reserve status and shipped to Iraq. Thus, we have lost their production during the war. Even if Kerry does not bring this war to a close faster, he is more likely to avoid other wars at the same time.
Also French (as verified by a girl who transferred to my high school which had French classes from a school which had Latin classes), Portuguese, and Romanian. Learning Latin makes it very easy to learn the other five Romance (Latin-based) languages.
It can also improve one's English, since English has many words that derive from Latin.
"Right now, spammers have to afford to buy a new Internet account for any spam they send."
How do you figure? This is only true if the spammer is sending from some legitimate source. Very little spam is sent from legitimate sources.
You seem to be claiming that spam can be tracked back to the sender. This is manifestly untrue. Most spam can only be traced back to a proxy (which may be a compromised machine). Sure, you can shut down the proxy, but the spammer is not associated with the proxy (at least not in any trackable fashion). The actual spammer can continue to use the same internet account, no need to change.
"That is fair and I agree... but when it is the majority of the world outside of the US that is expressing these opinions, don't you think something strange is happening?"
Maybe. What would worry me more though is the recent news that Iran (a likely next Bush target) favors Bush over Kerry. What's next? 9 out of 10 terrorists endorse Bush?
"the virus writers will just go to the extra effort of sending spam out the zombie PC through the owners' ISP mail server, and to your inbox"
And then you will know whose PCs are infected. Further, you can complain to the sending ISP's abuse department and get their email sending capability pulled. Not to mention that many ISPs do virus checks that would catch outgoing viruses, limiting the utility of the emails.
Why do you think they weren't *already* doing this? Remember that you can send a message to 100 recipients with a single message, and the ISP would do all the work of splitting it out to them.
"sophisticated enough that they've installed an SPF-aware mail client"
SPF is intended to be implemented at the MTA level. I.e. it is an ISP thing, not a user thing. Even if the user is "naive enough to click on an executable," an SPF MTA will prevent them from having the chance.
Btw, SPF proponents believe that domains can be blacklisted within the first hour through the use of honey pot addresses. Further, purchase of a domain requires control of a credit card. The credit card can be traced. If nothing else, this can cost the purchaser use of that credit card (which may be stolen).
"The current best solution to AIDS is to give people a cocktail of drugs"
Err...no. The current best solution to AIDS is not to share bodily fluids with someone who has AIDS. In particular, do not have sex with someone who has AIDS. Drug cocktails are not a "solution" to AIDS; they are merely a response.
"The times I've been inside a Sony store, it seems like everything is priced at retail."
This is deliberate. Remember, most of their sales are going to be through third parties. If they undercut their resellers, they may lose the reseller. Think of the store as offering you a chance to demo their products while hanging out at the mall. They will sell you the product if you really want it, but they are just as happy to have you buy it elsewhere.
"A PC store is just not going to have the volume of sales in a mall setting to support it."
Neither Sony nor Gateway need to get sales *in* the store to support them. If people visit the store impulsively while in the mall, become convinced that the product is worthwhile, and go home to buy online (or to another store to buy), that's almost as good from Sony's perspective. They manufacture the full line of products, so they make money off anything in the store even if you buy it from a third party. The stores are marketing expenses.
Gateway had several problems that Sony won't:
1. They only manufactured computers, which aren't generally high margin (unlike the high end electronics available from Sony). Anything high margin was something they bought from someone else (i.e. Sony makes the manufacturer and retail margins on a plasma TV; Gateway only makes retail markup and only if you buy from them; Sony makes the manufacturer's margin even if you buy from Circuit City or Sears).
2. Their original model was custom built for a reasonable price. You don't need to go to a store to get something custom built. They couldn't feed that itch for someone who was ready to buy right now. That person would buy an HP (or similar brand) from a retailer (Circuit City, Office Max, Wal-Mart, etc.) instead.
Computer stores do not have a good model for brick and mortar sales. It's a nice adjunct to TV and stereo sales (or a basis for selling services), but not a good solo model. Computers are better sold over the internet or in department stores, where their low margins are more acceptable. Local computer stores will tend to make their money from service rather than consumer sales.
Re:Not gonna work if encumbered
on
Replacing TCP?
·
· Score: 1
"MySQL works quite nicely under a dual license."
Yes, but that is two *separate* licenses. This would be a single, modified version of the GPL that is not compatible with the regular GPL (which allows commercial use). MySQL *adds* options; this reduces them.
"The problem wasn't voters misreading the ballots, it was that they didn't read the ballots."
No. Once again, the problem was that only some voters were affected. If *both* Bush voters and Gore voters had been subject to the same problem, it wouldn't have been a major problem. I suspect that just as many Bush voters as Gore voters failed to read the instructions; it's just that the Bush voters still punched out the hole that they wanted, even without reading the instructions.
Anyway, how did a ballot get complicated enough that it needed instructions?
"I'm almost tempted to say that the prompt() function should simply fail with an error if the page it's called from isn't in the active window or tab."
That would mess with the way people use tabbed browsing. It is a deliberate feature that page load will continue while you look at another page; otherwise, people would have to wait for the page to load without switching to another page in the meantime (or lose the javacript functionality). The bug is that it can interfere with you while the tab is not active. It should wait until you switch back. Generating an error would preclude this in most cases.
"Hardware platform inspected, using standards comparable to the Nevada Gaming Control Board's standards for slot machines."
What happens if you find a problem? Casinos eat the loss or recover from the tamperer. How do you recover votes? They are not priceable. All your solutions are about minimizing and accepting loss, but I can work around all of them without compromising the polling place (or subsequent vote storage). However, I can easily enough develop a paper based system that can *only* be compromised at the polling place or after. If we add the simple system of having the voters scan their ballots prior to dropping them in the lockbox, we can verify that the actual votes are being cast as intended.
If you are not confident of the security of your polling places, it is easy enough to become a vote observer. It's a volunteer position after all. Further, due to the transparency of paper based systems, a single "good" poll worker can prevent an entire polling place from compromise. By contrast, a single "bad" person with access to the machines can compromise an entire set of machines. Further, the machines are themselves susceptible to simple error. As Firefox has repeatedly demonstrated, open source will still contain errors. What happens when the error is only noticed after the election?
Securing a system by adding complexity is foolish. The way to increase security and reliability is to layer simplicity. Complexity counteracts more things but also offers more points of attack. I.e. there are more things that can go wrong.
[If people using voting machines are tending to make a common kind of error, the response shouldn't be "it's user error, it's not a design problem", it's "let's examine the error, and see if there's a way to modify the design and make it less likely to happen".]
Especially if the error is consistently favoring one candidate over the other (e.g. debit favored over credit in your scenario or Bush favored over Gore in the last presidential election). If 1% of Bush votes are being counted for Kerry and 1% of Kerry votes are being counted for Bush, that's not a big deal. However, if an error causes 4% of Bush voters to vote for Bush and 4% of Kerry voters to vote for Nader, then that is a problem.
"I think the question is will a vast majority of the drooling idiots be trying to vote for Bush or Kerry."
No, the drooling idiots themselves will get wiped off and offered a chance to vote on another machine. The question is who is more likely to have already voted on that machine (the votes now lost)? IIRC, Republicans are more likely to vote in the early morning (on their way to work), so this would punish Bush more. Unless of course, the area was overwhelmingly democrat. If only democrat controlled areas use the vulnerable touch screens, this could hurt Kerry more.
" Sure, everyone (that is legal to vote) had the right to vote. But, at some point, individuals have to be responsible for knowing HOW to vote."
My only issue with the Florida ballot was that it only screwed up the votes of stupid Gore voters. If it had also screwed up the votes of stupid Bush voters, it would have been fair. However, it did not. Bush voters who read the ballot the same way that the Gore voters who miscast their votes (for Buchanan) did still cast their votes for Bush.
This is not an engineering problem. All vote systems will be susceptible to human error. What is important is to add a management system to catch the error and allow it to be rectified. The simple way to do this is to have the voter stick their ballot in the machine to be scored. Then, they could have seen that their vote was going to Buchanan rather than Gore and fixed the problem.
A system that kept people from voting if they couldn't understand the ballot would have been better than what actually happened. It would have cancelled the votes of stupid people voting for *both* Gore and Bush. Assuming equal numbers of both (or even Gore getting a slight edge), Gore would have won the election.
"They'd better make sure and get their technology right and make it possible to download the screwed-up part alone -- I'd be a bit pissed if I had to retry a whole download from scratch if it took that long."
Seeing as how that tech is already available for binary newsgroups, I suspect that Tivo could get their hands on it.
"My point is a browser that runs bad HTML code implies bad programing methods."
If Firefox, et. al. simply refused to render the page (i.e. said "HTML too ugly" and showed a blank page), that would be fine. That's not what they are doing. They are *crashing* on bad data. A program should never crash on bad data (no matter how bad); it should generate some kind of exception and take appropriate action.
To put this another way, Firefox is not recognizing that the data is bad. That's why it's a security hole.
"The fact that IE passes a test, while other's don't, that it was made to pass, that says somethign positive about IE's security, and is not to be blown off."
No, I disagree with that. It is reasonable to blow off that IE passes its own test cases. What is not reasonable is to blow off that other browsers do not.
IE still includes some basic security flaws due to faulty design. For example, there is phishing attack that displays http://www.bankname.com/ on mouseover but goes to http://ip.nu.mb.er on click. This is a security flaw in IE that should not exist (the same routine should be used to determine the URL for both mouseover and on click). Incidentally, this flaw does not exist in FireFox.
More relevant test cases are always good. New versions of Firefox, et. al. should be able to handle these test cases as well as those that they handle now that IE does not.
Not to rain on your joke, but you only get the $500 if there is an actual security hole, not a potential security hole. I.e. you need to write an exploit that utilizes the crash code. Unfortunately, he hasn't done that for us yet. We'd have to do that ourselves.
Slashdot Mirror
"you mean "must've" or "must have". (I've seen this in ... several other Slashdot posts, and it irritates the heck out of me!"
/. ), but aren't books supposed to have editors to catch spelling mistakes?
I see this in freaking books and it irritates the heck out of me. I can see how someone could make the mistake in a forum type setting (like
"most regular open relays, for instance, are mal-configured Microsoft and Sendmail SMTP servers"
Open relays are very 90s. Open relay blacklists have made it much more difficult for open relays to be used. They have moved on to open proxies and virus zombies for exactly that reason: to avoid giving up their unique info. Yes, some still use open relays, but the majority of spammers do not (especially the *successful* spammers; open relay spammers are low impact to the end user because they are usually blocked at the MTA level).
"do you think that adding $50 ($20 for an ISP, $30 for a domain name) seriously adds that much to the cost of sending spam?"
Yes. Costs to spam:
Software: $300, amortized over many spams to become less than $1 per spam. Assumes that more than 300 spams can be sent with the same software (at 1 spam per day, that's less than two years).
Hardware: $1000, amortized over many spams to become less than $3 per spam. Assumes that over 300 spams can be sent with the same hardware.
Bandwidth: $40 per month, amortized over a month of spams to less than $2 per spam. Assumes that at least 20 spams can be sent each month (one each workday).
So for less than $6, one can send out 2,000,000 emails a day (100,000 per hour easily achievable with minimal hardware). Adding $50 to this would substantially increase their costs. Further, if the honeypot blacklists within the hour, that's only 100,000 emails for the $50, not 2,000,000.
Even if the spammer uses a T1 line, that's still only $1000 per month or $50 per spam. Adding $50 to this would still double their costs.
"Sure, they'll have to know Linux, how to use the tools, and maybe even be good."
If you replace Linux with MS Windows in that statement, it is almost as true. MS Windows is not actually easier to administer *well*. It's roughly the same difficulty as Linux (easier with some tasks; harder with others). The biggest difference is that it is much easier to administer MS Windows *badly* but well enough that things work. With Linux, one has a much better chance of finding a good admin, because the bad admins are more obvious.
"Outsourced US companies would have no more of a tax disadvantage than domestic US companies"
But they would still have a disadvantage against *foreign* companies (with lower tax rates) selling in the US or elsewhere.
Something that people tend to miss in these discussions: the trade deficit is not determined by the cost of goods (which is what this would affect). Goods can increase or decrease in cost without affecting the trade deficit. The trade deficit is caused by the desire for other countries to accumulate American *dollars*.
So long as other countries find accumulation of dollars useful, they will send us goods in exchange for those dollars. If their goods are overpriced, then exchange rates will fall until their goods are competitively priced. Thus, fiddling with relative prices is never going to provide the results that they desire, as exchange rate effects will eliminate the results of the fiddling. There are only three choices here:
1. Accept the trade deficit.
2. Give the dollars to other countries without asking goods in return (i.e. foreign aid; incidentally, this was the path followed in the 1950s).
3. Remove the reasons why other countries want to accumulate dollars.
Note that 2 and 3 would cause the American standard of living to fall, as it would require us to make the stuff rather than merely receive it. Further, it is worth noting that the American cost to produce the equivalent goods is often much more expensive than what we are paying other countries (i.e. that $500 billion trade deficit might require $2 trillion of production if we did it). Finally, many of those who are unemployed are not suitable to produce the relevant goods (e.g. VCRs and RAM chips); we would still have to undertake worker retraining, etc.
In campaigning, both Kerry and Bush ignore these realities. However, I will vote for Kerry because there is at least a chance that he will address the real current problem: many of our most productive and hard working citizens have been activated from reserve status and shipped to Iraq. Thus, we have lost their production during the war. Even if Kerry does not bring this war to a close faster, he is more likely to avoid other wars at the same time.
Also French (as verified by a girl who transferred to my high school which had French classes from a school which had Latin classes), Portuguese, and Romanian. Learning Latin makes it very easy to learn the other five Romance (Latin-based) languages.
It can also improve one's English, since English has many words that derive from Latin.
"Right now, spammers have to afford to buy a new Internet account for any spam they send."
How do you figure? This is only true if the spammer is sending from some legitimate source. Very little spam is sent from legitimate sources.
You seem to be claiming that spam can be tracked back to the sender. This is manifestly untrue. Most spam can only be traced back to a proxy (which may be a compromised machine). Sure, you can shut down the proxy, but the spammer is not associated with the proxy (at least not in any trackable fashion). The actual spammer can continue to use the same internet account, no need to change.
"That is fair and I agree... but when it is the majority of the world outside of the US that is expressing these opinions, don't you think something strange is happening?"
Maybe. What would worry me more though is the recent news that Iran (a likely next Bush target) favors Bush over Kerry. What's next? 9 out of 10 terrorists endorse Bush?
"the virus writers will just go to the extra effort of sending spam out the zombie PC through the owners' ISP mail server, and to your inbox"
And then you will know whose PCs are infected. Further, you can complain to the sending ISP's abuse department and get their email sending capability pulled. Not to mention that many ISPs do virus checks that would catch outgoing viruses, limiting the utility of the emails.
Why do you think they weren't *already* doing this? Remember that you can send a message to 100 recipients with a single message, and the ISP would do all the work of splitting it out to them.
"sophisticated enough that they've installed an SPF-aware mail client"
SPF is intended to be implemented at the MTA level. I.e. it is an ISP thing, not a user thing. Even if the user is "naive enough to click on an executable," an SPF MTA will prevent them from having the chance.
Btw, SPF proponents believe that domains can be blacklisted within the first hour through the use of honey pot addresses. Further, purchase of a domain requires control of a credit card. The credit card can be traced. If nothing else, this can cost the purchaser use of that credit card (which may be stolen).
"Contrast that with Microsoft, last quarter they earnt $9.19 billion with a profit of $2.9 billion! That's over 30% profit for software!"
Think how much better that could have been if they cut out the unprofitable divisions: maybe $4 billion profit on $6 billion in revenues?
"The current best solution to AIDS is to give people a cocktail of drugs"
Err...no. The current best solution to AIDS is not to share bodily fluids with someone who has AIDS. In particular, do not have sex with someone who has AIDS. Drug cocktails are not a "solution" to AIDS; they are merely a response.
"The times I've been inside a Sony store, it seems like everything is priced at retail."
This is deliberate. Remember, most of their sales are going to be through third parties. If they undercut their resellers, they may lose the reseller. Think of the store as offering you a chance to demo their products while hanging out at the mall. They will sell you the product if you really want it, but they are just as happy to have you buy it elsewhere.
"A PC store is just not going to have the volume of sales in a mall setting to support it."
Neither Sony nor Gateway need to get sales *in* the store to support them. If people visit the store impulsively while in the mall, become convinced that the product is worthwhile, and go home to buy online (or to another store to buy), that's almost as good from Sony's perspective. They manufacture the full line of products, so they make money off anything in the store even if you buy it from a third party. The stores are marketing expenses.
Gateway had several problems that Sony won't:
1. They only manufactured computers, which aren't generally high margin (unlike the high end electronics available from Sony). Anything high margin was something they bought from someone else (i.e. Sony makes the manufacturer and retail margins on a plasma TV; Gateway only makes retail markup and only if you buy from them; Sony makes the manufacturer's margin even if you buy from Circuit City or Sears).
2. Their original model was custom built for a reasonable price. You don't need to go to a store to get something custom built. They couldn't feed that itch for someone who was ready to buy right now. That person would buy an HP (or similar brand) from a retailer (Circuit City, Office Max, Wal-Mart, etc.) instead.
Computer stores do not have a good model for brick and mortar sales. It's a nice adjunct to TV and stereo sales (or a basis for selling services), but not a good solo model. Computers are better sold over the internet or in department stores, where their low margins are more acceptable. Local computer stores will tend to make their money from service rather than consumer sales.
"MySQL works quite nicely under a dual license."
Yes, but that is two *separate* licenses. This would be a single, modified version of the GPL that is not compatible with the regular GPL (which allows commercial use). MySQL *adds* options; this reduces them.
"The problem wasn't voters misreading the ballots, it was that they didn't read the ballots."
No. Once again, the problem was that only some voters were affected. If *both* Bush voters and Gore voters had been subject to the same problem, it wouldn't have been a major problem. I suspect that just as many Bush voters as Gore voters failed to read the instructions; it's just that the Bush voters still punched out the hole that they wanted, even without reading the instructions.
Anyway, how did a ballot get complicated enough that it needed instructions?
"like crossing starbucks with the local library."
My local library already has a Starbucks clone inside.
"I'm almost tempted to say that the prompt() function should simply fail with an error if the page it's called from isn't in the active window or tab."
That would mess with the way people use tabbed browsing. It is a deliberate feature that page load will continue while you look at another page; otherwise, people would have to wait for the page to load without switching to another page in the meantime (or lose the javacript functionality). The bug is that it can interfere with you while the tab is not active. It should wait until you switch back. Generating an error would preclude this in most cases.
"Hardware platform inspected, using standards comparable to the Nevada Gaming Control Board's standards for slot machines."
What happens if you find a problem? Casinos eat the loss or recover from the tamperer. How do you recover votes? They are not priceable. All your solutions are about minimizing and accepting loss, but I can work around all of them without compromising the polling place (or subsequent vote storage). However, I can easily enough develop a paper based system that can *only* be compromised at the polling place or after. If we add the simple system of having the voters scan their ballots prior to dropping them in the lockbox, we can verify that the actual votes are being cast as intended.
If you are not confident of the security of your polling places, it is easy enough to become a vote observer. It's a volunteer position after all. Further, due to the transparency of paper based systems, a single "good" poll worker can prevent an entire polling place from compromise. By contrast, a single "bad" person with access to the machines can compromise an entire set of machines. Further, the machines are themselves susceptible to simple error. As Firefox has repeatedly demonstrated, open source will still contain errors. What happens when the error is only noticed after the election?
Securing a system by adding complexity is foolish. The way to increase security and reliability is to layer simplicity. Complexity counteracts more things but also offers more points of attack. I.e. there are more things that can go wrong.
[If people using voting machines are tending to make a common kind of error, the response shouldn't be "it's user error, it's not a design problem", it's "let's examine the error, and see if there's a way to modify the design and make it less likely to happen".]
Especially if the error is consistently favoring one candidate over the other (e.g. debit favored over credit in your scenario or Bush favored over Gore in the last presidential election). If 1% of Bush votes are being counted for Kerry and 1% of Kerry votes are being counted for Bush, that's not a big deal. However, if an error causes 4% of Bush voters to vote for Bush and 4% of Kerry voters to vote for Nader, then that is a problem.
"I think the question is will a vast majority of the drooling idiots be trying to vote for Bush or Kerry."
No, the drooling idiots themselves will get wiped off and offered a chance to vote on another machine. The question is who is more likely to have already voted on that machine (the votes now lost)? IIRC, Republicans are more likely to vote in the early morning (on their way to work), so this would punish Bush more. Unless of course, the area was overwhelmingly democrat. If only democrat controlled areas use the vulnerable touch screens, this could hurt Kerry more.
" Sure, everyone (that is legal to vote) had the right to vote. But, at some point, individuals have to be responsible for knowing HOW to vote."
My only issue with the Florida ballot was that it only screwed up the votes of stupid Gore voters. If it had also screwed up the votes of stupid Bush voters, it would have been fair. However, it did not. Bush voters who read the ballot the same way that the Gore voters who miscast their votes (for Buchanan) did still cast their votes for Bush.
This is not an engineering problem. All vote systems will be susceptible to human error. What is important is to add a management system to catch the error and allow it to be rectified. The simple way to do this is to have the voter stick their ballot in the machine to be scored. Then, they could have seen that their vote was going to Buchanan rather than Gore and fixed the problem.
A system that kept people from voting if they couldn't understand the ballot would have been better than what actually happened. It would have cancelled the votes of stupid people voting for *both* Gore and Bush. Assuming equal numbers of both (or even Gore getting a slight edge), Gore would have won the election.
"They'd better make sure and get their technology right and make it possible to download the screwed-up part alone -- I'd be a bit pissed if I had to retry a whole download from scratch if it took that long."
Seeing as how that tech is already available for binary newsgroups, I suspect that Tivo could get their hands on it.
"My point is a browser that runs bad HTML code implies bad programing methods."
If Firefox, et. al. simply refused to render the page (i.e. said "HTML too ugly" and showed a blank page), that would be fine. That's not what they are doing. They are *crashing* on bad data. A program should never crash on bad data (no matter how bad); it should generate some kind of exception and take appropriate action.
To put this another way, Firefox is not recognizing that the data is bad. That's why it's a security hole.
"The fact that IE passes a test, while other's don't, that it was made to pass, that says somethign positive about IE's security, and is not to be blown off."
No, I disagree with that. It is reasonable to blow off that IE passes its own test cases. What is not reasonable is to blow off that other browsers do not.
IE still includes some basic security flaws due to faulty design. For example, there is phishing attack that displays http://www.bankname.com/ on mouseover but goes to http://ip.nu.mb.er on click. This is a security flaw in IE that should not exist (the same routine should be used to determine the URL for both mouseover and on click). Incidentally, this flaw does not exist in FireFox.
More relevant test cases are always good. New versions of Firefox, et. al. should be able to handle these test cases as well as those that they handle now that IE does not.
Not to rain on your joke, but you only get the $500 if there is an actual security hole, not a potential security hole. I.e. you need to write an exploit that utilizes the crash code. Unfortunately, he hasn't done that for us yet. We'd have to do that ourselves.