But everyone damn well knows they likely wouldn't have gotten 1.5 million downloads otherwise. This is exactly why intellectual property is actually valuable and is vigorously protected. I have a hard time thinking they'd be so stupid as to think they'd get away with this*. It's got to be about the publicity.
* I could be wrong. People always manage to surprise me on this point.
To clarify, I haven't turned off my ad-blocker on the Slashdot site. Third-party ads are still blocked. I'm talking about the ads Slashdot serves itself, like the Slashdot deal ads. This is actually a method of serving ads I'd like to encourage, and so I don't take any special action to block those ads.
Basically, I agree with everything you said about the dangers of third-party Javascript, especially when used for nothing but serving ads and tracking us.
Safe is not a binary yes or no. It's more of a spectrum.
At one end, we have static HTML with no scripting, and a modern browser with robust content interpreters, hardened over the last two decades. We're not likely to get infected with a jpeg file or random HTML parsing flaws anymore (although it's not impossible more flaws will be found - look at Android's StageFright bugs). Besides, you notice that article was written in 2004, right? If you're using a circa 2004 browser or unpatched OS, it's your own damned fault for whatever happens.
On the other end of the web browsing safety spectrum, you have Flash and random ads that may or may not be served from an unvetted server in Bosnia, that have full access to a very powerful interpreted scripting engine, and with one tiny flaw, can infect your computer. Or, they'll bombard the user with scamware or phishing attacks to trick them into giving them access. It ends up the same either way.
Given that allowing ads or running Flash exposes us to significant risk for no gains, it's a pretty simple choice to make for informed folks. Oh, and I'm not vehemently anti-ad. For instance, I don't mind the ads on Slashdot, and have never turned them off. I figure they're safe enough and hopefully make the site a bit of money.
If I'm going to lambast people for appearing to talk out their ass, I can't very well exclude myself, right? Consider me lambasted, and my own snark retracted. Most of the other facts still should stand.
The only reason to scrape all of LinkedIn's public data is to compile and sell it as a database, probably to some shady advertising network that doesn't care where the data comes from. So... I'm not exactly sympathetic to whoever is doing this.
That being said, it doesn't strike me as being illegal either. LinkedIn has every right to try to block mass access, but I agree, it seems like they're on shaky ground, legally speaking (not that I'm a lawyer). Maybe a judge will disagree. We'll have to keep an eye on this one.
Apparently, someone has no idea what the hell "HoloLens" is, yet felt the need to comment with ignorant snark and is even modded "insightful" for it. Nice.
For those that have no idea, HoloLens is augmented reality, not virtual reality. You see the real world through the viewfinder, and computer generated imagery is placed into the real world, and is lock-synced perfectly, so that it fools your brain into believing you're really seeing a "hologram" in real space. I've heard it's an amazing experience, for those that have seen it. And no, augmented reality won't make you sick, because there's no brain-image disconnect. Think of Pokemon Go as the perfect videogame for this technology, imposing "creatures" in the real world, as one example use case. MS is targeting corporate applications first, though. This isn't even a consumer device.
The biggest problem is that to make it portable (unlike most VR that's powered by desktop machines), the screen had to be reduced in size, so that it's sort of like looking through a mail slot. It's definitely not a full field-of-view sort of experience. My expectation is that as processing and battery power improves, you'll eventually have an experience closer to vision-correcting glasses, and eventually a full field of view.
Let's be clear about this. LinkedIn is upset because that collection of professional data is extremely valuable. Microsoft just paid billions of dollars for it, and someone else just grabbed a lot of it for free. While having a static copy of the data isn't valuable as owning the network, there's still a lot of value of it, especially while the data is still reasonably fresh.
In short, individual users have nothing to fear from this, as they've already made all this data public, presumably because they want the world to see it. This is only an issue for MS and Linked-In.
Using whiz-bang features sparingly is, in my opinion, one of the cornerstones of working in C++ and not shooting your own foot off with over-complexity.
It could definitely be an anti-pattern if used incorrectly, but honestly, I've been programming in C++ for about twenty years, and do you know how many times I've seen co-workers abuse operator overloading? Precisely ZERO. Seriously... never seen it. Apparently, I work with people who weren't stupid to flagrantly abuse operator overloading for no good reason, even among those who didn't exactly produce the cleanest or more elegant code.
On the other hand, this is the type of code I typically work with:
Vector3 posDelta = position - lastPosition;
Or this:
Matrix m = m1 * m2;
Overloading operators is best done in an absolutely literal sense. For instance, if you're doing matrix multiplication or subtracting two positions to get a delta value, the intent and what's happening in the code is 100% clear to everyone.
I chuckle sometimes at how C programmers believe that there's some evil overloaded operator lurking behind every multiply or addition. Uh, yeah... you can also obfuscate the crap out of your C programs too (pretty sure I've heard about some sort of contest too *cough*), but you just don't do that.
Cutting the code is pretty easy once someone decides what they really really want. Until they change their mind....
I think that greatly depends on what sort of work you do.
I work in game development, which is both technically challenging as well as chasing after that elusive "fun factor", changing specs at a designer's or artist's whim. It's actually quite challenging work - squeezing real-time virtual world performance out of commodity hardware. For me, a large part of the challenge is figuring out how robustly to design a system to allow inevitable designer-required changes to occur versus potentially over-engineering that system, costing both time and run-time efficiency - something we have to be very aware of, unlike many programmers.
All too often, when talking with designers, they'll ask for the impossible. I try not to immediately say "we can't do that", or "that's impossible". Instead, I'll tell them "I can't think of a way to do that.", and will think on the problem. Sometimes I succeed, sometimes I fail, but... damn... pure joy when I do actually pull off the "impossible". There's a special delight when the rare opportunity comes to implement something no one's ever tried before, or at least something *you've* never done, and for which there's no how-to anywhere to be found, and you have to puzzle it out yourself and with your teammates. That sort of thing is what I live for as a programmer.
It sounds like this is what the fourth and fifth generation programming languages were supposed to be all about - describing the problem rather than writing specific code to solve it, I think. Or something like that.
And still, people keep writing code in boring old third gen languages that actually solve the problems through hand-crafted algorithms. As it turns out, 4GL and 5GL work pretty well within the problem sets imagined by the designers of those languages, but the real world has to deal with issues that may fall outside those boundaries, or perhaps with performance constrains (memory, speed, etc). Or perhaps you can't hire programmers for more esoteric languages... whatever.
I think perhaps the new 4GL and 5GL are actually reuseable frameworks, rather than new languages.
3) Complex life does survive, but for some reason doesn't communicate or colonize other worlds (a "Prime Directive", or perhaps they "sublime" in the Ian Banks/Culture sense)
Or because no one has found a way around that pesky speed-of-light barrier, and the vast distances simply make inter-species communication, let alone travel, utterly impractical. This has always seemed, at least to me, the least romantic but most pragmatic answer to the question of why we don't meet aliens, or even hear from them.
It's not like they're Bethesda, shipping a game that's 95% done and expecting modders to fix the rest.
Bethesda tends to get a pass because their games (specifically their Elder Scrolls games) are so ridiculously big, complex, and ambitious, that gamers tend to be somewhat forgiving when the inevitable bugs are found - so long as they're not too persistent and/or game-breaking. Hello Games *may* get the same sort of treatment if they respond to these issues promptly, because this is a pretty ambitious game for an indie studio.
I've been developing professional games for quite a while now, and even pros can struggle with optimization issues. There's a bit of a black art to getting games running fast and smoothly, and if there are systemic issues in their code that don't follow good real-time coding practices, it's going to be hard for them to deal with after the fact.
BTW, if you guys at Hello Studios are reading this, get a copy of RAD Game Tools' Telemetry NOW. You should have been using it all through development (it's especially important with your own engine), but better late than never. It's fantastic at finding those real-time hotspots in code.
Oh, also, I'll also be giving them money at some point I'm sure, because I'm an 'explorer archetype' gamer. This is definitely my type of game, no doubt. But I'll probably either wait until it's released on Xbox One or I eventually get a PS4, as I don't have a very good PC gaming rig right now. For some reason, as I get older, I seem to be migrating more towards console gaming.
During the height of the cold war, spies didn't actually kill each other, contrary to Hollywood and myths. Putin is a nasty guy, but I just don't see any motivation for him to start offing people like that.
The big problem with all these conspiracy theories is that it only takes one secretly recorded message, or one witness that remains alive, to blow the whole thing wide open. Unless you believe that *everyone* is in on the conspiracy, of course, which makes a great movie plot, but isn't terribly realistic.
This is a failure of API design then. If the location can't be localized, there should be no specific location returned AT ALL. Or shit like this happens.
I worry far more about the costs of an excessively litigious society than the alleged trauma of a first-world man-child over not seeing specific a few expected scenes in a movie.
I'd really prefer that federal agencies be secure against hackers. If they use open source, hostile countries like Iran and North Korea will be able to look for vulnerabilities in the code and more easily hack into the federal government. The source code should be secret, which will help keep out hostile countries. Security should be the primary goal, and therefore the source must be closed.
All this means is that you don't understand software security. There's no guarantee that open source is free of security issues, of course. But at the very least, it does mean that you're not depending on some "secret" in the code to remain secure, which is NOT any sort of security at all.
The most widely used security algorithms in the world are open specifications and have open source reference implementations, in case you aren't aware. These algorithms and implementations can never be proven secure except by their resistance to determined attacks over time, and this can only occur when they are publicly available for researches to work on ways to crack them.
That's because, from Google's perspective, you have to read that line: "money injectors, money generating hijackers, system utilities, anti-virus, and major brands."
You can understand how they'd have trouble seeing those first two items as a bad thing.
Personally, I've never understood why people pick sides and root for 500 billion dollar corporation X versus 500 billion dollar corporation Y like they're a sports team. Console vs console or console vs PC wars are equally inane to me. Where's the virtue in being wedded to a single platform? Is being techo-polygamous a bad thing?
Anyhow... considering that this requires installing a malicious app, the chances of most people getting hit with this are pretty low, especially now that app stores know what to look for. These sorts of issues are only a real problem when you can get infected with a drive-by SMS message or something like that.
True, but by the time you need to be building that level of security into the system you're going to need to be a domain expert anyway.
God, I only wish that were true. All the evidence seems to show otherwise, because so many of these IoT companies are making *unbelievable* ham-handed security mistakes. These companies are going through the exact same long, painful security learning curve that OS-makers and library writers went through a decade ago (and not that they're finished either).
Offering "proof" in the guise of a random internet screenshot doesn't say much. I've seen the same sort of thing accusing women of faking death threats against themselves, and it's always just screenshots with no way of validating them as genuine. And I've viewed that "proof" with equal suspicion. Someone could just have easily photoshopped that delete button IN. You can make screenshots say and look however you want them to, as I'm sure you well know.
Again, I don't know the guy, so maybe he did what you said. You think he deserved a lifetime ban from Twitter? That this wasn't politically motivated at all? If Twitter investigated and found evidence of this, then maybe that would explain it. If that's the case, why haven't they explained themselves, as it seems to be a somewhat controversial decision?
"Validate your inputs" is a good start, but doesn't really cover all cases, because you may not simply be parsing data coming from untrusted sources. Say, for example, that you need your IoT hardware device to talk to a user's smartphone. That probably involves a round-trip though the user's router, to a remote server, and then back to the user's phone, and there are many, many mistakes you can make here - probably in the name of "simplicity" or "economy". I'm not sure building potentially vulnerable internet-facing systems is as rare as you think, as more and more software and hardware is going online.
The more you learn about crypto and security, the more you realize it's unbelievably hard to get it right. I'm also skeptical of the notion that "only a few people in the world know how to do x" is any sort of protection. These sorts of exploits tend to get publicized, and once they're known and put into convenient exploit kits, any script-kiddie can deploy them.
Also, that's precisely why you have to rely on well-trusted crypto libraries and vetted standards. For instance, one side-channel attack involves listening to CPU hardware as it takes different branches based on secret key input. Researchers have actually been able to determine secret keys in that manner, with nothing but physical access to a machine's ethernet cable, or listening to a CPU in one VM from another VM. Even though this is still a laboratory-only attack at the moment, well-known crypto libraries still take active steps to mitigate it by ensuring no branching is done based on input data.
Slashdot Mirror
But everyone damn well knows they likely wouldn't have gotten 1.5 million downloads otherwise. This is exactly why intellectual property is actually valuable and is vigorously protected. I have a hard time thinking they'd be so stupid as to think they'd get away with this*. It's got to be about the publicity.
* I could be wrong. People always manage to surprise me on this point.
or disbarred for being a majorly disingenuous douchebag and outright lying.
So, she should be disbarred for being a lawyer?
To clarify, I haven't turned off my ad-blocker on the Slashdot site. Third-party ads are still blocked. I'm talking about the ads Slashdot serves itself, like the Slashdot deal ads. This is actually a method of serving ads I'd like to encourage, and so I don't take any special action to block those ads.
Basically, I agree with everything you said about the dangers of third-party Javascript, especially when used for nothing but serving ads and tracking us.
Safe is not a binary yes or no. It's more of a spectrum.
At one end, we have static HTML with no scripting, and a modern browser with robust content interpreters, hardened over the last two decades. We're not likely to get infected with a jpeg file or random HTML parsing flaws anymore (although it's not impossible more flaws will be found - look at Android's StageFright bugs). Besides, you notice that article was written in 2004, right? If you're using a circa 2004 browser or unpatched OS, it's your own damned fault for whatever happens.
On the other end of the web browsing safety spectrum, you have Flash and random ads that may or may not be served from an unvetted server in Bosnia, that have full access to a very powerful interpreted scripting engine, and with one tiny flaw, can infect your computer. Or, they'll bombard the user with scamware or phishing attacks to trick them into giving them access. It ends up the same either way.
Given that allowing ads or running Flash exposes us to significant risk for no gains, it's a pretty simple choice to make for informed folks. Oh, and I'm not vehemently anti-ad. For instance, I don't mind the ads on Slashdot, and have never turned them off. I figure they're safe enough and hopefully make the site a bit of money.
Well, looks like you're right about this point.
If I'm going to lambast people for appearing to talk out their ass, I can't very well exclude myself, right? Consider me lambasted, and my own snark retracted. Most of the other facts still should stand.
The only reason to scrape all of LinkedIn's public data is to compile and sell it as a database, probably to some shady advertising network that doesn't care where the data comes from. So... I'm not exactly sympathetic to whoever is doing this.
That being said, it doesn't strike me as being illegal either. LinkedIn has every right to try to block mass access, but I agree, it seems like they're on shaky ground, legally speaking (not that I'm a lawyer). Maybe a judge will disagree. We'll have to keep an eye on this one.
Apparently, someone has no idea what the hell "HoloLens" is, yet felt the need to comment with ignorant snark and is even modded "insightful" for it. Nice.
For those that have no idea, HoloLens is augmented reality, not virtual reality. You see the real world through the viewfinder, and computer generated imagery is placed into the real world, and is lock-synced perfectly, so that it fools your brain into believing you're really seeing a "hologram" in real space. I've heard it's an amazing experience, for those that have seen it. And no, augmented reality won't make you sick, because there's no brain-image disconnect. Think of Pokemon Go as the perfect videogame for this technology, imposing "creatures" in the real world, as one example use case. MS is targeting corporate applications first, though. This isn't even a consumer device.
The biggest problem is that to make it portable (unlike most VR that's powered by desktop machines), the screen had to be reduced in size, so that it's sort of like looking through a mail slot. It's definitely not a full field-of-view sort of experience. My expectation is that as processing and battery power improves, you'll eventually have an experience closer to vision-correcting glasses, and eventually a full field of view.
Let's be clear about this. LinkedIn is upset because that collection of professional data is extremely valuable. Microsoft just paid billions of dollars for it, and someone else just grabbed a lot of it for free. While having a static copy of the data isn't valuable as owning the network, there's still a lot of value of it, especially while the data is still reasonably fresh.
In short, individual users have nothing to fear from this, as they've already made all this data public, presumably because they want the world to see it. This is only an issue for MS and Linked-In.
Using whiz-bang features sparingly is, in my opinion, one of the cornerstones of working in C++ and not shooting your own foot off with over-complexity.
It could definitely be an anti-pattern if used incorrectly, but honestly, I've been programming in C++ for about twenty years, and do you know how many times I've seen co-workers abuse operator overloading? Precisely ZERO. Seriously... never seen it. Apparently, I work with people who weren't stupid to flagrantly abuse operator overloading for no good reason, even among those who didn't exactly produce the cleanest or more elegant code.
On the other hand, this is the type of code I typically work with:
Vector3 posDelta = position - lastPosition;
Or this:
Matrix m = m1 * m2;
Overloading operators is best done in an absolutely literal sense. For instance, if you're doing matrix multiplication or subtracting two positions to get a delta value, the intent and what's happening in the code is 100% clear to everyone.
I chuckle sometimes at how C programmers believe that there's some evil overloaded operator lurking behind every multiply or addition. Uh, yeah... you can also obfuscate the crap out of your C programs too (pretty sure I've heard about some sort of contest too *cough*), but you just don't do that.
Cutting the code is pretty easy once someone decides what they really really want. Until they change their mind ....
I think that greatly depends on what sort of work you do.
I work in game development, which is both technically challenging as well as chasing after that elusive "fun factor", changing specs at a designer's or artist's whim. It's actually quite challenging work - squeezing real-time virtual world performance out of commodity hardware. For me, a large part of the challenge is figuring out how robustly to design a system to allow inevitable designer-required changes to occur versus potentially over-engineering that system, costing both time and run-time efficiency - something we have to be very aware of, unlike many programmers.
All too often, when talking with designers, they'll ask for the impossible. I try not to immediately say "we can't do that", or "that's impossible". Instead, I'll tell them "I can't think of a way to do that.", and will think on the problem. Sometimes I succeed, sometimes I fail, but... damn... pure joy when I do actually pull off the "impossible". There's a special delight when the rare opportunity comes to implement something no one's ever tried before, or at least something *you've* never done, and for which there's no how-to anywhere to be found, and you have to puzzle it out yourself and with your teammates. That sort of thing is what I live for as a programmer.
It sounds like this is what the fourth and fifth generation programming languages were supposed to be all about - describing the problem rather than writing specific code to solve it, I think. Or something like that.
And still, people keep writing code in boring old third gen languages that actually solve the problems through hand-crafted algorithms. As it turns out, 4GL and 5GL work pretty well within the problem sets imagined by the designers of those languages, but the real world has to deal with issues that may fall outside those boundaries, or perhaps with performance constrains (memory, speed, etc). Or perhaps you can't hire programmers for more esoteric languages... whatever.
I think perhaps the new 4GL and 5GL are actually reuseable frameworks, rather than new languages.
3) Complex life does survive, but for some reason doesn't communicate or colonize other worlds (a "Prime Directive", or perhaps they "sublime" in the Ian Banks/Culture sense)
Or because no one has found a way around that pesky speed-of-light barrier, and the vast distances simply make inter-species communication, let alone travel, utterly impractical. This has always seemed, at least to me, the least romantic but most pragmatic answer to the question of why we don't meet aliens, or even hear from them.
It's not like they're Bethesda, shipping a game that's 95% done and expecting modders to fix the rest.
Bethesda tends to get a pass because their games (specifically their Elder Scrolls games) are so ridiculously big, complex, and ambitious, that gamers tend to be somewhat forgiving when the inevitable bugs are found - so long as they're not too persistent and/or game-breaking. Hello Games *may* get the same sort of treatment if they respond to these issues promptly, because this is a pretty ambitious game for an indie studio.
I've been developing professional games for quite a while now, and even pros can struggle with optimization issues. There's a bit of a black art to getting games running fast and smoothly, and if there are systemic issues in their code that don't follow good real-time coding practices, it's going to be hard for them to deal with after the fact.
BTW, if you guys at Hello Studios are reading this, get a copy of RAD Game Tools' Telemetry NOW. You should have been using it all through development (it's especially important with your own engine), but better late than never. It's fantastic at finding those real-time hotspots in code.
Oh, also, I'll also be giving them money at some point I'm sure, because I'm an 'explorer archetype' gamer. This is definitely my type of game, no doubt. But I'll probably either wait until it's released on Xbox One or I eventually get a PS4, as I don't have a very good PC gaming rig right now. For some reason, as I get older, I seem to be migrating more towards console gaming.
Disabling the auto-steering feature when the driver's hands aren't on the wheel doesn't sound like a good idea to me.
During the height of the cold war, spies didn't actually kill each other, contrary to Hollywood and myths. Putin is a nasty guy, but I just don't see any motivation for him to start offing people like that.
The big problem with all these conspiracy theories is that it only takes one secretly recorded message, or one witness that remains alive, to blow the whole thing wide open. Unless you believe that *everyone* is in on the conspiracy, of course, which makes a great movie plot, but isn't terribly realistic.
er... "if a specific location can't be specified", I meant to say.
This is a failure of API design then. If the location can't be localized, there should be no specific location returned AT ALL. Or shit like this happens.
I worry far more about the costs of an excessively litigious society than the alleged trauma of a first-world man-child over not seeing specific a few expected scenes in a movie.
I'd really prefer that federal agencies be secure against hackers. If they use open source, hostile countries like Iran and North Korea will be able to look for vulnerabilities in the code and more easily hack into the federal government. The source code should be secret, which will help keep out hostile countries. Security should be the primary goal, and therefore the source must be closed.
All this means is that you don't understand software security. There's no guarantee that open source is free of security issues, of course. But at the very least, it does mean that you're not depending on some "secret" in the code to remain secure, which is NOT any sort of security at all.
The most widely used security algorithms in the world are open specifications and have open source reference implementations, in case you aren't aware. These algorithms and implementations can never be proven secure except by their resistance to determined attacks over time, and this can only occur when they are publicly available for researches to work on ways to crack them.
That's because, from Google's perspective, you have to read that line: "money injectors, money generating hijackers, system utilities, anti-virus, and major brands."
You can understand how they'd have trouble seeing those first two items as a bad thing.
Personally, I've never understood why people pick sides and root for 500 billion dollar corporation X versus 500 billion dollar corporation Y like they're a sports team. Console vs console or console vs PC wars are equally inane to me. Where's the virtue in being wedded to a single platform? Is being techo-polygamous a bad thing?
Anyhow... considering that this requires installing a malicious app, the chances of most people getting hit with this are pretty low, especially now that app stores know what to look for. These sorts of issues are only a real problem when you can get infected with a drive-by SMS message or something like that.
True, but by the time you need to be building that level of security into the system you're going to need to be a domain expert anyway.
God, I only wish that were true. All the evidence seems to show otherwise, because so many of these IoT companies are making *unbelievable* ham-handed security mistakes. These companies are going through the exact same long, painful security learning curve that OS-makers and library writers went through a decade ago (and not that they're finished either).
Offering "proof" in the guise of a random internet screenshot doesn't say much. I've seen the same sort of thing accusing women of faking death threats against themselves, and it's always just screenshots with no way of validating them as genuine. And I've viewed that "proof" with equal suspicion. Someone could just have easily photoshopped that delete button IN. You can make screenshots say and look however you want them to, as I'm sure you well know.
Again, I don't know the guy, so maybe he did what you said. You think he deserved a lifetime ban from Twitter? That this wasn't politically motivated at all? If Twitter investigated and found evidence of this, then maybe that would explain it. If that's the case, why haven't they explained themselves, as it seems to be a somewhat controversial decision?
"Validate your inputs" is a good start, but doesn't really cover all cases, because you may not simply be parsing data coming from untrusted sources. Say, for example, that you need your IoT hardware device to talk to a user's smartphone. That probably involves a round-trip though the user's router, to a remote server, and then back to the user's phone, and there are many, many mistakes you can make here - probably in the name of "simplicity" or "economy". I'm not sure building potentially vulnerable internet-facing systems is as rare as you think, as more and more software and hardware is going online.
The more you learn about crypto and security, the more you realize it's unbelievably hard to get it right. I'm also skeptical of the notion that "only a few people in the world know how to do x" is any sort of protection. These sorts of exploits tend to get publicized, and once they're known and put into convenient exploit kits, any script-kiddie can deploy them.
Also, that's precisely why you have to rely on well-trusted crypto libraries and vetted standards. For instance, one side-channel attack involves listening to CPU hardware as it takes different branches based on secret key input. Researchers have actually been able to determine secret keys in that manner, with nothing but physical access to a machine's ethernet cable, or listening to a CPU in one VM from another VM. Even though this is still a laboratory-only attack at the moment, well-known crypto libraries still take active steps to mitigate it by ensuring no branching is done based on input data.