Forgot your password?
typodupeerror

Comment: Buy an axe. (Score 1) 227

by khasim (#46822497) Attached to: 'The Door Problem' of Game Design

When I walk to my own frontdoor (to which I do have the key) I encounter dozens of doors for which I have no key and which will remain forever locked to me.
Why couldn't this be true for a game as well?

You stated that incorrectly.

Those doors are locked but can be opened. Usually with equipment that an RPG character carries around "in-game". Whether that equipment is "lock picks" or "an axe" or "a rocket launcher".

What stops you from opening them is that you do not try to. Why you do not try to is because you do not want to go to jail.

Criminals "open" doors you consider to be "locked" in the real-world all the time.

Comment: Mod parent up. (Score 2) 161

by khasim (#46817571) Attached to: Ask Slashdot: How Can We Create a Culture of Secure Behavior?

The people that understand the risks generally don't represent a problem, but the people that don't understand them often also don't benefit from an explanation in a way that would change their behavior.

And in the corporate world there is the problem of status. People higher on the hierarchy do not like being told that they cannot do something by people lower on the hierarchy.

And if something goes wrong then it is YOUR fault because "security" was YOUR responsibility.

Computers are not magic, but many people believe that they are.

The problem there is that software has all the problems of a magical system. If you do A, B and C and then expect D to happen ... maybe it will, maybe it won't. Had you previously done X, Y or Z without rebooting?

There was a CAD program that had a problem with memory fragmentation. Even if you closed the previous files, eventually you ran out of contiguous memory and then your computer would complain about "issues" when you tried to open a file larger than your available contiguous memory. So first thing in the morning everything was fine. But around lunchtime things got weird. And the weirdness wasn't evenly distributed. On Monday, Alice would have a problem but Bob would work fine. On Tuesday Bob would have a problem but Alice would be fine. Etc. .....

And that was a problem that I could diagnose. There are hundreds more where all I can say is "perform the rite of reboot" and only open the app you have trouble with right now and let me know if it's still having trouble my god what are all those apps that are loading on start-up.

Comment: Re:I've grappled with the ethics of CS for 20 year (Score 2) 169

by khasim (#46810381) Attached to: The Ethical Dilemmas Today's Programmers Face

It's worse because while YOUR post actually reflects an ethical/moral issue, TFA does not.

Here's their #1 item:

Ethical dilemma No. 1: Log files -- what to save and how to handle them
Programmers are like pack rats. They keep records of everything, often because it's the only way to debug a system. But log files also track everything users do, and in the wrong hands, they can expose facts users want kept secret.

90%+ or whatever of the programmers out there are working on in-house code for in-house projects used by in-house people. Stuff that will never ship. So it does not matter how much stuff is logged.

For those coders who are working on code to ship, the issue becomes more about where to save the huge log files.

Log everything and store it locally? Why is your app taking up 20 GB of space?

Log everything and store it remotely? Why is your app sending 20 GB of traffic?

The ethics/morality is more "how badly do you want to be the punchline to a joke when it is discovered".

Comment: Re:When did slashdot become a blog for Bennett? (Score 1) 235

by khasim (#46791205) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Except he did not stop there. That's the problem. Allow me to re-state his original premise.

For a currency "X" there exists an amount "Y" at which (or below) no one will sell accurate bug reports to you.

When X = "pennies" and Y = "2" you can see how it works. Would you spend your time looking for bugs and reporting them for a possible payout of two cents per report? So at that point I can agree with him.

BUT THEN HE TRIES FOR A FALSE COROLLARY.

For a currency "X" there exists an amount "Z" at which (or above) people will sell accurate bug reports to you.

He uses X = "dollars" and Z = "10 million" there.

The reason it is a false corollary is that it depends upon a bug's existence being based upon the amount offered to find it.

Comment: No, they are not. (Score 1) 235

by khasim (#46790893) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

All of the people talking as if I had said there were "literally infinite" bugs in a product are missing the point.

No. They understand and they are explaining to YOU where YOU are wrong.

I said, very clearly, that of course the number of bugs is not literally infinite, but I was considering the case where there are so many bugs which can be found for $X worth of effort, that it's unrealistic to find and fix them all in the time frame before the product becomes obsolete anyway.

And that is where you are wrong. YOU are claiming that a very specific HYPOTHETICAL situation is same as the general ACTUAL situation.

Your HYPOTHETICAL situation is 100% divorced from the ACTUAL situation.

In the ACTUAL situation there are a finite number of buffer overflow bugs in any specific program and those buffer overflow bugs can be found and fixed WITHOUT another buffer overflow bug appearing. And it is EASY to find the MAXIMUM number of buffer overflow bugs by searching the source code for every instance of a buffer being used.

Finite AND countable AND fixable.

The fact that there are dozens of people responding as if I had said "literally infinitely many bugs" does not make their point any more valid.

No. They are pointing out that YOU have made that assumption even though YOU keep denying it.

Because once you admit that the number of buffer overflow bugs is finite AND countable then there exists a point where they can ALL be fixed. And you keep denying that that is possible.

Comment: Re:Bennett's Ego (Score 1) 235

by khasim (#46790713) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Well, theoretically yes.

"Theoretically". Got it.

But do you think that Apache could ever reach a state in practice, in the world we actually live in, where you couldn't find a new vulnerability in it for $10 million worth of effort?

Emphasis added.

So now you're conflating a real-world situation with a hypothetical situation ... no. You do not get to mix real-world and hypotheticals in the same sentence. No one is offering $10 million and no one is likely to offer $10 million.

IF someone would offer $10 million for buffer overflow bugs in Apache then a lot of people would comb through the code and check each instance of a buffer for an overflow bug. All the buffer overflow bugs would be found.

After that, finding ANOTHER buffer overflow bug would not be possible IN THAT CODE BASE. No matter how much money was offered. Because all the instances should have been checked and identified.

Someone would have to submit code that included a NEW buffer overflow bug in order for a NEW buffer overflow bug to be discovered.

No matter how much money was being offered. No "theoretically" about it. It's Computer SCIENCE.

Comment: Re:That's where you are wrong. (Score 1) 235

by khasim (#46789043) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Do you really believe that if you offered a $10 million prize to anyone who could find a vulnerability in the Apache web server, that you would reach the point where people weren't finding and reporting new ones...

From your inclusion of "really believe" I'd say that your question was rhetorical.

And wrong.

At $10 million per buffer overflow? Yes. There would be a finite number of buffer overflows that would be found and fixed.

At $10 million per X category of bug? Yes. There would be a finite number X's that would be found and fixed.

Therefore, unless you assume an infinite number of categories of bugs, all the bugs would eventually be fixed.

Because the code base comprises a finite number of bits and there is a finite number of ways that those bits can be run.

Comment: That's where you are wrong. (Score 1) 235

by khasim (#46788717) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

My point is that if there are (effectively) infinitely many bugs...

No need to read any further because that is an incorrect assumption.

There cannot be an infinite number of bugs (effectively or otherwise) because there is not an infinite about of code NOR an infinite number of ways to run the finite amount of code.

From TFA:

(He confirmed to me afterwards that in his estimation, once the manufacturer had fixed that vulnerability, he figured his same team could have found another one with the same amount of effort.)

Then he was wrong as well.

There are a finite number of times that buffers are used in that code base. Therefore there are a finite number of times that buffers could be overflowed. If someone went through the code and checked each instance and ensured that an overflow situation was not possible then it would not be possible.

"Infinite" does not mean what you think it does.

Comment: Re:Bennett's Ego (Score 0) 235

by khasim (#46788573) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Is there a statement in the article that you think is incorrect?

You missed the point of the post that you are replying to. But since you asked ...

You can visualize it even more starkly this way: A stranger approaches a company like Microsoft holding two envelopes, one containing $1,000 cash, and the other containing an IE security vulnerability which hasn't yet been discovered in the wild, and asks Microsoft to pick one envelope.

That makes no sense. Why would a security-researcher offer to pay MICROSOFT for NOTHING?

Microsoft should be paying the security-researcher.

It would sound short-sighted and irresponsible for Microsoft to pick the envelope containing the cash â" but when Microsoft declines to offer a $1,000 cash prize for vulnerabilities, it's exactly like choosing the envelope with the $1,000.

Wrong again.

Not PAYING $1,000 is NOT the same as getting an ADDITIONAL $1,000.

If I have $1,000 and I do not buy something for $1,000 I still have $1,000. But if someone gives me an envelope with $1,000 then I have TWO THOUSAND DOLLARS.

You might argue that it's "not exactly the same" because Microsoft's hypothetical $1,000 prize program would be on offer for bugs which haven't been found yet, but I'd argue that's a distinction without a difference.

No. It's wrong because in your example Microsoft ends up with an ADDITIONAL $1,000 from a security-researcher.

Comment: Mod parent up. (Score 1) 1608

by khasim (#46770271) Attached to: Retired SCOTUS Justice Wants To 'Fix' the Second Amendment

If you want to see it on a small scale, well ask yourself why the US has been unable to secure Afghanistan or Iraq. They had considerably more forces than your silly "1 aircraft carrier" scenario, it was hardly the whole population fighting, yet after years and years, they have been unable to secure the countries.

Mod parent up.

Anyone who thinks that modern, asymmetrical warfare means trading blows with similar weapon systems hasn't been paying attention to the last DECADE PLUS of our history.

There isn't a Taliban air force yet the Taliban is still around despite our air force bombing them for years.

Comment: Re:Found one! (Score 1) 588

by khasim (#46757409) Attached to: Jenny McCarthy: "I Am Not Anti-Vaccine'"

Creationism isn't the topic of this thread, so what would you call the introduction of an unrelated topic, if not a strawman?

Learn what straw man means. It does not mean anything you do not like.

Besides, you're not really pretending you didn't say that, are you?

I've quoted the portion where you brought up "moron". I've linked to your quote where you brought up "moron".

No "pretending" needed. You said it. Then you objected to it. That's a straw man.

For the record, here is my actual argument:

For the record, I posted a direct quote from you and the link to that quote.

Here is your quote, again:

No, I mean like people who "point out" the evidence for evolution by looking at Creationists and saying things like, "goddamn but you're a moron! How is it that you're allowed to breed? Someone should put you down for the good of society!"

You brought up "moron" and then you objected to it.

That is a straw man.

Comment: Re:Found one! (Score 1) 588

by khasim (#46751273) Attached to: Jenny McCarthy: "I Am Not Anti-Vaccine'"

Since you're not going to bother scrolling back up the page to see what I mean, I'll go ahead and say it - that comment was in response to your strawman about Creationists.

That statement was from you but you attempted to imply that it was from me.

That is a straw man.

Pointing out that Jenny McCarthy and Creationists BOTH ignore scientific evidence is not a straw man.

You were the one who started talking about "morons". Let me quote you and provide a link:

No, I mean like people who "point out" the evidence for evolution by looking at Creationists and saying things like, "goddamn but you're a moron! How is it that you're allowed to breed? Someone should put you down for the good of society!"

http://slashdot.org/comments.pl?sid=5028117&threshold=1&commentsort=0&mode=thread&cid=46749487

That is your comment and that is you making a straw man about "moron" claims.

Look, Brah, I don't care what you think about feelings, or damage, or strawmen, or whatever.

Except that you do and that has been your entire argument. I need to be nicer about pointing out that some people ignore all the scientific evidence that contradicts them. Then you go off on a straw man.

Measles does not care about feelings.

Comment: Re:Found one! (Score 1) 588

by khasim (#46750573) Attached to: Jenny McCarthy: "I Am Not Anti-Vaccine'"

My mistake for assuming that I was talking to someone who understands what the words he uses means. Words like "straw man."

That would be your hypothetical straw man friends whom you claimed were calling Jenny McCarthy a "moron".

What I said was that she (and the anti-vaccine people like her) do not have any evidence to support their claims.

FWIW, I'm not the hypocrite who's putting up strawmen and accusing others of doing the same thing when they make the apparent mistake of responding.

Yes you are. And you are "tone trolling".

Like I keep saying, measles does not care about your feelings.

Herd immunity has precisely dick to do with how you present your argument.

And, again, measles does not care about your feelings.

And now there are outbreaks of measles because of the anti-vaccination people. Real people. Real diseases. Real damage. None of your hypothetical straw men needed.

Comment: Re:Found one! (Score 1) 588

by khasim (#46750199) Attached to: Jenny McCarthy: "I Am Not Anti-Vaccine'"

No, I mean like people who "point out" the evidence for evolution by looking at Creationists and saying things like, "goddamn but you're a moron! How is it that you're allowed to breed? Someone should put you down for the good of society!"

Well that's good. Maybe you should take all your hypothetical straw man friends on a party cruise.

Make all the excuses for anti-social behavior that you want, but the fact is if you're being an asshole to someone for being wrong, you're only serving to make the problem worse, not better.

You might want to look up some of the outbreaks of diseases that have happened recently.

Oh, you won't, will you. Because actual damage to actual people doesn't fit your hypothetical straw man.

Anyone who refuses to get their children vaccinated BECAUSE I SAID THAT JENNY MCCARTHY DOES NOT UNDERSTAND BASIC SCIENCE is not going to change because I don't state that.

That is what a "zealot" is about.

Jenny McCarthy isn't stopping you from getting your kids vaccinated, and being a dick to her and her kind for holding a certain viewpoint is only going to make them grasp it even harder.

Look up "herd immunity". They're increasing the risk by NOT getting the vaccinations.

Which is why there are outbreaks of diseases such as measles now.

Facts. Not feelings. Measles will not care about your feelings.

You can not get anything worthwhile done without raising a sweat. -- The First Law Of Thermodynamics

Working...