All Hands to the Sieve

Stan Kelly-Bootle

Issue #78, October 2000

A recent FLASH alert from SANS reveals the dangers lurking in the bowels of MS Access, Word 2000 and Internet Explorer 5.00+.

If you want to be thoroughly depressed by the CS “state of the art”, apart from running/crashing Windows, you should check out Peter Neumann's RISKS reports and the regular lists of “vulnerabilities” issued by the SANS Institute. No OS, kernel, compiler, library, parser or command seems immune, however “mature”. Mon dieu, we are not just talking kilobillion (who knows?) spreadsheet flaws or megabillion lost spacecraft (good for some), but pandemic, apodictic, uncaught exceptions based, in spite of endless warnings, on the syntactic quirks of C arrays.

A recent FLASH alert from SANS reveals the dangers lurking in the bowels of MS Access, Word 2000 and Internet Explorer 5.00+. SANS is offering a prize for “quick” fixes, but these bugs are eminently “proprietary”. Microsoft, let's face it, has more than their unfair share of expert programmers schooled in the latest software engineering agendas. Indeed, Microsoft Press offers many bibles on how to develop provably “robust” applications. Yet, in spite of linguistic and developmental tools aimed at detecting the “obvious” errors (memory leaks and array overflows), this fine group of MS programmers lets slip the dogs of...er...dogs.

The epistemological, unanswerable challenge, of course, is to first define “bug” and then, “bug-free”. Even Stephen Hawking's “Brief...” open-ended, temporal historiography may not allow us to test every path through all the if-then-elses of our sweetly crafted code. And what does it mean to “match” a specification expressed, ultimately, in “natural” language? (As Hawking's cosmos time-reverses to the Big Crunch, will we see our GOTOs mapped as COMEFROMs?)

The success of the open-source approach depends on the critical exposure of the code to many unbiased programmers motivated only by the true target, whereas an in-house “slave”, with share options at stake, may be loath to rock the boat.

In spite of which, recent SUID security flaws in the Linux kernel indicate (more depressions) that simple code slips can escape multiple perusal. On the bright side, we have (i) prompt, open acknowledegment and fixes; (ii) no end of scapegoats (boucs emissaries)—hands up, whosoever was guilty from the 144,000 remnant. Peter Salus will record your confession/contribution.

Due soon from Prentice-Hall, Bob Toxen's Real World Linux Security (see Note 1).

GIMPS

Moving to another aspect of widespread open computing, GIMPS is the Great Internet Mersenne Prime Search (see Note 2). Over 8,000 individual users are engaged in finding ever-larger primes. Way back, Euclid proved that there's no end in sight, for if P is the largest prime, then either P!+1 is a bigger bugger or it must have a prime factor larger than P. QED! (Where P! means factorial P, not to be confused with the second “!” which expresses amazement and relief!)

They say if you don't see the beauty of this proof (suitably refined), you'll never be a mathematician.

And, a sure test of your sensayuma goes thus: the Sieve of Eratosthenes (another dead Greek) offers a slowish algorithm for listing each prime in ascending sequence. My own Kelly's Sieve lists both composites and primes with a single for loop.

The point is whether there are primes between P and P!+1—and in June 1999, Nayan Hajratwala of the GIMPS team hit a new (temp) world record with:

2^6,972,593 - 1

I'll spare you the seven miles of digits and commas needed to printf() this number.

Next month: how to help find alien intelligence via the SETI collaborative program at http://www.setiathome.ssl.berkeley.edu/. [Join the Linux Journal group! —Ed.] Chances are that some little green mathematicians already know the next largest prime.

Notes

Stan Kelly-Bootle (skb@atdial.net) has been computing on and off since his EDSAC I (Cambridge University, UK) days in the 1950s. He has commented on the unchanging DP scene in many columns (“More than the effin' Parthenon”—Meilir Page-Jones) and books, including The Computer Contradictionary (MIT Press) and UNIX Complete (Sybex). Stan writes monthly at http://www.sarcheck.com/ and http://www.unixreview.com/.