Slashdot Mirror


User: Jahava

Jahava's activity in the archive.

Stories: 0
Comments: 270

Comments · 270

  1. Re:How many people will this actually affect? on Soundminder Android Trojan Hears Credit Cards · · Score: 2

    Do people actually still give credit card numbers over the phone? I can't think of one time in the last 8 years that I've had a credit card that I've ever given it out over the phone. And not out of fear, either. The situation has just never come up.

    I suspect they're talking about strings of touch-tone numbers that are dialed during a phone call. If the string is long enough, an application can infer that it's a credit card number.

    This happens all the time with over-the-phone payment systems. True, many of these systems are being supplanted by online payment methods, but many niche services (debt collection, carry-out order, etc.) still use smaller automated phone-based systems.
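The inference described in the comment above (a long enough run of touch-tone digits is probably a card number) can be made concrete. The following is an added example, not code from the post or from the trojan it discusses; it assumes the DTMF tones have already been decoded into a string of key presses, and it uses digit-run length plus the Luhn check digit as the filter. The IVR key sequence is constructed, using a well-known Visa test number.

```python
from __future__ import annotations

import re

# Payment card primary account numbers are 13 to 19 digits long.
MIN_LEN, MAX_LEN = 13, 19


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers.

    Walk the digits from the right; double every second one (starting with
    the digit left of the check digit) and fold two-digit results back to one.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidate_pans(keypresses: str) -> list[str]:
    """Return substrings of a decoded DTMF key sequence that look like card numbers.

    keypresses: the decoded touch-tone keys, e.g. "1#4111111111111111#0126#".
    '*' and '#' terminate an entry and so act as separators. Within a run of
    digits a sliding window is used, because callers often type a menu digit
    immediately before the card number without a separator.
    """
    found = []
    for run in re.findall(r"[0-9]+", keypresses):
        i = 0
        while i < len(run):
            match = None
            # Longest window first, so a 16-digit PAN is not reported as a
            # shorter suffix that happens to pass Luhn as well.
            for length in range(MAX_LEN, MIN_LEN - 1, -1):
                window = run[i:i + length]
                if len(window) == length and luhn_valid(window):
                    match = window
                    break
            if match:
                found.append(match)
                i += len(match)   # do not re-report overlapping windows
            else:
                i += 1
    return found


if __name__ == "__main__":
    # Constructed IVR flow: menu option, card number, expiry, CVV, each ended with '#'.
    print(candidate_pans("1#4111111111111111#0126#123#"))
    # Same card typed right after the menu digit with no separator.
    print(candidate_pans("14111111111111111"))
    # A US phone number is too short to be mistaken for a card.
    print(candidate_pans("18005551234"))
```

The Luhn check is a filter, not proof: roughly one in ten random 13 to 19 digit strings passes it, so a real implementation would also look at the surrounding call context (an expiry and a short CVV-length entry following the long run, as in the first sample) before treating the run as a card number.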

  2. Re:So what were the mistakes...? on Stuxnet Authors Made Key Errors · · Score: 1

    http://rdist.root.org/2011/01/17/stuxnet-is-embarrassing-not-amazing/

    Sorry for the delay; just wanted to say "thank you" :)

  3. So what were the mistakes...? on Stuxnet Authors Made Key Errors · · Score: 4, Interesting

    Is there a good source for a technically in-depth list of the mistakes, rather than the vague "ignored several known techniques" summary crap the article discusses?

  4. Re:Chrome+Firefox on Google To Drop Support For H.264 In Chrome · · Score: 1

    Google is obviously betting that WebM in Chrome and Firefox can carry enough weight to compete against H.264 in MSIE, Opera, and Safari.

    Google, obviously, has enough web-surfing based data to factor into this judgement call. Whether or not Google is right on this call, one thing is certain: Google wouldn't do this unless they were fairly confident in WebM's chances against the looming patent trolls.

    This, I think, is the noteworthy aspect of this bit of news. A patent troll going after WebM will now have to expect to have to deal with Google's well-funded lawyers.

    It also helps that Google runs one of the (if not the) largest video streaming site. They control a sizable portion of the consuming application, as well as the majority of the supply.

  5. National ID Please! on Obama Eyeing Internet ID For Americans · · Score: 4, Interesting

    So when can I get a cryptographically secure national ID card with multi-factor authentication? I'm as much a fan of the government tracking and cataloging me as the next guy, but this isn't exactly a slippery slope; we already have national IDs in the form of social security numbers and driver's licenses: Government-issued numbers required for identification and backed by a central database.

    It's just that the current system is about as poorly-implemented as it can be (and justifiably so, since it was never meant to be used like it is). Not only are SSNs weak, predictable, and easily-forged; there is no way to protect or limit their usage by authorized or unauthorized parties. There is also no way to protect how those parties store and safeguard them.

    So while I hate the idea of our government issuing IDs, it's too late to really change that. But please, for the good of every citizen, do it right.

  6. Patenting Fans? on Microsoft Lays Claim To Patent On 'Fans' · · Score: 2

    Patenting fans? Not cool, Microsoft... not cool.

  7. Monopoly Investigations...? on Intel Insider DRM Risks Monopoly Investigations · · Score: 1

    So if I am the only company that offers a service, I risk a monopoly investigation? Intel isn't trying to squash competition, nor are they trying to obtain market exclusivity. They have included a feature that they think will be appealing to people / industry. Nothing's stopping AMD or any other manufacturer from introducing a similar feature (save, perhaps, patents?).

    Now, granted, a stream destined for an Intel Insider system will not work on an AMD equivalent, but there's nothing in there to preclude the same source from providing an identical stream targeting the AMD equivalent as well. It's only when content providers refuse to provide such a stream, or when Intel attempts to prevent AMD from offering such a service, that monopolistic behavior comes into play.

  8. Re:A patent consortium on Groklaw — Don't Go Home, Go Big · · Score: 2

    No, seriously. Groklaw should become a patent consortium run by open source software folks. It should use its resources to fund patent applications by open source projects and should hold those patents collectively so that they can be used defensively if any of the member projects are attacked by software patents.

    There are a lot of important questions that would have to be answered in order for this idea to actually work. Off the top of my head:

    • Who will fund this? It costs money to review and file patents, maintain and defend a portfolio, and actually litigate.
    • Who gets protected? Patent lawsuits occur against companies as a whole, not specific projects. To what degree of open-source friendliness / compliance does an entity have to operate in order to not be on the receiving side of this?
    • Who will manage it? Obviously, some coalition of trustworthy individuals is needed both to ensure internal integrity as well as to entice developers to sign over their intellectual property.
    • What's to stop unfriendly companies from sneaking into the coalition? Because this is exactly what I'd try to do if this project ever gained momentum.
    • What would provoke such a consortium into attacking an entity? Seems like defensively, any company that patent-trolls, especially against open-source, is a candidate, but there's the question of whether or not to be proactive, and how proactive to be.
    • Would licenses to use the patents be GPL-style or BSD-style? Specifically, would these patents be granted to the public domain, or would some form of patent compliance on behalf of an organization be required to license them?

    Personally, I think a diverse group of people from (but not limited to) the EFF and Groklaw would make great board members. There would have to be a soliciting arm that identifies potential patentable material in a given open-source project and raises the possibility of patenting it to the developer(s) of that project. There would also have to be a very powerful license backing them, else nobody would trust them. Conditions on governing the board of trustees and options to prevent its corruption would be critical.

    All in all this would be an excellent idea. Protect open-source and independent development and provide some teeth to the open-source side of the craziness that is patent law. As it gains power and grows large enough to stand next to major corporations, the consortium could get proactive and start making a case for serious patent reform or the abolishment of software patents altogether.

  9. Re:Okay, here's a question ... on New IE Zero Day · · Score: 2

    Microsoft got themselves into this biased market mess by aggressively pushing IE and locking out other browsers,

    Wha? Since when did Microsoft "lock out" other browsers?

    Sorry for the ambiguity; I was referring to locking them out of the browser market via aggressive pushing, default installation in the most popular operating system, IE-only web sites due to standards deviations, inseparable integration with the host operating system, and use of (at the time) Microsoft-only APIs for optimizations, plug-ins, and media capabilities. People always have had a choice, but Microsoft used every bit of their considerable influence and position to make that choice for them, causing an effective "lock out".

    I didn't use the term appropriately, and I would retract it if I could; s/locking out/thoroughly defeating/g. My point was that by becoming the dominant product in the market and accepting that role, Microsoft also inherited the responsibility for operating as a major player in securing that market, and they have grossly failed in this role.

  10. Re:It's not even zero day. on New IE Zero Day · · Score: 2

    I thought that zero day means that somebody uses it in an attack and it appears that it hasn't been known before the said attack. Public disclosure automatically disqualifies it as zero-day.

    Zero-day generally indicates that the attack is in-use (by bad guys) at the time that it becomes known by the vendor and/or the public (e.g., zero days for anyone to take steps to mitigate the damage). This is as opposed to a vulnerability that is only known to the public after it has been addressed by the software maintainer. "Zero-day" can also mean an attack that is still viable at the time of disclosure, though there is less significance in the specific choice of term.

  11. Re:Okay, here's a question ... on New IE Zero Day · · Score: 4, Insightful

    And this is noteworthy why? How many Slashdotters use Internet Explorer for anything other than the occasional WindowsUpdate in XP? This may be News for Nerds, but it hardly matters. Everyone here knows very well that Internet Explorer is too dangerous for general Web use. That Microsoft is suffering yet another security failure doesn't really elicit much interest from me, I must say.

    Firstly, a serious security vulnerability in a popular (for whatever reason) software tool is always noteworthy, if just for the fact that it's interesting. Secondly, the overall state of IE is large enough to affect everyone in some way or another. And finally, numerous people here administer systems or have friends and family that may run or require Internet Explorer, and such a bulletin could certainly prove useful to them to prevent this attack from damaging those they (are paid to) care about.

    It irks me that there are better options than Explorer readily available, but so many people just don't care enough about their own security and privacy to avail themselves of those options. It's not like paying through the nose for an anti-virus product: these things are free to use! I feel less and less sorry for Explorer users every day, having heard all the excuses ("it doesn't look like Explorer, my favorite free-malware-site doesn't like it, it's too hard to install, I'm too stupid to use a computer, and so on ad infinitum.) It's not as if the likes of Firefox, Chrome and Opera are hard to find, or aren't in the public's eye nowadays. Hell, a few months ago a major U.S. bank issued a warning recommending that its customers eschew Explorer in favor of anything else and further recommended that any online banking be done in anything but Windows (preferably Linux/Unix.) Of course, the month after that they made another public statement to the effect that they would only support Internet Explorer (note: they didn't follow through on that threat. I got the distinct impression that it was a "left hand doesn't know what the right hand is doing" situation.)

    I've met smart people who think that Internet Explorer is the Internet. They don't know or care what a browser is. Technology, Internet included, is just another tool, and it needs to work correctly. To tell someone like this to get another browser is not feasible; without a long explanation, they will never like the idea of switching from something that is (or appears to be) working to something different.

    Approaching someone and taking the time to explain the situation and answer their questions is the only way to make a transition sit comfortably with them. Unfortunately, people "in-the-know" don't have the time or desire to address the remaining population. The best effort I've seen to address the non-technical public is Google's "get a faster browser" button on their home page, and even then I've heard those who say "well, mine is fast enough". Someone has to explain things and answer their questions.

    I've encountered a pretty popular attitude that viruses only exist on shady websites (e.g., gambling, and porn) and that caring about or addressing security is not only unnecessary, but also an admission of one's intention to visit such sites. Once again, the only way to break past this is to take the time to sit down, explain things, and answer questions.

    Short of proselytizing nerd squads going door-to-door, there's not much that can be done. Microsoft got themselves into this biased market mess by aggressively pushing IE and locking out other browsers, and they are wholly responsible for keeping their shit together. Maybe someone should sue them for damages.

    Also, keep in mind that serious flaws have been found in Firefox, Safari, and Chrome. IE, like Windows, is targeted more heavily than other browsers due to its market share. If IE is ditched en masse, I would bet money on the number of flaws in other browsers growing significantly higher. This doesn't absolve Microsoft (see previous paragraph), but it does suggest that the problem is larger than IE and attitude.

  12. Re:Is it really so outrageous? on Obama FCC Caves On Net Neutrality · · Score: 2

    I know it's a crazy thing to say around here, but owners of the telecommunication companies are just as deserving of having their needs served by government as the consumers of telecommunications services.

    Why would this be the case? It's a government of the people, for the people. The needs of the people ought to be the first and only priority of the government. The needs of corporations should be met only because doing so meets the greater needs of the people. If the telecommunication companies want to have their needs met, they ought to align those needs with the greater public good, and I have yet to see compelling evidence that they are trying to do this. Instead, I see evidence of physical infrastructure monopolies, government subsidies, anti-competitive behaviors, poor bandwidth and service (relative to other major nations), spotty coverage, and absurdly-high fixed prices. How does any of this warrant my government's support?

    The larger players in the telecommunications industry exist to create de facto monopolies and leverage those to milk the consumer market. This is evident in all major carrier policies and quality of service. There is no free market here, so consumers have no weight and voice. My government should not be supporting these corporations.

  13. Cryptography, eh? on The Clock Is Ticking On Encryption · · Score: 3, Insightful

    Quantum computing could break known asymmetric cyphers, not symmetric. I'm not aware of any quantum solution to breaking any modern popular symmetric algorithms.

    1. If the 27-character password that they used protected an asymmetric key, then the FBI had to break into their house to recover more than the 216-bit password ... they had to recover the password and the encrypted key that it protected.
    2. If, on the other hand, the 27-character password generated a symmetric key, then the entire discussion of quantum computing is irrelevant.

    Also worth mentioning is that there's really no way the FBI could have known exactly what they'd find. They broke into a home and recovered lots of information, one piece of which proved useful to decrypting messages. If they hadn't found that, who knows what they would have done? Point is don't lower your guard yet - this isn't proof that encryption is rock solid so much as evidence in that direction.

    In the end, let's assume unbreakable encryption is readily available. The weakness is in the human factor, since (ultimately) humans have to, at some point, interact with that encryption for it to contain useful information. Looking at the direction England and other countries are going, a government's solution isn't to invest in supercomputers to attack the cryptography; it's to create a set of laws criminalizing a failure to decrypt. Such a failure would be penalized by as much (or more, given the absurd magnitude of criminal damages associated with most modern electronic-targeting laws) as the charges against you for which the cyphertext is relevant. Your information could be protected until the end of the universe while your corpse rots away for some form of electronic obstruction of justice.

    There is a pervasive attitude of "If you have done nothing wrong, you have nothing to hide" that seems to be driving a lot of the thrust behind modern laws and solutions. A jury could be (and has been) biased against you just for possession of encrypted material. Why would a legitimate person need to encrypt their documents? Why wouldn't they decrypt them for authorities? "Because they're mine, not yours, and not the government's" isn't something a lot of people sympathize with. I suppose the point I'm trying to make is, while progress on the cryptographic front to stay ahead of authorities (and "bad guys", and the intersection of the two) is critical, it's also critical to enforce a right to innocently encrypt data in the first place.

    But sorry to be predominantly negative - overall, a great article that exposes the world of cryptography (and its importance) in terms a layman could understand.

  14. Re:Media Doesn't Get It on Designer Arrested Over Anonymous Press Release · · Score: 2

    Slashdotters,

    Anonymous is not a secret hacker organization. It is the literal definition of the word. It is not a proper noun. It is just individuals acting without large-scale coordination, all pissed off for their own reasons, acting in semi-cohesion, and participating in groupthink. It is people either trolling for lulz, or lulzing for lulzing.

    People downloading music are like anonymous. There is not a collective group organizing the individual downloaders. They just do it. The people "at the other end of the stick" view it as us against "them", and to have a proper OMGSCANDAL, you need a perpetrator, so they made one. And if they didn't cognitively make one for the purposes of degrading freedom on the internet, then it's more lulz for us and more idiot points for you.

    I'm not so sure of this. Long-term members or not, the term "Anonymous" is being used by the media to refer to the collective group of individuals who (anonymously) participate, at any given point in time, in attacks claimed under the pseudonym. To claim that "Anonymous" is not an organization is disingenuous. They have a website, a common cause, and some degree of leadership involved in coordination. Just because leadership, members, and activities are impromptu and decentralized doesn't mean that the tag is invalid. It refers to exactly what it should refer to: the coordinated goals, members, and efforts, however temporal, of people who rally under that banner. And hey, if it's informal, it's as good a name as any.

    People on the other end don't just view it as "them". They, including news agencies, generally know exactly what "Anonymous" refers to. If someone posts a sign in the dead of night calling for a rally, the collective group of people who join the rally, despite a lack of formal affiliation and leadership, can rightfully be referred to as "those guys who rallied" or "the rallyers". In this case, rather than "the Wikileaks DDoSers", participants have chosen anonymity and the pseudonym "Anonymous" as an identity, and the press is well within its rights to follow suit. Furthermore, just like any organization, there is leadership, however informal. Someone makes the software, someone rallies participation, someone fans the flames of anger, someone chooses the target, and someone keeps the weapon honed and pointed in a meaningful direction. Just because these individuals are not defined, known, or consistent doesn't make them any less real. Those operating as "anonymous" are a full-fledged structured organization at any given point in time.

    There are differing levels of legal culpability. I feel sorry for those who don't understand that their willing participation in the DDoS is being logged and likely will be used against them. DDoS, by its very nature, is not something that can be anonymous. If you filter it through a proxy or anonymizing network, your offensive capability is constrained by that of the network. To be effective against any serious target, the DDoS must be direct, which means that your anonymity is completely forfeit (these obvious facts pointed out very vividly in a previous Slashdot article). The packets are traceable, there are permanent records, and you will be prosecuted. This isn't a revolution of the people, where, ultimately, citizens can rely on the fact that one's government cannot (generally) kill or arrest a majority and remain functional. There is no implicit safety, and there are no hard limits to prosecution. You're vandalizing a sign by writing your name and address on it.
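The last paragraph of the comment above rests on the fact that a direct flood leaves the participant's own address in the target's logs. The following is an added example, not from the post, of what the target side does with those logs: it parses web server lines in the common "combined" format, counts requests per client address in a sliding time window, and lists the addresses whose peak rate exceeds a threshold. The log lines are constructed (RFC 5737 documentation addresses), and the format assumed is the Apache/nginx combined format.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, datetime, request, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def flood_sources(lines, window_seconds: int = 60, threshold: int = 100) -> dict[str, int]:
    """Map each client address whose request rate reached `threshold` requests
    within any `window_seconds` span to its peak count in such a window."""
    per_ip: dict[str, list[float]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip unparseable lines rather than abort
        ip, ts, _, _ = parsed
        per_ip[ip].append(ts.timestamp())

    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        peak = start = 0
        # Two-pointer sliding window over sorted timestamps.
        for end in range(len(times)):
            while times[end] - times[start] >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def make_line(ip: str, second: int, path: str = "/", ua: str = "Mozilla/5.0") -> str:
    """Constructed combined-format log line at 20:15:<second> UTC on a fixed day."""
    return (f'{ip} - - [09/Dec/2010:20:15:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 1024 "-" "{ua}"')


# Constructed sample: two sources hammering the front page, one normal visitor.
SAMPLE_LOG = (
    [make_line("203.0.113.7", s) for s in range(0, 40, 2)]            # 20 hits over 40 s
    + [make_line("198.51.100.20", s, "/index.html") for s in (3, 31)]  # 2 hits
    + [make_line("203.0.113.99", s) for s in range(5, 25)]            # 20 hits over 20 s
)

if __name__ == "__main__":
    # Thresholds are deliberately low for the small sample.
    print(flood_sources(SAMPLE_LOG, window_seconds=60, threshold=10))
    print(flood_sources(SAMPLE_LOG, window_seconds=10, threshold=10))
```

Narrowing the window separates a sustained flood from an ordinary busy client: with a 60-second window both flooding addresses stand out, with a 10-second window only the denser one does. Real operators would feed the same aggregation from the network edge (flow records, firewall logs) rather than only from the web server, but the addresses recorded are the same ones the comment is talking about.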

  15. Re:s/Save Lives/Save our soldiers' lives on High-Tech War Games Help Save Lives · · Score: 3, Insightful

    ...by making it easier for them to end their enemies' lives. You haven't saved any net lives, just switched which side lost the lives.

    Wow, you're deep *rolls eyes*. But wait, maybe killing more enemies ends up saving more lives in the long run? Or maybe one of the saved soldiers goes home and ends up being the next Norman Borlaug and saves millions (and counting)? How do we know this isn't the single most important life-saving technology ever invented, in some "butterfly effect" fashion?

    Or you could just silence your snarky pseudo-intellectualism and enjoy the damned article.

  16. Re:Version Numbers on Researchers Tracking Emerging 'Darkness' Botnet · · Score: 1

    My botnet's version is over 9000!

  17. This is absurd. on A Nude Awakening — the TSA and Privacy · · Score: 1, Insightful

    You make a pretty stupid point ... poorly. The two have nothing relevant in common.

    I'm sure the same people calling for Assange to be hanged are the same people that also say "if you've got nothing to hide..." about going through an airport scanner. They want to have that nice cozy feeling that the nanny state is protecting *them*.

    So, they don't want to hear about Wikileaks, and they want to be seen naked at the airport *if* they think that'll make them sleep soundly at night.

    This is pure speculation. There's no necessary relationship between those who feel individuals who knowingly receive and publish state information should be prosecuted and those who are willing to trade their inalienable rights for an unproven state-mandated security theater... aside from a possible "moran" overlap. Imagining a strong correlation between the two just marks you as someone just as clueless and judgmental as your hypothetical masses.

    So Wikileaks and Airport scanners. Two great tastes that taste great together! Too bad the government doesn't get the irony of being so upset about Assange while they strip away our rights. Too bad the media doesn't get it either. These two events are happening at the same time and both are about an expectation of privacy.

    Maybe if the government got rid of the scanners, Wikileaks would calm down.

    State-protected secrets have nothing to do with a US citizen's inalienable rights. Associating the two actually trivializes the latter. A citizen's rights are an entirely different class of untouchable entity; the US should put everything on the line, including its secrets, to protect those rights. Its failure to do so in some cases (DUI, TSA, etc.) is worthy of a substantial amount of criticism.

    Your tone of "hypocritical American pundits getting their just deserts" is another pathetic symptom of the disdain, disrespect, and political infighting that compromised our rights in the first place.

  18. Re:Wrong direction on Microsoft Builds JavaScript Malware Detection Tool · · Score: 3, Interesting

    Hear Hear. Rather than fixing the flaws in their browser, MS has chosen to add even more code that blocks the code that exploits those flaws. Talk about wallpapering over the sledgehammer holes in their drywall - and blaming the paper-er for their flaws - not the hammer-er - in the process.

    Have you ever heard of defense in depth? Microsoft will (likely) continue to fix bugs in their browser, just like everyone else, and will hopefully learn from their mistakes and improve their process for doing so. However, you cannot patch a bug you don't know about. Having something intelligent enough to block un-patched exploits until the bug is fixed seems worthwhile.

    Then again, if this tool is ever distributed to users, malware authors will just revise their code until the tool can't detect it. This tool, if ever distributed, will just make malware authors' life harder (which I'm fine with). Microsoft's idea seems poorly-thought-out, but so is your comment.
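Both halves of the comment above (a detector blocks today's exploit code; authors then rewrite until it doesn't) can be shown with a toy scanner. This is an added example and says nothing about how Microsoft's tool works, which the page does not describe. It applies one signature rule and two heuristic rules to four constructed JavaScript snippets: an obvious `eval(unescape(...))` loader, a first rewrite that dodges the signature but not the heuristics, a second rewrite that dodges both, and a benign script. Every payload decodes to nothing more than `alert(1)`.

```python
from __future__ import annotations

import re

# Constructed samples. Each malicious-looking one only evaluates alert(1).
OBVIOUS = 'eval(unescape("%61%6c%65%72%74%28%31%29"));'
EVASIVE = 'var e = window["ev" + "al"]; e(unescape("%61%6c%65%72%74%28%31%29"));'
REVISED = ('var k = "ev"; k += "al"; '
           'var s = String.fromCharCode(97,108,101,114,116,40,49,41); '
           'window[k](s);')
BENIGN = 'function add(a, b) { return a + b; }\nconsole.log(add(2, 3));'

# Rule set 1: exact signatures for the classic loader shapes.
SIGNATURES = {
    "eval(unescape(...))": re.compile(r"\beval\s*\(\s*unescape\s*\("),
    "document.write(unescape(...))": re.compile(r"document\.write\s*\(\s*unescape\s*\("),
}

# Rule set 2: structural heuristics that survive simple renaming.
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")
COMPUTED_CONCAT_RE = re.compile(r'\[\s*"[^"]*"\s*\+')   # obj["ev" + "al"]


def signature_hits(js: str) -> list[str]:
    """Names of signature rules that match the script."""
    return [name for name, pat in SIGNATURES.items() if pat.search(js)]


def escape_density(js: str) -> float:
    """Fraction of the script text made up of %XX, \\xNN or \\uNNNN escapes."""
    if not js:
        return 0.0
    return sum(len(m) for m in ESCAPE_RE.findall(js)) / len(js)


def heuristic_reasons(js: str, density_threshold: float = 0.2) -> list[str]:
    """Heuristic indicators of obfuscation present in the script."""
    reasons = []
    if escape_density(js) >= density_threshold:
        reasons.append("high escape density")
    if COMPUTED_CONCAT_RE.search(js):
        reasons.append("computed member access built by string concatenation")
    return reasons


def classify(js: str) -> str:
    """'signature' if a signature fires, else 'heuristic' if any heuristic does, else 'clean'."""
    if signature_hits(js):
        return "signature"
    if heuristic_reasons(js):
        return "heuristic"
    return "clean"


if __name__ == "__main__":
    for label, js in [("obvious", OBVIOUS), ("evasive", EVASIVE),
                      ("revised", REVISED), ("benign", BENIGN)]:
        print(f"{label:8s} -> {classify(js):9s} "
              f"sig={signature_hits(js)} heur={heuristic_reasons(js)}")
```

The first rewrite defeats the signature by assembling the name `eval` at runtime but still carries the percent-encoded payload and the `["ev" + "al"]` shape, so the heuristics catch it; the second moves to `String.fromCharCode` and builds the property name in a variable, and every rule here goes quiet. That is the arms race the comment predicts: each added rule raises the attacker's cost for a while, which is the defense-in-depth argument for shipping it, without ever replacing the patch.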

  19. Re:I'm not interested in any of them on YouTube Launches Ads You Can Skip · · Score: 1

    Definitely. I expect them to be free and I don't want to see ads. It's not my problem how Youtube or free TV will make an income.

    If they don't have a clue how to make a living then they cease to exist, that is what free market is all about.

    It kind of is; if you like their service, and they can't support it, it will go away or change for the worse. If they had to choose between going out of business and revising their profit system in such a way as to target a profitable demographic at your expense (e.g., paywall, mandatory ads, capping number of videos per day, etc.), they almost certainly would choose the latter, and that would affect you. If you enjoy their service, you should want them to find a way to profit from you.

    That's also why I oppose copyright and patents. There should be no right to make money, if you want to make money it's your problem but don't make the state grant you a monopoly. If I choose not to watch ads I'm not hurting anyone but a state granted monopoly is hurting everybody else.

    If you choose not to watch ads, then YouTube is paying money (via bandwidth, maintenance, etc.) to deliver you content, and you are giving them nothing back in return. In effect, you are freeloading. This is fine - free market and whatnot - but at least understand that your behaviors are only possible because they're subsidized by other more-profitable viewers. You're the Internet's equivalent of a welfare family. I agree with you in some ways - there should be no right to make money. However, it goes both ways. They have no right to make money, and you have no right to use their service. Unless you're willing to participate in some form of quid pro quo arrangement with a service provider, don't be surprised if you find yourself excluded from their service in favor of profitable users. With free services, meeting them halfway is the name of the game.

    FWIW, copyright and patents are not as simple as state-granted monopolies. At their heart lies a desire to encourage inventors to disseminate their trade secrets to the government and public, for state and public good, as opposed to hoarding their trade secrets or spending countless effort devising ways to obfuscate them. Their current state and implementation is just significantly perverted from that original intention.

  20. Re:4.x KDE releases failed to impress me on KDE 4.6 Beta 1 – a First Look · · Score: 5, Insightful

    PEBCAK. KDE is useful in its default settings. As a rank n00b, you probably should try to get to know it before fiddling with settings you don't understand.

    Really? This is the attitude you chose to go with?

    What we have here is an OP who gave an honest and accurate critique of his/her experience with KDE. Simple as that. They thought it was too complicated, and that the complexity wasn't valuable. It didn't work in a manner that they desired, and that resulted in them disliking the software. This is exactly the kind of feedback the KDE team wants. All of the OP's problems should not exist - that's one of the KDE team's design goals. The OP's impressions, experiences, and feedback could, if funneled down to the right people, result in a superior desktop experience for everyone.

    Instead you are quick to dismiss and blame the OP as incompetent and useless. This valuable feedback, while dismaying in the sense that it depicts a KDE team failure, is extremely useful for both parties. The user seems open and interested in thoroughly using the product, and the design team wants to create a product the user wishes to use. A person with the slightest (a) intuition, or (b) training in psychology and human-computer interfaces would tell you that this type of cooperation between developer and end-user is priceless. But here we have you, whose attitude is one of the stronger cancers on the open-source community.

    Not every product is for everyone, but mainstream desktop environments and window managers are the exception. Creating a central piece of software as complex and feature-rich as KDE is extremely challenging. For any given use-case scenario, KDE has to provide a direct and obvious path to an end-goal while ensuring that every other feature keeps a low profile. This is hard stuff, and KDE is groundbreaking in their approach. Their team has developers, artists, engineers, managers, and designers all striving for this goal. The OP is a critical piece in that puzzle.

    And as a disclaimer, I do, and probably always will, love KDE. KDE4 started out weak (by design) and is building towards an amazing desktop environment. Every subsequent release provides marked progress towards that ideal. I hope we get an entire gamut of feedback from every possible class of user, because that gives the KDE developers the kind of information they need to make good design decisions towards an ideal desktop environment.

    Assholes like you really need to stop getting in the way of that ideal.

  21. Re:Ask Slashdot on Best IT-infrastructure For a Small Company? · · Score: 1

    A good way to avoid ending up in that position is not to actively place yourself in that position. Don't bid for jobs you can't do. Don't agree to do jobs you can't do. Don't tell people you can do jobs you can't do.

    The problem here isn't that he's asking slashdot. It's that he isn't asking slashdot with any apparent knowledge of the subject to support his questions. There's no indication that he understands his client's actual needs, nor any indication that he could figure out any aspect of the job he is being paid to do, without slashdotters to get him started.

    I read that more as him opening the field to all sorts of responses. Nowhere in his posited question did I read a hint of incompetence. I think, rather, he was trying to mention that he'd like to hear any advice about anything someone thinks might be relevant to his 20-person client. He wants to be inundated with a flood of ideas from across the IT scene - cloud computing solutions, hosted products, or roll-your-own. He wants to put all of those thoughts on the table, alongside his own ideas, and use his expertise to sort out the best approach to the problem. That's exactly how good decisions are made.

    Seriously, don't be so quick to judge. Nothing he said is stupid or ignorant. Acting as one of those guys who "knows everything" will always get you in trouble sooner or later - sooner, if you're accountable to others. His attitude and approach to solving this problem speaks towards his competence and a drive to deliver the best possible solution. Hell, these are exactly the traits I look for in people; I'd totally hire him :)

  22. Re:Ask Slashdot on Best IT-infrastructure For a Small Company? · · Score: 5, Insightful

    Ask Slashdot: Why do your job when you can ask others to do it for you?

    Why indeed? What reasonable motivation could he have to poll a well-established base of computer experts for advice? Could it be that an infrastructure is a hard thing to get perfectly right? Maybe up-front decisions made right will negate hours of work and wasted productivity down the line? Remember those security and infrastructure failings we've been so critical about all these years? Those clueless IT guys who screwed up royally and condemned employees and management to countless hardships? Maybe he doesn't want to end up in that position... maybe he wants to do things right?

    That lazy bastard!

  23. Seems unnecessary... on CDE — Making Linux Portability Easy · · Score: 1

    Unless I'm missing something, this seems like a relatively-useless tool. There are better ways to do everything that it does.

    I can see this being useful in two specific cases:

    1. I want to run an application on a different system without any hassles.
    2. I want to create a perfectly-reproducible execution

    In the former case, CDE is just an extreme form of static linking. You produce a distributable package that contains the full set of libraries, files, etc. that are needed to run the application. That's useful, I suppose, but how does it compare to a regular Linux package? It's heavier, for sure; every CDE package contains a full set of system libraries, binaries, data files, and executables needed to perform an operation. It's also slower, as CDE execution has to re-create the original environment (in-memory or on disk, either way). All to ... what? Cut down on the difficulty of dependency management? Almost every modern Linux distro has an advanced package management system that can easily handle these cases. In some cases it's as easy as declaring dependencies and producing the appropriate source / binary package via a build wrapper. In others, you may have to do a little architecture, but it's still relatively straightforward. Any existing Linux package, by design, seamlessly integrates into the current system and is quite minimal.

    I understand the desire for reproducible behavior, but this is easily obtainable with a package-based solution across the same distro. The only practical cases (even including cloud deployment) that involve multiple different distros requiring reproducible behavior are fringe cases, and even then a build-from-source solution is likely adequate.

    So now to the other case... I require absolutely perfectly reproducible behavior that I can provide to other people. That sounds like the perfect use-case scenario for a virtual machine. Packaging a VM up and distributing it provides not only the CDE convenience, but additional guarantees as well. For example, a modification in kernel behavior between minor versions could affect the runtime performance of a CDE-distributed application across various platforms; a VM with the exact same setup would be able to guarantee that this is not a problem. In cases where perfect reproducibility really matters, a VM is far more compelling than an execution environment wrapper.

    Don't get me wrong; I appreciate the coolness factor. The interior mechanisms that CDE uses to operate are very well-thought-out and interesting, for sure. I am just very skeptical as to the practical usefulness of the tool. It seems too light and incomplete for serious academic reproducibility, and too heavy to solve real-world distribution issues. YMMV, but I don't see this as a real game-changer in any capacity.

  24. Re:Security is about preventing unintended outcome on NSA Says Its Secure Dev Methods Are Publicly Known · · Score: 3, Informative

    Writing bulletproof code isn't really all that hard, but it does take discipline. Discipline to use only those constructs which have been verified with both the compiler and linker.

    Some simple things that coders can do:

    - avoid the use of pointers.

    Pointers aren't themselves bad; they just add some layers of complication to the otherwise stack-oriented game. The only reason the stack is nicer than pointers is because they're implicitly managed for you.

    Rather than avoid pointers, what you need is good code structure. Design functions that either manage the lifecycle of a pointer or are explicitly clear about how and what the pointer is going to be used as. Use const aggressively, and avoid typecasting as much as possible. Using good pointer naming techniques and management functions also dissipates the burden. Pointers are too useful to avoid religiously ... rather, build pointer security and management techniques into your coding style from the ground up. Choose descriptive names and try and constrain each pointer to its specific type (this lets the compiler help you keep your pointers straight).

    - Initialize all variables to known values.

    Meh, I'm divided on this one. It's one thing to explicitly initialize global variables to either zero (which costs nothing, since they just end up in BSS sections) or non-zero (which puts them statically in the data segment). Stack variables, on the other hand, only really need to be initialized before they're used the first time. Pre-initializing them could lead to wasted instructions initializing them multiple times or cause them to be initialized in all code paths when they're only used in a few. My general rule of thumb is to be smart about it and, once again, naming conventions.

    - Perform comparisons with the LHS using a static variable, so you don't accidentally get an assignment instead of a comparison

    Great tip; it's weird at first writing "if( NULL != p )", and you get a few funny stares, but after seeing enough "if( i = 10 )"s lying within seemingly-functional code, it's an easy selling point to make.

    - When you are done with a value, reset it to a "known" value. Zero is usually good.

    Definitely do this with pointers, descriptors, and other handle types. It also makes cleanup and pointer management easier. Less important to do with things like iterators and intermediate variables.

    - Keep functions less than 1 page long. If you can't see the entire function on a single editor page, it is too long.

    It's a good rule of thumb. I would like to add "any time you can't do this, make absolutely certain that you're not doing it for a good reason."

    Good tips, though. One thing I'd like to add: -Wall -Wextra -Werror (or your language's equivalent). If your code can't compile without a single warning, then you need to re-write your code and either manually disarm situations (e.g., override the compiler's common-sense with an assurance that you know what you're doing) or fix the warnings, which are actually bugs and errors. It's always fun to take someone's "bulletproof" code and turn on these flags and watch the crap spill out. Warnings are amazing, and they are absolutely your friend when it comes to writing bug-free and secure code.
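    The pointer advice in the comment above (one function pair owning a pointer's lifecycle, const on read-only handles, the constant on the left of `==`, resetting a handle to a known value once it is done with, and building with warnings as errors) collected into one small C type. This is an added example, not code from the commenter or from the story; the `struct buffer` name, its functions and the suggested file name are assumptions.

```c
/* Added example (not the commenter's code): an owned-buffer type that applies the
 * pointer-handling advice from the comment above. Build it with warnings as errors:
 *   cc -Wall -Wextra -Werror -std=c11 owned_buffer.c      (file name is an assumption) */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* One create/destroy pair manages the whole lifecycle of this pointer type. */
struct buffer {
    size_t len;
    unsigned char *data;   /* owned; freed only by buffer_destroy */
};

/* Allocate and initialise to a known value (zero) before first use. */
struct buffer *buffer_create(size_t len)
{
    struct buffer *b = calloc(1, sizeof *b);
    if (NULL == b) {            /* constant on the LHS: "NULL = b" would not compile */
        return NULL;
    }
    b->data = calloc(len, 1);
    if (NULL == b->data) {
        free(b);
        return NULL;
    }
    b->len = len;
    return b;
}

/* Takes the caller's pointer by address so it can be reset to NULL after freeing:
 * a second call on the same variable is then a harmless no-op, not a double free. */
void buffer_destroy(struct buffer **bp)
{
    if (NULL == bp || NULL == *bp) {
        return;
    }
    /* Scrub before release. A compiler may elide this dead store; production code
     * should use a non-elidable routine such as explicit_bzero where available. */
    memset((*bp)->data, 0, (*bp)->len);
    free((*bp)->data);
    (*bp)->data = NULL;
    free(*bp);
    *bp = NULL;
}

/* Read-only access: const on both the struct and the returned bytes tells the
 * compiler (and the reader) that nothing may be modified through this handle. */
const unsigned char *buffer_bytes(const struct buffer *b)
{
    return (NULL != b) ? b->data : NULL;
}

/* Bounds-checked write; returns 0 on success, -1 when the write would overflow. */
int buffer_write(struct buffer *b, size_t off, const unsigned char *src, size_t n)
{
    if (NULL == b || NULL == src) {
        return -1;
    }
    if (off > b->len || n > b->len - off) {   /* ordered so the arithmetic cannot wrap */
        return -1;
    }
    memcpy(b->data + off, src, n);
    return 0;
}

/* Returns 1 if an in-bounds write succeeds, an overflowing write is refused, and
 * destroying the buffer twice is safe and leaves the handle NULL; 0 otherwise. */
int demo_lifecycle(void)
{
    struct buffer *b = buffer_create(8);
    if (NULL == b) {
        return 0;
    }
    unsigned char msg[4] = { 'a', 'b', 'c', 'd' };   /* constructed sample input */
    int ok = (0 == buffer_write(b, 4, msg, 4)) && (-1 == buffer_write(b, 6, msg, 4));
    buffer_destroy(&b);
    buffer_destroy(&b);    /* second call is a no-op because b is now NULL */
    return ok && (NULL == b);
}
```

    The double `buffer_destroy(&b)` is the point of passing the handle by address: once the pointer is reset to a known value, the "use after free" and "double free" classes of bug become a no-op rather than memory corruption, and the `-Werror` build catches the `if (b = NULL)` typo that the constant-on-the-left habit is meant to prevent.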

  25. Re:Hate for DST aside, how does this bug even exis on iPhone Alarm Bug Leads To Mass European Sleep-in · · Score: 3, Insightful

    I see a lot of posts with hate for DST.. that's fine, I'd be happy if it were abolished as well.

    But now back to there being a bug in how the alarm thing is handled on the iPhone. How does that bug even exist?

    If the alarm is set for a particular time, say "7am".. then what does it matter whether or not the clock went back an hour at 3am? I can understand the alarm app going a bit batty if the clock went back at 8am (essentially the alarm going off -twice- that day), but given the actual circumstances... how did the alarm decide that it should instead be going off at 8am? The clock, presumably, does give the correct time.. so it's not like its internal time functions don't know what time it actually is. I'm confused. Is this just some manner of shoddy coding going on?

    I'll venture a guess:

    Applications, especially ones using phone APIs, usually aren't running 24/7. At a high level, what they will do is, in some manner, register for an event with the operating system. They will then idle indefinitely until that event occurs, at which point the operating system will give the application execution time and it will respond to that event. The event can be several things, including "when the user taps the screen" and "if the phone is powered on", and notably (for this discussion) can be based off of time, such as "8 hours from now".

    My guess is that, when an alarm is set, the alarm calculates the amount of time in the future until it needs to be sounded, then registers with the OS to be woken that much time later (probably via some form of nanosleep iOS API derivative). If the alarm fails to factor in DST when calculating that time difference, then it'll get its event later (or earlier, or whatever) than it was expecting, and sound (and then probably calculate the next time difference and sleep until then).

    On the surface, an alarm application could register for more periodic events (clock ticks, UI update loop iterations, or just sleep for seconds at a time) and evaluate if it should sound periodically. This would have easily avoided the DST issue. The problem here is that each time the event gets dispatched, the phone has to wake up to handle it, and such periodic waking would cost unnecessary battery. In fact, the OS knows how / when / for how long to sleep based on scheduler details derived from some form of these event registrations. Applications in general (and especially on battery-consuming devices) should attempt to register for as few events as possible, hence (I'm guessing) why they chose the time delay calculation option instead of a periodic one.
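    The two scheduling strategies the guess above contrasts, as an added C example (not the commenter's code and not anything from iOS): a "sleep for the wall-clock difference" scheduler beside one that asks `mktime()` for the epoch value of the next 07:00. The time zone is Central European DST, given as a POSIX TZ rule string so no tzdata is needed, and the alarm is a constructed one set at 22:00 on Saturday 30 October 2010 for 07:00 the next morning, the night the clocks went back. In this direction the delta-based scheduler fires an hour early; which way a real bug of this shape errs depends on the transition and on when the delta was computed, as the comment says.

```c
/* Added example (not the commenter's code): naive delta scheduling versus
 * wall-clock scheduling across the end of DST. Central European rules are
 * supplied as a POSIX TZ string, so the example runs without tzdata. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Declared explicitly so the example also builds under strict -std= modes. */
extern int setenv(const char *name, const char *value, int overwrite);
extern void tzset(void);

/* CET/CEST: DST starts last Sunday of March, ends last Sunday of October at 03:00. */
void use_central_european_rules(void)
{
    setenv("TZ", "CET-1CEST,M3.5.0,M10.5.0/3", 1);
    tzset();
}

/* Build an epoch value from local wall-clock fields; tm_isdst = -1 lets mktime
 * decide whether DST applies at that instant. */
time_t make_local(int year, int month, int day, int hour, int min)
{
    struct tm t = {0};
    t.tm_year = year - 1900;
    t.tm_mon = month - 1;
    t.tm_mday = day;
    t.tm_hour = hour;
    t.tm_min = min;
    t.tm_isdst = -1;
    return mktime(&t);
}

/* Local hour of an instant, or -1 if the conversion fails. */
int local_hour(time_t when)
{
    struct tm *lt = localtime(&when);
    return (NULL != lt) ? lt->tm_hour : -1;
}

/* Naive scheduler: count wall-clock minutes until the alarm time, assume every
 * day is exactly 24 hours long, and sleep for that many seconds. */
time_t naive_wakeup(time_t now, int alarm_hour, int alarm_min)
{
    struct tm *lt = localtime(&now);
    if (NULL == lt) {
        return (time_t)-1;
    }
    long now_min = lt->tm_hour * 60L + lt->tm_min;
    long delta_min = (alarm_hour * 60L + alarm_min) - now_min;
    if (delta_min <= 0) {
        delta_min += 24 * 60;          /* alarm is tomorrow */
    }
    return now + (time_t)(delta_min * 60);
}

/* Wall-clock scheduler: ask mktime() for the epoch value of "alarm time on the
 * next day it occurs"; mktime applies the DST rules in force on that day. */
time_t wallclock_wakeup(time_t now, int alarm_hour, int alarm_min)
{
    struct tm *lt = localtime(&now);
    if (NULL == lt) {
        return (time_t)-1;
    }
    struct tm t = *lt;
    t.tm_hour = alarm_hour;
    t.tm_min = alarm_min;
    t.tm_sec = 0;
    t.tm_isdst = -1;
    time_t target = mktime(&t);
    if (target <= now) {               /* today's alarm time has passed: use tomorrow */
        t.tm_mday += 1;
        t.tm_isdst = -1;               /* let mktime re-evaluate DST for the new day */
        target = mktime(&t);
    }
    return target;
}

int main(void)
{
    use_central_european_rules();
    /* Constructed scenario: alarm set Saturday 30 Oct 2010 at 22:00 CEST for 07:00. */
    time_t set_at = make_local(2010, 10, 30, 22, 0);
    printf("naive delta fires at %02d:00 local, wall-clock fires at %02d:00 local\n",
           local_hour(naive_wakeup(set_at, 7, 0)),
           local_hour(wallclock_wakeup(set_at, 7, 0)));
    return 0;
}
```

    The night of 30 to 31 October 2010 is 25 hours long under these rules, so 9 wall-clock hours from 22:00 to 07:00 are actually 10 elapsed hours; the naive scheduler sleeps 9 hours and wakes at 06:00 CET, while the `mktime()` version sleeps 10 and wakes at 07:00. A periodic check would also get this right, at the battery cost the comment describes, which is why computing the wake-up instant from the wall clock rather than from a fixed delta is the cheaper fix.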