When you see someone get hit in the neck in a street fight with a baseball bat, crook their head sideways to catch it and then take it away, you may become a believer.
A baseball bat is only as dangerous as the guy swinging it. Movies make them look worse than they are. If the bat hits your skull, you're dead because you can't do much with bone, but "properly" conditioned muscle can take a baseball bat. It isn't sharp and spreads the impact along its surface. Muscle as it turns out, is *very* good at handling impact.
In a street fight, you never hit muscle. You punch ribs or pound the face. If you have a good sized neck, ~18 inches, and the guy swinging the bat doesn't have enough to take your head off, you can handle it.
People who have never been in a fight always seem to think it is easy to win a fight if you are big enough. It isn't the movies, people almost never go down in one punch. It usually ends when someone gives up or runs away, almost never a knock out or something dramatic like that.
The mixing of "data" and "program" goes much deeper than just Windows because ever since the Intel 8080 modern commodity processors, with a few exceptions, have made no clear distinction between data and programmatic instructions
STOP RIGHT THERE!!! Yes, the Intel 8080, the zylog Z80 as well as most primitive micro CPUs from the 70s that was basically true.
On "real mode" 8086, 8088, 80186, and V20 code was indexed by the "cs" register and data by "ds" register. The tools to separate code and data existed in DOS 1.0.
Starting with the 80286 protected mode, code and data are separated further in that code physical memory has to be defined withing a selector number in the CS register. To load data into memory and execute it, you need to create a CS to DS alias for the CPU to be able to jump to it. You could not jump to code in a "data selector" without causing an exception. You could not write to a code selector without creating an exception. You HAD to load into data and then convert that data into code. It did not happen by accident and a typical program had to call a privileged instruction or an API routine to do it.
In 386 "flat" model, the CS and DS registers STILL define the difference between code and data. The fact that they usually point to the same area is not a flaw of the processor.
Computer users (yourself included, me too!) have demanded more automation,
Speak for yourself. I don't want "automation" and most of my family and friends get confused by it, "Hey, why is it doing that?" is the typical response.
they want less user interaction, thus MS and everybody else will develop for these wants.
You are confusing "wanting it to work" and "automation." Clicking, or double clicking, on an icon in a window and having the correct player pop up and play the file correctly is what people want. That is, in fact, *all* they want. No one asked for media files that would "automate" anything.
User's don't even understand computers at the level where they could ask for such a thing. If they did, they wouldn't even ask. I submit that much of the push for programmatic content within media is from the *IAA types looking to extend control.
I remember when email was just that data!, had to uuencode/uudecode anything binary
There is no reason why an email message has to contain programmatic content for an email program to be able to properly decode an attachment. That's what MIME types are all about.
He could take on 5 guys, and did on more than one occasion. Would confront gangs of punks well into his 60s.
Well, I don't want to tarnish the image of a grandfather, but stories and tall tales get more and more interesting as people get older. I plan on my stories growing to 5 or so guys by the time I'm 60.
Seriously, "take on" 5 guys is doable. Winning? I don't think so.
I worked as a bouncer and security guard before I started working as an engineer, subduing someone is *very* difficult. Dragging a person who wishes not to be is very hard. The whole batman thing is ridiculous.
Alzheimer's is a hard way to go. You have my deepest sympathy for him. He sounds like my dad.
Microsoft has a SERIOUS design pathology. They too often confused "data" with "program." Every G.D. thing in Windows can, in some way, initiate an action. This is a problem.
A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.
Let's see some hands: How many people have been in a street fight? Against one person? Against two?
When I was young, I was sort of a bad ass. I was a "baby huey" sort of kid. Without working out, I was 6' 210lbs in high school. 32 inch waste 46 inch jacket. I was pretty strong. When I started working out, for football, I started bench press at 210lbs, my weight.
I hung out in Dorchester and South Boston and got in a lot of fights. 1:1 I could hold my own against almost anyone, even the kids who took karate. 2:1, I would usually get my ass kicked unless I could get rid of the first guy quickly. 3:1, no f-ning way you're getting out without serious bruises or broken bones.
Batman is a myth. It can't happen. Kung Foo movies are a joke. Guns are popular because you *can* take on a bunch of people at once. Hand to hand, no matter how big and strong you are, two or three guys are stronger than you.
If I may make an analogy, it seems like the difference between a flaming campy queer, and an everyday gay guy who doesn't flaunt his sexuality
Neither of which is any less gay. If you intend to change the language in a way to make the real meaning less clear, that is, by definition, obfuscation. You may be arguing relativity, I am arguing an absolute fact.
At what point does Linus start saying, this obfuscation thing isn't working and *ONLY* vetted kernel contributors may see the change logs of unreleased kernels? It is within his rights and possible.
He's not saying obfuscate security reports, he's just saying he's not going to stick a large flag on the changelog that gets published when the patch does saying SECURITY BUG EXPLOIT ME NOW BEFORE THE SYSADMIN READS THIS!
I understand what you are saying, but it is a disingenuous use of the English language to propose that titles and descriptions be less descriptive so as to not call attention to the real issue, and NOT call that obfuscation.
In the old argument, freedom requires responsibility, this is a prime example of the conflict.
In a truly freedom based model, you assume and rely on the fact that Linux users are responsible for their systems, and thus WARNING SECURITY BUG FIX NOW is a good title to an important patch.
In the less free "sharecropper" future of Linux where user's rely on upstream vendors to "take care of them" and take no responsibility for their systems, hiding such warning is great security theater to make them feel more secure. They are not more secure, we all know, but they FEEL that they are and the kernel guys pretend to act more responsibly in this "post 9-11" fear based world.
Its all bullshit and everyone who knows anything knows it. What surprised me was Vixie just saying "patch and trust us" without explaining, with specificity, why.
When even the proponents of freedom start to fear freedom, we are in deep shit.
Your recollection is based on years of urban legend. My recollection is based on actually studying the facts.
Sigh, and which "facts" are these? Seriously, it happened a LONG time ago and while I actually watched the live broadcast, what has been written and documenting since has, at best, been contradictory.
But facts don't seem to be your long suit - you prefer bias. Don't be an idiot, you know absolutely nothing about me or my preferences.
Going back to your original post, who do you think prepared the proposal for the 'suits' ("a committee of military contractors and NASA administrators")?
You must know that there are NO public reports that aren't carefully edited and re-written for public consumption. I'd be surprised that there was any meaningful engineering input.
In the Reagan years, as today, public agencies like NASA were under a lot of pressure.
In reality, O-ring erosion was occurring from the first static firings of the SRB - and the engineers told management that it was OK as the ring hadn't completely eroded through.
It was an off the cuff remark, I based it on my own recollection. From my personal memory, the engineers were concerned but the administrators used the argument that they hadn't burned through so that there was a "margin of safety." The engineers were told to shut up or lose their jobs.
We can debate the facts, and while I believe my recollection is more accurate, it isn't worth a debate. The point was that I believe that competent engineers with an idea are more likely to be right than a bunch of suits.
Yeah. The EXACT same people infact. Fuck you clown.
I wasn't going to respond, but lets just say that military contractors and NASA administrators have a different set of objectives and motivations than a set of engineers and scientists. ESPECIALLY under this administration.
Apple is exactly what Microsoft would be if Bill Gate's father wasn't already a wealthy man. Do you think that Jobs or Gates are very much different?
One interesting note, however, Apple uses the courts as an offensive mechanism more often than Microsoft. Microsoft tends to bombard problems with cash projectiles until resistance is bought off. Apple sues you for even talking about them.
for(int i=0; num_objects-i !=0; i++)
new (&foo[i]) Object(....)
(if you overload new and delete appropriately. The num_objects-i instead of a less than sign in the for loop is just for HTML crap.)
If you want to create 1,000,000 objects, there is NO WAY java can beat well coded C++.
In a threaded system, each malloc locks the heap. In this example only one such lock is ever encountered. Just make sure you overload delete as well. If there is no cleanup needed, just call free(foo);
JIT's can actually produce code that runs faster than statically compiled C++, as jits have the opportunity to generate statistics on how the software is being used at run time and optimize the compile around that data.
I have heard this claim, oh so, many times and have never seen it come to fruition except for exceptionally trivial examples.
After getting most prized "first post" position, I have one more...
I would trust a set of napkin drawings from dedicated engineers more than I'd trust a polished proposal from a committee of military contractors and NASA administrators.
Think of it this way, the latter said the O rings were safe, the former tried to warn everyone of the danger.
If you need a recognized code of ethics to tell you that sabotaging your ex-employer's system isn't right, then no code of ethics can help you.
Integrity and reputation is typically more profitable than malice and destruction.
I've been in the business a few years, and as you get older, you acquire positions of trust. You have too, you can't be "starting out" your whole career. This sort of behavior is a deal breaker. No one will hire him.
When laid off or fired. Collect your stuff, shake hands with your boss, tell them what is left to be completed, politely and with insight, try to be constructive with any discussions on the exit interview. Even a complete moron will leave a better impression than the greatest genius.
Once out, have a beer or two. Calm down. If you'r any good at all, when they are picking up the pieces of the layoff, they'll remember you attitude and professionalism and probably pay you contractor wages to do stuff while you collect unemployment and look for a new job.
I used to work at a bank. I was the "cash control teller" which means that I counted every single cash shipment into and out of the bank branch. Sometimes 1/2 million dollars.
You know what? It isn't worth it. It isn't enough to live a good life on. If you get caught, the benefits do not out weight the risks.
The same thing with this sort of hack. The guy screwed himself. He's ruined and will serve time in prison. "Everyone" (with any skills) knows you can get into any system you can physically touch.
What is he going to get for his trouble? Will they pay him off and set him free? HA! no way. The worst that will happen is that they'll employ someone's 12 year old nephew to crack the system. Pay him off with a couple XBox games or a new PS3.
Remember that interpreting turns 1 instruction into hundreds of real machine instructions.
That is more of an academic argument as most code, java, visual basic, Windows, what ever, seldom spend much time in the glue. Most of the code is done in the binary libraries.
When you examine the cost of a web hit, you have to look at it systemically. Web servers are toasters, they cost $2k up front and maybe $200 a year to run. The "real" performance bottleneck isn't the web environment, but the databases, back-end services, and so on.
I agree JVMs are a toy, but then again, I don't have much respect for java either. You would know what I mean if you had a system that would regularly create and destroy a few million objects quickly. It is simply not possible to do it on Java without a HUGE machine and a lot of RAM.
I can do it in C++ easily and quickly. I can expose a C API to access it. At that point Java, PHP, perl, or ruby don't care. It works where they don't. No matter how good the JIT is, it can't really beat native code on non-trivial applications.
Slashdot Mirror
You have a pretty complex example, but lets not confuse a malicious attack with a normal practice.
For instance:
void myfunction()
{
printf("This is a test");
}
int main()
{
void *p = (void *) myfunction;
printf("%X\n", p);
int *pn = (int *) p;
*pn = 0;
}
This will cause a segmentation fault. The code is read-only. (On linux) You can't jump to a static location or a stack location.
Try it.
There are many was to affect the CS,DS,SS,ES and other "selector" registers and depending on operation may cause an exception.
The tools to secure an x[n]86 type processor have been there since protected mode. The holes in the security are software.
When you see someone get hit in the neck in a street fight with a baseball bat, crook their head sideways to catch it and then take it away, you may become a believer.
A baseball bat is only as dangerous as the guy swinging it. Movies make them look worse than they are. If the bat hits your skull, you're dead because you can't do much with bone, but "properly" conditioned muscle can take a baseball bat. It isn't sharp and spreads the impact along its surface. Muscle as it turns out, is *very* good at handling impact.
In a street fight, you never hit muscle. You punch ribs or pound the face. If you have a good sized neck, ~18 inches, and the guy swinging the bat doesn't have enough to take your head off, you can handle it.
People who have never been in a fight always seem to think it is easy to win a fight if you are big enough. It isn't the movies, people almost never go down in one punch. It usually ends when someone gives up or runs away, almost never a knock out or something dramatic like that.
I love my AMD systems. What the hell? How can you have a GREAT product, market share, and blow it as often as AMD has.
I hope they can come back. ATI was such a mistake, EVERYONE knew it was, I shake my head at what passes for management or vision these days.
You just know the guys that destroy good companies get many millions of dollars while the stock holders get shafted and the stake holders get ignored.
The mixing of "data" and "program" goes much deeper than just Windows because ever since the Intel 8080 modern commodity processors, with a few exceptions, have made no clear distinction between data and programmatic instructions
STOP RIGHT THERE!!! Yes, the Intel 8080, the zylog Z80 as well as most primitive micro CPUs from the 70s that was basically true.
On "real mode" 8086, 8088, 80186, and V20 code was indexed by the "cs" register and data by "ds" register. The tools to separate code and data existed in DOS 1.0.
Starting with the 80286 protected mode, code and data are separated further in that code physical memory has to be defined withing a selector number in the CS register. To load data into memory and execute it, you need to create a CS to DS alias for the CPU to be able to jump to it. You could not jump to code in a "data selector" without causing an exception. You could not write to a code selector without creating an exception. You HAD to load into data and then convert that data into code. It did not happen by accident and a typical program had to call a privileged instruction or an API routine to do it.
In 386 "flat" model, the CS and DS registers STILL define the difference between code and data. The fact that they usually point to the same area is not a flaw of the processor.
Computer users (yourself included, me too!) have demanded more automation,
Speak for yourself. I don't want "automation" and most of my family and friends get confused by it, "Hey, why is it doing that?" is the typical response.
they want less user interaction, thus MS and everybody else will develop for these wants.
You are confusing "wanting it to work" and "automation." Clicking, or double clicking, on an icon in a window and having the correct player pop up and play the file correctly is what people want. That is, in fact, *all* they want. No one asked for media files that would "automate" anything.
User's don't even understand computers at the level where they could ask for such a thing. If they did, they wouldn't even ask. I submit that much of the push for programmatic content within media is from the *IAA types looking to extend control.
I remember when email was just that data!, had to uuencode/uudecode anything binary
There is no reason why an email message has to contain programmatic content for an email program to be able to properly decode an attachment. That's what MIME types are all about.
He could take on 5 guys, and did on more than one occasion. Would confront gangs of punks well into his 60s.
Well, I don't want to tarnish the image of a grandfather, but stories and tall tales get more and more interesting as people get older. I plan on my stories growing to 5 or so guys by the time I'm 60.
Seriously, "take on" 5 guys is doable. Winning? I don't think so.
I worked as a bouncer and security guard before I started working as an engineer, subduing someone is *very* difficult. Dragging a person who wishes not to be is very hard. The whole batman thing is ridiculous.
Alzheimer's is a hard way to go. You have my deepest sympathy for him. He sounds like my dad.
Microsoft has a SERIOUS design pathology. They too often confused "data" with "program." Every G.D. thing in Windows can, in some way, initiate an action. This is a problem.
A "music" file should be data. E-mail should be DATA! This is absolutely crazy. Making everything capable of being interpreted as programmatic content is at best a security flaw.
Let's see some hands: How many people have been in a street fight? Against one person? Against two?
When I was young, I was sort of a bad ass. I was a "baby huey" sort of kid. Without working out, I was 6' 210lbs in high school. 32 inch waste 46 inch jacket. I was pretty strong. When I started working out, for football, I started bench press at 210lbs, my weight.
I hung out in Dorchester and South Boston and got in a lot of fights. 1:1 I could hold my own against almost anyone, even the kids who took karate. 2:1, I would usually get my ass kicked unless I could get rid of the first guy quickly. 3:1, no f-ning way you're getting out without serious bruises or broken bones.
Batman is a myth. It can't happen. Kung Foo movies are a joke. Guns are popular because you *can* take on a bunch of people at once. Hand to hand, no matter how big and strong you are, two or three guys are stronger than you.
If I may make an analogy, it seems like the difference between a flaming campy queer, and an everyday gay guy who doesn't flaunt his sexuality
Neither of which is any less gay. If you intend to change the language in a way to make the real meaning less clear, that is, by definition, obfuscation. You may be arguing relativity, I am arguing an absolute fact.
At what point does Linus start saying, this obfuscation thing isn't working and *ONLY* vetted kernel contributors may see the change logs of unreleased kernels? It is within his rights and possible.
He's not saying obfuscate security reports, he's just saying he's not going to stick a large flag on the changelog that gets published when the patch does saying SECURITY BUG EXPLOIT ME NOW BEFORE THE SYSADMIN READS THIS!
I understand what you are saying, but it is a disingenuous use of the English language to propose that titles and descriptions be less descriptive so as to not call attention to the real issue, and NOT call that obfuscation.
In the old argument, freedom requires responsibility, this is a prime example of the conflict.
In a truly freedom based model, you assume and rely on the fact that Linux users are responsible for their systems, and thus WARNING SECURITY BUG FIX NOW is a good title to an important patch.
In the less free "sharecropper" future of Linux where user's rely on upstream vendors to "take care of them" and take no responsibility for their systems, hiding such warning is great security theater to make them feel more secure. They are not more secure, we all know, but they FEEL that they are and the kernel guys pretend to act more responsibly in this "post 9-11" fear based world.
Its all bullshit and everyone who knows anything knows it. What surprised me was Vixie just saying "patch and trust us" without explaining, with specificity, why.
When even the proponents of freedom start to fear freedom, we are in deep shit.
I think we need to change the expression "Power corrupts, absolute power corrupts absolutely" to "Success corrupts, real success creates real evil."
Jobs is just as evil as Bill Gates ever was, Bill just had the advantage of wealth.
Your recollection is based on years of urban legend. My recollection is based on actually studying the facts.
Sigh, and which "facts" are these? Seriously, it happened a LONG time ago and while I actually watched the live broadcast, what has been written and documenting since has, at best, been contradictory.
But facts don't seem to be your long suit - you prefer bias.
Don't be an idiot, you know absolutely nothing about me or my preferences.
Going back to your original post, who do you think prepared the proposal for the 'suits' ("a committee of military contractors and NASA administrators")?
You must know that there are NO public reports that aren't carefully edited and re-written for public consumption. I'd be surprised that there was any meaningful engineering input.
In the Reagan years, as today, public agencies like NASA were under a lot of pressure.
In reality, O-ring erosion was occurring from the first static firings of the SRB - and the engineers told management that it was OK as the ring hadn't completely eroded through.
It was an off the cuff remark, I based it on my own recollection. From my personal memory, the engineers were concerned but the administrators used the argument that they hadn't burned through so that there was a "margin of safety." The engineers were told to shut up or lose their jobs.
We can debate the facts, and while I believe my recollection is more accurate, it isn't worth a debate. The point was that I believe that competent engineers with an idea are more likely to be right than a bunch of suits.
Yes Jobs is different.
He wants to make cool stuff.
Then why is Apple suing?
Yeah. The EXACT same people infact. Fuck you clown.
I wasn't going to respond, but lets just say that military contractors and NASA administrators have a different set of objectives and motivations than a set of engineers and scientists. ESPECIALLY under this administration.
Apple is exactly what Microsoft would be if Bill Gate's father wasn't already a wealthy man. Do you think that Jobs or Gates are very much different?
One interesting note, however, Apple uses the courts as an offensive mechanism more often than Microsoft. Microsoft tends to bombard problems with cash projectiles until resistance is bought off. Apple sues you for even talking about them.
All multi-national corporations suck.
Our first version was in C++, the second in Java. The performance of the two were similar.
Then you aren't using C++ very efficiently.
Object *foo = malloc(sizeof(Object) * num_objects)
assert(foo);
for(int i=0; num_objects-i !=0; i++)
new (&foo[i]) Object(....)
(if you overload new and delete appropriately. The num_objects-i instead of a less than sign in the for loop is just for HTML crap.)
If you want to create 1,000,000 objects, there is NO WAY java can beat well coded C++.
In a threaded system, each malloc locks the heap. In this example only one such lock is ever encountered. Just make sure you overload delete as well. If there is no cleanup needed, just call free(foo);
JIT's can actually produce code that runs faster than statically compiled C++, as jits have the opportunity to generate statistics on how the software is being used at run time and optimize the compile around that data.
I have heard this claim, oh so, many times and have never seen it come to fruition except for exceptionally trivial examples.
After getting most prized "first post" position, I have one more...
I would trust a set of napkin drawings from dedicated engineers more than I'd trust a polished proposal from a committee of military contractors and NASA administrators.
Think of it this way, the latter said the O rings were safe, the former tried to warn everyone of the danger.
All I can think of is, in the TV show "Big Bang" was Sheldon's embarrassment when his sister says he's a "rocket scientist or something."
LOL. literal "Rocket Science" isn't figurative "rocket science."
That a "napkin drawing" by engineers never amount to anything.
If you need a recognized code of ethics to tell you that sabotaging your ex-employer's system isn't right, then no code of ethics can help you.
Integrity and reputation is typically more profitable than malice and destruction.
I've been in the business a few years, and as you get older, you acquire positions of trust. You have too, you can't be "starting out" your whole career. This sort of behavior is a deal breaker. No one will hire him.
When laid off or fired. Collect your stuff, shake hands with your boss, tell them what is left to be completed, politely and with insight, try to be constructive with any discussions on the exit interview. Even a complete moron will leave a better impression than the greatest genius.
Once out, have a beer or two. Calm down. If you'r any good at all, when they are picking up the pieces of the layoff, they'll remember you attitude and professionalism and probably pay you contractor wages to do stuff while you collect unemployment and look for a new job.
I used to work at a bank. I was the "cash control teller" which means that I counted every single cash shipment into and out of the bank branch. Sometimes 1/2 million dollars.
You know what? It isn't worth it. It isn't enough to live a good life on. If you get caught, the benefits do not out weight the risks.
The same thing with this sort of hack. The guy screwed himself. He's ruined and will serve time in prison. "Everyone" (with any skills) knows you can get into any system you can physically touch.
What is he going to get for his trouble? Will they pay him off and set him free? HA! no way. The worst that will happen is that they'll employ someone's 12 year old nephew to crack the system. Pay him off with a couple XBox games or a new PS3.
No, not with Java. Java actually has most of its real functionality written in Java;
I submit that you should download the Java source and a take a good look at it.
Remember that interpreting turns 1 instruction into hundreds of real machine instructions.
That is more of an academic argument as most code, java, visual basic, Windows, what ever, seldom spend much time in the glue. Most of the code is done in the binary libraries.
When you examine the cost of a web hit, you have to look at it systemically. Web servers are toasters, they cost $2k up front and maybe $200 a year to run. The "real" performance bottleneck isn't the web environment, but the databases, back-end services, and so on.
I agree JVMs are a toy, but then again, I don't have much respect for java either. You would know what I mean if you had a system that would regularly create and destroy a few million objects quickly. It is simply not possible to do it on Java without a HUGE machine and a lot of RAM.
I can do it in C++ easily and quickly. I can expose a C API to access it. At that point Java, PHP, perl, or ruby don't care. It works where they don't. No matter how good the JIT is, it can't really beat native code on non-trivial applications.