Comment Sum of all fears (Score 1) 165
Tom Clancy told us this in the Sum of All Fears, the great book; not the horribly butchered movie...
Tom Clancy told us this in the Sum of All Fears, the great book; not the horribly butchered movie...
press strike! that's brilliant.
I wonder why kim jong il never thought of putting the press on strike.
yeah it's pretty old hat as a feature.
it's getting to the point with fb that if they add ANY feature that adds any connectivity possibility or something then someone will quickly write about how it enables stalking, surveillance or something else.
well..
the mayor shouldn't been giving orders to the police in the first place.
anyways, that's how it's supposed to be in democratic countries. the mayor can make a report of a crime and the police could just then say that "hey man, that's not a crime."
Thank you for your answer. There is almost no end to the FUD stream, and as I said, it's hard to pick out the signal from the noise.
Many Interneted Thingies work fine on your own cloud. You can find alternatives that don't feed the big Googly database, but you have to shop carefully. Fitbit and Nest don't give you the option; but some of the home automation systems like Vera need no clouds at all.
Password: hedgehog, no doubt.
Would you like your food data shared with your insurance company? How about your weight? Your BMI went above 22 this month. Not good, lower it or else. Your running? You didn't meet your jogging goals for the week. That's it, we're raising your health care premiums. That's a lot of beer you're drinking, and you put a lot of miles on your car, so it looks like we'll have to cancel your auto policy because statistically you're likely a drunk driver.
If you say "OK, share my data", it can go a lot of places you may not intend.
Except he did not stop there. That's the problem. Allow me to re-state his original premise.
For a currency "X" there exists an amount "Y" at which (or below) no one will sell accurate bug reports to you.
When X = "pennies" and Y = "2" you can see how it works. Would you spend your time looking for bugs and reporting them for a possible payout of two cents per report? So at that point I can agree with him.
BUT THEN HE TRIES FOR A FALSE COROLLARY.
For a currency "X" there exists an amount "Z" at which (or above) people will sell accurate bug reports to you.
He uses X = "dollars" and Z = "10 million" there.
The reason it is a false corollary is that it depends upon a bug's existence being based upon the amount offered to find it.
All of the people talking as if I had said there were "literally infinite" bugs in a product are missing the point.
No. They understand and they are explaining to YOU where YOU are wrong.
I said, very clearly, that of course the number of bugs is not literally infinite, but I was considering the case where there are so many bugs which can be found for $X worth of effort, that it's unrealistic to find and fix them all in the time frame before the product becomes obsolete anyway.
And that is where you are wrong. YOU are claiming that a very specific HYPOTHETICAL situation is same as the general ACTUAL situation.
Your HYPOTHETICAL situation is 100% divorced from the ACTUAL situation.
In the ACTUAL situation there are a finite number of buffer overflow bugs in any specific program and those buffer overflow bugs can be found and fixed WITHOUT another buffer overflow bug appearing. And it is EASY to find the MAXIMUM number of buffer overflow bugs by searching the source code for every instance of a buffer being used.
Finite AND countable AND fixable.
The fact that there are dozens of people responding as if I had said "literally infinitely many bugs" does not make their point any more valid.
No. They are pointing out that YOU have made that assumption even though YOU keep denying it.
Because once you admit that the number of buffer overflow bugs is finite AND countable then there exists a point where they can ALL be fixed. And you keep denying that that is possible.
Well, theoretically yes.
"Theoretically". Got it.
But do you think that Apache could ever reach a state in practice, in the world we actually live in, where you couldn't find a new vulnerability in it for $10 million worth of effort?
Emphasis added.
So now you're conflating a real-world situation with a hypothetical situation
IF someone would offer $10 million for buffer overflow bugs in Apache then a lot of people would comb through the code and check each instance of a buffer for an overflow bug. All the buffer overflow bugs would be found.
After that, finding ANOTHER buffer overflow bug would not be possible IN THAT CODE BASE. No matter how much money was offered. Because all the instances should have been checked and identified.
Someone would have to submit code that included a NEW buffer overflow bug in order for a NEW buffer overflow bug to be discovered.
No matter how much money was being offered. No "theoretically" about it. It's Computer SCIENCE.
Do you really believe that if you offered a $10 million prize to anyone who could find a vulnerability in the Apache web server, that you would reach the point where people weren't finding and reporting new ones...
From your inclusion of "really believe" I'd say that your question was rhetorical.
And wrong.
At $10 million per buffer overflow? Yes. There would be a finite number of buffer overflows that would be found and fixed.
At $10 million per X category of bug? Yes. There would be a finite number X's that would be found and fixed.
Therefore, unless you assume an infinite number of categories of bugs, all the bugs would eventually be fixed.
Because the code base comprises a finite number of bits and there is a finite number of ways that those bits can be run.
My point is that if there are (effectively) infinitely many bugs...
No need to read any further because that is an incorrect assumption.
There cannot be an infinite number of bugs (effectively or otherwise) because there is not an infinite about of code NOR an infinite number of ways to run the finite amount of code.
From TFA:
(He confirmed to me afterwards that in his estimation, once the manufacturer had fixed that vulnerability, he figured his same team could have found another one with the same amount of effort.)
Then he was wrong as well.
There are a finite number of times that buffers are used in that code base. Therefore there are a finite number of times that buffers could be overflowed. If someone went through the code and checked each instance and ensured that an overflow situation was not possible then it would not be possible.
"Infinite" does not mean what you think it does.
Is there a statement in the article that you think is incorrect?
You missed the point of the post that you are replying to. But since you asked
You can visualize it even more starkly this way: A stranger approaches a company like Microsoft holding two envelopes, one containing $1,000 cash, and the other containing an IE security vulnerability which hasn't yet been discovered in the wild, and asks Microsoft to pick one envelope.
That makes no sense. Why would a security-researcher offer to pay MICROSOFT for NOTHING?
Microsoft should be paying the security-researcher.
It would sound short-sighted and irresponsible for Microsoft to pick the envelope containing the cash â" but when Microsoft declines to offer a $1,000 cash prize for vulnerabilities, it's exactly like choosing the envelope with the $1,000.
Wrong again.
Not PAYING $1,000 is NOT the same as getting an ADDITIONAL $1,000.
If I have $1,000 and I do not buy something for $1,000 I still have $1,000. But if someone gives me an envelope with $1,000 then I have TWO THOUSAND DOLLARS.
You might argue that it's "not exactly the same" because Microsoft's hypothetical $1,000 prize program would be on offer for bugs which haven't been found yet, but I'd argue that's a distinction without a difference.
No. It's wrong because in your example Microsoft ends up with an ADDITIONAL $1,000 from a security-researcher.
A lot of the animosity towards Monsanto comes from their overall behavior. Creating the terminator gene is first to mind. Next are the numerous allegations about misconduct: complaints that they do inadequate studies, they hire certain researchers expecting certain study outcomes, that they tamper with study results, and that they have bribed government officials. However, most of those reports come from the wacko anti-GMO crowd (who are really a bunch of anti-anything idiots), so it's hard to know if there's a shred of truth to any of the complaints.
The biggest gripe I have is their drive to produce pest- and herbicide-resistant crops. Every one of these is putting other farmers' crops at risk, because they're creating pesticide-resistant super-bugs and herbicide-resistant super-weeds. Those bugs and weeds don't limit themselves to Monsanto-seeded fields, they're natural organisms that spread, and those bugs are now attacking non-Monsanto crops, and the weeds are infesting non-Monsanto fields. Monsanto knew this was going to happen from the start of the program, they estimated it would take about 20 years for it to happen (it actually took less than 10 for the corn rootworm to evolve Bt resistance), yet they went ahead and did it anyway.
Had they focused their modifications only on creating high yield and high nutrition crops, instead of trying to fight the resistance battle, their overall agricultural activities would have been a lot more responsible.
For God's sake, stop researching for a while and begin to think!
