Comment: Underlying assumptions are false (Score 1) 232

by jd (#46793425) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

OK, the envelope game. You can rework it to say the second envelope contains the next vulnerability in the queue of vulnerabilities. An empty queue is just as valid as a non-empty one, so if there are no further flaws then the envelope is empty. That way, all states are handled identically. What you REALLY want to do, though, is add a third envelope, also the next item in queue, from QA. You do NOT know which envelope contains the most valuable prize, but unless two bugs are found simultaneously (in which case you have bigger problems than game theory), you absolutely know two of the envelopes contain nothing remotely as valuable as the third. If no bugs are known at the time, or no more exist - essentially the same thing, as you can't prove completeness and correctness at the same time - then the thousand dollars is the valuable one.

Monty Hall knows what is in two of the envelopes, but not what is in the third. Assuming simultaneous bug finds can be ignored, he can guess. Whichever envelope you choose, he will pick the least valuable envelope and show you that it is empty. Should you stick with your original choice or switch envelopes?

Clearly, this outcome will differ from the scenario in the original field manual. Unless you understand why it is different in outcome, you cannot evaluate a bounty program.

Now, onto the example of the car automotive software. Let us say that locating bugs is in constant time for the same effort. Sending the software architect on a one-way trip to Siberia is definitely step one. Proper encapsulation and modularization are utterly fundamental. Constant time means the First Law of Coding has been broken, a worse misdeed than breaking the First Law of Time and the First Law of Robotics on a first date. You simply can't produce enough similar bugs any other way.

It also means the architect broke the Second Law of Coding - ringfence vulnerable code and validate all inputs to it. By specifically isolating dangerous code in this way, a method widely used, you make misbehaviour essentially impossible. The dodgy code may be there but it can't get data outside the range for which it is safe.

Finally, it means the programmers failed to read the CERT Secure Coding guidelines, failed to test (unit and integrated!) correctly, likely didn't bother with static checkers, failed to enable compiler warning flags and basically failed to think. Thoughtlessness qualifies them for the Pitcairn Islands. One way.

With the Pitcairns now overrun by unemployed automotive software engineers, society there will collapse and Thunderdome v1.0a will be built! With a patchset to be released, fixing bugs in harnesses and weapons, in coming months.

Comment: Wrong question (Score 1) 307

by jd (#46654623) Attached to: Should NASA Send Astronauts On Voluntary One-Way Missions?

Google up on articles on the Lazarus Doctor (he works on patients who have nominally died of hypothermia) and on the new experimental saline blood substitute for potentially fatal injuries (the paramedics swap the patient's blood for the solution, deep-freeze the patient and reverse the process at hospital, eliminating all stress and trauma to the body in transit).

The theoretical duration you can perform suspended animation in real life is unknown, but is estimated to be many months.

The practical duration is only a few hours, so far.

The cost of improving on the practical duration (since the former method is really only limited by how long you can artificially keep O2 levels in the brain over 45%) is far, far less than the cost of a mission to Mars. Ergo, that is the logical solution. Fund medical research into the two methods. Put 100% of NASA funding for a manned Mars mission into those two techniques for at least the next couple of years.

That should accelerate development of the necessary technologies. By doing it this way, you need absolutely bugger all new rocketry technology. The N months' food needed for the journey by live astronauts can be replaced with radiation shielding of the same total mass.

This leaves you with radiation on Mars. But only if you land on the surface. What you want to do is land in a deep, narrow gorge or chasm. There are some; that is where the methane was reported. That increases the thickness of atmosphere, which is good for radiation. It is unexplored, which is even better. There is a chance of a cave network, absolutely ideal for looking for water, life and/or a good location for settlers.

Oh, and doing things this way improves life on Earth, the very thing all the anti-space people demand NASA prove they can do.

Everyone's happy, apart from, well, everyone. NASA doing a better job of health than the NIH will upset people. A workable mission will upset futurologists because the future will be done rather than talked about, putting them out of a job. Eliminating the radiation problem will infuriate the buggers who say the mission can't be done. Eliminating any issues with transit time means you can launch the mission the day after the medical stuff is sorted, leaving those talking about a 2030-2050 timeframe looking as stupid as they really are.

So, yeah, it'll get the job done, but expect those involved in a mission to be lynched by a mob of respectable plutocrats.

Comment: Re:Privacy nutjobs take note (Score 1) 149

by badzilla (#46523621) Attached to: Facebook's Face Identification Project Is Accurate 97.25% of the Time

Not so sure about "years later". I have an Asus laptop that I bought three or so years ago and it has facial recognition login. That was cool at the time and I figured, what the hell, I paid for it already, so I trained it to log in using my face. It worked really well.

That was three years ago, I haven't changed the configuration but now it doesn't work any more :(

Comment: Re:School is boring smart kids (Score 1) 529

by badzilla (#46505553) Attached to: The Poor Neglected Gifted Child

I was a smart kid at school and in my country they did, at that time, attempt to fast-track such children. This was many years ago and these days they have learnt from their mistakes and handle the whole thing much more sensitively.

It was a disaster for me however - they just advanced me into the next academic year. I could still learn the material with no effort and was still bored, but now I was also the smallest (important when you're age 7 and nobody wants you on their informal games team) and although I was smarter my shaky social skills were now a year behind everyone else's.

Coupled with a few other factors (poverty at home relative to others) it set me back *a lot* in life and I was 30 or so before I really got over it.

tl;dr Teacher, leave them smart kids alone

Comment: Re:Chip & Pin (Score 1) 106

by badzilla (#46071633) Attached to: Michaels Stores Investigating Possible Data Breach

Chip and PIN has seen widespread use for years now and would probably stop this kind of attack. Remember you have hardware-based encryption happening not only in the card reader but also in the card itself. An amazing amount of crypto happens at step one just so that the card can satisfy itself that it is indeed inside a valid reader. Then some more so that the reader can be confident it has a real card. Once all the authorisation and monetary amounts are complete then the reader finally dumps out an encrypted blob. Malware that had got root in the POS terminal could deny the transaction from happening but could not change the amount or snarf any of the card information. The only time I have heard of any cracks in this scheme was a murky story of collusion with employees at the card reader manufacturing facility, which is a lot less of a risk than poorly-configured POS.
