That thing got four arms. Come on, that is cheating.
Have it compete twice against a wookie...
Also, an exception to that principle could be allowed for trivial tasks that are really quick to implement and where searching for an existing solution might cost more than implementing it yourself, but be really careful applying that exception rule; it is an open door that sometimes leads to trying to reinvent the wheel.
I think you just reinvented the principle of marginal gains in utility of information gathering. It's in every Microeconomics 101 textbook, in the paragraph about asymmetry of information.
And I just reinvented the exploding irony-meter.
It is impossible to prove that your escape sequence for PHP will properly escape any given input for a given field
Do you have a proof of this?
If finite state (or pushdown) transducers are anything like their counterpart automatons, it should be perfectly possible to prove theorems about them.
In particular, it might be possible to prove that a particular transducer always outputs strings which satisfy a certain property (i.e. valid SQL where all characters besides literals are identical for all inputs).
just look at how many tries the developers behind PHP had at escaping a simple query string for MySQL - and still failed - why?
Because they're incompetent. Or because they were drunk. Or because they didn't have a big enough budget. Or [...].
Pointing to previous failures isn't a proof of the failure of all potential future attempts: the failures might have been for the wrong reasons, those not having to do with whether the task is possible.
I think you are confusing arguing correctness and proving correctness.
That doesn't surprise me, given how well you appear to grasp the difference.
And it is still cheaper than cleaning up the costs of exposing your customer's banking information to hackers
Not if you have insurance.
Having programmers imagine every way that their program may be attacked is impossible.
Fortunately, that's typically not required for software security. In a lot of cases, you can prove that for all inputs, the software does the intended thing.
For instance, if you know that the username variable will always be properly escaped, you don't care whether the user is called "bobby" or "bobby tables" (http://xkcd.com/327/).
It takes a lot of discipline, though, to always consider who the origin of a particular piece of data is, to decide (based on that) exactly what amount of trust to place in it, and how to handle semi- or untrusted data.
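As an added example (not code from the original thread), the block below ties together the two points made above: the claim that a simple escaping transducer can be checked to always emit a valid string literal, and the observation that once the username is properly escaped (or, better, bound as a parameter) it makes no difference whether the user is "bobby" or "bobby tables". The escaper implements standard-SQL quoting (quote doubling only); the scanner checks that property for sampled inputs and uses SQLite as a second oracle. The table, column names, sample rows and injection payload are constructed for the demo. One caveat a practitioner should keep in mind: the scanner encodes one grammar. MySQL's default mode also treats backslash as an escape inside literals, and under some multibyte connection character sets the same byte sequence can be tokenized differently, so an escaper shown correct against standard SQL is not shown correct against that dialect. Parameter binding sidesteps the grammar question entirely.

```python
# Added example, not code from the original thread.  Table name, column
# names, sample rows and the injection payload are constructed for the demo.
import random
import sqlite3
import string


def escape_sql_literal(value: str) -> str:
    """Standard-SQL escaping for a single-quoted string literal.

    Inside '...' the only character with syntactic meaning is the quote
    itself, and it is escaped by doubling.  This is a one-state
    transducer: every input character maps to itself, except ' -> ''.
    """
    return "'" + value.replace("'", "''") + "'"


def is_single_literal(sql: str) -> bool:
    """Scan a fragment and report whether it is exactly one string
    literal under standard-SQL quoting (no backslash escapes)."""
    if len(sql) < 2 or sql[0] != "'":
        return False
    i = 1
    while i < len(sql):
        if sql[i] == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                      # doubled quote, still inside
                continue
            return i == len(sql) - 1        # closing quote must be last
        i += 1
    return False                            # unterminated literal


def escaper_always_yields_one_literal(trials: int = 2000, seed: int = 1) -> bool:
    """Property check over random inputs drawn from an alphabet rich in
    quote, backslash, semicolon and comment characters.  Each output is
    checked by the scanner above and by SQLite itself: SELECT <literal>
    must hand back the original string."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + "'\\;-#%_ \n"
    conn = sqlite3.connect(":memory:")
    for _ in range(trials):
        s = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 12)))
        literal = escape_sql_literal(s)
        if not is_single_literal(literal):
            return False
        if conn.execute("SELECT " + literal).fetchone()[0] != s:
            return False
    return True


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bobby",), ("Robert'); DROP TABLE users;--",)])
    return conn


def lookup_unescaped(conn, username: str) -> list:
    """The bug: raw concatenation, so the input can leave the literal."""
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, username: str) -> list:
    """Concatenation through the escaper: the input stays one literal."""
    sql = "SELECT id FROM users WHERE name = " + escape_sql_literal(username)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username: str) -> list:
    """Parameter binding: the value never becomes part of the SQL text."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"       # classic tautology injection
    return {
        "unescaped": lookup_unescaped(conn, payload),            # every row leaks
        "escaped": lookup_escaped(conn, payload),                # no such name
        "parameterized": lookup_parameterized(conn, payload),    # no such name
        "bobby_tables": lookup_parameterized(conn, "Robert'); DROP TABLE users;--"),
    }


if __name__ == "__main__":
    print(demo())
    print("escaper property holds:", escaper_always_yields_one_literal())
```

The sampled property check is not a proof; it is the cheap approximation you run before (or instead of) writing one. The "bobby_tables" entry shows that a real user whose name is an injection payload is found by an ordinary equality lookup once the value is bound rather than spliced.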
Socialism is likely why you grew up poor in material wealth.
No, it's because my parents don't value money as much as certain other things. Most of my (e.g.) classmates grew up with what I consider "material riches typical of the western world".
So we've tried your socialist ideas and they've been a complete failure.
How come the Danish are among the happiest people on the planet?
Danish Socialism can't suck all that badly.
And by your post, you didn't even try out our socialist ideas: you talk about student loans. How about giving everybody free tuition, and welfare handouts to boot?
Possibly because some races are over-represented in the lower economic strata, are unable to afford tertiary educations at top-tier institutions and thus, even though they may be competitively intelligent, aren't able to make the most of it.
Well said. I think this is true too.
That's why I'm happy that here in Soviet Denmark, the government (i.e. the taxpayer base) provides an education to everyone who's able*, for free, and even gives the students money to live off of while studying.
(*) Allocation of students to studies is based on student preferences, their high school grades, and whether they have taken certain subjects at a high enough level in high school (e.g. comp. sci. requires higher level math; medicine might require higher level math and chemistry, etc.)
I come from a family that's poor in material wealth. Despite that, I'm able to make the most of my programming talent and provide more value to society (based on my guesstimated future wages) than if I hadn't been able to afford an education.
(Oh yeah, the couple of times I went to the hospital, I got a really great treatment and it didn't bankrupt my family. How I love the people who gave up a part of their material wealth for the common good. I hope I can repay that debt to their children and grandchildren.)
You should try some of that over there in the states. Think of the higher taxes you'll be paying as an investment in the health and skill of the future labour force; the one who'll be working for your children and your grandchildren. And feel free to think of yourself as a person who is willing to help his fellow countrymen when they're down on their luck.
Does HTML5 protect your video site from hotlinking? I.e., can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?
This is an HTTP issue and a server-side security issue. It is trivial to grep a Flash file for the raw SWF download location most times.
Or you can monitor the HTTP traffic you send to see which URL you're requesting. Or run the Flash in a rigged virtual machine which captures this information.
Whatever server-side test is done to see whether a request comes from someone visiting the server itself or a third party can be fooled; the third party just sends the data that'll make the server say "You're visiting me".
It's an unsolvable problem; any solution is at odds with how the internet works.
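As an added example (not code from the original thread), here is the kind of server-side "are you visiting me?" test the comment has in mind, a Referer check, run over constructed requests so you can see exactly which embeds it stops and which it cannot. Host names, header values and the policy for a request with no Referer at all are assumptions made for the demo.

```python
# Added example, not code from the original thread.  Host names, header
# values and the missing-Referer policy are assumptions for the demo.
from urllib.parse import urlsplit

OUR_HOSTS = frozenset({"videos.example", "www.example"})   # assumed site hosts


def is_hotlink(headers: dict, our_hosts=OUR_HOSTS, allow_missing: bool = True) -> bool:
    """Return True when the check would reject the request as a
    third-party embed.  The verdict rests entirely on Referer, a header
    the requesting side chooses, so it only stops clients that do not
    bother to set it."""
    referer = headers.get("Referer")
    if referer is None:
        # Browsers omit Referer under a no-referrer policy and some
        # privacy tools strip it.  Allowing these keeps direct visits
        # working, but also lets an embedder through simply by putting
        # referrerpolicy="no-referrer" on its own page.
        return not allow_missing
    return urlsplit(referer).hostname not in our_hosts


# Constructed requests for https://videos.example/clip.mp4.
REQUESTS = {
    # visitor watching on our own page
    "legit": {"Host": "videos.example", "Referer": "https://www.example/watch?v=42"},
    # third-party page embedding the file; the browser reports the real page
    "naive_embed": {"Host": "videos.example", "Referer": "https://freeloader.example/embed"},
    # embedder's page sets referrerpolicy="no-referrer"; the browser sends none
    "no_referer_embed": {"Host": "videos.example"},
    # embedder proxies the file through its own server and forges the header
    "forged_embed": {"Host": "videos.example", "Referer": "https://www.example/watch?v=42"},
}


def classify(allow_missing: bool = True) -> dict:
    """Map each constructed request to the check's verdict (True = blocked)."""
    return {name: is_hotlink(h, allow_missing=allow_missing) for name, h in REQUESTS.items()}


if __name__ == "__main__":
    for policy in (True, False):
        print("allow_missing =", policy, classify(policy))
```

Under the lenient policy the check stops only the embedder who never looked at it; tightening it to reject requests without a Referer closes the no-referrer hole at the cost of breaking direct visits from clients that strip the header, and the forged request passes either way, which is the comment's point.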
No extra credit will be awarded for guessing what technology allows us to know what he said on the subject...
Well, once, while reading a book, I stumbled upon a song titled "The Printing Press is for porn", and Plato wasn't into that.
Could it have Project Gutenberg? ;-)
So he chose to release his findings in the exact form of what was 'overloading people with information'? A printed book?
Boy I'd like to design that back cover:
I think this fits well with your signature:
Surgeon General's Warning: Reading this [book] may cause death
(s/[book]/signature/ for the signature as it really was at the time of my posting)
Their business is telephones, not software.
Let's look at AT&T's revenue: http://www.wikinvest.com/stock/AT&T_(T)/Data/Revenue_Breakdown
You'll find a lot of telecommunication services, but nothing to do with selling telephones.
Aren't the telecommunication service providers in the business of (duh) providing a telecommunication service? The phones are just a marketing gimmick they give you so you'll lock yourself into a highly overpriced subscription for two years (in the US, at least; in Denmark it's six months, and you can get really cheap subscriptions if you bring your own phone: 4 cents/sms, 13 cents/minute, 50 free sms and minutes per month).
The principle being that we don't have infinite resources, so you have to be able to justify their allocation. In capitalism, this is done on the free market. Socialism advocates political allocation.
It is up to the reader to do some research and decide which is generally more efficient.
I encourage the reader who takes up that challenge to also research which is specifically more efficient.
In a particular mathematical model, free markets solve an optimization problem. They also seem to work well in practice in many situations.
However, they work less well the more barriers to entry and exit there are in a given market. Having to build a large amount of infrastructure (factories, cell towers) in order to start producing is a barrier to entry. Having to fight a monopolist or cartel is a barrier to entry. Network effects (where present) mean the free market will converge towards a monopoly or cartel situation.
Particularly for cell phone communication, there's the infrastructure problem, network effects, plus you need some radio frequency spectrum allocation mechanism. It looks like it's a good case for allocation through public policy.
Of course, feel free to compare the US against Canada and your favourite European countries if you feel empirical today; but you may also want to control for corru^Wlobbying influence (if able).
I think you forgot to mark the (TM). ;-)
Oh crap, they'll sue the living daylights out of me now :D
I think the small part of my brain that handles irony just segfaulted
If you're at a cocktail party and need to take a core dump, it is considered good manners to excuse yourself, explain where you are going but not in any great detail what you are doing there, and then taking said core dump in private.
In other words:

    printf("Sorry, I'll have to go to the bathroom\n");
    while (not at_bathroom()) move_to_bathroom();
    mutex_lock(bathroom_door);   // TODO: skip the wait queue?
    char *p = 0; *p = 0;         // FEATURE: dumps core
    mutex_unlock(bathroom_door); // BUG: never reached
    return;
This is precisely the kind of argument you become susceptible to if you think that an attribute of software (security) is more important than your freedom.
I'm a person with an @gnu.org email address, and I approve of this message! ;-)
I will go out and say that the quality aspects of software are important too.
But freedom helps that along. You're more secure against Linux Genuine Advantage, because free software doesn't have activation shenanigans going on (although I do have a perl script I'd like to give you if you like). If enough people want a feature that goes against corporate gatekeepers' interests, someone who's able to code it up might go do it. Hopefully (and likely?) the many eyeballs are a bigger benefit than they're a detriment; it does take time to weed out the amateurish---which is different from amateur---patches and bug reports, though.
And in our current software landscape where the dominant free OS is unix-like, the hackers (and power users) enjoy a different kind of freedom too: they're more free to tweak their computer so it performs the way they like it to. As I recall, when I was using proprietary (non-unix-like) OSes I couldn't as easily automate things and write small nifty shell scripts to help me make my computers run just right. I think this is a valuable (but different) form of empowerment that may be useful to illustrate to people the free software ideas: "now imagine that the software didn't have the knob you wanted to twist; why, you could add that yourself, or if enough people want it they might. [etc.]"
But to recap my first point: even if free software isn't automagically more secure and less crash-prone, we can make it so, and due to its nature it is secure from some of the annoyances seen in proprietary software. That alone is a big win; and I hear here on slashdot that the headaches had and salaries spent when ensuring license compliance make free software a good value proposition from the get-go.
FireGPG and others make encrypting webmail easy, and PGP/GPG and SMIME have been integrated into most mail clients for years.
Does FireGPG make it easy to create a public key for my non-technical, non-paranoid friend? Does it make it easy for me to set up his mail client to automatically decrypt mail?
Because he is not going to do that. And without him doing that, there is no decryption. And without decryption it's a waste of my time to encrypt.
Have we entered a new era where plagiarism is not just tolerated, but seen as normal?
It was the best of times, it was the worst of times;
It was a dark and stormy night.
Burma Shave
This system is my voice and my window to the world
My first gut reaction says I'd want to have a redundant one, so that if one gets hosed I can use the other to call out to the world and ask for help.
There is no Linux availability at all (oh how I wish).
Can you control Linux running in a virtual machine? Is the IR eye tracking like a separate input device (but how would the applications know to handle it?), or is there some software translating your eye movements into mouse motion and key presses? If so, maybe you can drive a VM with it, or use Synergy (software keyboard/video/mouse switch) to "leap" over to a Linux machine with it?
I must admit I don't think I can imagine very well what your situation is like. So maybe my ideas are all useless. In that case, I hope you can see past that and realise I'm doing this not just in a vain attempt at having my knowledge be useful and me being "the hero who saves the day" (although I must admit to that playing a role), but also because I genuinely hope you get more value out of your time.
you're Boss
Meet the new boss, same as the old boss.
Windown
You just had to sneak it in there, didn't you? ;-)
Ah well. I take it you use Dvorak (the s/n typo suggests it); good on you.
For the rest of you: you all know the value of good tools; that's why you use emacs/vim/vs/$EDITOR and linux/bsd/osx/emacs/$OS. Apply the same high standards to anything that touches your hands, and to the arrangement of letters on your keyboard---your hands will love you for it.
if you haven't seen the 7-part, 1+-hour-long review of the Phantom Menace on youtube, go now and find it
As a public service, here's the link: http://www.youtube.com/watch?v=FxKtZmQgxrI&feature=PlayList&p=1C22FB1EC9D3C45E&index=0&playnext=1
I can recommend it. You'll find the reviewer has more character than you can find in TPM, more comic relief than Jar-Jar, and tells a side-story with a more coherent plot than any of the prequels.
Plus, he has some well-articulated and well-argued criticisms of the film.
(Now someone needs to review my meta-review, just for the recursive fun)
When I turn 18, I am inheriting over two million dollars and will be more than happy to pay as many lawyers as it takes. [...] Moral of the story
Moral of the story: justice for the rich.
Now, don't get me wrong. I think it's great you won your victory there. A three-digit settlement (in dollars) isn't a huge deal financially; I'd be angry to pay it but I'd be able to manage it (heck, I just bought a new phone for high three digits even though my current one works just fine), and I'd have been able to afford it even when I was on state welfare for students (in socialist Denmark, the government pays you to study...). Symmetrically, I'd be happy to receive a three-digit settlement---zomfg free monies!!
And I'm not speaking out of envy for that large wad of dough. Sure, I'd love to have two million dollars, but I think I'd just be putting them in a savings account just like I am doing with my money now.
It's just striking to me that you backed up your threat of litigation with "I have a large amount of money" rather than "I have a very strong case". That speaks volumes.
Money paid to a foreign company is money lost for your country, while money paid to local developers stays and works.
And what is the foreign country going to do with your numbered paper slips?
If the money never comes back to your country, you have gotten the thing you bought in exchange for a slip of paper. Paper's pretty cheap, software isn't. Just print some new money and move on.
If it does come back, well, then it'll create some jobs and do all the other good things locally when it comes back, right?
But know this: having a good economy isn't about creating jobs. It's about people doing something worthwhile with their time and the resources available.
Here's a silly example: I can create any number of jobs. Have half the unemployed dig ditches and the other half fill the ditches back up again. There you go, job machine. And the taxpayers' money you gave them for doing it stays local, and you're supporting local construction industry and contributing to your own GDP. How about if everybody did that?! That'd be... in fact, that'd be a disaster. That'd make the community (county, state, country) dependent on donations from the outside, because no one's making food, houses, clothes, cars or anything else that the people want.
they actually funded real Unix CS.
Don't get me wrong, I love unix (despite its warts, and it has its shares), *deep breath* but...
Computer Science isn't about any particular OS. CS is about algorithms, not java.util.Collection.sort. It's about relational algebra, not MySQL. It's about automata theory, not grep or sed. It's about context-free grammars, type checking, name ambiguity resolution, Rice's theorem and all the other goodies that go into compilers, not about gcc.
Yes, a lot of people study a science because they wanted to learn a craft. A lot of them are better craftsmen for doing so, I'd guess---I know I am. But the study is about the theoretical underpinnings of the craft, not about perfecting the craft itself.
(Unless of course you talk, if you will, about the craft of science; then you're really an apprentice studying at the science master's workplace)
cost(assessing) > cost(software) where cost(assessing) > 0 and cost(software) = 0
What they really should look at is whether cost(assessing open source) + cost(switching to open source) + cost(using open source per year)*(number of years) < cost(using proprietary software per year)*(number of years), and for which values of (number of years)