On the post: Yes, Net Neutrality Is A Solution To An Existing Problem
Re: A prediction
Yes, that's exactly the problem.
When you sell something you don't have, that's usually called fraud, and is highly illegal... unless you're an ISP or an airline, apparently.
On the post: Even If NSA Didn't Use Heartbleed In The Past, It Still Could Be Making Use Of It
Re: Come again?
It worked pretty well for Cliff Stoll.
Of course, that was back in the 80s.
On the post: That Time A Star Trek Captain And A Physicist Got Tricked Into Doing A Documentary On Geocentrism
Re: Re:
Yes, please do. The reality is far more complicated (and far more interesting!) than the simplistic "the church persecuted Galileo for teaching heliocentrism" myth that everyone's heard since grade school.
On the post: DOJ Issues Scathing Review Of Albuquerque Police Department's Use Of Force, Tempers It By Prioritizing Officer Safety
We found that officers routinely fired their Tasers, which discharge 50,000 volts of electricity,
I really wish people would stop sensationalizing this. I take 50,000 volt discharges on a daily basis, because of the carpet in the office where I work, and I'm fine. If you've ever touched a door handle and gotten a shock that you could feel, see and hear, that was at the very least 40,000 volts of electricity, and probably more.
On the other hand, a 120 volt current from wall power can kill you dead, because voltage is irrelevant. Amps kill, and Tasers have a very low amperage.
On the post: The Big Question: When Did The NSA Know About Heartbleed?
Re: Re: Re:
As you have said, no amount of 'programming language change' can stop human errors.
Yes, but it can mitigate the damage they do. Tony Hoare knew how to make this sort of thing impossible waaaay back in 1960: design the language so that if someone tries to go outside the bounds of an array, the program crashes instead.
On the post: The Big Question: When Did The NSA Know About Heartbleed?
Re: Re: Re: Re: Re: Re:
On the post: The Big Question: When Did The NSA Know About Heartbleed?
A better question: when did the programming community know about the problem?
The answer? Over a quarter-century ago. In 1988, the Morris Worm brought the Internet to its knees, taking down about 10% of all existing servers at the time. It got in through a buffer exploit in a piece of system software written in C.
That should have put the programming community on notice. The C language should have been dead by 1990, because this class of security hole (buffer exploits) is inherent in the design of the language and can't be fixed. Some people say "you just have to be careful and get it right," but to err is human, and it's an easy mistake to make. This means that the language is at odds with reality itself. Something has to give, and it's not going to be human nature.
They say those who don't learn from history are doomed to repeat it. Well, here we have it again, a major buffer exploit in a piece of software written in C, affecting between 10% (there's that figure again) and 66% of all servers on the Internet, depending on which estimate you listen to.
We know better than this. We have known better than this since before the Morris Worm ever happened, and indeed for longer than most people reading this post have been alive. I quote from Tony Hoare, one of the great pioneers in computer science, talking in 1980 about work he did in 1960:
A consequence of this principle [designing a language with checks against buffer overruns built in] is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interest of efficiency on production runs. Unanimously, they urged us not to—they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980, language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law.
Maybe now that it's happened again we'll finally wise up and give this toxic language its long-overdue funeral?
On the post: Katherine Heigl Wants Six Mil-Do After Drugstore Tweets Picture Of Her Shopping There
On top of the publicity rights claim, Heigl claims that this is a form of "false advertising," but one could reasonably argue that (a) it's not false and (b) it's not advertising. The latter claim may be a little trickier, but where is the line between an advertisement, and some social media jockey at Duane Reade just tweeting out a photo. That line may become... very important to the outcome of this particular lawsuit.
I don't see how that works. This is unquestionably advertising, but the fact that it's not false, in and of itself, invalidates the "false advertising" complaint, so how does "the line between advertising and not advertising" have any relevance?
On the post: Comcast Ignores 'World's Worst Company' Award, Misleads About Bogus 'World's Most Admired Company' Award
On the post: Bracket Watch: EA Upset Early, Comcast Beats Monsanto For 'Worst Company' Award
Re: Re: Re: Re: Re:
What rules? You can't violate a contract you didn't sign in the first place.
On the post: Bracket Watch: EA Upset Early, Comcast Beats Monsanto For 'Worst Company' Award
Re:
Go back to 50 years ago, and tell people that someone wants to produce a new, genetically-engineered type of seeds that will:
1) be sterile and not yield new seeds for the next year's crop
2) contain dominant genes, such that they can be cross-pollinated into nearby fields and render that crop sterile as well
3) be the only seeds that are not adversely affected by a special poison sold by the same person
...they would never believe it. They'd think you were talking about the script to the next James Bond movie or something! The fact that we are discussing whether or not a contract makes this sort of Bond-villainy legitimate, rather than whether or not Monsanto execs should be rounded up and put on trial for crimes against humanity just underscores how far down the rabbit hole we've gone in the last few decades.
On the post: Bracket Watch: EA Upset Early, Comcast Beats Monsanto For 'Worst Company' Award
Re:
On the post: Shameful Security: StartCom Charges People To Revoke SSL Certs Vulnerable To Heartbleed
Re: startssl.com declares intention to commit corporate suicide
When the Morris Worm hit, about 25 years ago, we all put aside our differences and our squabbles to patch things up, but we didn't learn our lesson.
The Morris Worm used a buffer exploit to break into all those computers, an inherent security hole in the C language in which the language does not ensure that the space you're trying to put data into is large enough to accept the data you're putting in, and so if the programmer forgets to check this manually, the data can get written to other areas of memory and end up being used to hack the system.
This should have put the programming community on notice, but it didn't. A quarter-century later, people are still getting hacked by buffer overruns, including Heartbleed, for one very simple reason: people are still writing C code that's vulnerable to buffer overruns.
Make no mistake; this is inherently a problem in the C language. You don't hear about buffer overruns in Java or Pascal or Ruby or Python because the languages are designed in such a way that that's impossible. But Windows and *nix systems have to issue critical security patches on a regular basis because they're written in C, or in C++ or Objective-C, which are closely related and share C's flaws.
We know better than this. We have known better than this for longer than most people reading this post have been alive. I quote from Tony Hoare, one of the great pioneers in computer science, talking in 1980 about work he did in 1960:
A consequence of this principle [designing a language with checks against buffer overruns built in] is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interest of efficiency on production runs. Unanimously, they urged us not to—they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980, language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law.
And he's right; it should be. The Morris Worm put us all on notice, and the Heartbleed bug serves as a stark reminder that those who do not learn from history are doomed to repeat it. 34 years after Hoare's warning, and nearly a quarter-century after the Morris Worm, it's still not considered an act of criminal negligence by the law--or even generally considered a shameful act by one's peers in the computer programming community--to build an operating system, browser, or other network-facing software, or other software that has an inherent security requirement, in C.
It's about time that changes.
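The overrun mechanism the comment above describes, as an added example in C that is not part of the original comments or of any project they mention: an unchecked copy into a fixed-size field spills its extra bytes into the neighbouring field, while a copy that checks the declared bound before writing, in the spirit of the Hoare quote, refuses the write instead of corrupting memory. A third function applies the same check to a caller-supplied read length, the Heartbleed-shaped variant (over-read rather than over-write). The record layout, the function names (record_t, unchecked_set_name, checked_set_name, checked_read and the demo_* helpers) and the inputs are constructed for illustration.

```c
/* Added example, not code from the original comments. The record is one
 * flat byte region so that the "overflow" stays within defined C
 * behaviour: the first NAME_CAP bytes are the name field, the remaining
 * bytes model a neighbouring field (think: an is_admin flag) that an
 * unchecked write will clobber. Names and inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_CAP 8

typedef struct {
    unsigned char bytes[NAME_CAP + 8];   /* [0,8) name, [8,16) neighbour */
} record_t;

static void record_init(record_t *r) {
    memset(r->bytes, 0, sizeof r->bytes); /* neighbour starts as 0: "not admin" */
}

static unsigned char neighbour_byte(const record_t *r) {
    return r->bytes[NAME_CAP];            /* first byte of the neighbouring field */
}

/* What the comment complains about: nothing in C checks that NAME_CAP is
 * large enough for n bytes, so bytes 8.. land in the neighbour. (The
 * clamp only keeps the demo inside the struct; it is not a real check.) */
static void unchecked_set_name(record_t *r, const char *src, size_t n) {
    if (n > sizeof r->bytes) n = sizeof r->bytes;
    memcpy(r->bytes, src, n);
}

/* Hoare's rule applied by hand: compare against the declared bound before
 * every write and fail closed, writing nothing, when the data does not fit. */
static int checked_set_name(record_t *r, const char *src, size_t n) {
    if (n > NAME_CAP) return -1;          /* would overrun: refuse */
    memset(r->bytes, 0, NAME_CAP);
    memcpy(r->bytes, src, n);
    return 0;
}

/* Same idea for a read: a length the peer claims must never exceed the
 * number of bytes actually received, or the copy reads past the payload. */
static int checked_read(const unsigned char *payload, size_t have,
                        size_t want, unsigned char *out) {
    if (want > have) return -1;           /* claimed length too large: refuse */
    memcpy(out, payload, want);
    return (int)want;
}

/* 9 bytes into an 8-byte field: the 9th byte (0x01) lands in the neighbour. */
int demo_unchecked_overwrite(void) {
    static const char input[] = "AAAAAAAA\x01";   /* constructed input */
    record_t r; record_init(&r);
    unchecked_set_name(&r, input, 9);
    return neighbour_byte(&r);            /* 1: the flag was flipped */
}

/* Same input through the checked path: refused, neighbour untouched.
 * Returns -1 if the checked path wrongly accepted the oversized input. */
int demo_checked_refusal(void) {
    static const char input[] = "AAAAAAAA\x01";
    record_t r; record_init(&r);
    if (checked_set_name(&r, input, 9) != -1) return -1;
    return neighbour_byte(&r);            /* 0: nothing was written */
}

/* Data that fits is accepted normally. */
int demo_checked_accepts_fitting(void) {
    record_t r; record_init(&r);
    return checked_set_name(&r, "bob", 3); /* 0 */
}

/* A 5-byte payload with a claimed length of 64000 is refused; 5 is served. */
int demo_overread_refused(void) {
    static const unsigned char payload[] = "hello"; /* constructed: 5 bytes received */
    unsigned char out[64];
    int big = checked_read(payload, 5, 64000, out);
    int ok  = checked_read(payload, 5, 5, out);
    return (big == -1 && ok == 5) ? 1 : 0;
}

int main(void) {
    printf("unchecked copy: neighbour byte = %d (overwritten)\n", demo_unchecked_overwrite());
    printf("checked copy:   neighbour byte = %d (write refused)\n", demo_checked_refusal());
    printf("checked copy:   fitting write rc = %d\n", demo_checked_accepts_fitting());
    printf("checked read:   over-read guard ok = %d\n", demo_overread_refused());
    return 0;
}
```

The checked functions are what a language with built-in bounds checks does for you on every access; in C the check exists only if the programmer remembers to write it, which is the comment's point. Note that in real code the unchecked variant would usually overrun the whole object rather than a deliberately oversized one, which is undefined behaviour and exactly how the overwritten bytes end up being used to hack the system.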
On the post: The Cost Of Permission Culture: Or Why Netflix Streaming Library Sucks Compared To Its DVD Library
Re: Re:
One mistake: please stop calling abusive publishers "content creators." These guys creating the content are very rarely the problem; the ones distributing it are, and they're generally completely distinct from the content creators.
That's the thing that far too many people don't understand about copyright, and it gives undeserved legitimacy to the current system: if people think it's sticking up for the rights of content creators, then it's a good thing, right? But when people understand that it's actually enabling publishers to exploit the content creators along with all the rest of us, their attitude changes fast.
On the post: Sony And YouTube Take Down Sintel; Blender's Open Source, Creative Commons, Crowdfunded Masterpiece
Re: Re: Re: Re: Re: Re: Re: The price of a favor...
I honestly don't know why they didn't respond "OK, let's settle this like businessmen," and initiate a hostile takeover of whatever studio tried to sue them first. Surely they've got enough money, and if a tech company owned a major movie studio and started distributing films in a way that actually makes sense, and making profits on it, it would completely undermine the MPAA.
On the post: Sony And YouTube Take Down Sintel; Blender's Open Source, Creative Commons, Crowdfunded Masterpiece
Re: Re: Re: Re: Re: The price of a favor...
On the post: Chilling Effects: Climate Change Deniers Have Scientific Paper Disappeared
Re: Re: Re: peer review
People who think that scientists are in some sort of conspiracy to suppress the truth and enshrine the established consensus viewpoint don't know the first thing about science.
Who's the most famous scientist of all time, the guy who was widely recognized as being so brilliant that, even almost a century later, his name is still synonymous with "genius" in the colloquial lexicon, even by people who don't know anything about science? Yeah, I'm talking about Albert Einstein. But do you know what he actually did to earn that?
He proved that something that everyone had believed was correct--Newton's laws of motion--was actually wrong. He took the solidly established consensus, found a hole in it, and became the most famous scientist in history. What scientist wouldn't want to be the next Einstein?
But here's the truly interesting thing about it: Newton really wasn't all that wrong. For essentially anything at all that you would want to do on Earth, Newton's laws still hold, and you'd use them rather than Einstein's equations in engineering calculations, because they're simpler. Einstein's Relativity only becomes relevant in extreme situations, such as space travel.
Applying this logic to the analogous situation, even if "the next Einstein" found an Einstein-sized hole in the science of global warming, this suggests that most of the scientific consensus would still be understood to be valid! So denial simply doesn't work at all to anyone with even a cursory understanding of science.
On the post: Yet Another Music Collection Society Corruption Scandal May Lead To Real Copyright Reform In Peru
For the first time in eighteen years, there are many bills that seek to put the rights of users at the same level as those of the authors.
That's cool, but still missing the point. Authors are all too often at the same level already: getting screwed over along with the rest of us. This perception, that copyright is working as it should and protecting authors, is one of the biggest factors lending legitimacy to it in the eyes of the general public. If more people understood that the creators are being exploited as much as everyone else by the publishers, things would change real fast.
I wish I could find this now, but I once saw a really insightful article by Orson Scott Card, urging new authors not to sign over their copyrights to their publishers as a part of their contracts. He said, essentially, that their publishers are trying to gain the rights under "work made for hire" doctrine, but that unless the story was actually commissioned, signing a legal document stating that it was made for hire is not only acting against your own best interests, but also committing perjury.
On the post: Bay Of Tweets: How US Gov't Secretly Built A Twitter For Cuba, Then Freaked Out When It Became Too Successful
Re: Re: what next?
Yes, this. Everyone talks about Orwellian dystopia, but if you want to see the screwed-up world people really should be worried about, read Jennifer Government sometime.
On the post: Hot Mouse On Mau5 Action! Disney To Challenge Deadmau5's Latest Trademark Filing
Re:
Agreed. I'm no fan of overenthusiastic IP enforcement, but this is clearly a derivative of the Mickey Mouse silhouette and designed to bring it to mind at the very least.