Posts by Michael Wojcik

12131 publicly visible posts • joined 21 Dec 2007

Super Cali goes ballistic – Uber says it's bogus (even though its contract is something quite atrocious)

Michael Wojcik Silver badge

Re: Choices

Laws are standards, so of course the usual results apply.

Michael Wojcik Silver badge

Re: frank ly

yes, we did sing it out loud

Youtube or it didn't happen.

Michael Wojcik Silver badge

Re: Lessons for techies: the law is like duck typing, not static typing

That, and the appropriate XKCD.

That one has a great hover comment, too. (Alternate version: Here's one weird way to upgrade your vacation!)

BOOM! Stephen Elop shuffled out of Microsoft door

Michael Wojcik Silver badge

Re: "However this strategy has completely failed

If you haven't tried a Windows phone recently you really ought to get out more.

If you think playing with a smartphone is "get[ting] out", I don't think there's any profit in taking advice from you.

And even that aside, I don't understand the warrant for this argument. Suppose Windows Phone was the greatest damn phone OS ever. If my phone does what I want, why should I care?

Frankly, if my Symbian S60 phone were still working, I'd still be using it. I only switched to Android because the Symbian one died and various Android models with similar capabilities were by far the cheapest choice.

AT&T fined about 3 days of profit ($100m) for limiting 'unlimited' plans

Michael Wojcik Silver badge

Re: Didn't they get fined before?

I wonder what next agency AT&T hopes will save them.

The NSA, of course.

YOU ARE THE DRONE in Amazon's rumoured new parcel delivery plan

Michael Wojcik Silver badge

Re: Well, it did work for Uber..

I buy my prime numbers elsewhere.

Yeah. The prices they charge for a lot of polynomial roots are irrational, too.

Michael Wojcik Silver badge

Re: Drone uniform?

Amazon logistics, like most of the low-cost final-stage delivery services, isn't uniformed

Around these parts, our Amazon deliveries are nearly always made by FedEx Ground, which most certainly is uniformed. Of course, it's a low-paying franchise job and the "independent contractors" have to purchase the uniforms out of pocket, just like everything else they use for the job.

Last-mile delivery services are already exploitative. Personally, I'm not willing to help Amazon make them worse.

Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X

Michael Wojcik Silver badge

Re: Missing a major point?

The reason people say there's no malware in the App Store, and that you only get malware if you jailbreak, is because of Apple's sandboxing system, which has seemed pretty darned robust until just now.

I dare say most of the people who say that have no idea the sandbox even exists, and are just repeating what they've heard.

Certainly most of the people that I've heard claim the iOS App Store is free of malware are not software security experts, or even vaguely familiar with the field.

Michael Wojcik Silver badge

Re: Worrying @boltar

"Personally I'd hope that my computer just stores a salted hash of my password, not the password itself :-)"

The OS, yes; not browsers. They store the actual encrypted password, otherwise they wouldn't be able to auto-complete password fields.

That was rather the OP's point. The OS can store a non-reversible password verifier (a hash, a ZKP verifier as with SRP or PAK-RY, etc). The browser needs to store a reversible encrypted password. So not using the browser's autocomplete feature removes a significant branch of the attack tree, and your post about the OS "storing the main password" is irrelevant.

On the other hand, not using the browser's autocomplete feature or other "password safe" technologies means the user types the password more frequently, increasing the attack surface for e.g. keyloggers and some forms of phishing attacks. It's a trade-off. Personally, I don't use a password safe and disable many other sorts of credential caching, as that's the less risky option under my threat model. It means I type my (38-character) Windows domain password half a dozen times each day, but I'm a fast typist.
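To make the distinction in the two posts above concrete, here is an added example (not code from the thread or from any browser or OS) in Python's standard library. The OS-side record is a salted PBKDF2 verifier: it can confirm a candidate password but cannot give the password back. The browser-side record is the password wrapped under a key the browser holds, so it can be recovered by anything that obtains that key. The wrapping cipher (an HMAC-SHA256 counter-mode keystream plus an HMAC tag) is an assumption chosen only because the standard library ships no AES; it illustrates reversibility and is not a production cipher. The sample password and keys are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameter for the demonstration; real systems tune this to cost.
PBKDF2_ITERATIONS = 200_000


def make_verifier(password: str, salt: Optional[bytes] = None) -> dict:
    """OS-style record: salted PBKDF2-HMAC-SHA256 hash, non-reversible.

    Holding this record lets you *check* a candidate password; it does not
    let you recover the password itself.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored verifier."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative counter-mode keystream from HMAC-SHA256 (assumed here
    # because the standard library has no AES). Not a production cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap_password(password: str, key: bytes) -> dict:
    """Browser-style record: the password encrypted under a key the browser
    holds, so that autofill can get the plaintext back out."""
    nonce = os.urandom(16)
    plaintext = password.encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return {"nonce": nonce, "ct": ciphertext, "tag": tag}


def unwrap_password(record: dict, key: bytes) -> str:
    """Recover the plaintext; anyone holding `key` can do this."""
    expected = hmac.new(key, record["nonce"] + record["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong key or record tampered with")
    keystream = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], keystream)).decode("utf-8")


def demo() -> tuple:
    """Run both storage styles on a constructed password and report:
    (verifier accepts correct, verifier accepts wrong,
     plaintext recovered from the wrapped record, wrong key recovers it)."""
    password = "correct horse battery"          # constructed sample
    browser_key = os.urandom(32)                 # key the browser would hold
    verifier = make_verifier(password)
    wrapped = wrap_password(password, browser_key)
    try:
        unwrap_password(wrapped, os.urandom(32))  # a different key
        wrong_key_recovers = True
    except ValueError:
        wrong_key_recovers = False
    return (
        check_password(verifier, password),
        check_password(verifier, "correct horse batter"),
        unwrap_password(wrapped, browser_key),
        wrong_key_recovers,
    )


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole point of the post: stealing the verifier record still leaves an attacker guessing, while stealing the browser's record together with its key (which, per the later posts in this thread, a same-uid process can usually obtain) hands over the password directly.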

Michael Wojcik Silver badge

Re: But shirley...

They can also attach to running processes. At least on Unix, no idea about Windows.

Windows as well. The design of the Windows protection model for userland processes is different from the UNIX one, but the result is broadly a similar protection model.

Windows has a more thorough use of object ACLs so the access determination is more complex and nuanced than just "source uid == target uid == target euid", but to a first approximation it's the same sort of thing. Particularly when you compare it with the whole universe of commercial OSes, some of which are significantly different (e.g. System i) or very different (e.g. Orange Book A1 systems like SNS).

Michael Wojcik Silver badge

Re: But shirley...

No, modern (post 1990s multi-user system) operating systems should manage the memory space for applications to prevent this.

This is simply wrong. Take Linux, for example. From the ptrace(2) man page:

EPERM The specified process cannot be traced. This could be because the parent has insufficient privileges (the required capability is CAP_SYS_PTRACE); non-root processes cannot trace processes that they cannot send signals to or those running set-user-ID/set-group-ID programs, for obvious reasons. Alternatively, the process may already be being traced, or be init (PID 1).

Consider in particular the bit about "non-root processes". Processes with normal privileges (non-superuser, without CAP_SYS_PTRACE) can trace processes running with the same uid and euid. That includes reading and writing process-private memory.

On Windows, similarly, a normal-privilege process can open a handle to another process running with the same security token, and through that handle manipulate process memory and even do things like creating threads in the target.

Security models for multiuser operating systems typically impose access-control requirements at user and system granularity: that is, access controls must protect resources owned by a user from other users, and system resources from invalid access by user-mode code. That's essentially how the Orange Book (which came out in 1983, by the way - your "post 1990s" date is way off) defines the C2 level, for example.

Michael Wojcik Silver badge

Re: But shirley...

... if you have 2 processes running under the same user id on a system, then 1 process can attach to the other and scan its memory anyway

That depends on the operating system. But I'll assume we're talking about UNIX-family OSes here.

That's why the resource isolation model in iOS doesn't simply run apps as conventional UNIX processes under the same ID. There's more information in the paper, or elsewhere.

Under Android, according to the paper, each app runs under a different UID. (I haven't bothered trying to confirm this from other sources.)

Michael Wojcik Silver badge

Re: What are all these papers good for ?

True, but I'm not even sure if this is that much about programming. It sounds a lot more like design, especially Apple's much-flaunted app sandboxing that seems to have been undermined.

Have you read the paper? It does discuss specific issues for app developers, even though the general problem probably can't be solved entirely at the app level.

In any case, saying this sort of research isn't useful for programmers is like saying research into the performance of building materials isn't useful for house builders. Yes, programmers are able to continue writing crap code. That doesn't mean it's impossible for them to learn to do better.

Michael Wojcik Silver badge

Re: What are all these papers good for ?

We need an easy-to-read overview of good security practices that does not just say "check your inputs" but details what to check and how to make sure. Is that available somewhere ?

All over the place.

If you're programming in traditional procedural languages, try Howard et al., 24 Deadly Sins of Software Security. Originally 19 Deadly Sins.... I think the first edition came out in 2005, so it's been available for the past decade.

Organizations like SANS and OWASP have been publishing "top ten" vulnerability lists for years. The main SANS list goes back at least to 2000. The OWASP list is specifically for web applications, though some of the concepts are applicable elsewhere. OWASP has a good wiki and other materials that describe specific remediation steps. There are many, many online articles that discuss these lists and remediation steps for the vulnerabilities they describe.

There are the Security Focus mailing lists. Bugtraq is the most famous, but they have a "Security Basics" list, and in the early 2000s there was a "Security Programming" (SecProg) list; the archives are still available at securityfocus.com/archives, along with those for VulnDev and others. Back in the day there was plenty of activity on Usenet groups like comp.unix.security.

And of course there are any number of more-general treatments that will actually teach developers how to think about security and develop with it in mind, rather than simply following a list of rules. There's the O'Reilly Computer Security Basics book (Russell & Gangemi), for example, or Anderson's Security Engineering - which is available free online.

Version 0.1 super-stars built the universe – and they lived all the way over there, boffins point

Michael Wojcik Silver badge

Re: God is bigger than the Bible

"Like morality, the subject of God's existence or lack thereof is a matter for philosophy, not science"

Seriously, you believe that?

Go on, explain how scientific epistemology applies to supernatural hypotheses.

Here's a hint to get you started: It doesn't. By definition. That's what "supernatural" means. There are phenomena that obey a set of what we hope are objective, consistent principles; those are the natural phenomena, and they submit to testing protocols that are designed to eliminate subjective bias. We call the set of such protocols "science".

There also may or may not be other phenomena which don't obey those principles. It's impossible, by definition, to prove or disprove the existence of such phenomena.

We can collect and analyze evidence for and against[1] specific claimed descriptions of such phenomena; and we can induce from that the probability of specific forms of such phenomena. So a scientific Bayesian reasoner can say, the evidence so far indicates the probability of these various claimed forms of supernatural phenomena is low. But that's as close as science gets to the question.

And some claims of supernatural phenomena are so rarefied that even those claiming them don't believe there should be any discernible direct evidence. The demiurge posited by the Deists, for example, is a "watchmaker god" that created the universe but does not intercede after creation. That is a supernatural thesis that is always and irretrievably beyond the reach of science, because it is a priori orthogonal to any possible empirical test or formal model of the consistency of reality.

(This is basic epistemology. What do they teach kids in school these days?)

[1] Thus far, pretty much solidly against.

How to hijack MILLIONS of Samsung mobes with man-in-the-middle diddle

Michael Wojcik Silver badge

Re: The Fix

Out of curiosity (my phone isn't one of the ones mentioned, and doesn't appear to have Swiftkey), I tried adding that to /etc/hosts using Terminal - my phone's rooted - but the root filesystem is mounted read-only, so I couldn't change it directly using the shell.

Haven't bothered trying to remount the filesystem or anything like that. I haven't spent any time learning about Android hacking; one of those things I might get into if I ever have any spare time. (I have Terminal installed because a computing device without a command line makes Baby Jesus cry.)

British banks consider emoji as password replacement

Michael Wojcik Silver badge

The division sign is an emoji?

Well, I suppose there are times I feel divided. Very well, carry on.

Michael Wojcik Silver badge

Re: I'm still trying to wrap my head around

This must be some new meaning of 'communicate' which I'm not familiar with.

You have plenty of company. Most folks here are broadly ignorant of the meanings of "communicate".

Michael Wojcik Silver badge

Re: I'm still trying to wrap my head around

It's not like complex sentences and refined thoughts are _always_ required to count as communication. A simple yes/no can be represented in a thousand ways, and many quick texts consist of nothing more.

Very true. Apparently many of the posters here don't understand how written communication works. But it's traditional for Reg commentators to complain about things they don't understand.

On the other hand, I always use complete sentences and preferred usage and punctuation in my text messages. It's worth dozens of curmudgeon points and bolsters my (already robust) feeling of smug superiority. It's the main reason why I only buy phones with physical QWERTY keyboards.

Hating on 'Like Farms': boffins trawl for Facebook fakes

Michael Wojcik Silver badge

Re: The Question Remains

It'd certainly be disappointing if a Reg article covering some research result didn't elicit at least one anti-intellectual whinge questioning its utility.

There's an arms race between "bot" automated and semi-automated manipulation of online reputation networks and similar resources (product reviews, etc), on one side, and detection of such manipulation on the other. It involves a number of interesting issues in information security, natural-language processing, and weak AI, not to mention higher-level disciplines like rhetoric and lower-level implementation details such as graph theory. So there are ample grounds for useful primary research.

Widely-used reputation networks like Facebook have economic consequences, regardless of whether you personally find them interesting. So there's motivation for applied research as well.

Microsoft finally finishes its PowerPC emulator

Michael Wojcik Silver badge

Re: Rosetta

Conversely, as an optional LPP for AIX 3.1, IBM offered an x86 PC emulator - RIOS POWER emulating x86. It wasn't terribly fast (it was an actual emulator, not a translator, if memory serves), but it worked. That was in 1991.

Emulating a '486 under RIOS POWER is a lot simpler than emulating a recent PPC generation, of course, particularly when performance isn't a major concern.

Michael Wojcik Silver badge

Re: What about the original XBox

A couple of months back I was playing Final Fantasy V on my Playstation 2. FFV was released in 1992; the US PSX port (part of FF Anthology) came out in '99. So it's around 23 years old now, and the binary I was running is 16 years old.

And yes, that's one reason why I'm not eager to "upgrade" to a "modern" console. There are still plenty of PS2 titles (and even some PSX ones) that I haven't gotten to that look interesting to me. A thousand indistinguishable FPS games, on the other hand, just bore me to tears.

Intel inside: Six of the best affordable PC laptops

Michael Wojcik Silver badge

Isometric pointer controls

instead of a trackpad it only has one of those clumsy nipple-pointers

"Clumsy"? Bite your tongue. Isometric pointers might not be to everyone's taste, but that doesn't make them clumsy.

I cannot abide trackpads, but I don't go around claiming they're a poor design.

Ah, well. Looks like the Reg has found another reviewer who can't see past his own prejudices and thus can be safely ignored.

Hey kids, who wants to pwn a million BIOSes?

Michael Wojcik Silver badge

Re: O RLY?

Indeed. One of the first things I did with my Lenovo Thinkpad L512 when it first arrived, I think four years ago, was pull updates from Lenovo. One was a BIOS update. Their installer hung and bricked the motherboard. Had to send the machine back and have it replaced under warranty.

That's a recent, stock-configuration laptop from a major manufacturer.

I haven't tried updating the BIOS on that machine since. (None of the fixes mentioned in the release notes for subsequent updates looked particularly compelling.)

I've flashed a couple dozen BIOSes over the years, mostly on Thinkpads. That was the first failure. But it only takes one.

Wikipedia to go all HTTPS, all the time

Michael Wojcik Silver badge

Re: Hmm...

With ANY in-the-clear transmission, your stuff can be altered in-flight by any relay.

And MY threat model is the BEST threat model and everyone must subscribe to it.

But, sure, use HTTPS for everything. Given the hundreds of dodgy CA certificates present in the popular browsers, and the constant stream of other HTTPS vulnerabilities, all you'll accomplish is slowing things down for everyone. And gaining an opportunity for vapid self-congratulation and corporate PR, of course.

Michael Wojcik Silver badge

Re: Playing to the gallery

caching would actually work against you rather than for you since there's a chance you'll miss an edit

If only HTTP/1.1 had a dozen mechanisms to address that issue. Oh, wait....

Michael Wojcik Silver badge

Re: Playing to the gallery

my initial thoughts are simply "Why?"

Because all-HTTPS is the religion of the month, as the many downvotes to your post attest.

The cryptofanatics brand all threat models but their own as heresy. Everything must be encrypted! Do not question it!

But... I... like... the... PAIN! Our secret addiction to 'free' APIs

Michael Wojcik Silver badge

Re: Report of Silverlight's death is an exaggeration

Nothing I use anywhere is based on Silverlight. No web site I use makes any mention of it.

Thanks! I always find your personal anecdotes are compelling evidence for the general case. Indeed, when faced with any question, I simply ask myself, "What does Monett say?".

Michael Wojcik Silver badge

Re: Not an OO world

Abstraction of interfaces to avoid hard dependencies on third party software is a concept that predates OO by some considerable time span

Here's a computing-folklore debate: how far back does it go?

Clearly abstraction in software development was a concern in some sense at least as far back as LISP (1958), and arguably for FORTRAN (original design 1954, implementation a couple years later) and AUTOCODER (first implementation 1955). AUTOCODER, for example, introduced the idea of assembly macros, which are certainly an abstraction mechanism.

But when did programmers start saying, hey, it'd be a good idea to create interfaces that abstract away from implementation details in other components, to insulate us from changes to those components? According to El Wiki, JOVIAL introduced the idea of separate data definitions used by multiple components (the "COMPOOL") in '59. Early FORTRAN and COBOL had some concept of modularity (FORTRAN subprograms and COBOL programs), but there wasn't much abstraction - it was basically a matter of "switch control flow and fire some data at the recipient and hope our definitions match".

Simula introduced OO encapsulation in the late 1960s. So we can probably say that the idea of using abstraction to insulate a program from changes to its partners originated in the mid- to late-1950s, and was elaborated during the 1960s.

So, roughly speaking, we can say that programmers who haven't learned that are about half a century behind the state of the art.

Facebook: Your code sucks, and we don't even have to run it to tell

Michael Wojcik Silver badge

Re: There would be a very simple metric

Researchers studying software engineering have devised dozens of such metrics. Surprisingly, not one has proven to be a silver bullet.

Michael Wojcik Silver badge

Re: "Please do our homework for us"

If you'd read (and understood) the linked material on separation logic and bi-abduction, you'd know how wrong you are. But I realize it's easier to be rude than correct.

Michael Wojcik Silver badge

Re: Scientific code is often VERY ugly

I'll let you in on a secret: business code is often very ugly, too. There might be a lower incidence of one-off programs that end up reused after all, but all the other ills of poorly-written software are common.

Writing maintainable software is in some respects like every other sort of writing: doing it well means a lot of additional work, including organizing, drafting, rewriting (anathema to many programmers), and so on. In fact, you can take many models for the text-writing process, or similar models such as Aristotle's rhetorical canons, and find close equivalents for aspects of creating maintainable software.

In other ways, of course, writing software is very different from writing prose. But programmers often forget that when they write software, they're writing for two audiences - machine and human - and neglect the latter.

Michael Wojcik Silver badge

Re: Nothing like reinventing the wheel...

Even the fastest static-code analyzers for C-family procedural languages can't offer the kind of speed Facebook is claiming for Infer on large code bases. That's rather the point of what they're claiming as innovative (separation logic and bi-abduction; read the materials linked in the article). Static checkers like cppcheck are plenty fast enough for a separate check stage, but not really fast enough for continuous near-real-time operation while programmers are writing code. Infer might be.

Personally, I'm not terribly fond of real-time error detection in the IDE while I'm writing code, but a lot of developers seem to like it. So that appears to be fairly novel and valuable to some people.

And Findbugs is for Java, and PMD only does source analysis on Java, Javascript, and a few other targets, so they're really not comparable anyway. Splint or cppcheck would have been better examples.

Michael Wojcik Silver badge

Well, you can have a "potential bug" if you have a code path containing an invalid operation that's not reachable in the system as it now exists, but could be made reachable by a future change, for example. I see a lot of these in real-world code, particularly in rarely-exercised branches like error handling for failure modes that are difficult to reproduce. You can also find them in partly-implemented features that aren't enabled yet and so forth.

Another example is code that relies on unspecified behavior which may change, e.g. due to a toolchain upgrade or changes in build configuration. Use of uninitialized variables in C programs is a typical example - often the actual run-time behavior will be different in "debug" and "optimized" builds.

One of the benefits of static analysis (over dynamic analysis[1]) is that it can identify possible bugs in such dormant code, before they're activated by changes during maintenance and enhancement.

[1] Which of course has its own advantages over static analysis.

Teaching kids to code is self-defence, not a vocational skill

Michael Wojcik Silver badge

Kids must be taught construction

When children born this year graduate from high school, most of them will be living in buildings. It's vitally important that they understand carpentry, plumbing, and electrical work.

In the future most young adults will eat food. Food presents a tremendous range of attack surfaces, from poor nutrition to food allergies to food-borne diseases to slipped mickeys. It's vital that children be taught to cook.

The children of today will almost inevitably wear clothing. If they don't know how to sew, they won't be able to correct even the simplest of wardrobe malfunctions.

Many people, at some point in their lives, will cross bodies of water, ravines, etc on bridges. Without a solid grounding in engineering, how will they know whether those bridges are safe?

And, really, how can we continue to let our children breathe without teaching them basic atmospheric chemistry? It's madness, I tell you.

Au-mazing! Cornwall sold GOLD to Ireland back in the Bronze Age

Michael Wojcik Silver badge

Selling? Trading?

Because while raiding works, in the long run commerce generally proves to be more profitable. It requires less labor and involves less risk, and it's open to a wider range of entrepreneurs because it doesn't emphasize personal physical capabilities. And it can (and will) be done in stages. Even barter societies usually come to recognize this eventually.

And that's why we find, for example, copper sourced from the Great Lakes in artifacts from ancient cultures in what's now Mexico. Salable goods were traded along the river systems of the Midwest until they reached the Mississippi (where they could be concentrated in Cahokia, for the period when that was a thing), and gradually made their way south. It would have been absurd for, say, the Aztec to try to raid Michigan - completely impractical. But trade along that route is entirely feasible.

ROBOTS in sinister public-relations push ahead of coming WAR ON HUMANS

Michael Wojcik Silver badge

Re: To many Robots already

Lazy stinking robots. Just sitting around running off the free government electricity. They should all cut their nonexistent hair, polish themselves up, and get a damn job.

Chips can kill: Official

Michael Wojcik Silver badge

Re: Acrylamide toxicity is nothing new

Yet so essential for sustaining life. That's one hell of a paradox.

I suppose it is, in a poetic sense. But it's really not surprising. Life depends on a wide variety of chemical reactions to 1) store and release energy and 2) build and dismantle complex molecules (for purposes other than storing and releasing energy, such as creating physical structures and managing information). That means it depends on having reactive elements available.

As atmospheric oxygen concentrations increased, it was highly improbable that something wouldn't evolve to tolerate and make use of the stuff, because once some mutation permitted that, it gave the organism a significant advantage in that niche. A bigger bang for its buck, shall we say.

And, yes, the gradual change from a reducing atmosphere to an oxygen-rich one was tough on the early microbes that had evolved to live in the former. But such, as they say, is life.

Michael Wojcik Silver badge

Re: Concentration

Not only that, tap water is quite lethal even consumed the usual way. In sufficient quantity, that is. And no, I'm not kidding at all - people died.

Yup. Browsing various sources at the NIH and CDC website suggests hyponatremia mortality is most often seen in post-operative patients during hospital recovery, but there are a number of documented cases among athletes (e.g. marathon runners) and in the military.

Deaths due to dehydration are still a lot more common than those due to overhydration (not surprisingly, since there are many causes of dehydration - illness, infirmity, and not having any water around), but hyponatremia is definitely a real thing.

Mainframe staffing dilemma bedevils CIO dependents

Michael Wojcik Silver badge

Re: Why aren't people learning about mainframes?

how is someone going to gain experience with a mainframe if they are unaffordable and generally unavailable?

Get a copy of Bob DuCharme's Fake Your Way Through MVS. Free as a PDF, or you can get a bound copy from Lulu (I think it's still available there).

Download and set up Hercules. Free.

Read the relevant IBM manuals. Free.

Want to learn COBOL too? There are free compilers, including the MF personal edition and OpenCOBOL. Used and remaindered copies of various textbooks can be had cheaply.

As Derek noted, there are also a number of colleges and universities offering relevant courses.

Michael Wojcik Silver badge

The anecdotes I've heard aren't encouraging. (Note that I'm not really in this particular field myself, though I occasionally write code that runs on zOS.) From what I've seen, some folks do find organizations that admit the problem and are willing to pay appropriately for the relevant skills, but other people only get offers with unreasonable terms, from organizations that think they can just outsource the work.

I suspect that attitude will gradually change, as the mainframe skilled-labor market continues to tighten and organizations want more new features for their mainframe applications. On the other hand, I'm also seeing - again, anecdotally - improvements in skill sets from the outsourcing firms working in this area. So competition won't disappear.

Michael Wojcik Silver badge

Re: pay

Not so much a lack of money, as an unwillingness to spend it until the situation becomes critical, I think.

Michael Wojcik Silver badge

You say this as if it were a bad thing.

Surliness is an indispensable asset for a zOS systems programmer.

Online identity woes can only be solved through the medium of GIF

Michael Wojcik Silver badge

Oh, I'm sure they're being taken into account, as an excellent example of how not to do this sort of thing.

X.509 is a beautiful demonstration that however complicated and unwieldy a problem is, you can approach it with a solution that is even more complicated and unwieldy.

Michael Wojcik Silver badge

Surely this comment demands a link to the useful Wikipedia section on how GIF is pronounced.

(JFTR, I use the soft-g pronunciation myself. But teach the controversy!)

Config file wipe blunder caused deadly Airbus A400M crash – claim

Michael Wojcik Silver badge

Re: Lack of imagination when thinking up things that can go wrong.

"Soulless, emotionless, remorseless, unfeeling, unthinking drones" maybe. But that's being very, very polite about it.

Certainly abuses by the TSA are legion, and actual threats caught by them rather difficult to identify.[1] Yes, they confiscate all manner of stupid dangerous crap from passengers, but we went for decades with people bringing that junk on planes without widespread disaster.

And while TSA personnel are not Federal officers or LEOs of any sort, many often act as if they are; and many have a penchant for getting local LEOs (particularly the petty-martinet sort which plagues the US police state) to do their dirty work for them.

But that said, I have to say that my experiences with the TSA at my local airport have been, I believe, universally pleasant. That's because I fly out of a small regional airport, where crowds and queues are almost nonexistent and folks are generally relaxed and in a good mood. I avoid flying out of hubs whenever possible - and when I do, I try to go to a less-busy security checkpoint (like the Concourse E/F checkpoint at O'Hare). It makes a world of difference.

And, for what it's worth, when I have a good experience with the TSA, I do thank them. Nothing wrong with returning courtesy for courtesy, regardless of what I think of the institution.

[1] As documented by any number of sources. Schneier has a number of pieces on the subject. Kevin Underhill collects idiotic legal moves by the TSA in his delightful Lowering the Bar blog. And there are various more rigorous studies.

Nobel bro-ffin: 'Girls in the lab fall in love with me ... then start crying'

Michael Wojcik Silver badge

Re: Non-subjunctivist feminists

AC is certainly not literate. "as if" requires to be followed by the subjunctive

So - you're an idiot prescriptivist who doesn't understand linguistics or English usage, and you can't come up with a less awkward phrasing than "requires to be followed".

Maybe you should come back after you've learned to write in a marginally articulate fashion.

Or, better, just stay away.

Michael Wojcik Silver badge

Re: Why Paris

Winnie from the wonder years has turned out to be a rather lovely looking lady and has the maths cred as well

Well, it's one paper she's known for, really, and co-authored with two other people. But it's a good paper on the statistical mechanics of magnetic domains and, AIUI, an important result in that area, even if it's only for the 2D case.

(There are a few pieces online that explain the theorem without going into all the gritty details, and it's worth a look if you're at all curious about what goes on in the world of statistical mechanics, which is interesting in terms of scientific epistemology. Statistical mechanics is basically a way of saying, look, we can't model all this stuff individually - it's infeasible - so let's consider the average, aggregate behavior. Then work like this proves formal consequences of those approximate models. It's a much more sophisticated view of scientific thinking than grade-school explanations of "the scientific method" and other middlebrow glosses.)

HP coughs up $100 MEEELLION to settle Autonomy lawsuit

Michael Wojcik Silver badge

Re: the hp way long gone

Also don't forget the billions HP will make when the memristor comes out in 2014. Oh wait.

Yup. HP's messiah component is delayed again.

Of course, some IT technologies have taken a long time to mature, and then became commonplace. LCD screens, for example - TFT was invented in '74, but we didn't have good IPS-based color LCD screens for another 22 years. Now they're everywhere. Or flash memory: Toshiba introduced NOR flash commercially in '94, but it took another 11 years for NAND-flash removable memory products to appear. Again, they're now ubiquitous.

But more often, these much-heralded technologies stumble along for a while but never become more than niche products. And NV memory certainly has its share of losers - remember bubble memory? HP's memristor chips sound good on paper, but until they have usable product available it's hard to be optimistic.

MONSTER GALAXY spotted hiding behind IMMENSE BLACK HOLE

Michael Wojcik Silver badge

Re: Our location...

(Not sure if that's a sincere question or a joke...)

By definition, we're exactly in the middle of our Hubble Volume, which is the same as the knowable universe. Whatever we find out about the knowable universe becomes part of the "known universe".

And nothing we do can ever have an effect outside our Hubble Volume, so "knowable universe" is a suitable proxy for "entire universe" for nearly all purposes.

That's one possible answer to the question of "where are we in the universe"?

Another interpretation is "given what we believe we know about the universe, or think is the most plausible among various theories, how are we situated among much-larger-scale structures"? I don't really follow the field, but the latest I've seen is that the Milky Way is part of a galactic supercluster astrophysicists call "Laniakea", which is really quite large, and that is part of a larger arrangement of superclusters that's so big that "where are we inside it" isn't meaningful.