New NSA-Funded Code Rolls All Programming Languages Into One
An anonymous reader writes "What's your favorite programming language? Is it CSS? Is it JavaScript? Is it PHP, HTML5, or something else? Why choose? A new programming language developed by researchers at Carnegie Mellon University is all of those and more — one of the world's first "polyglot" programming languages. Sound cool? It is, except its development is partially funded by the National Security Agency, so let's look at it with a skeptical eye. It's called Wyvern — named after a mythical dragon-like thing that only has two legs instead of four — and it's supposed to help programmers design apps and websites without having to rely on a whole bunch of different stylesheets and different amalgamations spread across different files.
Wyvern = Wyrm (Score:3, Interesting)
Why? What's the worst that could happen? What's the best?
Why is the NSA interested in something like that directly? What is the potential for abuse?
Is it to make code analysis that much more centralized and (supposedly) simple?
Why didn't this come up with itself before now?
Re:Wyvern = Wyrm (Score:5, Interesting)
The standard NSA tactic for introducing security holes into a system is to obfuscate things so that holes are hard to spot and find. SELinux is probably such a system, and this polyglot language -- which effectively makes debugging impossible -- is likely another.
Re: (Score:3, Insightful)
To properly need to debug such a language, you would need to be aware of all of the possible rules, pitfalls, bugs, and race conditions of every language under its hood.
At a basic level, is your "if else" condition running on its Java or C++ or C version? Does it catch exceptions? Where is data being handled in memory? Are buffer overruns possible in some of these languages?
No one human could possibly be simultaneously cognisant of all possible sources of error. Programs in such a language would be a secur
Wyvern = Wyrm (Score:2)
But the good news for the USA is the data will still have connect with say international billing and other US set global standards.
That's where a system like this might be fun. You don't have to care what the backend was, just what is sent as known, expected, decrypted data.
Pulling useful data from new bespoke communications streams will be like setting the old standards.
Re:Wyvern = Wyrm (Score:5, Insightful)
To write applications in one language, instead of HTML, CSS, JavaScript, SQL, and something else. Not including multiple levels of configuration files (website and web server at least).
The NSA could insert backdoors which, unless they were incomprehensible crypto, would be easily found by both white and black hat investigators. Also, Carnegie Mellon University, which has a pile of research announcements every year, has its entire research department under suspicion of colluding with an oppressive government agency and spends decades regaining international status as someone you can do anything other than make the punchline of a joke.
CMU losing status is, to CMU, absolutely an intolerable option. I'm not saying it won't just because of the potential impact, but you asked what is the worst that could happen. Backdoors, and a respected university bursts into flames and is disregarded for decades internationally. That's bad.
Fewer bugs.
Because despite recent bad press, they are interested in security. If we can write stuff with fewer bugs, we are more secure. Maybe there are still plenty of bugs in the hardware/OS that they know about, but fewer bugs in the application level, which means the foreigners don't know about them because they don't exist.
Pretty small. White hats will vet the libraries, black hats will try to penetrate it, and it's no more or less secure than anything else a human has written. But people can make mistakes in fewer languages. And they aren't replacing languages, from the sound of it.
I suppose you could read the article.
Why didn't the airplane come up before it did? Are you insinuating something? Do you know something we don't know? Did someone mod you up for any particular reason, or just because you spewed thoughtless rhetorical questions?
Re:Wyvern = Wyrm (Score:5, Insightful)
> backdoors [...] would be easily found by both white and black hat investigators.
That's about the same as stating it is as simple to find a needle in a haystack as to put one in.
We already have issues finding normal bugs. We have seen flaws in kernels and encryption libraries that might have well been a typo, yet were in for years.
Re: (Score:2)
Put the haystack into a body of water and the hay will mostly float whereas the needle will sink.
Re: (Score:2)
No, how do they work?
Re: (Score:2)
As for why someone did not come up with it before, I have not looked lately, but old versions of GCC could compile together half a dozen languages into a single binary and I worked on a team that split up the project into multiple languages using the feature.
"bad press", "interested in security" (Score:3)
Your post makes various other points that sound reasonable to me, but I have to call out the above line from a couple of angles:
1) using the phrase "bad press" implies a virtuous subject that has been distorted by a reporting industry with a non-virtuous agenda. NOTHING OF THE SORT has happened to poor lil' NSA here... they FUCKED us, straight up, and got caught red-handed.
2) Whatever the extent to which the NSA is "interested in sec
Re: (Score:3)
It *has* been done before. I worked on it years ago. One of my colleagues came up with it in 1999.
http://www.waterlanguage.org/
It was brilliant to work in, but it didn't catch on.
Re: (Score:2)
Except that it's not valid XML but something even worse.
That language just looks horrible.
Re: Wyvern = Wyrm (Score:2, Interesting)
Not impressed. The OP obviously doesn't understand a thing about programming languages in general, or programming as an activity in particular. Or he would know that the use of multiple files, and multiple languages, is a means to an end, not a nuisance. Namely to manage complexity, and to use the most appropriate level of abstraction to solve a particular problem. If he'd know he would not claim that wyvern is a polyglot language, but that it is a meta language to create internal DSLs, domain specific lan
Re: (Score:2)
> Why didn't this come up with itself before now?
Jack of all trades, master of none.
Lack of basic research (Score:5, Insightful)
I arrived at America pretty late - at the 60's - but at least at that time America had several institutions doing all kinds of wonderful basic research
Bell Labs
Xerox's famous lab at Palo Alto
The Skunkworks
And at that time Darpa funded a lot of basic research as well
Today, all gone
Even Darpa's funding are not aiming at basic research - such as what TFA has outlined - what they are doing at Carnegie Mellon is actually an applied research ... taking what has been known and add another layer onto it
What's happening in America nowadays is very worrying
Re:Lack of basic research (Score:5, Insightful)
Of course, a lot of research was done by the private labs of corporations back then, like IBM, RCA, etc.. Engineering was a respected profession, you needed real talent to become an engineer or programmer and you could earn a good living that way in the West.
Then one day some bright psychopath realized it would be cheaper if universities did the research with government money instead.
Then you get the research done, your future employees come already in debt, and then they work for peanuts paying back their student loans.
So companies used to pay YOU to do research, now YOU pay to go to university and the companies get to keep the IP!
And social engineering and manipulation means that people will WILLINGLY do so!
Brilliant!
Re: (Score:2)
Yet at the same time, the US spends considerably more on research than it did then. I think here the explanation is that public funding crowded out private for basic research.
It makes little sense to fund your own research in the cases where some government would fund it for you. Similarly, if you're a researcher, public funding is high quality and less demanding than private funding. Sure, you have to fill out a ton of paperwork. But they don't have anything like the expectations th
Wyvern? (Score:3)
Shit summary (Score:5, Insightful)
CSS and HTML5 are not programming languages. You don't "choose" html5 over, say, php.
(And don't fucking say HTML5 + CSS3 is turing complete)
Re:Shit summary (Score:5, Insightful)
I didn't see any programming languages in the list on the summary. Just a bunch of web shit.
Re:Shit summary (Score:5, Funny)
Yeah and can you imagine the horrific shit sandwich that would be a combination of CSS, HTML5, PHP and JavaScript?
666 Mark of the Techno Beast. It's like some shit Ghostbusters 2099 would be tasked with stopping.
stupid argument (Score:2, Insightful)
CSS & HTML5 ***are*** code languages for programming machine behavior
*at the presentation level*
it's not an "original gangster" hardcore badass super 1337 C#+! language...it's not complex or "bragable" at a gathering of dorks trying to impress each other...
but it's symbols that form a code that humans use to 'program' machine behavior...that's a programming language
just accept it, once and for all, and stop all of you....just stop
it doesnt make your skillz any less bragable...it's a coding language...mo
Re: (Score:2, Informative)
> CSS & HTML5 ***are*** code languages for programming machine behavior
CSS & HTML5 are data that is interpreted by a computer program. They are not "code languages". The rule of thumb is that without some sort of control structure (if/then/else, loops, etc.), it's just data.
For HTML, this becomes obvious once you see how many real languages (JavaScript, PHP, ColdFusion, VisualBasic/ASP, etc.) have been created to overcome its lack of control structures.
then all code is data (Score:2)
you can't redefine "coding" by calling everything "data"
it's instructions for a machine...that's coding...
you're playing linguistic games & no matter how you do it you're still wrong functionally
Re: (Score:2)
But PRESENTATION (how something looks) and BEHAVIOUR (how something acts) are two different things.
Saying "programming machine behaviour... at the presentation level" is a nonsensical statement. HTML/CSS define content & presentation. They do not "program behaviour".
Or as Wiki puts it [wikipedia.org], "The purpose of programming is to find a sequence of instructions that will automate performing a specific task or solve a given problem". HTML & CSS simply do not qualify. They are certainly computer languages, b
definition is clear (Score:2)
presentation is behavior...in fact, if all you have is a monitor **all behavior is presentation**
if use HTML5 to tell a computer to display a black background when you go to a URL
OR i could do the same to ****PROGRAM**** the computer to display a white background when you go to a URL
either way, user enters data (URL in browser) and computer returns a ***PROGRAMMED*** response
programmed using HTML5 so that the browser knows it's the *background* that is to be black, not another part
that's programming no matt
CSS? (Score:5, Funny)
"What's your favorite programming language? Is it CSS?"
Why yes, I just love writing VoIP systems in CSS.
Re: (Score:2)
Every time I see the wish to create yet another, newer, better way to program a computer, instead of the oldschool assembler, C, Basic and Pascal methods, it keeps reminding me to ask people to let's come up with a better way to represent numbers. As in Roman numerals like MCMLXXXIV truly suck compared to Hindu (called Arabic) 1984 numerals, but we shouldn't leave it at that, there's gotta be something better than that Hindu representation. But the reality is that we'd be like a dog chasing its tail with a
Re:CSS? (Score:5, Insightful)
I'd like to point out that you can't represent irrational numbers accurately without a new system. Let alone transcendental numbers.
Also some numbering systems are more convenient. Binary, for example. Not different numerals, but used differently.
I know, not exactly your point, but don't dismiss languages other than C, Basic, and Pascal.
Compiler virus (Score:5, Interesting)
Wasn't there some discussion on how effective a special, compiler-embedded virus would be? This seems like a good candidate for that.
NSA: A Source Name we trust! (Score:2)
Yes! Finally, a programming language and development system from a serious organization we can all trust to help us produce secure applications! I am so happy I'm doing the little Snoopy Dog House Dance! Oh-Joy! More Exclamation Points Please!!!
Re: (Score:2)
Yeah, like that horrible SELinux thing they developed...
You have n programming languages... (Score:5, Funny)
Re: (Score:3)
Apologies to you, AC, for hijacking your highly upvoted comment.
We appear to have something rather serious at work here. A registered user (jelIomizer, the second 'L' is actually an 'i' character or some Unicode variant) posted over 28 posts (all MyCleanPC spam) in under 6 minutes on this article--something neither you nor I can do. This smacks of a slashcode bug or admin collusion.
For reference [cryptome.org]...
Oh yeah, hello to all the friendly NSA propaganda operatives out there. Go fuck yourself.
Re: (Score:2)
http://xkcd.com/927/
Ridiculous Summary, Interesting Papers (Score:3, Informative)
As you'd expect from CMU, the papers themselves are pretty interesting. Just read the abstracts instead of trying to guess from the summary or vice article, which are both way off the mark.
http://www.cs.cmu.edu/~aldrich/papers/ecoop14-tsls.pdf
http://www.cs.cmu.edu/~aldrich/papers/maspeghi13.pdf
Because More is always better !!! (Score:2)
At the NSA they KNOW a bigger haystack is a better haystack, so why not extend that idea to a programming language.
By understanding all the languages you get the strengths of all the languages and none of the weaknesses, programmers can just ignore the weaknesses then they aren't there,
Why should programmers have to put up with those pesky syntax errors when you can just make the language accept any (stupid) command.
Forward to the future !
why- just why? (Score:4, Insightful)
Why in the hell would you need to look at something with a skeptical eye just because money came from a certain source? Is the reputation of Carnegie Mellon suspect or something? And if so, shouldn't that in and of itself be the reason of suspect?
The submitter is a shallow person suffering from guilt by association which is never a valid premise. I mean I know skinheads who donate to Planned Parenthood specifically because they have all their abortion clinics in areas with high minority populations and keep the minority populations in check. Does that mean we have to look at them with a skeptical eye too? Of course not- or at least not because a source of their funding has issues most of us find repulsive.
The merits of this will rest on its own. There is absolutely no reason to put the integrity of the development into question simply because the NSA gave funding.
Re:why- just why? (Score:5, Insightful)
Re: (Score:2)
No.. you are just as likely to overlook good research and settle for bad research when the source of funds is a primary role in how you accept it.
The research and or science will stand on its own merits. Well, that is if science is the goal and not politics. In this case, a university of good repute just had its integrity challenged by nothing more than idiots on parade trying to turn something political. There is no justification for it. Just mentioning the funding sources is one thing, but they actually
Re: (Score:2)
The NSA never touched this though. You seem to be trying to say that since a drunken murderer buys Jim Beam that all whiskey Jim Beam produces is somehow now suspect. It just ain't so.
Re: (Score:2, Insightful)
> There is absolutely no reason to put the integrity of the development into question simply because the NSA gave funding.
Uh yes, there is.
> As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.
How much longer are you willing to be a battered spouse, making excuses for your abuser?
Re: (Score:2)
If the NSA or evil software writers association actually developed the software, then yes. But simply passing money to an otherwise reputated team makes no sense- closed or open.
Re: (Score:2)
Except that one wonders *why* are they funding it. How will it make our communications less secure?
Off hand the only thing that comes to mind is that there would be fewer components of the browser that the NSA needed to compromise if all the languages used the same interpreter. Perhaps that's all there is. It's even possible that they didn't fund the project with a malign intent. That, however, is not the way I'd bet given their "improvements" of encryption methods.
No, it doesn't "roll all languages into one" (Score:5, Informative)
No, it doesn't "roll all languages into one". It just allows embedding of the text of another language, such as HTML, into a Wyvern program. Variables can be substituted. Like this:
(except that the last 3 lines above should be indented, because this language uses Python-style block notation.)
Of course, everybody does that now, but the way they do it, especially in PHP, tends to lead to problems such as SQL injection attacks. The idea here is that Wyvern has modules for the inserted text which understand what kinds of quoting or escaping are required for the embedded language text.
I just glanced at the paper, but that seems to be the big new feature.
Re: (Score:2)
That problem would not exist if people knew how to use a database.
Re: (Score:2, Informative)
It's not just about quoting or escaping. It actually builds an AST for each TSL expression (for example, an HTML expression), so they can tell if the expression is valid and how to combine the Wyvern expression with the TSL expression containing it. It looks like brain-dead string concatenation, which reduces clutter and improves readability, but it gives you all the benefits of using the type system.
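Added example, not from the thread or the Wyvern papers: a Python illustration of the idea in the two comments above, with embedded HTML held as a typed tree and SQL values bound as parameters, next to the string-concatenation versions. Python stands in for Wyvern's type-specific languages; all names (`el`, `render`, `secrets_bound`, the sample table and the hostile inputs) are assumptions constructed for illustration.

```python
import html
import sqlite3
from dataclasses import dataclass

# Constructed sample inputs (not from the page).
HOSTILE_COMMENT = "<script>alert(1)</script>"
HOSTILE_NAME = "nobody' OR '1'='1"


# ---- HTML: pasted string vs. a small typed tree ----------------------------
def comment_concat(comment: str) -> str:
    """String concatenation: whatever is in `comment` becomes markup."""
    return "<li>" + comment + "</li>"


@dataclass(frozen=True)
class Text:
    value: str


@dataclass(frozen=True)
class Element:
    tag: str
    children: tuple


def el(tag: str, *children) -> Element:
    """Build an element node. Bare strings become Text nodes, so data can
    never turn into markup; a malformed tag is rejected when the tree is built."""
    if not tag.isalnum():
        raise ValueError(f"invalid tag name: {tag!r}")
    return Element(tag, tuple(Text(c) if isinstance(c, str) else c for c in children))


def render(node) -> str:
    """Serialise the tree. Escaping is chosen by node type, not by the caller."""
    if isinstance(node, Text):
        return html.escape(node.value, quote=True)
    inner = "".join(render(child) for child in node.children)
    return f"<{node.tag}>{inner}</{node.tag}>"


# ---- SQL: pasted string vs. bound parameter --------------------------------
def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db


def secrets_concat(db: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the value is pasted into the query text, so a
    quote character in `name` changes the structure of the WHERE clause."""
    query = "SELECT secret FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def secrets_bound(db: sqlite3.Connection, name: str) -> list:
    """The query text is fixed; the driver passes `name` as a value only."""
    return db.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concat HTML :", comment_concat(HOSTILE_COMMENT))
    print("typed HTML  :", render(el("ul", el("li", HOSTILE_COMMENT))))
    print("concat SQL  :", secrets_concat(db, HOSTILE_NAME))
    print("bound SQL   :", secrets_bound(db, HOSTILE_NAME))
```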
Re: (Score:2)
yeah, and the Java experience is that embedding code with html isn't a great idea. That's why JSP is on the way out and JSF on the way in.
skilled international negotiator! (Score:2)
Yeah, about as skilled and effective as past Israeli-Palestinian negotiators...
CSS? JavaScript? PHP? HTML5? (Score:5, Insightful)
Are these what the kids call programming languages these days?
It doesn't sound very serious.
Re: (Score:3)
> Are these what the kids call programming languages these days?
Yup. A lot of 'programmers' don't even know non-web languages exist. I wish I was kidding. And a lot of employers don't know either. The whole thing is just really sad.
Programming language? (Score:2)
CSS: not a programming language.
HTML: not a programming language.
PHP: not a programming language.
Note: I'm a web developer mostly these days, I write a bucket of each of these. I'm a computer science educated professional and I also write a lot of code in Java and C++. I really like PHP. It is however not a bloody programming language, it's a scripting language.
Re: (Score:2)
So in order to be a programming language it has to be compiled instead of interpreted?
Where does compiled PHP fit into your world view?
Re: (Score:3)
That's a distinction without a difference. All "scripting languages" are programming languages, quibbling over whether the particular domain a language is used in makes it a "real" language or not is fodder for arrogant asses who need to make others seem smaller to boost their own pathetic egos.
Obviously, different languages have different strengths and weaknesses. You wouldn't write an OS kernel in JavaScript, and you wouldn't write system administration automation in C++. Sneering at the domain of one
Re: (Score:3)
Well, PHP is a programming language, just not really a general-purpose one.
Anyways, web-stuff is a small part of programming, and not really an important one as it is pretty limited.
Re:Programming language? (Score:5, Insightful)
> I really like PHP. It is however not a bloody programming language, it's a scripting language.
I really hate PHP, but what I hate even more is being confronted with this mysterious distinction between "scripting" and "programming" languages.
A language might be strongly or weakly, dynamically or statically typed. A particular implementation might employ a compiler, a virtual machine or interpreter. These are meaningful distinctions. But what (with the possible exception of a hardware specific control language) does it even mean for a language (as distinct from its implementation) to be a "scripting" language?
Would PHP cease to be a scripting language if an object code compiler were available for it? Is 'C' a "scripting language" just because it's interpreted [softintegration.com]? And what about a language which has never actually been implemented, what in the language specification determines unequivocally if that language is 'scripting' or a 'programming' language?
Re: (Score:3)
The distinction is determined solely by the prejudices of whomever is bothering to make it. Scripting is a domain in which a programming language is used, not some basic attribute of it. You could use C to write your system automation tools, but it would be a waste of time when a simple Bash script would get the job done quicker and in a far more concise manner. Likewise, you could write your virtualization software in Ruby but it's going to be dog slow, and probably full of weird hacks to make shit work.
Re: (Score:2)
Agreed. Assembly is just a scripting language for microprocessors. C is just a scripting language for the compiler back-end. The OP did a terrible job of making his case.
Re: (Score:2)
[quote]
CSS: not a programming language.
HTML: not a programming language.
[/quote]
CSS and HTML are such devious piles of junk, they should be turing complete by now.
Which behaviour? (Score:5, Interesting)
//\
/*
#include "stdio.h"
/**///\
public class test2 {
//\
public static
void main
//\
(String[]a)//\
/*
(int argc, char *argv[])//*/
{
//\
System.out.printf("hi, I'm java\n");/*
printf("hi, I'm C\n");//*/
}
//\
}
Re: (Score:2)
> void main(int argc, char *argv[])
> valid C
Nope. Not valid C. Valid would be int main(void), int main(int argc, char **argv)(and equivalent), and in some cases int main(int argc, char **argv, char **envp) (and equivalent).
Source [open-std.org]
Re: (Score:2)
Depends on the standard. Even "main()" can be valid.
Re: (Score:2)
> Depends on the standard.
No. None of the C Standards ever had void a valid return type for main, and, frankly all of them (since we're talking standards, that means C89 through C11) give you int main(void) and int main(int argc, char **argv)(and equivalent).
It's not like i didn't link a source.
> Even "main()" can be valid.
Yes, C89 allowed leaving away the int, that's called "implicit int". Needless to point out, the return type is still int.
Re: (Score:2)
"main()" does not have void as return type, it has "no return type specified". You are also not going back far enough if C89 is the first thing you look at and you are constraining your search too much if you require an "IOS" Standard. There are others around, even if bodies like ISO would probably say they are not standards. Not so.
Re: (Score:2)
Furthermore probably sucks to think that a function taking no parameters like foo(void) and a function taking an unspecified number of parameters like foo() and (void) were the same thing. Your mind might be a bit C++-damaged (in C++, foo() in fact means foo(void)).
Educate much?
Consider char (*foo(int)
They've re-invented PL/1 (Score:2)
Re: (Score:2)
And we know how well that worked the last time.
Nah. They've re-invented Ada.
Ada is when they re-invented PL/1.
Hmm. What comes after strike 2?
Re: (Score:2)
Sorry, but PL/1 was a decent language with atrocious subsets at ridiculous prices. The compiler was also large and slow. And I had some problems with its "intelligent type conversion"s. But you've got to remember what other languages were around at the time. It hadn't learned Object Oriented programming. Etc. But it made safe use of pointers rather easy. I wrote my first Red-Black tree in PL/1 and it was a lot easier both to do and to understand than the one I did later in C.
OTOH, I must admit that
Why is scripting better than an amalgation of CSS? (Score:2)
I really don't understand this. Almost every site I go to does the same damn crap with Javascript and all of it could be done with other technologies.
LLVM's logo is a wyvern (Score:4, Insightful)
Keep away from it (Score:2)
It's supposed to help the NSA, and to hurt you in the end.
if it did, that would eliminate my bugs (Score:4, Insightful)
It doesn't do what the summary says.
If it did, that would take care of half of my bugs. Within a 30-minute period, I might well work in PHP, Perl, ActionScript, JavaScript, and some other language. A large portion of my errors are things like using empty() in JavaScript. Especially, ActionScript is almost the same as JavaScript, and a lot of Perl is also valid PHP, so when switching between these it's easy to absent-mindedly tap out a line in the wrong language.
Once upon a time, I used vim syntax highlighting, which doesn't typically catch using the right syntax, but the wrong function name, but does make missed braces and such obvious. Maybe I should write a vim plugin for "wrong language, dummy." It would look for echo (PHP) vs print (Perl), etc.
Re: (Score:2)
This reminds me of ls.bat and various other little .bat files people put on DOS and Windows machines for obvious reasons.
All programming languages? (Score:3)
Does it do APL ? Forth ? 6502 assembler?
Re: (Score:2)
They forgot to add the distinction "... your average script-kiddie has ever heard of".
OMG! (Score:2)
They've re-invented PL/1!
It's really too bad... (Score:5, Insightful)
The NSA's reputation has been annihilated. There are good people that work for such organizations. People that could and do benefit our society on a regular basis. Their institution was simply coopted by irresponsible people that sadly destroyed everything. It's a shame.
Re: (Score:2)
Maybe it's time to reanimate (D)ARPA - the guys that gave us the Internet.
Re: (Score:2)
Maybe it's time to reanimate Al Gore?
Re: (Score:2)
The only NSA employee I'd trust is John Casey.
FTFY (Score:5, Funny)
"...and here's another one!"
Jellomizer (Score:2)
Jellomizer has multiple posts all dated with 7:12 PM. Now, as a Slashdot member over the years, with excellent karma, I can't even post that fast, regardless of what I'm posting. What allows Jellomizer, without the consent of the editors/admins, to post spam repeatedly, without any time delay?
all of those and more... (Score:2)
Anything based upon HTML or CSS is guaranteed to be an unmaintainable crap. Put them together, and you have the largest pile of shite ever !
Naive predictions (Score:2)
Without having looked at the post or scrutinized the language, here's a couple of guesses:
1) looks like C: i.e. verbose, vacuous, loopy.
2) has crappy (i.e. industry-standard) array-handling.
3) fails to incorporate any of the decades of research about how people approach problems versus how programming languages do.
Re: (Score:2)
What I really want to know is... how the fuck does a registered user post over 20+ posts in under 6 minutes without being filtered by the "you must wait X minutes" filter. This smacks of a slashcode exploit or editor collusion. I'm a registered user with Excellent karma, and I can't post anywhere NEAR that fast.
Re: (Score:3)
There's a comment threshold feature that effectively eliminates your ability to see low rated comments, which these ravings are rendered to with a quickness thanks to a rather decent moderation scheme.
Caveat: two or three of the smartest things I've ever read on here were, at least at one point, low threshold.
Re: (Score:2)
Allowing blatant spam to drown AC comments is likely the goal. Still not sure how Jellomizer posts over 20 (20+!!!) posts in under 6 minutes even IF they had excellent karma. This smacks of a slashcode bug or editor collusion. Normal users won't suffer because of the karma bonus, but affected users will include any ACs making relevant points. Allowing the spam to continue unabated will simply result in controversial viewpoints (held legitimately, posted AC to preserve reputation) being drowned out. For furt
Re: (Score:2)
Though since this is Slashdot, there's virtually zero chance this is the first (or the last) instance of a disgruntled nerd with some coding skill.
Can't you just picture the editors, worked up into a frenzy this Monday morning, feverishly pursuing a solution?
Re: (Score:2)
That's fine and wonderful, but some of us browse at -1 because some people make great points as an AC. This sort of spamming blatantly denies those people a voice.
Re: (Score:3)
Indeed. And JavaScript and PHP are special-purpose languages that are unfit to be used in a general setting. The OP has no clue.
Re: (Score:2)
Not quite, but it decidedly requires quite advanced skills to produce anything good with it.
Re: (Score:2)
Perl was a polyglot before it was cool. Hipster Perl.