Posts by Michael Wojcik

Re: You sure must love driving

Also I think you are thinking more of Kansas, Nebraska or Oklahoma than the mountain west.

Oklahoma has lots of nice scenery, particularly in the east, though there's a good bit to see in the west, too (eg the Gloss Mountains). I agree about Kansas and Nebraska, though. Everything west of the Flint Hills in Kansas on I-70 is nightmarishly dull. (Things perk up a bit if you get off the Interstate and on to more-local roads.)

Re: You sure must love driving

I've never done the entire drive from Denver to T or C, but I've driven pretty extensively in northern New Mexico. Some of the scenery is beautiful. I'd take the scenic route: Denver to Colorado Springs to Raton, Taos, Santa Fe (stop in Española for lunch; the food's much better), Cline's Corners, Encino, then west on US 60 to T or C.

Or, if you want to make it a bit faster (but to my thinking less interesting), go from Santa Fe straight down I-25 through Albuquerque to Truth or Consequences. There's some stuff to see in Albuquerque's older districts. I'd rather detour down US 285, though.

To my mind it's a much better drive than, say, going through central Kansas on I-70, or central Nebraska on I-80. When I head out that way I drive the Oklahoma panhandle just to avoid I-80 in Kansas.

Re: Fast Food Recommendation

No Blake's I've been to puts "green chile sauce" on their burgers. They take sliced green chiles, slap them on the grill to heat 'em a bit, and put them on the burger. As it should be.

(In New Mexico, "green chile" can refer to the chile peppers themselves, or a stew - not to be confused with "chili"¹ - made from green chiles, often with ground pork, and sometimes other ingredients. Green chile the stew, properly prepared, is also delicious, but doesn't work well on a burger because it's too loose.² Thus green-chile-the-pepper is used directly for that purpose.)

¹Chili, though also any of a wide variety of stews featuring chile peppers, traditionally contains tomatoes and always employs some starchy thickener - not generally part of New Mexico red or green chile.

²One can of course make a sort of open-faced sandwich, to be eaten with utensils, from the combination. Along these lines we have the legendary Poor Man's Benedict at Michael's Kitchen in Taos: Fresh bakery roll, sliced; shaved ham; poached eggs; cheese; and green chile stew (made with ground pork) ladled liberally over the whole. You can also get it red or Christmas, of course, and with other variations.

Re: If it works, don't fix it.

Ok, so there should have been a parallel system to failover to.

There is a parallel system, and NATS failed over to it successfully when the initial problem occurred.

There wouldn't have been a publicly-visible incident at all, except for a second failure, this time restoring the network link between the two systems, and an aggravating factor, which is that once NATS downtime reaches a small critical threshold (I think the earlier Reg article said it's about 8 minutes), the overhead of delayed and diverted flights cascades into a major air-traffic interruption.

You can of course argue that there should have been a parallel network link. Or, perhaps better, two backup systems and redundant links among all of them.

There are three problems with that line of reasoning:

- Empirical research shows partitions will still continue to happen, and applications will still have downtime. There's a good article in the September issue of CACM on this topic.

- More components means more complexity and more opportunity for harder-to-diagnose failures.

- Greater costs, in physical assets and staffing.

The underlying issues are 1) air travel is oversubscribed - too many planes in the air, too many flights scheduled, too many people traveling for the system to have much margin for accommodating transient errors. And 2) complex systems are complex. They're expensive to change, particularly when you want the result to be better, by various metrics, than the one it replaces.

There's no simple fix. "They should have a parallel system" is just pointless hand-waving. (On the other hand, Vince Cable is clearly an ignorant jackass, since his diagnosis is orders of magnitude less accurate and useful.)

Google should not be manipulating anything, including search results

Without manipulation there are no search results. They're the results of human-designed, machine-implemented algorithms operating on data. They don't exist in nature.

And, of course, the entire value of Google's search results to the end user is in their "manipulation" (i.e., ranking).

Re: Region Locks

Why would you even need a BluRay player these days?

Good question. I've never figured out why I'd need a BluRay player any day. To play BluRay disks, I suppose, but I've never felt the urge to do that. Seems like on the rare occasions that I want to watch recorded video, it's available on DVD, or on-demand from my cable provider.

Re: .immo

How disappointing. I thought we finally had gTLDs for asteroids. Or obscure bishops.

Either of those would be as useful and sensible as all the other gTLDs I've seen. Or the concept of gTLDs in general.

Re: Driverless internet gypsy cab? What could go wrong?

There's an aviation gag about modern planes being designed for a pilot and a dog. The dog's there to make sure nobody touches the controls, the pilot's there to feed the dog.

I remember seeing this joke¹ in a press release from Lawson Software in the mid-1990s. Wikiquote suggests Warren Bennis coined it around 1991.

Personally, I think the challenges facing driverless cars are rather greater than those faced by human-supervised fly-by-wire planes. Even given the dismal safety performance of human drivers, I'm in no hurry to try the former. Once they have a record of good performance in widespread deployment over several years, perhaps.

¹I use the term loosely.

Re: problem...

wouldn't that be legally considered as entrapment?

IANAL, and who knows how courts would interpret it; but I can see an argument that it's not entrapment. You're not enticing someone to commit a crime. First, you're not communicating with the driver directly - you're just publishing a notice via the app. Second, they've already agreed, in principle, to commit a crime, and you're merely suggesting where it might occur.

Re: billion?

it's an app, some developers, and a yacht

Based on the behavior of Uber devs and execs, I'd guess they also have a tidy amount of alcoholic beverages available.

Re: Maintenance

They won't repair themselves but if your taxi driver repairs their car you probably should be looking for another taxi driver.

Good luck with that. In the US, at least, apparently it's quite common for taxi companies to hire drivers as independent contractors and make them repair their own vehicles.

The one thing that bothers me in general about this is that these corporations are not people

This is the US. Corporations are people here.

Re: Use the tools, Jules!

I'm sure it would have generated an "unchecked possible use of null pointer" report on the mentioned bug line.

That's a very bad thing to be sure of.

Anyone with extensive experience with static-analysis tools for C knows that they suffer from a lot of false positives, a lot of false negatives, or both. Some are better (sometimes much better) than others, and most are worth using. But they will not catch everything, unless they emit so many spurious warnings that they're useless; and using them against a large, old codebase is a major project.

Dynamic-analysis tools have their own limitations too, of course.

That doesn't mean analysis tools shouldn't be used. As Peter van der Linden wrote in Expert C Programming, one of the worst decisions in C's history was deciding to make lint a separate program; that applies even more for more modern analyzers, including free ones like splint and cppcheck. But they're no silver bullet.

How does a large critical opensource project not use free tools?

But all such projects do use those tools - unless, of course, none of the unpaid volunteer developers who work largely without supervision on projects that interest them personally take the time to do it.

How does anyone drive a car without checking the tires and lights before every journey? It's free, after all.

They're open source. Are you volunteering to do the analysis?

Re: No worries...

I'm always wary of stories of how much some people claim to be involved with computers in the early to mid 80's, most of these stories are BS...

And you know that how?

There's some BS here, all right, but it's not from those of us who were programming in the '80s.

Re: No worries...

1987? I don't think there was anything we could call the internet then.

There most certainly were both internets and the Internet in 1987. The IP Internet had existed since 1984, and the NCP Internet before then.

No, there was no HTTP, much less graphical browsers. But the Internet is not the web. Hell, we even had SMTP in '87.

Re: No worries...

X's biggest problem stems from the era it existed in. Back in the days when the Internet was entirely inhabited by academics and military people.

Neither of those statements is particularly accurate.

X was a product of Project Athena, and was incorporated into the Andrew Project as well. It was initially used by highly-knowledgeable students at MIT and CMU, who were both capable of and motivated to find security holes (if only for their own amusement). X11R1 included quite a range of security features, and there was much discussion of their relative merits. Don't forget it was contemporaneous with Kerberos, also a product of Project Athena; PA made network security a primary goal.

And while the NSFNet backbone prohibited commercial traffic in the '80s, there were other Internet backbones, and some commercial entities used NSFNet for non-commercial traffic. There very definitely were commercial users on the Internet in '87.

According to the announcement linked to in the article, the '87 core protocol bugs are all integer overflows. That class of bug was not visible as a security issue in 1987 (at least in public discussions; who knows what the spooks might have been up to?).

Prior to Levy's "Smashing the Stack for Fun and Profit" article in '96, stack-smashing in general was not broadly seen as a major security threat - despite the Morris worm using a stack overflow as one of its attacks. (There was a perception that stack-smashing was too difficult to leverage in general.) Integer overflow attacks, as a special case of stack-smashing, didn't become prominent until the early 2000s.

Re: "X Windows"?

Argh gonna drown myself in bleach.

No no no. Retcon it as a successful attempt to troll old X hands. Success!

(That said, I admit I upvoted the original post too, since I've been using X11 since, oh, 1988 I think. Probably still have the protocol and xlib reference books around somewhere.)

Re: Android

It's tough to compromise software that never runs.

IE settings

This used to be a tick box option in IE IIRC.

You've neatly identified a number of the problems with a typical X.509 PKI implementation:

- IE had multiple checkbox options for PKI, buried in the "advanced settings" where few dared to tread. Some were for CRLs; some were for OCSP. How many people knew what they all meant, and knew how in practice they were likely to interact with real-world threats? Almost none.

- IE settings are per-user, so to use them to improve organizational security, you have to enforce them with group policies or the like. How many system administrators get around to doing that - assuming they understand the problem in the first place?

- IE PKI settings don't control what Windows does with code-signing certificates, so they wouldn't have helped with this attack anyway.

Putting a GUI on top of end-user PKI configuration does not significantly improve security.

Or is connected to the net when the malware is run.

When Windows updates its copy of the relevant CRL, you mean. CRL updates aren't necessarily done at time-of-use.

Now, had you been talking about OCSP...

Of course, the broader point remains. The commercial X.509 PKI system is wildly broken, and revocation is one of the areas in which it's especially wildly broken. Neither CRLs nor OCSP work very well. The mechanisms are fragile, many of the failure modes are unsafe and silent, the incentives are perverse, and most users have not a fucking clue how the whole horrible mess is supposed to work (and why should they?).

Re: Changes in circadian rhythms

We are not fruit flies

Tut tut. On the Internet, nobody knows you're a fruit fly.

Re: @User McUser

How does the presence of reflectors on the Moon prove humans personally put them there? The argument is not that we haven't landed things on the Moon, but that we haven't landed people on the Moon.

Obviously the Moon landings were faked to cover up the fact that aliens put the mirrors there, shortly before crashing into New Mexico.

(On a slightly more serious note, I have to say this thread is pretty entertaining, with several people arguing earnestly over the most basic issues in epistemology as if they'd never been considered. Folks, there's no way to prove, beyond all doubt, that the Moon even exists, much less that a handful of dudes kicked about the place. Descartes among others demonstrated that centuries ago. The best we can do is pick an epistemology that seems relatively robust and reduce the amount of trust we have to place in our senses and mental faculties. That's called "science".)

Re: You can't use science to disprove theories not based on science

Oh yes you can.

No, you can't. A proof under one epistemological regime isn't applicable under another.

Of course, "prove" and "disprove" are at best terms of art (if not informal infelicities) under scientific epistemology. What the present study has shown (apparently - I haven't read it) is that there's strong evidence against the hypothesis that a particular mechanism might have a carcinogenic effect in humans. That's all well and good,¹ but it says nothing about the myth that mobile phones, power lines, etc cause cancer. The latter is not a scientific hypothesis and is not subject to scientific argument.²

Now, one may on occasion convince someone to exchange a non-empirical belief like that for a similar scientific hypothesis, and then present evidence against the latter. Usually we hope to do these two things in the course of a single argument, felling the presumed-false belief in one swoop. We like to imagine this happens rather more often than it actually does (according to methodologically-sound psychological studies). In point of fact, people are rarely convinced to abandon beliefs they hold dear.

¹I've never found any of the "EMF causes cancer" hypotheses plausible, personally, but "sounds dubious to me" doesn't carry much weight in scientific epistemology, and for testable hypotheses, that's the best epistemology we have.

²Some will argue that such beliefs don't deserve the label "theory". They're free to take that position, but since they have no means of enforcing it and "theory" is a word in common use as well as a term of art in some disciplines, they haven't much of an argument to make either.

Re: Children under 12 should be playing

They should be earning their keep being stuffed up chimneys surely?

Are they allowed to smoke there? Is it considered "indoors"?

Re: clop clop clop

Rainbow Dash is kinda hot.

Well, yeah, from air friction. Mach 5 will warm you right up.

But Rainbow Dash isn't a unicorn, so she's ineligible for this category. (The judges would allow Twilight Sparkle, from her pre-alicorn days.)

Re: $41 Billion of nothingness

Indeed. I don't even see any significant IP here. At least with Instagram and some of the other hyper-valued app companies, there was some reason to believe a good portion of the user base would remain loyal customers if someone else bought the app. I can't see any reason why Uber users wouldn't switch to another app and firm if Uber crashed - there's no special user experience with the app, as far as I know. (I admit I haven't used it myself, as I have no desire to ever use Uber or the like.)

I admit I've never encountered it, but that's because I found NuGet so awful the first time I tried it, I never went back.