Domain: github.com
Stories and comments across the archive that link to github.com.
Comments · 4,419
-
Ruby Warrior
If you like Python you might like Ruby too (I love em both). I always wished I had learned Ruby with ruby warrior:
https://www.bloc.io/ruby-warri...
https://github.com/ryanb/ruby-...
-
Re:Pygame?
pygame is a good recommendation. Once I found a nice game that was written by a beginner, so I took his code and made some improvements, just to show how it could be done. Perhaps the OP might find interesting the history of this git repo: https://github.com/dmbasso/ent...
-
Novena laptop
We could try to raise funds to pay for reverse engineering of the VPU in the Novena laptop -- if we could find skilled reverse engineers ready to take the job. Can you introduce me to any?
A quick search turns up this product description which points to the Freescale i.MX6Q specs.
Does anyone know what he means with "VPU"?
The GPU is a Vivante GC2000, which has been partially reverse engineered already; support is being added to etnaviv, which is a user-space driver -- the part connecting Mesa + Gallium to the kernel driver -- for the Vivante graphics cores (support for older cores like the GC860 is good enough for everyday use). The kernel driver itself (galcore) is available under GPL, although it could use a cleanup. So there is no need to reverse engineer everything from scratch, but the etnaviv project could certainly use more contributors.
There is also a video decoding acceleration block in the i.MX6, but like all things H.264 that is likely a patent minefield, so I'm not sure it would be worth spending a lot of resources on reverse engineering that.
-
Re:Not really
Github went down? Did not notice that. I checked the status and yes, they had a few hiccups in the last months. But in each case the issue was resolved in under an hour and in most cases it was only a minor glitch. I don't know what is less "enterprise ready" than this type of reliability.
Also in the case of git, when the central public repository is down, that does not mean you can't work. Compare that to Exchange or Team Foundation Server, the entire company grinds to a halt when these systems go down and I have seen my fair share of downtime.
-
Re:Yahoo, kill yourself!
Here's what the author of the spec said. I doubt you have more insight into the true meaning of the standard than he does.
The fact that it was default off is old news. Go be retarded somewhere else.
-
wtf lol omg pakket radioz
https://github.com/lulzlabs/Ai...
Disclaimer: We don't give a fucking shit about prohibitions over the use of encryption. fuck you NSA.
-
"Software Is Hard" / "Dreaming in Code"
http://gamearchitect.net/Artic... By Kyle Wilson
""Software is hard," reads the quote from Donald Knuth that opens Scott Rosenberg's Dreaming in Code. The 400 pages that follow examine why: Why is software in a never-ending state of crisis? Why do most projects end up horribly over-budget or cancelled or both? Why can't we ship code without bugs? Why, everyone asks, can't we build software the same way we build bridges? ... But the nature of software is that the problems are always different. You never have to solve the exact problem that someone's solved before, because if software already existed that solved your need, you wouldn't have to write it. Writing software is expensive. Copying software is cheap. Scott Rosenberg coins this as Rosenberg's Law: Software is easy to make, except when you want it to do something new. The corollary is, The only software that's worth making is software that does something new."
See also the book http://www.dreamingincode.com/ by Scott Rosenberg:
"Dreaming in Code: Two Dozen Programmers, Three Years, 4,732 Bugs, and One Quest for Transcendent Software sets out to understand why, through the story of one software project -- Mitch Kapor's Chandler, an ambitious, open-source effort to rethink the world of e-mail and scheduling. I spent three years following the work of the Chandler developers as they scaled programming peaks and slogged through software swamps. In Dreaming in Code I tell their stories."
I doubt it mentions how I wrote to the Chandler Project early on about using ideas like triples from my Pointrel project but did not get much of a reply...
:-) Still my own project has been ongoing for decades. It's surprisingly difficult just to store and synchronize versions of data in useful ways when faced with uncertainties about future needs.
My latest attempt of many, many:
https://github.com/pdfernhout/...
"This stores snippets of HTML entered in a text area in a local IndexedDB database in your browser. These snippets can be displayed in a list below the edit box. TiddlyWiki was a bit of an inspiration for that list display. This is intended to support "bootstrapping" more a more complex system, such as Doug Engelbart worked toward to support a co-evolution of tools, knowledge, community, and processes."
Git is remarkable in that way in fitting into current practices of using hierarchical files changed by desktop tools. Still, it misses a lot as far as references to data items that can be exchanged globally (needing longer hashes), or dealing with large binary files (constantly rechecking stuff, but with workarounds), or dealing with rapid collaboration by several people such as to create shared drawings. But it is still awesome as far as it goes.
"Dat" is another up-and-coming approach I wish well, started by Max Ogden:
http://www.knightfoundation.or...
http://dat-data.com/
"Dat seeks to increase the traction of the open data movement by developing better tools for collaboration."
-
Re:their terminals already had it
Or implement some form of 3C Transaction
-
Why aim for mere parity?
Why is Target playing catch up? Why doesn't it leapfrog Chip and Pin and do something even better?
Why should anybody hand over the credentials required to initiate transactions in their name to a clerk or a machine that they don't control?
Let's start with a concept like 3C Transactions and build something much better than Chip and Pin.
3C is more secure than C-n-P and easier to implement. It could begin initial rollout with no new hardware required by merchants.
Of course, 3C is really just a napkin sketch and would take some work to build into a real world solution. But the benefits over C-n-P seem so obvious that it (or something with similar principles) should be well worth the effort.
-
Re:more downgrades
> "This is from late last year and is not resolved yet"
The issue is marked "Closed": "This fixes #35"
I don't know you contribute at propagating the myth that chromium cannot reliably block scripts, despite all the information I gave you. At this point what you are essentially arguing is that chromium-based browsers do not implement correctly Content-Security-Policy "script-src 'none'". See http://caniuse.com/contentsecuritypolicy.
That other developers with great reputation didn't think of this solution doesn't make it less real and effective.
-
Re:more downgrades
"HTTP Switchboard doesn't use the problematic API, which doesn't work reliably because it is asynchronous. It injects Content Security Policy header synchronously: it is rock solid in preventing JS from executing."
So I did a little checking and Http Switchboard appears to disagree with your 'rock solid' assessment. This is from late last year and is not resolved yet. This post by HTTP Switchboard author Raymond Hill, also from late last year, indicates he is still struggling with an asynchronous API. A temporary workaround was proposed to disable javascript entirely and then let the extension only activate rather than suppress, but this had undesirable and unworkable side effects.
"Reputation is something to respect, but hard technical facts come first for me."
Indeed. It appears the hard technical fact is that Chrome's architecture still prevents proper noscript.
-
Re:Site for illegal activities, just load this...
It's open source, https://github.com/darkwallet/...
Anyway it's safer to run everything in separate VM's
I guess javascript implementation is possible?
-
Re:more downgrades
You are wrong: https://github.com/gorhill/htt...
-
Re:more downgrades
Try HTTP Switchboard. https://github.com/gorhill/htt... Hard to beat,
-
Re:Site for illegal activities, just load this...
Really?
Look, if I were a shady character out to compromise a couple million (the best-case target audience size for a Silk Road replacement) home computers, there are easier ways to do it.
Write an Angry Birds clone. Send an email saying "free money in the attached file" to a spammers address list. Or just put it on a drive-by website.
You are attacking a particularly paranoid target audience. If I were a drug pusher, I wouldn't be afraid of other criminals, I'd be afraid that the whole thing is a government sting.
But then again, it looks like a normal app, so it won't be getting administrator access, you can sandbox it (OS X, no idea if windows has copied it yet) and if you are using it for serious amounts of money, you can review the source code or pay someone to do it for you.
Of all the things that you can be legitimately afraid of in this field of commercial activity, running the app is probably the least dangerous.
-
Re:Ingress
I would recommend Mozstumbler or openwlanmap instead. They do the same thing basically.
-
It's just Ham software re-packaged
If you go to https://github.com/lulzlabs/Ai... you can access the original.
It seems they are using the Amateur Radio Fldigi software to support their Lulzpacket protocol.
All rather sad and overrated really.
-
the ultimate solution (I hope), a work in progress
I'm late to the discussion but this might help. It's the solution I use every day, after a lot of effort:
- I tend to take a lot of notes, about many things. I have wanted and been thinking about what you're asking for a long time, and had discussions about it with others.
- Over time I've used spreadsheets, a paper system, text files named and organized carefully into directories, emacs org-mode, jedit, then enhanced those with collapsible outlines that do work well, but break down after a certain point.
- We made a long-term plan, then got busy with life.
- Recently I've been able to give it some attention again, and I have created the beginnings of software that I hope will become your dream software for this purpose. Really. I don't use such words frequently or lightly. It is AGPL.
- It is successfully now replacing my use of collapsible outlines in jedit (which is itself much easier than emacs' org mode, which I used to use). Not replacing my spreadsheet yet, but that is in the plans.
- It has a text-based UI that perhaps only its author could love (only text-based, wouldn't be too hard to adapt to a GUI given how it's organized, I hope). It is keyboard-efficient, and (almost?) always can be used by simply reading the screen and tapping a single visible menu letter for what you. It feels a little bit like "git commit --interactive" does.
- It doesn't have a convenient installer or prebuilt binaries but I hope/plan to make something in that direction *soon*. Right now the step-by-step INSTALLING guide has you installing PostgreSQL (not hard, really), java, maven, and following some instructions. But it does work.
- When you launch it, it is a bit bare, because I haven't implemented data sharing or templates yet, to show an idea for how I use it to organize arbitrary life information in a somewhat useful, complete way. But there are specific plans.
- Right now, it amounts to creating entities that have whatever data you want, in a fundamental model of knowledge a layer below what text (words) provides, with efficient collapsible outlines of such entities that (within a few days) can be recursively nested or one outline can be linked in multiple places. There is some theory behind this. Not ACM-rigorous maybe, not BNF, but it's not completely loose either.
- It can import/export from text outlines like I used to use, now.
- It needs a search feature which is also coming soon, and shouldn't be hard to do since postgres is underneath it all.
- It works. I use it in my job every single day, and rely on it. With the features it has *now*, it is replacing or has replaced my personal journal, to-do lists, planning tool, notes on many subjects, and little notes like "my wife said the cord she uses for those backpacks she makes is 12' long", but *modeled* (in an early, rough, incomplete way) not just typed as a note. That note (aka Entity) is associated with my wife, or soon to be text-searchable, and could also be associated with anything else I care to link it to. It is not bug-free, but I use it all day, every day.
- It's freely available at https://github.com/onemodel/on... . If our old mailing lists at OneModel.org (preferred) don't work any more (it's been a while), you can contact me either via github pull request, or at, let's say, removing the spaces, filling in numbers and the @ sign where I'm hinting (sorry to be obscure, spam is annoying): luke three hundred thirty-nine -------> onemodel.org.
-
One more reason to give them work
If they want to have fun decrypting, let's at least give them a worthy challenge
;)
I send myself files coded with over 10 different algorithms (use of a bash script to automatise crypt/decrypt).
code is there: https://github.com/jupiter126/...
-
Re:Sony rootkit included?
Well, it's open source, so dig in and check yourself... The nasty thing here is that if there is a small jump hidden somewhere, it could start executing the music data and you can hide a lot of malicious x86 code there. But the module itself is only a bit under 200 lines, so it is easy enough to be fully audited by anyone that knows a bit C.
-
Kernel module license violation!
there is a nice issue on their github account, https://github.com/usrbinnc/ne...
-
Re:There's no source for what?
At the risk of sounding like an idiot...where are the actual sources for the wifi driver?
This: https://github.com/wrt1900ac/o...
Seems to be the best starting point...but where can one find the actual wifi driver source?
-
Re:Redmine
I've set up my entire business around Redmine. There are some pretty impressive plugins to handle blogs, CMS, CRM and even a WYSIWIG editor to help "normal" people format tables, lists and text but who would normally be put off by trying to learn Textile. SCM and issue tracking is integrated, there are time trackers and forums, GANTT charting... it's a great resource.
Best of all, it's database agnostic and open-source.
-
Re:The problem with social media...
Do you work for GitHub or know anything beyond what they posted?
-
Re:Foobar2000 for Linux
Foobar2000 runs perfectly under WINE on Linux and OS X. I have been using it for years without any problems. So far, the only flaw I have found is that it does not find new music placed into your media folder after it finishes scanning for new files during start-up, so you have to restart the thing to help it find music just added.
For values of "perfectly" that include pops, clicks, distortion, and lack of 24-bit support, in my experience.
-
Re:Foobar2000 for Linux
Foobar2000 runs perfectly under WINE on Linux and OS X. I have been using it for years without any problems. So far, the only flaw I have found is that it does not find new music placed into your media folder after it finishes scanning for new files during start-up, so you have to restart the thing to help it find music just added.
-
Re:I use Evernote. But I don’t trust it.
It's easy enough to export Evernote data into a directory full of HTML files. I dump mine into the git repo I keep all my important files in. That even keeps formatting and linking, which is a big improvement over most text file oriented solutions. If you're more of a fan of wiki style for that, you can use something like Markdown conversion.
The main tie-breaker reason I ended up at Evernote is full read and write access to the repository on my phone. The days of losing an idea when I'm wandering around are gone. I type it into my phone, and by the time I'm on my desktop that note is stored with more redundancy than I ever achieved on my own.
-
This isn't fixing SSL
The article doesn't make it completely clear that this doesn't have much to do with fixing the problems in OpenSSL.
Commits to the true OpenSSL source can be seen through the web interface at https://github.com/openssl/ope.... What the article is talking about is tidying up the version that is built in to OpenBSD. Not that that isn't worthwhile work, but it's unlikely to fix many hidden problems in OpenSSL itself, unless the OpenBSD devs find something and hand it back to the upstream.
-
whatever you use, use HFSC
I just use a fanless box (made by cappuccino pc, but there are other vendors too) with several ethernet ports (at least two for WAN and LAN) running standard debian.
But then I apply linux's best-kept traffic shaping secret, HFSC. See https://gist.github.com/eqhmco...
You should be able to apply that same script to any linux distro or mini-distro.
The idea is you do AQM first, and QoS only later or even not at all, to get both low-latency for interactive TCP sessions and throughput for bulk session.
AQM is all about dropping packets to throttle TCP and prevent it from overwhelming your ISP's bandwidth caps. When done properly, it works amazingly well, and HFSC + SFQ can do it properly.
-
Re:Whatever you may think ...
It would be nice if they had some sort of code review in place for this sort of stuff. However, this isn't a paid project, so the developers writing this are doing arguably the best they can.
The code was reviewed. The commit log shows that the reviewer was Stephen Henson (thanks to slashdot user grub for pointing this out.)
-
Tools for checking
There are a couple tools available at:
https://github.com/Lekensteyn/...
It's python based so YMMV
They will tell you if you are vulnerable (See the README.md file)
-
Does it fix this issue?
https://github.com/OpenELEC/Op...
Just determined in the last week to be due to async suspend/resume. From the various reports, pretty much all Intel hardware is affected.
-
Mod parent up; big miss in video; my experiences
http://www.google.com/intl/en/...
It turns out they are not that much cheaper though, so I don't really see the value proposition in practice implied by Phil Shapiro since they are not yet $100 and screens still cost money:
"Review: Asus crafts a tiny $179 Chromebox out of cheap, low-power parts"
http://arstechnica.com/gadgets...
I'm surprised Roblimo could miss pointing the Chromebox out, just mentioning the Raspberry Pi. Although he was right to point out the SSD speedup is significant for any small computer.
Another big miss is that for US$50 you can buy an Android Smartphone and use it only with Wi-Fi. Example of what we paid $50 for a few months ago, but now is $31?
http://www.amazon.com/Kyocera-...
"The Kyocera Hydro is sophistication and style in a mainstream Android smartphone that can work for everyone. Plus it offers water-resistance, giving consumers the “no-fear” durability and security they demand. With a 3.5 inch HVGA touchscreen, 3.2 MP camera and video, and Android 4.0, you get the best of all worlds."
Although I would much rather use the Chromebook with a keyboard for making content than trying to use an Android phone. But $30 to be connected with the global internet? That is an amazing realization of many educational technologist's dreams (e.g. Alan Kay Dynabook or OLPC XO-1). And perhaps also some nightmares... See also the 1950s short story by Theodore Sturgeon called "The Skills of Xanadu" on where that all could lead.
My own hopes and predictions from 2000 based in part on seeing the "Cybiko":
"[unrev-II] The DKR hardware I'd like to make..."
http://www.dougengelbart.org/c...
http://en.wikipedia.org/wiki/C...
Also, I don't see why a teacher or librarian is so keen to limit people's mobility (although it doesn't surprise me, going with the "school is prison" meme).
A big value to my $250 Samsung Chromebook is how light and portable it is. I still use my Quad Core Mac Pro Desktop with three big screens for work and running VirtualBox VMs (and the Chromebook could not replace that, especially the screens) -- used to run Debian for about five years until we (my wife especially) got tired of all the random breakage with every "apt-get dist-upgrade" around 2008 (probably much better now). But I use my Chromebook (with Linux under the covers) for just noodling around or surfing the web and posting on Slashdot sitting in our living room, or doing some light for-fun development work. As I said in another post, I wrote this JavaScript-based information manager tool bootstrapping system entirely on the Chromebook:
https://github.com/pdfernhout/...
Why do I use the Chromebook instead of my desktop (treadmill workstation actually) Mac Pro? Psychological and social, mostly. I gain some distance from my daily paying work by using a different computer in a different place. I also have done it partially as an experiment in learning about the next generation of computing. It's true that our two-year old Macbook Pro is still a much better computer as far as keyboard and screen and CPU and what it can do -- but it is often otherwise in use these days. My wife would always complain about me leaving a lot of tabs open in Firefox. And so on. The Chromebook is more a personal computer just for me. And it was cheap enough that I could justify it as an experiment compared to another $1000-$2500 Macbook.
We did however buy a $1000 Win 8 ASUS laptop a few months ago anyway. What a disappointment as a laptop. Even with a bigger screen and much faster pr
-
I just used "Caret" to write a JavaScript app
https://chrome.google.com/webs...
I just wrote a completely open ended HTML5/CSS/JavaScript app on my Samsung $250 Chromebook using the regular user mode and "Caret". I saved versions of the files on the Chromebook and ran them locally from Chrome. The app I wrote uses IndexedDB for local storage of snippets of HTML (which can include JavaScript). The app is intended to support bootstrapping a better app by supporting experiments with HTML5/CSS/JavaScript. You can edit text and have it included as a section of HTML on the page. From start to finish (well, it's not really "done") I wrote it on the Chromebook.
I just put the code up on GitHub as an example for you (again using only the Chromebook):
https://github.com/pdfernhout/...
You can try a demo version here which will store data in your browser: http://rawgithub.com/pdfernhou...
Here is a direct link to the bootstrap.json content to paste in as a start: https://raw.githubusercontent....
See the GitHub repo for basic instructions on how to use it.
Granted, to do C compiling I'd need some tool that converted C to JavaScript in a special way, but more and more such tools exist.
https://github.com/kripken/ems...
http://www.infoq.com/research/...
So, more and more things are possible with Chromebooks or similar devices.
-
Homeopathic Anti-Virus Software
Virus Shield, by developer Deviant Solutions, was a handsome, apparently easy-to-use security app for Android devices. For $4, the app promised hassle-free, ad-free security for Android users, without impacting battery life or performance. And, mostly, Virus Shield delivered - no ads, no fuss.
What's noteworthy is how successful Virus Shield apparently was - the app made it into several "top paid" lists on the Play Store, and was apparently purchased more than 10,000 times since its release on March 28, making it at least a $40,000 payday for the mysterious Deviant Solutions.
-
Re:Undetectable Heartbleed bug?
It's worth noting that the official Snort rules for detecting Heartbleed were broken for a while, until an update earlier *today*:
And many of the early widely circulated IDS rules failed to detect a Heartbleed exploit if the TLS heartbeat exploit was done AFTER the start of encryption (including the widely circulated EmergingThreats signatures):
Sometimes it's helpful to have those recorded packets sitting there on disk to rip over and analyze, in case you need to travel back in time a bit...
-
Re:Whatever you may think ...
From the proof-of-concept page I mentioned above.
Conclusion
It is quite obvious in light of the recent revelations from Snowden that this weakness was introduced by purpose by the NSA. It is very elegant and leaks its complete internal state in only 32 bytes of output, which is very impressive knowing it takes 32 bytes of input as a seed.
Here is the Github repo for the PoC code.
This PRNG is not the NSA making a crypto system stronger ala DES, it's a backdoor.
-
Re:Names!
PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Support for TLS/DTLS heartbeats.
Have a look for yourself. The reviewer "steve" is Stephen Henson.
-
Test servers yourself with PoC
Test your servers yourself: https://gist.github.com/takesh... This was a server-side attack so clients are unaffected.
-
Several!
There have been a number of sites.
SSLLabs scanner has been updated to check for Heartbleed, and also will report when the cert validity starts (handy if you want to see whether they're using a new cert). https://www.ssllabs.com/ssltes...
LastPass has a pretty decent scanner that just focuses on Heartbleed (without all the other info that you get from SSLLabs): https://lastpass.com/heartblee...
There are some others out there as well, of course.
There's even one for client-side testing (almost as critical):
Pacemaker is an awesome little POC script (python 2.x) for testing whether a *client* is vulnerable (many that use OpenSSL are...). https://github.com/Lekensteyn/...
-
Re:I take it this is a server concern
An awful lot of mobile apps use it, though (I've heard rumors that this includes some mobile browsers). I just tested an app using the POC at https://github.com/Lekensteyn/... on a fairly sensitive app and it worked, dumping (decrypted) HTTPS requests/responses that the app had done, plus some SSL data. It works before the client (such as an app) has a chance to verify the server certificate, too; this makes MitM trivial.
One potential attack is to wait for an app to connect to a server over SSL, at which point a symmetric key will be generated. The attacker then MitM's the next connection the client tries to make and dumps memory. With some luck, this could include the symmetric key for the first connection, allowing the attacker to decrypt any recorded (or ongoing) traffic, and to intercept any ongoing communication using that key.
-
Re:Software doesn't wear out.
"Functionally, you need two things to infect a machine. A weakness you can exploit on target machine and a vector through which infection goes in"
compromising a system doesn't always leave a trace. for example heartbleed doesn't leave a single logfile of its infection. it can infect many many computers https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt 43 of the top 1000 websites are vulnerable to heartbleed not to mention how many consumer devices aren't safe.
because there are humans involved in coding for computers mistakes are made. this is a universal weakness. a vector i am assuming you mean a 'carrier' for the virus and well most people qualify as a vector for virus transmission.
NAT is not a protection against the above. and software can't stop a determined cracker once they get any admin power they use scripts and macros they target BIOS maybe. and virus protection or firewalls don't always load prior to everything else, leaving a possibility for infection based on when the service is started.
xbox one was cracked by a 5 year old, albeit one who was cracking cellphones at age 1. http://www.theregister.co.uk/2014/04/04/five_year_olds_xbox_live_password_hack/
and yes locking everyone up would make it hard to spread computer viruses. it is not a good idea though, you're claiming you can beat human nature... which is the vector of any real hacking. good luck with that.
-
Re:git blame of the bug please
Looks like snhenson most recently committed the two places final s2n() macro call the above linked article identifies as the line that finally sends data, as well as the n2s() that got data from the remote connection:
https://github.com/openssl/ope...
https://github.com/openssl/ope...
Not sure which is worse, using the unsanitized user input (which it seems he MUST have known was user input) or the copy-n-paste coding.
Sorry for the public shaming, but it seems he'd better at least make a case that he's not on the NSA payroll. Of course mistakenly relying on user input is the sort of mistake we've all probably made at least once, so it's quite believable that it was an honest mistake.
-
Re:Requires Windows 8
I think the point is that Visual Studio encourages programmers to code to APIs available only on Windows. Pretty much every time I've tried to load a .NET application in Mono, the application has stopped with an error that a particular system library is unavailable.
You might not have everything installed properly. I wanted to bring this up on a Raspberry Pi recently. The first attempt at running it failed with an error regarding missing assemblies, or something to that effect. sudo apt-get install mono-complete fixed that.
-
A solver and a simulation of the solution, in Pyth
Based on @ShanghaiBill's solution, I wrote a solver and simulation in Python (that also fixes ShanghaiBill's buggy pinning of "him.rock" to 0.5 - the player could in theory, choose to play rock at more than 50% probability). Use Pypy for speedy execution - I uploaded the code to GitHub: https://github.com/ttsiodras/R...
-
NASA's current catalog sucks.
I gave up on it years ago, when I realized there were only 32 items in it. (2 have been listed as 'coming soon'). You'll find more open source software if you look at the lists that the individual centers maintain :
- 78 : https://sr.grc.nasa.gov/
- 50 : http://opensource.gsfc.nasa.go...
- 27 : http://ti.arc.nasa.gov/opensou...
- 46 : http://www.nasa.gov/centers/jo...
Or see the NASA Github page (34 items, but that includes 'code.nasa.gov') : https://github.com/nasa
The listed 'NASA Official' has changed since it was released ... maybe this one will actually care about maintaining a list, rather than doing the bare minimum to meet some requirement from the White House. (which was my interpretation of the response I got when I contacted the previous official about http://data.nasa.gov/ ... of course, back then, it actually linked to places, rather than crap like the content-less http://data.nasa.gov/solar-dat... )
-
Re:This is very bad for OSS
It's worth noting that this is already possible today.
The only question is whether Allura will be game-changingly good at what it sets out to do.
(Also, I agree that this is a Good Thing overall. What we see today is a GitHub monoculture.)
-
Re:Broken by design
Agreed. See 3C Transactions for one simple idea on how to implement this today. Never give out a credential that can be used to generate a transaction. There's no good reason.