Reminds me of the myth going around last winter about the government spraying some chemical into the air which was creating unmeltable snow. All kinds of YouTube videos of people holding up a cigarette lighter to snow, and it "not melting" and "turning black as the chemicals burn." Yes, it was bullshit, but people could go outside and grab their own snow and do the experiment, and when they got the same results, they were all like "OMG, it's true!"

My sister had enough sense to realize it was bullshit and brought it to my attention for an explaination. The snow melts, it just doesn't melt quickly because melting isn't as simple as "raise it from 31 degrees to 33 degrees" as the amount of heat required to do that is the same amount of heat required to heat it from 33 degrees to 177 degrees, and so it isn't going to happen as instantly as people expect. As for the black, that's from the chemicals in the lighter flame, as the cold and the moisture cause incomplete combustion, depositing carbon onto the snow.

...or, as the mythbusters did, one might set up an experiment where you toss a little extra CO2 into a cubic meter of air and observe that it now captures more heat than the control, completely ignoring that the environment is a complex system with feedback loops and regulation mechanisms that make it incredibly difficult to model.

I remember years ago when I first set up MythTV, and set it to record MythBusters. It eventually recorded the episodes from the first season, when they still did several myths per show, but finished one before starting on the next one. Watching those episodes was like heaven compared to the newer format. No "this is coming up later" and "this happened earlier" segments both before and after each commercial break. You have to wonder how much interesting footage they're leaving out so that they have time for all of those recaps.

Sounds like quite an overestimate to me, just not so far over that it is patently obvious.

Vacuuming isn't something people enjoy doing. It's a "get it done" activity. So, what, a few minutes on each floor in the house? So 15 minutes for the whole house? Then we have to figure that several people live in that house. Also, I'm not sure about every ten days. I'm sure some people vacuum that often, but others probably don't vacuum at all. (no carpet in my house, also, some people with carpet just don't care to vacuum more than once every six months) So, every three weeks maybe? So, 0.25 hours / 5 citizens / 21 days * 356 days/year = 0.9 hours/citizen/year.

I think it's a serious over-estimate, but obviously, without either of us knowing the actual numbers, neither of us really knows.

...and they'd do good to emphasize that, and also, avoid exaggerating other claims.

Part of the problem with CFLs ten years ago was that the packaging advertised that you'd save $230/year and that they would last for a decade. Then, some of the early ones would go bad within a few months, leaving people to feel like they were a complete waste of money.

The smart thing would be to have a table on the back of the box, showing "if you use a bulb ___ hours a day" and indicate both how long it takes to pay back the initial investment for the bulb and how much you'll save after that and how long the bulb will last being used that much. I use my bulbs eight hours a day at least, which means using a 25 watt CFL vs. a 100 watt incandescent saves me $2.34/month, and so even when the bulbs were $5 a piece and dying a few months after purchase, they were still saving me money. ...but the box didn't say that, because it was focused on something ridiculous like one hour a day of use, just so that they could claim the things would last 20 years. Maybe in sunny California people only use their bulbs one hour a day, but where I live, the skies are overcast all winter long and so if you don't turn on some lights in your house during the day you're going to end up with a sleep disorder. So people buy the bulbs which claim to last at least 10 years, use them 10 times as much as the people who wrote the info on the box assumed, and when the things die in six months (still earlier than indicated even in terms of lifetime hours, because just like the manufacturer underestimated daily usage, they also overestimated how many hours the bulb would last), they assume the bulbs were a waste of money and don't buy more.

Education only works if you're completely honest with people. Otherwise they detect some of your bullshit and assume everything else you said was bullshit too. Give them an expensive bulb that they're already adverse to buying due to the cost, tell them it'll last 10 years, then have it last not even as long as a cheap incandescent, and they're going to instantly forget any claims you made about it also saving them money on their electric bill. You already lied to them once, so they're not going to continue to trust other claims you make.

I imagine the reason this shit always comes down to passing a new law is because people just aren't that interested in education and choice. When they try education, they're not honestly wanting to educate so that people can choose what's best for them, they're trying to force someone to make the decision they want. So they exaggerate all of the positive features and completely fail to tell people what negative features to expect. It's manipulation, perhaps manipulation that is everyone's own best interest, but manipulation none the less. People don't like being manipulated, and so as soon as they catch on, they resist the "education" and go back to doing what they were doing before. So, having failed to control people with manipulation, they resort to controlling people with laws. It's the logical next step.

...and how does one use ps to detect malware? There's 272 processes running on my system right now. Ten years ago, when there were only 20, I knew what they all were. Now? No way in hell. So I don't even look at it anymore, and malware could just call itself "malware" in the process list and I'd never notice it.

However, even if it were still only 20 processes, here's some questions:

1. What prevents malware from choosing a legitimate-looking name. Like how in Windows there's a dozen "svchost" running, and so malware would be smart to simply name itself "svchost," as most people are unlikely to notice that there are now 7 of them when there should be only 6. On my system, malware could hide itself pretty well just by calling itself "xterm" as there's always at least a dozen of them in there.

2. What forces traditional viruses to show up? You know, the ones where they infect an ordinary program, thereby being executed every time that program is executed. Threads don't show up in the process list, so just infect a program and make it spawn a thread to run your malware, and now the CPU time even shows up in 'top' as being used by some legitimate application you've used for years and totally trust, even if it does occasionally do weird things like use a little more CPU time than you think it should be using.

However, this is all moot anyway. My problem with forcing people to run applications non-root is that it only makes sense if there's some root application that is able to detect malware. When you download Linux and install it, what do you get? You get a system that will prompt you for your fucking password all the time, but otherwise not complain about a damn thing any application does. Does an application constantly use half of your internet bandwidth sending spam? Well, Linux won't tell you it's doing that. Is it indexing your files and sending them to a remote server? Linux won't tell you. Is it recording your keystrokes as you log in to your online banking web site? Linux won't tell you. ...but god-forbid you attempt to set the system time, because Linux will intervene to stop you, and insist that you authenticate yourself before you do something so bloody dangerous, because, you know, it might be malware attempting to set the system time, and we can't allow that.

It's just retarded. Linux is 100% obsessed with protecting the Linux system itself, but doesn't give a fuck about protecting the user.

So this whole thread started with me suggesting that a better solution is application sandboxing, since aside from utilities that come with the OS anyway (like file browsers, archive tools, etc.) there are very few applications that need complete access to everything the user running the application has access to. So if you run an office application, the first time you run it, Linux asks what you expect it to do. You click "modify the occasional file I ask it to modify" and so Linux restricts its file I/O to what you give it access to via a file open/save dialogue provided by the OS, and also gives it its own little folder somewhere to store whatever data it needs to store, but doesn't grant it access to every file the user is allowed to access. It also allows it to present GUI windows and accept input from the user through them, but doesn't allow it full GUI access so that it can intercept keystrokes to other applications. If the application attempts network access, Linux tells you what it's trying to access, and you can approve or deny. If you deny, it tells the application that you did, and the application can try to make a case for why it needs that access, but you're still free to just say 'no' and the application can just not implement whatever feature it needs that network access for since apparently the user isn't interested. This is how real security works. You can download malware intentionally, run it in such sandboxing, and be in full control of what the malware does, rather than the malware being in full control of what your computer does. It's how it should be, and it pisses me off that everyone thinks that telling everyone "just don't run appliactions as root" and "don't run untrusted applications" and apparently now "just examine your process list now and then" is somehow good enough. It's not. People buy computers so that they can run software. Any solution that tells them not to run software is a solution that is not going to work, and I think everyone knows that and that's why they say "well, just don't run the software as root," but they're in denial about the problem if they think that is any sort of solution.

It's not that you're not running as root that is keeping your computer secure. It's that you're essentially not using it to its full potential. I mean, if you left it in the box, it'd be perfectly secure. Don't connect it to the internet? Still pretty secure. Connect it, but just don't ever run any software that didn't come with it? Not quite as secure, but still not too bad. Download only well-known software? Less secure, but not the worst. Download anything that claims to do anything you're interested in doing? Now you're almost doomed to get malware.

Current security advice is essentially "use your computer, but don't use it too much." It's bullshit. The purpose of computers is to run software, and our operating systems should be able to do that without it being a huge security risk. It's like running a prison. You can build individual cells, or you can house everyone in one huge room and just tell the warden "to keep your prison secure, you should keep only trusted prisoners, and avoid taking in just any random prisoner off the street." Then you build a little "root" tower in the center, and you put a good secure door on that, and indeed you manage to keep all of the prisoners out of the tower, but they're still shanking everyone in sight and climbing the prison walls to escape. ...but hey, it's all good as long as they don't get into the "root" tower, right? ...and besides, it isn't that the prison's security is poor, it's that damn warden who failed to properly screen the prisoners he accepted. So, I guess we'll just shoot all of the prisoners from the safety of the "root" tower, then pretend like the situation isn't doomed to repeat itself, because expecting the warden to screen prisoners and determine which will and won't be a problem before they're even in the prison is a perfectly acceptable thing to expect. I mean, it isn't like he bought the prison to keep prisoners, and so he expects to be able to do so, and telling him not to is essentially telling him to not use his prison for the only thing it is good for because it quite frankly isn't engineered well enough to be able to do it. It's just insecure to expect to be able to keep dangerous prisoners, and besides, everyone knows that as long as the "root" tower is protected, the prison is perfectly secure.

Yes, because anyone who disagrees with you is clearly just ignorant.

Very true.

...and they can do that without root, because frankly, there's nothing to hide from. How am I going to know there's malware on my Linux system?

I've heard of it. ...but it would seem to presume the machine has been rooted, in which case, like you said, stuff can hide itself if it's root. (I also remember it being rather useless for the average user due to too many false positives, but that's beside the point.)

Where's the virus scanner that every Linux user runs, which runs as root and detects the stuff that can't hide itself because the user didn't execute it as root?

In my experience, it's usually people just repeating junk they've heard but don't really understand, assuming that they know something when they don't.

What, just because something is a popular meme means that it is good security advice? I suppose kids drown if they go swimming after eating too. I mean, if everyone says it, it must be true, right?

I actually run everything as root. First thing I do with every Linux install is configure automatic logins, then log out, delete my home directory, symlink it to /root/, and change my username's user ID to 0. Tricks most of the software that pointlessly refuses to run as root into thinking that I'm not.

Never had anything go wrong. However, if I had, I don't see how not running as root would have made a damn bit of difference. So, what, the malware wouldn't be able to affect the system? Fuck the system, I can reinstall it. What I care about are all of my personal files which are 100% accessible to my user account.

...and what's more, everything malware cares about is accessible from my user account. It wants to send spam? My user account has network access. It wants to participate in a DDOS? My user account has network access. It wants to scan my personal files for sensitive information? My user account has access to my personal files. It wants to act as a keylogger to capture my banking password? My user account has the necessary access to do that. What exactly is malware missing out on by not being run as root?

So I always run as root. That way I don't have to play "simon says" with the command line, where I type "do something" and it replies "you didn't say 'sudo'" and so I type "sudo do something" and it finally does it. It's a pointless game as it doesn't protect me from anything, especially with the default settings where, after I type in my password, any sudo executions for the next five minutes get a free pass. Seems like any malware could just keep trying to run sudo until it works, assuming it had any reason whatsoever to give a fuck about the root account.

I'm really beginning to notice a trend with people who can't back up what they're saying simply telling me that I need to learn more.

I've made some arguments that support my belief that whether you run as root is irrelevant. Can you make some arguments that support your belief that it matters?

I don't mean sandboxing within Flash, I mean sandboxing at the OS level.

Executing a script is kind of sandboxing anyway. If the Flash developers screw that up, then that they also screw up a sandbox they tossed around it isn't much of a surprise. I'm sure they could add a few more sandboxes around that and still have things slip through.

What I mean is like how Linux is very good at preventing me from changing the system time without root permissions, perhaps when an ordinary user runs an application, it could be just as good at not letting that application open random files without the user's permission.

OSs are unforunately designed to serve applications, not users. If a program wants to intercept keystrokes sent to other applications so that it can catch your passwords, there's an API call for that. If a program wants to scan your entire filesystem looking for sensitive information, there's an API for that. If a program wants to run continuously without showing up in the GUI so that the user doesn't realize it's running, well, it doesn't even need an API call for that, as that's quite sadly the default.

Meanwhile, users have no easy way to see what the applications they're running are up to. Want to know if a program decides to access your personal files? Too bad, as not only does your OS not allow you to protect those files from random applications, it doesn't even offer you a way to see that an application is accessing those files. Want to know if any programs are currently piping data out to the internet? Hope you have a router with a useful link activity indicator, because your OS isn't going to tell you when your network is being used at all, never mind which programs are using it and how much they're using it, and it certainly isn't going to let you configure which programs can and cannot access the internet when you first run them, and it especially isn't going to give you easy-to-use fine-grained control over what the application is allowed to do (like blocking SMTP access to all programs by default, making it very difficult for any random software to become part of a spam botnet). Nope, the way you're supposed to ensure the security of your computer is to psychically know which programs are trustworthy and which are not.

To make this even more absurd, they then go to signed executables, so that we can trust that code came from someone we trust, because even if we honestly do trust Adobe to do nothing bad to our computers, and we're not simply using Adobe's code because we bought our computers because we need to get shit done and we can't get shit done if we don't run software, we've still go the issue that the completely trustworthy Adobe is rather incompetent and so even if they didn't intend for their software to do bad things, it will do bad things just as soon as someone figures out how to exploit it.

Obviously there's always the possibility for exploits, and so sandboxing won't be a perfect solution, but I think the kernel authors have a better track record in that regard than Adobe does. ...and of course, failing to do something at all isn't any better than trying to do it and being only 99% successful.

I've heard that Android almost did this correctly, with the list of app permissions you have to approve for each new app. The problem is that you then have to wonder why apps want each permission. So do you reject the app because it's asking for something you think it doesn't need, or do you assume (possibly correctly) that it has some feature which you haven't thought of that requires that permission and so it does have a legitimate reason to ask for it? If it were done correctly, you could just say no to any permission you don't want to grant, and the application would simply be told that it doesn't have it. Then if you go to use that feature, the application could tell you "I can't do that unless I have permission to access ____" at which point it either makes sense that it now needs that permission, or it still doesn't make sense and you can continue to say no while continuing to use the application for whatever else it is good for.

I mean, people buy computers to run software. It's dumb as fuck that they're then told "don't run software" because their operating systems are inadequately designed to deal with anything besides perfectly well-behaved software.

The saddest part of the whole deal is when I'm talking with kids about software programming and they want me to check out some program they've written and I then have to wonder "has this kid just discovered how to delete files and thinks it'd be a hilarious prank to delete them all?" Why can't I just run that program and trust that my OS isn't going to let it delete every file I own? I mean, just how many programs outside of my system's file manager do I want to have that kind of unrestricted access to my filesystem? It just doesn't make any sense that that kind of unrestricted access is the default, as I can think of very few pieces of software that need it, and every single one of them came with my OS, and so nothing I download needs that kind of access when I run it.

I'm not sure why you're imagining that this would be hard to do.

Granted, I haven't done video output, but I have done OpenGL output, and the OpenGL API is quite simple and there's nothing about it that enables one to take over the computer. I can have unrestricted access to the whole OpenGL API and all I'll be able to do with it is draw graphics on the screen, and being unable to do other things like read/write random files and capture keystrokes sent to other applications isn't going to affect my rendering speed at all.

Maybe the video APIs aren't presently designed the same way, but obviously for an idea to work well it has to be done right. I'm not suggesting we do it wrong.

I don't think Flash was ever about performance. If it was, someone forgot to tell its developers. I always thought its purpose was to fill in what some people thought were deficiencies in what web browsers were able to render, thus the vector graphic animations, and more recently, video support.

Would you even know? Perhaps if it's like Windows malware, where you end up with so much of it that the computer is unusable, but what if you only end up with one piece of malware which is careful to do things covertly?

Ten years ago you may have been able to spot malware with a simple "ps -A" but I don't even look at the output of that command anymore. There's so many processes running on my computer that any of them could be malware and I'd have no idea. ...and that's talking about malware that doesn't bother to hide itself by infecting another executable or at least adopting the same executable name as a daemon that's supposed to be running.

I'm curious why everyone thinks this matters. The only way I could see it making any difference is if you had a virus scanner, which could then run as root and be immune to any BS that the malware attempted as a normal user. ...but who has a Linux virus scanner? I know there's ClamAV, but I get the feeling it isn't for finding malware in Linux, it's for finding malware in email that passes through Linux. So what exactly do you prevent malware from doing by not allowing it access to the root account? Does it prevent it from accessing the internet to send spam? Does it prevent it from recording your keystrokes and sending them to someone else? Does it prevent it from accessing your microphone and bugging your house? Last I checked, I could record audio without 'sudo' and so I'm pretty sure a non-root piece of malware could do it too.

Telling people not to run processes as root is just ignoring real security solutions. Every application should be sandboxed, no matter what it is. For example, when I use a word processing application, why should it be able to read/write any file anywhere on my hard disk that I'm allowed to access? If it wants to read or write a file, it can make an API call that brings up a file open/save dialogee provided by the OS, which ensures that I'm giving it permission to access the files it reads or writes. As for storing settings and other random bits of data, the OS can provide it with a folder on the filesystem it has free access to, but to access anything outside of that, it needs to use the API for the file open/save dialogue. With this kind of security, you can open documents with all kinds of stupid scripting that takes over the entire application, but it's largely stopped right there, and can't access anything on the computer that you don't give that application permission to access. ...and it's all entirely transparent to the user, because they already open/save their files via a file open/save dialogue provided by the OS. The only thing that changes is that the open() system call is limited to a specific directory for each application to store it's settings/history data in. Very few applications need that sort of free access to the computer, and essentially all of them are provided by the OS itself, like the basic file manager, file archive/compression tools, etc. So it'd be easy to do, it'd provide real security, and yet rather than do that, all we do is tell people "as long as you don't run as root, you'll be perfectly secure" as if that makes any difference at all.

I mean, just imagine how secure Adobe Flash would be if it were sandboxed such that all it can do is get the web browser to perform HTTP requests on its behalf, and output audio and video? What would any exploit for it be able to do, besides make HTTP requests and display audio and video? ...but that's not how our computers work. For some reason our OSs allow applications we run to do anything at all that we ourselves are allowed to do on our computers, and everyone thinks that's not a problem.

If any modern OS had real security, you'd be able to download malware intentionally, run it just like you'd run any other application you want to use, and still remain safe since the malware would be unable to access anything you don't want it to access.

Do you win arguments like this?

I wrote a reply to everything you said, but as I was doing so, something kept telling me that I was just wasting my time. Then I saw that last comment and realized what it was. Nothing I say will change your mind. Can't quite figure out why I'm wrong? Well, just make logical errors like conflating distinct concepts like "occasionally required" with "popularity not declining," and where that doesn't feel like enough, just attack your opponent as well.

I imagine it might seem like you do win arguments that way, when people have the good sense to not bother to reply, and so you get the last word.

So we're stuck with email because people refuse to move on? Yeah, I'll agree with that.

Email will eventually die though. The young ones have already quit using it to communicate with friends. Newer businesses use newer protocols like RSS to distribute their news feeds. I'd have already ditched email entirely, except that too many people assume that an email address is something everyone has, and so without one you're a second-class citizen on the internet, barred from participating in online forums and from making online purchases.

Email is almost dead. I know too many people who, while they have an email account, it really isn't something they check every day. They just check it when they sign up for a web site account, or when they order something online, but otherwise ignore it as if it doesn't exist because it just isn't the best solution for anything it does, making it worthless for anything besides communicating with people who haven't yet figured that out.

Let me guess:

You often wake up to go to the bathroom, only to find once you're there that you really didn't need to go that badly. (Remember when you were a kid and you'd wake up in the morning almost ready to burst? That's normal. Waking up several times a night to empty a half-full bladder is not.)

Also, you sometimes have nightmares where you're running away from something, or doing anything that's physically exhausting, and then you wake up and breathe heavily for a while to catch your breath? (Guess what: Dreams are just imagination, they don't make you out of breath.)

I think you may have a sleep disorder. Specifically, either sleep apnea or upper airway resistance syndrome. In either event, lack of breathing will cause you to awaken, but by the time you're conscious, the problem is gone, so your mind doesn't know why you woke up. So it just blames the most annoying thing it can note at the moment: some really-not-that-loud noise, your not-that-uncomfortable matress, your half-full bladder, your kind-of-hungry stomach, or whatever. If it's bad enough, you'll end up so awake that you can't fall asleep again for hours.

The delayed sleep phase is due to your body having to make up some extra sleep, due to the poor quality. It wants to stay awake for 16 hours then sleep for 8, but ends up sleeping 9 or 10, and that just screws everything up.

You might also be able to get a guy with a broken foot to run if you chase him with a baseball bat, but no one would say that is because there's really nothing wrong with his foot. Cognitive behavioral therapy is bullshit. For those who aren't aware, it literally means "talk to the patient and figure out what they're doing wrong and tell them how to change it." So you keep suggesting shit until pure coincidence cures them (or merely makes them think they're cured) and take credit as obviously it was your advice that changed things, or you offer new advice every week until you're eventually forced to offer advice the patient just can't follow (like "get up in the morning anyway") at which point you can blame the therapy's failure on the patient's non-compliance. Like most of psychology, it's bullshit.

ADHD, though, is real. It just isn't what most doctor's think it is. There is one I saw on a television show who started testing kids with ADHD for sleep apnea, and cured quite a few of them of their ADHD with some oral surgery. Apparently he's the only person to think that poor sleep might result in kids who can't concentrate and who are hyperactive because being hyperactive is the only thing keeping them awake.

I actually think that most psychological problems are sleep disorders. Tired all the time, such that you can't improve your life or even enjoy it? That might make you depressed, right? ...and maybe, since your brain can't do sleep-things while you're asleep, it starts doing them while you're awake, and so you start having hallucinations. Then your sense of logic goes out the window, as it often does when people are asleep, and so everyone says you're delusional. I mean, just how many psychological conditions aren't known to be associated with sleep disturbances? Are there any?

...and then the drug of choice to treat ADHD is a stimulant. It's like we're just trying to keep the kids awake, to improve their concentration, and to make it so that they don't have to be so hyperactive in order to avoid falling asleep.

My guess is that the problem is that they sold out.

Simple fact is that the type of person Slashdot used to appeal to is like 1% of the population. The moment a web site catering to 1% of the population decides to become profitable, it's faced with a choice: Continue to serve that 1%, or change your content and appeal to a different but larger 2%, and after that, change it even more and appeal to 4% of the population. Never mind that you lost that original 1%, since you're only in it for the money.

Can't say I blame them. If I had a cool web site, and got to choose between having a cool web site or having a lot of money, I'd probably choose the money too. Of course, I'd probably also just go make another cool web site so that I could have both. It'd be nice if the Slashdot editors would do that so that the small portion of that original 1% which remains here can stop reading BS like this and just read their new site. It probably wouldn't even be any extra work for them, they could just take the Slashdot submissions they normally discard for being too intellectual and insufficiently emotional and just post them to their own site at the end of the day.