<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_02_17_2327253</id>
	<title>The 25 Most Dangerous Programming Errors</title>
	<author>samzenpus</author>
	<datestamp>1266414900000</datestamp>
	<htmltext><a href="http://hughpickens.com/" rel="nofollow">Hugh Pickens</a> writes <i>"The Register reports that experts from some 30 organizations worldwide have compiled 2010's list of the <a href="http://www.theregister.co.uk/2010/02/17/top_25_programming_errors/">25 most dangerous programming errors</a> along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications. The 25 flaws are the cause of almost every major cyber attack in recent history, including the ones that recently struck Google and 33 other large companies, as well as breaches suffered by military systems and millions of small business and home users. The top 25 entries are prioritized using inputs from over 20 different organizations, who <a href="http://cwe.mitre.org/top25/#Listing">evaluated each weakness based on prevalence and importance</a>. Interestingly enough, the classic buffer overflow ranked 3rd in the list while Cross-site Scripting and SQL Injection are considered the 1-2 punch of security weaknesses in 2010. Security experts say business customers have the means to foster safer products by demanding that vendors follow common-sense safety measures such as verifying that all team members successfully clear a background investigation and be trained in secure programming techniques. 'As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,' the introduction to the list states and <a href="http://www.sans.org/appseccontract/">includes a draft contract with the terms customers should request</a> to enable buyers of custom software to make code writers responsible for checking the code and for fixing security flaws before software is delivered."</i></htmltext>
<tokenext>Hugh Pickens writes " The Register reports that experts from some 30 organizations worldwide have compiled 2010 's list of the 25 most dangerous programming errors along with a novel way to prevent them : by drafting contracts that hold developers responsible when bugs creep into applications .
The 25 flaws are the cause of almost every major cyber attack in recent history , including the ones that recently struck Google and 33 other large companies , as well as breaches suffered by military systems and millions of small business and home users .
The top 25 entries are prioritized using inputs from over 20 different organizations , who evaluated each weakness based on prevalence and importance .
Interestingly enough the classic buffer overflow ranked 3rd in the list while Cross-site Scripting and SQL Injection are considered the 1-2 punch of security weaknesses in 2010 .
Security experts say business customers have the means to foster safer products by demanding that vendors follow common-sense safety measures such as verifying that all team members successfully clear a background investigation and be trained in secure programming techniques .
'As a customer , you have the power to influence vendors to provide more secure products by letting them know that security is important to you, ' the introduction to the list states and includes a draft contract with the terms customers should request to enable buyers of custom software to make code writers responsible for checking the code and for fixing security flaws before software is delivered .
"</tokentext>
<sentencetext>Hugh Pickens writes "The Register reports that experts from some 30 organizations worldwide have compiled 2010's list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications.
The 25 flaws are the cause of almost every major cyber attack in recent history, including the ones that recently struck Google and 33 other large companies, as well as breaches suffered by military systems and millions of small business and home users.
The top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance.
Interestingly enough, the classic buffer overflow ranked 3rd in the list while Cross-site Scripting and SQL Injection are considered the 1-2 punch of security weaknesses in 2010.
Security experts say business customers have the means to foster safer products by demanding that vendors follow common-sense safety measures such as verifying that all team members successfully clear a background investigation and be trained in secure programming techniques.
'As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,' the introduction to the list states and includes a draft contract with the terms customers should request to enable buyers of custom software to make code writers responsible for checking the code and for fixing security flaws before software is delivered.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558</id>
	<title>Just Show Me the List!!</title>
	<author>QuantumG</author>
	<datestamp>1265038080000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p>So much shit. So much commentary. Just gimme the list? Here it is:</p><ol><li> <a href="http://cwe.mitre.org/top25/#CWE-79" title="mitre.org">Failure to Preserve Web Page Structure ('Cross-site Scripting')</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-89" title="mitre.org">Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-120" title="mitre.org">Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-352" title="mitre.org">Cross-Site Request Forgery (CSRF)</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-285" title="mitre.org">Improper Access Control (Authorization)</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-807" title="mitre.org">Reliance on Untrusted Inputs in a Security Decision</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-22" title="mitre.org">Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-434" title="mitre.org">Unrestricted Upload of File with Dangerous Type</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-78" title="mitre.org">Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-311" title="mitre.org">Missing Encryption of Sensitive Data</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-798" title="mitre.org">Use of Hard-coded Credentials</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-805" title="mitre.org">Buffer Access with Incorrect Length Value</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-98" title="mitre.org">Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-129" title="mitre.org">Improper Validation of Array Index</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-754" title="mitre.org">Improper Check for Unusual or Exceptional Conditions</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-209" title="mitre.org">Information Exposure Through an Error Message</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-190" title="mitre.org">Integer Overflow or Wraparound</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-131" title="mitre.org">Incorrect Calculation of Buffer Size</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-306" title="mitre.org">Missing Authentication for Critical Function</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-494" title="mitre.org">Download of Code Without Integrity Check</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-732" title="mitre.org">Incorrect Permission Assignment for Critical Resource</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-770" title="mitre.org">Allocation of Resources Without Limits or Throttling</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-601" title="mitre.org">URL Redirection to Untrusted Site ('Open Redirect')</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-327" title="mitre.org">Use of a Broken or Risky Cryptographic Algorithm</a> [mitre.org]</li><li> <a href="http://cwe.mitre.org/top25/#CWE-362" title="mitre.org">Race Condition</a> [mitre.org]</li></ol></htmltext>
<tokenext>So much shit .
So much commentary .
Just gim me the list ?
Here it is : Failure to Preserve Web Page Structure ( 'Cross-site Scripting ' ) [ mitre.org ] Improper Sanitization of Special Elements used in an SQL Command ( 'SQL Injection ' ) [ mitre.org ] Buffer Copy without Checking Size of Input ( 'Classic Buffer Overflow ' ) [ mitre.org ] Cross-Site Request Forgery ( CSRF ) [ mitre.org ] Improper Access Control ( Authorization ) [ mitre.org ] Reliance on Untrusted Inputs in a Security Decision [ mitre.org ] Improper Limitation of a Pathname to a Restricted Directory ( 'Path Traversal ' ) [ mitre.org ] Unrestricted Upload of File with Dangerous Type [ mitre.org ] Improper Sanitization of Special Elements used in an OS Command ( 'OS Command Injection ' ) [ mitre.org ] Missing Encryption of Sensitive Data [ mitre.org ] Use of Hard-coded Credentials [ mitre.org ] Buffer Access with Incorrect Length Value [ mitre.org ] Improper Control of Filename for Include/Require Statement in PHP Program ( 'PHP File Inclusion ' ) [ mitre.org ] Improper Validation of Array Index [ mitre.org ] Improper Check for Unusual or Exceptional Conditions [ mitre.org ] Information Exposure Through an Error Message [ mitre.org ] Integer Overflow or Wraparound [ mitre.org ] Incorrect Calculation of Buffer Size [ mitre.org ] Missing Authentication for Critical Function [ mitre.org ] Download of Code Without Integrity Check [ mitre.org ] Incorrect Permission Assignment for Critical Resource [ mitre.org ] Allocation of Resources Without Limits or Throttling [ mitre.org ] URL Redirection to Untrusted Site ( 'Open Redirect ' ) [ mitre.org ] Use of a Broken or Risky Cryptographic Algorithm [ mitre.org ] Race Condition [ mitre.org ]</tokentext>
<sentencetext>So much shit.
So much commentary.
Just gimme the list?
Here it is: Failure to Preserve Web Page Structure ('Cross-site Scripting') [mitre.org] Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') [mitre.org] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [mitre.org] Cross-Site Request Forgery (CSRF) [mitre.org] Improper Access Control (Authorization) [mitre.org] Reliance on Untrusted Inputs in a Security Decision [mitre.org] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [mitre.org] Unrestricted Upload of File with Dangerous Type [mitre.org] Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') [mitre.org] Missing Encryption of Sensitive Data [mitre.org] Use of Hard-coded Credentials [mitre.org] Buffer Access with Incorrect Length Value [mitre.org] Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') [mitre.org] Improper Validation of Array Index [mitre.org] Improper Check for Unusual or Exceptional Conditions [mitre.org] Information Exposure Through an Error Message [mitre.org] Integer Overflow or Wraparound [mitre.org] Incorrect Calculation of Buffer Size [mitre.org] Missing Authentication for Critical Function [mitre.org] Download of Code Without Integrity Check [mitre.org] Incorrect Permission Assignment for Critical Resource [mitre.org] Allocation of Resources Without Limits or Throttling [mitre.org] URL Redirection to Untrusted Site ('Open Redirect') [mitre.org] Use of a Broken or Risky Cryptographic Algorithm [mitre.org] Race Condition [mitre.org]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31193712</id>
	<title>The icing on the cake...</title>
	<author>jamie(really)</author>
	<datestamp>1266500160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>In drafting their contract to encourage Customers to demand of the Developers that the code is bug free, they chose to provide this at the top:</p><p>"DISCLAIMER</p><p>THIS DOCUMENT SHOULD BE CONSIDERED GUIDANCE ONLY. IT IS STRONGLY RECOMMENDED THAT YOU CONSULT A QUALIFIED ATTORNEY TO HELP YOU NEGOTIATE A SOFTWARE CONTRACT.</p><p>Please be advised that there is no warranty, expressed or implied, and no assumption of any legal liability or responsibility for any third party's use, or the results of such use of this Document."</p><p>I guess code can be made 100% accurate, but not legal contracts, huh?</p></htmltext>
<tokenext>In drafting their contract to encourage Customers to demand of the Developers that the code is bug free , they chose to provide this at the top : " DISCLAIMER
THIS DOCUMENT SHOULD BE CONSIDERED GUIDANCE ONLY .
IT IS STRONGLY RECOMMENDED THAT YOU CONSULT A QUALIFIED ATTORNEY TO HELP YOU NEGOTIATE A SOFTWARE CONTRACT .
Please be advised that there is no warranty , expressed or implied , and no assumption of any legal liability or responsibility for any third party 's use , or the results of such use of this Document .
" I guess code can be made 100 % accurate , but not legal contracts , huh ?</tokentext>
<sentencetext>In drafting their contract to encourage Customers to demand of the Developers that the code is bug free, they chose to provide this at the top: "DISCLAIMER
THIS DOCUMENT SHOULD BE CONSIDERED GUIDANCE ONLY.
IT IS STRONGLY RECOMMENDED THAT YOU CONSULT A QUALIFIED ATTORNEY TO HELP YOU NEGOTIATE A SOFTWARE CONTRACT.
Please be advised that there is no warranty, expressed or implied, and no assumption of any legal liability or responsibility for any third party's use, or the results of such use of this Document."
I guess code can be made 100% accurate, but not legal contracts, huh?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31185218</id>
	<title>Re:The most dangerous C programming error</title>
	<author>Quirkz</author>
	<datestamp>1266511680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>In PHP, my most dangerous error tends to be using = instead of == in IF statements. I suddenly make everything true all the time. It's perhaps comforting as a philosophy, but it's pretty bad for functionality.</htmltext>
<tokenext>In PHP , my most dangerous error tends to be using = instead of = = in IF statements .
I suddenly make everything true all the time .
It 's perhaps comforting as a philosophy , but it 's pretty bad for functionality .</tokentext>
<sentencetext>In PHP, my most dangerous error tends to be using = instead of == in IF statements.
I suddenly make everything true all the time.
It's perhaps comforting as a philosophy, but it's pretty bad for functionality.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181988</id>
	<title>Utter Bullshit</title>
	<author>Anonymous</author>
	<datestamp>1266490440000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Whatever is made on human being's hands is prone to have errors, simply put. It's no use to try this ridiculous contract, that'd only make the work-hour more expensive and still, the human factor denies the assurance of error-free software.</p></htmltext>
<tokenext>Whatever is made on human being 's hands is prone to have errors , simply put .
It 's no use to try this ridiculous contract , that 'd only make the work-hour more expensive and still , the human factor denies the assurance of error-free software .</tokentext>
<sentencetext>Whatever is made on human being's hands is prone to have errors, simply put.
It's no use to try this ridiculous contract, that'd only make the work-hour more expensive and still, the human factor denies the assurance of error-free software.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179600</id>
	<title>Good Luck</title>
	<author>epp_b</author>
	<datestamp>1265038560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Good luck actually finding a programmer that will give you code you want at the price you're paying.<br> <br>
Oh, and protection against SQL injection attacks?  That shouldn't be part of a contract; that should be implied.</htmltext>
<tokenext>Good luck actually finding a programmer that will give you code you want at the price you 're paying .
Oh , and protection against SQL injection attacks ?
That should n't be part of a contract ; that should be implied .</tokentext>
<sentencetext>Good luck actually finding a programmer that will give you code you want at the price you're paying.
Oh, and protection against SQL injection attacks?
That shouldn't be part of a contract; that should be implied.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179410</id>
	<title>Background checks are awful and stupid</title>
	<author>Anonymous</author>
	<datestamp>1265037120000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>I am a competent and trustworthy programmer in his late 30s who will fail a background check because I was convicted of something in my mid 30s, something I did when I was a teenager (and still a minor).</p><p>I have, over the years, been given many responsibilities and opportunity to abuse the authority required to discharge those responsibilities. I never once have abused that authority.  If you ask previous co-workers if they consider me honest and trustworthy they will unanimously tell you that I'm one of the most trustworthy people they know.</p><p>I strongly resent the growing prevalence of background checks.  I wasn't convicted of any sort of fraud or theft, but I am rejected anyway.  The sad part is half the time I end up having to tell someone exactly what I was convicted of and why, and they wring their hands over their policy being so stupid but follow it anyway.</p><p>Background checks lead to stupid behavior.  The criminal justice system is only a mediocre to poor arbiter of who is and isn't trustworthy.  Like lie detector tests, you can never pass, only fail.</p></htmltext>
<tokenext>I am a competent and trustworthy programmer in his late 30s who will fail a background check because I was convicted of something in my mid 30s , something I did when I was a teenager ( and still a minor ) .
I have , over the years , been given many responsibilities and opportunity to abuse the authority required to discharge those responsibilities .
I never once have abused that authority .
If you ask previous co-workers if they consider me honest and trustworthy they will unanimously tell you that I 'm one of the most trustworthy people they know .
I strongly resent the growing prevalence of background checks .
I was n't convicted of any sort of fraud or theft , but I am rejected anyway .
The sad part is half the time I end up having to tell someone exactly what I was convicted of and why , and they wring their hands over their policy being so stupid but follow it anyway .
Background checks lead to stupid behavior .
The criminal justice system is only a mediocre to poor arbiter of who is and is n't trustworthy .
Like lie detector tests , you can never pass , only fail .</tokentext>
<sentencetext>I am a competent and trustworthy programmer in his late 30s who will fail a background check because I was convicted of something in my mid 30s, something I did when I was a teenager (and still a minor).
I have, over the years, been given many responsibilities and opportunity to abuse the authority required to discharge those responsibilities.
I never once have abused that authority.
If you ask previous co-workers if they consider me honest and trustworthy they will unanimously tell you that I'm one of the most trustworthy people they know.
I strongly resent the growing prevalence of background checks.
I wasn't convicted of any sort of fraud or theft, but I am rejected anyway.
The sad part is half the time I end up having to tell someone exactly what I was convicted of and why, and they wring their hands over their policy being so stupid but follow it anyway.
Background checks lead to stupid behavior.
The criminal justice system is only a mediocre to poor arbiter of who is and isn't trustworthy.
Like lie detector tests, you can never pass, only fail.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31184034</id>
	<title>Re:Yeah, right.</title>
	<author>Anonymous</author>
	<datestamp>1266507000000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Gross negligence should be penalized.  If you publish a critical, publicly accessible, internet-facing application without even considering any of these 25 issues, it's negligent.</p><p>Another problem is that anyone who can print a business card can call himself a software "developer" or "engineer".  So an additional step might be to stop allowing people who "don't know what they don't know" to publish applications by copying and pasting together code they don't even understand.</p><p>While observing that railroad tracks in my town had not gone underwater during a flood, my father told me they were built to 100-year flood standards.  As a software engineer, my first thought was "Wow, it sounds like someone competent actually designed the tracks. I never see this in software."  He explained that those engineers have to be licensed, which helps to filter out the totally clueless.</p></htmltext>
<tokenext>Gross negligence should be penalized .
If you publish a critical , publicly accessible , internet-facing application without even considering any of these 25 issues , it 's negligent .
Another problem is that anyone who can print a business card can call himself a software " developer " or " engineer " .
So an additional step might be to stop allowing people who " do n't know what they do n't know " to publish applications by copying and pasting together code they do n't even understand .
While observing that railroad tracks in my town had not gone underwater during a flood , my father told me they were built to 100-year flood standards .
As a software engineer , my first thought was " Wow , it sounds like someone competent actually designed the tracks .
I never see this in software .
" He explained that those engineers have to be licensed , which helps to filter out the totally clueless .</tokentext>
<sentencetext>Gross negligence should be penalized.
If you publish a critical, publicly accessible, internet-facing application without even considering any of these 25 issues, it's negligent.
Another problem is that anyone who can print a business card can call himself a software "developer" or "engineer".
So an additional step might be to stop allowing people who "don't know what they don't know" to publish applications by copying and pasting together code they don't even understand.
While observing that railroad tracks in my town had not gone underwater during a flood, my father told me they were built to 100-year flood standards.
As a software engineer, my first thought was "Wow, it sounds like someone competent actually designed the tracks.
I never see this in software.
" He explained that those engineers have to be licensed, which helps to filter out the totally clueless.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179974</id>
	<title>Nice suggestion to...</title>
	<author>zullnero</author>
	<datestamp>1265042040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Hold devs responsible for bugs that creep into code.  Because, after all, we all know that developers always get to work on unlimited time constraints and NEVER have any pressure to cut corners and get something out fast...right?
<br> <br>
If they do that, there has to be a means to defend oneself in that situation, or they're suggesting that unlike any other production industry, the workers would be held accountable for a company's systematic failure to provide an operating environment and schedule that could produce success.  Work a developer 24 hours without paid overtime?  No problem.  After all, if they get delirious and check in some code they were using for testing and were too out of it to remove it and it gets into the final version...and poof...there's a bug, you can sue them for whatever they were paid during 8 hours of that shift.  Or a lot more.  Then, you end up with the legal problem of defining what a proper environment and schedule would be.  After the dust settles, all you'll have is a pile of bureaucracy and a legal mess that will just end up in shafting the developer, and not the management ultimately responsible for the release, in the end...after way too much money and time is spent trying to wade through that mess each time a bug is found in production code.  Ridiculous.</htmltext>
<tokenext>Hold devs responsible for bugs that creep into code .
Because , after all , we all know that developers always get to work on unlimited time constraints and NEVER have any pressure to cut corners and get something out fast...right ?
If they do that , there has to be a means to defend oneself in that situation , or they 're suggesting that unlike any other production industry , the workers would be held accountable for a company 's systematic failure to provide an operating environment and schedule that could produce success .
Work a developer 24 hours without paid overtime ?
No problem .
After all , if they get delirious and check in some code they were using for testing and were too out of it to remove it and it gets into the final version...and poof...there 's a bug , you can sue them for whatever they were paid during 8 hours of that shift .
Or a lot more .
Then , you end up with the legal problem of defining what a proper environment and schedule would be .
After the dust settles , all you 'll have is a pile of bureaucracy and a legal mess that will just end up in shafting the developer , and not the management ultimately responsible for the release , in the end...after way too much money and time is spent trying to wade through that mess each time a bug is found in production code .
Ridiculous .</tokentext>
<sentencetext>Hold devs responsible for bugs that creep into code.
Because, after all, we all know that developers always get to work on unlimited time constraints and NEVER have any pressure to cut corners and get something out fast...right?
If they do that, there has to be a means to defend oneself in that situation, or they're suggesting that unlike any other production industry, the workers would be held accountable for a company's systematic failure to provide an operating environment and schedule that could produce success.
Work a developer 24 hours without paid overtime?
No problem.
After all, if they get delirious and check in some code they were using for testing and were too out of it to remove it and it gets into the final version...and poof...there's a bug, you can sue them for whatever they were paid during 8 hours of that shift.
Or a lot more.
Then, you end up with the legal problem of defining what a proper environment and schedule would be.
After the dust settles, all you'll have is a pile of bureaucracy and a legal mess that will just end up in shafting the developer, and not the management ultimately responsible for the release, in the end...after way too much money and time is spent trying to wade through that mess each time a bug is found in production code.
Ridiculous.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31205896</id>
	<title>Re:Yeah, right.</title>
	<author>Anonymous</author>
	<datestamp>1266582540000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Accountability is also distributed in modern software development. What if the compiler or library has the bug? To what extent do you hold the customer-facing programmer accountable? One could argue that using the standard library is a choice. Yes, but writing your own is much worse. One could likewise argue that any bug is due to not enough testing. Yes, but how much testing will be paid for?</p><p>I have a proposal: programmer finishes solution with minimal testing. Then it's up to the customer to decide how much testing is necessary, what tests are necessary, (pays more accordingly.) The customer shares the accountability.</p></htmltext>
<tokenext>Accountability is also distributed in modern software development .
What if the compiler or library has the bug ?
To what extent do you hold the customer-facing programmer accountable ?
One could argue that using the standard library is a choice .
Yes , but writing your own is much worse .
One could likewise argue that any bug is due to not enough testing .
Yes , but how much testing will be paid for ?
I have a proposal : programmer finishes solution with minimal testing .
Then it 's up to the customer to decide how much testing is necessary , what tests are necessary , ( pays more accordingly . )
The customer shares the accountability .</tokentext>
<sentencetext>Accountability is also distributed in modern software development.
What if the compiler or library has the bug?
To what extent do you hold the customer-facing programmer accountable?
One could argue that using the standard library is a choice.
Yes, but writing your own is much worse.
One could likewise argue that any bug is due to not enough testing.
Yes, but how much testing will be paid for?
I have a proposal: programmer finishes solution with minimal testing.
Then it's up to the customer to decide how much testing is necessary, what tests are necessary, (pays more accordingly.)
The customer shares the accountability.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31183358</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182958</id>
	<title>THE most dangerous error....</title>
	<author>precaheed</author>
	<datestamp>1266501060000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Not commenting code adequately, especially ad hoc debugging fixes, leaving it near-unmaintainable....</p><p>I'm going through this right now..... Bugger. Why not document, please?</p><p>Hit: <a href="http://jamals-massive.blogspot.com/" title="blogspot.com" rel="nofollow">http://jamals-massive.blogspot.com/</a> [blogspot.com] </p></htmltext>
<tokenext>Not commenting code adequately , especially ad hoc debugging fixes , leaving it near-unmaintainable....
I 'm going through this right now.....
Bugger .
Why not document , please ?
Hit : http : //jamals-massive.blogspot.com/ [ blogspot.com ]</tokentext>
<sentencetext>Not commenting code adequately, especially ad hoc debugging fixes, leaving it near-unmaintainable....
I'm going through this right now..... Bugger.
Why not document, please?
Hit: http://jamals-massive.blogspot.com/ [blogspot.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181140</id>
	<title>Number One Error?</title>
	<author>pipingguy</author>
	<datestamp>1266525180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Believing in output when input is garbage is the worst computer-related sin.<br> <br>
I think most of us here understand why this is true.</htmltext>
<tokenext>Believing in output when input is garbage is the worst computer-related sin .
I think most of us here understand why this is true .</tokentext>
<sentencetext>Believing in output when input is garbage is the worst computer-related sin.
I think most of us here understand why this is true.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180600</id>
	<title>Re:Lol @ Dangerous</title>
	<author>shutdown -p now</author>
	<datestamp>1265048940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>A classic buffer overflow is definitely not a "website programming bug", especially considering that most web applications are written in managed languages, in which buffer overflows are non-exploitable (all you get is an error/exception).</p></htmltext>
<tokenext>A classic buffer overflow is definitely not a " website programming bug " , especially considering that most web applications are written in managed languages , in which buffer overflows are non-exploitable ( all you get is an error/exception ) .</tokentext>
<sentencetext>A classic buffer overflow is definitely not a "website programming bug", especially considering that most web applications are written in managed languages, in which buffer overflows are non-exploitable (all you get is an error/exception).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31189434</id>
	<title>The 25 most dangerous programming errors</title>
	<author>metamatic</author>
	<datestamp>1266526500000</datestamp>
	<modclass>None</modclass>
	<modscore>2</modscore>
<htmltext><p>1. PHP.<br>2. Visual BASIC.<br>3. Perl.<br>4. C.<br>5. C++. ...better stop there before I get modded into oblivion.</p></htmltext>
<tokenext>1 . PHP .
2 . Visual BASIC .
3 . Perl .
4 . C .
5 . C + + .
...better stop there before I get modded into oblivion .</tokentext>
<sentencetext>1. PHP.
2. Visual BASIC.
3. Perl.
4. C.
5. C++.
...better stop there before I get modded into oblivion.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31193990</id>
	<title>don't sign that contract</title>
	<author>Anonymous</author>
	<datestamp>1266502080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
<htmltext><p>I was once offered a contract for a software position with a paragraph claiming that I was responsible for making sure my code did not infringe on other companies' IP or patents.</p><p>I told them I was not an expert on the matter and the responsibility was that of the company managers/lawyers. I returned the contract with a line through that paragraph and my initials. They did not hire me... maybe because of the contract changes. But who really cares? I wouldn't work for a company who offloads their legal liability onto their employees.</p><p>side tip: you can rewrite any contract handed to you... even bank account contracts (I have)... and usually they will accept it and file it away. If they don't then you have the option to walk away or suck it up. In that case: walk away!</p></htmltext>
<tokenext>I was once offered a contract for a software position with a paragraph claiming that I was responsible for making sure my code did not infringe on other companies ' IP or patents .
I told them I was not an expert on the matter and the responsibility was that of the company managers/lawyers .
I returned the contract with a line through that paragraph and my initials .
They did not hire me... maybe because of the contract changes .
But who really cares ?
I would n't work for a company who offloads their legal liability onto their employees .
side tip : you can rewrite any contract handed to you... even bank account contracts ( I have ) ... and usually they will accept it and file it away .
If they do n't then you have the option to walk away or suck it up .
In that case : walk away !</tokentext>
<sentencetext>I was once offered a contract for a software position with a paragraph claiming that I was responsible for making sure my code did not infringe on other companies' IP or patents.
I told them I was not an expert on the matter and the responsibility was that of the company managers/lawyers.
I returned the contract with a line through that paragraph and my initials.
They did not hire me... maybe because of the contract changes.
But who really cares?
I wouldn't work for a company who offloads their legal liability onto their employees.
side tip: you can rewrite any contract handed to you... even bank account contracts (I have)... and usually they will accept it and file it away.
If they don't then you have the option to walk away or suck it up.
In that case: walk away!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182816</id>
	<title>Write the Right Stuff...</title>
	<author>hollinch</author>
	<datestamp>1266499860000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>I think most here agree to a certain point. Writing software is impossible without errors. I also feel that holding a gun at the head of a developer in order to 'persuade' him or her to write better code is not going to help. We are after all humans, we need motivation and stimulation in order to get better at what it is we need to do.<br>
<br>
However, what is more important is that the processes surrounding the software that needs to be produced, whether the result of a client requirement or part of a new idea, are sound and help to avoid and remove errors.<br>
<br>
Developers have an obligation to take note of known exploits, known attack vectors, and make sure to avoid these pitfalls. But it is impossible to predict all types of attacks, so the processes that govern the requirement gathering, designing, development, testing and the continued maintenance on the software once released are equally important. The whole organisation is part of that quality and security process, not just the developer. Plus, the cost of the production of the software is a very important consideration.<br>
<br>
In light of this I found the old article about the space shuttle software development extremely interesting. It clearly shows that it IS possible to write near-perfect software, but that has its price. But a well-driven development organisation is in principle capable of producing solid, error-free code, by adjusting the mindset of people and modifying the processes that introduced errors.<br>
<br>
Read it if you don't know it yet, it is a very nice article that I keep in my bookmarks...<br>
<br>
<a href="http://www.fastcompany.com/node/28121/print" title="fastcompany.com" rel="nofollow">http://www.fastcompany.com/node/28121/print</a> [fastcompany.com]</htmltext>
<tokenext>I think most here agree to a certain point .
Writing software is impossible without errors .
I also feel that holding a gun at the head of a developer in order to 'persuade ' him or her to write better code is not going to help .
We are after all humans , we need motivation and stimulation in order to get better at what it is we need to do .
However , what is more important is that the processes surrounding the software that needs to be produced , whether the result of a client requirement or part of a new idea , are sound and help to avoid and remove errors .
Developers have an obligation to take note of known exploits , known attack vectors , and make sure to avoid these pitfalls .
But it is impossible to predict all types of attacks , so the processes that govern the requirement gathering , designing , development , testing and the continued maintenance on the software once released are equally important .
The whole organisation is part of that quality and security process , not just the developer .
Plus , the cost of the production of the software is a very important consideration .
In light of this I found the old article about the space shuttle software development extremely interesting .
It clearly shows that it IS possible to write near-perfect software , but that has its price .
But a well-driven development organisation is in principle capable of producing solid , error-free code , by adjusting the mindset of people and modifying the processes that introduced errors .
Read it if you do n't know it yet , it is a very nice article that I keep in my bookmarks.. . http : //www.fastcompany.com/node/28121/print [ fastcompany.com ]</tokentext>
<sentencetext>I think most here agree to a certain point.
Writing software is impossible without errors.
I also feel that holding a gun at the head of a developer in order to 'persuade' him or her to write better code is not going to help.
We are after all humans, we need motivation and stimulation in order to get better at what it is we need to do.
However, what is more important is that the processes surrounding the software that needs to be produced, whether the result of a client requirement or part of a new idea, are sound and help to avoid and remove errors.
Developers have an obligation to take note of known exploits, known attack vectors, and make sure to avoid these pitfalls.
But it is impossible to predict all types of attacks, so the processes that govern the requirement gathering, designing, development, testing and the continued maintenance on the software once released are equally important.
The whole organisation is part of that quality and security process, not just the developer.
Plus, the cost of the production of the software is a very important consideration.
In light of this I found the old article about the space shuttle software development extremely interesting.
It clearly shows that it IS possible to write near-perfect software, but that has its price.
But a well-driven development organisation is in principle capable of producing solid, error-free code, by adjusting the mindset of people and modifying the processes that introduced errors.
Read it if you don't know it yet, it is a very nice article that I keep in my bookmarks...

http://www.fastcompany.com/node/28121/print [fastcompany.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180062</id>
	<title>Actions speak louder than words</title>
	<author>nick_davison</author>
	<datestamp>1265042880000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>"As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,"</p></div><p>And, as a consumer, you have the power to influence vendors to provide better employment and buying practices by letting them know that they are important to you.</p><p>Meanwhile, the vast majority of America continues to shop at Walmart whilst every competitor goes out of business.</p><p>"Does it get the job done? Now what's the cheapest I can get it for?" is most people's primary motivation.</p><p>Sellers, who listen to them saying, "I want security!" and deliver that, at the expense of greater cost, are then left wondering why the competitor who did just enough to avoid standing out on security but otherwise kept their product slightly cheaper is selling many times more copies.</p><p>So, yes, people can influence sellers with their actions. The problem is, it needs to be their actions, not their words. Even worse, they're already successfully doing just that - unfortunately, their actions are screaming something quite different to any words about, "Security is truly important to me."</p>
	</htmltext>
<tokenext>" As a customer , you have the power to influence vendors to provide more secure products by letting them know that security is important to you , "
And , as a consumer , you have the power to influence vendors to provide better employment and buying practices by letting them know that they are important to you .
Meanwhile , the vast majority of America continues to shop at Walmart whilst every competitor goes out of business .
" Does it get the job done ? Now what 's the cheapest I can get it for ? " is most people 's primary motivation .
Sellers , who listen to them saying , " I want security ! " and deliver that , at the expense of greater cost , are then left wondering why the competitor who did just enough to avoid standing out on security but otherwise kept their product slightly cheaper is selling many times more copies .
So , yes , people can influence sellers with their actions .
The problem is , it needs to be their actions , not their words .
Even worse , they 're already successfully doing just that - unfortunately , their actions are screaming something quite different to any words about , " Security is truly important to me . "</tokentext>
<sentencetext>"As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,"
And, as a consumer, you have the power to influence vendors to provide better employment and buying practices by letting them know that they are important to you.
Meanwhile, the vast majority of America continues to shop at Walmart whilst every competitor goes out of business.
"Does it get the job done? Now what's the cheapest I can get it for?" is most people's primary motivation.
Sellers, who listen to them saying, "I want security!" and deliver that, at the expense of greater cost, are then left wondering why the competitor who did just enough to avoid standing out on security but otherwise kept their product slightly cheaper is selling many times more copies.
So, yes, people can influence sellers with their actions.
The problem is, it needs to be their actions, not their words.
Even worse, they're already successfully doing just that - unfortunately, their actions are screaming something quite different to any words about, "Security is truly important to me."</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179426</id>
	<title>Oh, you mean VENDORs, not DEVELOPERs</title>
	<author>Jason Pollock</author>
	<datestamp>1265037240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>When you say "developer", I think individual employee.  However, the individual employee isn't around long enough, the project validation will more than likely happen after the majority of them have finished, taken their final pay and left.</p><p>As for the actual contract?  It reads like lawyer bait.</p><p>
&nbsp; &nbsp; Consistent with the provisions of this Contract, the Vendor shall use the highest applicable industry standards for sound secure software development practices to resolve critical<br>
&nbsp; &nbsp; security issues as quickly as possible. The "highest applicable industry standards" shall be defined as the degree of care, skill, efficiency, and diligence that a prudent person<br>
&nbsp; &nbsp; possessing technical expertise in the subject area and acting in a like capacity would exercise in similar circumstances.</p><p>And finally, background checks?  Seriously?  Only if you want it to take 6+ months for me to hire someone.</p></htmltext>
<tokenext>When you say " developer " , I think individual employee .
However , the individual employee is n't around long enough , the project validation will more than likely happen after the majority of them have finished , taken their final pay and left .
As for the actual contract ?
It reads like lawyer bait .
Consistent with the provisions of this Contract , the Vendor shall use the highest applicable industry standards for sound secure software development practices to resolve critical security issues as quickly as possible .
The " highest applicable industry standards " shall be defined as the degree of care , skill , efficiency , and diligence that a prudent person possessing technical expertise in the subject area and acting in a like capacity would exercise in similar circumstances .
And finally , background checks ?
Seriously ?
Only if you want it to take 6 + months for me to hire someone .</tokentext>
<sentencetext>When you say "developer", I think individual employee.
However, the individual employee isn't around long enough, the project validation will more than likely happen after the majority of them have finished, taken their final pay and left.
As for the actual contract?
It reads like lawyer bait.
Consistent with the provisions of this Contract, the Vendor shall use the highest applicable industry standards for sound secure software development practices to resolve critical security issues as quickly as possible.
The "highest applicable industry standards" shall be defined as the degree of care, skill, efficiency, and diligence that a prudent person possessing technical expertise in the subject area and acting in a like capacity would exercise in similar circumstances.
And finally, background checks?
Seriously?
Only if you want it to take 6+ months for me to hire someone.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31195314</id>
	<title>Re:Therac-25</title>
	<author>Anonymous</author>
	<datestamp>1266510780000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I'm glad that you mentioned this. Very famous case where a bug caused actual *deaths*. Every software engineer should read about this story.</p><p>- Dominic Michael Salemno</p></htmltext>
<tokenext>I 'm glad that you mentioned this .
Very famous case where a bug caused actual * deaths * .
Every software engineer should read about this story .
- Dominic Michael Salemno</tokentext>
<sentencetext>I'm glad that you mentioned this.
Very famous case where a bug caused actual *deaths*.
Every software engineer should read about this story.
- Dominic Michael Salemno</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179666</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179678</id>
	<title>Wow! It's actually an accurate and useful list!</title>
	<author>deisama</author>
	<datestamp>1265039520000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>So, I clicked the link expecting something similar to the slashdot description and was shocked to find a real and relevant list!</p><p>Cross site scripting? sql injection? buffer overflow errors? Those are real problems and issues that any programmers would do well to learn about.</p><p>Really, presenting that information almost makes Slashdot seem, well ... responsible and informative.</p><p>I wonder if I just went to the wrong site...</p></htmltext>
<tokenext>So , I clicked the link expecting something similar to the slashdot description and was shocked to find a real and relevant list !
Cross site scripting ?
sql injection ?
buffer overflow errors ?
Those are real problems and issues that any programmers would do well to learn about .
Really , presenting that information almost makes Slashdot seem , well ... responsible and informative .
I wonder if I just went to the wrong site ...</tokentext>
<sentencetext>So, I clicked the link expecting something similar to the slashdot description and was shocked to find a real and relevant list!
Cross site scripting?
sql injection?
buffer overflow errors?
Those are real problems and issues that any programmers would do well to learn about.
Really, presenting that information almost makes Slashdot seem, well ... responsible and informative.
I wonder if I just went to the wrong site...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179442</id>
	<title>They missed one</title>
	<author>sayfawa</author>
	<datestamp>1265037360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I didn't see <a href="http://www.boingboing.net/2009/10/09/c-graffiti.html" title="boingboing.net">this</a> [boingboing.net] one in there... I once typed it into some code by accident. It's more common than you'd expect.</htmltext>
<tokenext>I did n't see this [ boingboing.net ] one in there... I once typed it into some code by accident .
It 's more common than you 'd expect .</tokentext>
<sentencetext>I didn't see this [boingboing.net] one in there... I once typed it into some code by accident.
It's more common than you'd expect.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182796</id>
	<title>Re:The most dangerous C programming error</title>
	<author>omuls are tasty</author>
	<datestamp>1266499680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Here's a bulletproof way of fixing that:</p><p>

<tt>
typedef enum {red, yellow, green} color;
</tt></p></htmltext>
<tokenext>Here 's a bulletproof way of fixing that : typedef enum { red , yellow , green } color ;</tokentext>
<sentencetext>Here's a bulletproof way of fixing that:
typedef enum {red, yellow, green} color;</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31197524</id>
	<title>Preventing buffer overruns in compiler</title>
	<author>dmhayden</author>
	<datestamp>1266581220000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>I believe that most buffer overrun exploits work by overwriting a function's return address on the stack.  These could be largely avoided by the compiler using either of two techniques.  First, it could grow the stack into higher numbered addresses and store the return address first.  Now if the code allows a buffer overrun, it will overrun the local variables and spill into the available stack space.  In both cases, the chances of finding a function pointer are small.  In contrast, if you grow the stack into smaller numbered addresses, then a buffer overrun has pretty much 100% chance to overwrite a code pointer (the return address).</p><p>The other technique is to use two stacks, one for the return addresses and another for the parameters/return values. Same idea though: move the return address out of the way of the overflowed buffer.</p></htmltext>
<tokenext>I believe that most buffer overrun exploits work by overwriting a function 's return address on the stack .
These could be largely avoided by the compiler using either of two techniques .
First , it could grow the stack into higher numbered addresses and store the return address first .
Now if the code allows a buffer overrun , it will overrun the local variables and spill into the available stack space .
In both cases , the chances of finding a function pointer are small .
In contrast , if you grow the stack into smaller numbered addresses , then a buffer overrun has pretty much 100 % chance to overwrite a code pointer ( the return address ) .
The other technique is to use two stacks , one for the return addresses and another for the parameters/return values .
Same idea though : move the return address out of the way of the overflowed buffer .</tokentext>
<sentencetext>I believe that most buffer overrun exploits work by overwriting a function's return address on the stack.
These could be largely avoided by the compiler using either of two techniques.
First, it could grow the stack into higher numbered addresses and store the return address first.
Now if the code allows a buffer overrun, it will overrun the local variables and spill into the available stack space.
In both cases, the chances of finding a function pointer are small.
In contrast, if you grow the stack into smaller numbered addresses, then a buffer overrun has pretty much 100% chance to overwrite a code pointer (the return address).
The other technique is to use two stacks, one for the return addresses and another for the parameters/return values.
Same idea though: move the return address out of the way of the overflowed buffer.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181818</id>
	<title>When I were a lad...</title>
	<author>Anonymous</author>
	<datestamp>1266488820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>At school we would write programs (mostly silly adventure game style things) in QBasic and share them with the whole school on an unsecured hard drive attached to the main server. I once added a few lines of code that went something like 150 PRINT My name is Adam and I like willy 160 GOTO 150 to a friend's game. Happy times.</htmltext>
<tokenext>At school we would write programs ( mostly silly adventure game style things ) in QBasic and share them with the whole school on an unsecured hard drive attached to the main server .
I once added a few lines of code that went something like 150 PRINT My name is Adam and I like willy 160 GOTO 150 to a friend 's game .
Happy times .</tokentext>
<sentencetext>At school we would write programs (mostly silly adventure game style things) in QBasic and share them with the whole school on an unsecured hard drive attached to the main server.
I once added a few lines of code that went something like 150 PRINT My name is Adam and I like willy 160 GOTO 150 to a friend's game.
Happy times.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181014</id>
	<title>Re:Yeah, right.</title>
	<author>starfishsystems</author>
	<datestamp>1265054280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>This is why Bruce Schneier predicts that the pressure for code assurance will ultimately be brought by insurers, because it's a matter of risk management, which is what insurers offer.
<br> <br>
Just like an insurer will not offer a policy on an uncertified structure, the day may come when insurers will not indemnify for losses involving the use of uncertified software.</htmltext>
<tokenext>This is why Bruce Schneier predicts that the pressure for code assurance will ultimately be brought by insurers , because it 's a matter of risk management , which is what insurers offer .
Just like an insurer will not offer a policy on an uncertified structure , the day may come when insurers will not indemnify for losses involving the use of uncertified software .</tokentext>
<sentencetext>This is why Bruce Schneier predicts that the pressure for code assurance will ultimately be brought by insurers, because it's a matter of risk management, which is what insurers offer.
Just like an insurer will not offer a policy on an uncertified structure, the day may come when insurers will not indemnify for losses involving the use of uncertified software.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179408</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180000</id>
	<title>Did any of these kill?? Re:Just Show Me the List!!</title>
	<author>davidwr</author>
	<datestamp>1265042340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Any bugs that resulted in a human death move to the front of the line.</p><p>Defective automobile braking and accelerator systems perhaps?  Medical equipment that delivered too much radiation due to a software error (vs. machine-operator error)?</p></htmltext>
<tokenext>Any bugs that resulted in a human death move to the front of the line .
Defective automobile braking and accelerator systems perhaps ?
Medical equipment that delivered too much radiation due to a software error ( vs. machine-operator error ) ?</tokentext>
<sentencetext>Any bugs that resulted in a human death move to the front of the line.
Defective automobile braking and accelerator systems perhaps?
Medical equipment that delivered too much radiation due to a software error (vs. machine-operator error)?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181046</id>
	<title>Heh, got em!</title>
	<author>Anonymous</author>
	<datestamp>1266523800000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I'm in the process of building a web site.  Based on past experience, I wanted to make sure that I could knock out SQL injection.  I also made sure that I covered buffer overflows and cross site scripting.  Then along comes this Slashdot article and BANG!  I realise I've covered the top 3.  Now all I need to worry about are 4-49, and I'm good to go.</p></htmltext>
<tokenext>I 'm in the process of building a web site .
Based on past experience , I wanted to make sure that I could knock out SQL injection .
I also made sure that I covered buffer overflows and cross site scripting .
Then along comes this Slashdot article and BANG !
I realise I 've covered the top 3 .
Now all I need to worry about are 4-49 , and I 'm good to go .</tokentext>
<sentencetext>I'm in the process of building a web site.
Based on past experience, I wanted to make sure that I could knock out SQL injection.
I also made sure that I covered buffer overflows and cross site scripting.
Then along comes this Slashdot article and BANG!
I realise I've covered the top 3.
Now all I need to worry about are 4-49, and I'm good to go.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842</id>
	<title>Re:Yeah, right.</title>
	<author>Have Brain Will Rent</author>
	<datestamp>1265051520000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><blockquote><div><p>this is about making someone accountable.</p></div>
</blockquote><p>

Exactly. Why do you see that as a bad thing? Suppose instead of "contract" we say "these are the design/coding standards at this company and as an employee of this company you are required to follow them. If you don't then we will penalize you." What exactly is wrong with that?<br> <br>

For the last umpteen years, in all sorts of venues social and professional, I've been seeing accountability become more and more denigrated and dismissed. "Oh let's not play the blame game!" What the hell is wrong with people that they <i>don't</i> want accountability from others?</p>
	</htmltext>
<tokenext>this is about making someone accountable .
Exactly. Why do you see that as a bad thing ?
Suppose instead of " contract " we say " these are the design/coding standards at this company and as an employee of this company you are required to follow them .
If you do n't then we will penalize you .
" What exactly is wrong with that ?
For the last umpteen years , in all sorts of venues social and professional , I 've been seeing accountability become more and more denigrated and dismissed .
" Oh let 's not play the blame game !
" What the hell is wrong with people that they do n't want accountability from others ?</tokentext>
<sentencetext>this is about making someone accountable.
Exactly. Why do you see that as a bad thing?
Suppose instead of "contract" we say "these are the design/coding standards at this company and as an employee of this company you are required to follow them.
If you don't then we will penalize you.
" What exactly is wrong with that?
For the last umpteen years, in all sorts of venues social and professional, I've been seeing accountability become more and more denigrated and dismissed.
"Oh let's not play the blame game!
" What the hell is wrong with people that they don't want accountability from others?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31211536</id>
	<title>Re:Background checks are awful and stupid</title>
	<author>Anonymous</author>
	<datestamp>1266694680000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>Fact: child molesters have the lowest recidivism rate of all convicts. I don't know how you define "too high", though. Perhaps it's any rate &gt; 0%?  I also enjoy punishing the majority for the mistakes of the minority.  It's kind of "my thing".</p><p>- Despot</p></htmltext>
<tokenext>Fact : child molesters have the lowest recidivism rate of all convicts .
I do n't know how you define " too high " , though .
Perhaps it 's any rate &gt; 0 \ % ?
I also enjoy punishing the majority for the mistakes of the minority .
It 's kind of " my thing " .- Despot</tokentext>
<sentencetext>Fact: child molesters have the lowest recidivism rate of all convicts.
I don't know how you define "too high", though.
Perhaps it's any rate &gt; 0\%?
I also enjoy punishing the majority for the mistakes of the minority.
It's kind of "my thing".- Despot</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31191946</id>
	<title>Re:The most dangerous C programming error</title>
	<author>Anonymous</author>
	<datestamp>1266491040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Flip the comparison. "if (red = alert_code)" will cause a compiler error, assuming red is a value.<br>i.e.:<br>if ( 1 = i )<br>will cause the compiler to catch your mistakes.</p></htmltext>
<tokenext>Flip the comparison .
" if ( red = alert \ _code ) " will cause a compiler error , assuming red is a value.IE : if ( 1 = i ) will cause the compiler to catch your mistakes .</tokentext>
<sentencetext>Flip the comparison.
"if (red = alert\_code)" will cause a compiler error, assuming red is a value.IE:if ( 1 = i )will cause the compiler to catch your mistakes.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179914</id>
	<title>Show me</title>
	<author>hoytak</author>
	<datestamp>1265041500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>a programmer who doesn't get bitten by race conditions on occasion, and I'll show you one who doesn't program more than basic multithreaded code.</p><p>A good programmer is a good debugger...</p></htmltext>
<tokenext>a programmer who does n't get bitten by race conditions on occasion , and I 'll show you one who does n't program more than basic multithreaded code.A good programmer is a good debugger.. .</tokentext>
<sentencetext>a programmer who doesn't get bitten by race conditions on occasion, and I'll show you one who doesn't program more than basic multithreaded code.A good programmer is a good debugger...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762</id>
	<title>The most dangerous C programming error</title>
	<author>Anonymous</author>
	<datestamp>1265050620000</datestamp>
	<modclass>Funny</modclass>
	<modscore>5</modscore>
	<htmltext><tt>if (alert_code = red)<br>&nbsp; &nbsp;launch_missles ();</tt></htmltext>
<tokenext>if ( alert \ _code = red )     launch \ _missles ( ) ;</tokentext>
<sentencetext>if (alert\_code = red)   launch\_missles ();</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31196138</id>
	<title>Re:Lol @ Dangerous</title>
	<author>Verity_Crux</author>
	<datestamp>1266520980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>My roommate is a pilot. They wouldn't let him carry on his fingernail clippers last week. It must be common temptation for pilots to cut their fingernails mid-flight. (I agree that those of us writing transportation control software have a lot more at stake. If I wanted to manipulate the website on purpose I suppose I could forward myself some credit cards and passwords. That's still a level below accidentally accelerating when we intended to decelerate.)</htmltext>
<tokenext>My roommate is a pilot .
They would n't let him carry on his fingernail clippers last week .
It must be common temptation for pilots to cut their fingernails mid-flight .
( I agree that those of us writing transportation control software have a lot more at stake .
If I wanted to manipulate the website on purpose I suppose I could forward myself some credit cards and passwords .
That 's still a level below accidentally accelerating when we intended to decelerate .
)</tokentext>
<sentencetext>My roommate is a pilot.
They wouldn't let him carry on his fingernail clippers last week.
It must be common temptation for pilots to cut their fingernails mid-flight.
(I agree that those of us writing transportation control software have a lot more at stake.
If I wanted to manipulate the website on purpose I suppose I could forward myself some credit cards and passwords.
That's still a level below accidentally accelerating when we intended to decelerate.
)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181784</id>
	<title>Wrong way of putting it!</title>
	<author>Der PC</author>
	<datestamp>1266488460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I wish the original poster (and everyone else using these terms) would stop doing so.<br>

There is <b>no such thing</b> as "bugs". There are programming errors and programmer mistakes.<br>

And "bugs" (a.k.a. programming errors) <b>absolutely do not</b> "creep into the code"!<br>

This terminology has made for a bunch of apologetic imbecile programmers that blame their errors on the position of the stars or the foulness of their neighbours' farts. They by no means convey the reality of the situation.<br>

I am a computer scientist, and I stand by every <i>programming mistake</i> I make.</htmltext>
<tokenext>I wish the original poster ( and everyone else using these terms ) would stop doing so .
There are no such thing as " bugs " .
There are programming errors and programmer mistakes .
And " bugs " ( aka .
programming errors ) do absolutely not " creep into the code " !
This terminology has made for a bunch of apologetic imbecile programmers that blame their errors on the position of the stars or the foulness of their neighbours farts .
They do by no means convey the reality of the situation .
I am a computer scientist , and I stand by every programming mistake I make .</tokentext>
<sentencetext>I wish the original poster (and everyone else using these terms) would stop doing so.
There are no such thing as "bugs".
There are programming errors and programmer mistakes.
And "bugs" (aka.
programming errors) do absolutely not "creep into the code"!
This terminology has made for a bunch of apologetic imbecile programmers that blame their errors on the position of the stars or the foulness of their neighbours farts.
They do by no means convey the reality of the situation.
I am a computer scientist, and I stand by every programming mistake I make.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181094</id>
	<title>Re:Misplaced Burden</title>
	<author>grumbel</author>
	<datestamp>1266524580000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>And let's not forget to put some blame on the OS. If the OS provided a framework to properly isolate applications from each other, most exploits would simply turn into a harmless denial of service. I couldn't care less if a broken PDF crashes the PDF reader, but if that broken PDF can get access to my whole system, something is seriously wrong with the underlying OS. There is no reason why a PDF reader, web browser or most other tools should ever need access to my whole system. Access to a window to draw their stuff, access to the data they need (i.e. just the byte-stream, not the filesystem) and to a location to store their config data would be enough for most applications, yet instead they get access to everything that a user account can reach.</p><p>There is some slow progress happening in that area with AppArmor and such, but we are still quite far away from having a native application be as secure as a Flash app or a Java Applet by default. And yes, those aren't 100% safe either, but there is a difference between being secure and having an exploit every now and then, and providing no security whatsoever from the start.</p></htmltext>
<tokenext>And lets not forget to put some blame on the OS .
If the OS would provided a framework to properly isolate applications from each other most exploids would simply turn into a harmless denial of service .
I could n't care less if a broken PDF crashes the PDF reader , but I if that broken PDF can get access to my whole system something is seriously wrong with the underlying OS .
There is no reason why a PDF reader , webbrowser or most other tools should ever need access to my whole system .
Access to a window to draw their stuff , access to the data they need ( i.e .
just the byte-stream , not the filesystem ) and to a location to store their config data would be enough for most applications , yet instead they get access to everything that a user account can reach.There is happening some slow progress in that area with AppArmor and such , but we are still quite far away from having a native application be as secure a Flash app or a Java Applet by default .
And yes , those are n't 100 \ % safe either , but there is a different between being secure and having an exploid every now and then and providing no security whatsoever from the start .</tokentext>
<sentencetext>And lets not forget to put some blame on the OS.
If the OS would provided a framework to properly isolate applications from each other most exploids would simply turn into a harmless denial of service.
I couldn't care less if a broken PDF crashes the PDF reader, but I if that broken PDF can get access to my whole system something is seriously wrong with the underlying OS.
There is no reason why a PDF reader, webbrowser or most other tools should ever need access to my whole system.
Access to a window to draw their stuff, access to the data they need (i.e.
just the byte-stream, not the filesystem) and to a location to store their config data would be enough for most applications, yet instead they get access to everything that a user account can reach.There is happening some slow progress in that area with AppArmor and such, but we are still quite far away from having a native application be as secure a Flash app or a Java Applet by default.
And yes, those aren't 100\% safe either, but there is a different between being secure and having an exploid every now and then and providing no security whatsoever from the start.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179472</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179666</id>
	<title>Therac-25</title>
	<author>SemperUbi</author>
	<datestamp>1265039340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Bad programming for a radiation therapy machine caused it to emit 100 times the radiation dose after certain keystrokes, burning patients badly and killing some of them.  Wikipedia has the root cause analysis.</htmltext>
<tokenext>Bad programming for a radiation therapy machine caused it to emit 100 times the radiation dose after certain keystrokes , burning patients badly and killing some of them .
Wikipedia has the root cause analysis .</tokentext>
<sentencetext>Bad programming for a radiation therapy machine caused it to emit 100 times the radiation dose after certain keystrokes, burning patients badly and killing some of them.
Wikipedia has the root cause analysis.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180342</id>
	<title>Re:Just Show Me the List!!</title>
	<author>nprz</author>
	<datestamp>1265045700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Looking at <a href="http://cwe.mitre.org/data/definitions/22.html#Related_Attack_Patterns" title="mitre.org" rel="nofollow">http://cwe.mitre.org/data/definitions/22.html#Related_Attack_Patterns</a> [mitre.org], I wonder who generated their examples:</p><p><div class="quote"><p>The program would generate a profile pathname like this: /users/cwe/profiles/../../../etc/passwd</p><p>When the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file: /etc/passwd</p><p>As a result, the attacker could read the entire text of the password file.</p></div><p>Big fucking deal of the attacker reading the passwd file. On my machine, it is 644 and I'm pretty sure it needs to be readable to function.<br>Maybe if they wrote shadow file, I'd give them more credit.</p></div>
	</htmltext>
<tokenext>Looking at http : //cwe.mitre.org/data/definitions/22.html # Related \ _Attack \ _Patterns [ mitre.org ] , I wonder who generated their examples : The program would generate a profile pathname like this : /users/cwe/profiles/../../../etc/passwdWhen the file is opened , the operating system resolves the " ../ " during path canonicalization and actually accesses this file : /etc/passwdAs a result , the attacker could read the entire text of the password file.Big fucking deal of the attacker reading the passwd file .
On my machine , it is 644 and I 'm pretty sure it needs to be readable to function.Maybe if they wrote shadow file , I 'd give them more credit .</tokentext>
<sentencetext>Looking at http://cwe.mitre.org/data/definitions/22.html#Related\_Attack\_Patterns [mitre.org], I wonder who generated their examples:The program would generate a profile pathname like this: /users/cwe/profiles/../../../etc/passwdWhen the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file: /etc/passwdAs a result, the attacker could read the entire text of the password file.Big fucking deal of the attacker reading the passwd file.
On my machine, it is 644 and I'm pretty sure it needs to be readable to function.Maybe if they wrote shadow file, I'd give them more credit.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558</parent>
</comment>
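The CWE-22 text quoted by nprz above explains the mechanism: the operating system collapses each "../" during path canonicalization, so a profile name supplied by the client can name a file outside the profile directory. The C example below is added here and is not code from the comment, from MITRE's page or from any project. It normalizes a path lexically the same way, then accepts a profile name only if the result still lies beneath /users/cwe/profiles (the root used in the quoted example). The function names and the sample profile names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Root under which profile files live; taken from the CWE-22 example
 * quoted in the comment above. */
#define PROFILE_ROOT "/users/cwe/profiles"

/* Lexically resolve "." and ".." segments of an absolute path into out
 * (size outlen), the way the OS collapses "../" during canonicalization.
 * Returns 0 on success, -1 if path is not absolute or the result does not
 * fit. "/a/b/../c" becomes "/a/c"; ".." above the root stays at "/". */
int normalize_path(const char *path, char *out, size_t outlen)
{
    size_t len = 1;            /* out always starts with "/" */
    const char *p = path;

    if (path[0] != '/' || outlen < 2)
        return -1;
    out[0] = '/';
    while (*p) {
        const char *seg;
        size_t seglen, need;

        while (*p == '/')      /* skip a run of separators */
            p++;
        if (*p == '\0')
            break;
        seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;          /* "." changes nothing */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (len > 1 && out[len - 1] != '/')
                len--;         /* drop the last segment ... */
            if (len > 1)
                len--;         /* ... and the separator before it */
            continue;
        }
        need = (len == 1 ? 0 : 1) + seglen;   /* "/" + segment, unless at root */
        if (len + need + 1 > outlen)
            return -1;
        if (len != 1)
            out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
    }
    out[len] = '\0';
    return 0;
}

/* Join PROFILE_ROOT "/" name, normalize it, and accept it only if the
 * result names something strictly beneath PROFILE_ROOT. Returns 0 and
 * writes the safe path to out, or -1 if the name escapes the root,
 * resolves to the root itself, or does not fit. */
int resolve_profile(const char *name, char *out, size_t outlen)
{
    char joined[512];
    size_t rootlen = strlen(PROFILE_ROOT);

    if (snprintf(joined, sizeof joined, "%s/%s", PROFILE_ROOT, name) >= (int)sizeof joined)
        return -1;
    if (normalize_path(joined, out, outlen) != 0)
        return -1;
    /* Prefix match plus a separator, so "/users/cwe/profiles2" and the
     * root directory itself are both rejected. */
    if (strncmp(out, PROFILE_ROOT, rootlen) != 0 || out[rootlen] != '/')
        return -1;
    return 0;
}

int main(void)
{
    char path[256];
    const char *names[] = { "alice", "../../../etc/passwd", "./bob/../carol" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = resolve_profile(names[i], path, sizeof path);
        printf("%-22s -> %s\n", names[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Lexical normalization only sees the string; it cannot see symbolic links, so on a real system the check belongs next to the open (for instance by comparing realpath() of the opened file against the root, or by opening relative to a directory descriptor) rather than being the sole control.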
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31188130</id>
	<title>Re:Lol @ Dangerous</title>
	<author>Capt.Albatross</author>
	<datestamp>1266522780000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>That is because the referenced article is about security (you cannot tell this from the title alone, but it is clear from the context in which the original appears.) It does not address design or semantic errors, so the 'chip &amp; pin is broken' issue from yesterday would not be a candidate, and the chosen errors are weighted by frequency of occurrence. All in all, it is a pretty narrow scope for such a grandiose title.</htmltext>
<tokenext>That is because the referenced article is about security ( you can not tell this from the title alone , but it is clear from the context in which the original appears .
) It does not address design or semantic errors , so the 'chip &amp; pin is broken ' issue from yesterday would not be a candidate , and the chosen errors are weighted by frequency of occurrence .
All in all , it is a pretty narrow scope for such a grandiose title .</tokentext>
<sentencetext>That is because the referenced article is about security (you cannot tell this from the title alone, but it is clear from the context in which the original appears.
) It does not address design or semantic errors, so the 'chip &amp; pin is broken' issue from yesterday would not be a candidate, and the chosen errors are weighted by frequency of occurrence.
All in all, it is a pretty narrow scope for such a grandiose title.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958</id>
	<title>Lol @ Dangerous</title>
	<author>JustNiz</author>
	<datestamp>1265041920000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>I work as a software developer in the avionics industry.<br>This list is ridiculous.<br>There's nothing any website programmer could do that is even remotely dangerous compared to what we could screw up yet all I see in the list are website programming bugs.</p></htmltext>
<tokenext>I work as a software developer in the avionics industry.This list is ridiculous.There 's nothing any website programmer could do that is even remotely dangerous compared to what we could screw up yet all I see in the list are website programming bugs .</tokentext>
<sentencetext>I work as a software developer in the avionics industry.This list is ridiculous.There's nothing any website programmer could do that is even remotely dangerous compared to what we could screw up yet all I see in the list are website programming bugs.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31185036</id>
	<title>25 errors - just good enough</title>
	<author>Anonymous</author>
	<datestamp>1266511080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>This goes against the business practice<br>of "just good enough".  If you want the bugs fixed,<br>the contract value would have to go up 5X or more.</p><p>I'm sure businesses would appreciate that !</p></htmltext>
<tokenext>This goes against the business practiceof " just good enough " .
If you want the bugs fixed,the contract value would have to go up 5X or more.I 'm sure businesses would appreciate that !</tokentext>
<sentencetext>This goes against the business practiceof "just good enough".
If you want the bugs fixed,the contract value would have to go up 5X or more.I'm sure businesses would appreciate that !</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31183582</id>
	<title>Re:The most dangerous C programming error</title>
	<author>geminidomino</author>
	<datestamp>1266504720000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p>//Fixed.</p><p>void le_nap(void)<br>{<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sleep(500);<br>}</p><p>if (alert_code = red)<br>{<br>
&nbsp; &nbsp; &nbsp; if (le_tired)  le_nap();<br>
&nbsp; &nbsp; &nbsp; launch_missles ();<br>}</p></htmltext>
<tokenext>//Fixed.void le \ _nap ( void ) {           sleep 500 ; } if ( alert \ _code = red ) {       if ( le \ _tired ) le \ _nap ;       launch \ _missles ( ) ; }</tokentext>
<sentencetext>//Fixed.void le\_nap(void){
          sleep 500;}if (alert\_code = red){
      if (le\_tired)  le\_nap;
      launch\_missles ();}</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420</id>
	<title>Re:Yeah, right.</title>
	<author>Mr Thinly Sliced</author>
	<datestamp>1265037180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Yep, this isn't about removing vulnerabilities or improving quality - this is about making someone accountable.</p><p>Having a contract where the developer is made liable? This is management blame-storming at its finest.</p></htmltext>
<tokenext>Yep this is n't about removing vulnerabilities or improving quality - this is about making someone accountable.Having a countract where the developer is made liable ?
This is management blame-storming at it 's finest .</tokentext>
<sentencetext>Yep this isn't about removing vulnerabilities or improving quality - this is about making someone accountable.Having a countract where the developer is made liable?
This is management blame-storming at it's finest.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179696</id>
	<title>Post a link to the actual list</title>
	<author>Anonymous</author>
	<datestamp>1265039580000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Instead of articles *about* the list, go to http://cwe.mitre.org/top25/.</p></htmltext>
<tokenext>Instead of articles * about * the list , go to http : //cwe.mitre.org/top25/ .</tokentext>
<sentencetext>Instead of articles *about* the list, go to http://cwe.mitre.org/top25/.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187714</id>
	<title>Sure, I'll take liability</title>
	<author>geminidomino</author>
	<datestamp>1266521400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I'll take liability, when the industry changes enough that I can say "No, you can't have that" when the client asks for something stupid, and the end result is not me moving to a fulfilling career as a wal-mart greeter.</p></htmltext>
<tokenext>I 'll take liability , when the industry changes enough that I can say " No , you ca n't have that " when the client asks for something stupid , and the end result is not me moving to a fulfilling career as a wal-mart greeter .</tokentext>
<sentencetext>I'll take liability, when the industry changes enough that I can say "No, you can't have that" when the client asks for something stupid, and the end result is not me moving to a fulfilling career as a wal-mart greeter.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179472</id>
	<title>Misplaced Burden</title>
	<author>Anonymous</author>
	<datestamp>1265037540000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><p>The way to prevent most of these types of errors is to fix the programming language.  A modern high-level language simply should not allow most of these things to happen.  Any such language which does needs to be either fixed or discarded.</p><p>Yes, for low-level work you need languages without such safeguards.  But for the rest of development work, the compiler/interpreter/runtime environment should prevent even the most careless of programming from making most of their errors.</p></htmltext>
<tokenext>The way to prevent most of these types of errors is to fix the programming language .
A modern high-level language simply should not allow most of these things to happen .
Any such language which does needs to be either fixed or discarded.Yes , for low-level work you need languages without such safeguards .
But for the rest of development work , the compiler/interpreter/runtime environment should prevent even the most careless of programming from making most of there errors .</tokentext>
<sentencetext>The way to prevent most of these types of errors is to fix the programming language.
A modern high-level language simply should not allow most of these things to happen.
Any such language which does needs to be either fixed or discarded.Yes, for low-level work you need languages without such safeguards.
But for the rest of development work, the compiler/interpreter/runtime environment should prevent even the most careless of programming from making most of there errors.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187070</id>
	<title>Re:The most dangerous C programming error</title>
	<author>cain</author>
	<datestamp>1266519180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>if (alert_code = red)<br>
&nbsp; &nbsp; &nbsp; launch_missles ();</p></div></blockquote><p>Yes it's dangerous, but only because <tt>launch_missles</tt> is actually a #define:<br><tt><br>#define launch_missles() \<br>
&nbsp; &nbsp; &nbsp; &nbsp; fprintf(stdout, "I'm launching the missles now!\n");  \<br>
&nbsp; &nbsp; &nbsp; &nbsp; really_launch_missles ();<br></tt></p><p>Heh.</p></div>
	</htmltext>
<tokenext>if ( alert \ _code = red )       launch \ _missles ( ) ; Yes it 's dangerous , but only because launch \ _missles is actually a # define : # define launch \ _missles ( ) \         fprintf ( stdout , " I 'm launching the missles now ! \ n " ) ; \         really \ _launch \ _missles ( ) ; Heh .</tokentext>
<sentencetext>if (alert\_code = red)
      launch\_missles ();Yes it's dangerous, but only because launch\_missles is actually a #define:#define launch\_missles() \
        fprintf(stdout, "I'm launching the missles now!\n");  \
        really\_launch\_missles ();Heh.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762</parent>
</comment>
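Two C pitfalls run through this sub-thread: the original joke's `if (alert_code = red)`, which assigns instead of comparing (and the "flip the comparison" reply's fix of putting the constant on the left), and cain's two-statement macro, whose second statement is not covered by an unbraced `if`. The C example below is added here and is not code from any of the commenters; the enum values, counters and function names are constructed for the demonstration. It shows each mistake beside the defensive form, with return values that can be checked rather than missiles.

```c
#include <stdio.h>

/* Constructed alert levels for the demonstration (not from the thread). */
enum alert_level { GREEN = 1, YELLOW = 2, RED = 3 };

static int launch_calls;   /* counts calls to the "launch" routine below */

/* The typo from the thread: "=" assigns RED to alert_code and the if tests
 * the assigned value (3, i.e. true), so this returns 1 for any input.
 * The doubled parentheses are only there to silence the -Wparentheses
 * warning GCC and Clang print for the single-parenthesis original
 * ("suggest parentheses around assignment used as truth value");
 * the behaviour is identical. */
int launch_buggy(int alert_code)
{
    if ((alert_code = RED))
        return 1;              /* always reached */
    return 0;
}

/* Defence suggested in the reply: put the constant on the left. A slip to
 * "RED = alert_code" is then a compile error, since an enumerator is not
 * assignable. */
int launch_yoda(int alert_code)
{
    if (RED == alert_code)
        return 1;
    return 0;
}

/* Another defence: a const parameter cannot be assigned to, so the typo
 * fails to compile whichever side the constant is on. */
int launch_const(const int alert_code)
{
    if (alert_code == RED)
        return 1;
    return 0;
}

static void really_launch_missles(void) { launch_calls++; }

/* The macro from the thread: two statements, so under an unbraced if only
 * the first one is conditional and really_launch_missles() always runs. */
#define launch_missles_unsafe() \
        puts("I'm launching the missles now!"); \
        really_launch_missles()

/* Standard fix: wrap the body in do { ... } while (0) so the expansion is a
 * single statement wherever it is used. */
#define launch_missles_safe() do { \
        puts("I'm launching the missles now!"); \
        really_launch_missles(); } while (0)

/* Each returns how many times the launch routine ran for the given level. */
int macro_unsafe_launches(int alert_code)
{
    launch_calls = 0;
    if (RED == alert_code)
        launch_missles_unsafe();
    return launch_calls;
}

int macro_safe_launches(int alert_code)
{
    launch_calls = 0;
    if (RED == alert_code)
        launch_missles_safe();
    return launch_calls;
}

int main(void)
{
    printf("GREEN: buggy=%d yoda=%d const=%d\n",
           launch_buggy(GREEN), launch_yoda(GREEN), launch_const(GREEN));
    printf("GREEN: unsafe macro launched %d time(s), safe macro %d\n",
           macro_unsafe_launches(GREEN), macro_safe_launches(GREEN));
    return 0;
}
```

Building with -Wall (which enables -Wparentheses) and treating warnings as errors catches the first mistake at compile time; the second is invisible to the compiler, which is why multi-statement macros are wrapped in do { ... } while (0) as a matter of style.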
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179672</id>
	<title>blaming programmers.....DUMB</title>
	<author>Anonymous</author>
	<datestamp>1265039400000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>What is a programmer to do when managers demand short coding time? Nothing but leave features out. Each feature costs time, and given less time, companies have to be happy with more bugs.</p></htmltext>
<tokenext>what is a programmer to do when managers demand short coding time , nothing but leave features out .
Each feature costs time and given less time companies have to be happy with more bugs</tokentext>
<sentencetext>what is a programmer to do when managers demand short coding time, nothing but leave features out.
Each feature costs time and given less time companies have to be happy with more bugs</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180436</id>
	<title>Re:Yeah, right.</title>
	<author>mabhatter654</author>
	<datestamp>1265046720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yes and no.  When our IT department started having to follow SOX and other code management tools, the first thing to managers was "put in a ticket".</p><p>What will happen is developers will become full-blown assholes about every little thing. Everything will be required to be signed off in triplicate. Code will be awesome but delivery will push out 6 months minimum.</p></htmltext>
<tokenext>yes and know .
When our IT department started having to follow SOX and other code management tools , the first thing to managers was " put in a ticket " .What will happen is developers will become full-blown assholes about every little thing .
Everything will be required to be signed off in triplicate .
Code will be awesome but delivery will push out 6 months minimum .</tokentext>
<sentencetext>yes and know.
When our IT department started having to follow SOX and other code management tools, the first thing to managers was "put in a ticket".What will happen is developers will become full-blown assholes about every little thing.
Everything will be required to be signed off in triplicate.
Code will be awesome but delivery will push out 6 months minimum.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31190018</id>
	<title>Re:Lol @ Dangerous</title>
	<author>Anonymous</author>
	<datestamp>1266484920000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I hear you on this one. I work in the process control industry, writing software that runs powerful and dangerous machinery, so none of these are really all that applicable to that work.</p><p>In fact, one might argue that the majority of software that is written in any given year is embedded software in electronic devices which have nothing to do with SQL or website work.</p><p>Maybe the world of "web programming" is full of reprobates, but in the software that runs cars, aircraft, microwaves, industrial facilities, assembly robots, stuff where it actually matters, this level of inattention is either unheard of or quickly remedied through the HR department.</p></htmltext>
<tokenext>I hear you on this one .
I work in the process control industry , writing software that runs powerful and dangerous machinery , so none of these are really all that applicable to that work.In fact , one might argue that the majority of software that is written in any given year is embedded software in electronics devices which have nothing to do with SQL or website work.Maybe the world of " web programming " is full of reprobates , but in the software that runs cars , aircraft , microwaves , industrial facilities , assembly robots , stuff where it actually matters , this level of inattention is either unheard of or quickly remedied through the HR department .</tokentext>
<sentencetext>I hear you on this one.
I work in the process control industry, writing software that runs powerful and dangerous machinery, so none of these are really all that applicable to that work.In fact, one might argue that the majority of software that is written in any given year is embedded software in electronics devices which have nothing to do with SQL or website work.Maybe the world of "web programming" is full of reprobates, but in the software that runs cars, aircraft, microwaves, industrial facilities, assembly robots, stuff where it actually matters, this level of inattention is either unheard of or quickly remedied through the HR department.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182770</id>
	<title>Examples contain bugs...</title>
	<author>kleuske</author>
	<datestamp>1266499200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The fun thing is that I've found at least three bugs in their example code other than the ones MITRE intended to illustrate, the most glaring of which would prevent the code from even getting compiled.

<a href="http://cwe.mitre.org/data/definitions/805.html" title="mitre.org" rel="nofollow">http://cwe.mitre.org/data/definitions/805.html</a> [mitre.org]

void host\_lookup(char *user\_supplied\_addr){<br>
struct hostent *hp;<br>
in\_addr\_t *addr;<br>
char hostname[64];<br>
in\_addr\_t inet\_addr(const char *cp);<br>
/* routine that ensures user\_supplied\_addr is in the right format for conversion */<br>
validate\_addr\_form(user\_supplied\_addr);<br>
addr = inet\_addr(user\_supplied\_addr);<br>
hp = gethostbyaddr( addr, sizeof(struct in\_addr), AF\_INET);<br>
strcpy(&amp;hostname, hp-&gt;h\_name);<br>
}<br>

The final strcpy will not work, since the first parameter is a pointer-to-pointer-to-char, instead of pointer-to-char.</htmltext>
<tokenext>The fun thing is that I 've found at least three bugs in their example code other than the ones MITRE intended to illustrate .
The most glaring of which would prevent the code from even getting compiled .
http : //cwe.mitre.org/data/definitions/805.html [ mitre.org ] void host \ _lookup ( char * user \ _supplied \ _addr ) { struct hostent * hp ; in \ _addr \ _t * addr ; char hostname [ 64 ] ; in \ _addr \ _t inet \ _addr ( const char * cp ) ; / * routine that ensures user \ _supplied \ _addr is in the right format for conversion * / validate \ _addr \ _form ( user \ _supplied \ _addr ) ; addr = inet \ _addr ( user \ _supplied \ _addr ) ; hp = gethostbyaddr ( addr , sizeof ( struct in \ _addr ) , AF \ _INET ) ; strcpy ( &amp;hostname , hp- &gt; h \ _name ) ; } The final strcpy will not work , since the first parameter is a pointer-to-pointer-to-char , instead of pointer-to-char .</tokentext>
<sentencetext>The fun thing is that I've found at least three bugs in their example code other than the ones MITRE intended to illustrate.
The most glaring of which would prevent the code from even getting compiled.
http://cwe.mitre.org/data/definitions/805.html [mitre.org]

void host\_lookup(char *user\_supplied\_addr){
struct hostent *hp;
in\_addr\_t *addr;
char hostname[64];
in\_addr\_t inet\_addr(const char *cp); /*routine that ensures user\_supplied\_addr is in the right format for conversion */
validate\_addr\_form(user\_supplied\_addr);
addr = inet\_addr(user\_supplied\_addr);
hp = gethostbyaddr( addr, sizeof(struct in\_addr), AF\_INET);
strcpy(&amp;hostname, hp-&gt;h\_name);
}

The final strcpy will not work, since the first parameter is a pointer-to-pointer-to-char, instead of pointer-to-char.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180952</id>
	<title>Bad "it's not the programmer's fault" comments...</title>
	<author>Anonymous</author>
	<datestamp>1265053260000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><p>Really bad.</p><p>The problem is that 99\% of us fellow programmers are full of sh*te and know next to nothing. How many programmers do know what a rainbow table is? How many know what a salt is used for? How many know that in most PKCS the public/private key pair is typically used to exchange a symmetric key and why is it so? The birthday paradox? How many know how a timing attack works?</p><p>If you think that's bad, I've got something much more worrisome: most programmers simply do not understand at all how public/private crypto keys work. I remember scratching my head on this, last century, when I read about it. I simply couldn't understand it at first. "Why would it be slower without the private key?". I went on to write my own algo to crack weak keys. Just to "master" the topic. Who takes that pain?</p><p>Another monstrously huge problem is that you can't really be a good programmer unless you've also at least some sysadmin skills. Do you eat stateful firewall rules for breakfast? Or maybe you know jack shit about networking and you're writing your applications so that it becomes a pain for sysadmins to install/monitor and they've got to pierce holes everywhere for your swiss cheese app to run correctly?</p><p>Face it, there are so many security issues because most programmers are completely clueless when it comes to security.</p><p>You want to see how lame it is? Go look at the retarded answers voted +30 on stackoverflow.com on some subjects: I saw one accepted answer with 32 votes where the dude explaining what a salt was completely missing the point. Then there was a deluge of comments telling him he and all the people who voted this crap answer up were on heavy crack, yet the comments defending the bogus and stupid answer themselves kept being modded up too. 
Then of course if you get a bit too vocal in your own answer (who still gets some +votes because they're not all complete retards) because you're pissed off to read such misinformation you've got retards with lots of rep like Shog9 who're going to play the revisionists with your posts and for lots of these high reps are completely clueless too, they actually change the meaning of what you wrote, making it wrong (not on purpose, it's incompetence, not malice). And that "tragedy of commons" website of crap is where the "real programmers" hang out. Sad.</p><p>This is how bad the situation is: most programmers really have no fraking clue about security. Most programmers don't even know what a stateful firewall is.</p><p>Worst of them all: because XSS and SQL-injection are not hard to understand, they *think* they know it all about security when they know what these attacks are. Yet they are actually completely clueless for about 20 other issues of these 25 listed.</p><p>The bullshit answers "but the bad guys are attacking us" are no excuse for our incompetence and lack of knowledge.</p></htmltext>
<tokenext>Really bad.The problem is that 99 \ % of us fellow programmers are full of sh * te and know next to nothing .
How many programmers do know what a rainbow table is ?
How many know what a salt is used for ?
How many know that in most PKCS the public/private key pair is typically used to exchange a symmetric key and why is it so ?
The birthday paradox ?
How many know how a timing attack works ? If you think that 's bad , I 've got something much more worrisome : most programmers simply do not understand at all how public/private crypto keys work .
I remember scratching my head on this , last century , when I read about it .
I simply could n't understand it at first .
" Why would it be slower without the private key ? " .
I went on to write my own algo to crack weak keys .
Just to " master " the topic .
Who takes that pain ? Another monstrously huge problem is that you ca n't really be a good programmer unless you 've also at least some sysadmin skills .
Do you eat stateful firewall rules for breakfast ?
Or maybe you know jack shit about networking and you 're writing your applications so that it becomes a pain for sysadmins to install/monitor and they 've got to pierce holes everywhere for your swiss cheese app to run correctly ? Face it , there are so many security issues because most programmers are completely clueless when it comes to security.You want to see how lame it is ?
Go look at the retarded answers voted + 30 on stackoverflow.com on some subjects : I saw one accepted answer with 32 votes where the dude explaining what a salt was completely missing the point .
Then there was a deluge of comments telling him he and all the people who voted this crap answer up were on heavy crack , yet the comments defending the bogus and stupid answer themselves kept being modded up too .
Then of course if you get a bit too vocal in your own answer ( who still gets some + votes because they 're not all complete retards ) because you 're pissed off to read such misinformation you 've got retards with lots of rep like Shog9 who 're going to play the revisionists with your posts and for lots of these high reps are completely clueless too , they actually change the meaning of what you wrote , making it wrong ( not on purpose , it 's incompetence , not malice ) .
And that " tragedy of commons " website of crap is where the " real programmers " hang out .
Sad.This is how bad the situation is : most programmers really have no fraking clue about security .
Most programmers do n't even know what a stateful firewall is.Worst of them all : because XSS and SQL-injection are not hard to understand , they * think * they know it all about security when they know what these attacks are .
Yet they are actually completely clueless for about 20 other issues of these 25 listed.The bullshit answers " but the bad guys are attacking us " are no excuse for our incompetence and lack of knowledge .</tokentext>
<sentencetext>Really bad.The problem is that 99\% of us fellow programmers are full of sh*te and know next to nothing.
How many programmers do know what a rainbow table is?
How many know what a salt is used for?
How many know that in most PKCS the public/private key pair is typically used to exchange a symmetric key and why is it so?
The birthday paradox?
How many know how a timing attack works?If you think that's bad, I've got something much more worrisome: most programmers simply do not understand at all how public/private crypto keys work.
I remember scratching my head on this, last century, when I read about it.
I simply couldn't understand it at first.
"Why would it be slower without the private key?".
I went on to write my own algo to crack weak keys.
Just to "master" the topic.
Who takes that pain?Another monstrously huge problem is that you can't really be a good programmer unless you've also at least some sysadmin skills.
Do you eat stateful firewall rules for breakfast?
Or maybe you know jack shit about networking and you're writing your applications so that it becomes a pain for sysadmins to install/monitor and they've got to pierce holes everywhere for your swiss cheese app to run correctly?Face it, there are so many security issues because most programmers are completely clueless when it comes to security.You want to see how lame it is?
Go look at the retarded answers voted +30 on stackoverflow.com on some subjects: I saw one accepted answer with 32 votes where the dude explaining what a salt was completely missing the point.
Then there was a deluge of comments telling him he and all the people who voted this crap answer up were on heavy crack, yet the comments defending the bogus and stupid answer themselves kept being modded up too.
Then of course if you get a bit too vocal in your own answer (who still gets some +votes because they're not all complete retards) because you're pissed off to read such misinformation you've got retards with lots of rep like Shog9 who're going to play the revisionists with your posts and for lots of these high reps are completely clueless too, they actually change the meaning of what you wrote, making it wrong (not on purpose, it's incompetence, not malice).
And that "tragedy of commons" website of crap is where the "real programmers" hang out.
Sad.This is how bad the situation is: most programmers really have no fraking clue about security.
Most programmers don't even know what a stateful firewall is.Worst of them all: because XSS and SQL-injection are not hard to understand, they *think* they know it all about security when they know what these attacks are.
Yet they are actually completely clueless for about 20 other issues of these 25 listed.The bullshit answers "but the bad guys are attacking us" are no excuse for our incompetence and lack of knowledge.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182910</id>
	<title>i can see your error</title>
	<author>circletimessquare</author>
	<datestamp>1266500700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>you wrote</p><p>launch\_missles ();</p><p>you meant</p><p>launch\_missiles ();</p><p>mutually assured destruction saved!</p></htmltext>
<tokenext>you wrotelaunch \ _missles ( ) ; you meantlaunch \ _missiles ( ) ; mutually assured destruction saved !</tokentext>
<sentencetext>you wrotelaunch\_missles ();you meantlaunch\_missiles ();mutually assured destruction saved!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316</id>
	<title>Yeah, right.</title>
	<author>Anonymous</author>
	<datestamp>1265036400000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>I'll sign such a contract, but the project will take twice as long and my hourly rate will go up 300\%.</p><p>People like to draw the comparison with civil engineering, where an engineer may be liable (even criminally) if, say, a bridge collapsed. But this isn't really the same thing. We're not talking about software that simply fails and causes damage. We're talking about software that fails <i>when people deliberately attack it</i>. This would be like holding a civil engineer responsible when a terrorist blows up a bridge -- he should have planned for a bomb being placed in just such-and-such location and made the bridge more resistant to attack.</p><p>The fault lies with two parties -- those who wrote the insecure code, and those who are attacking it. I'll start taking responsibility for my own software failures when the justice system starts tracking down these criminals and prosecuting them. Until then, I'll be damned if you're going to lay all the blame on me.</p></htmltext>
<tokenext>I 'll sign such a contract , but the project will take twice as long and my hourly rate will go up 300 \ % .People like to draw the comparison with civil engineering , where an engineer may be liable ( even criminally ) if , say , a bridge collapsed .
But this is n't really the same thing .
We 're not talking about software that simply fails and causes damage .
We 're talking about software that fails when people deliberately attack it .
This would be like holding a civil engineer responsible when a terrorist blows up a bridge -- he should have planned for a bomb being placed in just such-and-such location and made the bridge more resistant to attack.The fault lies with two parties -- those who wrote the insecure code , and those who are attacking it .
I 'll start taking responsibility for my own software failures when the justice system starts tracking down these criminals and prosecuting them .
Until then , I 'll be damned if you 're going to lay all the blame on me .</tokentext>
<sentencetext>I'll sign such a contract, but the project will take twice as long and my hourly rate will go up 300\%.People like to draw the comparison with civil engineering, where an engineer may be liable (even criminally) if, say, a bridge collapsed.
But this isn't really the same thing.
We're not talking about software that simply fails and causes damage.
We're talking about software that fails when people deliberately attack it.
This would be like holding a civil engineer responsible when a terrorist blows up a bridge -- he should have planned for a bomb being placed in just such-and-such location and made the bridge more resistant to attack.The fault lies with two parties -- those who wrote the insecure code, and those who are attacking it.
I'll start taking responsibility for my own software failures when the justice system starts tracking down these criminals and prosecuting them.
Until then, I'll be damned if you're going to lay all the blame on me.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179628</id>
	<title>Programmers are only a part of the problem</title>
	<author>Anonymous</author>
	<datestamp>1265038980000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Yes, there are many bad programmers out there.  Probably over 50\% of them wouldn't understand the bugs (security or otherwise) if you sat down and tried to explain it to them.  Probably most people who work as programmers should be in another field. This isn't, however, really the issue.</p><p>With commercial software, the real problems are well known.  Product and project managers for the most part do not understand software.  What they do understand is their deadline and making their bosses happy.  Quality is always sacrificed in order to make those deadlines.  Companies put far less emphasis on testing than they should, and even when companies have great programmers and go to great effort to test, things will slip through anyway.  Fees, contracts, etc. are really just a replacement for training that comes too late, after the problem has already occurred.</p></htmltext>
<tokenext>Yes , there are many bad programmers out there .
Probably over 50 \ % of them would n't understand the bugs ( security or otherwise ) if you sat down and tried to explain it to them .
Probably most people who work as programmers should be in another field .
This is n't , however , really the issue.With commercial software , the real problems are well known .
Product and project managers for the most part do not understand software .
What they do understand is their deadline and making their bosses happy .
Quality is always sacrificed in order to make those deadlines .
Companies put far less emphasis on testing than they should , and even when companies have great programmers and go to great effort to test , things will slip through anyway .
Fees , contracts , etc .
are really just a replacement for training that comes too late , after the problem has already occurred .</tokentext>
<sentencetext>Yes, there are many bad programmers out there.
Probably over 50\% of them wouldn't understand the bugs (security or otherwise) if you sat down and tried to explain it to them.
Probably most people who work as programmers should be in another field.
This isn't, however, really the issue.With commercial software, the real problems are well known.
Product and project managers for the most part do not understand software.
What they do understand is their deadline and making their bosses happy.
Quality is always sacrificed in order to make those deadlines.
Companies put far less emphasis on testing than they should, and even when companies have great programmers and go to great effort to test, things will slip through anyway.
Fees, contracts, etc.
are really just a replacement for training that comes too late, after the problem has already occurred.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181512</id>
	<title>Re:Background checks are awful and stupid</title>
	<author>Anonymous</author>
	<datestamp>1266485580000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>In most cases, even a felony for something foolish in your teens will not override years of professional experience. And many crimes do not necessarily lead to a repeat of the crime: some crackers, for example, have gone on to productive careers in software development or security.</p></div><p>No, what matters for the various policies involving background checks is how recently you were convicted, not how recently the crime happened.  The few places I've interviewed that did anything but refuse to talk to me after the background check came back told me as much.</p><p>I got the distinct sense that there was no human judgment at all involved.  It was simply a machine-like adherence to specific rules that denied me the jobs.</p><p>I've largely been forced into working at places small enough to not do background checks.  And, I can't say as I'm entirely unhappy with that.  The once or twice I've worked for larger places I've generally not enjoyed it.</p></htmltext>
<tokenext>In most cases , even a felony for something foolish in your teens will not override years of professional experience .
And many crimes do not necessarily lead to a repeat of the crime : some crackers , for example , have gone on to productive careers in software development or security.No , what matters for the various policies involving background checks is how recently you were convicted , not how recently the crime happened .
The few places I 've interviewed that did anything but refuse to talk to me after the background check came back told me as much.I got the distinct sense that there was no human judgment at all involved .
It was simply a machine-like adherence to specific rules that denied me the jobs.I 've largely been forced into working at places small enough to not do background checks .
And , I ca n't say as I 'm entirely unhappy with that .
The once or twice I 've worked for larger places I 've generally not enjoyed it .</tokentext>
<sentencetext>In most cases, even a felony for something foolish in your teens will not override years of professional experience.
And many crimes do not necessarily lead to a repeat of the crime: some crackers, for example, have gone on to productive careers in software development or security.No, what matters for the various policies involving background checks is how recently you were convicted, not how recently the crime happened.
The few places I've interviewed that did anything but refuse to talk to me after the background check came back told me as much.I got the distinct sense that there was no human judgment at all involved.
It was simply a machine-like adherence to specific rules that denied me the jobs.I've largely been forced into working at places small enough to not do background checks.
And, I can't say as I'm entirely unhappy with that.
The once or twice I've worked for larger places I've generally not enjoyed it.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179418</id>
	<title>The actual link . . .</title>
	<author>HazyRigby</author>
	<datestamp>1265037180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext> . . . to the list, instead of an <i>article</i> discussing the list:

<a href="http://cwe.mitre.org/top25/" title="mitre.org" rel="nofollow">Link</a> [mitre.org]</htmltext>
<tokenext>.
. .
to the list , instead of an article discussing the list : Link [ mitre.org ]</tokentext>
<sentencetext> .
. .
to the list, instead of an article discussing the list:

Link [mitre.org]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31183358</id>
	<title>Re:Yeah, right.</title>
	<author>fuzzyfuzzyfungus</author>
	<datestamp>1266503640000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext>The problem is not accountability, accountability is perfectly fine. The problem is incorrect application of accountability, and overbroad belief in its effectiveness.<br> <br>
For "accountability" to be properly applied, it must always be connected to power. The relationship goes both ways. Nobody with power should ever lack accountability, lest their power degenerate into mere tyranny, and nobody with accountability should ever lack power, lest they merely be made the scapegoat. This is the real problem with the false "accountability" commonly found in organizational contexts:<br> <br>

If, for example, you have a "release engineer" who must sign off on a software product, or a team of mechanics that must get a 747 ready for passenger flight, those people <i>must</i> have the power to halt the release, or the flight, if they believe that there is a problem. If they do not have this power, they aren't actually "accountable", they are merely scapegoats, and the one who does have this power is truly accountable; but is dodging accountability by assigning it to subordinates. The trouble is, in real world situations, being the person proximately responsible for expensive delays is, at best, thankless. Unless the organization as a whole is invested in the importance of that role, the person filling it will be seen as an obstruction. Obstructions have a way of being circumvented. Assigning blame under those circumstances is actually the <i>opposite</i> of accountability; because punishing the person who didn't make the decision will mean letting the person who did off the hook (in the same way that falsely convicting the innocent isn't "tough on crime" because it implies releasing the guilty).

The second issue is the belief that being made accountable will make humans behave fully responsibly. This isn't the abusive mess that the first issue is; but it is contrafactual and tends to distract attention away from the more valuable task of building systems that are (at least somewhat) resistant to human error. Even when accountability is correctly apportioned to power, humans are imperfect instruments. If you want to build systems of complexity unprecedented in human evolutionary history, you will have to learn to build systems that are tolerant of some amount of error. Checklists, automated interlocks, automated fuzz testing, etc, etc. must all be employed; because, ultimately, "accountability" and punishment, while they have their virtues, cannot remediate failure. Executing murderers doesn't resurrect their victims. Suing programmers doesn't recover data stolen in some hack attack. There isn't anything wrong with punishing the guilty; but its utility in accomplishing people's <i>actual objectives</i> is surprisingly tepid. People don't want to sue programmers, they want high-quality software. People don't want to fire mechanics, they want planes that don't crash. People don't want to incarcerate criminals, they want to be free of crime. "Accountability" is one tool that can be used to build the systems that people actually want (and there are arguments to be made that it is ethically obligatory in any case); but single-minded focus on it <i>will not</i> achieve the ultimate objectives that people are actually seeking.</htmltext>
<tokenext>The problem is not accountability , accountability is perfectly fine .
The problem is incorrect application of accountability , and overbroad belief in its effectiveness .
For " accountability " to be properly applied , it must always be connected to power .
The relationship goes both ways .
Nobody with power should ever lack accountability , lest their power degenerate into mere tyranny , and nobody with accountability should ever lack power , lest they merely be made the scapegoat .
This is the real problem with the false " accountability " commonly found in organizational contexts : If , for example , you have a " release engineer " who must sign off on a software product , or a team of mechanics that must get a 747 ready for passenger flight , those people must have the power to halt the release , or the flight , if they believe that there is a problem .
If they do not have this power , they are n't actually " accountable " , they are merely scapegoats , and the one who does have this power is truly accountable ; but is dodging accountability by assigning it to subordinates .
The trouble is , in real world situations , being the person proximately responsible for expensive delays is , at best , thankless .
Unless the organization as a whole is invested in the importance of that role , the person filling it will be seen as an obstruction .
Obstructions have a way of being circumvented .
Assigning blame under those circumstances is actually the opposite of accountability ; because punishing the person who did n't make the decision will mean letting the person who did off the hook ( in the same way that falsely convicting the innocent is n't " tough on crime " because it implies releasing the guilty ) .
The second issue is the belief that being made accountable will make humans behave fully responsibly .
This is n't the abusive mess that the first issue is ; but it is contrafactual and tends to distract attention away from the more valuable task of building systems that are ( at least somewhat ) resistant to human error .
Even when accountability is correctly apportioned to power , humans are imperfect instruments .
If you want to build systems of complexity unprecedented in human evolutionary history , you will have to learn to build systems that are tolerant of some amount of error .
Checklists , automated interlocks , automated fuzz testing , etc , etc .
must all be employed ; because , ultimately , " accountability " and punishment , while they have their virtues , can not remediate failure .
Executing murderers does n't resurrect their victims .
Suing programmers does n't recover data stolen in some hack attack .
There is n't anything wrong with punishing the guilty ; but its utility in accomplishing people 's actual objectives is surprisingly tepid .
People do n't want to sue programmers , they want high-quality software .
People do n't want to fire mechanics , they want planes that do n't crash .
People do n't want to incarcerate criminals , they want to be free of crime .
" Accountability " is one tool that can be used to build the systems that people actually want ( and there are arguments to be made that it is ethically obligatory in any case ) ; but single-minded focus on it will not achieve the ultimate objectives that people are actually seeking .</tokentext>
<sentencetext>The problem is not accountability, accountability is perfectly fine.
The problem is incorrect application of accountability, and overbroad belief in its effectiveness.
For "accountability" to be properly applied, it must always be connected to power.
The relationship goes both ways.
Nobody with power should ever lack accountability, lest their power degenerate into mere tyranny, and nobody with accountability should ever lack power, lest they merely be made the scapegoat.
This is the real problem with the false "accountability" commonly found in organizational contexts: 

If, for example, you have a "release engineer" who must sign off on a software product, or a team of mechanics that must get a 747 ready for passenger flight, those people must have the power to halt the release, or the flight, if they believe that there is a problem.
If they do not have this power, they aren't actually "accountable", they are merely scapegoats, and the one who does have this power is truly accountable; but is dodging accountability by assigning it to subordinates.
The trouble is, in real world situations, being the person proximately responsible for expensive delays is, at best, thankless.
Unless the organization as a whole is invested in the importance of that role, the person filling it will be seen as an obstruction.
Obstructions have a way of being circumvented.
Assigning blame under those circumstances is actually the opposite of accountability; because punishing the person who didn't make the decision will mean letting the person who did off the hook (in the same way that falsely convicting the innocent isn't "tough on crime" because it implies releasing the guilty).
The second issue is the belief that being made accountable will make humans behave fully responsibly.
This isn't the abusive mess that the first issue is; but it is contrafactual and tends to distract attention away from the more valuable task of building systems that are (at least somewhat) resistant to human error.
Even when accountability is correctly apportioned to power, humans are imperfect instruments.
If you want to build systems of complexity unprecedented in human evolutionary history, you will have to learn to build systems that are tolerant of some amount of error.
Checklists, automated interlocks, automated fuzz testing, etc, etc.
must all be employed; because, ultimately, "accountability" and punishment, while they have their virtues, cannot remediate failure.
Executing murderers doesn't resurrect their victims.
Suing programmers doesn't recover data stolen in some hack attack.
There isn't anything wrong with punishing the guilty; but its utility in accomplishing people's actual objectives is surprisingly tepid.
People don't want to sue programmers, they want high-quality software.
People don't want to fire mechanics, they want planes that don't crash.
People don't want to incarcerate criminals, they want to be free of crime.
"Accountability" is one tool that can be used to build the systems that people actually want (and there are arguments to be made that it is ethically obligatory in any case); but single-minded focus on it will not achieve the ultimate objectives that people are actually seeking.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31209030</id>
	<title>I guess...</title>
	<author>tyoup</author>
	<datestamp>1266665760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>... I have to find a new job</htmltext>
<tokenext>... I have to find a new job</tokentext>
<sentencetext>... I have to find a new job</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182652</id>
	<title>Re:The most dangerous C programming error</title>
	<author>Anonymous</author>
	<datestamp>1266498060000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>enum color {<br>
&nbsp; &nbsp; &nbsp; &nbsp; red,<br>
&nbsp; &nbsp; &nbsp; &nbsp; green,<br>
&nbsp; &nbsp; &nbsp; &nbsp; blue<br>};</p><p>Today is your lucky day. :-)</p></htmltext>
<tokenext>enum color {         red ,         green ,         blue } ; Today is your lucky day .
: - )</tokentext>
<sentencetext>enum color {
        red,
        green,
        blue};Today is your lucky day.
:-)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182906</id>
	<title>Wrong approach.</title>
	<author>malkavian</author>
	<datestamp>1266500700000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>By all means, accountability is great.<br>But saying the developer is at fault is ridiculous.  It opens the door for companies to mismanage projects as per usual, and clueless HR departments to hire people who don't know what they're doing, and fire people arbitrarily every time they have a complaint from someone that the software doesn't work.<br>Start the responsibility with the company.  If the company sends a flawed product and is to be made accountable, then the organisation needs to prove:</p><p>* It has proper QA processes in place to test the product, and that the staff are suitably qualified.<br>* The project management was performed to allow for proper specification, design and development within the normal working hours of a day, taking holidays and time lost due to usual unforeseen circumstances.<br>* Training, or self-learning time is allocated to enable staff to keep current with developments and issues with languages/compilers/methods they use.</p><p>If you're going to hold a developer responsible, then it should be absolutely certain that everyone in the dependency chain for that person is responsible.  Did HR hire someone who wasn't fit for purpose?  Their job is to ensure that doesn't happen.  They're the start of the problem chain.<br>Did management provide the logistics necessary to complete the job to a quality?  If not, they should be liable.<br>Did the sales team (if it's bespoke software) make impossible promises (if so, and developer opinion was overturned such that a 'broken' system was arrived at from spec, then the salesman should be accountable).<br>Did the producer of the spec introduce a design flaw that resulted in the error?  If it wasn't the developer, then the specifier/designer was at fault.<br>Pretty much whichever way you look at it, management and HR should carry the can first, leaking down to the developer, if you're going to be sensible about it.
If a place is well run, well managed then sure, have developer liability, but expect to have raised costs to cover developer's professional liability insurance.</p></htmltext>
<tokenext>By all means , accountability is great.But saying the developer is at fault is ridiculous .
It opens the door for companies to mismanage projects as per usual , and clueless HR departments to hire people who do n't know what they 're doing , and fire people arbitrarily every time they have a complaint from someone that the software does n't work.Start the responsibility with the company .
If the company sends a flawed product and is to be made accountable , then the organisation needs to prove : * It has proper QA processes in place to test the product , and that the staff are suitably qualified .
* The project management was performed to allow for proper specification , design and development within the normal working hours of a day , taking holidays and time lost due to usual unforeseen circumstances .
* Training , or self-learning time is allocated to enable staff to keep current with developments and issues with languages/compilers/methods they use.If you 're going to hold a developer responsible , then it should be absolutely certain that everyone in the dependency chain for that person is responsible .
Did HR hire someone who was n't fit for purpose ?
Their job is to ensure that does n't happen .
They 're the start of the problem chain.Did management provide the logistics necessary to complete the job to a quality ?
If not , they should be liable.Did the sales team ( if it 's bespoke software ) make impossible promises ( if so , and developer opinion was overturned such that a 'broken ' system was arrived at from spec , then the salesman should be accountable ) .Did the producer of the spec introduce a design flaw that resulted in the error ?
If it was n't the developer , then the specifier/designer was at fault.Pretty much whichever way you look at it , management and HR should carry the can first , leaking down to the developer , if you 're going to be sensible about it .
If a place is well run , well managed then sure , have developer liability , but expect to have raised costs to cover developer 's professional liability insurance .</tokentext>
<sentencetext>By all means, accountability is great.But saying the developer is at fault is ridiculous.
It opens the door for companies to mismanage projects as per usual, and clueless HR departments to hire people who don't know what they're doing, and fire people arbitrarily every time they have a complaint from someone that the software doesn't work.Start the responsibility with the company.
If the company sends a flawed product and is to be made accountable, then the organisation needs to prove:* It has proper QA processes in place to test the product, and that the staff are suitably qualified.
* The project management was performed to allow for proper specification, design and development within the normal working hours of a day, taking holidays and time lost due to usual unforeseen circumstances.
* Training, or self-learning time is allocated to enable staff to keep current with developments and issues with languages/compilers/methods they use.If you're going to hold a developer responsible, then it should be absolutely certain that everyone in the dependency chain for that person is responsible.
Did HR hire someone who wasn't fit for purpose?
Their job is to ensure that doesn't happen.
They're the start of the problem chain.Did management provide the logistics necessary to complete the job to a quality?
If not, they should be liable.Did the sales team (if it's bespoke software) make impossible promises (if so, and developer opinion was overturned such that a 'broken' system was arrived at from spec, then the salesman should be accountable).Did the producer of the spec introduce a design flaw that resulted in the error?
If it wasn't the developer, then the specifier/designer was at fault.Pretty much whichever way you look at it, management and HR should carry the can first, leaking down to the developer, if you're going to be sensible about it.
If a place is well run, well managed then sure, have developer liability, but expect to have raised costs to cover developer's professional liability insurance.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179936</id>
	<title>So what does this do to open source?</title>
	<author>Anonymous</author>
	<datestamp>1265041740000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>What if you obtain your software through means other than a written, detailed negotiated contract?</p><p>What if you provide software you have written to the world under terms no more detailed than, say, the GPL?</p><p>Is this <i>really</i> a serious effort at security, or is it a corporate push to get entities away from libre software?</p><p>Any word on who is really behind this?</p></htmltext>
<tokenext>What if you obtain your software through means other than a written , detailed negotiated contract ? What if you provide software you have written to the world under terms no more detailed than , say , the GPL ? Is this really a serious effort at security , or is it a corporate push to get entities away from libre software ? Any word on who is really behind this ?</tokentext>
<sentencetext>What if you obtain your software through means other than a written, detailed negotiated contract?What if you provide software you have written to the world under terms no more detailed than, say, the GPL?Is this really a serious effort at security, or is it a corporate push to get entities away from libre software?Any word on who is really behind this?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179408</id>
	<title>Re:Yeah, right.</title>
	<author>TapeCutter</author>
	<datestamp>1265037120000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>Yes, damage caused by a deliberate attack is an insurance matter, not an engineering matter. Nothing can be made 100% failsafe.</htmltext>
<tokenext>Yes , damage caused by a deliberate attack is an insurance matter , not an engineering matter .
Nothing can be made 100 % failsafe .</tokentext>
<sentencetext>Yes, damage caused by a deliberate attack is an insurance matter, not an engineering matter.
Nothing can be made 100% failsafe.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31216528</id>
	<title>Re:Yeah, right.</title>
	<author>TapeCutter</author>
	<datestamp>1266693000000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><i>"Just like an insurer will not offer a policy on an uncertified structure, the day may come when insurers will not indemnify for losses involving the use of uncertified software."</i>
<br> <br>
That day has already arrived in the form of recognised quality assurance standards (eg: ISO-9000). Such standards in both software and civil engineering are concerned with prevention, detection and remedy of faults rather than the individual's skill at bolting things together.</htmltext>
<tokenext>" Just like an insurer will not offer a policy on an uncertified structure , the day may come when insurers will not indemnify for losses involving the use of uncertified software .
" That day has already arrived in the form of recognised quality assurance standards ( eg : ISO-9000 ) .
Such standards in both software and civil engineering are concerned with prevention , detection and remedy of faults rather than the individual 's skill at bolting things together .</tokentext>
<sentencetext>"Just like an insurer will not offer a policy on an uncertified structure, the day may come when insurers will not indemnify for losses involving the use of uncertified software.
"
 
That day has already arrived in the form of recognised quality assurance standards (eg: ISO-9000).
Such standards in both software and civil engineering are concerned with prevention, detection and remedy of faults rather than the individual's skill at bolting things together.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181014</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179484</id>
	<title>Micromanagement</title>
	<author>russotto</author>
	<datestamp>1265037600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The model contract smacks of the customer attempting to micromanage the vendor's development process.  You might get away with that if you're IBM or the Federal Government, but most smaller customers aren't going to have that kind of clout.</p><p>And of course, the "security training" section is pure self-promotion for SANS itself.</p></htmltext>
<tokenext>The model contract smacks of the customer attempting to micromanage the vendor 's development process .
You might get away with that if you 're IBM or the Federal Government , but most smaller customers are n't going to have that kind of clout.And of course , the " security training " section is pure self-promotion for SANS itself .</tokentext>
<sentencetext>The model contract smacks of the customer attempting to micromanage the vendor's development process.
You might get away with that if you're IBM or the Federal Government, but most smaller customers aren't going to have that kind of clout.And of course, the "security training" section is pure self-promotion for SANS itself.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31198140</id>
	<title>Off by one errors</title>
	<author>bar-agent</author>
	<datestamp>1266588300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>These ones look like they could be off-by-one errors.</p><p>3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')<br>12. Buffer Access with Incorrect Length Value<br>14. Improper Validation of Array Index<br>17. Integer Overflow or Wraparound<br>18. Incorrect Calculation of Buffer Size</p><p>Only 5 out of 25? Has the dreaded "off-by-one" error lost its teeth?</p></htmltext>
<tokenext>These ones look like they could be off-by-one errors.3 .
Buffer Copy without Checking Size of Input ( 'Classic Buffer Overflow ' ) 12 .
Buffer Access with Incorrect Length Value14 .
Improper Validation of Array Index17 .
Integer Overflow or Wraparound18 .
Incorrect Calculation of Buffer SizeOnly 5 out of 25 ?
Has the dreaded " off-by-one " error lost its teeth ?</tokentext>
<sentencetext>These ones look like they could be off-by-one errors.3.
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')12.
Buffer Access with Incorrect Length Value14.
Improper Validation of Array Index17.
Integer Overflow or Wraparound18.
Incorrect Calculation of Buffer SizeOnly 5 out of 25?
Has the dreaded "off-by-one" error lost its teeth?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179582</id>
	<title>I am divided on this one</title>
	<author>wisnoskij</author>
	<datestamp>1265038320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>While it makes sense for the developer of any product to be held responsible for its quality, it does not make sense for some huge multinational company to sue a $20/hr programmer for billions in damages.</htmltext>
<tokenext>While it makes sense for the developer of any product to be held responsible for its quality , it does not make sense for some huge multinational company to sue a $ 20/hr programmer for billions in damages .</tokentext>
<sentencetext>While it makes sense for the developer of any product to be held responsible for its quality, it does not make sense for some huge multinational company to sue a $20/hr programmer for billions in damages.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179460</id>
	<title>25 is a nice round number.</title>
	<author>Anonymous</author>
	<datestamp>1265037480000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>But I think they probably could have shortened it to about 6 or 7. "Sanitize every input", "pay attention to trusted vs untrusted input methods", "bounds checking - do it", "make sure the encryption you use is strong enough", "watch multi-threading carefully", and the interesting one: "while error messages should be helpful and detailed, remember that you're not the only one reading them."</htmltext>
<tokenext>But I think they probably could have shortened it to about 6 or 7 .
" Sanitize every input " , " pay attention to trusted vs untrusted input methods " , " bounds checking - do it " , " make sure the encryption you use is strong enough " , " watch multi-threading carefully " , and the interesting one : " while error messages should be helpful and detailed , remember that you 're not the only one reading them .
"</tokentext>
<sentencetext>But I think they probably could have shortened it to about 6 or 7.
"Sanitize every input", "pay attention to trusted vs untrusted input methods", "bounds checking - do it", "make sure the encryption you use is strong enough", "watch multi-threading carefully", and the interesting one: "while error messages should be helpful and detailed, remember that you're not the only one reading them.
"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31198434</id>
	<title>Re:Background checks are awful and stupid</title>
	<author>Anonymous</author>
	<datestamp>1266590640000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>16 is legal in Sweden.</p></htmltext>
<tokenext>16 is legal in Sweden .</tokentext>
<sentencetext>16 is legal in Sweden.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180404</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187042</id>
	<title>Re:Yeah, right.</title>
	<author>Anonymous</author>
	<datestamp>1266519060000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Even strongly reviewed code in tightly controlled circumstances, under perfect design standards will sometimes get  bugs in it.  Even after being reviewed in triplicate and having been in use for 10 years, there are still critical flaws in some software.</p><p>Some flaws, even those that ARE remotely exploitable, are too subtle to detect by standard means.</p><p>I know someone who does binary code analysis and has found vulnerabilities in EVERY single software package he's looked at.  Granted, he's one of the best in the world at it and has found bugs in the asm code of software that has been through extensive unit-testing, automated and manual black box and 'crystal box' source code security reviews and exhaustive verification of every input...</p><p>In some cases, the best modern compilers still generate subtle machine-level exploitable bugs with perfectly written code.</p><p>This is not akin to building a highway bridge...  It is more akin to building a space station.   Sure, with exhaustive testing, it can be MOSTLY good, but there will ALWAYS be bugs in the system.</p><p>I would wager the best of the best (hacker-wise) could find some issues in military-grade security software that spends more time in security audits than most software spends in the entire development cycle.</p><p>How exactly does one "hold someone accountable" for this sort of issue?</p></htmltext>
<tokenext>Even strongly reviewed code in tightly controlled circumstances , under perfect design standards will sometimes get bugs in it .
Even after being reviewed in triplicate and having been in use for 10 years , there are still critical flaws in some software.Some flaws , even those that ARE remotely exploitable , are too subtle to detect by standard means.I know someone who does binary code analysis and has found vulnerabilities in EVERY single software package he 's looked at .
Granted , he 's one of the best in the world at it and has found bugs in the asm code of software that has been through extensive unit-testing , automated and manual black box and 'crystal box ' source code security reviews and exhaustive verification of every input...In some cases , the best modern compilers still generate subtle machine-level exploitable bugs with perfectly written code.This is not akin to building a highway bridge... It is more akin to building a space station .
Sure , with exhaustive testing , it can be MOSTLY good , but there will ALWAYS be bugs in the system.I would wager the best of the best ( hacker-wise ) could find some issues in military-grade security software that spends more time in security audits than most software spends in the entire development cycle.How exactly does one " hold someone accountable " for this sort of issue ?</tokentext>
<sentencetext>Even strongly reviewed code in tightly controlled circumstances, under perfect design standards will sometimes get  bugs in it.
Even after being reviewed in triplicate and having been in use for 10 years, there are still critical flaws in some software.Some flaws, even those that ARE remotely exploitable, are too subtle to detect by standard means.I know someone who does binary code analysis and has found vulnerabilities in EVERY single software package he's looked at.
Granted, he's one of the best in the world at it and has found bugs in the asm code of software that has been through extensive unit-testing, automated and manual black box and 'crystal box' source code security reviews and exhaustive verification of every input...In some cases, the best modern compilers still generate subtle machine-level exploitable bugs with perfectly written code.This is not akin to building a highway bridge...  It is more akin to building a space station.
Sure, with exhaustive testing, it can be MOSTLY good, but there will ALWAYS be bugs in the system.I would wager the best of the best (hacker-wise) could find some issues in military-grade security software that spends more time in security audits than most software spends in the entire development cycle.How exactly does one "hold someone accountable" for this sort of issue?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180404</id>
	<title>Re:Background checks are awful and stupid</title>
	<author>Anonymous</author>
	<datestamp>1265046420000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>Child molesters are really a special case; they have a mental disorder.  However, even there the system is fucked.  A guy who screws a 16-year-old girl when he's 18 is NOT a child molester.  The only people who should be guilty of true child molestation are those who molest pre-pubescent children, like 12 and under.  That's where someone is truly sick in the head, because no normal man would ever be attracted to a pre-pubescent child.  But lots of men will admit to being attracted to a 17-year-old girl.  Lots of female movie stars aren't much older than this.</p></htmltext>
<tokenext>Child molesters are really a special case ; they have a mental disorder .
However , even there the system is fucked .
A guy who screws a 16-year-old girl when he 's 18 is NOT a child molester .
The only people who should be guilty of true child molestation are those who molest pre-pubescent children , like 12 and under .
That 's where someone is truly sick in the head , because no normal man would ever be attracted to a pre-pubescent child .
But lots of men will admit to being attracted to a 17-year-old girl .
Lots of female movie stars are n't much older than this .</tokentext>
<sentencetext>Child molesters are really a special case; they have a mental disorder.
However, even there the system is fucked.
A guy who screws a 16-year-old girl when he's 18 is NOT a child molester.
The only people who should be guilty of true child molestation are those who molest pre-pubescent children, like 12 and under.
That's where someone is truly sick in the head, because no normal man would ever be attracted to a pre-pubescent child.
But lots of men will admit to being attracted to a 17-year-old girl.
Lots of female movie stars aren't much older than this.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180614</id>
	<title>Re:Background checks are awful and stupid</title>
	<author>rve</author>
	<datestamp>1265049120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"Anonymous" stood for: anyone who posts on 4chan without logging in. It's not a group any more than "Anonymous Coward" is.</p></htmltext>
<tokenext>" Anonymous " stood for : anyone who posts on 4chan without logging in .
It 's not a group any more than " Anonymous Coward " is .</tokentext>
<sentencetext>"Anonymous" stood for: anyone who posts on 4chan without logging in.
It's not a group any more than "Anonymous Coward" is.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182324</id>
	<title>PEBKAC</title>
	<author>deebug497</author>
	<datestamp>1266494460000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>A Monday morning quite a few years ago: <br>
UPDATE Customer SET NotifiedByMail = 'false'<br>
*click*<br>
Err, I mean WHERE Id = 140487<br>
*click*<br>
Sudden realisation.<br>
Oh crap...<br> <br>

Let's say I committed a very, very bad thing and I rolled back under my desk...</htmltext>
<tokenext>A Monday morning quite a few years ago : UPDATE Customer SET NotifiedByMail = 'false ' * click * Err , I mean WHERE Id = 140487 * click * Sudden realisation .
Oh crap.. . Let 's say I committed a very , very bad thing and I rolled back under my desk.. .</tokentext>
<sentencetext>A Monday morning quite a few years ago: 
UPDATE Customer SET NotifiedByMail = 'false'
*click*
Err, I mean WHERE Id = 140487
*click*
Sudden realisation.
Oh crap... 

Let's say I committed a very, very bad thing and I rolled back under my desk...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179856</id>
	<title>I always do that...</title>
	<author>Anonymous</author>
	<datestamp>1265041020000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I must have put a decimal point in the wrong place or something. Shit.  I always do that. I always mess up some mundane detail.</p></htmltext>
<tokenext>I must have put a decimal point in the wrong place or something .
Shit. I always do that .
I always mess up some mundane detail .</tokentext>
<sentencetext>I must have put a decimal point in the wrong place or something.
Shit.  I always do that.
I always mess up some mundane detail.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187320</id>
	<title>Re:Yeah, right.</title>
	<author>Anonymous</author>
	<datestamp>1266520260000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Sounds to me like Intel is at fault.  It's their processor that builds the stack in reverse causing buffer overflows to even be possible in the first place!</p></htmltext>
<tokenext>Sounds to me like intel is at fault .
It 's their processor that builds the stack in reverse causing buffer overflows to even be possible in the first place !</tokentext>
<sentencetext>Sounds to me like intel is at fault.
It's their processor that builds the stack in reverse causing buffer overflows to even be possible in the first place!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179658</id>
	<title>Sanitization is a worrying term to use.</title>
	<author>argent</author>
	<datestamp>1265039280000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p><i>Improper Sanitization of Special Elements used in an OS Command</i></p><p>The best solution is not "sanitization" (which people usually perform by blocking or editing out what THEY think are dangerous metacharacters) but proper encapsulation. In addition, there's a misleading section here:</p><blockquote><div><p>For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.</p></div></blockquote><p>Execl() is not a "C" API, it's a UNIX API. It doesn't involve quoting. On a UNIX system, you can safely take advantage of this mechanism to pass parameters and bypass either shell or application quoting inconsistencies. On Windows, even if your program is in Perl and you pass system() an array of arguments, Perl is still at the mercy of the called program to correctly parse the quoted string it gets from CreateProcess()... *unless* you are operating under the POSIX subsystem or a derivative like Interix.</p><p>In addition, whether you quote your arguments, use execl(), or use a smart wrapper like Perl's system(), you still need to ensure that COMMAND level metacharacters (like the leading dash (on UNIX) or slash (on Windows) of an option string) are properly handled.</p><p>This latter problem may remain even if you pass the command arguments through a configuration file to avoid the possibility of shell metacharacters being exploited.</p><p>Whitelists can't be simplistic. You can't ban the use of "-" in email addresses, for example. Encoding is better.</p>
	</htmltext>
<tokenext>Improper Sanitization of Special Elements used in an OS CommandThe best solution is not " sanitization " ( which people usually perform by blocking or editing out what THEY think are dangerous metacharacters ) but proper encapsulation .
In addition , there 's a misleading section here : For example , in C , the system ( ) function accepts a string that contains the entire command to be executed , whereas execl ( ) , execve ( ) , and others require an array of strings , one for each argument .
In Windows , CreateProcess ( ) only accepts one command at a time .
In Perl , if system ( ) is provided with an array of arguments , then it will quote each of the arguments.Execl ( ) is not a " C " API , it 's a UNIX API .
It does n't involve quoting .
On a UNIX system , you can safely take advantage of this mechanism to pass parameters and bypass either shell or application quoting inconsistencies .
On Windows , even if your program is in Perl and you pass system ( ) an array of arguments , Perl is still at the mercy of the called program to correctly parse the quoted string it gets from CreateProcess ( ) ... * unless * you are operating under the POSIX subsystem or a derivative like Interix.In addition , whether you quote your arguments , use execl ( ) , or use a smart wrapper like Perl 's system ( ) , you still need to ensure that COMMAND level metacharacters ( like the leading dash ( on UNIX ) or slash ( on Windows ) of an option string ) are properly handled.This latter problem may remain even if you pass the command arguments through a configuration file to avoid the possibility of shell metacharacters being exploited.Whitelists ca n't be simplistic .
You ca n't ban the use of " - " in email addresses , for example .
Encoding is better .</tokentext>
<sentencetext>Improper Sanitization of Special Elements used in an OS CommandThe best solution is not "sanitization" (which people usually perform by blocking or editing out what THEY think are dangerous metacharacters) but proper encapsulation.
In addition, there's a misleading section here:For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument.
In Windows, CreateProcess() only accepts one command at a time.
In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.Execl() is not a "C" API, it's a UNIX API.
It doesn't involve quoting.
On a UNIX system, you can safely take advantage of this mechanism to pass parameters and bypass either shell or application quoting inconsistencies.
On Windows, even if your program is in Perl and you pass system() an array of arguments, Perl is still at the mercy of the called program to correctly parse the quoted string it gets from CreateProcess()... *unless* you are operating under the POSIX subsystem or a derivative like Interix.In addition, whether you quote your arguments, use execl(), or use a smart wrapper like Perl's system(), you still need to ensure that COMMAND level metacharacters (like the leading dash (on UNIX) or slash (on Windows) of an option string) are properly handled.This latter problem may remain even if you pass the command arguments through a configuration file to avoid the possibility of shell metacharacters being exploited.Whitelists can't be simplistic.
You can't ban the use of "-" in email addresses, for example.
Encoding is better.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31193612</id>
	<title>Ah. Need to sell more training...</title>
	<author>jamie(really)</author>
	<datestamp>1266499500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"The Vendor shall be responsible for verifying that all members of the developer team have been successfully trained in secure programming techniques.</p><p>Pre-contract award, the Vendor shall document the process including training courses that their application developers have taken prior to developing applications.</p><p>Pre-contract award, the Vendor shall certify to the Purchaser that only application developers who have received appropriate level of formal training on secure application development and passed a competency test on application security shall be involved in the Contract."</p><p>Translation:</p><p>We, the security consultants, are going out of business and need to sell more training courses.<br>We, the managers of big companies, are going out of business and need someone to blame. You know that we will still accept the lowest bid, and we know that your qualifications will be faked, but at least when the shit hits the fan we can point at you and say it wasn't our fault.</p></htmltext>
<tokenext>" The Vendor shall be responsible for verifying that all members of the developer team have been successfully trained in secure programming techniques.Pre-contract award , the Vendor shall document the process including training courses that their application developers have taken prior to developing applications.Pre-contract award , the Vendor shall certify to the Purchaser that only application developers who have received appropriate level of formal training on secure application development and passed a competency test on application security shall be involved in the Contract .
" Translation : We , the security consultants , are going out of business and need to sell more training courses.We , the managers of big companies , are going out of business and need someone to blame .
You know that we will still accept the lowest bid , and we know that your qualifications will be faked , but at least when the shit hits the fan we can point at you and say it was n't our fault .</tokentext>
<sentencetext>"The Vendor shall be responsible for verifying that all members of the developer team have been successfully trained in secure programming techniques.Pre-contract award, the Vendor shall document the process including training courses that their application developers have taken prior to developing applications.Pre-contract award, the Vendor shall certify to the Purchaser that only application developers who have received appropriate level of formal training on secure application development and passed a competency test on application security shall be involved in the Contract.
"Translation:We, the security consultants, are going out of business and need to sell more training courses.We, the managers of big companies, are going out of business and need someone to blame.
You know that we will still accept the lowest bid, and we know that your qualifications will be faked, but at least when the shit hits the fan we can point at you and say it wasn't our fault.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180594</id>
	<title>Re:Just Show Me the List!!</title>
	<author>shutdown -p now</author>
	<datestamp>1265048820000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>What's sad is that SQL injection and good old primitive buffer overflow still top the list...</p><p>Regarding #2, I'm inclined to blame PHP for that thing being so high up there. Its standard library way of handling parameters in SQL statements has long been lacking - and while it's definitely possible to get right, and there are frameworks which make it easier, too much "HOWTO" and "learn in 24 seconds" PHP code out there is written without any regard to injection possibility, and it gets blindly copied over and over.</p><p>Still, that crap is regularly seen in Java and .NET apps as well. Which is really sad, because there's absolutely no excuse to get it wrong there - all you need to do is to use parametrized statements (PreparedStatement in JDBC, the usual DbStatement in ADO.NET). Always. No exceptions. Period.</p><p>Buffer overflow? God, how long this has been around? Still in top #3...</p><p>Well, for one thing, it shows just how much software is still being written in C &amp; C++ rather than managed languages. For another, it shows that a lot of software written in C++ ignores the higher-level features of the language, and uses old-style code littered with strcpy and the likes.</p><p>I would have hoped we can do better in 2010...</p></htmltext>
<tokenext>What 's sad is that SQL injection and good old primitive buffer overflow still top the list...Regarding # 2 , I 'm inclined to blame PHP for that thing being so high up there .
Its standard library way of handling parameters in SQL statements has long been lacking - and while it 's definitely possible to get right , and there are frameworks which make it easier , too much " HOWTO " and " learn in 24 seconds " PHP code out there is written without any regard to injection possibility , and it gets blindly copied over and over.Still , that crap is regularly seen in Java and .NET apps as well .
Which is really sad , because there 's absolutely no excuse to get it wrong there - all you need to do is to use parametrized statements ( PreparedStatement in JDBC , the usual DbStatement in ADO.NET ) .
Always. No exceptions .
Period.Buffer overflow ?
God , how long this has been around ?
Still in top # 3...Well , for one thing , it shows just how much software is still being written in C &amp; C + + rather than managed languages .
For another , it shows that a lot of software written in C + + ignores the higher-level features of the language , and uses old-style code littered with strcpy and the likes.I would have hoped we can do better in 2010.. .</tokentext>
<sentencetext>What's sad is that SQL injection and good old primitive buffer overflow still top the list...Regarding #2, I'm inclined to blame PHP for that thing being so high up there.
Its standard library way of handling parameters in SQL statements has long been lacking - and while it's definitely possible to get right, and there are frameworks which make it easier, too much "HOWTO" and "learn in 24 seconds" PHP code out there is written without any regard to injection possibility, and it gets blindly copied over and over.Still, that crap is regularly seen in Java and .NET apps as well.
Which is really sad, because there's absolutely no excuse to get it wrong there - all you need to do is to use parametrized statements (PreparedStatement in JDBC, the usual DbStatement in ADO.NET).
Always. No exceptions.
Period.Buffer overflow?
God, how long this has been around?
Still in top #3...Well, for one thing, it shows just how much software is still being written in C &amp; C++ rather than managed languages.
For another, it shows that a lot of software written in C++ ignores the higher-level features of the language, and uses old-style code littered with strcpy and the likes.I would have hoped we can do better in 2010...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976</id>
	<title>Re:Background checks are awful and stupid</title>
	<author>Anonymous</author>
	<datestamp>1265042040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>No, stupid behavior leads to failing background checks. Keep cause and effect in the correct order.</p><p>In most cases, even a felony for something foolish in your teens will not override years of professional experience. And many crimes do not necessarily lead to a repeat of the crime: some crackers, for example, have gone on to productive careers in software development or security.</p><p>But if you are a convicted child molester, I _do not want_ you anywhere unsupervised with children. The recidivism rate is too high. And if you have pulled the sort of stunts that, say, Brian Thomas Mettenbrink, a member of the cracker group "Anonymous", was convicted of, I don't want you anywhere near my systems. You'd have proven you were too self-righteous and vindictive to be trusted with my equipment.</p></htmltext>
<tokenext>No , stupid behavior leads to failing background checks .
Keep cause and effect in the correct order.In most cases , even a felony for something foolish in your teens will not override years of professional experience .
And many crimes do not necessarily lead to a repeat of the crime : some crackers , for example , have gone on to productive careers in software development or security.But if you are a convicted child molester , I _do not want_ you anywhere unsupervised with children .
The recidivism rate is too high .
And if you have pulled the sort of stunts that , say , Brian Thomas Mettenbrink , a member of the cracker group " Anonymous " , was convicted of , I do n't want you anywhere near my systems .
You 'd have proven you were too self-righteous and vindictive to be trusted with my equipment .</tokentext>
<sentencetext>No, stupid behavior leads to failing background checks.
Keep cause and effect in the correct order.In most cases, even a felony for something foolish in your teens will not override years of professional experience.
And many crimes do not necessarily lead to a repeat of the crime: some crackers, for example, have gone on to productive careers in software development or security.But if you are a convicted child molester, I _do not want_ you anywhere unsupervised with children.
The recidivism rate is too high.
And if you have pulled the sort of stunts that, say, Brian Thomas Mettenbrink, a member of the cracker group "Anonymous", was convicted of, I don't want you anywhere near my systems.
You'd have proven you were too self-righteous and vindictive to be trusted with my equipment.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179410</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179788</id>
	<title>coding open source is the biggest mistake.</title>
	<author>Anonymous</author>
	<datestamp>1265040540000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>-1</modscore>
	<htmltext>i hear if you code open source that you end up with this irresistible taste for other men's dicks and shit. smokin them dicks. eating that shit right from another faggots ass.</htmltext>
<tokenext>i hear if you code open source that you end up with this irresistible taste for other men 's dicks and shit .
smokin them dicks .
eating that shit right from another faggots ass .</tokentext>
<sentencetext>i hear if you code open source that you end up with this irresistible taste for other men's dicks and shit.
smokin them dicks.
eating that shit right from another faggots ass.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182532</id>
	<title>Re:Background checks are awful and stupid</title>
	<author>Anonymous</author>
	<datestamp>1266496560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I'd agree with you conceptually, but despite episodes of "Boston Legal", it would take surprising cleverness to be convicted of child molestation for an 18-year-old guy to be convicted in a sexual event with a 16-year-old girl. Even if it's actually forcible rape, the ease of "pleading out" and getting a lesser sentence is so large that I'd be surprised if anyone here can name even a single such case.</p></htmltext>
<tokenext>I 'd agree with you conceptually , but despite episodes of " Boston Legal " , it would take surprising cleverness to be convicted of child molestation for an 18-year-old guy to be convicted in a sexual event with a 16-year-old girl .
Even if it 's actually forcible rape , the ease of " pleading out " and getting a lesser sentence is so large that I 'd be surprised if anyone here can name even a single such case .</tokentext>
<sentencetext>I'd agree with you conceptually, but despite episodes of "Boston Legal", it would take surprising cleverness to be convicted of child molestation for an 18-year-old guy to be convicted in a sexual event with a 16-year-old girl.
Even if it's actually forcible rape, the ease of "pleading out" and getting a lesser sentence is so large that I'd be surprised if anyone here can name even a single such case.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180404</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187542</id>
	<title>Re:Yeah, right.</title>
	<author>nagnamer</author>
	<datestamp>1266520920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><blockquote><div><p>this is about making someone accountable.</p></div></blockquote><p>Exactly. Why do you see that as a bad thing? Suppose instead of "contract" we say "these are the design/coding standards at this company and as an employee of this company you are required to follow them. If you don't then we will penalize you." What exactly is wrong with that?</p></div><p>I would argue that it would be far more efficient and beneficial for the company if they simply <em>trained</em> their people to pay attention to stuff like common errors mentioned in OP.</p></div>
	</htmltext>
<tokenext>this is about making someone accountable.Exactly .
Why do you see that as a bad thing ?
Suppose instead of " contract " we say " these are the design/coding standards at this company and as an employee of this company you are required to follow them .
If you do n't then we will penalize you .
" What exactly is wrong with that ? I would argue that it would be far more efficient and beneficial for the company if they simply trained their people to pay attention to stuff like common errors mentioned in OP .</tokentext>
<sentencetext>this is about making someone accountable.Exactly.
Why do you see that as a bad thing?
Suppose instead of "contract" we say "these are the design/coding standards at this company and as an employee of this company you are required to follow them.
If you don't then we will penalize you.
" What exactly is wrong with that?I would argue that it would be far more efficient and beneficial for the company if they simply trained their people to pay attention to stuff like common errors mentioned in OP.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31190970</id>
	<title>Sue the Moon</title>
	<author>Tablizer</author>
	<datestamp>1266487440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p> by drafting contracts that hold developers responsible</p></div> </blockquote><p>Good luck taking Biytu in Timbuktu to court.</p></div>
	</htmltext>
<tokenext>by drafting contracts that hold developers responsible Good luck taking Biytu in Timbuktu to court .</tokentext>
<sentencetext> by drafting contracts that hold developers responsible Good luck taking Biytu in Timbuktu to court.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179778</id>
	<title>You get what you pay for...</title>
	<author>Dgtl_+_Phoenix</author>
	<datestamp>1265040360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>As much as we might like to think otherwise, software development is a business. And like all businesses the goal is to generate profit by increasing revenue and decreasing cost. As such, an inherent bargain is struck between consumers and software shops as to the proper ratio of cost to quality.

High-volume consumer applications get a lot of attention to quality though less to security. It's all a matter of threat assessment versus the cost of securing against such threats. Sure we all want perfect software where the software engineer is held accountable for every bug. But we also want software whose cost is comparable to a 20 dollar an hour sweat shop programmer. The software that results is really an economic compromise between the two. Running a space shuttle or saving patients' lives? You probably are willing to shell out for the high cost software engineer. Putting up your Hello Kitty fan club blog? You might settle for something a little bit less... high class.

I've been in this business for a while now and as much as we like to wax poetic about quality we are still just trying to have our cake and eat it too. Better, faster, cheaper. Pick two.</htmltext>
<tokenext>As much as we might like to think otherwise , software development is a business .
And like all businesses the goal is to generate profit by increasing revenue and decreasing cost .
As such , an inherent bargain is struck between consumers and software shops as to the proper ratio of cost to quality .
High-volume consumer applications get a lot of attention to quality though less to security .
It 's all a matter of threat assessment versus the cost of securing against such threats .
Sure we all want perfect software where the software engineer is held accountable for every bug .
But we also want software whose cost is comparable to a 20 dollar an hour sweat shop programmer .
The software that results is really an economic compromise between the two .
Running a space shuttle or saving patients ' lives ?
You probably are willing to shell out for the high cost software engineer .
Putting up your Hello Kitty fan club blog ?
You might settle for something a little bit less... high class .
I 've been in this business for a while now and as much as we like to wax poetic about quality we are still just trying to have our cake and eat it too .
Better , faster , cheaper .
Pick two .</tokentext>
<sentencetext>As much as we might like to think otherwise, software development is a business.
And like all businesses the goal is to generate profit by increasing revenue and decreasing cost.
As such, an inherent bargain is struck between consumers and software shops as to the proper ratio of cost to quality.
High-volume consumer applications get a lot of attention to quality though less to security.
It's all a matter of threat assessment versus the cost of securing against such threats.
Sure we all want perfect software where the software engineer is held accountable for every bug.
But we also want software whose cost is comparable to a 20 dollar an hour sweat shop programmer.
The software that results is really an economic compromise between the two.
Running a space shuttle or saving patients' lives?
You probably are willing to shell out for the high cost software engineer.
Putting up your Hello Kitty fan club blog?
You might settle for something a little bit less... high class.
I've been in this business for a while now and as much as we like to wax poetic about quality we are still just trying to have our cake and eat it too.
Better, faster, cheaper.
Pick two.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179568</id>
	<title>Just outsource.</title>
	<author>nicknamenotavailable</author>
	<datestamp>1265038140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Outsource security and programming to those countries responsible for the attacks.</p><p>Right away the system will have fewer vulnerabilities and there will be fewer attacks.</p></htmltext>
<tokenext>Outsource security and programming to those countries responsible for the attacks.Right away the system will have fewer vulnerabilities and there will be fewer attacks .</tokentext>
<sentencetext>Outsource security and programming to those countries responsible for the attacks.Right away the system will have fewer vulnerabilities and there will be fewer attacks.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180000
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31185218
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181512
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179410
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31205896
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31183358
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187320
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31191946
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182532
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180404
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179410
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182796
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187542
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182652
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31184034
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187042
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180614
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179410
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31188130
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187070
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180342
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31195314
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179666
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31190018
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31216528
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181014
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179408
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31183582
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182910
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31198140
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180436
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31211536
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179410
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31198434
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180404
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179410
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31196138
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180600
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180594
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_17_2327253_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181094
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179472
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179418
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179410
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179976
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180614
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31211536
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181512
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180404
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182532
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31198434
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179658
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179600
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179666
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31195314
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179958
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180600
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31196138
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31190018
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31188130
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180762
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31183582
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31191946
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182796
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187070
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31185218
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182652
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31182910
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179778
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179316
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179420
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180842
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187542
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31183358
----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31205896
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187042
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31184034
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180436
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31187320
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179408
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181014
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31216528
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179974
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179460
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179472
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181094
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181818
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31181046
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180952
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_17_2327253.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31179558
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31198140
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180342
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180594
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_17_2327253.31180000
</commentlist>
</conversation>
