<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=WurmWoode</id>
		<title>explain xkcd - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=WurmWoode"/>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php/Special:Contributions/WurmWoode"/>
		<updated>2026-04-29T08:53:33Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.30.0</generator>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=Talk:235:_Kite&amp;diff=216605</id>
		<title>Talk:235: Kite</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=Talk:235:_Kite&amp;diff=216605"/>
				<updated>2021-08-16T06:58:34Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: Connecting the dots&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I believe you are backwards on your interpretation of the title text.  If it is hard to regret; you do not regret.  Therefore you can regret awkward communication, but can't regret communications that never occurred.  In this, Randall seems to be at odds with the tone of other pages, such as the choices arc.[[Special:Contributions/138.163.106.71|138.163.106.71]] 01:50, 11 October 2013 (UTC)&lt;br /&gt;
&lt;br /&gt;
Agree on this and I have changed the explanation - I do however, believe that it is not the point that Randall tries to make - and have thus added that you can regret the missed conversation even more than a possible awkward one... [[User:Kynde|Kynde]] ([[User talk:Kynde|talk]]) 18:15, 9 January 2014 (UTC)&lt;br /&gt;
&lt;br /&gt;
==Pi day==&lt;br /&gt;
How has everyone missed this.&lt;br /&gt;
&lt;br /&gt;
Not one notices that the day relates to {{w|Transcendentalism}}, and that relates to ''{{w|Walden|Life in the Woods}}'', which relates to {{w|Henry David Thoreau|Thoreau}}, who put it quintessentially: &lt;br /&gt;
&lt;br /&gt;
::&amp;quot;I went to the woods because I wished to live deliberately, to front only the essential facts of life, and see if I could not learn what it had to teach, and not, when I came to die, discover that I had not lived.&amp;quot;&lt;br /&gt;
[[User:WurmWoode|WurmWoode]] ([[User talk:WurmWoode|talk]]) 06:58, 16 August 2021 (UTC)&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=267:_Choices:_Part_4&amp;diff=216604</id>
		<title>267: Choices: Part 4</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=267:_Choices:_Part_4&amp;diff=216604"/>
				<updated>2021-08-16T06:05:36Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Explanation */ grammar&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 267&lt;br /&gt;
| date      = May 24, 2007&lt;br /&gt;
| title     = Choices: Part 4&lt;br /&gt;
| image     = choices_part_4.jpg&lt;br /&gt;
| titletext = Making out with yourself: now an official xkcd theme? Troubling.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
This is the {{w|existentialistic}} {{w|climax (narrative)|climax}} of the Choices series. It takes up the recurring [[xkcd]] theme of how people tend to be blind to the staggering number of possibilities that each day holds, with routine and boredom as a result. (See e.g. [[137: Dreams]] and [[706: Freedom]].)&lt;br /&gt;
&lt;br /&gt;
The [[Megan]]-clone implies that Megan has been taken to some kind of {{w|afterlife}} or parallel universe outside reality. It's not a dream, but she will not remember this place when she goes back. But the clone hopes that these hints will stay with her. Realizing that she would not remember being here, Megan suddenly realizes that she might already have been here before. And the clone admits that she has taken her to this place once before. Although not for another hint; actually it was to make out with herself. And then she quickly says ''bye''.&lt;br /&gt;
&lt;br /&gt;
The title text makes it clear that the Megan-clone did actually bring her previously into this place just to make out, and then refers to this being the second time this has been a theme, [[105: Parallel Universe]] being the first. [[Randall]] appears to find this a little troubling (or it may be that he suspects his readers will).&lt;br /&gt;
&lt;br /&gt;
The series was released on 5 consecutive days (Monday-Friday). All parts of &amp;quot;[[:Category:Choices|Choices]]&amp;quot;:&lt;br /&gt;
*[[264: Choices: Part 1]]&lt;br /&gt;
*[[265: Choices: Part 2]]&lt;br /&gt;
*[[266: Choices: Part 3]]&lt;br /&gt;
*[[267: Choices: Part 4]]&lt;br /&gt;
*[[268: Choices: Part 5]]&lt;br /&gt;
&lt;br /&gt;
As this was the fourth in the series, it was released on a Thursday.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Megan in a bubble is floating in outer space (on a dark blue background) next to her clone outside the bubble. Megan is simulating sitting down in the middle of the bubble. The clone reaches one arm out toward the bubble. There is no line from the first part of the clone's text to the rest of the text. It is given from the context who speaks. There are always more stars in the panels to the left than those to the left.]&lt;br /&gt;
:Clone: I shouldn't do this, but I pulled you out for a moment to give you a hint.&lt;br /&gt;
:Megan: A hint?&lt;br /&gt;
:Clone: Take wrong turns. Talk to strangers. Open unmarked doors. And if you see a group of people in a field, go find out what they're doing. Do things without always knowing how they'll turn out.&lt;br /&gt;
&lt;br /&gt;
:[Megan leans towards the clone, the clone &amp;quot;lies&amp;quot; on her tummy with arms forward and legs lifted up.]&lt;br /&gt;
:Megan: Why tell me this?&lt;br /&gt;
:Clone: You're curious and smart and bored, and all you see is the choice between working hard and slacking off. There are so many adventures that you miss because you're waiting to think of a plan. To find them, look for tiny interesting choices. And remember that you are &amp;lt;u&amp;gt;al&amp;lt;/u&amp;gt;ways making up the future as you go.&lt;br /&gt;
&lt;br /&gt;
:[Megan is &amp;quot;sitting&amp;quot; down with her hands on her knees. The clone stands and lifts an arm up.]&lt;br /&gt;
:Megan: So, wait, what ''is'' this place? Am I going to wake up thinking this was a dream?&lt;br /&gt;
:Clone: This is... Think of this as after the game, outside the theatre. To go in, I had to suspend disbelief, forget the outside.&lt;br /&gt;
&lt;br /&gt;
:[Megan again leans towards the clone; the clone spreads out her arms.]&lt;br /&gt;
:Megan: So you... Huh. Why give me hints I'm going to forget?&lt;br /&gt;
:Clone: You'll forget this trip but I think the hints should stay with you.&lt;br /&gt;
:Megan: ...If this is a game, are you— are ''we''— cheating?&lt;br /&gt;
:Clone: Yup.&lt;br /&gt;
&lt;br /&gt;
:[Megan still leans towards the clone. The clone leans a little back, her arms down.]&lt;br /&gt;
:Megan: Is that a good idea?&lt;br /&gt;
:Clone: Well it's an interesting one.  We'll see how it goes.&lt;br /&gt;
:Megan: Well, I guess I'll see you aroun—&lt;br /&gt;
&lt;br /&gt;
:[Megan leans towards the clone with a hand up, the clone leaning even more back, almost like she is falling backwards.]&lt;br /&gt;
:Megan: Wait a minute; have you brought me here before?&lt;br /&gt;
:Clone: I ... Maybe. Once.&lt;br /&gt;
:Megan: For another hint?&lt;br /&gt;
:Clone: Er. &lt;br /&gt;
:Clone: Actually we just made out.&lt;br /&gt;
:Megan: We wh—&lt;br /&gt;
:Clone: Bye!&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Choices]]&lt;br /&gt;
[[Category:Comics sharing name|Choices]]&lt;br /&gt;
[[Category:Comics featuring Megan]]&lt;br /&gt;
[[Category:Sex]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=266:_Choices:_Part_3&amp;diff=216603</id>
		<title>266: Choices: Part 3</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=266:_Choices:_Part_3&amp;diff=216603"/>
				<updated>2021-08-16T06:01:31Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Explanation */ grammar&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 266&lt;br /&gt;
| date      = May 23, 2007&lt;br /&gt;
| title     = Choices: Part 3&lt;br /&gt;
| image     = choices_part_3.jpg&lt;br /&gt;
| titletext = Wait, this is space -- how are you talking to me? And, as an afterthought, what's up with the hole in reality?&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
[[Megan]] is very unsure about what to think of her situation. Is it a dream? Is she in danger? She should be scared but isn't, and it does not feel like a dream, i.e. it feels real even though she suspects it is a dream. This would usually never be the case. If your dream feels realistic, you do not usually consider that you are dreaming.&lt;br /&gt;
&lt;br /&gt;
Suddenly someone talks off-panel and tells Megan that she has been found. When Megan asks the speaker who it is, reality becomes even more distorted, and suddenly she finds that she is looking at herself outside the sphere. And the two Megans say hi...&lt;br /&gt;
&lt;br /&gt;
In the title text, she realizes that if she were in real space, she wouldn't be able to hear any {{w|sound}}, like the voice talking to her, due to the lack of atmosphere. As an afterthought, she decides to ask about the hole in reality (which many people would consider to be more unusual than sound in space).&lt;br /&gt;
&lt;br /&gt;
The series was released on 5 consecutive days (Monday-Friday). All parts of &amp;quot;[[:Category:Choices|Choices]]&amp;quot;:&lt;br /&gt;
*[[264: Choices: Part 1]]&lt;br /&gt;
*[[265: Choices: Part 2]]&lt;br /&gt;
*[[266: Choices: Part 3]]&lt;br /&gt;
*[[267: Choices: Part 4]]&lt;br /&gt;
*[[268: Choices: Part 5]]&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[A white Megan floats in a bubble against a dark blue space backdrop. She is at the top of the bubble. Her thoughts (not connected to her by a speak line) are shown above her in white.]&lt;br /&gt;
:Megan (thinking): I should feel scared.&lt;br /&gt;
&lt;br /&gt;
:[She falls from the top of the bubble, the bubble rises, or both.]&lt;br /&gt;
:Megan (thinking): But I don't.&lt;br /&gt;
&lt;br /&gt;
:[She hits the bottom of the bubble, and the bubble begins to fall down.]&lt;br /&gt;
:Megan (thinking): Maybe this is a dream.&lt;br /&gt;
&lt;br /&gt;
:[She floats over the top of the now still bubble.]&lt;br /&gt;
:Megan (thinking): But it doesn't feel like one.&lt;br /&gt;
&lt;br /&gt;
:[She now floats in the middle of the still bubble, in a larger panel. The sky behind her now has many stars and light effect. A voice speaks from off-panel above.]&lt;br /&gt;
:Voice (off panel): Okay, found you.&lt;br /&gt;
:Megan: Who are you?&lt;br /&gt;
:Voice (off panel): Er, hang on. &lt;br /&gt;
:Voice (off panel): This next part might be a little weird.&lt;br /&gt;
&lt;br /&gt;
:[Beat panel, where Megan just floats in her bubble on the same background, but in a smaller panel.]&lt;br /&gt;
&lt;br /&gt;
:[A large panel where many distorted copies of Megan whirl around the original Megan in her bubble; she also bends backwards. The stars and light display in the background is more clear around her bubble, that now creates a lens effect, that even distorts the distorted Megans even more. Around her bubbles edge and the lens edge, there are three places where brown lines appear on both these edges.]&lt;br /&gt;
&lt;br /&gt;
:[All the copies have disappeared except for one who is hanging suspended outside Megan in her bubble. The new one is almost a mirror image, but not quite. The background is more dark blue, with fewer features.]&lt;br /&gt;
&lt;br /&gt;
:[The Megan copy raises her hand and speaks. There are again more stars in the background.]&lt;br /&gt;
:Megan copy: Sorry — hi, me.&lt;br /&gt;
:Megan: ...Hi.&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Choices]]&lt;br /&gt;
[[Category:Comics sharing name|Choices]]&lt;br /&gt;
[[Category:Comics featuring Megan]]&lt;br /&gt;
[[Category:Space]]&lt;br /&gt;
[[Category:Physics]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1505:_Ontological_Argument&amp;diff=215905</id>
		<title>1505: Ontological Argument</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1505:_Ontological_Argument&amp;diff=215905"/>
				<updated>2021-08-02T17:46:59Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Explanation */ fix &amp;quot;is was&amp;quot; &amp;quot;it was&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1505&lt;br /&gt;
| date      = March 30, 2015&lt;br /&gt;
| title     = Ontological Argument&lt;br /&gt;
| image     = ontological argument.png&lt;br /&gt;
| titletext = A God who holds the world record for eating the most skateboards is greater than a God who does not hold that record.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
{{w|Ontology}} is the study of {{w|being}}, {{w|reality}}, and {{w|existence}}. “The {{w|ontological argument}}” is an attempt at proving the existence of {{w|God}} through reasoning about the {{w|nature}} of “being”.&lt;br /&gt;
&lt;br /&gt;
[[Megan]]'s statement in the comic is likely a reference to what is considered the first ontological argument, that of 11th Century philosopher {{w|Anselm of Canterbury}}. His argument starts by defining God as “that than which nothing greater can be {{w|conceive}}d”. Another step in the argument is that you can conceive of such a being even if you don't believe it exists. Yet another step is the statement that a being, of which one can conceive, and which exists, is certainly greater than a being of which one can conceive and which does not exist. Implicit in the argument are two essential premises, both of which are controversial.  These are a) that the existence of such a being is possible, and b) that existence is a great-making quality.&lt;br /&gt;
&lt;br /&gt;
The comic makes fun of Anselm's ontological argument by extending to absurdity the claim that a being who exists is greater than one who does not exist, and that therefore God must exist. A God who can disprove the ontological argument must be greater than one who cannot disprove the ontological argument, therefore the ontological argument proves the existence of a God that disproves it. This argument, though a joke, carries some weight. If Anselm's argument is sound, then disproving it is impossible, and God cannot do it.  But if doing things is a great-making quality (a common assumption), then surely doing impossible things would be an even stronger great-making quality. Therefore the argument is able to be disproven, albeit only by God, which contradicts the initial premise that the argument is sound. Therefore, either doing things is not great-making, or the entire ontological argument is invalid reasoning.&lt;br /&gt;
&lt;br /&gt;
The [[title text]] carries the absurdity a step further.&lt;br /&gt;
&lt;br /&gt;
The comic also may be drawing an analogy to the {{w|omnipotence paradox}}, as it also refers to the idea that God's power would be greater if He could do the logically impossible. If [[Randall]] believes that Anselm's ontological argument is logically sound and based on true premises, then he should think it is impossible to disprove. Therefore, he references the omnipotence paradox by requiring that God do such an impossible thing in order to have maximally great power.&lt;br /&gt;
&lt;br /&gt;
A popular parody of the ontological argument is that of {{w|Richard Dawkins}}, in his best-selling book “{{w|The God Delusion}}”. His parody is a version of the argument which attempts to prove that God does not exist. It is similar in approach to this comic and to the omnipotence paradox, in that it also requires a God that can do the logically impossible. In Dawkins' version—[http://en.wikipedia.org/w/index.php?title=Ontological_argument&amp;amp;oldid=691165762#Douglas_Gasking borrowed from the Australian philosopher Douglas Gasking]—God's greatness is demonstrated by his creation of the world. A being that somehow overcomes the great handicap of not existing and goes on to create the world would certainly be greater than a being that exists and creates the world. Therefore God, who by definition is “that than which nothing greater can be conceived”, must not exist.&lt;br /&gt;
&lt;br /&gt;
Another, rather more famous parody, but which is entirely unrelated to the comic in approach, is that of {{w|Gaunilo of Marmoutiers}}, in which he argues for the existence of a maximally great island. This parody, added to the comic, seems to tell us what happened to the legendary {{w|Atlantis}}. It is worth noting that Anselm himself rebutted Gaunilo's argument, claiming that it was based on a fundamental misunderstanding of Anselm's original argument.&lt;br /&gt;
&lt;br /&gt;
Not all ontological arguments for the existence of God rely on the notion that a God that exists is greater than one that does not exist. Examples include the modal ontological argument from {{w|Alvin Plantinga}}, and {{w|Gödel's ontological proof}}. {{w|Graham Oppy}}, an authority on ontological arguments, attempts to classify [http://plato.stanford.edu/entries/ontological-arguments/ here] what exactly makes arguments ontological; he concludes that it is that they are a priori in nature. He also classifies them into eight categories: {{w|definitional}}, {{w|conceptual}}, {{w|modal}}, {{w|Meinongian}}, {{w|experiential}}, {{w|mereological}}, {{w|higher order}}, and {{w|Hegelian}}.&lt;br /&gt;
&lt;br /&gt;
This comic, in particular in the way Megan and [[Cueball]] are walking and in its reference to theology, greatly resembles the earlier comic [[1315: Questions for God]].&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Megan and Cueball are walking side-by-side.]&lt;br /&gt;
:Megan: ...but wouldn't a God who could find a flaw in the ontological argument be even '''''greater?'''''&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Comics featuring Megan]]&lt;br /&gt;
[[Category:Comics featuring Cueball]]&lt;br /&gt;
[[Category:Philosophy]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1991:_Research_Areas_by_Size_and_Countedness&amp;diff=203347</id>
		<title>1991: Research Areas by Size and Countedness</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1991:_Research_Areas_by_Size_and_Countedness&amp;diff=203347"/>
				<updated>2020-12-16T03:37:11Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Explanation */ fx typo&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1991&lt;br /&gt;
| date      = May 9, 2018&lt;br /&gt;
| title     = Research Areas by Size and Countedness&lt;br /&gt;
| image     = research_areas_by_size_and_countedness.png&lt;br /&gt;
| titletext = Mathematicians give a third answer on the vertical axis, &amp;quot;That question is poorly defined, but we have a sub-field devoted to every plausible version of it.&amp;quot;&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
This comic is a [[:Category:Scatter plots|scatter plot]] that ranks different research fields according to the precision of the knowledge of the number of the studied object (vertical axis) vs. how large (the size of) the studied object is on the horizontal axis. &lt;br /&gt;
&lt;br /&gt;
For instance, the facts pertaining to the number of United States presidents are well known (although the exact number is disputed in that Grover Cleveland is usually counted twice, because he served non-consecutive terms, so the official count exceeds the number of unique Presidents), so the study of their history is at the top of the Y-axis. This study is placed close to the Y-axis as the size of a president is about midway in size between the two extremes of the X-axis, elementary particles to the left (small) and the entire cosmos (cosmology) to the right (big). &lt;br /&gt;
&lt;br /&gt;
On the X-axis, Presidents are close to the middle. Both presidents and other larger life forms (as a research area) including extinct animals (paleontology) and exobiology are all close to the same central position just right of the Y-axis, with smaller animals like birds and insects just to the left of the Y-axis. But whereas the number of presidents is well known (aside from the dispute about Cleveland), the number of exoplanet life forms (exobiology) is completely unknown (and would likely be affected by other disputes, such as whether something the size of Pluto counts as a planet), and thus it is found at the very bottom of the Y-axis, since we have no idea whether there is life elsewhere and, if so, in how many places and how varied it is.&lt;br /&gt;
&lt;br /&gt;
The 19 research areas are listed and explained in the [[#Tables of research areas|tables]] below.&lt;br /&gt;
&lt;br /&gt;
In the title text, mathematicians may give a third answer that the concept of counting the things being studied is not reasonable, because the things are abstract or otherwise not discrete.  There are many different types of math that blend into each other, and many have turned into separate sub-disciplines based on different interpretations of fundamental rules.  As a specific example in geometry, different interpretations of how many lines you may draw parallel to another line through a given point have led to hyperbolic (infinite parallel lines) and spherical (0 parallel lines) geometric systems that are just as valid (and valuable, in some contexts) as the more commonly known Cartesian (1 parallel line) geometry.  As a specific example of the blending, number theory and set theory and topology all interrelate and it is difficult to concretely say whether many theorems belong to one branch of math or another.&lt;br /&gt;
&lt;br /&gt;
==Tables of research areas==&lt;br /&gt;
For a table with the coordinates given in percentage for each research field, see the table in the [[#Trivia|trivia]] section.&lt;br /&gt;
&lt;br /&gt;
===Upper left quadrant===&lt;br /&gt;
This is the section with the small items with count known.&lt;br /&gt;
&lt;br /&gt;
{| class = &amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Research field&lt;br /&gt;
! Size of the thing&lt;br /&gt;
! Knowledge of #&lt;br /&gt;
! Explanation&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Elementary particle physics}}&lt;br /&gt;
| The smallest subjects that we have actually detected are the {{w|elementary particles}}. In the {{w|Standard Model}} of particle physics, they are considered point masses (i.e. to have zero width). They may be made of smaller {{w|String theory|strings}} but if so these have still not been detected.&lt;br /&gt;
| We think we have a fairly good estimate of how many elementary particles there are. There could be some uncertainty though, so it is not at the very top.&lt;br /&gt;
|Elementary particle physics is concerned with the study of subatomic particles (the smallest things that we know of), of which there are 17, not including antimatter. Most notably, until recently it was uncertain whether the {{w|Higgs boson}} was one of the elementary particles, but scientists have a &amp;quot;pretty good estimate&amp;quot; because the mathematical models don't predict the existence of many other particles.&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Dentistry}}&lt;br /&gt;
|Several mm to several centimeters&lt;br /&gt;
|Most teeth are visible to the naked eye, and dentists have x-ray technology to see what's not visible, so counting them is pretty straightforward.&lt;br /&gt;
|Dentistry is the study of teeth (pretty small, both in size as well as in quantity). Human adults grow 32 teeth, which is a &amp;quot;pretty good estimate&amp;quot; since it is very rare for {{w|Hyperdontia|more than 32 teeth to grow}} and it is rather common for {{w|wisdom teeth}} to be surgically extracted or in some cases never to develop. Children may only have 20 teeth before they start falling out, but each tooth that falls out is because another tooth is growing underneath, so a child might have as many as 52 teeth, counting the child teeth that haven't fallen out yet plus the adult teeth that are starting to form.  So while a dentist will usually have a good idea how many teeth will be in a patient's mouth, they won't know for sure until they look or consult dental records.&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Shakespeare}} studies&lt;br /&gt;
|Most are the size of a typical book.  In printed form, they would be in the range of tens of centimeters in height and width and ~1 centimeter in depth.  Although, if stored in digital form, they could be much smaller than a tooth, so it seems to refer to print or handwritten originals.&lt;br /&gt;
|Generally, 36 plays are attributed to him, but between 1 and 3 additional plays are considered &amp;quot;lost&amp;quot; (i.e. at some point between being first published or performed and scholars seriously studying Shakespeare, all known copies, references, and fragments were destroyed, making it impossible to determine whether Shakespeare actually wrote them or whether they actually existed as separate plays), and {{w|Shakespeare apocrypha|some 20 more}} are believed to have been written by him, but not signed. To make matters worse, some plays that ''were'' published or performed under Shakespeare's name are believed to have been written as collaborations (not fully by him) or mis-attributed (we don't know who wrote them but everyone says it was him).&lt;br /&gt;
|Shakespeare studies is concerned with the works of William Shakespeare. &lt;br /&gt;
|-&lt;br /&gt;
|{{w|Ornithology}}&lt;br /&gt;
|Birds tend to be small, with most species able to be held comfortably in hand; even the largest known flying bird, the {{w|Condor}}, stands smaller than the average human, with a handful of non-flying avians such as the {{w|ostrich}} being larger, but still weighing less than 2-3 humans.&lt;br /&gt;
|The number of known bird species is [https://en.wikipedia.org/wiki/Bird#Diversification_of_modern_birds estimated at about 10,000], though [https://www.amnh.org/about-the-museum/press-center/new-study-doubles-the-estimate-of-bird-species-in-the-world a 2016 research result] suggested a near-doubling of this figure. As for the number of individual birds, a paper aptly titled [https://link.springer.com/article/10.1023/A:1018341530497 &amp;quot;How many birds are there?&amp;quot;] examines a number of ways of counting them; the results are &amp;quot;surprisingly consistent&amp;quot;, with counts of approximately 200-400 billion individual birds.&lt;br /&gt;
|We do have a &amp;quot;pretty good estimate&amp;quot;, to within perhaps a factor of two.&lt;br /&gt;
|-&lt;br /&gt;
|Ancient {{w|literature}}&lt;br /&gt;
|As above, with Shakespeare plays, original or print reproductions would be the size of a book, typically.  Although ancient {{w|scrolls}} may have different dimensions with similar total volume.&lt;br /&gt;
|Because of the high number of {{w|lost works}}, it is hard to have a solid estimate of the number, although rough lists have been made (e.g. {{w|Ancient literature#List of ancient texts}}).&lt;br /&gt;
|While it is fairly straightforward to look up how many books [http://www.proquest.com/products-services/Books-in-Print.html are currently in print], or how many books [https://mashable.com/2010/08/05/number-of-books-in-the-world/ all currently printed information would fit into if bound into equal-length volumes], and then limiting those estimates to those that date before a specific year, counting how many books from the period of interest haven't survived to the present day (books that were &amp;quot;{{w|lost work|lost}}&amp;quot; either by deliberate discontinuation, or accidental destruction such as in the {{w|Destruction of the Library of Alexandria|Library of Alexandria}}) is a bit more difficult. However, because we know the work existed (it is mentioned by name in some other text), we have &amp;quot;pretty good estimate&amp;quot; that the number of lost works is &amp;quot;only&amp;quot; in the tens of thousands, as is the number of surviving works.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===Upper right quadrant===&lt;br /&gt;
This is the section with the big items with count known.&lt;br /&gt;
&lt;br /&gt;
{| class = &amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Research field&lt;br /&gt;
! Size&lt;br /&gt;
! Knowledge of #&lt;br /&gt;
! Explanation&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Marine mammal|Marine}} {{w|Mammalogy|Mammology}}''[sic]''&lt;br /&gt;
|They range in size from the {{w|Marine Otter}} (about 1m) to the {{w|Blue Whale}} (up to 30m).&lt;br /&gt;
|About 125 non-extinct species.&lt;br /&gt;
|Marine mammals are the largest extant animals. The US Government [http://www.nmfs.noaa.gov/pr/species/mammals/ recognizes] 119 marine mammals. However, what constitutes each species is [https://www.marinemammalscience.org/species-information/list-marine-mammal-species-subspecies/ constantly being revised], with new studies indicating either that what used to be considered a subspecies is actually a separate species, or that what used to be considered a separate species is actually a subspecies. As the depths of the ocean are further explored, species that were outright unknown are spotted and need to be classified. However, since marine mammals breathe air and thus must surface, it's likely that all species have been observed by scientists.&lt;br /&gt;
|-&lt;br /&gt;
|{{w|List_of_Presidents_of_the_United_States|Presidential History}}&lt;br /&gt;
|All presidents are {{w|Heights of presidents and presidential candidates of the United States|human-sized}}, with the tallest being {{w|Abraham Lincoln}} at 6 ft 4 in and the shortest being {{w|James Madison}} at 5 ft 4 in.&lt;br /&gt;
|As of 2018, 45 people (only 44 are unique; Grover Cleveland is counted twice because his terms were not consecutive) have served or are serving as President of the United States.&lt;br /&gt;
|Presidents are generally considered &amp;quot;big&amp;quot; men in history. Therefore, each one is fairly well known and documented. There is, however, some discussion on how many presidents there have been in the history of the United States, since prior to the {{w|Twenty-fifth Amendment to the United States Constitution|25th amendment}}, it was unspecified whether vice presidents counted as presidents during the President's absence. Most notably, this ambiguity is the reason {{w|David Rice Atchison}}'s tombstone is inscribed with the words &amp;quot;President of the United States for one day&amp;quot; (he was not eligible and did not accept the duties even if he was). &lt;br /&gt;
|-&lt;br /&gt;
|{{w|Railway engineering}}&lt;br /&gt;
|Railways can span across countries, and therefore are fairly large.&lt;br /&gt;
|As railroads are built by humans, we know pretty well how many there are. However, small systems (parks, mines) may make this number uncertain.&lt;br /&gt;
|A railway can span anywhere from a few hundred feet, to thousands of miles, so they're pretty big. The type of a railway is generally given by its {{w|track gauge}}, which is defined as &amp;quot;standard&amp;quot; (the usual gauge for a region or country), &amp;quot;narrow&amp;quot; (rails closer together than that standard) and &amp;quot;broad&amp;quot; (rails farther apart than that standard). Since what is standard varies from country to country, and indeed from line to line, how many kinds of &amp;quot;narrow&amp;quot; gauge and &amp;quot;broad&amp;quot; gauge exist depend on who you ask. However, whereas every region has ''a'' standard gauge, &amp;quot;{{w|standard-gauge railway}}&amp;quot; has a specific meaning used by rail technicians and enthusiasts worldwide, of a track with rails 1435 mm (4 ft 8.5 in) apart. Anything narrower than that is often described as a narrow-gauge line, even if it is the standard gauge for a particular rail network.&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Geology}}&lt;br /&gt;
|The {{w|Earth}} is larger, by far, than everything else on the chart except the universe (Cosmology), Black Holes, and God (at least under some conceptions, see &amp;quot;Theology&amp;quot; below).&lt;br /&gt;
|There is only one Earth (at least if you set aside the possibility of multiverses, see below in Cosmology).&lt;br /&gt;
|Geology is generally considered the study of rocks (small rocks being considered fragments of mountain layers, so what counts as a &amp;quot;rock&amp;quot; for a geologist can be pretty big). There is no universally agreed-upon number of {{w|List of rock types|types of rock}}, but all geologists agree they can be grouped into igneous, metamorphic, and sedimentary rock. Alternatively, geology can be construed as the study of the planet Earth's composition (''geo''- meaning &amp;quot;Earth&amp;quot;), and geologists are confident that the planet Earth is big and there is only one of it.&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Cosmology}}&lt;br /&gt;
| As this encompasses (at least) all of the visible parts of the {{w|universe}} we live in, there can be no other &amp;quot;items&amp;quot; to study that would be larger.&lt;br /&gt;
| There is only one visible universe, but there could be multiverses/parallel universes, and also an infinite universe beyond the borders of our own part of this universe's event horizon. So it depends on who you ask whether there is one or an infinite number of universes to study, and thus it is placed close to the middle of the two extremes.&lt;br /&gt;
|Cosmology is the study of the universe.  There is an asterisk with the note &amp;quot;Depends on who you ask&amp;quot;, relating to the estimate of how many universes there are.  While it might seem obvious that there is only one universe, some branches of physics believe that our universe is part of a {{w|multiverse}}, and this remains an open and contested subject in the field.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===Lower left quadrant===&lt;br /&gt;
This is the section with the small items with count unknown.&lt;br /&gt;
&lt;br /&gt;
{| class = &amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Research field&lt;br /&gt;
! Size&lt;br /&gt;
! Knowledge of #&lt;br /&gt;
! Explanation&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Mycology}}&lt;br /&gt;
|microscopic to a few miles&lt;br /&gt;
|Estimated at 2.2 million to 3.8 million species (though of these only about 120,000 have been described).&lt;br /&gt;
|Mycology is the study of fungi (since fungi tend to grow flat -- except for mushrooms, which are their sexual organs, and do not exceed a foot in height (see [http://www.isciencetimes.com/articles/5740/20130729/giant-fungus-china-mushroom-world-s-largest-size.htm World's Largest mushrooms]) -- mushrooms are generally considered small). Many fungi are microscopic, but some get to be a few miles in diameter. [http://www.nationalgeographic.com.au/nature/the-worlds-largest-living-organism.aspx The World's largest living organism.]  It is a lot harder to discern which species a fungus is, and therefore classify it, so we &amp;quot;have no idea&amp;quot; how many kinds of fungi there are. Studies [https://www.ncbi.nlm.nih.gov/pubmed/21613136 vary wildly] from about 70,000 to over 5,000,000. There is a comic named after this study: [[1664: Mycology]].&lt;br /&gt;
|-&lt;br /&gt;
|[[1012: Wrong Superhero|Entymology]]&lt;br /&gt;
| For insects, from a fraction of a mm to several 100.&lt;br /&gt;
| Estimated from 1,000,000 to 3,000,000&lt;br /&gt;
|It is unclear whether [[Randall]] means {{w|entomology}} or {{w|etymology}} (probably neither; it's likely that this wasn't a mistake and it is possibly a direct reference to [[1012: Wrong Superhero]]). In either case, [https://www.ncbi.nlm.nih.gov/pubmed/28938083 estimates for insects] (entomology) vary from less than 1,000,000 to 30,000,000; and [https://www.quora.com/How-many-root-words-are-there-in-the-English-language estimates for root words] (etymology) reaching hundreds of thousands.  Entomology was mentioned in the title text of [[1610: Fire Ants]].&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Microbiology}}&lt;br /&gt;
|The {{w|Smallest organisms|smallest viruses}} are around 30nm long. The largest bacterium may reach almost 1mm [https://curiosity.com/topics/the-worlds-largest-bacterium-is-visible-to-the-naked-eye-curiosity/].&lt;br /&gt;
|120,000 to 10,000,000+.&lt;br /&gt;
|Microbiology studies microscopic (too small to see) organisms, of which some 1,400 are known and &amp;quot;estimates for the total number of microbial species vary wildly, from as low as 120,000 to tens of millions and higher&amp;quot;, according to [https://www.quora.com/How-many-root-words-are-there-in-the-English-language Nature magazine]. &lt;br /&gt;
|-&lt;br /&gt;
|{{w|Pharmacology}}&lt;br /&gt;
|{{w|Drugs}}, including {{w|medications}} and {{w|recreational drug use|illegal and recreational drugs}} are molecules which are sub-microscopic (in the range of nanometers).&lt;br /&gt;
|Although it is possible to tally all the known drugs, this is at the extreme low end of the pile because the number of possible organic compounds is nearly infinite and the fraction of those that are bioactive is completely unknown.&lt;br /&gt;
|The number of drugs (pharmaceuticals) discovered and synthesized is not tallied, according to [https://www.raps.org/regulatory-focus%E2%84%A2/news-articles/2014/10/how-many-drugs-has-fda-approved-in-its-entire-history-new-paper-explains recent studies], but an estimate can be obtained by seeing how many have passed through the {{w|Food and Drug Administration|U.S. FDA}} (1,453). Many home remedies, which might technically qualify as drugs, have not been approved because {{w|Novelty (patent)|&amp;quot;everybody knows that&amp;quot;}}, as well as many solely recreational drugs since regulation might result in outlawing. Because of this, &amp;quot;we have no idea&amp;quot; how many drugs truly exist. Since drugs are extremely powerful molecules that are only administered in choice amounts, they are generally perceived as small.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===Lower right quadrant===&lt;br /&gt;
This is the section with the big items with count unknown.&lt;br /&gt;
&lt;br /&gt;
{| class = &amp;quot;wikitable&amp;quot;&lt;br /&gt;
! Research field&lt;br /&gt;
! Size&lt;br /&gt;
! Knowledge of #&lt;br /&gt;
! Explanation&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Botany}}&lt;br /&gt;
|Plants tend to range from a few centimeters to hundreds of meters. Therefore, on average plants are about the same size as human beings.&lt;br /&gt;
|Plants estimated from 295,000 to 305,000 in total.&lt;br /&gt;
|Botany studies plants, which can reach {{w|List of superlative trees|hundreds of feet by any measure}}.  Some {{w|Pando (tree)|clonal colonies of trees}} spread for miles. However, plants tend to clump together in forests and jungles, which makes it hard to get to them and document them. Every year, thousands of new plants are discovered, with the best estimate being that there are [https://news.mongabay.com/2016/05/many-plants-world-scientists-may-now-answer/ nearly 400,000 vascular plants] and an additional [https://www.britannica.com/topic-browse/Plants/Nonvascular-Plants 12,000 non-vascular plants]. However, the rate of discovery doesn't appear to be slowing down significantly, so we truly &amp;quot;have no idea.&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Paleontology}}&lt;br /&gt;
|Paleontologists study fossils, which range in size from very small to very large.  When most people think of paleontologists though, they tend to think of them as studying large animals such as dinosaurs.&lt;br /&gt;
|Estimated at around 5 billion species.&lt;br /&gt;
|Paleontology studies fossils, particularly those of extinct animals, which can reach {{w|Largest prehistoric animals|huge sizes}}. However, since fossils form under very special circumstances, if the animal did not die under those special circumstances, there will be no record of their existence. Therefore, the number of extinct animals can never truly be known, but we've found [http://scienceblogs.com/authority/2010/01/12/how-do-we-know-that-most-of-th/ around 250,000].&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Black Hole}} {{w|Astronomy}}&lt;br /&gt;
|Compared to most astronomical objects, black holes are fairly small.  However, most of them (that we are able to detect) are still larger than the Earth, so they would still fall on the &amp;quot;big&amp;quot; end of this chart.  Alternatively, Randall may be referring to their mass, which is on the scale of stars.&lt;br /&gt;
|It has been estimated that the number of black holes in the {{w|Milky Way}} is around 100 million ([http://hubblesite.org/explore_astronomy/black_holes/encyc_mod3_q7.html]), although there is uncertainty in that estimate and the total number in the universe depends on the size of the universe (see &amp;quot;cosmology&amp;quot;, above).&lt;br /&gt;
|&amp;quot;Most stellar black holes [...] are impossible to detect. Judging from the number of stars large enough to produce such black holes, however, scientists estimate that there are as many as ten million to a billion such black holes in the Milky Way alone.&amp;quot; ([https://science.nasa.gov/astrophysics/focus-areas/black-holes NASA Black Hole information page])&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Exobiology}}&lt;br /&gt;
|The comic puts this in the size range of paleontology, which can include many sizes (see above), and also marine mammalogy, which tends to have individuals that are in the range of tens of centimeters to several tens of meters.  However, {{w|life|life as we know it}} is dominated in numbers by {{w|microbes}}, and {{w|Evolutionary history of life|life on Earth}} began {{w|Abiogenesis|microscopic}}, leading most {{w|Astrobiology|Astrobiologists}} to hypothesize that life on other planets would necessarily include microbes and [https://en.wikipedia.org/wiki/Fermi_paradox#No_other_intelligent_species_have_arisen only possibly include macroscopic life].&lt;br /&gt;
|The estimate of {{w|List of potentially habitable exoplanets|how many planets with life there are}} varies from 16 to 40,000,000,000; additionally, [https://en.wikipedia.org/wiki/Habitability_of_natural_satellites#In_the_Solar_System multiple moons] are believed to be potentially habitable for some forms of life in our own solar system. However, the number of bodies apart from Earth confirmed to have life is currently zero. Even more uncertain than the number of potentially habitable exoplanets is the {{w|Rare Earth Hypothesis|huge uncertainty}} in the likelihood of life arising on a habitable planet.&lt;br /&gt;
|Exobiology refers to the study of life outside Earth, which requires {{w|SETI|scanning the entire universe for life}}. Currently, exobiology seeks to find a planet or similar body with life (and, {{w|definition of planet|to qualify as a planet}}, bodies capable of sustaining life are big). The uncertainty about how many planets have life in the Milky Way relates to the {{w|Fermi Paradox}}. For life, of the type we know, to exist outside of the Solar system there need to be planets around other stars. Such planets are called Exoplanets, and they have been a [[:Category:Exoplanets|recurrent subject]] on xkcd.&lt;br /&gt;
|-&lt;br /&gt;
|{{w|Theology}}&lt;br /&gt;
|Presumably, any god transcends the bounds of spacetime, making this the largest.&lt;br /&gt;
|Depends on who you ask.&lt;br /&gt;
|Theology is not a strict science, but as presented here it is the field concerned with the study of one or more {{w|deity|deities}}, which are sacred supernatural beings. In particular, theologians study the question of whether {{w|theism|one or more gods exist}} {{w|atheism|or not}}, and, in the former case, whether there are {{w|polytheism|multiple gods}} or {{w|monotheism|just one}}, or indeed whether there is literally only {{w|pantheism|one god}}. Although the existence of any supernatural being(s) is unfalsifiable by any natural means, the entire human race has very strong opinions on the subject, so this field probably deserves the “depends on who you ask” disclaimer as well.  Quantitative uncertainty is also mentioned in [[900: Religions]].&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[An X-Y scatter plot of research areas, written in gray font, where both axes have arrows at both ends. At the end of each arrow is a label. Above the left part of the X-axis there is a line which goes to a text about the meaning of the X-axis. Similarly there is a line from the top of the Y-axis to a question “asked” of those who study the given subject, their answers being somewhere between the two labels on the Y-axis.]  &lt;br /&gt;
&lt;br /&gt;
:[The X-axis from left to right, text first and then labels:]&lt;br /&gt;
:Size of the thing you study&lt;br /&gt;
:Small&lt;br /&gt;
:Big&lt;br /&gt;
&lt;br /&gt;
:[The Y-axis from top to bottom, question first and then labels:]&lt;br /&gt;
:&amp;quot;That thing you study - how many of them are there?&amp;quot;&lt;br /&gt;
:&amp;quot;We have a pretty good estimate.&amp;quot;&lt;br /&gt;
:&amp;quot;We have no idea&amp;quot;&lt;br /&gt;
&lt;br /&gt;
:[The research area names are listed below, sorted into the four quadrants from top left to bottom right. In each quadrant the areas are listed leftmost first, and then top to bottom for those at the same x position.]&lt;br /&gt;
&lt;br /&gt;
:[Upper left quadrant (Small &amp;amp; count known):]&lt;br /&gt;
:Elementary particle physics &lt;br /&gt;
:Dentistry &lt;br /&gt;
:Shakespeare studies&lt;br /&gt;
:Ornithology&lt;br /&gt;
:Ancient Literature&lt;br /&gt;
&lt;br /&gt;
:[Upper right quadrant (Big &amp;amp; count known):]&lt;br /&gt;
:Presidential History 	&lt;br /&gt;
:Marine Mammology 	&lt;br /&gt;
:Railway Engineering 	&lt;br /&gt;
:Geology 	&lt;br /&gt;
:Cosmology*&lt;br /&gt;
:&amp;lt;small&amp;gt;(*Depends who you ask)&amp;lt;/small&amp;gt;&lt;br /&gt;
&lt;br /&gt;
:[Lower left quadrant (Small &amp;amp; count unknown):]&lt;br /&gt;
:Pharmacology&lt;br /&gt;
:Microbiology&lt;br /&gt;
:Entymology&lt;br /&gt;
:Mycology&lt;br /&gt;
&lt;br /&gt;
:[Lower right quadrant (Big &amp;amp; count unknown):]&lt;br /&gt;
:Botany 	&lt;br /&gt;
:Paleontology 	&lt;br /&gt;
:Exobiology 	&lt;br /&gt;
:Black Hole Astronomy 	&lt;br /&gt;
:Theology&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
Sortable table with the coordinates in percent:&lt;br /&gt;
{|class=&amp;quot;wikitable sortable&amp;quot;&lt;br /&gt;
! Research area&lt;br /&gt;
! Size (%)&lt;br /&gt;
! Estimate (%)&lt;br /&gt;
|-&lt;br /&gt;
|Elementary Particle Physics ||7 ||72&lt;br /&gt;
|-&lt;br /&gt;
|Pharmacology ||12 ||6&lt;br /&gt;
|-&lt;br /&gt;
|Microbiology ||15 ||13&lt;br /&gt;
|-&lt;br /&gt;
|Dentistry ||21 ||84&lt;br /&gt;
|-&lt;br /&gt;
|Entymology ||24 ||25&lt;br /&gt;
|-&lt;br /&gt;
|Mycology ||29 ||38&lt;br /&gt;
|-&lt;br /&gt;
|Ornithology ||34 ||62&lt;br /&gt;
|-&lt;br /&gt;
|Shakespeare Studies ||37 ||88&lt;br /&gt;
|-&lt;br /&gt;
|Ancient Literature ||38 ||53&lt;br /&gt;
|-&lt;br /&gt;
|Botany ||60 ||40&lt;br /&gt;
|-&lt;br /&gt;
|Presidential History ||62 ||89&lt;br /&gt;
|-&lt;br /&gt;
|Marine Mammology ||66 ||68&lt;br /&gt;
|-&lt;br /&gt;
|Paleontology ||68 ||31&lt;br /&gt;
|-&lt;br /&gt;
|Exobiology ||68 ||5&lt;br /&gt;
|-&lt;br /&gt;
|Railway Engineering ||79 ||81&lt;br /&gt;
|-&lt;br /&gt;
|Geology ||90 ||90&lt;br /&gt;
|-&lt;br /&gt;
|Theology ||91 ||5&lt;br /&gt;
|-&lt;br /&gt;
|Black Hole Astronomy ||92 ||26&lt;br /&gt;
|-&lt;br /&gt;
|Cosmology ||94 ||62&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Scatter plots]]&lt;br /&gt;
[[Category:Rankings]]&lt;br /&gt;
[[Category:Science]]&lt;br /&gt;
[[Category:Physics]]&lt;br /&gt;
[[Category:Astronomy]]&lt;br /&gt;
[[Category:Math]] &amp;lt;!--Title text --&amp;gt;&lt;br /&gt;
[[Category:Fiction]] &amp;lt;!--Shakespeare/Theology --&amp;gt;&lt;br /&gt;
[[Category:Religion]] &amp;lt;!--Theology --&amp;gt;&lt;br /&gt;
[[Category:Animals]] &amp;lt;!-- Several studies --&amp;gt;&lt;br /&gt;
[[Category:Exoplanets]] &amp;lt;!--Exo biology --&amp;gt;&lt;br /&gt;
[[Category:Politics]] &amp;lt;!--President --&amp;gt;&lt;br /&gt;
[[Category:Geology]]&lt;br /&gt;
[[Category: Research Papers]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=Talk:593:_Voynich_Manuscript&amp;diff=202607</id>
		<title>Talk:593: Voynich Manuscript</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=Talk:593:_Voynich_Manuscript&amp;diff=202607"/>
				<updated>2020-12-03T03:28:39Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: repair wiki link&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I feel that the title text is not well enough explained, but I don't know if it's enough to add an incomplete tag. [[Special:Contributions/108.162.254.163|108.162.254.163]] 03:37, 2 January 2014 (UTC)&lt;br /&gt;
&lt;br /&gt;
[http://www.santa-coloma.net/voynich_drebbel/voynich.html It has been proposed] that the VM is a token artifact for Francis Bacon's utopian book ''{{W|New Atlantis|New Atlantis}}''. Under this theory, it would be akin to a prop replica made in relatively recent times. --[[User:Ishldgetoutmore|I Should Get Out More]] ([[User talk:Ishldgetoutmore|talk]]) 14:43, 18 March 2014 (UTC)&lt;br /&gt;
&lt;br /&gt;
I feel like the [http://en.wikipedia.org/wiki/Codex_Seraphinianus Codex Seraphinianus] should be mentioned, but I'm not sure how it would fit in. [[User:Leafy Greens|Leafy Greens]] ([[User talk:Leafy Greens|talk]]) 17:05, 16 November 2014 (UTC)&lt;br /&gt;
&lt;br /&gt;
Alternately, Megan could be attempting to distract Cueball from his line of questioning about where she got the book, by suggesting they play a game (possibly with the book), to steer the conversation away from the difficult question of where she got it. [[Special:Contributions/162.158.75.232|162.158.75.232]] 15:59, 28 June 2017 (UTC)&lt;br /&gt;
&lt;br /&gt;
Why is Harry Potter part of this explanation? The idea of wolfsbane keeping werewolves at bay isn't anything like that new. --[[Special:Contributions/172.69.33.11|172.69.33.11]] 18:42, 27 August 2018 (UTC)&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=2342:_Exposure_Notification&amp;diff=195577</id>
		<title>2342: Exposure Notification</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=2342:_Exposure_Notification&amp;diff=195577"/>
				<updated>2020-08-05T23:05:41Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Transcript */ think of the colons&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 2342&lt;br /&gt;
| date      = August 5, 2020&lt;br /&gt;
| title     = Exposure Notification&lt;br /&gt;
| image     = exposure_notification.png&lt;br /&gt;
| titletext = I don't see why everyone is so hungry for BAD news, but fine, I'll give in to feedback and add a dark mode.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
{{incomplete|Created by a BOT THAT RECENTLY HAD CLOSE CONTACT WITH SOMEONE WHO HAS NOT TESTED POSITIVE FOR COVID. Do NOT delete this tag too soon.}}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
During the coronavirus pandemic, several apps were developed to implement [https://en.wikipedia.org/wiki/Digital_contact_tracing digital contact tracing] by using one's location along with the location of others to notify someone if they had been potentially exposed to COVID-19. In this comic, a different type of app has been developed. Instead of notifying someone if they have been exposed to COVID-19, the app produces notifications if they have '''not''' tested positive. This is much less useful: it gives the user no way to tell whether they have actually been near anyone who was infected, and instead annoys them with excessive notifications.[[File:GNOME Shell, GNOME Clocks, Evince, gThumb, GNOME Files at version 3.30 (2018-09) in Dark theme.png|thumb|right|The GNOME desktop environment in dark mode]]&lt;br /&gt;
&lt;br /&gt;
Dark mode is a common feature in apps which gives users the option of a darker user interface. The title text, however, refers to dark mode not in the sense of the color scheme but rather that receiving notifications bearing the bad news that you have been exposed to COVID-19 is &amp;quot;dark.&amp;quot; Because nobody likes his current app, Randall decides to give in and create a dark mode, which would make his app much more desirable for users.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Cueball standing, holds out his smartphone to review alerts it has received]&lt;br /&gt;
&lt;br /&gt;
:Exposure notification:&lt;br /&gt;
:1st alert 1:43PM:  Good news. You recently had close contact with someone who has not tested positive for covid.&lt;br /&gt;
:2nd alert 1:38PM:  Good news. You recently had close contact with someone who has not tested positive for covid.&lt;br /&gt;
:3rd alert 1:36PM:  Good news. You recently had close contact with someone who has not tested positive for covid.&lt;br /&gt;
:4th alert 1:31PM:  Good news. You recently had close contact with someone who has not tested positive for covid.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=Talk:2342:_Exposure_Notification&amp;diff=195574</id>
		<title>Talk:2342: Exposure Notification</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=Talk:2342:_Exposure_Notification&amp;diff=195574"/>
				<updated>2020-08-05T21:59:37Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: Me thinks thou overthinketh this a bit much&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;!--Please sign your posts with ~~~~ and don't delete this text. New comments should be added at the bottom.--&amp;gt;&lt;br /&gt;
Is it dark mode as in low light UI or dark mode as in depressing? Or both [[Special:Contributions/198.41.238.106|198.41.238.106]] 21:24, 5 August 2020 (UTC)&lt;br /&gt;
&lt;br /&gt;
I think the title text is using the term &amp;quot;dark mode&amp;quot; not in the sense of UI design but rather that COVID-19 is &amp;quot;dark&amp;quot; and if the app were to have a mode that did what other apps did and gave notifications for potential exposures (bad news) that would be a &amp;quot;dark mode.&amp;quot; I have refrained from putting this in the explanation for now as I am curious if there are other interpretations.[[User:Nk1406|Nk1406]] ([[User talk:Nk1406|talk]]) 21:27, 5 August 2020 (UTC)&lt;br /&gt;
&lt;br /&gt;
I see we were thinking the same thing. I will add it.[[User:Nk1406|Nk1406]] ([[User talk:Nk1406|talk]]) 21:27, 5 August 2020 (UTC)&lt;br /&gt;
&lt;br /&gt;
Sheesh, why dance around the point, say it loud and proud— ‘’dark humor’’ --[[User:WurmWoode|WurmWoode]] ([[User talk:WurmWoode|talk]]) 21:59, 5 August 2020 (UTC)&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=2342:_Exposure_Notification&amp;diff=195573</id>
		<title>2342: Exposure Notification</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=2342:_Exposure_Notification&amp;diff=195573"/>
				<updated>2020-08-05T21:53:22Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Transcript */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 2342&lt;br /&gt;
| date      = August 5, 2020&lt;br /&gt;
| title     = Exposure Notification&lt;br /&gt;
| image     = exposure_notification.png&lt;br /&gt;
| titletext = I don't see why everyone is so hungry for BAD news, but fine, I'll give in to feedback and add a dark mode.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
{{incomplete|Created by a BOT THAT RECENTLY HAD CLOSE CONTACT WITH SOMEONE WHO HAS NOT TESTED POSITIVE FOR COVID. Do NOT delete this tag too soon.}}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
During the coronavirus pandemic, several apps were developed to implement [https://en.wikipedia.org/wiki/Digital_contact_tracing digital contact tracing] by using one's location along with the location of others to notify someone if they had been potentially exposed to COVID-19. In this comic, a different type of app has been developed. Instead of notifying someone if they have been exposed to COVID-19, the app produces notifications if they have '''not''' tested positive. This is much less useful: it gives the user no way to tell whether they have actually been near anyone who was infected, and instead annoys them with excessive notifications.[[File:GNOME Shell, GNOME Clocks, Evince, gThumb, GNOME Files at version 3.30 (2018-09) in Dark theme.png|thumb|right|The GNOME desktop environment in dark mode]]&lt;br /&gt;
&lt;br /&gt;
Dark mode is a common feature in apps which gives users the option of a darker user interface. The title text, however, refers to dark mode not in the sense of the color scheme but rather that receiving notifications bearing the bad news that you have been exposed to COVID-19 is &amp;quot;dark.&amp;quot; Because nobody likes his current app, Randall decides to give in and create a dark mode, which would make his app much more desirable for users.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
[Cueball standing, holds out his smartphone to review alerts it has received]&lt;br /&gt;
&lt;br /&gt;
Exposure notification:&lt;br /&gt;
&lt;br /&gt;
1st alert 1:43PM:  Good news. You recently had close contact with someone who has not tested positive for covid.&lt;br /&gt;
&lt;br /&gt;
2nd alert 1:38PM:  Good news. You recently had close contact with someone who has not tested positive for covid.&lt;br /&gt;
&lt;br /&gt;
3rd alert 1:36PM:  Good news. You recently had close contact with someone who has not tested positive for covid.&lt;br /&gt;
&lt;br /&gt;
4th alert 1:31PM:  Good news. You recently had close contact with someone who has not tested positive for covid.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=555:_Two_Mirrors&amp;diff=186744</id>
		<title>555: Two Mirrors</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=555:_Two_Mirrors&amp;diff=186744"/>
				<updated>2020-01-31T02:08:16Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: Luck would have it&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 555&lt;br /&gt;
| date      = March 13, 2009&lt;br /&gt;
| title     = Two Mirrors&lt;br /&gt;
| image     = two_mirrors.png&lt;br /&gt;
| titletext = If you actually do this, what really happens is Douglas Hofstadter appears and talks to you for eight hours about strange loops.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
In folklore, {{w|Bloody Mary (folklore)|Bloody Mary}} is a legendary ghost or spirit conjured to reveal the future. She is said to appear in a mirror when her name is called multiple times (mainly 3). The Bloody Mary apparition may be benign or malevolent, depending on historic variations of the legend. The Bloody Mary appearances are mostly &amp;quot;witnessed&amp;quot; in teenage group participation games, often as part of a game of truth or dare.&lt;br /&gt;
&lt;br /&gt;
In this comic, Megan sets up two mirrors facing each other, in which she can see herself receding ad infinitum. She then says &amp;quot;Bloody Mary&amp;quot; three times (as in the folklore) before ducking, conjuring an infinite number of spirits who jump from the mirror towards each other. It's not clear if they simply collide, or pass into the opposing mirror. Megan may be attempting an experiment either in particle physics upon {{w|LHC|colliding}} {{w|mirror matter}} or bridging {{w|Mirror Universe}}s by enabling Bloody Mary’s opposing characterizations to interact with each other, or both.&lt;br /&gt;
&lt;br /&gt;
Megan is under several threats of bad luck: this escapade takes place (was published) on a {{w|Friday the 13th}}; she risks [https://www.snopes.com/fact-check/breaking-a-mirror/ breaking a mirror] and, according to myth, harm to body and soul for 7 years; and she runs the risks of blasphemy and of angering or losing control during the {{w|evocation}} of spirits, especially considering the quantity and consequent duration of such an invocation.&lt;br /&gt;
&lt;br /&gt;
{{w|Douglas Hofstadter}} (also referenced in [[917: Hofstadter]]) is the author of ''{{w|Gödel, Escher, Bach}}'' and ''{{w|I Am a Strange Loop}}''. In the former book, among many other discussions of infinite loops, he points a television camera at the screen on which its image is projected, forming an endless series of screens similar to panel 2 of this comic. In the latter book he focuses on the idea of minds being self-referential. &amp;quot;In the end, we are self-perceiving, self-inventing, locked-in mirages that are little miracles of self-reference&amp;quot;. This blends with the idea of the images of the person looking in the mirror being reflected endlessly.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Megan sets up a full mirror adjacent to a bathroom-counter mirror.]&lt;br /&gt;
&lt;br /&gt;
:[Megan looks through the bathroom counter mirror to see the infinite reflections.]&lt;br /&gt;
&lt;br /&gt;
:Megan: Bloody Mary, Bloody Mary, Bloody Mary.&lt;br /&gt;
&lt;br /&gt;
:[Megan ducks as the infinite Bloody Marys pop out between the two mirrors above her head.]&lt;br /&gt;
:''RAAGHHHHH''&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Comics featuring Megan]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=555:_Two_Mirrors&amp;diff=186743</id>
		<title>555: Two Mirrors</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=555:_Two_Mirrors&amp;diff=186743"/>
				<updated>2020-01-31T01:28:14Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Explanation */   {{w|Mirror, Mirror (Star Trek: The Original Series)|Mirror, Mirror}}&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 555&lt;br /&gt;
| date      = March 13, 2009&lt;br /&gt;
| title     = Two Mirrors&lt;br /&gt;
| image     = two_mirrors.png&lt;br /&gt;
| titletext = If you actually do this, what really happens is Douglas Hofstadter appears and talks to you for eight hours about strange loops.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
In folklore, {{w|Bloody Mary (folklore)|Bloody Mary}} is a legendary ghost or spirit conjured to reveal the future. She is said to appear in a mirror when her name is called multiple times (mainly 3). The Bloody Mary apparition may be benign or malevolent, depending on historic variations of the legend. The Bloody Mary appearances are mostly &amp;quot;witnessed&amp;quot; in teenage group participation games, often as part of a game of truth or dare.&lt;br /&gt;
&lt;br /&gt;
In this comic, Megan sets up two mirrors facing each other, in which she can see herself receding ad infinitum. She then says &amp;quot;Bloody Mary&amp;quot; three times (as in the folklore) before ducking, conjuring an infinite number of spirits who jump from the mirror towards each other. It's not clear if they simply collide, or pass into the opposing mirror. Megan may be attempting an experiment either in particle physics upon {{w|LHC|colliding}} {{w|mirror matter}} or bridging {{w|Mirror Universe}}s by enabling Bloody Mary’s opposing characterizations to interact with each other, or both.&lt;br /&gt;
&lt;br /&gt;
{{w|Douglas Hofstadter}} (also referenced in [[917: Hofstadter]]) is the author of ''{{w|Gödel, Escher, Bach}}'' and ''{{w|I Am a Strange Loop}}''. In the former book, among many other discussions of infinite loops, he points a television camera at the screen on which its image is projected, forming an endless series of screens similar to panel 2 of this comic. In the latter book he focuses on the idea of minds being self-referential. &amp;quot;In the end, we are self-perceiving, self-inventing, locked-in mirages that are little miracles of self-reference&amp;quot;. This blends with the idea of the images of the person looking in the mirror being reflected endlessly.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Megan sets up a full mirror adjacent to a bathroom-counter mirror.]&lt;br /&gt;
&lt;br /&gt;
:[Megan looks through the bathroom counter mirror to see the infinite reflections.]&lt;br /&gt;
&lt;br /&gt;
:Megan: Bloody Mary, Bloody Mary, Bloody Mary.&lt;br /&gt;
&lt;br /&gt;
:[Megan ducks as the infinite Bloody Marys pop out between the two mirrors above her head.]&lt;br /&gt;
:''RAAGHHHHH''&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Comics featuring Megan]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1493:_Meeting&amp;diff=186740</id>
		<title>1493: Meeting</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1493:_Meeting&amp;diff=186740"/>
				<updated>2020-01-31T00:18:03Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: Chairs and bugs&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1493&lt;br /&gt;
| date      = March 2, 2015&lt;br /&gt;
| title     = Meeting&lt;br /&gt;
| image     = meeting.png&lt;br /&gt;
| titletext = Here at CompanyName.website, our three main strengths are our web-facing chairs, our huge collection of white papers, and the fact that we physically cannot die.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
[[Beret Guy]]'s business, as previously seen in [[1032: Networking]] and [[1293: Job Interview]], is going well, although it is unclear why. The common theme in these three comics is that Beret Guy misuses common business cliches. The following are examples and phrases that [[Randall]] is likely making a joke about:&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;If you're reading this, the web server was installed correctly.™&amp;quot; When a web server is installed automatically (like Apache through a package manager), it typically comes with a minimal configuration meant to deliver a single page saying all is working fine. Usually, a company will then configure the web server to provide actual meaningful content. It appears that in this case Beret Guy's company kept the page as is, but also trademarked the sentence as the company's motto, and proudly displays it under the company logo.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;CompanyName.website&amp;quot;: Companies are usually given descriptive or evocative names; Beret Guy's company, meanwhile, has been given a generic placeholder name that explains nothing about the company or website except that it is a company with a website. Currently, almost every middle-sized company runs a website, so it doesn't mean Beret Guy's company is in the information technology business (but many elements are specifically parodying Google). “Companyname.website” links to xkcd.com.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Welcome to a meeting!&amp;quot; The usual way to start a meeting is to welcome the participants by telling them in which meeting they are (e.g. &amp;quot;Welcome to the meeting on...&amp;quot;). Here, the complete lack of specifics in this sentence is an indication that the meeting has, in fact, no purpose at all, except to be just &amp;quot;A meeting&amp;quot;. It could also mean that Beret Guy does not know the proper way to welcome people to a meeting.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;I'm almost out of words so I'll keep this short.&amp;quot; A common theme in the busy world of business is lack of time, so &amp;quot;I'm almost out of time&amp;quot; would be a valid reason for keeping a meeting short, rather than a finite quantity of words. Aside from the fiction movie {{w|A Thousand Words (film)|A Thousand Words}} or people taking a {{w|Vow of Silence}}, people usually don't have a particular quota on the number of words they have or can use. Beret Guy also seems to run out of words in the title text of [[1560: Bubblegum]].&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Just wanna touch bases.&amp;quot; Often business professionals will contact a customer to &amp;quot;touch base,&amp;quot; meaning to check in for a status update. The use of the plural &amp;quot;bases&amp;quot; suggests Beret Guy does not know what this means. This could also be a word play on the expression &amp;quot;Cover some bases&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Self-driving car project&amp;quot; Google has been working on {{w|self-driving cars}}, which usually shouldn't be lost track of and found by the police. The fact that it was launched &amp;quot;by accident&amp;quot; is concerning. It could mean the car was turned on by mistake and then left unattended, or perhaps that a driver of one of their cars fell asleep or otherwise stopped controlling the vehicle, but it is not clear because the accidental launch may refer to the project itself rather than the car. The involvement of the police may imply that the car crashed or otherwise obstructed traffic. That said, 90 miles before crashing is a good result for a self-driving car, especially when you didn't even know you built a self-driving car. What's especially ironic is the implication that the employees were carpooling (sharing a single vehicle for their commute, for reasons of efficiency/economy) in the self-driving car, and yet this carpool activity ended with the car setting off with nobody in it at all. This type of car was the topic of the later comic [[1559: Driving]], maybe misusing one of Beret Guy's cars. Self-driving cars are a [[:Category: Self-driving cars|recurring topic]] on xkcd.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Sales, any luck figuring out who our customers are?&amp;quot; In the real world, when companies want to find out &amp;quot;who [their] customers are&amp;quot;, they are talking about learning more about their existing customers (e.g. age groups, interests, genders) in order to more closely match these customers' needs, and to discover ways to attract more of them. Here, Beret Guy and [[Ponytail]] apparently use the phrase literally - they have no records of making any sales. A normal enterprise struggles to sell its products/services in order to get money. Getting cash from an unknown source would lead to serious troubles - failure to comply with tax code, suspicion of money laundering - but overall, most enterprises suffer the opposite problem: they try as hard as they can but don't get enough cash to be profitable (despite keeping precise information about where cash comes from). Note that the accidental launching of a project would suggest a theme: large cash infusions for unknown or {{w|Money laundering|unscrupulous}} reasons could imply anonymous {{w|Venture capital|VC}} investors, perhaps amateurs or acting in an overheated market.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;{{w|Bug tracker}}&amp;quot; usually refers to systems for tracking discovery, analysis, and fixing of software bugs (errors and problems), not the physical location of insects.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Web-facing&amp;quot; (title text) usually refers to software or a server that is connected to the internet using a web interface. However, in this case, the term is applied to chairs (likely meaning that they are either materially {{w|Webbing#Furniture|web-plaited}} or placed in front of a computer with internet browsing capability, or both).&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;White papers&amp;quot; (title text) are usually policy recommendations, but here Beret Guy is likely talking about actual (near-worthless) blank white pieces of paper.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Main strengths&amp;quot; (title text) typically refer to one's skills, but &amp;quot;we physically cannot die&amp;quot; may refer to the fact that incorporated companies are in a sense anthropomorphized — they're legally treated as &amp;quot;persons&amp;quot;, with the ability to sue and be sued in civil courts; or, just as likely, that Beret Guy and his employees are literally immortal, in which case that would indeed be a great asset which could be used in a variety of ways, from things like making an unstoppable army (though they could still be captured or incapacitated) to investing for a long long time.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Beret Guy is shown in silhouette. Above Beret Guy there is a black sign with white (and grey) text. Above this is his address to those in the meeting:]&lt;br /&gt;
:Beret Guy: Welcome to a meeting! I'm almost out of words, so I'll keep this short. Just wanna touch bases.&lt;br /&gt;
:[White text in the black sign (''.website'' in grey):]&lt;br /&gt;
:CompanyName.website&lt;br /&gt;
:''If you're reading this, the web''&lt;br /&gt;
:''server was installed correctly.™''&lt;br /&gt;
&lt;br /&gt;
:[Beret Guy stands in front of an office chair and a table talking.]&lt;br /&gt;
:Beret Guy: First, a few updates. We've learned from the state police that the self-driving car project we launched by accident during this morning's carpool has come to an end about 90 miles outside of town. Very exciting!&lt;br /&gt;
&lt;br /&gt;
:[Ponytail sits at the table.]&lt;br /&gt;
:Beret Guy [off-panel]: Profits are up. Sales, any luck figuring out who our customers are?&lt;br /&gt;
:Ponytail: Nope. Money keeps appearing, but we have no idea how or why.&lt;br /&gt;
:Beret Guy [off-panel]: Great!&lt;br /&gt;
&lt;br /&gt;
:[Back to the situation from frame two.]&lt;br /&gt;
:Beret Guy: Oh, and one last thing—I saw a cool red beetle in the hall. Can someone add it to the bug tracker?&lt;br /&gt;
:[person off-panel]: Just did!&lt;br /&gt;
:Beret Guy: Thanks!&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
*&amp;quot;CompanyName.website&amp;quot; is actually a domain name that was registered on 2014-11-20 and [http://companyname.website which redirects to xkcd.com]. Presumably, it is owned by Randall, for the same reason as in [[305]].&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Comics featuring Beret Guy]]&lt;br /&gt;
[[Category:Comics featuring Ponytail]]&lt;br /&gt;
[[Category:Beret Guy's Business]]&lt;br /&gt;
[[Category:Self-driving cars]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1493:_Meeting&amp;diff=186739</id>
		<title>1493: Meeting</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1493:_Meeting&amp;diff=186739"/>
				<updated>2020-01-30T23:53:46Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Explanation */ is there a theme&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1493&lt;br /&gt;
| date      = March 2, 2015&lt;br /&gt;
| title     = Meeting&lt;br /&gt;
| image     = meeting.png&lt;br /&gt;
| titletext = Here at CompanyName.website, our three main strengths are our web-facing chairs, our huge collection of white papers, and the fact that we physically cannot die.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
[[Beret Guy]]'s business, as previously seen in [[1032: Networking]] and [[1293: Job Interview]], is going well, although it is unclear why. The common theme in these three comics is that Beret Guy misuses common business cliches. The following are examples and phrases that [[Randall]] is likely making a joke about:&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;If you're reading this, the web server was installed correctly.™&amp;quot; When a web server is installed automatically (like Apache through a package manager), it typically comes with a minimal configuration meant to deliver a single page saying all is working fine. Usually, a company will then configure the web server to provide actual meaningful content. It appears that in this case Beret Guy's company kept the page as is, but also trademarked the sentence as the company's motto, and proudly displays it under the company logo.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;CompanyName.website&amp;quot;: Companies are usually given descriptive or evocative names; Beret Guy's company, meanwhile, has been given a generic placeholder name that explains nothing about the company or website except that it is a company with a website. Currently, almost every middle-sized company runs a website, so it doesn't mean Beret Guy's company is in the information technology business (but many elements are specifically parodying Google). “Companyname.website” links to xkcd.com.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Welcome to a meeting!&amp;quot; The usual way to start a meeting is to welcome the participants by telling them in which meeting they are (e.g. &amp;quot;Welcome to the meeting on...&amp;quot;). Here, the complete lack of specifics in this sentence is an indication that the meeting has, in fact, no purpose at all, except to be just &amp;quot;A meeting&amp;quot;. It could also mean that Beret Guy does not know the proper way to welcome people to a meeting.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;I'm almost out of words so I'll keep this short.&amp;quot; A common theme in the busy world of business is lack of time, so &amp;quot;I'm almost out of time&amp;quot; would be a valid reason for keeping a meeting short, rather than a finite quantity of words. Aside from the fiction movie {{w|A Thousand Words (film)|A Thousand Words}} or people taking a {{w|Vow of Silence}}, people usually don't have a particular quota on the number of words they have or can use. Beret Guy also seems to run out of words in the title text of [[1560: Bubblegum]].&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Just wanna touch bases.&amp;quot; Often business professionals will contact a customer to &amp;quot;touch base,&amp;quot; meaning to check in for a status update. The use of the plural &amp;quot;bases&amp;quot; suggests Beret Guy does not know what this means. This could also be a word play on the expression &amp;quot;Cover some bases&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Self-driving car project&amp;quot; Google has been working on {{w|self-driving cars}}, which usually shouldn't be lost track of and found by the police. The fact that it was launched &amp;quot;by accident&amp;quot; is concerning. It could mean the car was turned on by mistake and then left unattended, or perhaps that a driver of one of their cars fell asleep or otherwise stopped controlling the vehicle, but it is not clear because the accidental launch may refer to the project itself rather than the car. The involvement of the police may imply that the car crashed or otherwise obstructed traffic. That said, 90 miles before crashing is a good result for a self-driving car, especially when you didn't even know you built a self-driving car. What's especially ironic is the implication that the employees were carpooling (sharing a single vehicle for their commute, for reasons of efficiency/economy) in the self-driving car, and yet this carpool activity ended with the car setting off with nobody in it at all. This type of car was the topic of the later comic [[1559: Driving]], maybe misusing one of Beret Guy's cars. Self-driving cars are a [[:Category: Self-driving cars|recurring topic]] on xkcd.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Sales, any luck figuring out who our customers are?&amp;quot; In the real world, when companies want to find out &amp;quot;who [their] customers are&amp;quot;, they are talking about learning more about their existing customers (e.g. age groups, interests, genders) in order to more closely match these customers' needs, and to discover ways to attract more of them. Here, Beret Guy and [[Ponytail]] apparently use the phrase literally - they have no records of making any sales. A normal enterprise struggles to sell its products/services in order to get money. Getting cash from an unknown source would lead to serious troubles - failure to comply with tax code, suspicion of money laundering - but overall, most enterprises suffer the opposite problem: they try as hard as they can but don't get enough cash to be profitable (despite keeping precise information about where cash comes from). Note that the accidental launching of a project would suggest a theme: large cash infusions for unknown or {{w|Money laundering|unscrupulous}} reasons could imply anonymous {{w|Venture capital|VC}} investors, perhaps amateurs or in an overheated market.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Bug tracker&amp;quot; usually refers to systems for tracking discovery, analysis, and fixing of software bugs (errors and problems), not the physical location of insects.{{Citation needed}}&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Web-facing&amp;quot; (title text) usually refers to software or a server that is connected to the internet using a web interface. However, in this case, the term is applied to chairs (likely meaning they are placed in front of a computer with internet browsing capability).&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;White papers&amp;quot; (title text) are usually policy recommendations, but here Beret Guy is likely talking about actual (near-worthless) blank white pieces of paper.&lt;br /&gt;
&lt;br /&gt;
*&amp;quot;Main strengths&amp;quot; (title text) typically refer to one's skills, but &amp;quot;we physically cannot die&amp;quot; may refer to the fact that incorporated companies are in a sense anthropomorphized — they're legally treated as &amp;quot;persons&amp;quot;, with the ability to sue and be sued in civil courts; or, just as likely, that Beret Guy and his employees are literally immortal, in which case that would indeed be a great asset which could be used in a variety of ways, from things like making an unstoppable army (though they could still be captured or incapacitated) to investing for a long long time.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Beret Guy is shown in silhouette. Above Beret Guy there is a black sign with white (and grey) text. Above this is his address to those in the meeting:]&lt;br /&gt;
:Beret Guy: Welcome to a meeting! I'm almost out of words, so I'll keep this short. Just wanna touch bases.&lt;br /&gt;
:[White text in the black sign (''.website'' in grey):]&lt;br /&gt;
:CompanyName.website&lt;br /&gt;
:''If you're reading this, the web''&lt;br /&gt;
:''server was installed correctly.™''&lt;br /&gt;
&lt;br /&gt;
:[Beret Guy stands in front of an office chair and a table talking.]&lt;br /&gt;
:Beret Guy: First, a few updates. We've learned from the state police that the self-driving car project we launched by accident during this morning's carpool has come to an end about 90 miles outside of town. Very exciting!&lt;br /&gt;
&lt;br /&gt;
:[Ponytail sits at the table.]&lt;br /&gt;
:Beret Guy [off-panel]: Profits are up. Sales, any luck figuring out who our customers are?&lt;br /&gt;
:Ponytail: Nope. Money keeps appearing, but we have no idea how or why.&lt;br /&gt;
:Beret Guy [off-panel]: Great!&lt;br /&gt;
&lt;br /&gt;
:[Back to the situation from frame two.]&lt;br /&gt;
:Beret Guy: Oh, and one last thing—I saw a cool red beetle in the hall. Can someone add it to the bug tracker?&lt;br /&gt;
:[person off-panel]: Just did!&lt;br /&gt;
:Beret Guy: Thanks!&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
*&amp;quot;CompanyName.website&amp;quot; is actually a domain name that was registered on 2014-11-20 and [http://companyname.website which redirects to xkcd.com]. Presumably, it is owned by Randall, for the same reason as in [[305]].&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Comics featuring Beret Guy]]&lt;br /&gt;
[[Category:Comics featuring Ponytail]]&lt;br /&gt;
[[Category:Beret Guy's Business]]&lt;br /&gt;
[[Category:Self-driving cars]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=Talk:2191:_Conference_Question&amp;diff=186737</id>
		<title>Talk:2191: Conference Question</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=Talk:2191:_Conference_Question&amp;diff=186737"/>
				<updated>2020-01-30T23:10:08Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: Syntax o’r grammar?&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;!--Please sign your posts with ~~~~ and don't delete this text. New comments should be added at the bottom.--&amp;gt;&lt;br /&gt;
&lt;br /&gt;
I don't know to what &amp;quot;Word of Power&amp;quot; in the title text refers. A quick Google revealed something from Skyrim and something from D&amp;amp;D, but I have the feeling there must surely be a more original source for it, even if it is just a common term in folklore or something. [[User:Pureawes0me|Pureawes0me]] ([[User talk:Pureawes0me|talk]]) 07:45, 19 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
: I think it means &amp;quot;magic word&amp;quot;.  The next step, &amp;quot;Unforgivable Curse&amp;quot;, is from Harry Potter; a magic spell against someone that will get you jail time.  (C. S. Lewis had an apocalyptic option, the &amp;quot;{{w|Deplorable Word}}&amp;quot;, which killed every living person except the speaker)  So Harry Potter's schoolteacher demonstrates the Unforgivables on spiders... and on students.  (You find out why.)  Also I think the title text is the platform speaker's response to Beret Guy.  rja.carnegie@gmail.com [[Special:Contributions/162.158.158.183|162.158.158.183]] 09:12, 19 August 2019 (UTC) [[User:WhiteDragon|WhiteDragon]] ([[User talk:WhiteDragon|talk]]) 13:51, 19 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
:: Yeah, I understand the &amp;quot;Unforgivable Curse&amp;quot; part - it's more &amp;quot;Word of Power&amp;quot; I'm struggling with. I agree that the title text could potentially be a response by the speaker, and I've updated the page to reflect this. [[User:Pureawes0me|Pureawes0me]] ([[User talk:Pureawes0me|talk]]) 10:20, 19 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
::: It's from tabletop roleplaying games; [https://dungeonsdragons.fandom.com/wiki/Power_word some of the earliest high level spells from the original edition of Dungeons and Dragons were &amp;quot;Power Word Kill,&amp;quot; &amp;quot;Power Word Blind,&amp;quot; and &amp;quot;Power Word Stun.&amp;quot;] These spells have been carried forward into newer editions where they are extremely unpopular because they were designed for campaigns when most monsters had a tiny fraction of the number of hit points typical today, and unlike essentially all of the fifth edition spells, they don't do anything when they don't work, and they don't work based on facts which are theoretically unknowable to the players. So, they kind of have a reputation for being the worst high level spells, and are sometimes included in magic items which turn out to be, well, like fruitcake, if you know what I mean. [[Special:Contributions/172.69.22.134|172.69.22.134]] 11:36, 19 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
:::: Re-reading, incantation already is a magic spell, probably.  In current use, malediction can be either speaking against someone or something, or its original meaning of actual malicious verbal magic.  So I suppose Word of Power has to be more than a magic word...  I found a couple of references in the world of H. P. Lovecraft but those I traced were 1970s or later, actually after D-and-D.  So, not definite.  rja.carnegie@gmail.com [[Special:Contributions/162.158.158.209|162.158.158.209]] 00:14, 20 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
::Note that Unforgivable Curse will not get you just &amp;quot;little jail time&amp;quot;. It gets you life sentence in Azkaban. -- [[User:Hkmaly|Hkmaly]] ([[User talk:Hkmaly|talk]]) 22:41, 20 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
One thing I feel needs to be said is that this behavior shows a lack of linguistic skill, because any statement can always be phrased in the form of a question, e.g, most easily, &amp;quot;Do you agree that _______?&amp;quot; Or by asking about the details of the comment in which the commenter is most interested in emphasizing or soliciting a response. That this kind of thing happens among advanced academics shows how narcissistic and tone-deaf even otherwise intelligent people can often be. [[Special:Contributions/162.158.255.34|162.158.255.34]] 12:20, 19 August 2019 (UTC)&lt;br /&gt;
:Similar to how the comic ends in a question? I think your statement is part of the joke. Less of a statement, and more of an utterance. [[User:OhFFS|OhFFS]] ([[User talk:OhFFS|talk]]) 14:28, 19 August 2019 (UTC)&lt;br /&gt;
::Do you agree it could be more of a noun phrase and a verb phrase, or perhaps merely a subject and a predicate? [[Special:Contributions/162.158.255.34|162.158.255.34]] 00:15, 20 August 2019 (UTC)&lt;br /&gt;
:::And whereof is the object therein?  [[User:WurmWoode|WurmWoode]] ([[User talk:WurmWoode|talk]]) 23:10, 30 January 2020 (UTC)&lt;br /&gt;
&lt;br /&gt;
There is a Russian Folk Tale, among those collected by Afanasyev, called &amp;quot;Go I don't know where, Bring back I don't know what&amp;quot;. In that story, the archer Andrey is given several impossible tasks by a tsar who covets his beautiful wife, the last of which is to go to I don't know where and bring back I don't know what.  After journeying a vast distance and meeting his mother in law Baba Yaga, he is guided by an ancient frog across a river of fire, and is told &amp;quot;Over there you will find a house. Well, not so much a house as a hut.  And it is not so much of a hut as a barn.&amp;quot;  This is I don't know where. So Beret Guy's intro to his statement may be a reference to this formulaic format. {{unsigned ip|172.68.174.22}}&lt;br /&gt;
: ...his mother in law is Baba Yaga?  Did he know that?  Does the tsar know that?  Does it change matters tsar-and-beautiful-wife-wise...  (Is this story in English at all, I don't know where...)  Wikipedia knows several Baba Yaga stories (some with three Baba Yagas who don't live together, unless this is a complicated alibi) but none match this.  rja.carnegie@gmail.com [[Special:Contributions/162.158.158.209|162.158.158.209]] 00:14, 20 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
I think the Unforgivable Curse line in the title text is meant to reference the scene in HP&amp;amp;tGoF when Barty Crouch, posing as Professor Moody, demonstrates their use on spiders to the fourth years in Defense Against the Dark Arts. The curse, be it an annoyed audience member or the speaker, is to be cast on the friendly bug. [[Special:Contributions/108.162.238.83|108.162.238.83]] 21:04, 19 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
I don't think Beret Guy is trying to say that he and the speaker are friends in his last line, I'm pretty sure he's saying that he's friends with the bug he found. {{unsigned ip|108.162.210.220}}&lt;br /&gt;
:^^^ Agreed.  The &amp;quot;we&amp;quot; in &amp;quot;now we're friends&amp;quot; means Beret Guy and the bug, not Beret Guy and the speaker.  It is, after all, a friendly bug. {{unsigned|Divgradcurl}}&lt;br /&gt;
::I also now agree, and I wrote the original wording.  Thanks for fixing it, whoever fixed it.  Oh, and remember to sign your comments with the four ~ thingies. [[User:N0lqu|-boB]] ([[User talk:N0lqu|talk]]) 13:07, 20 August 2019 (UTC)&lt;br /&gt;
:::I would like to meet the bug. I wonder whether Randall has ever introduced people to bugs he found. [[Special:Contributions/162.158.146.166|162.158.146.166]] 04:44, 21 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
I have created a [[:Category:Harry Potter]] and found almost 20 comics to go there. And also a few that could have gone there, but where it was uncertain that Harry was the reference. --[[User:Kynde|Kynde]] ([[User talk:Kynde|talk]]) 13:44, 20 August 2019 (UTC)&lt;br /&gt;
&lt;br /&gt;
I believe the reference to &amp;quot;It might be the person simply blowing.&amp;quot; is technically inaccurate. The movement of air (i.e. breeze/wind or someone exhaling air/blowing) is not the same phenomenon as a sound pressure wave propagating through air. [[Special:Contributions/162.158.158.149|162.158.158.149]] 13:09, 22 August 2019 (UTC)&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=2191:_Conference_Question&amp;diff=186736</id>
		<title>2191: Conference Question</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=2191:_Conference_Question&amp;diff=186736"/>
				<updated>2020-01-30T22:57:47Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Explanation */ clarify&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 2191&lt;br /&gt;
| date      = August 19, 2019&lt;br /&gt;
| title     = Conference Question&lt;br /&gt;
| image     = conference_question.png&lt;br /&gt;
| titletext = I also have an utterance. Less of an utterance and more of an incantation. Less of an incantation and more of a malediction. Less of a malediction and more of a Word of Power. Less of a Word of Power and more of an Unforgivable Curse.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
Usually at a conference or other event involving a speaker addressing a crowd, members of the crowd are given the chance to ask questions. This is intended so that people can perhaps ask the speaker to elaborate on a point they've made, or to ask the speaker's opinion on a topic related to their talk.  &lt;br /&gt;
&lt;br /&gt;
Occasionally, people at such an event will use (or, rather, abuse) the opportunity to ask a question to instead provide their own (unsolicited) opinion or statement. Such statements are often preceded with something along the lines of &amp;quot;I have a question. Well, less of a question and more of a comment.&amp;quot; This formulation in particular has attracted [https://jamesmendezhodes.com/blog/2019/4/30/less-of-a-question-more-of-a-comment a lot of criticism] for not adding anything to the discussion and for pulling focus away from the speaker.&lt;br /&gt;
&lt;br /&gt;
In the comic, this idea is taken to an extreme, with [[Beret Guy]] not only transforming the opportunity to ask a question into an opportunity to make a statement through successive rephrasing, but also turning this into an opportunity to show off a bug he has found. This is accomplished by using a multitude of synonyms in a ''continuum'' of relatable word pairs, except near the last: &amp;quot;question&amp;quot; and &amp;quot;comment&amp;quot; are similar, as are &amp;quot;comment&amp;quot; and &amp;quot;utterance&amp;quot;, but the difference between the extremes, the first and the last in the entire set (in this case &amp;quot;question&amp;quot; and &amp;quot;friendly bug&amp;quot;), is profound. In a way, this segue is meant to be similar to how, in the lines of a color spectrum, red fades into yellow: gradually, and with no abrupt transitions in color ({{w|YMMV}}: {{w|Color Graphics Adapter|CGA}} versus {{w|4K resolution|4K}}).&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
:'''Question.'''  A {{w|question}} is what the crowd member is expected to provide, such that the speaker or a panel member could provide a related answer.&lt;br /&gt;
&lt;br /&gt;
:'''Comment.'''  A {{w|Topic and comment|comment}} by a crowd member is when they just say something they believe, without expecting an answer, giving the speaker or panel members nothing to do. This may be seen as annoying by everyone else, as the crowd did not come to hear the opinion of other crowd members. But answers to relevant questions would be interesting to the crowd and the panel.&lt;br /&gt;
&lt;br /&gt;
:'''Utterance.'''  An {{w|utterance}} is just making a noise, which may or may not be actual words, or if actual words it may not be a complete sentence.&lt;br /&gt;
&lt;br /&gt;
:'''Air Pressure Wave.'''  {{w|Sounds}} are literally pressure waves in the air.  So this could be a simple sound, or not a sound at all depending on the severity of the wave.  It might be the person simply blowing.&lt;br /&gt;
&lt;br /&gt;
:'''Friendly Hand Wave.'''  Now instead of using his mouth to generate an air pressure wave, he's producing it with his hand, in a manner intended to be interpreted as &amp;quot;friendly&amp;quot;.  Many times hand waves are done in a friendly manner, designed more for the visual appeal than the amount of air pressure waves they generate.&lt;br /&gt;
&lt;br /&gt;
:'''Friendly Bug.'''  Now he is no longer doing anything himself, except to point out the fact that he has found a bug or {{w|insect}}, which he {{w|anthropomorphizes}} as being friendly.&lt;br /&gt;
&lt;br /&gt;
:'''Want to meet it?'''  He has decided that he and the friendly bug are actual friends, and ironically comes full circle by finally asking a question, though presumably whether the speaker wants to meet a bug is not related to the topic of the speaker's talk.&lt;br /&gt;
&lt;br /&gt;
The title text takes the opposite route of Beret Guy, and each step instead refers to successively worse forms of magic spells which would, presumably, have a negative effect upon the listener. Starting from a mere utterance and then using Beret Guy's &amp;quot;it is less than&amp;quot; scheme, it progresses over worse and worse curses, ending with an unforgivable curse!&lt;br /&gt;
&lt;br /&gt;
:'''Utterance.''' It begins with utterance which was also used by Beret Guy. See above.&lt;br /&gt;
&lt;br /&gt;
:'''Incantation.''' {{w|Incantation}}, or a spell, is a magical formula intended to trigger a magical effect on a person or objects. It is not necessarily with evil intent.&lt;br /&gt;
&lt;br /&gt;
:'''Malediction.''' A malediction is another word for {{w|curse}} (the prefix &amp;quot;mal&amp;quot; being a Latin root meaning &amp;quot;evil&amp;quot;). This is always with evil intent.&lt;br /&gt;
&lt;br /&gt;
:'''Word of Power.''' &amp;quot;Word of Power&amp;quot; could refer to the dragonish form of magic in ''{{w|The Elder Scrolls V: Skyrim}},'' or the [https://dungeonsdragons.fandom.com/wiki/Power_word early 1st edition Dungeons &amp;amp; Dragons high level spells]. &lt;br /&gt;
&lt;br /&gt;
:'''Unforgivable Curse.''' The term &amp;quot;{{w|Magic_in_Harry_Potter#Unforgivable_Curses|Unforgivable Curse}}&amp;quot; refers to a set of three spells from the {{w|Harry Potter}} series, said to be so evil that their use on another person is unforgivable and illegal. The three spells are able to mind control (''Imperius''), torture (''Cruciatus''), and kill (''Avada Kedavra'') their target. It is unclear which spell is implied, though if it was accurate to call it a singular word of power, it is unlikely to be the killing curse.&lt;br /&gt;
&lt;br /&gt;
The title text can be interpreted as a reply by [[Hairy]] (the speaker) to Beret Guy, indicating his annoyance at the topic being derailed. It could also be representative of [[Randall|Randall's]] feelings towards those who abuse the opportunity to ask a question in order to make a statement.  Randall has recently done some book tours and was at {{w|San Diego Comic-Con}} [https://blog.xkcd.com/2019/07/15/san-diego-comic-con/ last month] where he served on various panels, so he probably has had personal first-hand experience with these kinds of circuitous non-questions.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[Hairy stands on a podium having just addressed a crowd of seated people. Beret Guy stands in the middle of the crowd, addressing Hairy. One of Beret Guy's hands is raised at chest height. The front row consists of Cueball, Ponytail, another Hairy, Megan, Hairbun, Danish and another Cueball.]&lt;br /&gt;
&lt;br /&gt;
:Beret Guy: I have a question.&lt;br /&gt;
:Beret Guy: Well, less of a question and more of a comment.&lt;br /&gt;
:Beret Guy: I guess it's less of a comment and more of an utterance.&lt;br /&gt;
:Beret Guy: Really it's less an utterance more an air pressure wave.&lt;br /&gt;
:Beret Guy: It's less an air pressure wave and more a friendly hand wave.&lt;br /&gt;
:Beret Guy: I guess it's less a friendly wave than it is a friendly bug.&lt;br /&gt;
:Beret Guy: I found this bug and now we're friends. Do you want to meet it?&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics featuring Hairy]]&lt;br /&gt;
[[Category:Comics featuring Beret Guy]]&lt;br /&gt;
[[Category:Comics featuring Cueball]]&lt;br /&gt;
[[Category:Comics featuring Ponytail]]&lt;br /&gt;
[[Category:Comics featuring Hairbun]]&lt;br /&gt;
[[Category:Comics featuring Danish]]&lt;br /&gt;
[[Category:Multiple Cueballs]]&lt;br /&gt;
[[Category:Public speaking]]&lt;br /&gt;
[[Category:Animals]]&lt;br /&gt;
[[Category:Fiction]]&lt;br /&gt;
[[Category:Harry Potter]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1156:_Conditioning&amp;diff=186700</id>
		<title>1156: Conditioning</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1156:_Conditioning&amp;diff=186700"/>
				<updated>2020-01-30T21:43:37Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Explanation */ OMG — a visiting Pope, like the nuisance factor is NOT reknown&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1156&lt;br /&gt;
| date      = January 4, 2013&lt;br /&gt;
| title     = Conditioning&lt;br /&gt;
| image     = conditioning.png&lt;br /&gt;
| titletext = 'Why are you standing in the yard wearing a papal hat and a robe covered in seeds?' 'Well, the Pope is visiting our town next month ...'&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
Herein, the author devises a method of addressing the issue of drivers who turn up their music to irritating levels which usually results in a lot of bass coming from the car — the low frequencies being the ones that most easily penetrate the car and travel farther, thus being more audible to those around the car.&lt;br /&gt;
&lt;br /&gt;
As the title suggests, the idea is to {{w|Classical conditioning|condition}} animals to respond to a thumping bass. The machine is described as working as follows: every few hours, the bass would turn on, and the box would dispense food behind an opening designed to look like an open car window. Over time, local wildlife would flock to the box to get the food from inside, and would become trained that the sound of a subwoofer means that they can get food by flying through a car window. Eventually, the animals would respond to any low music, including that played by cars.&lt;br /&gt;
&lt;br /&gt;
The end result would be that the local wildlife would approach, and presumably attempt to enter, any car that has that same thumping bass. Drivers, in turn, would cease to turn up their music in order to prevent the groups of animals from chasing after their cars, thus solving the problem of annoyingly loud bass. This behavior modification can itself be seen as a {{w|Operant conditioning|somewhat different form of conditioning}}.&lt;br /&gt;
&lt;br /&gt;
Although this plan may seem far-fetched, a similar scheme was seriously proposed in Britain during {{w|World War I}} to condition {{w|Gull|seagulls}} to associate a submarine's {{w|periscope}} with food, which would give away the locations of enemy submarines as the gulls flocked to their periscopes being raised.&lt;br /&gt;
&lt;br /&gt;
The title text is a dialogue about using a similar method of conditioning to send animals after a visiting {{w|Pope}}. Why someone would want that to happen is left to the reader's imagination, although papal visitations usually disrupt the local communities with onerous traffic and special and ostentatious ceremonies, and do attract huge crowds of dignitaries, celebrities, the faithful, the curious, and attending purveyors of foodstuffs and trinkets. Not to mention the impact to the local AirBnB market. Or it could just be Black Hat, who would not need any particular reason for this sort of behavior, and might choose the Pope because of his highly recognizable outfit.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:Every few hours, subwoofer plays throbbing bass for 10 seconds... [With arrow pointing to subwoofer.]&lt;br /&gt;
:...then bread crumbs are dispensed into box [With arrow pointing to bread feeder machine.]&lt;br /&gt;
:Opening [With arrow pointing to feeder opening shaped like a driver side car window.]&lt;br /&gt;
:Local wildlife [With arrows pointing to birds and a squirrel.]&lt;br /&gt;
:Protip: Leave this device in your yard for a week, then watch as the problem of loud music from passing cars solves itself.&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Biology]]&lt;br /&gt;
[[Category:Protip]]&lt;br /&gt;
[[Category:Squirrels]]&lt;br /&gt;
[[Category:Music]]&lt;br /&gt;
[[Category:Animals]]&lt;br /&gt;
[[Category:Science]]&lt;br /&gt;
[[Category:Psychology]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=208:_Regular_Expressions&amp;diff=177736</id>
		<title>208: Regular Expressions</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=208:_Regular_Expressions&amp;diff=177736"/>
				<updated>2019-08-08T03:24:35Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Explanation */  Playing favorites&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 208&lt;br /&gt;
| date      = January 10, 2007&lt;br /&gt;
| title     = Regular Expressions&lt;br /&gt;
| image     = regular_expressions.png&lt;br /&gt;
| titletext = Wait, forgot to escape a space. Wheeeeee[taptaptap]eeeeee!&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
The comic begins with [[Randall]] saying how every time he develops a new skill, he finds himself daydreaming about using it to save the day. Computer skills aren't usually superhero material, which lends itself to the humor of the comic.&lt;br /&gt;
&lt;br /&gt;
In computing, {{w|regular expression}}s (&amp;quot;regex&amp;quot;) provide a concise and flexible means to &amp;quot;match&amp;quot; (specify and recognize) strings of text, such as particular characters, words, or patterns of characters.&lt;br /&gt;
&lt;br /&gt;
Manually trying to look for a specific pattern through 200 MB of text is equivalent to looking for a needle in a haystack. But this task can be made easy by using regexes, since a script can read through text and match specific string patterns much faster than humans can achieve.&lt;br /&gt;
&lt;br /&gt;
The comic obviously favors a Perl implementation and supporting OS over some other syntax, like POSIX.&lt;br /&gt;
&lt;br /&gt;
{{w|Perl}} is a popular scripting language that has often been referenced favorably in the comic. Perl is also the language most widely acknowledged for its performance in evaluating regular expressions.&lt;br /&gt;
&lt;br /&gt;
The &amp;quot;PERL!&amp;quot; in the fifth panel is reminiscent of old superhero serials, particularly {{w|Batman (TV series)}}, in which sound effects such as &amp;quot;BAM!&amp;quot; &amp;quot;POW!&amp;quot; &amp;quot;ZAP!&amp;quot; would be displayed on screen in similar spiky bubbles. This fits with the theme of the comic, with Cueball being a &amp;quot;superhero&amp;quot; who fights crime using computer skills.&lt;br /&gt;
&lt;br /&gt;
The title text refers to how sensitive regexes can be to small mistakes or missing characters. In [[1168: tar]], another potential hero fails (and gets blown up by a nuclear bomb that can only be disarmed by typing in a valid tar command) because the syntax of some commands and programming languages is just too difficult to remember by heart.&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:Whenever I learn a new skill I concoct elaborate fantasy scenarios where it lets me save the day.&lt;br /&gt;
&lt;br /&gt;
:Megan: Oh no! The killer must have followed her on vacation!&lt;br /&gt;
:[Megan points to computer.]&lt;br /&gt;
:Megan: But to find them we'd have to search through 200 MB of emails looking for something formatted like an address!&lt;br /&gt;
:Cueball: It's hopeless!&lt;br /&gt;
&lt;br /&gt;
:Off-panel voice: Everybody stand back.&lt;br /&gt;
&lt;br /&gt;
:Off-panel voice: I know regular expressions.&lt;br /&gt;
&lt;br /&gt;
:[A man swings in on a rope, toward the computer.]&lt;br /&gt;
&lt;br /&gt;
:''tap tap''&lt;br /&gt;
:The word ''PERL!'' appears in a bubble.&lt;br /&gt;
&lt;br /&gt;
:[The man swings away, and the other characters cheer.]&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
*This comic is featured on one of the [http://shop.xkcd.com/products/i-know-regular-expressions T-shirts] sold at the xkcd store.&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
[[Category:Comics featuring Cueball]]&lt;br /&gt;
[[Category:Comics featuring Megan]]&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Regex]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159400</id>
		<title>1957: 2018 CVE List</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159400"/>
				<updated>2018-06-28T00:34:38Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Table of possible CVE */ wikify&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1957&lt;br /&gt;
| date      = February 19, 2018&lt;br /&gt;
| title     = 2018 CVE List&lt;br /&gt;
| image     = 2018_cve_list.png&lt;br /&gt;
| titletext = CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
{{w|Common Vulnerabilities and Exposures|CVE}} (Common Vulnerabilities and Exposures) is a standardized format for assigning an identity to a cybersecurity vulnerability (similar to the way that astronomical bodies are assigned unique identifiers by committees). Giving vulnerabilities a unique identifier makes them easier to talk about and helps in keeping track of the progress made toward resolving them. The typical format of a CVE identifier is '''CVE-[YEAR]-[NUMBER]'''. For example, the CVE identifier for 2017's widespread {{w|Meltdown (security vulnerability)|Meltdown vulnerability}} is [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 CVE-2017-5754]. CVEs also contain a short description of the issue.&lt;br /&gt;
&lt;br /&gt;
In this comic (released in February 2018), Randall presents a number of spurious predicted CVEs for later in 2018. Each CVE identifier is given as &amp;quot;CVE-2018-?????&amp;quot;, reflecting the fact that they have not yet happened so we don't know exactly what their CVE identifier will be.&lt;br /&gt;
&lt;br /&gt;
==Table of possible CVE==&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 30%;&amp;quot; | Security Vulnerability&lt;br /&gt;
! style=&amp;quot;width: 70%;&amp;quot; | Notes&lt;br /&gt;
|-&lt;br /&gt;
|Apple products crash when displaying certain {{w|Telugu language|Telugu}} or {{w|Bengali language|Bengali}} letter combinations.&lt;br /&gt;
|This refers to a real vulnerability in iOS and MacOS publicized a few days before the comic was released,&amp;lt;ref&amp;gt;https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/&amp;lt;/ref&amp;gt; as well as past similar iOS vulnerabilities&amp;lt;ref&amp;gt;https://thenextweb.com/apps/2017/01/18/iphone-ipad-apple-text-ios-bug/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.telegraph.co.uk/technology/2018/01/18/apple-text-bomb-can-crash-iphones-single-message/&amp;lt;/ref&amp;gt;.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can use a timing attack to extploit [''sic''] a race condition in {{w|Garbage collection (computer science)|garbage collection}} to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
|The reference to using a Timing Attack to exploit a race condition in garbage collection refers to Meltdown and Spectre CPU flaws that can be exploited in a cloud server like the ones in Wikipedia. {{w|Claude Shannon}} was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits. &lt;br /&gt;
&lt;br /&gt;
This is not a security problem. However, since Shannon formulated how the amount of unique or actual information some entity contains is proportional to the number of bits required to encode it, retrieving only a few bits casts a dark perspective upon the significance of the Shannon article's content.&lt;br /&gt;
|-&lt;br /&gt;
|At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
|Cafés often offer free access to WiFi as a service to patrons, as a business strategy to encourage said patrons to remain in the building and buy more coffee. Some use a password, so that only patrons can use the WiFi, and may display the password on signage inside. Since anybody could go into the cafe to read the post-it, and then use the network from nearby, the ability to read it from outside is, at most, a trivial problem. For systems that are supposed to be secure, writing passwords in a visible place is a major security flaw. For instance, following the [[wikipedia:2018 Hawaii false missile alert|2018 Hawaii false missile alert]], the agency concerned received criticism for a press photo showing a password written on a sticky note attached to a monitor.&amp;lt;ref&amp;gt;http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&amp;amp;IR=T&amp;lt;/ref&amp;gt; &lt;br /&gt;
|-&lt;br /&gt;
|A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
|Describes a common feature on news sites or social media sites like Facebook. The possibility for users to &amp;quot;inject&amp;quot; text into the page is by design. This is a humorous reference to the relatively common security vulnerability &amp;quot;[[Wikipedia:Cross-site_scripting|persistent cross-site scripting]]&amp;quot;, where input provided by a user, such as through a comment section, can result in dangerous content containing arbitrary HTML or JavaScript code being displayed to other users. &lt;br /&gt;
|-&lt;br /&gt;
|MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
|Some people pronounce &amp;quot;{{w|SQL}}&amp;quot; like &amp;quot;sequel&amp;quot;, after SQL's predecessor &amp;quot;SEQUEL (Structured English Query Language)&amp;quot;. The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it &amp;quot;sequel&amp;quot;, so the debate is persisting (with even more justification than arguments about how to pronounce &amp;quot;GIF&amp;quot;). MySQL is an open-source relational database management system. The latest generally available version (at the time of writing) is MySQL 5.7.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
|{{w|Privilege escalation}} refers to any illegitimate means by which a system user gains greater access than they are supposed to have, and most hackers will seek to achieve this if they can. The most highly-sought privilege is that of the root user, which allows complete access to an entire system&amp;amp;mdash; a ''superuser''.&lt;br /&gt;
&lt;br /&gt;
The irony of this CVE is that it presents the reverse situation: a flaw inadvertently ''de-escalates'' a root user to a less privileged user. This would cripple the ''superuser'', who would be denied the access or ability to accomplish their required tasks, or worse, it could cause tasks which do not {{w|fail safe}} to have catastrophic side effects.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
|This is a reference to a common problem of modern gadgets catching fire (usually related to flaws in lithium-ion batteries), as well as to Apple products crashing when attempting to display certain character sequences. Diacritics are the accents found on letters in some languages (e.g. č, ģ, ķ, ļ, ņ, š, ž). These would not normally be found on emojis.&lt;br /&gt;
|-&lt;br /&gt;
|An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
|This probably refers to the movie {{w|Air Bud}}, about a dog playing basketball. This has been a common theme in xkcd comics: see [[115: Meerkat]], [[1439: Rack Unit]], [[1819: Sweet 16]], [[1552: Rulebook]].&lt;br /&gt;
In 2017, it was discovered that an oversight in the constitution of the state of Kansas may [http://www.kansascity.com/news/politics-government/article175956836.html permit a dog to be governor]. Shortly before this comic was published, the Secretary of State's office ruled that [http://dfw.cbslocal.com/2018/02/13/dog-kansas-governor/ it could not].&lt;br /&gt;
|-&lt;br /&gt;
|Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer [''sic''] in Missouri that no one's checked on in a while.&lt;br /&gt;
|{{w|Haskell (programming language)|Haskell}} is a functional programming language. Functional programming is characterized by using functions that don't have side effects because they cannot change things accessible in other parts of the program, as in [[1312: Haskell]]. The joke here is discovering that it does indeed have side-effects, manifested via external alteration, not violating the internal alteration paradigm.&lt;br /&gt;
|-&lt;br /&gt;
|Nobody really knows how hypervisors work.&lt;br /&gt;
|[[wikipedia:Hypervisor|&amp;quot;Hypervisors&amp;quot;]] are a tool for computer virtualization. Virtualization is implemented via various combinations of hardware and/or software, which requires a computer to completely simulate another computer, with its own unique hardware and software, and to varying degrees as to whether or not the virtualization is aware of or can determine whether it is being virtualized. Many IT professionals and businesses rely heavily on various forms of virtualization, but most of the individual employees would be hard-pressed to explain how it works. Programs running on other virtual computers, or on the real computer, may be able to access information on a virtual computer in ways which would not be possible with a single real computer. Consequently, understanding how the hypervisor works is important to assessing the security of a virtual server. Meltdown and Spectre are related to this.&lt;br /&gt;
|-&lt;br /&gt;
|Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
|This joke is about arcane systems that are running Linux in exceedingly rare situations, meaning that reproducing errors would be incredibly difficult or inconvenient, and would only affect a very tiny user base (if any at all). {{w|IBM System/390 ES/9000 Enterprise Systems Architecture ESA family|System/390}} is an IBM mainframe introduced almost 30 years before this comic, which has a version of Linux. UTC+14 is a time zone used only on some islands in the Pacific Ocean (Primarily [[Wikipedia:Line_Islands|the Line Islands]]) and is also the earliest time zone on earth. Even if all of these absurd conditions were met, the resulting vulnerability would still be relatively benign: simply changing a user's preferred clock display format. Other xkcd comics make references to such obscure computer-time issues relating to time zones and time conversions, and how many programmers find these issues frustrating or even traumatizing. &lt;br /&gt;
|-&lt;br /&gt;
|x86 has way too many instructions.&lt;br /&gt;
|The x86 architecture (used in many Intel and AMD processors) is very complicated. Processors typically implement such a complex architecture using programs (microcode) run on a set of hidden, proprietary processors. The details of these hidden machines and errors in the microcode can result in security vulnerabilities, such as Meltdown, where the physical machine does not match the conceptual machine.&lt;br /&gt;
&lt;br /&gt;
A more complicated instruction set is more complex to implement.{{Citation needed}} The x86 architecture is considered &amp;quot;CISC&amp;quot; (a &amp;quot;{{w|Complex instruction set computer}}&amp;quot;), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first {{w|Apple Macintosh}}. In the 1980s, this design philosophy was countered by the &amp;quot;RISC&amp;quot; (&amp;quot;{{w|Reduced instruction set computer}}&amp;quot;) design movement - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. Examples of RISC style designs include {{w|SPARC}}, {{w|MIPS}}, {{w|PowerPC}} (used by Apple in later Macintoshes) and the {{w|ARM architecture|ARM}} chips common in mobile phones. Historically, there was considerable discussion about the merits of each approach. At one time the Mac and Windows PC were on different sides; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s. This &amp;quot;issue&amp;quot; may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk. However, the 64-bit architecture introduced by {{w|AMD}}, and since adopted by {{w|Intel}}, does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. 
Recent security issues, such as the speculative cache load issue in Meltdown and Spectre, depend more on details of implementation, rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.&lt;br /&gt;
&lt;br /&gt;
This explanation has way too many words.&lt;br /&gt;
|-&lt;br /&gt;
|NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
|Fantastically, this would be an unimaginable software threat, not to be confused with the even speedier, but future-bound, threat in hardware via {{w|Quantum computing}}. &lt;br /&gt;
NumPy is the fundamental package for scientific computing with the programming language Python. ''O''(log ''n'') is [[wikipedia:Big_O_notation#Infinite_asymptotics|Big O notation]] meaning that the time it takes for a computer algorithm to run is in the order of log ''n'', for an input of size ''n''. ''O''(log ''n'') is very fast and is more usual for a search algorithm. Prime factorization currently is ''O''(''2''&amp;lt;sup&amp;gt;''n''&amp;lt;/sup&amp;gt;n). If something can find the prime factors of a number this quickly, especially a [[wikipedia:semiprime|semiprime]] with two large factors, it will enable attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and &amp;quot;factoring primes&amp;quot; quickly is a simpler problem, that of [[wikipedia:Primality test|proving that a number is in fact a prime]]. &lt;br /&gt;
|-&lt;br /&gt;
|Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
|Another joke on the first CVE and [[wikipedia:I before E except after C|a common English writing rule of thumb]], which fails almost as often as it succeeds. Possibly a jab at Apple's image, portraying their software as unable to handle improper grammar or spelling.&lt;br /&gt;
|-&lt;br /&gt;
|Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
|Skylake x86 chips are a line of microprocessors made by Intel. Some processors are soldered directly to a system board or daughter board, while others are attached to boards that plug into the system board by means of a socket (pins or connectors that make physical contact with receptacles or connectors on a system board). Some sockets, especially older ones, require force to insert or remove, and often require the use of a flat blade screwdriver or a specialized tool, but most modern ones use ZIF (Zero Insertion Force) techniques, often involving a lever or similar to tighten or loosen the friction/tightness of the contacts. No screwdriver is needed in this case. However, any processor ''can'' be forcefully removed from its socket with a screwdriver.{{Citation needed}}&lt;br /&gt;
|-&lt;br /&gt;
|Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
|{{w|Linus Torvalds}} is the {{w|benevolent dictator for life}} of the Linux kernel codebase. Normally it is hard to make changes because he has the last word, and because the kernel is replicated in all Linux installations. Linus made the news in January 2018 when, having looked at one of Intel's proposed fixes for the Spectre and Meltdown vulnerabilities, he declared &amp;quot;the patches are COMPLETE AND UTTER GARBAGE&amp;quot;.&amp;lt;ref&amp;gt;https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/&amp;lt;/ref&amp;gt; Presumably, it may be found that he may be successfully bribed to be less blunt and/or less critical of vulnerability fixes that are complete and/or utter garbage. If this were the case, this would be a severe critical vulnerability to all Linux servers and machines.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
|The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code if they have root access and the necessary tools, but this would usually not be described as an attack, except in the case of a locked-down appliance, such as a video game console, a John Deere tractor, or pay TV decoder.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
|This could refer to a CVE vulnerability of JPG files where JavaScript embedded within the image file is executed by some application. In this case, though, the code is visible on the image instead of invisibly encoded within the image file. The code is also only executed if the image contains a photo of a baby in a saddle riding a dog. It's unclear whether the photo would be a digital photo, a printed photo (i.e. as taken using a digital camera), or maybe both. &lt;br /&gt;
Other than by some {{w|metadata}}, either internal to the image file, or embedded along with it, as in a web page, or a PDF or other container file, this &amp;quot;bug&amp;quot; would require the device to {{w|Hard AI|figure out}} specifically what the photo contains image-wise (something that's REALLY HARD for computers to do reliably), but would also require OCR (optical character recognition) code to convert the text superimposed on the photo into executable code. In other words, it's hard to believe in 2018 that such a bug could exist. Maybe in the future when such things are more routine...? As an example, OCR used to be hard to do reliably, but now it's a lot more routine and built into a lot of devices.&lt;br /&gt;
|-&lt;br /&gt;
|Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
|Flash was an integral browser plugin for decades, but fell out of favor in the 2010s and was eventually discontinued because of its notoriously abysmal security record. All security experts advise against installing it. Preventing installation of Flash would make systems more secure, but most versions of Windows do not prevent Flash installation. The joke here relates to the difficulty of keeping Flash up to date, or even installed properly to begin with. A common user experience, which is the subject of numerous jokes and memes, is the constant nagging notification to install or update Flash in order for web pages to display properly. Many IT professionals will bemoan the trouble they have experienced in the workplace due to these notifications and problems related to them.&lt;br /&gt;
|-&lt;br /&gt;
|Turns out the cloud is just other people's computers.&lt;br /&gt;
|This refers to a meme that demands that &amp;quot;cloud&amp;quot; be replaced with &amp;quot;other people's computers&amp;quot; in all marketing presentations to CEOs and non-computer literate persons evaluating the security impact of using cloud services. Part of the humor here is that &amp;quot;the cloud&amp;quot; is, in actuality, simply a term for hosted services, or in other words computers being run by other people (typically businesses that specialize in this type of &amp;quot;{{w|Platform as a Service}}&amp;quot; or &amp;quot;PaaS&amp;quot; service model). Referring to &amp;quot;the cloud&amp;quot; as &amp;quot;other people's computers&amp;quot; is, at its core, entirely accurate, though it takes away the business jargon and simplifies the situation in such a way that it might cast doubt on the security, reliability, and general effectiveness of using &amp;quot;cloud&amp;quot; solutions.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in Mitre's CVE database allows arbitrary code insertion.[[779|[~~CLICK HERE FOR CHEAP VIAGRA~~]]]&lt;br /&gt;
|Mitre's CVE database is where all {{w|Common Vulnerabilities and Exposures|CVEs}} are stored. This log message forms the punchline of the comic, as it implies that all of the exaggerated error messages above might have been inserted by hackers exploiting the vulnerability. To pour salt in the wound, they then included a typical spam link purporting to offer inexpensive {{w|Viagra|brand-name Sildenafil}}.&lt;br /&gt;
|-&lt;br /&gt;
|It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
|Appears in the title text. {{w|Bruce Schneier}} is a security researcher and blogger. The &amp;quot;two kids in a trenchcoat&amp;quot; is a reference to the {{tvtropes|TotemPoleTrench|Totem Pole Trench}} trope. Shortly before this comic was posted, a [https://rare.us/rare-humor/two-kids-dressed-as-a-tall-man-to-get-into-black-panther-is-caught-on-video story went viral] in which two kids were photographed attempting this for real to get into a screening of ''Black Panther''.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[A heading is centered above a list of 21 vulnerabilities]&lt;br /&gt;
:&amp;lt;big&amp;gt;Leaked list of major 2018 security vulnerabilities &amp;lt;/big&amp;gt;&lt;br /&gt;
&lt;br /&gt;
:CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
:CVE-2018-????? An attacker can use a timing attack to extploit a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
:CVE-2018-????? At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
:CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
:CVE-2018-????? MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
:CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
:CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
:CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
:CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer in Missouri that no one's checked on in a while.&lt;br /&gt;
:CVE-2018-????? Nobody really knows how hypervisors work.&lt;br /&gt;
:CVE-2018-????? Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
:CVE-2018-????? x86 has way too many instructions.&lt;br /&gt;
:CVE-2018-????? NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
:CVE-2018-????? Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
:CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
:CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
:CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
:CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
:CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
:CVE-2018-????? Turns out the cloud is just other people's computers.&lt;br /&gt;
:CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.&amp;lt;span style=&amp;quot;color:blue&amp;quot;&amp;gt;[~~Click here for cheap viagra~~]&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
&lt;br /&gt;
Randall has previously referenced diacritics in [[1647: Diacritics]].&lt;br /&gt;
&lt;br /&gt;
Bruce Schneier was previously mentioned in the title texts of [[748: Worst-Case Scenario]] and [[1039: RuBisCO]].&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Charts]]&lt;br /&gt;
[[Category:Programming]]&lt;br /&gt;
[[Category:Computers]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159399</id>
		<title>1957: 2018 CVE List</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159399"/>
				<updated>2018-06-28T00:31:21Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Table of possible CVE */ Don't be afraid of quad-syllabics (metadata)&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1957&lt;br /&gt;
| date      = February 19, 2018&lt;br /&gt;
| title     = 2018 CVE List&lt;br /&gt;
| image     = 2018_cve_list.png&lt;br /&gt;
| titletext = CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
{{w|Common Vulnerabilities and Exposures|CVE}} (Common Vulnerabilities and Exposures) is a standardized format for assigning an identity to a cybersecurity vulnerability (similar to the way that astronomical bodies are assigned unique identifiers by committees). Giving vulnerabilities a unique identifier makes them easier to talk about and helps in keeping track of the progress made toward resolving them. The typical format of a CVE identifier is '''CVE-[YEAR]-[NUMBER]'''. For example, the CVE identifier for 2017's widespread {{w|Meltdown (security vulnerability)|Meltdown vulnerability}} is [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 CVE-2017-5754]. CVEs also contain a short description of the issue.&lt;br /&gt;
&lt;br /&gt;
In this comic (released in February 2018), Randall presents a number of spurious predicted CVEs for later in 2018. Each CVE identifier is given as &amp;quot;CVE-2018-?????&amp;quot;, reflecting the fact that they have not yet happened so we don't know exactly what their CVE identifier will be.&lt;br /&gt;
&lt;br /&gt;
==Table of possible CVE==&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 30%;&amp;quot; | Security Vulnerability&lt;br /&gt;
! style=&amp;quot;width: 70%;&amp;quot; | Notes&lt;br /&gt;
|-&lt;br /&gt;
|Apple products crash when displaying certain {{w|Telugu language|Telugu}} or {{w|Bengali language|Bengali}} letter combinations.&lt;br /&gt;
|This refers to a real vulnerability in iOS and MacOS publicized a few days before the comic was released,&amp;lt;ref&amp;gt;https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/&amp;lt;/ref&amp;gt; as well as past similar iOS vulnerabilities&amp;lt;ref&amp;gt;https://thenextweb.com/apps/2017/01/18/iphone-ipad-apple-text-ios-bug/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.telegraph.co.uk/technology/2018/01/18/apple-text-bomb-can-crash-iphones-single-message/&amp;lt;/ref&amp;gt;.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can use a timing attack to extploit [''sic''] a race condition in {{w|Garbage collection (computer science)|garbage collection}} to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
|The reference to using a Timing Attack to exploit a race condition in garbage collection refers to Meltdown and Spectre CPU flaws that can be exploited in a cloud server like the ones in Wikipedia. {{w|Claude Shannon}} was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits. &lt;br /&gt;
&lt;br /&gt;
This is not a security problem. However, since Shannon formulated how the amount of unique or actual information some entity contains is proportional to the number of bits required to encode it, retrieving only a few bits casts a dark perspective upon the significance of the Shannon article's content.&lt;br /&gt;
|-&lt;br /&gt;
|At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
|Cafés often offer free access to WiFi as a service to patrons, as a business strategy to encourage said patrons to remain in the building and buy more coffee. Some use a password, so that only patrons can use the WiFi, and may display the password on signage inside. Since anybody could go into the cafe to read the post-it, and then use the network from nearby, the ability to read it from outside is, at most, a trivial problem. For systems that are supposed to be secure, writing passwords in a visible place is a major security flaw. For instance, following the [[wikipedia:2018 Hawaii false missile alert|2018 Hawaii false missile alert]], the agency concerned received criticism for a press photo showing a password written on a sticky note attached to a monitor.&amp;lt;ref&amp;gt;http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&amp;amp;IR=T&amp;lt;/ref&amp;gt; &lt;br /&gt;
|-&lt;br /&gt;
|A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
|Describes a common feature on news sites or social media sites like Facebook. The possibility for users to &amp;quot;inject&amp;quot; text into the page is by design. This is a humorous reference to the relatively common security vulnerability &amp;quot;[[Wikipedia:Cross-site_scripting|persistent cross-site scripting]]&amp;quot;, where input provided by a user, such as through a comment section, can result in dangerous content containing arbitrary HTML or JavaScript code being displayed to other users. &lt;br /&gt;
|-&lt;br /&gt;
|MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
|Some people pronounce &amp;quot;{{w|SQL}}&amp;quot; like &amp;quot;sequel&amp;quot;, after SQL's predecessor &amp;quot;SEQUEL (Structured English Query Language)&amp;quot;. The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it &amp;quot;sequel&amp;quot;, so the debate is persisting (with even more justification than arguments about how to pronounce &amp;quot;GIF&amp;quot;). MySQL is an open-source relational database management system. The latest generally available version (at the time of writing) is MySQL 5.7.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
|{{w|Privilege escalation}} refers to any illegitimate means by which a system user gains greater access than they are supposed to have, and most hackers will seek to achieve this if they can. The most highly-sought privilege is that of the root user, which allows complete access to an entire system&amp;amp;mdash; a ''superuser''.&lt;br /&gt;
&lt;br /&gt;
The irony of this CVE is that it presents the reverse situation: a flaw inadvertently ''de-escalates'' a root user to a less privileged user. This would cripple the ''superuser'', who would be denied the access or ability needed to accomplish their required tasks, or worse, cause tasks which do not {{w|fail safe}} to have catastrophic side effects.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
|This is a reference to a common problem of modern gadgets catching fire (usually related to flaws in lithium-ion batteries), as well as to Apple products crashing when attempting to display certain character sequences. Diacritics are the accents found on letters in some languages (e.g. č, ģ, ķ, ļ, ņ, š, ž). These would not normally be found on emojis.&lt;br /&gt;
|-&lt;br /&gt;
|An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
|This probably refers to the movie {{w|Air Bud}}, about a dog playing basketball. This has been a common theme in xkcd comics: see [[115: Meerkat]], [[1439: Rack Unit]], [[1819: Sweet 16]], [[1552: Rulebook]].&lt;br /&gt;
In 2017, it was discovered that an oversight in the constitution of the state of Kansas may [http://www.kansascity.com/news/politics-government/article175956836.html permit a dog to be governor]. Shortly before this comic was published, the Secretary of State's office ruled that [http://dfw.cbslocal.com/2018/02/13/dog-kansas-governor/ it could not].&lt;br /&gt;
|-&lt;br /&gt;
|Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer [''sic''] in Missouri that no one's checked on in a while.&lt;br /&gt;
|{{w|Haskell (programming language)|Haskell}} is a functional programming language. Functional programming is characterized by using functions that don't have side effects because they can not change things accessible in other parts of the program, as in [[1312: Haskell]]. The joke here is discovering that it does indeed have side-effects, manifested via external alteration, not violating the internal alteration paradigm.&lt;br /&gt;
|-&lt;br /&gt;
|Nobody really knows how hypervisors work.&lt;br /&gt;
|[[wikipedia:Hypervisor|&amp;quot;Hypervisors&amp;quot;]] are a tool for computer virtualization. Virtualization is implemented via various combinations of hardware and/or software, and requires a computer to completely simulate another computer with its own unique hardware and software; implementations vary as to whether the virtualized system is aware of, or can determine, that it is being virtualized. Many IT professionals and businesses rely heavily on various forms of virtualization, but most of the individual employees would be hard-pressed to explain how it works. Programs running on other virtual computers, or on the real computer, may be able to access information on a virtual computer in ways which would not be possible with a single real computer. Consequently, understanding how the hypervisor works is important to assessing the security of a virtual server. Meltdown and Spectre are related to this.&lt;br /&gt;
|-&lt;br /&gt;
|Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
|This joke is about arcane systems that are running Linux in exceedingly rare situations, meaning that reproducing errors would be incredibly difficult or inconvenient, and that the errors would only affect a very tiny user base (if any at all). {{w|IBM System/390 ES/9000 Enterprise Systems Architecture ESA family|System/390}} is an IBM mainframe introduced almost 30 years before this comic, which has a version of Linux. UTC+14 is a time zone used only on some islands in the Pacific Ocean (primarily [[Wikipedia:Line_Islands|the Line Islands]]) and is also the earliest time zone on earth. Even if all of these absurd conditions were met, the resulting vulnerability would still be relatively benign: simply changing a user's preferred clock display format. Other xkcd comics make references to such obscure computer-time issues relating to time zones and time conversions, and how many programmers find these issues frustrating or even traumatizing. &lt;br /&gt;
|-&lt;br /&gt;
|x86 has way too many instructions.&lt;br /&gt;
|The x86 architecture (used in many Intel and AMD processors) is very complicated. Processors typically implement such a complex architecture using programs (microcode) run on a set of hidden, proprietary processors. The details of these hidden machines and errors in the microcode can result in security vulnerabilities, such as Meltdown, where the physical machine does not match the conceptual machine.&lt;br /&gt;
&lt;br /&gt;
A more complicated instruction set is more complex to implement.{{Citation needed}} The x86 architecture is considered &amp;quot;CISC&amp;quot; (a &amp;quot;{{w|Complex instruction set computer}}&amp;quot;), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first {{w|Apple Macintosh}}. In the 1980s, this design philosophy was countered by the &amp;quot;RISC&amp;quot; (&amp;quot;{{w|Reduced instruction set computer}}&amp;quot;) design movement - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. Examples of RISC style designs include {{w|SPARC}}, {{w|MIPS}}, {{w|PowerPC}} (used by Apple in later Macintoshes) and the {{w|ARM architecture|ARM}} chips common in mobile phones. Historically, there was considerable discussion about the merits of each approach. At one time the Mac and Windows PC were on different sides; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s. This &amp;quot;issue&amp;quot; may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk. However, the 64-bit architecture introduced by {{w|AMD}}, and since adopted by {{w|Intel}}, does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. 
Recent security issues, such as the speculative cache load issue in Meltdown and Spectre, depend more on details of implementation, rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.&lt;br /&gt;
&lt;br /&gt;
This explanation has way too many words.&lt;br /&gt;
|-&lt;br /&gt;
|NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
|Fantastically, this would be an unimaginable software threat, not to be confused with the even speedier, but future-bound, threat in hardware via {{w|Quantum computing}}. &lt;br /&gt;
NumPy is the fundamental package for scientific computing with the programming language Python. ''O''(log ''n'') is [[wikipedia:Big_O_notation#Infinite_asymptotics|Big O notation]] meaning that the time it takes for a computer algorithm to run is in the order of log ''n'', for an input of size ''n''. ''O''(log ''n'') is very fast and is more usual for a search algorithm. Prime factorization currently is ''O''(''2''&amp;lt;sup&amp;gt;''n''&amp;lt;/sup&amp;gt;n)). If something can find the prime factors of a number this quickly, especially a [[wikipedia:semiprime|semiprime]] with two large factors, it will enable attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and &amp;quot;factoring primes&amp;quot; quickly is a simpler problem, that of [[wikipedia:Primality test|proving that a number is in fact a prime]]. &lt;br /&gt;
|-&lt;br /&gt;
|Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
|Another joke on the first CVE and [[wikipedia:I before E except after C|a common English writing rule of thumb]], which fails almost as often as it succeeds. Possibly a jab at Apple's image, portraying their software as unable to handle improper grammar or spelling.&lt;br /&gt;
|-&lt;br /&gt;
|Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
|Skylake x86 chips are a line of microprocessors made by Intel. Some processors are soldered directly to a system board or daughter board, while others are attached to boards that plug into the system board by means of a socket (pins or connectors that make physical contact with receptacles or connectors on a system board). Some sockets, especially older ones, require force to insert or remove, and often require the use of a flat blade screwdriver or a specialized tool, but most modern ones use ZIF (Zero Insertion Force) techniques, often involving a lever or similar to tighten or loosen the friction/tightness of the contacts. No screwdriver is needed in this case. However, any processor ''can'' be forcefully removed from its socket with a screwdriver.{{Citation needed}}&lt;br /&gt;
|-&lt;br /&gt;
|Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
|{{w|Linus Torvalds}} is the {{w|benevolent dictator for life}} of the Linux kernel codebase. Normally it is hard to make changes because he has the last word, and because the kernel is replicated in all Linux installations. Linus made the news in January 2018 when, having looked at one of Intel's proposed fixes for the Spectre and Meltdown vulnerabilities, he declared &amp;quot;the patches are COMPLETE AND UTTER GARBAGE&amp;quot;.&amp;lt;ref&amp;gt;https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/&amp;lt;/ref&amp;gt; Presumably, it could turn out that he can be bribed to be less blunt and/or less critical of vulnerability fixes that are complete and/or utter garbage. If this were the case, it would be a severe critical vulnerability for all Linux servers and machines.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
|The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code if they have root access and the necessary tools, but this would usually not be described as an attack, except in the case of a locked-down appliance, such as a video game console, a John Deere tractor, or pay TV decoder.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
|This could refer to a CVE vulnerability of JPG files where JavaScript embedded within the image file is executed by some application. In this case, though, the code is visible on the image instead of invisibly encoded within the image file. The code is also only executed if the image contains a photo of a baby in a saddle riding a dog. It's unclear whether the photo would be a digital photo, a printed photo (i.e. as taken using a digital camera), or maybe both. &lt;br /&gt;
Other than by some {{w|metadata}}, either internal to the image file, or embedded along with it, as in a web page, or a PDF or other container file, this &amp;quot;bug&amp;quot; would require the device to {{w|Hard AI|figure out}} specifically what the photo contains image-wise (something that's REALLY HARD for computers to do reliably), but would also require OCR (optical character recognition) code to convert the text superimposed on the photo into executable code. In other words, it's hard to believe in 2018 that such a bug could exist. Maybe in the future when such things are more routine...? As an example, OCR used to be hard to do reliably, but now it's a lot more routine and built into a lot of devices.&lt;br /&gt;
|-&lt;br /&gt;
|Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
|Flash was an integral browser plugin for decades, but fell out of favor in the 2010s and was eventually discontinued because of its notoriously abysmal security record. All security experts advise against installing it. Preventing installation of Flash would make systems more secure, but most versions of Windows do not prevent Flash installation. The joke here relates to the difficulty of keeping Flash up to date, or even installed properly to begin with. A common user experience, which is the subject of numerous jokes and memes, is the constant nagging notification to install or update Flash in order for web pages to display properly. Many IT professionals will bemoan the trouble they have experienced in the workplace due to these notifications and problems related to them.&lt;br /&gt;
|-&lt;br /&gt;
|Turns out the cloud is just other people's computers.&lt;br /&gt;
|This refers to a meme that demands that &amp;quot;cloud&amp;quot; be replaced with &amp;quot;other people's computers&amp;quot; in all marketing presentations to CEOs and non-computer literate persons evaluating the security impact of using cloud services. Part of the humor here is that &amp;quot;the cloud&amp;quot; is, in actuality, simply a term for hosted services, or in other words computers being run by other people (typically businesses that specialize in this type of &amp;quot;Platform as a Service&amp;quot; or &amp;quot;PaaS&amp;quot; service model). Referring to &amp;quot;the cloud&amp;quot; as &amp;quot;other people's computers&amp;quot; is, at its core, entirely accurate, though it takes away the business jargon and simplifies the situation in such a way that it might cast doubt on the security, reliability, and general effectiveness of using &amp;quot;cloud&amp;quot; solutions.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in Mitre's CVE database allows arbitrary code insertion.[[779|[~~CLICK HERE FOR CHEAP VIAGRA~~]]]&lt;br /&gt;
|Mitre's CVE database is where all {{w|Common Vulnerabilities and Exposures|CVEs}} are stored. This log message forms the punchline of the comic, as it implies that all of the exaggerated error messages above might have been inserted by hackers exploiting the vulnerability. To pour salt in the wound, they then included a typical spam link purporting to offer inexpensive {{w|Viagra|brand-name Sildenafil}}.&lt;br /&gt;
|-&lt;br /&gt;
|It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
|Appears in the title text. {{w|Bruce Schneier}} is a security researcher and blogger. The &amp;quot;two kids in a trenchcoat&amp;quot; is a reference to the {{tvtropes|TotemPoleTrench|Totem Pole Trench}} trope. Shortly before this comic was posted, a [https://rare.us/rare-humor/two-kids-dressed-as-a-tall-man-to-get-into-black-panther-is-caught-on-video story went viral] in which two kids were photographed attempting this for real to get into a screening of ''Black Panther''.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[A heading is centered above a list of 21 vulnerabilities]&lt;br /&gt;
:&amp;lt;big&amp;gt;Leaked list of major 2018 security vulnerabilities &amp;lt;/big&amp;gt;&lt;br /&gt;
&lt;br /&gt;
:CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
:CVE-2018-????? An attacker can use a timing attack to extploit a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
:CVE-2018-????? At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
:CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
:CVE-2018-????? MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
:CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
:CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
:CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
:CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer in Missouri that no one's checked on in a while.&lt;br /&gt;
:CVE-2018-????? Nobody really knows how hypervisors work.&lt;br /&gt;
:CVE-2018-????? Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
:CVE-2018-????? x86 has way too many instructions.&lt;br /&gt;
:CVE-2018-????? NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
:CVE-2018-????? Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
:CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
:CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
:CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
:CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
:CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
:CVE-2018-????? Turns out the cloud is just other people's computers.&lt;br /&gt;
:CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.&amp;lt;span style=&amp;quot;color:blue&amp;quot;&amp;gt;[~~Click here for cheap viagra~~]&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
&lt;br /&gt;
Randall has previously referenced diacritics in [[1647: Diacritics]].&lt;br /&gt;
&lt;br /&gt;
Bruce Schneier was previously mentioned in the title texts of [[748: Worst-Case Scenario]] and [[1039: RuBisCO]].&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Charts]]&lt;br /&gt;
[[Category:Programming]]&lt;br /&gt;
[[Category:Computers]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159397</id>
		<title>1957: 2018 CVE List</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159397"/>
				<updated>2018-06-27T23:49:47Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Table of possible CVE */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1957&lt;br /&gt;
| date      = February 19, 2018&lt;br /&gt;
| title     = 2018 CVE List&lt;br /&gt;
| image     = 2018_cve_list.png&lt;br /&gt;
| titletext = CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
{{w|Common Vulnerabilities and Exposures|CVE}} (Common Vulnerabilities and Exposures) is a standardized format for assigning an identity to a cybersecurity vulnerability (similar to the way that astronomical bodies are assigned unique identifiers by committees). Giving vulnerabilities a unique identifier makes them easier to talk about and helps in keeping track of the progress made toward resolving them. The typical format of a CVE identifier is '''CVE-[YEAR]-[NUMBER]'''. For example, the CVE identifier for 2017's widespread {{w|Meltdown (security vulnerability)|Meltdown vulnerability}} is [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 CVE-2017-5754]. CVEs also contain a short description of the issue.&lt;br /&gt;
&lt;br /&gt;
In this comic (released in February 2018), Randall presents a number of spurious predicted CVEs for later in 2018. Each CVE identifier is given as &amp;quot;CVE-2018-?????&amp;quot;, reflecting the fact that they have not yet happened so we don't know exactly what their CVE identifier will be.&lt;br /&gt;
&lt;br /&gt;
==Table of possible CVE==&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 30%;&amp;quot; | Security Vulnerability&lt;br /&gt;
! style=&amp;quot;width: 70%;&amp;quot; | Notes&lt;br /&gt;
|-&lt;br /&gt;
|Apple products crash when displaying certain {{w|Telugu language|Telugu}} or {{w|Bengali language|Bengali}} letter combinations.&lt;br /&gt;
|This refers to a real vulnerability in iOS and MacOS publicized a few days before the comic was released,&amp;lt;ref&amp;gt;https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/&amp;lt;/ref&amp;gt; as well as past similar iOS vulnerabilities&amp;lt;ref&amp;gt;https://thenextweb.com/apps/2017/01/18/iphone-ipad-apple-text-ios-bug/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.telegraph.co.uk/technology/2018/01/18/apple-text-bomb-can-crash-iphones-single-message/&amp;lt;/ref&amp;gt;.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can use a timing attack to extploit [''sic''] a race condition in {{w|Garbage collection (computer science)|garbage collection}} to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
|The reference to using a Timing Attack to exploit a race condition in garbage collection refers to Meltdown and Spectre CPU flaws that can be exploited in a cloud server like the ones in Wikipedia. {{w|Claude Shannon}} was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits. &lt;br /&gt;
&lt;br /&gt;
This is not a security problem. However, since Shannon formulated how the amount of unique or actual information some entity contains is proportional to the number of bits required to encode it, retrieving only a few bits casts a dark perspective upon the significance of the Shannon article's content.&lt;br /&gt;
|-&lt;br /&gt;
|At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
|Cafés often offer free access to WiFi as a service to patrons, as a business strategy to encourage said patrons to remain in the building and buy more coffee. Some use a password, so that only patrons can use the WiFi, and may display the password on signage inside. Since anybody could go into the cafe to read the post-it, and then use the network from nearby, the ability to read it from outside is, at most, a trivial problem. For systems that are supposed to be secure, writing passwords in a visible place is a major security flaw. For instance, following the [[wikipedia:2018 Hawaii false missile alert|2018 Hawaii false missile alert]], the agency concerned received criticism for a press photo showing a password written on a sticky note attached to a monitor.&amp;lt;ref&amp;gt;http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&amp;amp;IR=T&amp;lt;/ref&amp;gt; &lt;br /&gt;
|-&lt;br /&gt;
|A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
|Describes a common feature on news sites or social media sites like Facebook. The possibility for users to &amp;quot;inject&amp;quot; text into the page is by design. This is a humorous reference to the relatively common security vulnerability &amp;quot;[[Wikipedia:Cross-site_scripting|persistent cross-site scripting]]&amp;quot;, where input provided by a user, such as through a comment section, can result in dangerous content containing arbitrary HTML or JavaScript code being displayed to other users. &lt;br /&gt;
|-&lt;br /&gt;
|MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
|Some people pronounce &amp;quot;{{w|SQL}}&amp;quot; like &amp;quot;sequel&amp;quot;, after SQL's predecessor &amp;quot;SEQUEL (Structured English Query Language)&amp;quot;. The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it &amp;quot;sequel&amp;quot;, so the debate is persisting (with even more justification than arguments about how to pronounce &amp;quot;GIF&amp;quot;). MySQL is an open-source relational database management system. The latest generally available version (at the time of writing) is MySQL 5.7.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
|{{w|Privilege escalation}} refers to any illegitimate means by which a system user gains greater access than they are supposed to have, and most hackers will seek to achieve this if they can. The most highly-sought privilege is that of the root user, which allows complete access to an entire system&amp;amp;mdash; a ''superuser''.&lt;br /&gt;
&lt;br /&gt;
The irony of this CVE is that it presents the reverse situation: a flaw inadvertently ''de-escalates'' a root user to a less privileged user. This would cripple the ''superuser'', who would be denied the access or ability needed to accomplish their required tasks, or worse, cause tasks which do not {{w|fail safe}} to have catastrophic side effects.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
|This is a reference to a common problem of modern gadgets catching fire (usually related to flaws in lithium-ion batteries), as well as to Apple products crashing when attempting to display certain character sequences. Diacritics are the accents found on letters in some languages (e.g. č, ģ, ķ, ļ, ņ, š, ž). These would not normally be found on emojis.&lt;br /&gt;
|-&lt;br /&gt;
|An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
|This probably refers to the movie {{w|Air Bud}}, about a dog playing basketball. This has been a common theme in xkcd comics: see [[115: Meerkat]], [[1439: Rack Unit]], [[1819: Sweet 16]], [[1552: Rulebook]].&lt;br /&gt;
In 2017, it was discovered that an oversight in the constitution of the state of Kansas may [http://www.kansascity.com/news/politics-government/article175956836.html permit a dog to be governor]. Shortly before this comic was published, the Secretary of State's office ruled that [http://dfw.cbslocal.com/2018/02/13/dog-kansas-governor/ it could not].&lt;br /&gt;
|-&lt;br /&gt;
|Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer [''sic''] in Missouri that no one's checked on in a while.&lt;br /&gt;
|{{w|Haskell (programming language)|Haskell}} is a functional programming language. Functional programming is characterized by using functions that don't have side effects because they can not change things accessible in other parts of the program, as in [[1312: Haskell]]. The joke here is discovering that it does indeed have side-effects, manifested via external alteration, not violating the internal alteration paradigm.&lt;br /&gt;
|-&lt;br /&gt;
|Nobody really knows how hypervisors work.&lt;br /&gt;
|[[wikipedia:Hypervisor|&amp;quot;Hypervisors&amp;quot;]] are a tool for computer virtualization. Virtualization is implemented via various combinations of hardware and/or software, which requires a computer to completely simulate another computer, with its own unique hardware and software, and to varying degrees as to whether or not the virtualization is aware of or can determine whether it is being virtualized. Many IT professionals and businesses rely heavily on various forms of virtualization, but most of the individual employees would be hard-pressed to explain how it works. Programs running on other virtual computers, or on the real computer, may be able to access information on a virtual computer in ways which would not be possible with a single real computer. Consequently, understanding how the hypervisor works is important to assessing the security of a virtual server. Meltdown and Spectre are related to this.&lt;br /&gt;
|-&lt;br /&gt;
|Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
|This joke is about arcane systems that are running Linux in exceedingly rare situations, meaning that reproducing errors would be incredibly difficult or inconvenient, and would only affect a very tiny user base (if any at all). {{w|IBM System/390 ES/9000 Enterprise Systems Architecture ESA family|System/390}} is an IBM mainframe introduced almost 30 years before this comic, which has a version of Linux. UTC+14 is a time zone used only on some islands in the Pacific Ocean (primarily [[Wikipedia:Line_Islands|the Line Islands]]) and is also the earliest time zone on earth. Even if all of these absurd conditions were met, the resulting vulnerability would still be relatively benign: simply changing a user's preferred clock display format. Other xkcd comics make references to such obscure computer-time issues relating to time zones and time conversions, and how many programmers find these issues frustrating or even traumatizing.&lt;br /&gt;
|-&lt;br /&gt;
|x86 has way too many instructions.&lt;br /&gt;
|The x86 architecture (used in many Intel and AMD processors) is very complicated. Processors typically implement such a complex architecture using programs (microcode) run on a set of hidden, proprietary processors. The details of these hidden machines and errors in the microcode can result in security vulnerabilities, such as Meltdown, where the physical machine does not match the conceptual machine.&lt;br /&gt;
&lt;br /&gt;
A more complicated instruction set is more complex to implement.{{Citation needed}} The x86 architecture is considered &amp;quot;CISC&amp;quot; (a &amp;quot;{{w|Complex instruction set computer}}&amp;quot;), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first {{w|Apple Macintosh}}. In the 1980s, this design philosophy was countered by the &amp;quot;RISC&amp;quot; (&amp;quot;{{w|Reduced instruction set computer}}&amp;quot;) design movement - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. Examples of RISC style designs include {{w|SPARC}}, {{w|MIPS}}, {{w|PowerPC}} (used by Apple in later Macintoshes) and the {{w|ARM architecture|ARM}} chips common in mobile phones. Historically, there was considerable discussion about the merits of each approach. At one time the Mac and Windows PC were on different sides; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s. This &amp;quot;issue&amp;quot; may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk. However, the 64-bit architecture introduced by {{w|AMD}}, and since adopted by {{w|Intel}}, does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. 
Recent security issues, such as the speculative cache load issue in Meltdown and Spectre, depend more on details of implementation, rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.&lt;br /&gt;
&lt;br /&gt;
This explanation has way too many words.&lt;br /&gt;
|-&lt;br /&gt;
|NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
|Fantastically, this would be an unimaginable software threat, not to be confused with the even speedier, but future-bound, threat in hardware via {{w|Quantum computing}}. &lt;br /&gt;
NumPy is the fundamental package for scientific computing with the programming language Python. ''O''(log ''n'') is [[wikipedia:Big_O_notation#Infinite_asymptotics|Big O notation]] meaning that the time it takes for a computer algorithm to run is in the order of log ''n'', for an input of size ''n''. ''O''(log ''n'') is very fast and is more usual for a search algorithm. Prime factorization currently is ''O''(''2''&amp;lt;sup&amp;gt;''n''&amp;lt;/sup&amp;gt;n)). If something can find the prime factors of a number this quickly, especially a [[wikipedia:semiprime|semiprime]] with two large factors, it will enable attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and &amp;quot;factoring primes&amp;quot; quickly is a simpler problem, that of [[wikipedia:Primality test|proving that a number is in fact a prime]]. &lt;br /&gt;
|-&lt;br /&gt;
|Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
|Another joke on the first CVE and [[wikipedia:I before E except after C|a common English writing rule of thumb]], which fails almost as often as it succeeds. Possibly a jab at Apple's image, portraying their software as unable to handle improper grammar or spelling.&lt;br /&gt;
|-&lt;br /&gt;
|Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
|Skylake x86 chips are a line of microprocessors made by Intel. Some processors are soldered directly to a system board or daughter board, while others are attached to boards that plug into the system board by means of a socket (pins or connectors that make physical contact with receptacles or connectors on a system board). Some sockets, especially older ones, require force to insert or remove, and often require the use of a flat blade screwdriver or a specialized tool, but most modern ones use ZIF (Zero Insertion Force) techniques, often involving a lever or similar to tighten or loosen the friction/tightness of the contacts. No screwdriver is needed in this case. However, any processor ''can'' be forcefully removed from its socket with a screwdriver.{{Citation needed}}&lt;br /&gt;
|-&lt;br /&gt;
|Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
|{{w|Linus Torvalds}} is the {{w|benevolent dictator for life}} of the Linux kernel codebase. Normally it is hard to make changes because he has the last word, and because the kernel is replicated in all Linux installations. Linus made the news in January 2018 when, having looked at one of Intel's proposed fixes for the Spectre and Meltdown vulnerabilities, he declared &amp;quot;the patches are COMPLETE AND UTTER GARBAGE&amp;quot;.&amp;lt;ref&amp;gt;https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/&amp;lt;/ref&amp;gt; Presumably, it may be found that he may be successfully bribed to be less blunt and/or less critical of vulnerability fixes that are complete and/or utter garbage. If this were the case, this would be a severe critical vulnerability to all Linux servers and machines.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
|The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code if they have root access and the necessary tools, but this would usually not be described as an attack, except in the case of a locked-down appliance, such as a video game console, a John Deere tractor, or pay TV decoder.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
|This could refer to a CVE vulnerability of JPG files where JavaScript embedded within the image file is executed by some application. In this case, though, the code is visible on the image instead of invisibly encoded within the image file. The code is also only executed if the image contains a photo of a baby in a saddle riding a dog. It's unclear whether the photo would be a digital photo, a printed photo (i.e. as taken using a digital camera), or maybe both. This &amp;quot;bug&amp;quot; would not only require the device to figure out specifically what the photo contains image-wise (something that's REALLY HARD for computers to do reliably), but would also require OCR (optical character recognition) code to convert the text superimposed on the photo into executable code. In other words, it's hard to believe in 2018 that such a bug could exist. Maybe in the future when such things are more routine...? As an example, OCR used to be hard to do reliably, but now it's a lot more routine and built into a lot of devices.&lt;br /&gt;
|-&lt;br /&gt;
|Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
|Flash was an integral browser plugin for decades, but fell out of favor in the 2010s and was eventually discontinued because of its notoriously abysmal security record. All security experts advise against installing it. Preventing installation of Flash would make systems more secure, but most versions of Windows do not prevent Flash installation. The joke here relates to the difficulty of keeping Flash up to date, or even installed properly to begin with. A common user experience, which is the subject of numerous jokes and memes, is the constant nagging notification to install or update Flash in order for web pages to display properly. Many IT professionals will bemoan the trouble they have experienced in the workplace due to these notifications and problems related to them.&lt;br /&gt;
|-&lt;br /&gt;
|Turns out the cloud is just other people's computers.&lt;br /&gt;
|This refers to a meme that demands that &amp;quot;cloud&amp;quot; be replaced with &amp;quot;other people's computers&amp;quot; in all marketing presentation to CEOs and non-computer literate persons evaluating the security impact of using cloud services. Part of the humor here is that &amp;quot;the cloud&amp;quot; is, in actuality, simply a term for hosted services, or in other words computers being run by other people (typically businesses that specialize in this type of &amp;quot;Platform as a Service&amp;quot; or &amp;quot;PaaS&amp;quot; service model). Referring to &amp;quot;the cloud&amp;quot; as &amp;quot;other people's computers&amp;quot; is, at its core, entirely accurate, though it takes away the business jargon and simplifies the situation in such a way that it might cast doubt on the security, reliability, and general effectiveness of using &amp;quot;cloud&amp;quot; solutions.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in Mitre's CVE database allows arbitrary code insertion.[[779|[~~CLICK HERE FOR CHEAP VIAGRA~~]]]&lt;br /&gt;
|Mitre's CVE database is where all {{w|Common Vulnerabilities and Exposures|CVEs}} are stored. This log message forms the punchline of the comic, as it implies that all of the exaggerated error messages above might have been inserted by hackers exploiting the vulnerability. To pour salt in the wound, they then included a typical spam link purporting to offer inexpensive {{w|Viagra|brand-name Sildenafil}}.&lt;br /&gt;
|-&lt;br /&gt;
|It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
|Appears in the title text. {{w|Bruce Schneier}} is a security researcher and blogger. The &amp;quot;two kids in a trenchcoat&amp;quot; is a reference to the {{tvtropes|TotemPoleTrench|Totem Pole Trench}} trope. Shortly before this comic was posted, a [https://rare.us/rare-humor/two-kids-dressed-as-a-tall-man-to-get-into-black-panther-is-caught-on-video story went viral] in which two kids were photographed attempting this for real to get into a screening of ''Black Panther''.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[A heading is centered above a list of 21 vulnerabilities]&lt;br /&gt;
:&amp;lt;big&amp;gt;Leaked list of major 2018 security vulnerabilities &amp;lt;/big&amp;gt;&lt;br /&gt;
&lt;br /&gt;
:CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
:CVE-2018-????? An attacker can use a timing attack to extploit a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
:CVE-2018-????? At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
:CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
:CVE-2018-????? MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
:CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
:CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
:CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
:CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer in Missouri that no one's checked on in a while.&lt;br /&gt;
:CVE-2018-????? Nobody really knows how hypervisors work.&lt;br /&gt;
:CVE-2018-????? Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
:CVE-2018-????? x86 has way too many instructions.&lt;br /&gt;
:CVE-2018-????? NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
:CVE-2018-????? Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
:CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
:CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
:CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
:CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
:CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
:CVE-2018-????? Turns out the cloud is just other people's computers.&lt;br /&gt;
:CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.&amp;lt;span style=&amp;quot;color:blue&amp;quot;&amp;gt;[~~Click here for cheap viagra~~]&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
&lt;br /&gt;
Randall has previously referenced diacritics in [[1647: Diacritics]].&lt;br /&gt;
&lt;br /&gt;
Bruce Schneier was previously mentioned in the title texts of [[748: Worst-Case Scenario]] and [[1039: RuBisCO]].&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Charts]]&lt;br /&gt;
[[Category:Programming]]&lt;br /&gt;
[[Category:Computers]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159396</id>
		<title>1957: 2018 CVE List</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159396"/>
				<updated>2018-06-27T23:35:54Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Table of possible CVE */ The odds are, in an infinite universe, that we ourselves are virtualized&amp;amp;mdash; so who virtualizes the virtualizers?&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1957&lt;br /&gt;
| date      = February 19, 2018&lt;br /&gt;
| title     = 2018 CVE List&lt;br /&gt;
| image     = 2018_cve_list.png&lt;br /&gt;
| titletext = CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
{{w|Common Vulnerabilities and Exposures|CVE}} (Common Vulnerabilities and Exposures) is a standardized format for assigning an identity to a cybersecurity vulnerability (similar to the way that astronomical bodies are assigned unique identifiers by committees). Giving vulnerabilities a unique identifier makes them easier to talk about and helps in keeping track of the progress made toward resolving them. The typical format of a CVE identifier is '''CVE-[YEAR]-[NUMBER]'''. For example, the CVE identifier for 2017's widespread {{w|Meltdown (security vulnerability)|Meltdown vulnerability}} is [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 CVE-2017-5754]. CVEs also contain a short description of the issue.&lt;br /&gt;
&lt;br /&gt;
In this comic (released in February 2018), Randall presents a number of spurious predicted CVEs for later in 2018. Each CVE identifier is given as &amp;quot;CVE-2018-?????&amp;quot;, reflecting the fact that they have not yet happened so we don't know exactly what their CVE identifier will be.&lt;br /&gt;
&lt;br /&gt;
==Table of possible CVE==&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 30%;&amp;quot; | Security Vulnerability&lt;br /&gt;
! style=&amp;quot;width: 70%;&amp;quot; | Notes&lt;br /&gt;
|-&lt;br /&gt;
|Apple products crash when displaying certain {{w|Telugu language|Telugu}} or {{w|Bengali language|Bengali}} letter combinations.&lt;br /&gt;
|This refers to a real vulnerability in iOS and MacOS publicized a few days before the comic was released,&amp;lt;ref&amp;gt;https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/&amp;lt;/ref&amp;gt; as well as past similar iOS vulnerabilities&amp;lt;ref&amp;gt;https://thenextweb.com/apps/2017/01/18/iphone-ipad-apple-text-ios-bug/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.telegraph.co.uk/technology/2018/01/18/apple-text-bomb-can-crash-iphones-single-message/&amp;lt;/ref&amp;gt;.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can use a timing attack to extploit [''sic''] a race condition in {{w|Garbage collection (computer science)|garbage collection}} to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
|The reference to using a Timing Attack to exploit a race condition in garbage collection refers to Meltdown and Spectre CPU flaws that can be exploited in a cloud server like the ones in Wikipedia. {{w|Claude Shannon}} was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits. &lt;br /&gt;
&lt;br /&gt;
This is not a security problem. However, since Shannon formulated how the amount of unique or actual information some entity contains is proportional to the number of bits required to encode it, retrieving only a few bits casts a dark perspective upon the significance of the Shannon article's content.&lt;br /&gt;
|-&lt;br /&gt;
|At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
|Cafés often offer free access to WiFi as a service to patrons, as a business strategy to encourage said patrons to remain in the building and buy more coffee. Some use a password, so that only patrons can use the WiFi, and may display the password on signage inside. Since anybody could go into the cafe to read the post-it, and then use the network from nearby, the ability to read it from outside is, at most, a trivial problem. For systems that are supposed to be secure, writing passwords in a visible place is a major security flaw. For instance, following the [[wikipedia:2018 Hawaii false missile alert|2018 Hawaii false missile alert]], the agency concerned received criticism for a press photo showing a password written on a sticky note attached to a monitor.&amp;lt;ref&amp;gt;http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&amp;amp;IR=T&amp;lt;/ref&amp;gt; &lt;br /&gt;
|-&lt;br /&gt;
|A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
|Describes a common feature on news sites or social media sites like Facebook. The possibility for users to &amp;quot;inject&amp;quot; text into the page is by design. This is a humorous reference to the relatively common security vulnerability &amp;quot;[[Wikipedia:Cross-site_scripting|persistent cross-site scripting]]&amp;quot;, where input provided by a user, such as through a comment section, can result in dangerous content containing arbitrary HTML or JavaScript code being displayed to other users. &lt;br /&gt;
|-&lt;br /&gt;
|MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
|Some people pronounce &amp;quot;{{w|SQL}}&amp;quot; like &amp;quot;sequel&amp;quot;, after SQL's predecessor &amp;quot;SEQUEL (Structured English Query Language)&amp;quot;. The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it &amp;quot;sequel&amp;quot;, so the debate is persisting (with even more justification than arguments about how to pronounce &amp;quot;GIF&amp;quot;). MySQL is an open-source relational database management system. The latest generally available version (at the time of writing) is MySQL 5.7.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
|{{w|Privilege escalation}} refers to any illegitimate means by which a system user gains greater access than they are supposed to have, and most hackers will seek to achieve this if they can. The most highly-sought privilege is that of the root user, which allows complete access to an entire system&amp;amp;mdash; a ''superuser''.&lt;br /&gt;
&lt;br /&gt;
The irony of this CVE is that it presents the reverse situation: a flaw inadvertently ''de-escalates'' a root user to a less privileged user. This would cripple the ''superuser'', who would be denied the access or ability to accomplish their required tasks, or worse, cause tasks that do not {{w|fail safe}} to have catastrophic side effects.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
|This is a reference to a common problem of modern gadgets catching fire (usually related to flaws in lithium-ion batteries), as well as to Apple products crashing when attempting to display certain character sequences. Diacritics are the accents found on letters in some languages (e.g. č, ģ, ķ, ļ, ņ, š, ž). These would not normally be found on emojis.&lt;br /&gt;
|-&lt;br /&gt;
|An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
|This probably refers to the movie {{w|Air Bud}}, about a dog playing basketball. This has been a common theme in xkcd comics: see [[115: Meerkat]], [[1439: Rack Unit]], [[1819: Sweet 16]], [[1552: Rulebook]].&lt;br /&gt;
In 2017, it was discovered that an oversight in the constitution of the state of Kansas may [http://www.kansascity.com/news/politics-government/article175956836.html permit a dog to be governor]. Shortly before this comic was published, the Secretary of State's office ruled that [http://dfw.cbslocal.com/2018/02/13/dog-kansas-governor/ it could not].&lt;br /&gt;
|-&lt;br /&gt;
|Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer [''sic''] in Missouri that no one's checked on in a while.&lt;br /&gt;
|{{w|Haskell (programming language)|Haskell}} is a functional programming language. Functional programming is characterized by using functions that don't have side effects because they cannot change things accessible in other parts of the program, as in [[1312: Haskell]]. The joke here is the discovery that Haskell does indeed have side effects, which manifest externally (on a remote computer) and so do not violate the paradigm that nothing inside the program is altered.&lt;br /&gt;
|-&lt;br /&gt;
|Nobody really knows how hypervisors work.&lt;br /&gt;
|[[wikipedia:Hypervisor|&amp;quot;Hypervisors&amp;quot;]] are a tool for computer virtualization. Virtualization is implemented via various combinations of hardware and/or software, and requires a computer to completely simulate another computer, with its own unique hardware and software; implementations vary in whether the virtualized system is aware of, or can determine, that it is being virtualized. Many IT professionals and businesses rely heavily on various forms of virtualization, but most of the individual employees would be hard-pressed to explain how it works. Programs running on other virtual computers, or on the real computer, may be able to access information on a virtual computer in ways which would not be possible with a single real computer. Consequently, understanding how the hypervisor works is important to assessing the security of a virtual server. Meltdown and Spectre are related to this.&lt;br /&gt;
|-&lt;br /&gt;
|Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
|This joke is about arcane systems that are running Linux in exceedingly rare situations, meaning that reproducing errors would be incredibly difficult or inconvenient, and would only affect a very tiny user base (if any at all). {{w|IBM System/390 ES/9000 Enterprise Systems Architecture ESA family|System/390}} is an IBM mainframe introduced almost 30 years before this comic, which has a version of Linux. UTC+14 is a time zone used only on some islands in the Pacific Ocean (Primarily [[Wikipedia:Line_Islands|the Line Islands]]) and is also the earliest time zone on earth. Even if all of these absurd conditions were met, the resulting vulnerability would still be relatively benign: simply changing a user's preferred clock display format. Other xkcd comics make references to such obscure computer-time issues relating to time zones and time conversions, and how many programmers find these issues frustrating or even traumatizing. &lt;br /&gt;
|-&lt;br /&gt;
|x86 has way too many instructions.&lt;br /&gt;
|The x86 architecture (used in many Intel and AMD processors) is very complicated. Processors typically implement such a complex architecture using programs (microcode) run on a set of hidden, proprietary processors. The details of these hidden machines and errors in the microcode can result in security vulnerabilities, such as Meltdown, where the physical machine does not match the conceptual machine.&lt;br /&gt;
&lt;br /&gt;
A more complicated instruction set is more complex to implement.{{Citation needed}} The x86 architecture is considered &amp;quot;CISC&amp;quot; (a &amp;quot;{{w|Complex instruction set computer}}&amp;quot;), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first {{w|Apple Macintosh}}. In the 1980s, this design philosophy was countered by the &amp;quot;RISC&amp;quot; (&amp;quot;{{w|Reduced instruction set computer}}&amp;quot;) design movement - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. Examples of RISC style designs include {{w|SPARC}}, {{w|MIPS}}, {{w|PowerPC}} (used by Apple in later Macintoshes) and the {{w|ARM architecture|ARM}} chips common in mobile phones. Historically, there was considerable discussion about the merits of each approach. At one time the Mac and Windows PC were on different sides; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s. This &amp;quot;issue&amp;quot; may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk. However, the 64-bit architecture introduced by {{w|AMD}}, and since adopted by {{w|Intel}}, does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. 
Recent security issues, such as the speculative cache load issue in Meltdown and Spectre, depend more on details of implementation, rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.&lt;br /&gt;
&lt;br /&gt;
This explanation has way too many words.&lt;br /&gt;
|-&lt;br /&gt;
|NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
|NumPy is the fundamental package for scientific computing with the programming language Python. ''O''(log ''n'') is [[wikipedia:Big_O_notation#Infinite_asymptotics|Big O notation]] meaning that the time it takes for a computer algorithm to run is in the order of log ''n'', for an input of size ''n''. ''O''(log ''n'') is very fast and is more usual for a search algorithm. Prime factorization currently is ''O''(''2''&amp;lt;sup&amp;gt;''n''&amp;lt;/sup&amp;gt;n)). If something can find the prime factors of a number this quickly, especially a [[wikipedia:semiprime|semiprime]] with two large factors, it will enable attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and &amp;quot;factoring primes&amp;quot; quickly is a simpler problem, that of [[wikipedia:Primality test|proving that a number is in fact a prime]]. &lt;br /&gt;
|-&lt;br /&gt;
|Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
|Another joke on the first CVE and [[wikipedia:I before E except after C|a common English writing rule of thumb]], which fails almost as often as it succeeds. Possibly a jab at Apple's image, portraying their software as unable to handle improper grammar or spelling.&lt;br /&gt;
|-&lt;br /&gt;
|Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
|Skylake x86 chips are a line of microprocessors made by Intel. Some processors are soldered directly to a system board or daughter board, while others are attached to boards that plug into the system board by means of a socket (pins or connectors that make physical contact with receptacles or connectors on a system board). Some sockets, especially older ones, require force to insert or remove, and often require the use of a flat blade screwdriver or a specialized tool, but most modern ones use ZIF (Zero Insertion Force) techniques, often involving a lever or similar to tighten or loosen the friction/tightness of the contacts. No screwdriver is needed in this case. However, any processor ''can'' be forcefully removed from its socket with a screwdriver.{{Citation needed}}&lt;br /&gt;
|-&lt;br /&gt;
|Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
|{{w|Linus Torvalds}} is the {{w|benevolent dictator for life}} of the Linux kernel codebase. Normally it is hard to make changes because he has the last word, and because the kernel is replicated in all Linux installations. Linus made the news in January 2018 when, having looked at one of Intel's proposed fixes for the Spectre and Meltdown vulnerabilities, he declared &amp;quot;the patches are COMPLETE AND UTTER GARBAGE&amp;quot;.&amp;lt;ref&amp;gt;https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/&amp;lt;/ref&amp;gt; Presumably, it may be found that he may be successfully bribed to be less blunt and/or less critical of vulnerability fixes that are complete and/or utter garbage. If this were the case, this would be a severe critical vulnerability to all Linux servers and machines.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
|The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code if they have root access and the necessary tools, but this would usually not be described as an attack, except in the case of a locked-down appliance, such as a video game console, a John Deere tractor, or pay TV decoder.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
|This could refer to a CVE vulnerability of JPG files where JavaScript embedded within the image file is executed by some application. In this case, though, the code is visible on the image instead of invisibly encoded within the image file. The code is also only executed if the image contains a photo of a baby in a saddle riding a dog. It's unclear whether the photo would be a digital photo, a printed photo (i.e. as taken using a digital camera), or maybe both. This &amp;quot;bug&amp;quot; would not only require the device to figure out specifically what the photo contains image-wise (something that's REALLY HARD for computers to do reliably), but would also require OCR (optical character recognition) code to convert the text superimposed on the photo into executable code. In other words, it's hard to believe in 2018 that such a bug could exist. Maybe in the future when such things are more routine...? As an example, OCR used to be hard to do reliably, but now it's a lot more routine and built into a lot of devices.&lt;br /&gt;
|-&lt;br /&gt;
|Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
|Flash was an integral browser plugin for decades, but fell out of favor in the 2010s and was eventually discontinued because of its notoriously abysmal security record. All security experts advise against installing it. Preventing installation of Flash would make systems more secure, but most versions of Windows do not prevent Flash installation. The joke here relates to the difficulty of keeping Flash up to date, or even installed properly to begin with. A common user experience, which is the subject of numerous jokes and memes, is the constant nagging notification to install or update Flash in order for web pages to display properly. Many IT professionals will bemoan the trouble they have experienced in the workplace due to these notifications and problems related to them.&lt;br /&gt;
|-&lt;br /&gt;
|Turns out the cloud is just other people's computers.&lt;br /&gt;
|This refers to a meme that demands that &amp;quot;cloud&amp;quot; be replaced with &amp;quot;other people's computers&amp;quot; in all marketing presentations to CEOs and non-computer-literate persons evaluating the security impact of using cloud services. Part of the humor here is that &amp;quot;the cloud&amp;quot; is, in actuality, simply a term for hosted services, or in other words computers being run by other people (typically businesses that specialize in this type of &amp;quot;Platform as a Service&amp;quot; or &amp;quot;PaaS&amp;quot; service model). Referring to &amp;quot;the cloud&amp;quot; as &amp;quot;other people's computers&amp;quot; is, at its core, entirely accurate, though it takes away the business jargon and simplifies the situation in such a way that it might cast doubt on the security, reliability, and general effectiveness of using &amp;quot;cloud&amp;quot; solutions.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in Mitre's CVE database allows arbitrary code insertion.[[779|[~~CLICK HERE FOR CHEAP VIAGRA~~]]]&lt;br /&gt;
|Mitre's CVE database is where all {{w|Common Vulnerabilities and Exposures|CVEs}} are stored. This log message forms the punchline of the comic, as it implies that all of the exaggerated error messages above might have been inserted by hackers exploiting the vulnerability. To pour salt in the wound, they then included a typical spam link purporting to offer inexpensive {{w|Viagra|brand-name Sildenafil}}.&lt;br /&gt;
|-&lt;br /&gt;
|It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
|Appears in the title text. {{w|Bruce Schneier}} is a security researcher and blogger. The &amp;quot;two kids in a trenchcoat&amp;quot; is a reference to the {{tvtropes|TotemPoleTrench|Totem Pole Trench}} trope. Shortly before this comic was posted, a [https://rare.us/rare-humor/two-kids-dressed-as-a-tall-man-to-get-into-black-panther-is-caught-on-video story went viral] in which two kids were photographed attempting this for real to get into a screening of ''Black Panther''.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[A heading is centered above a list of 21 vulnerabilities]&lt;br /&gt;
:&amp;lt;big&amp;gt;Leaked list of major 2018 security vulnerabilities &amp;lt;/big&amp;gt;&lt;br /&gt;
&lt;br /&gt;
:CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
:CVE-2018-????? An attacker can use a timing attack to extploit a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
:CVE-2018-????? At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
:CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
:CVE-2018-????? MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
:CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
:CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
:CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
:CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer in Missouri that no one's checked on in a while.&lt;br /&gt;
:CVE-2018-????? Nobody really knows how hypervisors work.&lt;br /&gt;
:CVE-2018-????? Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
:CVE-2018-????? x86 has way too many instructions.&lt;br /&gt;
:CVE-2018-????? NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
:CVE-2018-????? Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
:CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
:CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
:CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
:CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
:CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
:CVE-2018-????? Turns out the cloud is just other people's computers.&lt;br /&gt;
:CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.&amp;lt;span style=&amp;quot;color:blue&amp;quot;&amp;gt;[~~Click here for cheap viagra~~]&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
&lt;br /&gt;
Randall has previously referenced diacritics in [[1647: Diacritics]].&lt;br /&gt;
&lt;br /&gt;
Bruce Schneier was previously mentioned in the title texts of [[748: Worst-Case Scenario]] and [[1039: RuBisCO]].&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Charts]]&lt;br /&gt;
[[Category:Programming]]&lt;br /&gt;
[[Category:Computers]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159394</id>
		<title>1957: 2018 CVE List</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159394"/>
				<updated>2018-06-27T23:24:16Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Table of possible CVE */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1957&lt;br /&gt;
| date      = February 19, 2018&lt;br /&gt;
| title     = 2018 CVE List&lt;br /&gt;
| image     = 2018_cve_list.png&lt;br /&gt;
| titletext = CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
{{w|Common Vulnerabilities and Exposures|CVE}} (Common Vulnerabilities and Exposures) is a standardized format for assigning an identity to a cybersecurity vulnerability (similar to the way that astronomical bodies are assigned unique identifiers by committees). Giving vulnerabilities a unique identifier makes them easier to talk about and helps in keeping track of the progress made toward resolving them. The typical format of a CVE identifier is '''CVE-[YEAR]-[NUMBER]'''. For example, the CVE identifier for 2017's widespread {{w|Meltdown (security vulnerability)|Meltdown vulnerability}} is [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 CVE-2017-5754]. CVEs also contain a short description of the issue.&lt;br /&gt;
&lt;br /&gt;
In this comic (released in February 2018), Randall presents a number of spurious predicted CVEs for later in 2018. Each CVE identifier is given as &amp;quot;CVE-2018-?????&amp;quot;, reflecting the fact that they have not yet happened so we don't know exactly what their CVE identifier will be.&lt;br /&gt;
&lt;br /&gt;
==Table of possible CVE==&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 30%;&amp;quot; | Security Vulnerability&lt;br /&gt;
! style=&amp;quot;width: 70%;&amp;quot; | Notes&lt;br /&gt;
|-&lt;br /&gt;
|Apple products crash when displaying certain {{w|Telugu language|Telugu}} or {{w|Bengali language|Bengali}} letter combinations.&lt;br /&gt;
|This refers to a real vulnerability in iOS and MacOS publicized a few days before the comic was released,&amp;lt;ref&amp;gt;https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/&amp;lt;/ref&amp;gt; as well as past similar iOS vulnerabilities&amp;lt;ref&amp;gt;https://thenextweb.com/apps/2017/01/18/iphone-ipad-apple-text-ios-bug/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.telegraph.co.uk/technology/2018/01/18/apple-text-bomb-can-crash-iphones-single-message/&amp;lt;/ref&amp;gt;.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can use a timing attack to extploit [''sic''] a race condition in {{w|Garbage collection (computer science)|garbage collection}} to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
|The reference to using a Timing Attack to exploit a race condition in garbage collection refers to Meltdown and Spectre CPU flaws that can be exploited in a cloud server like the ones in Wikipedia. {{w|Claude Shannon}} was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits. &lt;br /&gt;
&lt;br /&gt;
This is not a security problem. However, since Shannon formulated how the amount of unique or actual information some entity contains is proportional to the number of bits required to encode it, retrieving only a few bits casts a dark perspective upon the significance of the Shannon article's content.&lt;br /&gt;
|-&lt;br /&gt;
|At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
|Cafés often offer free access to WiFi as a service to patrons, as a business strategy to encourage said patrons to remain in the building and buy more coffee. Some use a password, so that only patrons can use the WiFi, and may display the password on signage inside. Since anybody could go into the cafe to read the post-it, and then use the network from nearby, the ability to read it from outside is, at most, a trivial problem. For systems that are supposed to be secure, writing passwords in a visible place is a major security flaw. For instance, following the [[wikipedia:2018 Hawaii false missile alert|2018 Hawaii false missile alert]], the agency concerned received criticism for a press photo showing a password written on a sticky note attached to a monitor.&amp;lt;ref&amp;gt;http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&amp;amp;IR=T&amp;lt;/ref&amp;gt; &lt;br /&gt;
|-&lt;br /&gt;
|A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
|Describes a common feature on news sites or social media sites like Facebook. The possibility for users to &amp;quot;inject&amp;quot; text into the page is by design. This is a humorous reference to the relatively common security vulnerability &amp;quot;[[Wikipedia:Cross-site_scripting|persistent cross-site scripting]]&amp;quot;, where input provided by a user, such as through a comment section, can result in dangerous content containing arbitrary HTML or JavaScript code being displayed to other users. &lt;br /&gt;
|-&lt;br /&gt;
|MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
|Some people pronounce &amp;quot;{{w|SQL}}&amp;quot; like &amp;quot;sequel&amp;quot;, after SQL's predecessor &amp;quot;SEQUEL (Structured English Query Language)&amp;quot;. The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it &amp;quot;sequel&amp;quot;, so the debate is persisting (with even more justification than arguments about how to pronounce &amp;quot;GIF&amp;quot;). MySQL is an open-source relational database management system. The latest generally available version (at the time of writing) is MySQL 5.7.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
|{{w|Privilege escalation}} refers to any illegitimate means by which a system user gains greater access than they are supposed to have, and most hackers will seek to achieve this if they can. The most highly-sought privilege is that of the root user, which allows complete access to an entire system&amp;amp;mdash; a ''superuser''.&lt;br /&gt;
&lt;br /&gt;
The irony of this CVE is that it presents the reverse situation: a flaw inadvertently ''de-escalates'' a root user to a less privileged user. This would cripple the ''superuser'', who would be denied the access or ability to accomplish their required tasks, or worse, cause tasks that do not {{w|fail safe}} to have catastrophic side effects.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
|This is a reference to a common problem of modern gadgets catching fire (usually related to flaws in lithium-ion batteries), as well as to Apple products crashing when attempting to display certain character sequences. Diacritics are the accents found on letters in some languages (e.g. č, ģ, ķ, ļ, ņ, š, ž). These would not normally be found on emojis.&lt;br /&gt;
|-&lt;br /&gt;
|An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
|This probably refers to the movie {{w|Air Bud}}, about a dog playing basketball. This has been a common theme in xkcd comics: see [[115: Meerkat]], [[1439: Rack Unit]], [[1819: Sweet 16]], [[1552: Rulebook]].&lt;br /&gt;
In 2017, it was discovered that an oversight in the constitution of the state of Kansas may [http://www.kansascity.com/news/politics-government/article175956836.html permit a dog to be governor]. Shortly before this comic was published, the Secretary of State's office ruled that [http://dfw.cbslocal.com/2018/02/13/dog-kansas-governor/ it could not].&lt;br /&gt;
|-&lt;br /&gt;
|Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer [''sic''] in Missouri that no one's checked on in a while.&lt;br /&gt;
|{{w|Haskell (programming language)|Haskell}} is a functional programming language. Functional programming is characterized by using functions that don't have side effects because they cannot change things accessible in other parts of the program, as in [[1312: Haskell]]. The joke here is the discovery that Haskell does indeed have side effects, which manifest externally (on a remote computer) and so do not violate the paradigm that nothing inside the program is altered.&lt;br /&gt;
|-&lt;br /&gt;
|Nobody really knows how hypervisors work.&lt;br /&gt;
|[[wikipedia:Hypervisor|&amp;quot;Hypervisors&amp;quot;]] are a tool for computer virtualization. Virtualization is complex to implement, as it requires a computer to completely simulate another computer, with its own unique hardware and software. Many IT professionals and businesses rely heavily on various forms of virtualization, but most of the individual employees would be hard-pressed to explain how it works. Programs running on other virtual computers, or on the real computer, may be able to access information on a virtual computer in ways which would not be possible with a single real computer. Consequently, understanding how the hypervisor works is important to assessing the security of a virtual server. Meltdown and Spectre are related to this.&lt;br /&gt;
|-&lt;br /&gt;
|Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
|This joke is about arcane systems that are running Linux in exceedingly rare situations, meaning that reproducing errors would be incredibly difficult or inconvenient, and would only affect a very tiny user base (if any at all). {{w|IBM System/390 ES/9000 Enterprise Systems Architecture ESA family|System/390}} is an IBM mainframe introduced almost 30 years before this comic, which has a version of Linux. UTC+14 is a time zone used only on some islands in the Pacific Ocean (Primarily [[Wikipedia:Line_Islands|the Line Islands]]) and is also the earliest time zone on earth. Even if all of these absurd conditions were met, the resulting vulnerability would still be relatively benign: simply changing a user's preferred clock display format. Other xkcd comics make references to such obscure computer-time issues relating to time zones and time conversions, and how many programmers find these issues frustrating or even traumatizing. &lt;br /&gt;
|-&lt;br /&gt;
|x86 has way too many instructions.&lt;br /&gt;
|The x86 architecture (used in many Intel and AMD processors) is very complicated. Processors typically implement such a complex architecture using programs (microcode) run on a set of hidden, proprietary processors. The details of these hidden machines and errors in the microcode can result in security vulnerabilities, such as Meltdown, where the physical machine does not match the conceptual machine.&lt;br /&gt;
&lt;br /&gt;
A more complicated instruction set is more complex to implement.{{Citation needed}} The x86 architecture is considered &amp;quot;CISC&amp;quot; (a &amp;quot;{{w|Complex instruction set computer}}&amp;quot;), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first {{w|Apple Macintosh}}. In the 1980s, this design philosophy was countered by the &amp;quot;RISC&amp;quot; (&amp;quot;{{w|Reduced instruction set computer}}&amp;quot;) design movement - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. Examples of RISC style designs include {{w|SPARC}}, {{w|MIPS}}, {{w|PowerPC}} (used by Apple in later Macintoshes) and the {{w|ARM architecture|ARM}} chips common in mobile phones. Historically, there was considerable discussion about the merits of each approach. At one time the Mac and Windows PC were on different sides; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s. This &amp;quot;issue&amp;quot; may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk. However, the 64-bit architecture introduced by {{w|AMD}}, and since adopted by {{w|Intel}}, does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. 
Recent security issues, such as the speculative cache load issue in Meltdown and Spectre, depend more on details of implementation, rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.&lt;br /&gt;
&lt;br /&gt;
This explanation has way too many words.&lt;br /&gt;
|-&lt;br /&gt;
|NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
|NumPy is the fundamental package for scientific computing with the programming language Python. ''O''(log ''n'') is [[wikipedia:Big_O_notation#Infinite_asymptotics|Big O notation]] meaning that the time it takes for a computer algorithm to run is in the order of log ''n'', for an input of size ''n''. ''O''(log ''n'') is very fast and is more usual for a search algorithm. Prime factorization currently is ''O''(''2''&amp;lt;sup&amp;gt;''n''&amp;lt;/sup&amp;gt;n)). If something can find the prime factors of a number this quickly, especially a [[wikipedia:semiprime|semiprime]] with two large factors, it will enable attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and &amp;quot;factoring primes&amp;quot; quickly is a simpler problem, that of [[wikipedia:Primality test|proving that a number is in fact a prime]]. &lt;br /&gt;
|-&lt;br /&gt;
|Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
|Another joke on the first CVE and [[wikipedia:I before E except after C|a common English writing rule of thumb]], which fails almost as often as it succeeds. Possibly a jab at Apple's image, portraying their software as unable to handle improper grammar or spelling.&lt;br /&gt;
|-&lt;br /&gt;
|Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
|Skylake x86 chips are a line of microprocessors made by Intel. Some processors are soldered directly to a system board or daughter board, while others are attached to boards that plug into the system board by means of a socket (pins or connectors that make physical contact with receptacles or connectors on a system board). Some sockets, especially older ones, require force to insert or remove, and often require the use of a flat blade screwdriver or a specialized tool, but most modern ones use ZIF (Zero Insertion Force) techniques, often involving a lever or similar to tighten or loosen the friction/tightness of the contacts. No screwdriver is needed in this case. However, any processor ''can'' be forcefully removed from its socket with a screwdriver.{{Citation needed}}&lt;br /&gt;
|-&lt;br /&gt;
|Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
|{{w|Linus Torvalds}} is the {{w|benevolent dictator for life}} of the Linux kernel codebase. Normally it is hard to make changes because he has the last word, and because the kernel is replicated in all Linux installations. Linus made the news in January 2018 when, having looked at one of Intel's proposed fixes for the Spectre and Meltdown vulnerabilities, he declared &amp;quot;the patches are COMPLETE AND UTTER GARBAGE&amp;quot;.&amp;lt;ref&amp;gt;https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/&amp;lt;/ref&amp;gt; Presumably, it may be found that he may be successfully bribed to be less blunt and/or less critical of vulnerability fixes that are complete and/or utter garbage. If this were the case, this would be a severe critical vulnerability to all Linux servers and machines.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
|The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code if they have root access and the necessary tools, but this would usually not be described as an attack, except in the case of a locked-down appliance, such as a video game console, a John Deere tractor, or pay TV decoder.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
|This could refer to a CVE vulnerability of JPG files where JavaScript embedded within the image file is executed by some application. In this case, though, the code is visible on the image instead of invisibly encoded within the image file. The code is also only executed if the image contains a photo of a baby in a saddle riding a dog. It's unclear whether the photo would be a digital photo, a printed photo (i.e. as taken using a digital camera), or maybe both. This &amp;quot;bug&amp;quot; would not only require the device to figure out specifically what the photo contains image-wise (something that's REALLY HARD for computers to do reliably), but would also require OCR (optical character recognition) code to convert the text superimposed on the photo into executable code. In other words, it's hard to believe in 2018 that such a bug could exist. Maybe in the future when such things are more routine...? As an example, OCR used to be hard to do reliably, but now it's a lot more routine and built into a lot of devices.&lt;br /&gt;
|-&lt;br /&gt;
|Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
|Flash had been an integral browser plugin for decades, but fell out of favor in the 2010s and was eventually discontinued because of its notoriously abysmal security record. All security experts advise against installing it. Preventing installation of Flash would make systems more secure, but most versions of Windows do not prevent Flash installation. The joke here relates to the difficulty of keeping Flash up to date, or even installed properly to begin with. A common user experience, which is the subject of numerous jokes and memes, is the constant nagging notification to install or update Flash in order for web pages to display properly. Many IT professionals will bemoan the trouble they have experienced in the workplace due to these notifications and problems related to them.&lt;br /&gt;
|-&lt;br /&gt;
|Turns out the cloud is just other people's computers.&lt;br /&gt;
|This refers to a meme that demands that &amp;quot;cloud&amp;quot; be replaced with &amp;quot;other people's computers&amp;quot; in all marketing presentations to CEOs and non-computer-literate persons evaluating the security impact of using cloud services. Part of the humor here is that &amp;quot;the cloud&amp;quot; is, in actuality, simply a term for hosted services, or in other words computers being run by other people (typically businesses that specialize in this type of &amp;quot;Platform as a Service&amp;quot; or &amp;quot;PaaS&amp;quot; service model). Referring to &amp;quot;the cloud&amp;quot; as &amp;quot;other people's computers&amp;quot; is, at its core, entirely accurate, though it takes away the business jargon and simplifies the situation in such a way that it might cast doubt on the security, reliability, and general effectiveness of using &amp;quot;cloud&amp;quot; solutions.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in Mitre's CVE database allows arbitrary code insertion.[[779|[~~CLICK HERE FOR CHEAP VIAGRA~~]]]&lt;br /&gt;
|Mitre's CVE database is where all {{w|Common Vulnerabilities and Exposures|CVEs}} are stored. This log message forms the punchline of the comic, as it implies that all of the exaggerated error messages above might have been inserted by hackers exploiting the vulnerability. To pour salt in the wound, they then included a typical spam link purporting to offer inexpensive {{w|Viagra|brand-name Sildenafil}}.&lt;br /&gt;
|-&lt;br /&gt;
|It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
|Appears in the title text. {{w|Bruce Schneier}} is a security researcher and blogger. The &amp;quot;two kids in a trenchcoat&amp;quot; is a reference to the {{tvtropes|TotemPoleTrench|Totem Pole Trench}} trope. Shortly before this comic was posted, a [https://rare.us/rare-humor/two-kids-dressed-as-a-tall-man-to-get-into-black-panther-is-caught-on-video story went viral] in which two kids were photographed attempting this for real to get into a screening of ''Black Panther''.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[A heading is centered above a list of 21 vulnerabilities]&lt;br /&gt;
:&amp;lt;big&amp;gt;Leaked list of major 2018 security vulnerabilities &amp;lt;/big&amp;gt;&lt;br /&gt;
&lt;br /&gt;
:CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
:CVE-2018-????? An attacker can use a timing attack to extploit a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
:CVE-2018-????? At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
:CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
:CVE-2018-????? MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
:CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
:CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
:CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
:CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer in Missouri that no one's checked on in a while.&lt;br /&gt;
:CVE-2018-????? Nobody really knows how hypervisors work.&lt;br /&gt;
:CVE-2018-????? Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
:CVE-2018-????? x86 has way too many instructions.&lt;br /&gt;
:CVE-2018-????? NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
:CVE-2018-????? Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
:CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
:CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
:CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
:CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
:CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
:CVE-2018-????? Turns out the cloud is just other people's computers.&lt;br /&gt;
:CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.&amp;lt;span style=&amp;quot;color:blue&amp;quot;&amp;gt;[~~Click here for cheap viagra~~]&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
&lt;br /&gt;
Randall has previously referenced diacritics in [[1647: Diacritics]].&lt;br /&gt;
&lt;br /&gt;
Bruce Schneier was previously mentioned in the title texts of [[748: Worst-Case Scenario]] and [[1039: RuBisCO]].&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Charts]]&lt;br /&gt;
[[Category:Programming]]&lt;br /&gt;
[[Category:Computers]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159393</id>
		<title>1957: 2018 CVE List</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159393"/>
				<updated>2018-06-27T23:16:01Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Table of possible CVE */ If you're not a SuperUser, you're a cripple&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1957&lt;br /&gt;
| date      = February 19, 2018&lt;br /&gt;
| title     = 2018 CVE List&lt;br /&gt;
| image     = 2018_cve_list.png&lt;br /&gt;
| titletext = CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
{{w|Common Vulnerabilities and Exposures|CVE}} (Common Vulnerabilities and Exposures) is a standardized format for assigning an identity to a cybersecurity vulnerability (similar to the way that astronomical bodies are assigned unique identifiers by committees). Giving vulnerabilities a unique identifier makes them easier to talk about and helps in keeping track of the progress made toward resolving them. The typical format of a CVE identifier is '''CVE-[YEAR]-[NUMBER]'''. For example, the CVE identifier for 2017's widespread {{w|Meltdown (security vulnerability)|Meltdown vulnerability}} is [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 CVE-2017-5754]. CVEs also contain a short description of the issue.&lt;br /&gt;
&lt;br /&gt;
In this comic (released in February 2018), Randall presents a number of spurious predicted CVEs for later in 2018. Each CVE identifier is given as &amp;quot;CVE-2018-?????&amp;quot;, reflecting the fact that they have not yet happened so we don't know exactly what their CVE identifier will be.&lt;br /&gt;
&lt;br /&gt;
==Table of possible CVE==&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 30%;&amp;quot; | Security Vulnerability&lt;br /&gt;
! style=&amp;quot;width: 70%;&amp;quot; | Notes&lt;br /&gt;
|-&lt;br /&gt;
|Apple products crash when displaying certain {{w|Telugu language|Telugu}} or {{w|Bengali language|Bengali}} letter combinations.&lt;br /&gt;
|This refers to a real vulnerability in iOS and MacOS publicized a few days before the comic was released,&amp;lt;ref&amp;gt;https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/&amp;lt;/ref&amp;gt; as well as past similar iOS vulnerabilities&amp;lt;ref&amp;gt;https://thenextweb.com/apps/2017/01/18/iphone-ipad-apple-text-ios-bug/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.telegraph.co.uk/technology/2018/01/18/apple-text-bomb-can-crash-iphones-single-message/&amp;lt;/ref&amp;gt;.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can use a timing attack to extploit [''sic''] a race condition in {{w|Garbage collection (computer science)|garbage collection}} to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
|The reference to using a Timing Attack to exploit a race condition in garbage collection refers to Meltdown and Spectre CPU flaws that can be exploited in a cloud server like the ones in Wikipedia. {{w|Claude Shannon}} was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits. &lt;br /&gt;
&lt;br /&gt;
This is not a security problem. However, since Shannon formulated how the amount of unique or actual information some entity contains is proportional to the number of bits required to encode it, retrieving only a few bits casts a dark perspective upon the significance of the Shannon article's content.&lt;br /&gt;
|-&lt;br /&gt;
|At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
|Cafés often offer free access to WiFi as a service to patrons, as a business strategy to encourage said patrons to remain in the building and buy more coffee. Some use a password, so that only patrons can use the WiFi, and may display the password on signage inside. Since anybody could go into the cafe to read the post-it, and then use the network from nearby, the ability to read it from outside is, at most, a trivial problem. For systems that are supposed to be secure, writing passwords in a visible place is a major security flaw. For instance, following the [[wikipedia:2018 Hawaii false missile alert|2018 Hawaii false missile alert]], the agency concerned received criticism for a press photo showing a password written on a sticky note attached to a monitor.&amp;lt;ref&amp;gt;http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&amp;amp;IR=T&amp;lt;/ref&amp;gt; &lt;br /&gt;
|-&lt;br /&gt;
|A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
|Describes a common feature on news sites or social media sites like Facebook. The possibility for users to &amp;quot;inject&amp;quot; text into the page is by design. This is a humorous reference to the relatively common security vulnerability &amp;quot;[[Wikipedia:Cross-site_scripting|persistent cross-site scripting]]&amp;quot;, where input provided by a user, such as through a comment section, can result in dangerous content containing arbitrary HTML or JavaScript code being displayed to other users. &lt;br /&gt;
|-&lt;br /&gt;
|MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
|Some people pronounce &amp;quot;{{w|SQL}}&amp;quot; like &amp;quot;sequel&amp;quot;, after SQL's predecessor &amp;quot;SEQUEL (Structured English Query Language)&amp;quot;. The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it &amp;quot;sequel&amp;quot;, so the debate is persisting (with even more justification than arguments about how to pronounce &amp;quot;GIF&amp;quot;). MySQL is an open-source relational database management system. The latest generally available version (at the time of writing) is MySQL 5.7.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
|{{w|Privilege escalation}} refers to any illegitimate means by which a system user gains greater access than they are supposed to have, and most hackers will seek to achieve this if they can. The most highly-sought privilege is that of the root user, which allows complete access to an entire system&amp;amp;mdash; a ''superuser''.&lt;br /&gt;
&lt;br /&gt;
The irony of this CVE is that it presents the reverse situation: a flaw inadvertently ''de-escalates'' a root user to a less privileged user. This would cripple the ''superuser'': they would be denied the access or ability to accomplish their required tasks or, worse, cause tasks which do not {{w|fail safe}} to have catastrophic side effects.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
|This is a reference to a common problem of modern gadgets catching fire (usually related to flaws in lithium-ion batteries), as well as to Apple products crashing when attempting to display certain character sequences. Diacritics are the accents found on letters in some languages (e.g. č, ģ, ķ, ļ, ņ, š, ž). These would not normally be found on emojis.&lt;br /&gt;
|-&lt;br /&gt;
|An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
|This probably refers to the movie {{w|Air Bud}}, about a dog playing basketball. This has been a common theme in xkcd comics: see [[115: Meerkat]], [[1439: Rack Unit]], [[1819: Sweet 16]], [[1552: Rulebook]].&lt;br /&gt;
In 2017, it was discovered that an oversight in the constitution of the state of Kansas may [http://www.kansascity.com/news/politics-government/article175956836.html permit a dog to be governor]. Shortly before this comic was published, the Secretary of State's office ruled that [http://dfw.cbslocal.com/2018/02/13/dog-kansas-governor/ it could not].&lt;br /&gt;
|-&lt;br /&gt;
|Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer [''sic''] in Missouri that no one's checked on in a while.&lt;br /&gt;
|{{w|Haskell (programming language)|Haskell}} is a functional programming language. Functional programming is characterized by using functions that don't have side effects (can't change things which would be accessible in other parts of the program), as in [[1312: Haskell]]. The joke here is discovering that it does indeed have side-effects, but for some unknown (and highly absurd) reason they only manifest on a specific computer in a nondescript location, but no one has noticed.&lt;br /&gt;
|-&lt;br /&gt;
|Nobody really knows how hypervisors work.&lt;br /&gt;
|[[wikipedia:Hypervisor|&amp;quot;Hypervisors&amp;quot;]] are a tool for computer virtualization. Virtualization is complex to implement, as it requires a computer to completely simulate another computer, with its own unique hardware and software. Many IT professionals and businesses rely heavily on various forms of virtualization, but most of the individual employees would be hard-pressed to explain how it works. Programs running on other virtual computers, or on the real computer, may be able to access information on a virtual computer in ways which would not be possible with a single real computer. Consequently, understanding how the hypervisor works is important to assessing the security of a virtual server. Meltdown and Spectre are related to this.&lt;br /&gt;
|-&lt;br /&gt;
|Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
|This joke is about arcane systems that are running Linux in exceedingly rare situations, meaning that reproducing errors would be incredibly difficult or inconvenient, and would only affect a very tiny user base (if any at all). {{w|IBM System/390 ES/9000 Enterprise Systems Architecture ESA family|System/390}} is an IBM mainframe introduced almost 30 years before this comic, which has a version of Linux. UTC+14 is a time zone used only on some islands in the Pacific Ocean (primarily [[Wikipedia:Line_Islands|the Line Islands]]) and is also the earliest time zone on Earth. Even if all of these absurd conditions were met, the resulting vulnerability would still be relatively benign: simply changing a user's preferred clock display format. Other xkcd comics make references to such obscure computer-time issues relating to time zones and time conversions, and how many programmers find these issues frustrating or even traumatizing. &lt;br /&gt;
|-&lt;br /&gt;
|x86 has way too many instructions.&lt;br /&gt;
|The x86 architecture (used in many Intel and AMD processors) is very complicated. Processors typically implement such a complex architecture using programs (microcode) run on a set of hidden, proprietary processors. The details of these hidden machines and errors in the microcode can result in security vulnerabilities, such as Meltdown, where the physical machine does not match the conceptual machine.&lt;br /&gt;
&lt;br /&gt;
A more complicated instruction set is more complex to implement.{{Citation needed}} The x86 architecture is considered &amp;quot;CISC&amp;quot; (a &amp;quot;{{w|Complex instruction set computer}}&amp;quot;), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first {{w|Apple Macintosh}}. In the 1980s, this design philosophy was countered by the &amp;quot;RISC&amp;quot; (&amp;quot;{{w|Reduced instruction set computer}}&amp;quot;) design movement - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. Examples of RISC style designs include {{w|SPARC}}, {{w|MIPS}}, {{w|PowerPC}} (used by Apple in later Macintoshes) and the {{w|ARM architecture|ARM}} chips common in mobile phones. Historically, there was considerable discussion about the merits of each approach. At one time the Mac and Windows PC were on different sides; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s. This &amp;quot;issue&amp;quot; may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk. However, the 64-bit architecture introduced by {{w|AMD}}, and since adopted by {{w|Intel}}, does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. 
Recent security issues, such as the speculative cache load issue in Meltdown and Spectre, depend more on details of implementation, rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.&lt;br /&gt;
&lt;br /&gt;
This explanation has way too many words.&lt;br /&gt;
|-&lt;br /&gt;
|NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
|NumPy is the fundamental package for scientific computing with the programming language Python. ''O''(log ''n'') is [[wikipedia:Big_O_notation#Infinite_asymptotics|Big O notation]] meaning that the time it takes for a computer algorithm to run is in the order of log ''n'', for an input of size ''n''. ''O''(log ''n'') is very fast and is more usual for a search algorithm. Prime factorization currently is ''O''(''2''&amp;lt;sup&amp;gt;''n''&amp;lt;/sup&amp;gt;n)). If something can find the prime factors of a number this quickly, especially a [[wikipedia:semiprime|semiprime]] with two large factors, it will enable attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and &amp;quot;factoring primes&amp;quot; quickly is a simpler problem, that of [[wikipedia:Primality test|proving that a number is in fact a prime]]. &lt;br /&gt;
|-&lt;br /&gt;
|Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
|Another joke on the first CVE and [[wikipedia:I before E except after C|a common English writing rule of thumb]], which fails almost as often as it succeeds. Possibly a jab at Apple's image, portraying their software as unable to handle improper grammar or spelling.&lt;br /&gt;
|-&lt;br /&gt;
|Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
|Skylake x86 chips are a line of microprocessors made by Intel. Some processors are soldered directly to a system board or daughter board, while others are attached to boards that plug into the system board by means of a socket (pins or connectors that make physical contact with receptacles or connectors on a system board). Some sockets, especially older ones, require force to insert or remove, and often require the use of a flat blade screwdriver or a specialized tool, but most modern ones use ZIF (Zero Insertion Force) techniques, often involving a lever or similar to tighten or loosen the friction/tightness of the contacts. No screwdriver is needed in this case. However, any processor ''can'' be forcefully removed from its socket with a screwdriver.{{Citation needed}}&lt;br /&gt;
|-&lt;br /&gt;
|Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
|{{w|Linus Torvalds}} is the {{w|benevolent dictator for life}} of the Linux kernel codebase. Normally it is hard to make changes because he has the last word, and because the kernel is replicated in all Linux installations. Linus made the news in January 2018 when, having looked at one of Intel's proposed fixes for the Spectre and Meltdown vulnerabilities, he declared &amp;quot;the patches are COMPLETE AND UTTER GARBAGE&amp;quot;.&amp;lt;ref&amp;gt;https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/&amp;lt;/ref&amp;gt; Presumably, it may be found that he may be successfully bribed to be less blunt and/or less critical of vulnerability fixes that are complete and/or utter garbage. If this were the case, this would be a severe critical vulnerability to all Linux servers and machines.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
|The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code if they have root access and the necessary tools, but this would usually not be described as an attack, except in the case of a locked-down appliance, such as a video game console, a John Deere tractor, or pay TV decoder.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
|This could refer to a CVE vulnerability of JPG files where JavaScript embedded within the image file is executed by some application. In this case, though, the code is visible on the image instead of invisibly encoded within the image file. The code is also only executed if the image contains a photo of a baby in a saddle riding a dog. It's unclear whether the photo would be a digital photo, a printed photo (i.e. as taken using a digital camera), or maybe both. This &amp;quot;bug&amp;quot; would not only require the device to figure out specifically what the photo contains image-wise (something that's REALLY HARD for computers to do reliably), but would also require OCR (optical character recognition) code to convert the text superimposed on the photo into executable code. In other words, it's hard to believe in 2018 that such a bug could exist. Maybe in the future when such things are more routine...? As an example, OCR used to be hard to do reliably, but now it's a lot more routine and built into a lot of devices.&lt;br /&gt;
|-&lt;br /&gt;
|Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
|Flash had been an integral browser plugin for decades, but fell out of favor in the 2010s and was eventually discontinued because of its notoriously abysmal security record. All security experts advise against installing it. Preventing installation of Flash would make systems more secure, but most versions of Windows do not prevent Flash installation. The joke here relates to the difficulty of keeping Flash up to date, or even installed properly to begin with. A common user experience, which is the subject of numerous jokes and memes, is the constant nagging notification to install or update Flash in order for web pages to display properly. Many IT professionals will bemoan the trouble they have experienced in the workplace due to these notifications and problems related to them.&lt;br /&gt;
|-&lt;br /&gt;
|Turns out the cloud is just other people's computers.&lt;br /&gt;
|This refers to a meme that demands that &amp;quot;cloud&amp;quot; be replaced with &amp;quot;other people's computers&amp;quot; in all marketing presentations to CEOs and non-computer-literate persons evaluating the security impact of using cloud services. Part of the humor here is that &amp;quot;the cloud&amp;quot; is, in actuality, simply a term for hosted services, or in other words computers being run by other people (typically businesses that specialize in this type of &amp;quot;Platform as a Service&amp;quot; or &amp;quot;PaaS&amp;quot; service model). Referring to &amp;quot;the cloud&amp;quot; as &amp;quot;other people's computers&amp;quot; is, at its core, entirely accurate, though it takes away the business jargon and simplifies the situation in such a way that it might cast doubt on the security, reliability, and general effectiveness of using &amp;quot;cloud&amp;quot; solutions.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in Mitre's CVE database allows arbitrary code insertion.[[779|[~~CLICK HERE FOR CHEAP VIAGRA~~]]]&lt;br /&gt;
|Mitre's CVE database is where all {{w|Common Vulnerabilities and Exposures|CVEs}} are stored. This log message forms the punchline of the comic, as it implies that all of the exaggerated error messages above might have been inserted by hackers exploiting the vulnerability. To pour salt in the wound, they then included a typical spam link purporting to offer inexpensive {{w|Viagra|brand-name Sildenafil}}.&lt;br /&gt;
|-&lt;br /&gt;
|It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
|Appears in the title text. {{w|Bruce Schneier}} is a security researcher and blogger. The &amp;quot;two kids in a trenchcoat&amp;quot; is a reference to the {{tvtropes|TotemPoleTrench|Totem Pole Trench}} trope. Shortly before this comic was posted, a [https://rare.us/rare-humor/two-kids-dressed-as-a-tall-man-to-get-into-black-panther-is-caught-on-video story went viral] in which two kids were photographed attempting this for real to get into a screening of ''Black Panther''.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[A heading is centered above a list of 21 vulnerabilities]&lt;br /&gt;
:&amp;lt;big&amp;gt;Leaked list of major 2018 security vulnerabilities &amp;lt;/big&amp;gt;&lt;br /&gt;
&lt;br /&gt;
:CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
:CVE-2018-????? An attacker can use a timing attack to extploit a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
:CVE-2018-????? At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
:CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
:CVE-2018-????? MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
:CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
:CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
:CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
:CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer in Missouri that no one's checked on in a while.&lt;br /&gt;
:CVE-2018-????? Nobody really knows how hypervisors work.&lt;br /&gt;
:CVE-2018-????? Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
:CVE-2018-????? x86 has way too many instructions.&lt;br /&gt;
:CVE-2018-????? NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
:CVE-2018-????? Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
:CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
:CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
:CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
:CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
:CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
:CVE-2018-????? Turns out the cloud is just other people's computers.&lt;br /&gt;
:CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.&amp;lt;span style=&amp;quot;color:blue&amp;quot;&amp;gt;[~~Click here for cheap viagra~~]&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
&lt;br /&gt;
Randall has previously referenced diacritics in [[1647: Diacritics]].&lt;br /&gt;
&lt;br /&gt;
Bruce Schneier was previously mentioned in the title texts of [[748: Worst-Case Scenario]] and [[1039: RuBisCO]].&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Charts]]&lt;br /&gt;
[[Category:Programming]]&lt;br /&gt;
[[Category:Computers]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159390</id>
		<title>1957: 2018 CVE List</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=159390"/>
				<updated>2018-06-27T21:22:15Z</updated>
		
		<summary type="html">&lt;p&gt;WurmWoode: /* Table of possible CVE */ You missed the cheap shot at Shannon vs information (bit) content&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1957&lt;br /&gt;
| date      = February 19, 2018&lt;br /&gt;
| title     = 2018 CVE List&lt;br /&gt;
| image     = 2018_cve_list.png&lt;br /&gt;
| titletext = CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
&lt;br /&gt;
{{w|Common Vulnerabilities and Exposures|CVE}} (Common Vulnerabilities and Exposures) is a standardized format for assigning an identity to a cybersecurity vulnerability (similar to the way that astronomical bodies are assigned unique identifiers by committees). Giving vulnerabilities a unique identifier makes them easier to talk about and helps in keeping track of the progress made toward resolving them. The typical format of a CVE identifier is '''CVE-[YEAR]-[NUMBER]'''. For example, the CVE identifier for 2017's widespread {{w|Meltdown (security vulnerability)|Meltdown vulnerability}} is [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 CVE-2017-5754]. CVEs also contain a short description of the issue.&lt;br /&gt;
&lt;br /&gt;
In this comic (released in February 2018), Randall presents a number of spurious predicted CVEs for later in 2018. Each CVE identifier is given as &amp;quot;CVE-2018-?????&amp;quot;, reflecting the fact that they have not yet happened so we don't know exactly what their CVE identifier will be.&lt;br /&gt;
&lt;br /&gt;
==Table of possible CVE==&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 30%;&amp;quot; | Security Vulnerability&lt;br /&gt;
! style=&amp;quot;width: 70%;&amp;quot; | Notes&lt;br /&gt;
|-&lt;br /&gt;
|Apple products crash when displaying certain {{w|Telugu language|Telugu}} or {{w|Bengali language|Bengali}} letter combinations.&lt;br /&gt;
|This refers to a real vulnerability in iOS and MacOS publicized a few days before the comic was released,&amp;lt;ref&amp;gt;https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/&amp;lt;/ref&amp;gt; as well as past similar iOS vulnerabilities&amp;lt;ref&amp;gt;https://thenextweb.com/apps/2017/01/18/iphone-ipad-apple-text-ios-bug/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.telegraph.co.uk/technology/2018/01/18/apple-text-bomb-can-crash-iphones-single-message/&amp;lt;/ref&amp;gt;.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can use a timing attack to extploit [''sic''] a race condition in {{w|Garbage collection (computer science)|garbage collection}} to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
|The reference to using a timing attack to exploit a race condition in garbage collection refers to the Meltdown and Spectre CPU flaws that can be exploited in a cloud server like the ones in Wikipedia. {{w|Claude Shannon}} was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits.&lt;br /&gt;
&lt;br /&gt;
This is not a security problem. However, since Shannon formulated how the amount of unique or actual information some entity contains is proportional to the number of bits required to encode it, retrieving only a few bits casts a dark perspective upon the significance of the Shannon article's content.&lt;br /&gt;
|-&lt;br /&gt;
|At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
|Cafés often offer free access to WiFi as a service to patrons, as a business strategy to encourage said patrons to remain in the building and buy more coffee. Some use a password, so that only patrons can use the WiFi, and may display the password on signage inside. Since anybody could go into the cafe to read the post-it, and then use the network from nearby, the ability to read it from outside is, at most, a trivial problem. For systems that are supposed to be secure, writing passwords in a visible place is a major security flaw. For instance, following the [[wikipedia:2018 Hawaii false missile alert|2018 Hawaii false missile alert]], the agency concerned received criticism for a press photo showing a password written on a sticky note attached to a monitor.&amp;lt;ref&amp;gt;http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&amp;amp;IR=T&amp;lt;/ref&amp;gt; &lt;br /&gt;
|-&lt;br /&gt;
|A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
|Describes a common feature on news sites or social media sites like Facebook. The possibility for users to &amp;quot;inject&amp;quot; text into the page is by design. This is a humorous reference to the relatively common security vulnerability &amp;quot;[[Wikipedia:Cross-site_scripting|persistent cross-site scripting]]&amp;quot;, where input provided by a user, such as through a comment section, can result in dangerous content containing arbitrary HTML or JavaScript code being displayed to other users. &lt;br /&gt;
|-&lt;br /&gt;
|MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
|Some people pronounce &amp;quot;{{w|SQL}}&amp;quot; like &amp;quot;sequel&amp;quot;, after SQL's predecessor &amp;quot;SEQUEL (Structured English Query Language)&amp;quot;. The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it &amp;quot;sequel&amp;quot;, so the debate is persisting (with even more justification than arguments about how to pronounce &amp;quot;GIF&amp;quot;). MySQL is an open-source relational database management system. The latest generally available version (at the time of writing) is MySQL 5.7.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
|{{w|Privilege escalation}} refers to any illegitimate means by which a system user gains greater access than they are supposed to have, and most hackers will seek to achieve this if they can. The most highly-sought privilege is that of the root user, which allows complete access to an entire system.&lt;br /&gt;
&lt;br /&gt;
This CVE, however, presents the reverse situation: that a flaw can allow a root user to ''de-escalate'' to a less privileged user. This would have no obvious benefit, since anything the user could do in the new mode, they could have done before anyway. In any case, the root user can always de-escalate manually if they so choose, as they have complete control.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
|This is a reference to a common problem of modern gadgets catching fire (usually related to flaws in lithium-ion batteries), as well as to Apple products crashing when attempting to display certain character sequences. Diacritics are the accents found on letters in some languages (e.g. č, ģ, ķ, ļ, ņ, š, ž). These would not normally be found on emojis.&lt;br /&gt;
|-&lt;br /&gt;
|An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
|This probably refers to the movie {{w|Air Bud}}, about a dog playing basketball. This has been a common theme in xkcd comics: see [[115: Meerkat]], [[1439: Rack Unit]], [[1819: Sweet 16]], [[1552: Rulebook]].&lt;br /&gt;
In 2017, it was discovered that an oversight in the constitution of the state of Kansas may [http://www.kansascity.com/news/politics-government/article175956836.html permit a dog to be governor]. Shortly before this comic was published, the Secretary of State's office ruled that [http://dfw.cbslocal.com/2018/02/13/dog-kansas-governor/ it could not].&lt;br /&gt;
|-&lt;br /&gt;
|Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer [''sic''] in Missouri that no one's checked on in a while.&lt;br /&gt;
|{{w|Haskell (programming language)|Haskell}} is a functional programming language. Functional programming is characterized by using functions that don't have side effects (can't change things which would be accessible in other parts of the program), as in [[1312: Haskell]]. The joke here is discovering that it does indeed have side-effects, but for some unknown (and highly absurd) reason they only manifest on a specific computer in a nondescript location, but no one has noticed.&lt;br /&gt;
|-&lt;br /&gt;
|Nobody really knows how hypervisors work.&lt;br /&gt;
|[[wikipedia:Hypervisor|&amp;quot;Hypervisors&amp;quot;]] are a tool for computer virtualization. Virtualization is complex to implement, as it requires a computer to completely simulate another computer, with its own unique hardware and software. Many IT professionals and businesses rely heavily on various forms of virtualization, but most of the individual employees would be hard-pressed to explain how it works. Programs running on other virtual computers, or on the real computer, may be able to access information on a virtual computer in ways which would not be possible with a single real computer. Consequently, understanding how the hypervisor works is important to assessing the security of a virtual server. Meltdown and Spectre are related to this.&lt;br /&gt;
|-&lt;br /&gt;
|Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
|This joke is about arcane systems that are running Linux in exceedingly rare situations, meaning that reproducing errors would be incredibly difficult or inconvenient, and would only affect a very tiny user base (if any at all). {{w|IBM System/390 ES/9000 Enterprise Systems Architecture ESA family|System/390}} is an IBM mainframe introduced almost 30 years before this comic, which has a version of Linux. UTC+14 is a time zone used only on some islands in the Pacific Ocean (primarily [[Wikipedia:Line_Islands|the Line Islands]]) and is also the earliest time zone on Earth. Even if all of these absurd conditions were met, the resulting vulnerability would still be relatively benign: simply changing a user's preferred clock display format. Other xkcd comics make references to such obscure computer-time issues relating to time zones and time conversions, and how many programmers find these issues frustrating or even traumatizing.&lt;br /&gt;
|-&lt;br /&gt;
|x86 has way too many instructions.&lt;br /&gt;
|The x86 architecture (used in many Intel and AMD processors) is very complicated. Processors typically implement such a complex architecture using programs (microcode) run on a set of hidden, proprietary processors. The details of these hidden machines and errors in the microcode can result in security vulnerabilities, such as Meltdown, where the physical machine does not match the conceptual machine.&lt;br /&gt;
&lt;br /&gt;
A more complicated instruction set is more complex to implement.{{Citation needed}} The x86 architecture is considered &amp;quot;CISC&amp;quot; (a &amp;quot;{{w|Complex instruction set computer}}&amp;quot;), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first {{w|Apple Macintosh}}. In the 1980s, this design philosophy was countered by the &amp;quot;RISC&amp;quot; (&amp;quot;{{w|Reduced instruction set computer}}&amp;quot;) design movement - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. Examples of RISC style designs include {{w|SPARC}}, {{w|MIPS}}, {{w|PowerPC}} (used by Apple in later Macintoshes) and the {{w|ARM architecture|ARM}} chips common in mobile phones. Historically, there was considerable discussion about the merits of each approach. At one time the Mac and Windows PC were on different sides; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s. This &amp;quot;issue&amp;quot; may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk. However, the 64-bit architecture introduced by {{w|AMD}}, and since adopted by {{w|Intel}}, does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. 
Recent security issues, such as the speculative cache load issue in Meltdown and Spectre, depend more on details of implementation, rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.&lt;br /&gt;
&lt;br /&gt;
This explanation has way too many words.&lt;br /&gt;
|-&lt;br /&gt;
|NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
|NumPy is the fundamental package for scientific computing with the programming language Python. ''O''(log ''n'') is [[wikipedia:Big_O_notation#Infinite_asymptotics|Big O notation]] meaning that the time it takes for a computer algorithm to run is in the order of log ''n'', for an input of size ''n''. ''O''(log ''n'') is very fast and is more usual for a search algorithm. Prime factorization currently is ''O''(''2''&amp;lt;sup&amp;gt;''n''&amp;lt;/sup&amp;gt;n)). If something can find the prime factors of a number this quickly, especially a [[wikipedia:semiprime|semiprime]] with two large factors, it will enable attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and &amp;quot;factoring primes&amp;quot; quickly is a simpler problem, that of [[wikipedia:Primality test|proving that a number is in fact a prime]]. &lt;br /&gt;
|-&lt;br /&gt;
|Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
|Another joke on the first CVE and [[wikipedia:I before E except after C|a common English writing rule of thumb]], which fails almost as often as it succeeds. Possibly a jab at Apple's image, portraying their software as unable to handle improper grammar or spelling.&lt;br /&gt;
|-&lt;br /&gt;
|Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
|Skylake x86 chips are a line of microprocessors made by Intel. Some processors are soldered directly to a system board or daughter board, while others are attached to boards that plug into the system board by means of a socket (pins or connectors that make physical contact with receptacles or connectors on a system board). Some sockets, especially older ones, require force to insert or remove, and often require the use of a flat blade screwdriver or a specialized tool, but most modern ones use ZIF (Zero Insertion Force) techniques, often involving a lever or similar to tighten or loosen the friction/tightness of the contacts. No screwdriver is needed in this case. However, any processor ''can'' be forcefully removed from its socket with a screwdriver.{{Citation needed}}&lt;br /&gt;
|-&lt;br /&gt;
|Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
|{{w|Linus Torvalds}} is the {{w|benevolent dictator for life}} of the Linux kernel codebase. Normally it is hard to make changes because he has the last word, and because the kernel is replicated in all Linux installations. Linus made the news in January 2018 when, having looked at one of Intel's proposed fixes for the Spectre and Meltdown vulnerabilities, he declared &amp;quot;the patches are COMPLETE AND UTTER GARBAGE&amp;quot;.&amp;lt;ref&amp;gt;https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/&amp;lt;/ref&amp;gt; Presumably, it may be found that he may be successfully bribed to be less blunt and/or less critical of vulnerability fixes that are complete and/or utter garbage. If this were the case, this would be a severe critical vulnerability to all Linux servers and machines.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
|The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code if they have root access and the necessary tools, but this would usually not be described as an attack, except in the case of a locked-down appliance, such as a video game console, a John Deere tractor, or pay TV decoder.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
|This could refer to a CVE vulnerability of JPG files where JavaScript embedded within the image file is executed by some application. In this case, though, the code is visible on the image instead of invisibly encoded within the image file. The code is also only executed if the image contains a photo of a baby in a saddle riding a dog. It's unclear whether the photo would be a digital photo, a printed photo (i.e. as taken using a digital camera), or maybe both. This &amp;quot;bug&amp;quot; would not only require the device to figure out specifically what the photo contains image-wise (something that's REALLY HARD for computers to do reliably), but would also require OCR (optical character recognition) code to convert the text superimposed on the photo into executable code. In other words, it's hard to believe in 2018 that such a bug could exist. Maybe in the future when such things are more routine...? As an example, OCR used to be hard to do reliably, but now it's a lot more routine and built into a lot of devices.&lt;br /&gt;
|-&lt;br /&gt;
|Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
|Flash was an integral browser plugin for decades, but fell out of favor in the 2010s and was eventually discontinued because of its notoriously abysmal security record. All security experts advise against installing it. Preventing installation of Flash would make systems more secure, but most versions of Windows do not prevent Flash installation. The joke here relates to the difficulty of keeping Flash up to date, or even installed properly to begin with. A common user experience, which is the subject of numerous jokes and memes, is the constant nagging notification to install or update Flash in order for web pages to display properly. Many IT professionals will bemoan the trouble they have experienced in the workplace due to these notifications and problems related to them.&lt;br /&gt;
|-&lt;br /&gt;
|Turns out the cloud is just other people's computers.&lt;br /&gt;
|This refers to a meme that demands that &amp;quot;cloud&amp;quot; be replaced with &amp;quot;other people's computers&amp;quot; in all marketing presentations to CEOs and non-computer-literate persons evaluating the security impact of using cloud services. Part of the humor here is that &amp;quot;the cloud&amp;quot; is, in actuality, simply a term for hosted services, or in other words computers being run by other people (typically businesses that specialize in this type of &amp;quot;Platform as a Service&amp;quot; or &amp;quot;PaaS&amp;quot; service model). Referring to &amp;quot;the cloud&amp;quot; as &amp;quot;other people's computers&amp;quot; is, at its core, entirely accurate, though it takes away the business jargon and simplifies the situation in such a way that it might cast doubt on the security, reliability, and general effectiveness of using &amp;quot;cloud&amp;quot; solutions.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in Mitre's CVE database allows arbitrary code insertion.[[779|[~~CLICK HERE FOR CHEAP VIAGRA~~]]]&lt;br /&gt;
|Mitre's CVE database is where all {{w|Common Vulnerabilities and Exposures|CVEs}} are stored. This log message forms the punchline of the comic, as it implies that all of the exaggerated error messages above might have been inserted by hackers exploiting the vulnerability. To pour salt in the wound, they then included a typical spam link purporting to offer inexpensive {{w|Viagra|brand-name Sildenafil}}.&lt;br /&gt;
|-&lt;br /&gt;
|It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
|Appears in the title text. {{w|Bruce Schneier}} is a security researcher and blogger. The &amp;quot;two kids in a trenchcoat&amp;quot; is a reference to the {{tvtropes|TotemPoleTrench|Totem Pole Trench}} trope. Shortly before this comic was posted, a [https://rare.us/rare-humor/two-kids-dressed-as-a-tall-man-to-get-into-black-panther-is-caught-on-video story went viral] in which two kids were photographed attempting this for real to get into a screening of ''Black Panther''.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
:[A heading is centered above a list of 21 vulnerabilities]&lt;br /&gt;
:&amp;lt;big&amp;gt;Leaked list of major 2018 security vulnerabilities &amp;lt;/big&amp;gt;&lt;br /&gt;
&lt;br /&gt;
:CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
:CVE-2018-????? An attacker can use a timing attack to extploit a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
:CVE-2018-????? At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.&lt;br /&gt;
:CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
:CVE-2018-????? MySQL server 5.5.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
:CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
:CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
:CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
:CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer in Missouri that no one's checked on in a while.&lt;br /&gt;
:CVE-2018-????? Nobody really knows how hypervisors work.&lt;br /&gt;
:CVE-2018-????? Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
:CVE-2018-????? x86 has way too many instructions.&lt;br /&gt;
:CVE-2018-????? NumPy 1.8.0 can factor primes in ''O''(log ''n'') time and must be quietly deprecated before anyone notices.&lt;br /&gt;
:CVE-2018-????? Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
:CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
:CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
:CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
:CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
:CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
:CVE-2018-????? Turns out the cloud is just other people's computers.&lt;br /&gt;
:CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.&amp;lt;span style=&amp;quot;color:blue&amp;quot;&amp;gt;[~~Click here for cheap viagra~~]&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Trivia==&lt;br /&gt;
&lt;br /&gt;
Randall has previously referenced diacritics in [[1647: Diacritics]].&lt;br /&gt;
&lt;br /&gt;
Bruce Schneier was previously mentioned in the title texts of [[748: Worst-Case Scenario]] and [[1039: RuBisCO]].&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Comics with color]]&lt;br /&gt;
[[Category:Charts]]&lt;br /&gt;
[[Category:Programming]]&lt;br /&gt;
[[Category:Computers]]&lt;/div&gt;</summary>
		<author><name>WurmWoode</name></author>	</entry>

	</feed>