riferguson's comments

...which won a Grammy last year for "Best Bluegrass Album", and for which he is actively touring right now.

So, yeah, his point is "here are the royalty riches you can expect when you make an award winning album and drag yourself all over the country promoting it."

Kind of explains the whole "Pink Panther 2" and "Cheaper by the Dozen 2" things.

"Easy", as in least effort on your part, or "easy", as in highest probability of success?

Not at all the same thing.

Judge Learned Hand: "Anyone may arrange his affairs so that his taxes shall be as low as possible; he is not bound to choose that pattern which best pays the treasury. There is not even a patriotic duty to increase one's taxes. Over and over again the Courts have said that there is nothing sinister in so arranging affairs as to keep taxes as low as possible. Everyone does it, rich and poor alike and all do right, for nobody owes any public duty to pay more than the law demands."

I stand corrected.

Apple has one patent in the H.264 pool, US 7292636, and one in the MPEG-4 Systems pool, US 6134243. I have no idea if either of these would be relevant to Theora.

For what it's worth, there are hundreds of patents in the total MPEG-LA pool.

Presumably it would be the holders of the putatively infringed patents that would be assembling the "pool". I don't think Apple is in the Video Codec patent-holding business. As a major licensee of H.264, you'd have to presume Apple be in a position to know if someone else was rounding up the usual suspects.

Once again, Gabe and Tycho have the important insight: http://www.penny-arcade.com/comic/2004/03/19/

If the job involves writing code, you're going to be asked to write code in the interview.

The "reverse-a-linked-list" question is an attempt at "minimal coding question that anyone should be able to do in 15 minutes at a whiteboard". It's an indicator, a mark of the ability to think on your feet and understand the basics -- think of it as the "pons asinorum" of programming. (cf http://en.wikipedia.org/wiki/Pons_asinorum)

If you're going to demand argument-from-authority, I've probably interviewed more than 200 PhD's for various positions over the last 30 years, and a statistically significant number of them were unable to pass a basic set of tests that history has shown to indicate the ability to function in an industrial-style software development environment.

Industry demands a different skill set than research; not better, not worse, just different.

Three things:

First, those are questions for a variety of different positions all mixed together. Product manager candidates get asked different questions than engineering candidates.

Second, yes, Microsoft tracks the effectiveness of interviewers based on the outcome of the interview loops and the performance of the people who get hired.

Third, all of the questions listed, no matter how trivial they seem, are dispositive. I've interviewed engineering candidates with PhD's from top tier universities who couldn't reverse a linked list when asked, or who couldn't even explain basic concepts in their putative focus areas. You have to ask the seemingly stupid stuff -- it's a continual surprise.

Full disclosure: no, I don't work there now. Yes, I used to, a very long time ago.

I have absolutely no opinion about the validity of this particular patent, but I want to forestall a bunch of random griping.

Please, please don't post commentary that involves "just reading the patent" and thinking (a) you know what it means, or (b) saying that it's "obvious" from a cursory glance.

All patents need to be interpreted in light of their "file history", which is the correspondence between the Patent Office and the filer during the patent examination. It is literally true that the words in the text may not mean what you think they do.

It is not uncommon for patent claims to be completely changed by the file history, which in complex cases can comprise thousands of pages of back and forth; if you pay the copying costs you can get the patent office to send you the file for any particular patent.

If a patent has been litigated, you may be able to figure out what the court and the original patent examiner thought the patent meant by reading the lawsuit filings and judgement, but just looking at the patent by itself is not necessarily going to help you understand the details.

[IANAL, but I've been to the rodeo before.]

Every reference to the GPL in the article is to version 3 of the license, which does not contain the language you reference.

Care to try again?

You're missing mine, I'm afraid: I've made no claim about anyone having to do anything. Indeed, if I was in Charlie's shoes, I wouldn't be working on spec.

Let me put it another way.

There are two markets for exploits: the legitimate one, and the criminal one.

Charlie is participating in the legitimate one. He's going to get paid what the sole counterparty wants to pay him. We can argue about what the counterparty should pay him, but that's up to Apple (in this case), and there are a lot of different things that might enter into their calculation.

An argument that uses the value of the exploit in the criminal market in an attempt to set a value in the legitimate one only makes sense in one of two cases: (a) you're going to take your work and sell it over there, or (b) you claim that someone else either has already discovered or will soon discover the same exploit independently, and will choose to sell it on the criminal market, and therefore the value of your work should reflect the danger of that happening.

In the first case, you're engaging in blackmail.

In the second case, it's just not a very good argument -- because the chance that each element in the chain of reasoning about the value (it's about to be or has already been discovered by someone else, it's going to end up on the black market, it's a substantial risk for a 0-day, etc.) is not true represents a probability that reduces the overall value of your exploit in the legitimate market. Plus, there's the additional reductions in exploit value that come from the vendor not actually caring that much about fixing problems until they're in the wild, or having already found the issue and decided that the particular problem isn't worth fixing for a variety of non-technical reasons, or any one of a dozen other external factors.

Working on spec and then demanding that the vendors match the exploit values that the criminal market is paying is just a Bad Idea, morally and practically.

I will go and read the paper. Thanks for the pointer.

[Let's use "Alice" as the name of our hypothetical security researcher.]

If the Bad Guys can get the exploit from someone else, then Apple equally could pay someone other than Alice to disclose it to them. Your premise assumes the work is fungible.

If the entire set of people (including Alice) who are capable of finding these vulnerabilities conspired to withhold their work and push the White Hat market clearing price up to the level that the Bad Guys will pay, then the answer to your question would be yes.

If it's a market without price fixing, then Alice withholding her work doesn't materially affect the actual price of the exploit to Apple, and in that case the answer to your question is no.

I have no problem with you, Charlie, or anyone else being paid top dollar for his or her work, particularly in an important field like security research.

Indeed, I think it's a great idea for Apple and the other vendors to reimburse 3rd parties for high quality results.

But he wasn't saying "I put X hours into this, and therefore it's worth $X*(billing rate)."

He was saying "the market value of this is $Z., and it's more for things that have a greater impact."

I don't know Charlie Miller from a hole in the ground, and so I have no idea if he's going to be selling his work to the Russian Mafia. If you say he's a great guy, I'm sure you're right.

Nevertheless, if he thinks that security exploits have a market value beyond a reasonable billing rate, he's implicitly using the threat of the Bad Guys to raise the value of his work.

That's a very fine line to be walking.

Miller says that the bugs have a market value beyond $5000 -- indeed, he claims that an IE8 exploit has a "market value" of over $50k.

But that market value exists only if you're willing to sell the exploits to people who either (a) are planning to use them or (b) want to fix them. The former group are the ones setting the market value, since they're the ones who are going to monetize the exploits.

The idea of announcing NO MORE FREE BUGS really amounts to saying to the world "I'm either going to sell my work to criminals, or am going to participate in an ongoing blackmail scheme to make myself rich."

Nice. Good luck with that, Charlie.

Dude, Google is your friend.

Mike was being coy when he described himself as a "former Microsoft employee", but dismissing him as a "random investor from Texas" is silly.

http://people.forbes.com/profile/michael-j-maples/49137 http://query.nytimes.com/gst/fullpage.html?res=990CE2D81038F... http://www.alibre.com/corporate/management.asp

It's not clear from the video, but the utility power number probably includes environmental stuff like cooling and lights. Just dividing one number by the other isn't going to give you the size of the power supply for each machine.