draichess geocities website mirror

Mirror here: 

https://blog.davidshoon.org/draichess/

Username: open

Password: sesame

It's got some goodies from the naughties. Archive.org doesn't have it all, so I've published the entirety of the website on my blog.

NB: You'll need IPv6 to access blog.davidshoon.org. 

Overflow

In computing, a buffer is meant to be a place of order — a defined space, a promise of containment. Data comes in, it fits neatly, it moves on.  
When it works, it’s invisible.  

A buffer overflow happens when more data is written than the space was designed to hold. It’s a simple arithmetic mistake, yet it tells a deeper story: that expectations and reality have drifted apart. Somewhere, a promise was made that the system could handle it. It couldn’t.

The elegance of limits

Every buffer has boundaries. They aren’t failures of imagination; they’re expressions of discipline.  
Good code checks its inputs — not because it doubts the data, but because it respects the container.

The trouble begins when that respect erodes. A few extra bytes here, a little exception there — it all seems harmless. After all, the system hasn’t crashed yet. The logs are clean. Things appear to be running smoothly.

Until, suddenly, they aren’t.

Silent corruption

Overflows rarely announce themselves immediately. They don’t explode in a dramatic cascade of errors. Instead, they leak — a value overwritten here, a flag flipped there. Something subtle, deniable.  

By the time the failure becomes visible, the origin is hard to find. Everyone points somewhere else in the code. It’s difficult to assign blame when the system’s integrity has been quietly compromised over time.

Sometimes the corruption spreads. Adjacent structures — those meant to hold something entirely different — begin to behave strangely. Functions misfire. Memory turns unreliable. Trust becomes guesswork.

The illusion of capacity

Developers often overestimate how much a buffer can hold. Maybe they assume the input will stay small. Maybe they’ve handled bigger loads before and assume it’ll be fine again. Maybe the warnings were commented out long ago — "temporary," of course.  

But capacity isn’t about confidence. It’s about measurement, and respect for constraints that aren’t negotiable. Once a buffer starts stretching to accommodate everything asked of it, something essential has already gone wrong.

Defensive design

Resilient systems anticipate excess. They install boundaries not as barriers, but as protections for what’s inside.  
They check lengths before trusting input. They reject what doesn’t fit. They log, they pause, they push back.

The best code doesn’t aspire to handle *everything*. It knows what it’s for, and stops there.

Recovery

After an overflow, cleanup is difficult. You can patch the code, harden the interface, maybe even redesign the structure. But the memory once corrupted can leave traces — artifacts of what used to be reliable.  

Over time, systems that keep overflowing develop a kind of brittleness. Patches pile up. Documentation grows vague. No one remembers why certain limits exist, only that removing them “breaks something.”

Healthy systems are unglamorous. They validate, reject, and defer. They leave a little space unused — not wastefully, but wisely.

Epilogue

It’s easy to admire a program that takes on more than it was meant to, that runs hot and appears to handle it all.  
But real stability — the quiet kind — comes from knowing precisely where the edges are, and refusing to cross them.  

Because when a system fails, it’s rarely because it didn’t have enough capacity.  
It’s because it didn’t respect the capacity it already had.


From the Systems Desk

Author: Anonymous (but probably someone who's seen a few core dumps, both digital and otherwise).

ZZimps TAM (total addressable market)

If ZZimps charges $0.02 per dollar for every DLC asset in an indie game, then:

* Assuming 200 DLC assets that can be sold across all indie games

* 4000 players in each indie game willing to buy all 200 DLC assets

* 500 indie games being developed each year

Then ZZimps gets a recurring yearly revenue of = 200 x 4000 x 500 x 0.02 = $8,000,000.

DLC asset creators getting $0.49 per dollar for every DLC asset. And Indie developers get $0.49 per dollar for every DLC asset.

Then:

* Assuming DLC assets get sold on all 500 indie games:

* DLC asset creators get = 0.49 x 4000 x 500 = $980,000 per asset, per year. If all 200 assets are theirs, then their total revenue is: $196,000,000 / year.

As for indie game developers:

* Assuming all 200 DLC assets are purchased by all 4000 players on their game:

* Indie game developers get = 0.49 x 4000 x 200 = $392,000 per game.

$392k is a big improvement in revenue compared to the usual payment for the game, which is usually $5 to $10 per game per player (i.e. $40,000 per game at $10 each).

But again, all of this assumes the DLC market has the capability to charge roughly $200 worth of DLC asset per Indie game, which may or may not be realistic.

It's a tough market for Indie developers, but ZZimps may provide some help.

As you can see though, the market is for DLC asset creators. However, monetizing DLC assets is difficult, as 3D mesh markets generally don't charge for "each DLC download" but rather, for each 3D model.

What does it take to be a DLC asset creator with ZZimps?

You first need a 3D mesh. But then you need to write some code that controls the mesh and has logic which pertains to the DLC character, such as health statistics, inventory, etc.

This code logic is written in such a way, that using ZZimps DLC plugin, it will work in as many game engines ZZimps has interfaces for. It will be digitally signed code, so players will know it's secure.

The ecosystem for Indie game developers is maturing, and ZZimps is trying to encourage it further.

If you have any further questions, feel free to contact me via ZZimps (www.zzimps.com).

Why quality matters over quantity when it comes to coding

When you create a piece of code, it's like a cookie cutter template. You can replicate the software very easily, but if there's an error in the template, the error propagates to every copy of the software.

You also end up with a bad reputation.

That's why when you create code, quality must come first. Quantity (lines of code, features, etc) come second, because it doesn't matter how many features or lines of code you have, if ONE single line of code has an error, that's a potential show-stopper.

Here's where DRUDGET'S cybersecurity software comes in. You might write sloppy C/C++ code where you don't check for buffer overflows. It doesn't matter, you pray the mitigations will catch it. It doesn't. Unless you use MMU (memory management unit) based mitigations. That's what DRUDGET's heap buffer overflow protector uses.

Again, DRUDGET's code wouldn't be necessary if you wrote perfect code the first time around. DRUDGET catches other things too: memory leaks, deadlocks, all caught and solved; garbage collection for memory leaks, and deadlock detector plus real-time deadlock workaround.

Unfortunately though, none of this is useful for "critical" applications that demand life-safety first: DRUDGET's software can only do so much. Embedded firmware running in some RTOS that is used in a medical device, or auto-pilot vehicle, needs to be written with QUALITY in mind.

That's why DRUDGET also has a source code auditing service. We audit your source code to ensure it complies with standards and use automated tools, that we crafted ourselves, as well as manual intervention, to secure your source code.

(As an example using our auditing tool, we found a flaw in Apache: CVE-2023-31122. https://ubuntu.com/security/CVE-2023-31122 - CVSS 3 Severity Score of 7.5 "high". I wanted to find a flaw in an open source application, and it took less than a minute to find it.)

So if you write C/C++ code, and your reputation is on the line, go visit DRUDGET (https://www.drudget.com.au) and send us your details. Our software makes QUALITY code easier to manufacture.

Drudget's cybersecurity software is a billion dollar TAM

Drudget's cybersecurity software is a billion dollar TAM (total addressable market) - read as: I'm hiring.

There's over a billion mobile phones out there.

I could license Drudget's cybersecurity software for $1 each -- securing mobile phones against memory corruption hacking.

That's a one billion dollar TAM. No joke. One billion dollars. Or more. I could be a billionaire.

But I haven't pushed it yet. I know I should, and I have been worrying about getting enough money for my daily needs instead, so I've been focusing on my day job at a SaaS company.

I don't even know how to get mobile phone companies to sign on. I need a sales guru.

So here's the kicker: I'm hiring a sales guru. But I can't afford to pay you a salary. Instead you will get a commission based off the licensing that you're able to get signed up. And equity. You get what you earn.

The product is already made by me, and works on Linux based operating systems, such as Android. It secures C/C++ apps on your phone against memory corruption bugs (i.e. buffer overflows, use after free, double free, etc). Even prevents memory leaks.

There's literally nothing you need to do; except sign contracts with big companies like Samsung, Nokia, Motorola, etc.

Also, there's a cloud self-healing code, which prevents hackers from successfully crashing web servers (with buffer overflows, etc) and exploiting them. It's like a WAF (web application firewall) except it uses IPC (inter-process communication) to figure out what to do. It knows what was sent to the server, and adjusts a ban-list accordingly, and re-adjusts buffers on the fly.

In the future (i.e. with additional funding), and with Generative AI, it could even fix the code in the open source web server. Otherwise it could patch the web server binary in real-time, using process injection techniques.

The self-healing cloud market is even bigger than the mobile phone market, because server-side security is paramount to having a secure endpoint for all your devices to talk to. Imagine the amount of tech support calls that would be saved with self-healing cloud code.

Alas, I still worry about my daily bread, so I cannot pursue this dream. If I got VC (venture capital) funded that would be a different story, but Drudget is a self-funded venture, and I don't have the time to travel around to find VC funding.

So I'm also hiring a VC fund manager. Again, no salary, but equity in the company. Obviously the more you can attract investors, the more you get as equity.

Summary: Hiring a sales guru, and VC fund manager. No salary. Do it only at your own risk to financial health. Apply via https://www.drudget.com.au.

NB: I'm pretty stressed out right now, due to my day job, so please don't waste my time. Just apply by sending your CV and a cover letter, preferably in markdown (.md) format.

Why AGILE doesn't suck.

Previously I wrote why AGILE sucks. Now I write a piece on why AGILE doesn't suck.

Godel

First off I start with a theorem based off Godel's incompleteness theorem, which basically says: 

Any theory T has a paradox P, and can't be resolved unless a new theory T' is made, which solves the paradox P but will have its own paradox P'.

That is because of Godel's incompleteness theorem. Either the theory is inconsistent, or cannot prove everything; which idealises itself as a paradox.

Why AGILE doesn't suck.

Imagine a computer program is a theory T. And that it should match the business case. However, there's a paradox P, which the business case might need to meet and solve, and thus the computer program needs to change to T' (knowing full well there's another P' that could be a problem.)

So AGILE capitalises on this by making changes favourable -- being flexible and not being fixed in a contract allows you to manipulate theories: T -> T' -> T'' -> T''' and so on; with corresponding paradox "Ps" i.e. P -> P' -> P'' -> P'''.

However, this is where AGILE still sucks.

Why AGILE still sucks.

If you manipulate theories, you will have a bunch of paradoxes which need to be solved by each theory. If it's unsolved, that's technical debt. So you have to refactor after each addition of a new theory, to ensure you eliminate the paradoxes and only have one SINGLE final paradox.

But we are human.

So I guess that's the deciding factor. We are human, and our business cases are always expanding in scope. Translated, this means our theories will always expand into some new theory.

So this is why AGILE wins in the end. If done properly, with refactoring and eliminating paradoxes, it will have the better outcome.

However, when I run a business, and I sure as hell won't develop more code than I need to unless you pay me a subscription fee...

Because creating code isn't free.

But, then, that's where the generative AI is supposed to come in and tell me that you should code for free because otherwise you'll be replaced with AI and its "Large Language Models".

But they're flawed. We know, because they're unable to solve even the simplest paradoxes. 

Because paradoxes are hard. And they're dependent on the environment -- e.g. chicken or egg paradox, which came first? We can't tell just by looking at that sentence, but we know, given biology, that a bird that looked like a chicken laid an egg which had genetic mutations which gave rise to a chicken. (Note: It doesn't resolve the paradox of which came first, the bird or the egg; as you can see, it just shifts the paradox into a larger scope paradox.)

Generative AI is not even close to solving paradoxes like that, because it doesn't experience the human world. The real world. The reality.

Nature defines how paradoxes are solved.

I was working on Riemann's hypothesis by the way...

And I realised the reason why the hypothesis exists is because it's trying to solve a paradox.

We're going to need a new theory T' (and not just ZFC set theory) to solve it. However, that's the problem. Riemann's hypothesis tackles the theory of theories and paradoxes, because it's attempting to solve a problem relating to prime numbers, and that's part of the problem, since there's an infinite number of primes, and ZFC says you can't prove infinity (since you can't count to infinity), and that itself is a paradox.

However, attacking RH using modular forms is something interesting. Imagine being able to wrap up all the prime numbers in a modular form. That would allow you to brute force all possibilities and solve RH.

However, there is no pattern to prime numbers, as it appears to be randomly distributed as it gets larger. So ... modular forms is probably not a solution, in fact, it's probably a paradox in modular forms as well.

The paradox P just keeps in escaping into every new theory T'.

There is always going to be one final paradox anyway.

So, hence, AGILE still sucks.

(Edit: I mentioned "modular forms" and I only now realise that was a mistake. I meant finite field, which RH has been solved for, but whether this applies generally is another question.)

Why AGILE development sucks.

For example, if I was given a ticket for a requirement, where I say y = x + 2.

Then the code I write:

```

int func(int x)

{

return x + 2;

}

```

Now I'm given a new requirement, where it's supposed to double the input, and chain that up with the original function.

```

int func2(int x)

{

return 2 * func(x);

}

```

Now I'm given a third requirement, which is to substract 4 from the input, and it's supposed to chain up to func2.

```

int func3(int x)

{

return func2(x) - 4;

}

```

Now I'm given a fourth requirement, which is to substract 2x of the input from the chained function.

```

int func4(int x)

{

return func3(x) - (2 * x);

}

```

If I put all the code together, and run it:

```

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

int func(int x)

{

return x + 2;

}

int func2(int x)

{

return 2 * func(x);

}

int func3(int x)

{

return func2(x) - 4;

}

int func4(int x)

{

return func3(x) - (2 * x);

}

int main()

{

int i;

for (i = 0; i < 256; i++) {

printf("%d\n", func4(i));

}

}

```

I will get all zeroes.

If I simply refactored the code, I would get:

```

int refactored(int x)

{

return 0;

}

```

This is why AGILE development sucks, and never gives the simplest possible code to do a particular task, unless you refactor it constantly.

Because you will always get "new" requirements, and some of them are conflicting with each other, or cancel each other out, and if you don't refactor to remove these conflicting requirements, they linger in code as bloat.

Strictly speaking, waterfall designers "know" what they want and would've gone straight towards "refactored(int x)", if they have enough insight (and deep knowledge of the task). This is why they still can't be beaten, when it comes to designing good software or hardware.

AGILE development is for babies who don't know what they're doing, and they're guessing every step of the way.