Main Page

Explain xkcd: It's 'cause you're dumb.
(Difference between revisions)
Jump to: navigation, search
m (Getting started: Right, don't sign the main page)
(New here?)
(48 intermediate revisions by 7 users not shown)
Line 1: Line 1:
''Welcome to the Explain XKCD wiki''
+
__NOTOC__{{DISPLAYTITLE:explain xkcd}}
 +
<center>
 +
<font size=5px>''Welcome to the '''explain [[xkcd]]''' wiki!''</font>
  
__TOC__
+
We have collaboratively explained [[:Category:Comics|'''{{#expr:{{PAGESINCAT:Comics}}-9}}''' xkcd comics]],
 +
<!-- Note: the -9 in the calculation above is to discount subcategories (there are 8 of them as of 2013-02-27),
 +
    as well as [[List of all comics]], which is obviously not a comic page. -->
 +
and only {{#expr:{{LATESTCOMIC}}-({{PAGESINCAT:Comics}}-9)}}
 +
({{#expr: ({{LATESTCOMIC}}-({{PAGESINCAT:Comics}}-9)) / {{LATESTCOMIC}} * 100 round 0}}%)
 +
remain. '''[[Help:How to add a new comic explanation|Add yours]]''' while there's a chance!
 +
</center>
 +
== Latest comic ==
 +
<div style="border:1px solid grey; background:#eee; padding:1em;">
 +
<span style="float:right;">[[{{LATESTCOMIC}}|'''Go to this comic explanation''']]</span>
 +
<br clear="right">
 +
{{:{{LATESTCOMIC}}}}
 +
{{#ifexist:Talk:{{LATESTCOMIC}}|<h2>Discussion</h2>
 +
{{Talk:{{LATESTCOMIC}}}}
 +
}}</div>
  
==Comics==
+
<small>''Is this out of date? {{Purge|Clicking here will fix that}}.''</small>
The latest comic is number [[1090]]
+
  
All the comics (so far) are [[:Category:Comics|here]].
+
== New here? ==
 +
<div style="float:right; margin: 0 0 1em 1em">{{Special:ContributionScores/10/7/nosort,notools}}<div style="font-size:0.85em; width:25em; font-style:italic">[[Special:ContributionScores|Lots of people]] contribute to make this wiki a success. Many of the recent contributors, listed above, have just joined. You can do it too! Create your account [[Special:UserLogin/signup|here]].</div></div>
  
== Welcome ==
+
You can read a brief introduction about this wiki at [[explain xkcd]]. Feel free to sign up for an account and contribute to the wiki!  We need explanations for comics, characters, themes, memes and everything in between.  If it is referenced in an [[xkcd]] web comic, it should be here.
Please sign up for an account and contribute to the Explain XKCD wiki!  We need explanations for comics, characters, themes, memes and everything in between.  If it is referenced in an [http://www.xkcd.com XKCD] web comic, it should be in here.
+
  
If you need help with the wiki syntax, Mediawiki has a great wealth of information to help you the syntax right.  In particular, their instructions on [http://www.mediawiki.org/wiki/Help:Navigation Navigation] and [http://www.mediawiki.org/wiki/Help:Editing_pages Editing] are strongly recommended (but do be aware that these links take you to ''their'' site; you'll have to come back here to participate. ;-)
+
* If you're new to wikis like this, take a look at these help pages describing [[mw:Help:Navigation|how to navigate]] the wiki, and [[mw:Help:Editing pages|how to edit]] pages.
  
== Getting started ==
+
* Discussion about various parts of the wiki is going on at [[Explain XKCD:Community portal]]. Share your 2¢!
For new comic pages:
+
  
1. Every registered user can upload images.
+
* [[List of all comics]] contains a complete table of all xkcd comics so far and the corresponding explanations. The red links ([[like this]]) are missing explanations. Feel free to help out by creating them! '''[[Help:How to add a new comic explanation|Here's how]]'''.
  
2. Put the comic number, the date it was posted and a link to the comic above the photo.
+
== Rules ==
 +
Don't be a jerk. There are a lot of comics that don't have set in stone explanations; feel free to put multiple interpretations in the wiki page for each comic.
  
3. Put the image text below the photo.
+
If you want to talk about a specific comic, use its discussion page.
 
+
4. Explain away below that.
+
 
+
If you are setting up a new page for a new (or old) comic, please make sure you also redirect the comic number to that page as well.
+
 
+
The syntax for redirects is:
+
 
+
<nowiki>#REDIRECT [[pagename]]</nowiki>
+
 
+
For example, on the page for 1045 is:
+
 
+
<nowiki>#REDIRECT [[Constraints]]</nowiki>
+
 
+
That allows the users of the site to search via the comic number or the name of the comic.
+
 
+
=== Choose a comic! ===
+
Wondering which comics haven't been started yet?  There's a list over at [[Explain XKCD:Checklist]].  Pick one and get started!
+
 
+
== Rules ==
+
Don't be a jerk.  There are a lot of comics that don't have set in stone explanations, feel free to put multiple interpretations in the wiki page for each comic.
+
  
If you want to talk about a specific comic, the Discussion page is perfect for that.
+
Please only submit material directly related to —and helping everyone better understand— xkcd... and of course ''only'' submit material that can legally be posted (and freely edited.)  Off-topic or other inappropriate content is subject to removal or modification at admin discretion, and users who repeatedly post such content will be blocked.
  
If you have a message for an admin, feel free to leave a message on their personal discussion page.
+
If you need assistance from an admin, feel free to leave a message on their personal discussion page. The list of admins is [[Special:ListUsers/sysop|here]].
  
The Admins are [[Special:ListUsers/sysop|here]].
+
[[Category:Root category]]

Revision as of 21:16, 24 March 2013

Welcome to the explain xkcd wiki!

We have collaboratively explained 5 xkcd comics, and only 1952 (100%) remain. Add yours while there's a chance!

Latest comic

Go to this comic explanation

2018 CVE List
CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.
Title text: CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.

Explanation

Ambox notice.png This explanation may be incomplete or incorrect: Created by HACKING THIS WIKI VIA THE EDIT BOX - The explanation looks like a list. Explain the comic and put the security vulnerabilities in a table. Do NOT delete this tag too soon.


CVE (Common Vulnerabilities and Exposures) is a standardized format for assigning an identity to a cybersecurity vulnerability (similar to the way that astronomical bodies are assigned unique identifiers by committees). Giving vulnerabilities a unique identifier makes them easier to talk about and helps in keeping track of the progress made toward resolving them. The typical format of a CVE identifier is CVE-[YEAR]-[NUMBER]. For example, the CVE identifier for 2017's widespread Meltdown vulnerability is CVE-2017-5754. CVEs also contain a short description of the issue.

In this comic (released in February 2018), Randall presents a number of spurious predicted CVEs for later in 2018. Each CVE identifier is given as "CVE-2018-?????", reflecting the fact that they have not yet happened so we don't know exactly what their CVE identifier will be.

Table of possible CVE

Security Vulnerability Notes
Apple products crash when displaying certain Telugu or Bengali letter combinations. This refers to a real vulnerability in iOS and MacOS publicized a few days before the comic released [1], as well as past similar iOS vulnerabilities[2][3].
An attacker can use a timing attack to extploit [sic] a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon. Timing Attack to exploit a race condition in garbage collection refers to Meltdown and Spectre CPU flaws that can be exploited in cloud server like the ones in Wikipedia. Claude Shannon was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits - hence the pertinence of extracting just some of the bits from his Wikipedia entry. This is a silly security problem since all the bits of the article are publicly available.
At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk. Cafés usually offer free WiFi service to patrons, as a business strategy to encourage said patrons to remain in the building and buy more coffee. Some use a password, so that only patrons can use the WiFi. Since anybody could go in the cafe to read the post-it, and then use the network from nearby, the ability to read it from outside is at most a trivial problem. For systems that are supposed to be secure, writing passwords in a visible place is a major security flaw. For instance, following the 2018 Hawaii false missile alert the agency received criticism for a press photo showing a password written on a sticky note attached to a monitor.[4]
A remote attacker can inject arbitrary text into public-facing pages via the comments box. Describes a common feature on news sites or social media sites like Facebook. The possibility for users to "inject" text into the page is by design. This is a humorous reference to the relatively common security vulnerability "persistent cross-site scripting", where input provided by the user is displayed to other users in a dangerous fashion that allows attackers to inject arbitrary HTML or Javascript code into e.g. a comment section.
MySQL server 5.5.45 secretly runs two parallel databases for people who say "S-Q-L" and "sequel." Some people pronounce "SQL" like "sequel", after SQL's predecessor "SEQUEL (Structured English Query Language)". The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it "sequel", so the debate is persisting (with even more justification than arguments about how to pronounce "GIF"). MySQL is an open-source relational database management system, the latest generally available version (at the time of writing) is MySQL 5.7.
A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges. Privilege escalation refers to any illegitimate means of giving a system user greater access than they are supposed to have, and most hackers will seek to achieve this if they can. The most highly-sought privilege is that of the root user, which allows complete access to an entire system.

This CVE, however, presents the reverse situation; that a flaw can allow a root user to de-escalate, the exact opposite of what a hacker would want to achieve.[citation needed] (In any case, the root user can always de-escalate manually if they so choose, as they have complete control).

Apple products catch fire when displaying emoji with diacritics. Diacritics are the accents found on letters in some languages (eg. č, ģ ķ, ļ, ņ, š, ž). These would not be found on emojis. It is also a reference to a common problem of modern gadgets catching fire (usually related to flaws in Lithium-Ion batteries).
An oversight in the rules allows a dog to join a basketball team. This likely refers to the movie Air Bud; about a dog playing basketball. This has been a common theme in xkcd comics, see 115: Meerkat, 1439: Rack Unit, 1819: Sweet 16, 1552: Rulebook
Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer [sic] in Missouri that no one's checked on in a while. Haskell is a functional programming language, functional programming is characterized by using functions that don't have side effects (can't change things which would be accessible in other parts of the program), as in 1312: Haskell. The joke here is discovering that indeed it does have side-effects, but for some unknown (and highly absurd) reason they only manifest on a specific computer in a nondescript location, but no one has noticed.
Nobody really knows how hypervisors work. "Hypervisors" are a tool for computer virtualization. Virtualization is complex to implement, as it requires a computer to completely simulate a computer, with its own unique hardware and software. Many IT professionals and businesses rely heavily on various forms of virtualization, but the individual employees would be hard-pressed to explain how it works. Programs running on other virtual computers, or on the real computer may be able to access information on a virtual computer in ways which would not be possible with a real computer. Therefore understanding how the hypervisor works is important to assessing security of a virtual server.

Meltdown and Spectre are related to this.

Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour. This joke is about arcane systems that are running Linux in exceedingly rare situations, such that reproducing the error would be incredibly difficult or inconvenient, and would only affect a very tiny user base (if any at all). System/390 is an IBM mainframe introduced almost 30 years before this comic, which has a version of Linux. UTC+14 is a time zone used only on some islands in the Pacific Ocean, i.e., the Line Islands, and is also the earliest time zone on earth. The joke continues by stating that even if all of these absurd conditions were met, the resulting vulnerability would still be relatively benign: simply changing a user's preferred clock display format. Other xkcd comics make references to such obscure computer-time issues relating to time zones and time conversions, and how many programmers find these issues frustrating or even traumatizing.
x86 has way too many instructions. The x86 architecture is considered "CISC" (a "Complex instruction set computer"), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first Apple Macintosh. In the 1980s, this design philosophy was countered by the "RISC" ("Reduced instruction set computer") design movement exemplified by SPARC, MIPS, PowerPC (previously used by Apple) and the ARM chips common in mobile phones - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. At the time, there was an internet war about the merits of each approach (with the Mac and PC being on different sides, at one time; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s); this "issue" may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk; however, the 64-bit architecture introduced by AMD and since adopted by Intel does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. Recent security issues such as the speculative cache load issue in Meltdown and Spectre depend more on details of implementation rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.
NumPy 1.8.0 can factor primes in O(log n) time and must be quietly deprecated before anyone notices. NumPy is the fundamental package for scientific computing with Python. O(log n) is Big O notation meaning that the time it takes for a computer algorithm to run is in the order of log n, for an input of size n. O(log n) is very fast and is more usual for a search algorithm. Prime factorization currently is O(2nn). If something can find the prime factors of a number this quickly, especially a semiprime with two large factors, there are attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and "factoring primes" quickly is a simpler problem, that of proving that a number is in fact a prime.
Apple products grant remote access if you send them words that break the "I before E" rule. Another joke on the first CVE and a common English writing rule of thumb, which fails almost as often as it succeeds. Possibly a jab at Apple's image, portraying their software as unable to handle improper grammar or spelling.
Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers. Skylake x86 chips are a line of microprocessors made by Intel. Some processors are soldered directly to a system board or daughter board, while others are attached to boards that plug into the system board by means of a socket (pins or connectors that make physical contact with receptacles or connectors on a system board). Some sockets, especially older ones, require force to insert or remove and often require the use of a flat blade screwdriver or a specialized tool to remove, but most modern ones use ZIF (Zero Insertion Force) techniques, often involving a lever or similar to tighten or loosen the friction/tightness of the contacts. No screwdriver is needed in this case. Yes, you can forcefully remove any processor from its socket with a screwdriver.[citation needed] There are many reports from people not using common sense.
Apparently Linus Torvalds can be bribed pretty easily. Linus Torvalds is the benevolent dictator of the Linux kernel codebase. Normally it is hard to pass a change because he has the last word about what merge to the code base because that code is replicated in all Linux installations. Linus made the news in January 2018 when, having looked at one of Intel's proposed fixes for the Spectre and Meltdown vulnerabilities, he declared "the patches are COMPLETE AND UTTER GARBAGE"[5]. Presumably in the future they will successfully bribe him to be less blunt and/or less critical of vulnerability fixes that are complete and/or utter garbage. If this were the case, this would be a severe critical vulnerability to all Linux servers and machines.
An attacker can execute malicious code on their own machine and no one can stop them. The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code[citation needed], but this would usually not be described as an attack except in the case of a locked-down appliance, such as a video game console or pay TV decoder.
Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it. This could refer to a CVE vulnerability of JPG files where javascript embedded within the image file is executed by some application, only this time the code is visible on the image instead of invisibly encoded within the image file, however such code is only executed if the image contains a photo of a baby in a saddle riding a dog. It's unclear whether the photo would be a digital photo, a printed photo (i.e. as taken using the digital camera), or maybe both. This "bug" would not only require the device to figure out specifically what the photo contains image-wise, something that's REALLY HARD for computers to do reliably, it would also require OCR (Optical Character Recognition) type code to convert the text superimposed on the photo into executable code. In other words, it's hard to believe in 2018 that such a bug could exist. Maybe in the future when such things are more routine...? As an example, OCR used to be hard to do reliably and now it's a lot more routine and built into a lot of devices.
Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed. Flash has been an integral browser plugin for decades but has fallen out of favor in the 2010s, and eventually discontinued because of its notoriously abysmal security record. All security experts advise against install. The joke here relates to the perceived difficulty with keeping Flash up to date or even installed properly to begin with. A common user experience which is the subject of numerous jokes and memes is the constant nagging notification to install or update Flash in order for web pages to display properly. While anecdotal, many IT professionals will bemoan the trouble that Flash has given them in the workplace due to these notifications and problems related to them.
Turns out the cloud is just other people's computers. This refers to a computer meme where replace "cloud" with "other people's computers" must be used in all marketing presentation to CEOs and not computer literate persons to evaluate the security impact of using "Cloud services". Part of the humor here is that "the cloud", in actuality, is simply a term for hosted services, i.e., computers being run by other people (typically businesses that specialize in this type of "Platform As A Service" or "PAAS" service model). Calling "the cloud" as "other people's computers" is, at its core, entirely accurate, though it takes away the business jargon and simplifies the situation in such a way that it might cast doubt on the security, reliability, and general effectiveness of using "cloud" solutions.
A flaw in Mitre's CVE database allows arbitrary code insertion.[~~CLICK HERE FOR CHEAP VIAGRA~~] Mitre's CVE database is the database where all CVE are stored. This log message forms the punchline of the comic, as it implies that all of the exaggerated error messages above were inserted by hackers exploiting the vulnerability. To pour salt in the wound, they then included in a typical spam link purporting to offer cheap viagra.
It turns out Bruce Schneier is just two mischevious [sic] kids in a trenchcoat. (Title text) Bruce Schneier is security researcher and blogger. The "two kids in a trenchcoat" is a reference to the Totem Pole Trench trope. Shortly before this comic was posted, a story went viral in which two kids were photographed attempting this for real to get into a screening of Black Panther.

References

  1. https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/
  2. https://thenextweb.com/apps/2017/01/18/iphone-ipad-apple-text-ios-bug/
  3. http://www.telegraph.co.uk/technology/2018/01/18/apple-text-bomb-can-crash-iphones-single-message/
  4. http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&IR=T
  5. https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/

Transcript

[A heading is centered above a list of 21 vulnerabilities]
Leaked list of major 2018 security vulnerabilities
CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.
CVE-2018-????? An attacker can use a timing attack to extploit a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.
CVE-2018-????? At the cafe on Third Street, the Post-it note with the WiFi password is visible from the sidewalk.
CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.
CVE-2018-????? MySQL server 5.5.45 secretly runs two parallel databases for people who say "S-Q-L" and "sequel."
CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.
CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.
CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.
CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one. computer in Missouri that no one's checked on in a while.
CVE-2018-????? Nobody really knows how hypervisors work.
CVE-2018-????? Critical: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.
CVE-2018-????? x86 has way too many instructions.
CVE-2018-????? NumPy 1.8.0 can factor primes in O(log n) time and must be quietly deprecated before anyone notices.
CVE-2018-????? Apple products grant remote access if you send them words that break the "I before E" rule.
CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.
CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.
CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.
CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.
CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.
CVE-2018-????? Turns out the cloud is just other people's computers.
CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.[~~Click here for cheap viagra~~]

Trivia

Randall has previously referenced diacritics in 1647: Diacritics.

Bruce Schneier was previously mentioned in the title texts of 748: Worst-Case Scenario and 1039: RuBisCO.


Is this out of date? Clicking here will fix that.

New here?

Last 7 days (Top 10)

Lots of people contribute to make this wiki a success. Many of the recent contributors, listed above, have just joined. You can do it too! Create your account here.

You can read a brief introduction about this wiki at explain xkcd. Feel free to sign up for an account and contribute to the wiki! We need explanations for comics, characters, themes, memes and everything in between. If it is referenced in an xkcd web comic, it should be here.

  • List of all comics contains a complete table of all xkcd comics so far and the corresponding explanations. The red links (like this) are missing explanations. Feel free to help out by creating them! Here's how.

Rules

Don't be a jerk. There are a lot of comics that don't have set in stone explanations; feel free to put multiple interpretations in the wiki page for each comic.

If you want to talk about a specific comic, use its discussion page.

Please only submit material directly related to —and helping everyone better understand— xkcd... and of course only submit material that can legally be posted (and freely edited.) Off-topic or other inappropriate content is subject to removal or modification at admin discretion, and users who repeatedly post such content will be blocked.

If you need assistance from an admin, feel free to leave a message on their personal discussion page. The list of admins is here.

Personal tools
Namespaces

Variants
Actions
Navigation
Tools

It seems you are using noscript, which is stopping our project wonderful ads from working. Explain xkcd uses ads to pay for bandwidth, and we manually approve all our advertisers, and our ads are restricted to unobtrusive images and slow animated GIFs. If you found this site helpful, please consider whitelisting us.

Want to advertise with us, or donate to us with Paypal?