
Comment: Re:they couldn't have just read Dilbert? (Score 1) 171

by Tablizer (#46792207) Attached to: California Utility May Replace IT Workers with H-1B Workers

It's so universal it's seen everywhere.

Managers should also be formally judged by their underlings. If they score low or fail to improve in problem categories, they get docked pay.

It can be an anonymous survey with 20 or so categories such as "Shows respect to me (employee)", "Explains my tasks clearly", "Listens to and thoughtfully considers my opinion", "Gives me meaningful and relevant work", "Explains the purpose of my work in terms of organizational goals", etc.

Comment: Re:Outsourcing! Management Sux! What?!? (Score 1) 171

by Tablizer (#46792161) Attached to: California Utility May Replace IT Workers with H-1B Workers

But third-world labor is often cheaper because those countries don't have and/or enforce labor, safety, and pollution laws. Should we trash the USA in order to compete with those used to living in a trashy country?

Further, individuals here don't have the ability to change their entire country even if they personally wanted the trade-offs offered by such an Ayn Rand "paradise".

And why reward trashy countries for being trashy by giving them our jobs? We should encourage them to get civilized.

Comment: Dilbert is Real (Score 5, Funny) 171

by Tablizer (#46792075) Attached to: California Utility May Replace IT Workers with H-1B Workers

SCE's management culture may be particularly primed for firing its IT workers...One observation in this report...was that 'employees perceive managers to be more concerned about how they 'look' from above, and less concerned about how they are viewed by their subordinates.'

PHB1: "This survey shows our employees think we in management are clueless superficial jerks. What do we do about it?"

PHB2: "I got it! Fire them all and outsource their work to new people who don't yet know we are clueless superficial jerks."

PHB1: "Brilliant! Let's vote ourselves a raise for this plan!"

Comment: Re:When did slashdot become a blog for Bennett? (Score 1) 228

by khasim (#46791205) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Except he did not stop there. That's the problem. Allow me to re-state his original premise.

For a currency "X" there exists an amount "Y" at which (or below) no one will sell accurate bug reports to you.

When X = "pennies" and Y = "2" you can see how it works. Would you spend your time looking for bugs and reporting them for a possible payout of two cents per report? So at that point I can agree with him.


For a currency "X" there exists an amount "Z" at which (or above) people will sell accurate bug reports to you.

He uses X = "dollars" and Z = "10 million" there.

The reason it is a false corollary is that it depends upon a bug's existence being based upon the amount offered to find it.

Comment: No, they are not. (Score 1) 228

by khasim (#46790893) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

All of the people talking as if I had said there were "literally infinite" bugs in a product are missing the point.

No. They understand and they are explaining to YOU where YOU are wrong.

I said, very clearly, that of course the number of bugs is not literally infinite, but I was considering the case where there are so many bugs which can be found for $X worth of effort, that it's unrealistic to find and fix them all in the time frame before the product becomes obsolete anyway.

And that is where you are wrong. YOU are claiming that a very specific HYPOTHETICAL situation is the same as the general ACTUAL situation.

Your HYPOTHETICAL situation is 100% divorced from the ACTUAL situation.

In the ACTUAL situation there are a finite number of buffer overflow bugs in any specific program and those buffer overflow bugs can be found and fixed WITHOUT another buffer overflow bug appearing. And it is EASY to find the MAXIMUM number of buffer overflow bugs by searching the source code for every instance of a buffer being used.

Finite AND countable AND fixable.

The fact that there are dozens of people responding as if I had said "literally infinitely many bugs" does not make their point any more valid.

No. They are pointing out that YOU have made that assumption even though YOU keep denying it.

Because once you admit that the number of buffer overflow bugs is finite AND countable then there exists a point where they can ALL be fixed. And you keep denying that that is possible.

Comment: Re:Bennett's Ego (Score 1) 228

by khasim (#46790713) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Well, theoretically yes.

"Theoretically". Got it.

But do you think that Apache could ever reach a state in practice, in the world we actually live in, where you couldn't find a new vulnerability in it for $10 million worth of effort?

Emphasis added.

So now you're conflating a real-world situation with a hypothetical situation ... no. You do not get to mix real-world and hypotheticals in the same sentence. No one is offering $10 million and no one is likely to offer $10 million.

IF someone would offer $10 million for buffer overflow bugs in Apache then a lot of people would comb through the code and check each instance of a buffer for an overflow bug. All the buffer overflow bugs would be found.

After that, finding ANOTHER buffer overflow bug would not be possible IN THAT CODE BASE. No matter how much money was offered. Because all the instances should have been checked and identified.

Someone would have to submit code that included a NEW buffer overflow bug in order for a NEW buffer overflow bug to be discovered.

No matter how much money was being offered. No "theoretically" about it. It's Computer SCIENCE.

Comment: Re:That's where you are wrong. (Score 1) 228

by khasim (#46789043) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Do you really believe that if you offered a $10 million prize to anyone who could find a vulnerability in the Apache web server, that you would reach the point where people weren't finding and reporting new ones...

From your inclusion of "really believe" I'd say that your question was rhetorical.

And wrong.

At $10 million per buffer overflow? Yes. There would be a finite number of buffer overflows that would be found and fixed.

At $10 million per X category of bug? Yes. There would be a finite number of X's that would be found and fixed.

Therefore, unless you assume an infinite number of categories of bugs, all the bugs would eventually be fixed.

Because the code base comprises a finite number of bits and there is a finite number of ways that those bits can be run.

Comment: That's where you are wrong. (Score 1) 228

by khasim (#46788717) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

My point is that if there are (effectively) infinitely many bugs...

No need to read any further because that is an incorrect assumption.

There cannot be an infinite number of bugs (effectively or otherwise) because there is not an infinite amount of code NOR an infinite number of ways to run the finite amount of code.

From TFA:

(He confirmed to me afterwards that in his estimation, once the manufacturer had fixed that vulnerability, he figured his same team could have found another one with the same amount of effort.)

Then he was wrong as well.

There are a finite number of times that buffers are used in that code base. Therefore there are a finite number of times that buffers could be overflowed. If someone went through the code and checked each instance and ensured that an overflow situation was not possible then it would not be possible.

"Infinite" does not mean what you think it does.
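The three khasim comments above (the "No, they are not" reply, the "Bennett's Ego" reply, and this one) all rest on the same review step: go to every place a buffer is used and make sure the copy into it is bounded. The following is an added example, not code from the article or from any of the commenters, showing what that step looks like on one such instance: a fixed-size stack buffer filled by an unbounded strcpy, the bounds-checked form beside it, and the check written out as a predicate. The buffer size NAME_LEN, the function names and the sample inputs are all assumptions made for the example. One practitioner's caveat the comments do not mention: the check itself can be wrong (the classic case is forgetting the terminating NUL), which is why the predicate uses >= rather than >.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* assumed buffer size for the example */

/* The shape of the bug under discussion: a fixed-size stack buffer and an
 * unbounded copy. Any input of NAME_LEN or more bytes overflows `name`
 * (NAME_LEN - 1 characters plus the terminating NUL is the most that fits). */
int greet_vulnerable(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);            /* no bound: undefined behaviour if strlen(input) >= NAME_LEN */
    return (int)strlen(name);
}

/* Hardened form: compare the source length against the destination size
 * before copying, and refuse (rather than silently truncate) when the input
 * will not fit. Returns the number of bytes copied, or -1 if refused. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)   /* n == dst_size - 1 is the last value that fits with its NUL */
        return -1;
    memcpy(dst, src, n + 1);              /* n + 1 copies the terminating NUL as well */
    return (int)n;
}

int greet_fixed(const char *input) {
    char name[NAME_LEN];
    return bounded_copy(name, sizeof name, input);   /* -1 means the input was rejected */
}

/* The "check each instance" review step as a predicate: given the size of the
 * destination buffer and a candidate input, would the unbounded copy overflow? */
int would_overflow(size_t buf_size, const char *input) {
    return strlen(input) >= buf_size;
}

int main(void) {
    /* Constructed sample inputs for the example. */
    const char *ok  = "alice";
    const char *bad = "AAAAA" "AAAAA" "AAAAA" "AAAAA" "AAAAA" "AAAAA" "AA";   /* 32 bytes */

    printf("would_overflow(%d, \"%s\") = %d\n", NAME_LEN, ok,  would_overflow(NAME_LEN, ok));
    printf("would_overflow(%d, 32 x 'A') = %d\n", NAME_LEN, would_overflow(NAME_LEN, bad));
    printf("greet_fixed(ok)  = %d\n", greet_fixed(ok));
    printf("greet_fixed(bad) = %d (refused)\n", greet_fixed(bad));
    /* greet_vulnerable(bad) is deliberately not called: it would smash the stack. */
    printf("greet_vulnerable(ok) = %d\n", greet_vulnerable(ok));
    return 0;
}
```

Note that `bounded_copy` rejects over-long input instead of truncating it; for a name field that is usually the right call, since a silently truncated value can itself become a security problem further downstream. The boundary cases in the usage (15 characters fits, 16 does not) are exactly the ones a reviewer should try against every instance found by the search the comments describe.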

Comment: Re:Bennett's Ego (Score 0) 228

by khasim (#46788573) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Is there a statement in the article that you think is incorrect?

You missed the point of the post that you are replying to. But since you asked ...

You can visualize it even more starkly this way: A stranger approaches a company like Microsoft holding two envelopes, one containing $1,000 cash, and the other containing an IE security vulnerability which hasn't yet been discovered in the wild, and asks Microsoft to pick one envelope.

That makes no sense. Why would a security-researcher offer to pay MICROSOFT for NOTHING?

Microsoft should be paying the security-researcher.

It would sound short-sighted and irresponsible for Microsoft to pick the envelope containing the cash - but when Microsoft declines to offer a $1,000 cash prize for vulnerabilities, it's exactly like choosing the envelope with the $1,000.

Wrong again.

Not PAYING $1,000 is NOT the same as getting an ADDITIONAL $1,000.

If I have $1,000 and I do not buy something for $1,000 I still have $1,000. But if someone gives me an envelope with $1,000 then I have TWO THOUSAND DOLLARS.

You might argue that it's "not exactly the same" because Microsoft's hypothetical $1,000 prize program would be on offer for bugs which haven't been found yet, but I'd argue that's a distinction without a difference.

No. It's wrong because in your example Microsoft ends up with an ADDITIONAL $1,000 from a security-researcher.

Comment: Re:Tesla needs just a few more things (Score 1) 338

by Grishnakh (#46788109) Attached to: Mercedes Pooh-Poohs Tesla, Says It Has "Limited Potential"

What are you talking about? It's not at all uncommon for married couples to have two cars which are wildly different from each other. Haven't you seen couples where the wife drives some nice, new(er), fancy car, and the husband drives some old POS beater to work? Or where one drives a small econo or sporty car, and the other drives a van or SUV? Why wouldn't it be normal for (while EVs still have limited range and recharging on trips is a PITA) couples to have one nice EV for driving around town, and one possibly somewhat older gas car for the occasional long trip and for one of the partners to drive?

Or, they could have 2 EVs, and a third gas car reserved solely for longer trips. It's not that uncommon for families to have a third car. I knew a bunch of middle-class families while growing up who had three, one rarely used. Or, people could just rent a car. How often do you drive that far away anyway? A few times a year? Enterprise will even bring your rental car to you.
