] Hand crafted in the USA, this limited edition rubber band
] machine gun is about as over the top as it gets. Using a
] mechanism similar to the famous Gatling Gun of the old
] west, it stands 44 inches from the handle to the tip of
] its barrels.
]
] The turret spins effortlessly through 360 degrees, and
] will tilt from 45 degrees up to 22 degrees down, so
] tracking a fast moving target is a breeze. Winding the
] handle spins the barrels and fires off the bands, and it
] has a fire rate of 560 rounds per minute, though you can
] fire off all 144 rounds in just 12 seconds if the mood
] takes you. Re-loading takes between 10 to 30 minutes -
] there's a lot of bands to load.

Hmmmm. I wonder how tought this would be to build.

Rubber Band Gatling Gun

I got a reply from Jeff today about his C/C++ article. My comments are at the end

From: Jeff Duntemann (jduntemann - @ - copperwood.com)
To: Acidus (acidus@yak.net)
Date: Tue, 9 Nov 2004 09:50:57 -0700
Subject: Re: C/C++ responsible for Buffer Overflows

Billy--

Thanks for writing. The kicker isn't the C language per se--when I write C it looks (and works) pretty much like Pascal, which everybody in the C world seems to hate. The real problem lies in two areas:

1. The C "I can do anything I want or I'll hold my breath until I turn purple!" culture. Getting C programmers to adhere to coding standards is pure hell.

2. The standard C library. There's no real reason to use the string functions as they currently exist. There are numerous other functions (and rewrites of the canonican C string functions) that have built-in protections against overflows, e.g. strncpy(), strncmp(), and snprint(). My favorite is:

size_t strlcpy (char *dst, const char *src, size_t size);

This isn't part of standard clib, but if people used it, we'd see a LOT less of this sort of thing. The fact that people DON'T use it tells me that down on the front lines, programmers really don't care about buffer overflows. This is the C culture again. I'd really like to see a total rewrite of clib, with an eye toward preventing what we now know of hacker exploits. The damned thing is what, 25 years old now? I think it's way past time for an overhaul. But when I suggest it, you'd think I was saying we should torture newborn kittens. The truth is that C and clib are inseparable in the current C culture. To me, that means that we have to dump both.

I agree that an executable stack is a bad idea--but it's easier to change CLIB than to make a major change in existing hardware. Since we're unlikely to be able to change clib, I've been pushing for managed languages like Java and C#.

Lots of things to do today so I'll have to stop here. Again, thanks for writing and good luck.

--73--

--JD--

While I agree that programmers will always make mistakes, there is a balance between smart languages and smart people. I choose requiring smart people every day, because besides performance issues, a language that is too smart can prevent an experienced coder from doing what they need to do. By Jeff's logic, a seg fault is the languages fault, because the language didn't prevent it. Some languages, such as Java and C++ allows for users to catch and handle errors, which is a nice compromise to an all out smart language. If you compile a C program using gets(), you will get a warning, telling you to use fgets(). In the same way, the compiler could warn about "dangerous" string functions. Organizations can put rules into their make and build commands, refusing to let them go into production code. The point is their are other options them simply saying "this is a bad language." Its not bad, its just not being used/managed in an intelligent fashion.

I called around today to the big OEMs seeing who offered systems with Linux pre-installed.

Gateway only offered SUSE 8, and only on certain servers. The highend systems had SUSE 8 available, but it didn't come pre-installed. You get a blank machine and Linux on CDs. Even rack mounted systems won't come with Linux pre-installed. Lower end servers do have a "No OS" as an option, so you can avoid the Microsoft tax. No 64bit chips or OSes here, even in your rack-mounted servers.

The HP representative seemed thrilled when I asked about Linux. They offer Redhat on their higher end laptops and workstations, though SUSE, Mandrake, and other are certified to work as well (with nifty certification matrixes too). The regular HP people can't help you, you must order through their Small-Medium business group (1-800-888-0292). Sadly no 64bit chips or OSes here.

Dell... Well, the home-office person actually knew what Linux was, but said she thought only the small business group had systems with Linux pre-installed. A transfer later I talked to the small business rep. I said I was interested in quotes on laptops or desktops with Linux pre-installed. Her reply: "OK, I think we can do that... just one thing, whats Linux?" I even had to spell it. She then had to check with Tech support to see if Linux was available, and it is only available on their nSeries of workstations, as Redhat. These are fairly nice machines, with SATA RAID built in for even the lowest model (sub $1000). I guess Dell needs to better train their reps about what they offer, though they do have a nice website about Linux. (http://linux.dell.com/desktops.shtml). Again no 64bit chips or OSes

The biggest surprise was IBM. They do not offer Linux pre-installed on any of their Laptops or Desktops. They do have documentation on their site about installing Linux on different models of Thinkpads and desktops. IBM certainly made up for the lack of desktops/laptops with their Intellistation workstations. They have 2 lines of 64 bit 1 or 2 way SMP systems. The first line is based on AMD Opteron chips, with 64bit Redhat Linux or 32bit Windows XP available (though lesser models with Intel Xeons are available). The 2nd line is based on IBM's 64bit POWER chips. With hotswapable SCSI drives and other featuress, these are beasts and the high end model starts at $15,0000. Interestingly enough, only AIX is available on these, even though Linux runs fine on IBM's POWER-based servers. Linux is of course an option on all of IBM's eServers.

All in all, I was happy that the OEMs offered Linux. I was a little disappointed about how well the advertised it on their websites however. Another surprised was the lack of lower end systems with Linux pre-installed. Aside from the occasional thin client with a 2.4 kernel, I couldn't find any sub $600 dollar machines running Linux from the major OEMs. Let face it, this is where Mom and Pop shop, and for Linux on the desktop to take off, the major OEMs need to push it more. Finally, IBM is the only choice if you want a 64bit system with Linux.

Gateway Servers with Linux:
http://www.gateway.com/work/products/cp_srv_catalog.shtml

HP Workstations and Notebooks with Linux:
http://www.hp.com/workstations/pws/index.html

Dell nSeries Workstations with Linux:
http://www1.us.dell.com/content/products/compare.aspx/precn_n?c=us&cs=04&l=en&s=bsd

IBM Intellistation workstations with Linux:
http://www-132.ibm.com/content/home/store_IBMPublicUSA/en_US/IntelliStation_workstations.html

] Why is IBM supporting Linux?
] Because we admire it, we believe in it, we need it and
] it's good for customers. And, well...it's a lot of fu

Some fun little animations about Linux. Some are... well... a little strange.

IBM: Fun Linux Animations

Different scaled maps representing election results by county and state, in propotions ro population

Election result maps

] After all these years "it's a fairly well-oiled machine,"
] observed Smith. Actors who are out of town, like Azaria,
] can record their lines at a convenient studio.
]
] When the cast is finished the animators step in. The Los
] Angeles-area animation house Film Roman creates a
] black-and-white draft, called an animatic, which reveals
] what works and what doesn't, Jean said.
]
] "Sometimes we do a considerable rewrite with the
] animatic. Once it's in color, the cost of changing too
] much is prohibitive," he said.
]
] The revised animatic is sent to South Korea for creation
] of the final version -- or almost final. If a line
] remains troublesome, the characters' lip movements
] provide enough leeway for another phrase to be subbed in.

The making of a Simpsons episode

Note: Jeff Duntemann replied to this email. See it and my comments on this meme: http://www.memestreams.net/users/acidus/blogid4583591

] If you give reports of recently discovered security holes
] in all major products (not merely Microsoft's) a
] very close read, you'll find a peculiar similarity
] in the bugs themselves. Most of them are "buffer
] overflow exploits," and these are almost entirely
] due to the shortcomings of a single programming language:
] C/C++. (C and C++, are really the same language at the
] core, where these sorts of bugs happen.) Virtually all
] software written in the United States is written in C/C++.

Mr Duntemann. (jduntemann - @ - coppertown.com)

I was completely very confused by your editorial in Software Development Times, " The Lessons of Software Monoculture. As a computer engineer student at a major university, as well as a published author in the same "black hat" publications you refer to, I don't understand any of your claims about C/C++. Any language that makes function calls can have buffer overflows. Its is not something inherent in a language. If anyone is to blame, it is Intel for allowing an executable stack. As I'm sure you know, buffer overflows stem from writing beyond a buffer to overwrite the Stack Pointer and Frame pointer, thus changing the flow of execution to hostile code, usually inside the allocated buffer.

Yes, C and C++ in their base do not have a mechanism to test if a pointer operation is happening beyond the bounds of the allocated memory. In C++, smart pointer classes exist that keep track of things like that, and also will automatically free memory once no more pointers point to it. C/C++ are built for speed. Global pointer checking would drastically slow down the language. The problem is solved by programmers simply doing a check. Macros should even be defined to do it all for you.

My point is your claim that Buffer Overflows are the language's fault is false. It's not like the language is a mystery: it'd well known thatC/C++ has no bounds checking or no garbage collection. Any programmer who uses the language without taking the appropriate steps to protect against out of bounds access is at fault. They have no business coding applications if they don't understand what they are doing. IE: 2 year associates degrees or bullshit certifications do not a good programmer make, and all the security hazards written into the code is not only the"programmers" fault, but also the management structure that would let such an under qualified person write important applications. Further you claim this "problem" with C/C++ makes switching to something other than Microsoft "problematic." Certainly buffer overflows exists in BSD, Linux, and other alternatives. However a buffer overflow on a non-Microsoft has limited damage potential, due to the structuring of the security model.

I thank you for your time, and look forward to hearing your views on these matters.

C/C++, not Microsoft, to blame for Window's Bugs!

First off let me say I am pleased we are having such an open and frank debate on this topic, and I am pleased it is so civil.

] The concept of marriage isn't just about Christianity or
] religion or conservative politics -- marriage is pretty much
] as intense a personal decision as a human being can make, and
] if many people want to defend the sanctity of that concept, I
] can't blame them.

Does 2 people of the same sex getting married in some way reduce or detract from sanctity of your marriage?

If gay marriage somehow cheapens the sanctity of your marriage, you didn't have a very good marriage to begin with. If gay marriage doesn't cheapen your marriage, then why the hell are we having this discussion? Yes, it really is that simple.

My parents wrote their own wedding vows. They were Moody Blues' lyrics. Slim to nil in the religous department. Not very sanctified is it? So should we have a law that defines wedding vows, to make sure vows are always holy and pure? What about a ban on Vegas Wedding Chapels, so a hung-over Brittany Spears can't have another 56 hour marriage? Her being a skank doesn't reduce the feeling my parents have for each other, or their marriage, anymore than my parents using Moody Blues' lyrics as wedding vows reduces my grandparents love for each other.

This entire "sanctity of marriage" arguement fails, for all the reasons you listed as marriage being so emotional and personal.

RE: The Values-Vote Myth

] As more personal information is collected into databases,
] computers have been handed increasing power to make
] decisions about our everyday lives. The technological
] systems intend to solve costly and important business
] problems, but the proliferation of these so-called
] electronic blacklists has alarmed consumer and privacy
] advocacy groups who say many databases have incomplete,
] incorrect or misleading information.
]
] "Technology has made it cheap to do all kinds of
] surveillance and watch over people and make sure they
] obey the rules. But when a system makes a mistake, what
] can you do?" said Richard Smith, an Internet security and
] privacy consultant.

Databases used by companies to blacklist consumers

Its been 4 or 5 years since I've used yahoo to search, so maybe everyone else has noticed this. Yahoo's search page looks just like Google.

Yahoo! Search - Looks like Google