Slashdot Mirror
How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?
jammag writes: "Heartbleed has dealt a blow to the image of free and open source software. In the self-mythology of FOSS, bugs like Heartbleed aren't supposed to happen when the source code is freely available and being worked with daily. As Eric Raymond famously said, 'given enough eyeballs, all bugs are shallow.' Many users of proprietary software, tired of FOSS's continual claims of superior security, welcome the idea that Heartbleed has punctured FOSS's pretensions. But is that what has happened?"
Which is run by a former Microsoft executive who was in charge of security. I guess he can gloat about being personally responsible.
Help stamp out iliturcy.
In the self-mythology of FOSS, bugs like Heartbleed aren't supposed to happen when the source code is freely available and being worked with daily.
False. Bugs can and do happen. However, what can also happen with open source software is that entities other than the group working on the project can find bugs. In this case, Google found the bug. If the source were not open, maybe it would have never been officially recognized and fixed.
That's fine with me.
Yes, we can trace the changelogs in the software & note who was checking the changes and missed them, but that all can be circumvented.
The fact is we don't know if Heartbleed was an honest mistake or not...we don't know who knew and when...we don't know alot
FOSS is nowhere in the conversation, btw...this has absolutely nothing to do with the fact that this was Open Source project.
Private company's products have ridiculous security issues...comparing this to that is not helpful.
Thank you Dave Raggett
We're surrounded by tiny errors in the world. Heck, they're even built into our DNA. The vast majority of tiny little errors do no harm, and we don't notice them. We gloss over them, like a typo in a book. It's just that every once in a while, a tiny little error can occur that snowballs into something much greater. Like cancer. Or a massive, accidental security leak.
More eyeballs usually do make bugs more shallow, but only if the eyes know what to look for.
Occasionally living proof of the Ballmer peak.
Nobody is going to discard OpenSSL due to this - the majority of people are patching systems and reminding people that security is important (a side benefit of this incident)
The next step will be when someone puts up the money for a proper code review of the OpenSSL codebase and fixes up any other issues that may exist.
It's reasonable to say that there are more people and organisations able to resolve this issue than if it were a closed source proprietary solution.
All this episode does is to remind us that security is hard. Encryption is even harder.
Kriston
Many eyeballs may make bugs shallower, but those many eyeballs don't really exist. Source availability does not translate to many people examining that source. People, myself included, may like to build to install packages but that's it.
What we need are intelligent bots to constantly trawl source repositories looking for bugs. People just don't have the time any more.
I don't think anyone claims that open-source software won't ever have security issues. The claim is that the open-source model tends to find and correct the flaws more effectively than the closed-source model, and that the soundness of the resulting product tends to be better on average.
One case does not disprove that. The key words there are "tends" and "on average".
How do we know that serious security flaws don't exist in the SSL implementations used by Microsoft or other proprietary vendors?
It's 6 of one, half-dozen of the other.
Anyone can view the source of an open source project, which means anyone can find vulnerabilities in it. Specifically, hackers wishing to exploit the software, as well as users withing to audit and fix the software. But, someone who knows what they're doing has to actually look at the source for that to matter; and this rarely happens.
Hackers must black-box closed source software to find exploits, which make it more difficult than finding them in open source software; the flip-side is that they can only by fixed by the few people who have the source. If the hacker doesn't disclose the exploit and the people with access to the code don't look for it, it goes unpatched forever.
Open source software does provide an advantage to both sides, hackers can find exploits more easily and users can fix them more easily; with closed source, you're at the mercy of the vendor to fix their code but, at the same time, it's more difficult for a hacker to find a vulnerability without access to the source.
Then, we consider how good fuzzing techniques have gotten and... well, as it becomes easier to find vulnerabilities in closed source software, open source starts to look better.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
So, the "with many eyes all bugs are shallow" notion fails. There were not enough eyes on the OpenSSL library, which is why nobody discovered the bug.
Except that someone did discover the bug, when they were looking at the code because it was open source. And they did report it. And it did get fixed. Later than anyone would want of course. But it happened. Maybe the similar errors would and are being missed in the Windows and Mac implementations.
The issue is not that some open source software has a bug in it. We're all grown-up enough (I hope) to realise that NO software is ever perfect.
The only interesting point about this situation is how the Open Source world reacts to it and what processes get put in place to reduce the risk of a similar situation arising in the future.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
The point of open source is that it allows independent code inspection, not that it promises security. Microsoft has had many vulnerabilities discovered and exploited without releasing source code. The vulnerability in question may not have even been discovered by an inspection of the code. All it would take is a typo to have your code request bob (4 letters) instead of bob (3 letters).
Bugs happen, leaving the source open just gives individuals an opportunity to find them. It doesn't imply that all bugs will be found instantaneously, just that anyone can look for the bugs. Compare this to closed source, which has a very narrow group of people examining the code base, and only their word that everything is sound. I hate to think how long, if ever, a flaw like this would go unchecked and exploited if only the gatekeepers where allowed to check out the goods.
Q: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?
A: It doesn't. OSS is purported to be a *better* software development methodology. "Better" != "perfect". TFS is a troll.
Il n'y a pas de Planet B.
What hasn't been found in closed source software because it is too inconvenient to look?
I don't know, Microsoft got caught about being able to waltz through the password check with full spaces, which is slightly worse than forgetting to place a character limit back onto something. Admittedly the stakes are not the same, but you can check it, and enough do that it works.
It's safer in terms of checking for back doors, sloppy coding anyone can do.
/sarcasm/ And proprietary software's security through obscurity is a so much better model. /end sarcasm/
At least it's known if this has gotten fixed and it will hopefully keep developers from getting too lax in the future. Both of which are unkowns in proprietary software.
The huge problem with OSS is that if no one takes the responsibility to do a good code audit for a project, the NSA will do that independently, file the found exploits, and tell nobody.
similar issue in closed source would have less chance of discovery, and if/when discovered would not be disclosed in the same way, but most like attempted to be kept on the dl.. while being exploited by interested parties.
At least with FOSS, you can quickly identify and fix problems that show up. Proprietary software fixes only happen when they have no other choice but to fix it.
I go out of my way to complicate the simple things, so that I can simplify the complicated things.
Proponents of open/closed source both make valid points about security, however both leave you with a FALSE sense of security.
Both these statements are false at some level:
Open source because so many look at it, it has to be secure. (But obviously, things can be missed)
Closed is written by professionals (hopefully) and even if there's a flaw, no one has the code to detect it, so it has to be secure.
The biggest difference that I see is that leaks like this in open source blow up bigger and get a lot more media attention. Bugs just as bad hit closed source all the time, but have an active effort by the company (Again, hopefully) to keep the bugs quiet and patch them. If this wasn't a problem with closed-source, there would be no patches, which is true in open source as well. Obviously, I have a bias towards the open source model. But these are my random thoughts.
that'll be bollixed by the WMD on credit cabals too http://www.youtube.com/results?search_query=weather+manipulation+energy+costs but we we might not be paying to poison ourselves quite so much
If the bug was in some proprietary SSL stack, would we even have heard about it? Would it have even been fixed? Who knows. That's the WHOLE POINT...
Show me on the 1st Amendment bobblehead where the moderator touched you...
This doesn't really change it, because think how a proprietary SSL library would've handled this. The vulnerability was found specifically because the source code was available and someone other than the owners went looking for problems. When was the last time you saw the source code for a piece of proprietary software available for anyone to look at? If it's available at all, it's under strict license terms that would've prevented anyone finding this vulnerability from saying anything to anyone about it. And the vendor, not wanting the PR problem that admitting to a problem would cause, would do exactly what they've done with so many other vulnerabilities in the past: sit on it and do nothing about it, to avoid giving anyone a hint that there's a problem. We'd still have been vulnerable, but we wouldn't know about it and wouldn't know we needed to do something to protect ourselves. Is that really more secure?
And if proprietary software is written so well that such vulnerabilities aren't as common, then why is it that the largest number of vulnerabilities are reported in proprietary software? And that despite more people being able to look for vulnerabilities in open-source software. In fact, being a professional software developer and knowing people working in the field, I'm fairly sure the average piece of proprietary software is of worse quality than the average open-source project. It's the inevitable effect of hiring the lowest-cost developers you can find combined with treating the fixing of bugs as a cost and prioritizing adding new features over fixing problems that nobody's complained about yet. And with nobody outside the company ever seeing the code, you're not going to be embarrassed or mocked for just how absolutely horrid that code is. The Daily WTF is based on reality, remember, and from personal experience I can tell you they aren't exaggerating. If anything, like Dilbert they're toning it down until it's semi-believable.
Comment removed based on user account deletion
Only true when the developer(s) can own up to the problem. Last time I tried reporting a problem, it took 18 months to get a fix. A majority of that time was spent proving that there was indeed a bug, and it took another developer confirming it's existence before the issue was promptly reopened and fixed.
That's how you end up with so many duplicates on bug trackers, closing reports while other users run into the same problems.
The series of process errors that resulted in Chernobyl(sp?), Three Mile Island, and Fukushima Dai(ii?)chi.
A small series of 'innoculous' oversites leading to the sort of far reached disaster that could end the lives of a non-trivial number of people.
And don't think that it couldn't, since any number of other countries could have been using this to catch insurgents or free thinkers for up to the last 2 years!
Comment removed based on user account deletion
Most of the non-OpenSSL instances of TLS implementations out there are probably SChannel.
I would be shocked if Microsoft hadn't had equally severe bugs, and further surprised if they could fix them as fast.
Comment removed based on user account deletion
Just because it is open source, it does not make it well written. If a project does not have enough resources, it will suffer. If you try to write it yourself, you will introduce bugs. Existing code isn't better, but it has been tested longer.
This is a project that is supported by mostly one person. They wrote their own memory management when others exists that have been tested for these types of mistakes (It was done for legacy support and performance).
I don't want to say that this code was poorly written. It was more of a general statement. I did look at the code for this and I saw where the fix was refactored a bit. Wrapping magic numbers into a variable did make it easier for me to read. I spent a long time looking at what was wrong with the original code. I knew where it was wrong, but could not follow it back to see where it went wrong. I decided to just trust that it was wrong and move on.
I think anyone could have made this mistake and I am sure others are out there. I think we got lucky. This could have gone the other way to be the worst worm we have ever seen.
Quick disclaimer: I learned C++ once and can kind of still read it. Some code is obviously easier than other for a novice like me. I have mad respect for devs that work at this level. I mean no disrespect with these comments.
"Given enough eyeballs, all bugs are shallow" has proven true time and again. The key point in the phrase is "enough eyeballs". In this particular case, the affected software was OpenSSL. Let's examine that for a second.
OpenSSL is a cryptography library. Cryptography is, by definition, a very "exclusive" field of development due to the complex mathematics and rigorous rules that have to be followed in order to successfully contribute. It then follows that the audience that is both capable and willing to contribute to the project is very, very small in relation to the audiences readily available to other projects such as Apache Tomcat or GNOME.
This is where the "enough eyeballs" comes into play: clearly, for the longest time, there weren't enough. The reason is understandable and explained in the above paragraph - the vast majority of software developers out there are probably not able to contribute meaningfully to a project such as OpenSSL.
However, and echoing on other comments that have already been posted, the good news is that because it was open source the vulnerability was detected and corrected. Had it been closed-source it might never have been found - let alone acknowledged or even fixed. I'll take that over a walled garden any day of the week and twice on Sunday. That - to me, at least - reinforces the argument that open-source is safer and more secure than closed-source, not the other way around as some would like to believe. This is by the simple fact that larger number of eyeballs can be brought to bear on a piece of software in order to eventually shallow out the bugs.
How many closed-source companies are willing to make that level of investment in their software quality if they can still be profitable without having to do it? Further still, what if making that investment would bring profitability into question? Would they still make the investment? I think not...
Safer means less chance for an issue. But just like in gambling, as the odds get worse, the jackpot goes up.
We have seen now someone win 100M, somthing that happens every 40 years.
Vajk
What if this was not 'OpenSSL' but instead it was some form of 'ClosedSSL' library that had this problem in it?
NSA would still have access to THAT code, you can bet your ass they would, they wouldn't leave a project like that alone. However nobody else would know (unless stumbling upon it by chance or being able to access the source OR if some insider SOLD that information to somebody on the outside and now you'd have a vulnerability that is exploited by the gov't and by shadiest of the organisations/people out there).
This does not change the discussion in terms of open source code being safer, this changes the discussion around certain practices of development / testing and also this may attract more attention of people towards the SECURITY of our information on the Internet and hopefully we'll move in the direction of working out the details of actually much more SECURE methods of communications.
I certainly have a few ideas of my own that I would like to implement now, but never mind that. The point is that this is good stuff, it finally shed a light on this topic, that should have had much more light on it for a much longer period of time in the first place.
We need better methods around building security within our systems and I think this raises the bar.
You can't handle the truth.
How?
Closed source was always safer.
One word for you: Microsoft. Maybe two: Adobe.
All the convenient "leaks" that are placed there to be helpful to the NSA?
You know - the "all American Microsoft" that is bowing for their master, being a trustful servant?
Closed source is not inherently safer. Raymond's proposition is theoretically sound, however in actual practice, the NSA has "many eyes"...
"Flyin' in just a sweet place,
Never been known to fail..."
In the delusional make believe world of open source, yes. In the real world, no. In the real world, the only people spending any meaningful amount of time scrutinizing the source code of ANY project are the few people actually working on it.
In addition to once again disproving the delusional 'all bugs are shallow' bullshit, the real problem with OpenSSL was lack of proper testing, another problem that plagues open source projects because proper testing isn't fun.
Only if one buys that "security through obscurity" is a legitimate form of network safety. A decade's worth of Internet Explorer and ActiveX vulnerabilities would suggest you're wrong.
The world's burning. Moped Jesus spotted on I50. Details at 11.
When a bug makes itself obvious to many users, then many eyeballs do get applied, find it, and come up with a fix more quickly. Heartbleed was not obvious to anybody except it's perpetrators. Also, the general case implicit assumption of Raymond's assertion is that many users means many programmers who can understand the code and will bother to look at it before they use it. This is demonstrably false to even the most casual observer.
The problem with code that provides "infrastructure" like operating system kernels or internet/network stack software is that when they run smoothly, almost nobody outside it's small group of developers bothers looking at the source. Heartbleed runs quite smoothly as it sends off those passwords, so nobody looks.
Next question.
We don't see the world as it is, we see it as we are.
-- Anais Nin
bugs are not the issue. it's how systems get updated once the bugs are fixed. without automatic security updates, heartbleed will be with us for a long long time.
So there was a bug in OpenSSL. Big bug, yes, but that's not the reason it was (and still is!) a big problem.
The genesis of the big problem is one of monoculture, not only of OpenSSL being the dominant SSL implementation, but probably more importantly, the fact that pretty much all Internet security that is accessible and matters to ordinary users is SSL/TLS in the first place.
If you think this is bad, imagine what happens if the fundamantals of SSL itself are compromised: What would we replace it with? How, considering this is effectively the only secure connection technology available across all common OSes and embedded devices? How long would that take? (Years, at least, I'd wager...)
What we need is more flexible security methods in the first place, and open, standard implementations (like OpenSSL, but growable) that can allow us to proactively extend security methods as the net matures, and *quickly* address bug-based vulnerabilities when that approach fails. (Note that this may require the implementation of some kind of standard "secuirity code VM", so new code and new methods can be easily distributed even to older systems that may not be fully supported anymore. And no, I'm not glossing over things like limits on code space, memory, and the like, nothing will allow every system to be upgraded, but we do need some way to allow and authenticate that (while preventing bad guys, including governments, from using the mechanism to create weaknesses.))
"The future's good and the present is nothing to sneeze at." - Roblimo's last
This alters the "Open source is safer" discussion in the same way that someone dying from an allergic reaction to a vaccine would alter the "Getting vaccinated is safer" discussion.
Closed source is hazardous in many ways. Along with being more frequently targeted, the NSA revelations showed that Microsoft worked with the NSA when deciding how quickly to close some holes. Another hazard is the threat of being attacked and/or sued by companies whose products were found to have problems.
No question the heartbleed thing is a huge and embarassing problem. But you know? It's actually kind of hard to count the number of high-profile vulnerabilities in F/OSS software as not a whole lot come to mind. On the other hand, the list is enormous for closed source from large companies... also hard to count but for another reason.
It does highlight one important thing about F/OSS, though. Just because a project has enjoyed a long, stable and wide deployment, code auditing and other security practices are pretty important and just because it's a very mature project doesn't mean something hasn't been there a long time and had simply gone unnoticed for a long, long time. People need wakeup calls from time to time and F/OSS developers can be among the worst when it comes to their attitudes about their territories and kingdoms. (I can't ever pass up the opportunity to complain about GIMP and GNOME... jackasses, the lot of them.)
The problem was found because the code was Open Source. If it had been closed source, then the bug would still be secret. To the extent to which the bug was recognized (or commissioned) and exploited by the likes of the NSA, it would have probably remained secret for a lot longer.
According to Microsoft's EULA, for example, finding -- much less fixing -- such a bug is illegal. If the NSA had paid them to put such a bug into the Windows version of SSL, then it would probably remain unpatched for years after someone had pointed it out to them as an exploitable bug.,, and anybody openly reporting such a bug, even after 6 months of trying to get MS to fix it, would be roundly criticized for disclosing the bug 'prematurely'.
Even then, it would probably not be fixed by Microsoft until at least the next monthly bug release cycle (or even the one after that.
With the code being Open Source, the problem got fixed faster than yesterday. Period. If the OpenSSL people refused to fix it, then it would have been forked. ... and more to the point: Such a security-centric fork would have been legal.
OS Software is like love: The best way to make it grow is to give it away.
Lets not forget that the NSA has Windows source code and can find and exploit bugs without reporting them to Microsoft.
The heartbleed bug is mostly only useful to the NSA because once you extract the servers private key you still need to be able to eavesdrop on the targets communications. Most people don't have the ability to do that.
Do we want incubated and awesomely connected, or do we want "free" and unchallenged? This duality is basic to our human nature but again and again its simply a matter of choosing this way and that way without a need to "battle it" out for ever? We are social creatures and we associate everything with everything, technology is a particularly important expression of it.
Should we re-engineer the idea that makes the web, the web? In other should we really venture out to recreate a smarter engine behind the hardware platform? Mobile particularly shows the need for a stronger hardware platform integration. This seems daunting and it truly is however it means that we have re-engineer the root foundations of the internet, meaning the network systems that connect the device platforms. IF we are able to successfully re-envision both, than yes we aptly have the opportunity to leave the "old world" in the dust.
Retweet about this tonight: Let me tell you about a company that wants to re-engineer the IRS. Talk about daunting. The site: thenewirs.com a private allocation vote directly submitted to the IRS. Think about it like this, why do we hold elections? So that elected officials can send tax monies to where we want so we can get the things that we want. This stands to integrate even further our direct will as a democratic power system. [check my tweets @Rvela82]
What can be the catalyst for a tighter internet to device to human (i.e.. the Home)? The possibilities are quite varied so my idea is just prospect. Internet fed through the electric outlet. This technology came as quick as it went away from the media's attention. This could be a means to make "the power lines" of the internet to make it truly open yet employ key encryptions on the outlet circuitry itself and in conjunction with the device platform level security initiator, this can create new methodologies for the new web.
I hate to build upon this idea because as I truly said possibilities exist to widely for one person to conceptualize. We have to open the discussion and use the ideas as inheritantly employable configurations. Yet I will continue in the aspect that the integration has to happen systematically, and that theorizing on it is truly the whimsey and muse of a man.
Take for example, a user end software layer to this model, call it 'The Uniform Web Internet Console' its a console written directly on the device that configures the internet for the individual users. In essence making it impossible for device to be reached by externally controlled networks. Think like negating websites based on their hosting platform, from the top builders down to custom written programs written on IBM versus coded on HP? etc. If this system seems to complicated it actually isn't - I'm a millennial I definitely know it can be made quite easily interpretable for my relative audience as a user experience.
We need this program so that world wide corporate entities will seek the new types of partnerships that they never thought they needed. Is this effect a truly feasible outcome from such a programming perspective. Yes because it reengineers the internet in a way that secures it at its roots. In other words its revolution.
Just like www.newirs.com reinvents establishments based on certain aspects of political oversight, the people's primary responsibility, to make it simpler, easier, more agile. This does it for the world wide web and it causes more free technologies at a local level to sprout with new embedded logic capabilities, hence more change at the human level.
Consortium is the lifeblood of civilization.
Oh and Slashdot I'm not an anyomous coward, I'm RJ betch.
For more material on the UWIC that I've written about, reach out to me via twitter @rvela82
it had been run through automated analysis software and passed because a different part of the code was doing something naughty for which there hadn't been a testcase previously. (Mallocing, freeing, then remallocing a section of memory and assuming the pointer address would remain the same).
A bigger issue might be the 'tunnel vision' approach of analysis. This bug was the result of *MULTIPLE* little issues resulting in a big issue. If anybody had actually stepped through that entire process of code this problem would've been found earlier, but most likely the function itself was scrutinized, passed 'first glance' muster, then was forgotten about as a non-critical codepath.
As this issue has shown however, the non-critical codepaths are ripe for exploitation by malicious actors, be they private or state.
I do believe open source is safer as it does absolutely allow for independant party review, which is how this bug was found. Because outside parties had access to OpenSSL they were able to find the problem, whereas with closed source software it might have never been found, or found but hushed up by the company. Proprietary software has just as many bugs as open source, if not more, the difference is there is less accountability.
That being said, the full potential of open source software in independant party review is not brought to its full potential but the fact that a lot of open source software is poorly documented as to the internal construction of the code. This ends up wasting time for programmers to basically have to spend more time than it should to learn the internals, and even wastes time of those running the project basically repeating explanations of the code whereas if they were to make some documentation people could get many more answers without having to bother the project leads. It makes the learning curve much steeper that when dealing with software that has a lot of code, to not have any documentation on how that code fits together. On one hand, we say that open source allows people to review the code, but just opening the source alone does not make it easy as possible for this to happen, the code needs internals documentation or else it often will take simply too much time for people on the outside for people to penetrate it. Many open source software projects end up with a cliche who understands the internals of the software because they wrote it, but its difficult for those on the outside to penetrate. Even for an expert programmer, being able to access documentation speeds up the time to become familiar with the code immensely.
Not doing code documentation is a poor practice and open source developers should document what they are doing for others and as well to save time by preventing having to explain things over and over again to newcomers.
How 'bout that SSL bug discovered not recently in OSX/iOS?
Sure the open source is not a silver bullet, nobody argues this.
And law of big numbers sure does it thing, yes, shit happens in open source just as well.
But how often this happens in open source vs closed source?
How often such incidents go unnoticed in closed source world?
Linux forever
PlUU-lease! Where is my "overrated" mods when I need them?
The NSA is why my hair has fallen out and my gut has gotten big. They're also behind the big mudslide in Washington. In fact, they are the boogeyman for EVERYTHING!
God you people get annoying.
It's BECAUSE of open source we even learned about Heartbleed. If it was closed source the hole would still exist hidden in the shadows.
The dangers of knowledge trigger emotional distress in human beings.
so 'git' is just unhackable...its perfectly secure...no way someone could've put a gun to the guy's head while he sat in front of his computer to make these changes...
if I was the criminal/CIA agent, i'd actually help the guy with an alibi..maybe tell him to claim it "was an accident"
no way that people would infect a system ***and*** lie about it...b/c that never happens simultaneously /sarcasm
Thank you Dave Raggett
If I'm a malicious hacker, or the NSA, but I repeat myself....
I'd be now (if i wasn't before) checking the feeds for gnutls, nss,, and openssl, hoping to catch he bug before anyone else, so i can exploit it.
That said, I'd also be checking out the best decompilers to see if that helps me find bugs in closed source code. Im sure people have looked online for Windows source code to see if there are any ways to exploit it. In this case, a small group of hackers would have the code, and would necessarily want to limit the number of people aware of those exploits.
In a nutshell, we're all screwed.
One word for you: Microsoft.
2003 called, they want your Microsoft back. The Microsoft of 2014 has a better security record than almost every other vendor in the consumer field.
I would worry more about Flash, Java, Firefox and Android.
" just about every SSL-encrypted internet communication over the last two years has been compromised."
No, it really hasn't.
It's accurate to say that just about every Open-SSL encrypted session for servers that were using NEW versions of OpenSSL (not all those ones out there still stuck on 0.9.8(whatever) that never had the bug) were potentially vulnerable to attack.
That's bad, but it's a universe away from "every SSL session is compromized!!!" because that's not really true.
They were vulnerable to attack, that is to say, the security was compromised. He didn't say they were hacked, stolen, eavesdropped, or surreptitiously recorded.
compromise: to expose or make vulnerable to danger, suspicion, scandal, etc.; jeopardize: a military oversight that compromised the nation's defenses.
I've noticed that a lot of TV sci-fi confuses "compromise" with "breach"; as in hull, shields, defenses, etc.
my, your, his/her/its, our, your, their
I'm, you're, he's/she's/it's, we're, you're, they're
It means we need to raise the bar for contributors and maintainers. If they are not using 100% code coverage fuzz testing in their unit tests (the bare minimum a security researcher will use against a product to detect exploitable code) then they don't need to be a maintainer. End of discussion. Period. You either maintain unit tests with at least range checking (which you can automatically generate if your doc comments aren't stupid) and fuzz tests for the same unit tests (which can be generated from the unit tests) for every damn line of your code, or you need to STOP. Period. No one else should be running your fucking piece of shit untested code. If you CAN'T do this basic fucking step of code coverage, unit tests for edge cases and fuzz testing then you should not be releasing open source software. Period. If you're not doing this and you're the maintainer of a security related product? Well, then you should hang yourself as soon as possible, because you are a worthless despicable piece of shit. Period.
And, if you are an arm-chair apologist who thinks I'm being too harsh in my insistence maintainers and developers follow basic security precautions or not work on open source, because you don't give a flying fuck about security: Fuck you too, You're part of the problem. Go jump in a tar-pit because you're hindering the herd.
Bottom line: People who don't give a flying fuck about security shouldn't be producing software. You shouldn't let such people maintain FLOSS projects. You get the fucking security you pay for. Yes it's free, but I'm talking development costs. Since NONE OF YOU FUCKERS actually cares about security YOU DO NOT HAVE ANY.
Either SHUT THE FUCK UP, or USE THE DAMN TOOLS WE GAVE YOU AND DEMAND THE OTHER IDIOTS DO TO.
"Wah, we don't fucking care about security! Why don't we have any security?!" Blow it out your ass, morons. This is why I develop my own hobby OSs and compilers. Because you really can't trust ANYONE to do it right in this day and age. Your moronic double standards are your own damn fault. You don't want to pay the time in development costs to test your software properly, but you want it to be secure. Something has to give, idiots! All the pundits sound like a bunch of imbeciles. Fact: The were NOT using the available memory checking, code coverage and input fuzzing tools. OF COURSE IT'S NOT SECURE!
Yeah, because closed source companies like Microsoft never copy code between versions of Windows, so simple vulnerabilities in things like Windows Metafiles would never affect the security of the entire userbase of Windows 3.0, 3.1, 3.11, NT 4, 2000, ME and XP at the same time. Who knows what other closed source vulnerabilities are lurking out there?
Data point: the NSA reportedly discovered this bug within days of its placement, and didn't disclose it.
When the bad guys have a lot more eyes than the good guys, it skews the math.
I've read the FOSS argument for years and I guess I have leaned in favor of it from a bug perspective. But in this case, I think closed source would have won, at least to the current point in time. If OpenSSL is truly behind 60-75% of the world's web servers, then the value in hacking it is enormous. Thus if I am a criminal organization, it might be worth spending $1M for guys to read that open source code and find problems that I can then monetize for a big profit.
I don't think you are going to get $1M worth of code inspection on the white hat side for OpenSSL. Maybe going forward it will, and companies may be willing to invest in the upkeep. Not out of goodness, but because it makes good business sense. For a large organization, how many soft and hard dollars have been chewed up in the last week doing analysis, patching, client communication and general PR for Heartbleed? Probably enough that a $10K donation in time or money to OpenSSL upkeep would be feasible.
There is also evidence that the bad guys have been exploiting this in the wild. So the usual argument of "we found the bug quicker with open source" is probably wrong here. The better-funded and more highly motivated bad guys found it quickest.
My guess is the bad guys have been working this bug against Yahoo for awhile. Yahoo told me a couple of months ago (and others I know) that someone was attempting to login to my account from Russia. I would now suspect Heartbleed here.
The logic for finding bugs on the black hat side is OR (find any bug and exploit). The logic on the white hat side is AND (prevent all bugs). The table is always tilted like this unfortunately in the security arena. Bugs will always happen and the good guys can't win every time, regardless of code access.
"Ever since the "Heartbleed" flaw in encryption protocol OpenSSL was made public on April 7 in the US there have been various questions about who knew what and when."
.. His private-sector experience includes serving as Vice President, Chief Information Security Officer and Chief Security Strategist at eBay and as Chief Security Officer for Microsoft ."
Company | Codenomicon: "Howard A. Schmidt, Chairman of the Board
One of the critical parameters that is studied in the art of defect analysis and prevention is "scope of loss."
The scope of loss of the heartbleed bug is huge. Not only is the scope huge, but it is completely unknown what was lost in the two years that the bug was in the wild before it was discovered.
In general, this situation demonstrated the complete lack of review, effort, and professionalism that goes into open-source. Really, it has proved to be simply a hobby, and hobby code simply doesn't cut it.
Without professional, thorough engineering review and analysis (not even millions of people "just playing around in linux"), no software can be considered safe. Open source software is generally woefully underfunded in this respect, and since it can't possibly be tested with any degree of confidence, it is only appropriate for anyone who cares to ditch it immediately, until such time as there are thorough processes in place to guarantee good code.
It's a statement. It's a statement by a dogmatist on one side, and there will be statements by dogmatists on the other side. Two dogmatists don't have discussions--they just try to shout one another down.
Yeah, if you get enough eyeballs on a problem, sure it might be easier to solve. But users != eyeballs. I suppose being open source, it is easier to get eyeballs on something, but it is also easier for the black hats to get eyeballs on something as well and exploit it.
In the end, neither side in the dogmatic divide is likely to listen let alone switch sides.
Do you have a source for your claim that heartbleed was found by code review? As far as I knew, it was found by researchers at Codenomicon who were trying to test their software by trying to act as attackers. The fact that the bug slipped through code review exposes one of the major issue with open source software, that there are lots of developers working on code but little to no organized QA beyond code review.
I would take my chances with FOSS. How crazy is the statement that XP can not be safely used without Microsoft support, given that they had 13 years to fix bugs in a feature-frozen release? In an open source release used for so long and on the same scale, chances of finding a new catastrophic bug would be slim. For example, Heartbleed was found in 3 years. Likewise goto fail bug in Apple open source was discovered in a relatively short time.
Not to mention that if new bugs were found in desupported but still somewhat popular open source software, users would create their own fix in no time rather than having to pay millions to Microsoft.
Heartbleed is a perfect example of why software should be written in "safe" languages, which can protect against buffer overruns, rather than unsafe languages like C and C++.
Of course, the problem is that if you try to distribute open source software written in a safe language, everyone bitches and whines about how they don't have a compiler for that language, and how run time checking slows the software down by 10%. Personally I'd rather have more reliable software that ran 10% slower, than less reliable software that ran faster. It's also crazy to turn off the run-time checks "after the software is debugged", as if the debugging process ever succeeded in finding all the bugs. As C.A.R. Hoare famously observed in 1973, "What would we think of a sailing enthusiast who wears his lifejacket when training on dry land, but takes it off as soon as he goes to sea?"
The "with enough eyes" argument, and "if programmers were just more careful" arguments don't justify continued widespread use of unsafe languages. Granted, safe languages don't eliminate all bugs, but they eliminate or negate the exploit value of huge classes of bugs that are not just theoretical, but are being exploited all the time.
I keep hoping that after enough vulnerabilities based on buffer overruns, bad pointer arithmetic, etc. are reported, and cost people real money, that things will change, but if Heartbleed doesn't make a good enough case for that, I despair of it ever happening.
Without the ability for anyone, not just a limited subset of employees, to access and modify the source code, the bug may have never been found. At best, it would have been found later and taken longer to fix.
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
---
You avoided backing up your accusation where YOU said I say you are Barbara, not Barbie = TomHudson (same person http://tech.slashdot.org/comme... , & sockpuppeteer like you) -> http://slashdot.org/comments.p...
Funny you can't back up your "bluster" there either, lol...
---
Why, Lastly?
You're crackers! See here multiple personality disorder http://slashdot.org/comments.p... + manic depression http://slashdot.org/comments.p...
APK
P.S.=> So, THIS quote below is my policy on sockpuppeteers like you Zontar = TrollingForHostsFiles (your sockpuppetry):
"The only way to a achieve peace, is thru the ELIMINATION of those who would perpetuate war (sockpuppet masters like YOU, troll -> http://slashdot.org/comments.p... ). THIS IS MY PROGRAMMING -> http://start64.com/index.php?o... & soon, I will be UNSTOPPABLE..." - Ultron 6 FROM -> http://www.youtube.com/watch?v...
Which quite obviously, I am, since none of you DOLTISH TROLLS are able to validly technically disprove my points on hosts enumerated in the link to my program above of how hosts give users of them more speed, security, reliability, & anonymity... period!
(Trolls like YOU that use sockpuppets http://slashdot.org/comments.p... (your sockpuppet "alterego" TrollingForHostsFiles) & TomHudson - Barbara, not Barbie too http://tech.slashdot.org/comme... before you)
... apk
Nobody clicks on THE links. Nobody READS your comments. Everybody CAN see you need proFESSional help.
You forget that this just happened to Apple a couple months ago in their SSL implementation. The misplaced goto statement caused them to ignore all certificate chain checking. Apple was quite fast in notifying people and working on a fix for it.
1. Proprietary software could have a million bugs like this. You just wouldn't know it. They do not become less dangerous because they are proprietary, nor do security flaws become more dangerous because they are in open-source code.
2. Open-source software at least has the possibility of being looked at over and over. Proprietary code may be reviewed or not depending on the resources, interest, and monetization capability of that code. A possible review by all relevant coders in the world is always more review than by a limited team of programmers and analysts at one company.
3. The real problem with Heartbleed is the time that passed between code being written and a bug being discovered. That delay exacerbates the security problem. However, there will be some sort of statistical (probably Poissonian or normal) distribution of the time required to catch a bug since introduction into code. As with anything, there are outliers. Heartbleed with its serious and longstanding flaw must be considered an outlier unless shown otherwise. I have not seen evidence that this happens on a regular basis with any software, FOSS or otherwise.
I would appreciate it if future Slashdot discussions were let out through the upper orifice with some maturation period in the brain, rather than through the lower orifice after festering in the colon.
Entia non sunt multiplicanda praeter necessitatem.
"and no one is seriously interested in forking it or doing a new implementation."
I'll be removing oppenssl from every macine i touch and recommending the same to everyone. There are demonstrably better alternatives available. (some at a cost).
Any sysadmin who wants to back openssl with HIS job and declare that is the best he can do for his business and his customers is welcome too. I will simply provide better alternatives to CHEAP and LAZY wannabees.
You can't be cheap, lazy and stupid at the same time. there is a rule against that.
I'm not saying I'm smarter than you because of some stupid bug by some stupid programmer who thought he knew C. I am just saying I'm smarter than you.
OpenSSL's well is poisoned just like indian rivers. Because the people who are supposed to take care of it keep shitting in it. But IT IS FREE!
eat your shit. Go ahead
Look! It's the wannabe 'developer'. It has no skills, so it adds some crap to a text file and declares itself a 'programmer'. Your "host file" solution doesn't work, it is spam and it offers *NO* protection, you dribbling idiot. Too bad when they turkey-basted your mom, they didn't shove it in her ass instead. Or did they...
I've heard other people say this too, but I don't see how that can be. Are there any stats that convincingly prove this? It seems to me that proprietary companies have some advantages when it comes to marketing. They can always sue people who claim they have found an exploit in the software. And there is no law obligating a proprietary company to announce when someone has found an exploit in their proprietary software and informed the company about it. So I would take claims that Microsoft has a "better" security record with a mountain of salt. Who is Microsoft being compared to? SCO? What is the metric? Where is the data?
If an eyeball isn't looking for a security bug then an eyeball won't see a security bug.
But security and safety are not free, as peoples around the world are already familiar with. Free software in itself, as in the past few days has been laid out to dry by every VC-backed non-open idea factory in the US, is not the reason why you now need to change your passwords. The reasons should be self-evident.
It has done so by making the issue public and allowing it to be given proper consideration, as opposed to being covered up by those in the know while people continue exploiting it. This is a significant step forward in the open source discussion because this is open source working as it should, the bug was found because there were many eyes in the general area. Open Source versus Closed Source is becoming the difference between systems you can vouch for and systems you can't.
In a closed source world we would have everybody vulnerable without anyone knowing about it. That only helps if you're one of the people abusing it, because nobody is taking precautions against it. Now we are actually able to respond to a real threat that we can explore deeply. Sorry, closed source is not going to give me confidence.
Raymond's proposition is theoretically sound
No, it isn't. It's nonsense and it always has been.
There is plenty of evidence for the effectiveness of good code reviews, but most of it shows rapidly diminishing returns with the number of reviewers. You get much of the benefit from having even one or two additional people read over something. By the time you've had more than four or five people take a look, the difference in effectiveness from adding more barely even registers, unless one of the additional reviewers has some sort of unique perspective or expertise that makes them not like the others.
Given that almost every major FOSS system software project has had its share of security bugs, there is really very little evidence to support Raymond's claim at all. It's not like it has ever been taken seriously outside the FOSS fan club, but there are a lot of FOSS fans on Slashdot, and so plenty of comments (and positive moderations) reinforce the groupthink as though it's some inherent truth.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
There are no reliable metrics that indicate FOSS is safer. None. FOSS is an ideology to many and that means that it is beyond reproach. The hailstorm of excuses that surrounded the fiasco of the Gnome/KDE 3 rollout is a case in point.
A big company that you hate does this and we have to hear about it for the next 20 years. FOSS does it and "oh it's open source so it's kinda OK, you know?"
Get off the smug position you hold and enter the real world. Heartbleed costs the FOSS world reputational damage and the best you can do is "maybe it would have never been officially recognized"?? So how then, do the bugs get recognized and patches developed for MS Patch Tuesday? Do angels whisper into the ears of MS executives?
I don't expect any of this to make an impact on you though. As I said going in, it's ideology you hold.
ESR's statement remains true.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
After a lot of soul searching whether or not I should actually honor this obvious attempt at trolling with a comment, I think I should, lest someone actually take it serious and believe it.
Allow me to take you on an excursion into the world of security. Before you get your hopes up, it's not as glamorous or kinda-sorta-shady-sinister-blackhat as you might think. But I'll try to make it as interesting as it can be.
Part of security are audits. Audits are, in a nutshell, attempts to find out whether there are weaknesses in the surface you're auditing. For example, you prod at a server, check its ports, make sure that everything that answers does so in a way that cannot be exploited, and so on.
Those that at least dabbled in security will know about the various "boxes" used to describe the "rules of engagement" in such an audit. Most commonly known, I'd guess, are "black" and "white" box tests. In a "black box" test, you get no or very little information about your target and your task is to find out whatever you can find about it. A "white box" test is the exact opposite, where you get full disclosure of your target's makeup, e.g. what services are running, at what patch level, often even what purpose they serve and what department they belong to, and so on.
One might now think that the more "normal", more "useful" test is a black box test. Because, hey, if I tell you everything, what the hell would you test? But, know what? A black box tests is something that you'd do to test the tester's ability, not that of your target. With a black box test you can rather find out just how much the guy you hired to do your audit actually knows about the whole shit.
If you actually want to test the target, you disclose about any information there is. That might sound odd now, but when you think about it, it starts to make a lot of sense. This information can be available to a potential attacker. A disgruntled ex-employee could have that information. Or someone who spends a lot of time social engineering and prodding can gain it somehow. Assuming that you could increase your security by withholding information from a potential attacker is at best giving you a false sense of security because you can NEVER actually say with at least a semblance of certainty that a potential attacker CAN NOT have that information. Like I said before, all it takes is a pissed off ex admin and this attacker would have ALL the information.
And it's rather trivial to sell information these days...
Now, what does this have to do with the question open vs. closed source?
It means that just because YOU do not have the information does not mean that your attacker does not have it. Closed source is akin to the black box in the aforementioned example, open source the white box. When you audit closed source, you will learn more about the abilities of your auditor rather than about the security level of the software you audit.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2003 called, they want your Microsoft back.
If only we could.
We need a "+1 -- nice sig" moderation.
Then again you ARE a nobody Zontar (lol). Reading? How about WRITING instead (lol) -> http://slashdot.org/comments.p...
Now since you CLAIM to allegedly a writer by trade? How come "lil' ole' me" had to SCHOOL you in it. hmmm???
Imagine that!
Did your spellchecker & grammar assist features break down in your word processor (that guys like me wrote, that YOU ONLY MERELY "write about" no less) & that you are apparently helpless without and have the balls to even SPEAK to us? Please... lmao!
APK
P.S.=> Keep never failing to FAIL, Zontar... I love it! apk
In general maybe. This issue had nothing to do with encryption though (or hard security stuff even).
It was a very basic input checking error in a massively crusty overly obfuscated and badly written/documented codebase that all kinds of people have been tacking 'kitchen sink' style features onto for years. It's almost as if the codebase is actively trying to counteract the 'many eyes' effect.
OpenBSD has already taken on their fork and started stripping out cruft - who knows that fork could end up having a portable version that everyone else starts using (like with OpenSSH).
Companies like Google and RedHat etc are presumably going to be putting some extra resources into OpenSSL to help clean it up. It's importance means they would be crazy not to. Hopefully they also put some resources into funding/helping the OpenBSD fork too as a better longer term option.
"Your "host file" solution doesn't work, it is spam and it offers *NO* protection, you dribbling idiot.} - by Anonymous Coward on Tuesday April 15, 2014 @07:04PM (#46762109)
To validly technically disprove any of 17 enumerated points here http://start64.com/index.php?o... and prove me, wrong, on where & how I state custom hosts files give users of them more added SPEED, more added SECURITY, more added RELIABLITY, & even more ANONYMITY (to an extent on the latter only).
---
* :)
(Go for it - I will merely tear you apart Zontar, as you troll me by ac posts now...)
Gotta admit, this is my favorite part of doing libelous lying little trolls like Zontar in, with facts & a challenge, with their bs.quoted above.
APK
P.S.=>It's YOUR reputation Zontar, Mr. Writer (not) - mine's safe & all the moreso when you "run, forrest: run!!!" here or spout totally invalid bs or more trolling... lol.!
... apk
I think the grandparent was right. MS now is hugely better than the MS of 10-15 years ago. I'm not going to try and objectively prove that as I don't care enough about MS and probably couldn't anyway.
But the NT4 to XP/2003 era was appalling security wise - but they changed that. IIS went from swiss cheese to one of the tougher web servers to break. You just don't hear any more about the kinds of problems they used to have. If you endured those days or just laughed from the sidelines, you don't need any hard data to see that they have improved a lot.
I found this paper from Theo de Raadt illuminating though. He steps through 10+ years of OS hardening techniques OpenBSD has put in place to prevent badly written applications misbehaving. Towards the end he summarises how other platforms do this stuff - the only other platform that did it all by default was Windows (yikes!).
Closed source was always safer.
One word for you: Microsoft. Maybe two: Adobe.
THIS! It's funny how Microsoft has all the issues that they do, and yet when a problem shows up in anything else, the fanbois instantly ejaculate LOOK!! SEE???
Sorry kids, Windows has a many year legacy of needing constant security updates, way too many for you to be braying about this, as proof of the bankruptcy of FOSS.We get it, But Redmond products have a lead that will never be equaled.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
A proper hacker doesn't care if the "source" they're reading has to be disassembled first, or if they have nice source code. All they care about is whether that code is worth exploiting to get personal information or other valuables, for a large enough audience. I'd think that the track record OpenSSL has compared to closed-source security products that have been compromised attests to this. If all it took was one huge vulnerability to discredit the paradigm, then closed source would have been discredited ages ago.
You don't have a professional career seeing as you don't know how to write code. Trolling Slashdot and getting kicked off of many tech-related sites is not a career. You're just butthurt that Zontar (and many others!) have called your "hosts file" solution a complete waste and very similar to malware. Again, look up the definition of libel, though I expect your reading level to be that of a fifth-grader...much like your 'coding' ability. You fucked your own 'career' - ever do a Google search for yourself? First, find a dirt cheap bottle of booze and some of your moms anti-psychotics. Do that Google search for yourself. Read the results. Then read them again. Yes, you don't have a career, let alone a professional one, no good standing or good reputation to protect. You see, years ago you lost any potential to have a 'career' (not that you'd pass any exam, tech or othewise). You are a classic fuckup and you did that to yourself - no one to blame but you. Or maybe your mom. See, you can't feel 'libeled', or actually be libeled since you have no professional career, reputation or good will to be harmed. Nor has anyone here lied about the fact that your shit software has been identified as malware in the past. Stupid fucking douchenozzle...
For a malware site it's listing good company in many categories http://start64.com/index.php/c... alongside his program so reconsider your words. They are, as always, obviously in error (especially considering you actually link to the companies that produce them, e.g. Microsoft, right next to my app). Others include Comodo, Panda, McAfee, Kaspersky, Malwarebytes, ZoneAlarm & other good names in the industry.
See - I can run iwth them. You can't. That's only 1 category too... there are many others it fits.
APK
P.S.=> Sorry to burst your DELUSIONAL bubble, but I live on my own since the 80's & have my own spot however, occasionally while travelling worldwide for work I lived TONS of spots in the world (or for play too of course) or between jobs though, to save money, I'd live with family when I was younger (as I didn't have my own place then, I rented like young folks do, had a lot of wild crazy roommates, lol, male & female), like most do, when they're younger pursuing work, to save money - a smart move) but not with my Mom (some fool thinks Jan is a woman's name, but it's also JOHN in other languages so yea, I'd pop in @ my pop's place, we get along well (good man) in those circumstances for 1 yr. total time, maybe 2 over oh, 50 yrs. now way earlier on? There ya go on that).
Educationally I was a lettering NCAA athlete (starter 1st year attackman - which they owe me 10 points for STILL pisses me off) for a great national power AND another letter too now that I think about it, lol -> http://lemoynedolphins.com/spo...
On PAID jobs? One of my proudest things was increasing a MS certified partner's program up to 40% more efficiency (a block level device driven caching system) & ideas for ramdisk usage up to a finalist @ MS TechEd two yrs. in a ROW in its hardest categories: SQLServer Performance Enhancement 2000-2002 iirc... got paid. Was fun. Great company, good mgt. (Mr. Eric Dickman a pleasure to work with remotely).
That & doing MIS systems for decades too... now I run my own businesses and survive that way (got smart, no more wageslave for me - get all the bennies that way, 10x the headaches, but all the cake)... apk
For a malware site it's listing good company in many categories http://start64.com/index.php/c... [start64.com] alongside This program so reconsider your words
APK
P.S.=> HAD to do THAT (lol), why? Zontar's a writer -> http://slashdot.org/comments.p...
Can someone answer a technical question? My midunderstanding is that Heartbleed is a buffer overflow, which is also what a bunch of other security bugs have been over the years. (Obviously there are other ways.) Why is there no library code that one calls to set up a buffer, have the buffer read the input, and return the result? The caller would provide a buffer size (or maybe it can be inferred from a passed variable? my C is very rusty) and a few other args, and the library code would protect against any overflow.
Or does such code exist, but people don't use it?
Microsoft Windows.
if this is supposed to be a new economy, how come they still want my old fashioned money?
All heart-bleed proves is that C+ is a poor language to be programming security software in.
Open Source vs Closed Source is as much a philosophy as it is substance. We can argue the benefits of having many eyes on the code from Open Source as opposed to having funded coders with Closed Source. In the balance, each project will be different based upon its own unique factors. The one constant is that Open Source does have superior transparency.
Which is why you run from, & donwmod to hide, this http://news.slashdot.org/comme...
APK
P.S.=> I've worked in the Fortune 100-500 pal, in positions (network admin or programmer-analyst) - have you? No... prove otherwise. Again, you're more than welcome to take 'the APK challenge' here regarding my latest freeware -> http://news.slashdot.org/comme... (which, true to troll libeling form, ZONTAR does a "Run, Forrest: RUN!!!" from, every time trolling by ac, sockpuppet, or using his registered 'luser' account here... lol!)
... apk
How can you be a good chess player if you do not lose the odd game? So the opensource code got a strike against it, I am sure GNU/Opensource teams are coming back at this with a vengeance, developing better protection methods. Stuff like this will rally security teams. Sure, not all bugs/vulnerabilities can be caught, but the ones that are...will have the living s--t kicked out of it. Chalk it up to valuable experience. I am sure developers are whipping themsleves into a mea culpa frenzy. A bit of humility will go a long way to making something superior.
"SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
You do realize that encryption is security through obscurity ... right? ActiveX is just a plugin system, just like XPCOM in firefox, but you know that too ... right?
Please don't quote shit that you utterly fail to understand. The only part you got right was that IE was buggy as shit. Of course, so is Firefox, but you ignore all the security fixes it has gotten. The only thing is does better, and that Microsoft sucks at is time to fix, which while extremely important, is only part of the equation.
+5 insightful ... the ignorance runs deep here.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I think this says more about the prevailing view of security. Every programmer is told "NEVER roll your own encryption". The default result is that most programmers never even look at the code and instead assume it MUST be safe since the infallible "experts" wrote it. What we are seeing here is not the fault of open source vs closed source; it is about voodoo programming being considered good security practice.
I'm not saying that everyone should be rolling their own encryption, but people should be looking over the experts implementations instead of assuming they are perfect (this bug could have been caught by any number of "normal" programmers had they simply taken the time to looked).
Hahaha, this is hilarious that the GP is +5 insightful.
Mod me down, my New Earth Global Warmingist friends!
it's not a matter of open source but a matter of having israel partisans working on mission critical code.
You're obviously a troll and an idiot, but just for the record: I don't know if Seggelmann is Jewish - his last name is, but then so are a lot of German last names... and he's German (not Israeli) and there aren't many German Jews left - but the reviewer of the code was Stephen Henson, who is not Jewish. Do you blame him too? RSA (the company that became synonymous with public crypto, and the algorithms they patented) stands for Ron Rivest, Adi Shamir, and Len Adleman. The last two are also Jews, and Adi Shamir is actually an Israeli. Do you blame them too? In fact, according to the Bible, there's this guy named Jesus who was also a Jew. Do you blame him too? As it happens, there are a disproportionate number of Israeli programmers in the tech space, mostly because as far as I can tell they've always had a high ratio of well-educated people in math and comp sci, and lately an influx of of well-educated former-Russians too. Thank god it wasn't an Indian or Chinese programmer who caused this, or /. servers would collapse from the comments.
Comment removed based on user account deletion
Encryption is not security through obscurity. Encryption is security through rigorous openness and review.
"Security through obscurity is generally a pejorative term referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security." The secret key in cryptography is neither design nor implementation.
Comment removed based on user account deletion
Comment removed based on user account deletion
WHAT IF comments are worthless. The facts are that a serious bug existed in a widely used open source component for several years. Comments like what if the software were written differently or better tested or were proprietary are fanciful speculations. The real issue is how to avoid or at least reduce the likelihood of this occurring in the future. Recommendations that people should work harder or write better code are of course equally worthless.
Encryption is meant to make the original text be obscure, however the means of encryption should not remain obscure. What "security through obscurity" refers to is the common and naive practice of assuming that no one will guess your security methods, and the problem is that people do find this stuff out. Ie, assuming that no one will guess your backdoor debugger password. Now it is fine to start with a strong set of security practices and then only after that is in place it can be made more obscure. But usually when something is made obscure it is because the security is really weak in the first place.
As for ActiveX, the problem was not that the end user would go and hunt down a trusted plug in and install it, but that it relied upon the web to tell you if something was trusted and then automatically install it (and for the average user this happened even without their knowledge). This was done at the same time that Java was promoted as an alternative, a system that was intended to be designed for security by sandboxing the code (though of course it had flaws) as well as being cross platform, whereas ActiveX was all about taking plain x86 code and executing it as long as it was signed.
The real problem with ActiveX was the idiotic idea from Microsoft that it should be installed automatically without bothering the users with annoying questions such as asking for permission first; they did the same boneheaded move by allowing executables in emails to be executed without a confirmation. It wasn't until they started added UAC that it seemed they understood what the problem was.
I think that it's really not about open or closed source. It's about monoculture, the whole net is more resilient if we didn't do that. So many warned about that issue with the desktop/laptop running Windows, and that risk is there and real still, but while worrying about that we built it anyway in an a non-OS specific way on servers too
The vulnerability was found specifically because the source code was available and someone other than the owners went looking for problems.
I keep seeing people claim this. Codenomicon didn't discover the bug by looking at the source, but I can't find any information about how Neel Mehta discovered the bug.
People will pass up steak once a week, for crap every day.
The bug was found by code review, twice independently in a short period of days.
Codenomicon didn't discover the bug due to a code review (source). I can't find any information on how Neel Mehta discovered the bug, though.
People will pass up steak once a week, for crap every day.
They have had many (and likely will continue to do so), but the fact is that never (not yet anyway) have they had one with as severe and wide reaching implications as this one.
It's all a matter if spin. It should be "bug found and patched because of open source" if it was closed few if any would have been able to look and find and patch the bug
Safer != Perfect
Open Source is not perfect. It also does not help when you have large commercial institutions RELYING on the source code in a security critical role under constant attack by well-funded adversaries, AND the developers of said open source code are so pitifully underfunded, AND the commercial proprietors that cause said open source library to become a high-value target are only willing to invest in features, and not improvements that would lead to better quality and lesser likelihood of serious bugs.
May I remind everyone that unlike most GNU, Apache and Linux projects, OpenSSL and OpenSSH follow the BSD model of a small team of developers doing the work. Although the source is available the review and upgrades are limited by the small group of developers working on the project. This model of developer is somewhere between the Cathedral and the Bazaar. The number of eyes on the code may be reduced because of the lack of ability of being able to make direct contributions to the code base.
Fixed within, 24 hours on 187 servers running open source openssl libraries, f and earlier versions.
I still do not have fixes for about 5 proprietary customer products, and there has been no word from 3 of them if they intend to fix them.
I have informed my customers that they should consider moving from the proprietary products IF they have the cash to do so.
I really do not see your point in asking the question.
You cannot design and build secure software to begin with.
You need to have the source code for the forseeable future now because of the world we live in.
Very very bad people are coming out of the pit and they want your infrastructure, your data and your intellectual property.
But above all, they want control of you.
Open Source can prevent a world like that from taking hold, but it cannot save a fool from his foolishness.
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Randall Long, formerly of a Obama administration, joins Microsoft. This guy leaves MS for the Obama administration. Al Gore sits on Apple's board.
When you use Linux, you hurt MS's and Apple's profits, which hurts Democrats. When you use Linux, you help the Republicans.
I think this says more about the prevailing view of security. Every programmer is told "NEVER roll your own encryption". The default result is that most programmers never even look at the code and instead assume it MUST be safe since the infallible "experts" wrote it. What we are seeing here is not the fault of open source vs closed source; it is about voodoo programming being considered good security practice.
I'm not saying that everyone should be rolling their own encryption, but people should be looking over the experts implementations instead of assuming they are perfect (this bug could have been caught by any number of "normal" programmers had they simply taken the time to looked).
The irony is that the openssl authors chose to roll their own malloc implementation instead of using the default, trusted one which would have likely crashed instead of facilitating the leakage of memory. (I still blame the fundamentally flawed nature of C for even allowing this)
sounds like its working as hoped, right?
The quote is "given enough eyeballs, all bugs are shallow." That's a clear admission that open software, like all other software, contains bugs; that's why you want the many eyeballs. Any claim otherwise is a symptom of not understanding plain English. Eric's whole point was that the bugs in open software will be found and fixed faster than the bugs in other software, due to the population of interested people who will study it, looking for the bugs.
Perhaps it is not being stated clearly but the point that you are missing is the fact that this bug in some of the most critical network software in use had been around for 2 years. This fact demonstrates the hyperbole of the quote. Its a well crafted quote, illustrates a concept well, but people read way too much into it. Few FOSS users are developers, few developers are qualified readers. Eyeballs are a plus, but not a panacea. The gap between proprietary and open exists but it is exaggerated.
A second and more important fact is that the bug was not discovered by eyeballs on source code. The techniques used seem to be the same applied to proprietary closed source code.
"“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.”"
http://readwrite.com/2014/04/1...
Nothing in that quote implies (to anyone with reasonable understanding of English and basic logic) that open software doesn't have bugs.
Straw man.
It does have the assumption that if more people view the source they will automatically fix vulnerabilities. This however assumes that people will always do the right thing and report bugs. For security flaws in particular this is not a given a lot of people that would have the knowledge to spot a bug may also be from governements or organised crime and have a vested interest in the code not being fixed.
If you look at something like vms or aix, there may be big security holes but because it's closed source.....nobody knows
The visibility doesn't make it so bugs don't exist. It makes them more likely to be found. This one existed and was found.
After two years in the wild. And apparently *not* by eyeballs on source code. Proprietary or open seems irrelevant to this discovery.
"“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.”"
http://readwrite.com/2014/04/1...
The Open Source "many eyes" philosophy is only relevant when there are many eyes. This works great for non-specialized tasks, and ok for specialized tasks. For highly specialized tasks, the "many eyes" dwindles to "few eyes", and so the opportunity for long-lived errors is longer. In commercial settings, this is counteracted by the profit motive. In open source, the only counterbalance is project discipline. The key takeaway is to support disciplined FOSS projects for specialized functionality, or pay for this level of suppport.
I am of the opinion, and have been for a while, that casual coding (i.e. coding something in your free time, not backed by hint of monetary gain) is at the heart of the problem. People code casually because it is fun to do. They don't like writing comments, documentation, or clean code. This is not to mention that these project need good people that can write this complex code and putting massive amounts of rules and coding practices is not going to attract people to code in their free time. When you have code that is backed by money and/or a company, the motivation exists to do the not fun stuff, but the required stuff to make code more secure, more easy to audit, and easier to understand. Without that type of backing, you have people hacking away writing code as quick and dirty as possible. That is the reputation that FOSS is trying to get rid of. That is the reputation that hurts its adoption rate, especially in critical and important systems. That is the reputation that the OpenSSL vulnerability drags kicking and screaming into the limelight. Unfortunately, it is a reputation that has a significant basis in reality and, in my opinion, the Heartbleed vulnerability will have lasting effects for years to come.
Closed source just has deliberate NSA backdoors. Clearl superior and much more efficient than accidental backdoors.
"I is in your PC reading all your emailz!" - lolcat works for NSA
I am anarch of all I survey.
no, Raymond said the bugs are shallow, not non-existent - i'm sure you can understand the difference....
"The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
In Zontar's case absolutely manic depression http://slashdot.org/comments.p... + multiple personality disorder http://slashdot.org/comments.p... given that information it's easy to see who's a mentally disturbed individual who doesn't consider the consequences of his actions and what is legal or not in libel. Some say that is the very definition of insanity. Not considering the consequences of their actions. Zontar fits that. I have to disagree after reading some of this.
will you just fuck off polluting the posts with this shit
"The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
To really understand a lot of projects to the point where a developer can make substantial contributions often takes a substantial investment of time by a developer. So some combination of full-time employment in the area, government grants, a basic income, or gifts of some sort are required for experienced developers to have substantial time to look at source code. It's true some developers have time to do it as a hobby, and others might have time as students. But to really dig into complex code and keep at it for a substantial period of time require, in US society at least, generally requires some kind of external support (even if just a spouse who earns money). This issue is not helped by the fragmentation of many software projects via forks, the competition between similar FOSS projects, and the proliferation of languages and not-very-good standards which all chew up vast amounts of developer time.
Of course, some people, like Bill Gates, who was born with a substantial trust fund have inherited the wealth needed to allow them to develop free software the rest of their life. However, for good or bad, he did not pursue that choice.
"How to Become As Rich As Bill Gates"
http://philip.greenspun.com/bg...
"William Henry Gates III made his best decision on October 28, 1955, the night he was born. He chose J.W. Maxwell as his great-grandfather. Maxwell founded Seattle's National City Bank in 1906. His son, James Willard Maxwell was also a banker and established a million-dollar trust fund for William (Bill) Henry Gates III. In some of the later lessons, you will be encouraged to take entrepreneurial risks. You may find it comforting to remember that at any time you can fall back on a trust fund worth many millions of 1998 dollars."
A substantial "basic income" equivalent to US Social Security from birth would, in a sense, make everyone a millionaire overnight and give them the time they need to pursue public benefit projects, whether doing code review or raising children well. Linux in part is a result of Finland's generous support for students like Linus.
http://www.linfo.org/linus.htm...
"Torvalds thus decided to create a new operating system from scratch that was based on both MINIX and UNIX. It is unlikely that he was fully aware of the tremendous amount of work that would be necessary, and it is even far less likely that he could have envisioned the effects that his decision would have both on his life and on the rest of the world. Because university education in Finland is free and there was little pressure to graduate within four years, Torvalds decided to take a break and devote his full attention to his project."
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
It's just a question of how many of them that are discovered and how serious they are.
In this case it was a simple mistake, and had serious effects. In other cases the bugs may be caused not by simple mistakes but a very complex chain of mistakes and still just result in a small side-effect.
As I see it - the best way to avoid simple mistakes like missing to set a character limit is to restrict use of languages where this check isn't built into the language itself. C and C++ is good for some coding, but that code has to be strictly reviewed and cross-checked to ensure that it's secure. Other languages has a lower risk of simple mistakes because they don't allow the user to address data outside the boundaries of a declared variable, or they do extend the allocation of a variable when needed.
So looking into languages like Ada, Java, C# and Matlab/Simulink (or the clone Scilab) should be on the list of languages to consider. Even Basic would be worth to consider. Or if you want to be a bit more esoteric Erlang is not a bad choice.
Just be aware that almost every programming language has a basic platform written in C, so it's important to make sure that the platform doesn't have any problems.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Bye
"The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
In all this hoopla i havent bothered to look at the code in question yet, but im always slightly dismayed when i throw some popular open source stacks at commonly available but expensive static analysis tools like Coverity or Klocwork.
There are plenty of companies running full open source stack servers with the licenses available - i wonder how often things like OpenSSL and other critical infrastructure pieces go through the best static analysis tools available ? And how much of it gets addressed.
http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
You do realize that encryption is security through obscurity ... right?
i don't think this quote means what you think it does.
Please don't quote shit that you utterly fail to understand.
ditto.
ActiveX is just a plugin system,
as much as a shotgun against your head is just a metal tube.
the ignorance runs deep here.
don't be so modest. you just contributed a fair share.
And don't forget the *deliberate* security holes placed in close software. A link that comes to my mind: http://en.wikipedia.org/wiki/N...
You do realize that encryption is security through obscurity ... right?
No, it's not. The major difference is, that with a proper cryptosystem, if someone discovers your key, you can just switch to a new key and you're as safe as you were (not considering collateral caused by key leak). With security through obscurity, the once the genie is out of the bottle, you won't make it safe without changes to the design of the system.
As someone said, the ignorance runs deep here.
I don't HAVE to say that your Hosts File Engine is crap, Spanky. Half the freaking Internet has already said it for me.
Your app doesn't do anything that any text editor with basic regular expression support can't do better already, and do so WITHOUT pegging a 4-core CPU.
And there is NO WAY IN HELL that I'm EVER going to let such an abomination override the OS task scheduler on any system I administer. That's just insane.
Il n'y a pas de Planet B.
The key issue with this is that many eyes did not check this code. One way to get many eyes is via university. Open source is great for learning about how existing code is written, including safe practices vs. "performance". Usually people are asked to review smaller pieces of code like kernel components as part of coursework. This demonstrates it is useful perhaps to consider other, less sexy bits. Note that changes are being committed over time so there is always new material.
See my journal, I write things there
How does linking to the top of the same thread help your case? Why do you keep doing that?
Hyperlinks are not magic. There needs to be some meaningful content at the other end for them to be of any use.
ProTip: Making a false claim which merely links to a repetition of the false claim does not make the false claim true.
Il n'y a pas de Planet B.
Encryption is meant to make the original text be obscure, however the means of encryption should not remain obscure.
That is true, but the problem with OpenSSL is that much of the code has been deliberately obscured.
I once tried to use part of the encryption codes from OpenSSL in another project - after awhile I gave up and realized that the original implementation (can't recall which one - might have been Blowfish) was cleaner, and easier to understand.
It seems that it in order to be included in OpenSSL it had been rewritten to conform to some coding standard that made it more fragile and less readable; I assume this was done because of some coding-hubris in the OpenSSL-team.
Here are some others that also have issues with the OpenSSL code-base:
http://article.gmane.org/gmane.os.openbsd.misc/211963
https://www.peereboom.us/assl/assl/html/openssl.html
So, I believe the conclusion is that "Open source can be safer - if done right".
Why are you so adamant that it was not "eyeballs". So they fizzed their own infrastructure and found the issue. The article you posted is scant on the details if the tool and a google search did not turn up any salient details on the tool. From the description it appears to be black box testing SSL/TLS for obvious overruns. Was this not open source software, we may not have had such a quick response to this issue.
Don't for get Oracle!
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
The comment in TFA about marketing seems dead on. I honestly cannot think of any other disclose security vulnerability that got it's own logo.
There are no reliable metrics that indicate FOSS is safer. None.
Can you propose a metric that would compare the "safety" of FOSS versus closed-source/proprietary software?
(I thought not.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I think the grandparent was right. MS now is hugely better than the MS of 10-15 years ago.
Hugely worse is hardly imaginable.
"I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
No matter how narrow the bell curve, outliers are still gonna happen.
I would like to just point out this is a huge win in my book for Debian.
Are you kidding? Debian once implemented a custom change that deliberately weakened all SSL keys generated on Debian systems:
http://www.debian.org/security...
https://wiki.debian.org/SSLkey...
Young whippersnappers with short-term memory...
It is not the NSA's job to cause mudslides, or make peoples hair fall out.
It is NSAs JOB to crack (other peoples) security systems. You are not being paranoid, they are out to get you.
Of course, other agencies do this too ...
Anyone who believes exponential growth can go on forever in a finite world is either a madman or an economist
eventually lol.
Proprietary or open seems irrelevant to this discovery.
You can't make such conclusions from one bug. Bugs will happen, and bugs will go unnoticed. The question is about whether the open source nature of a piece of software decreases the frequency of those events.
For wont of mod points here... YES! THIS!
Entirely too many point the fingers at FOSS coding practices, etc.
A closed source business is actually quite a bit more likely to have made this screwup than a FOSS one because they're as often as not more inclined to give security only an afterthought- and many times features are driven by marketing than any sound design decisions. What we have here is a revelation that security is hard- the feature that was "innocent" should have never found it's way into the code base in the first place. At least not in the very ill-advised method that was used. This is a stupid thing that would've happened either side of the fence on the FOSS/Closed issue. This is because most fools think that security or encryption is "easy" or think that they should add any old sort of "ease of use" features on top of security functions, etc.
Yes, you should try to make it very easy to use- but ease of use should be your LAST thoughts on a security related feature set. It's easy to weaken the security as shown by Heartbleed.
"Many eyes makes bugs shallow" applies not only to people working on the buggy code itself, but also all the developers who use the code. Bugs are almost always almost found because of software behaviour, and in general bugs in closed or open software are equally likely to be discovered by end-users. Bug are far more likely to be found by developers though. Consider some different scenarios: (1) A bug is discovered because following the documentation on how to use some API doesn't work exactly as expected; a really bad bug because behaviour under normal conditions is wrong. (2) A bug is discovered because a developer makes an invalid call to an API and it doesn't error out gracefully; still a bad bug, but most developers are going to correct their code to use the API correctly, and maybe file a bug report if the problem is bad enough to break their software. In case (1) someone is always going to file a bug report, closed or open source doesn't matter. In case (2) is different; chances are a developer isn't going to bother submitting a bug report if the buggy code is closed source, they'll just write some validation around the API call to avoid the bug before it happens. If open source, this validation will probably be submitted as a patch upstream, or at least someone is likely to report the bug. But then there's case (3), heartbleed. What you've got here is a bug that for correct input works, no bug to file, for incorrect input appears to still work, so still no apparent bug, but for incorrect input it does extra stuff you don't know in advance to check for. A developer with a case (3) bug is far less likely to discover that bug. If the library is open, a developer debugging their code might step into the library code and see the problem, slightly increasing the likelihood of the bug being found in open source as compared to closed.
The point is that downstream developers count as 'eyes', and probably make up the majority of those eyes. Because of lower barriers to entry, open source projects when compared to their equivalent closed-source counter parts tend to have many more downstream developers. Even is the case of non-library, end-user application projects, other devs are write plugins, extensions etc. so this remains mostly true. The argument that the eyes don't exist is not true. The eyes may not be looking directly at the code, but the code's behaviour is being tested in a variety of other ways. Case (1) bugs are going to be found and reported regardless of whether the source is open or not. Case (2) bugs are probably equally likely to be found, but far more likely to be reported and fixed if the buggy code is open source if there is a downstream workaround. Case (3) bugs are hard to find either way, but are MUCH easier to fix in the open source world.
After two years in the wild. And apparently *not* by eyeballs on source code. Proprietary or open seems irrelevant to this discovery.
"“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.”"
Given the simplicity of this bug, it's not hard to imagine what the source code for the bug looked like given the behavior. It is also not hard to imagine that upon discovering the unexpected results, the bug was confirmed by looking at the source code. Maybe for this bug, looking at the source code was just a confirmation of what they already knew. For many other bugs, looking at the source code is necessary to efficiently figuring out what the code is actually doing.
I'm not saying that this exact bug was found because it was in open source code. I am saying that it is not hard to imagine how a bug like this would be easier to find in open source software than closed source software.
At my company we use open source software libraries for our commercial products. When we find anomalies, we are actually able to figure out if bugs are in our own software or in the open source libraries we use. In fact, we actually run static analysis tools on every piece of open source software that we use because we care about the security of our own applications. We don't use openSSL, but if we did, we may have actually found this bug. That wouldn't be possible if the source was closed.
I can't find any information about how Neel Mehta discovered the bug.
By looking at the source.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
OpenSSL has no competition at its core competency, so the team really has no motivation to deliver an iteratively better product, apart from their need to scratch an itch. FLOSS software projects tend not to operate in a competitive environment, where multiple OSS products are useful for the same thing and vie for placement. This is probably bad.
I definitely don't agree.
Take any rant against FLOSS, the first thing you'll hear is complaints about "too much choices to pick from".
Sorry, but you can both complain that there's too much choice (hard on the user) and at the same time not enough choice (hard on security).
In the case of encryption, OpenSSL is far from the only present library. Its IS indeed very popular, but it's not the only used library.
GnuTLS is another popular library, which wasn't affected by Heartbleed (not specifically by this bug. It's not without problems, but still).
Mozilla's NSS seem popular with browsers (Firefox and Chrome use it, probably others too -and not only browsers: Pidgin uses it too). Again a different library, popular too
And that's just he major libraries. Then there are ton of others to chose from.
Some written in higher level language (Botan is in C++) and some (I hope, I haven't tested them all) probably using some facilities to abstract away a few pitfall like buffer lengths.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
...Chalk it up to valuable experience...
According to this sort of argument, nothing bad ever happens. The Air France 447 crash will improve pilot training, the Boston Marathon bombing will improve race security...
This point of view gives us no insight in to how to improve things. It belongs in the 'not even wrong' category.
One Google researcher and two Codenomicon researches disclosed this together. Funny how that was left out.
I suspect you meant that sarcastically, but if system software (meaning OS kernels, network stacks, device drivers, etc.) were written in better languages, our computer systems could be far safer and more robust, quality of life could be better, and the benefit to productivity and the global economy could be substantial.
For the computing industry, it is one of the great tragedies of our time that C and its derivatives have become so entrenched. There is absolutely no reason we can't have a systems programming language that offers the necessary low-level control without the limited programming model, error-prone syntax and weak safety features of C.
Unfortunately, it is momentum and ubiquity that keep most of the industry using C and its brethren, not technical merit. The vast ecosystem surrounding C is hard to beat for scale. There is promising work being done in some places, Rust for example, but I know of no practical alternative that is ready for production use today.
Of course, OpenSSL itself isn't running at the level of an OS kernel, so it doesn't need the same degree of low-level access anyway. But there is a wider point here about much more than just OpenSSL.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Seriously, who is "she" ?
Saying Microsoft has better security record is like saying your shit-sandwich has nearly the least shit of any shit-sandwich vendor, but ignore that crazy guy selling sandwiches after washing his hands.
I hope you warned them about March 11th 2004 terrorist attacks in Madrid..
If OpenSSL was not open source, but some black box library from a major vendor, this bug would have never been found and fixed (many Windows or SCADA bugs going unfixed for years ...). Or it would have been fixed in silence, to avoid embarrassment of the vendor, leaving everyone else unsafe.
I don't know what better evidence for open source software being safer do we need. OSS doesn't mean that there are no bugs, but that they get eventually found and fixed by someone, without being left at the mercy of the vendor of the software. This has worked really well in this case.
99% of Arstechnica = trolling TALKERS that haven't achieved squat who altered posts of mine on the arstechnica site itself, AND, on their own personal sites!
They also stalked me all over the web harassing me.
(Pime example thereof = Jeremy Reimer, & his pal Jay Little - BOTH of whom had their website's REMOVED BY THEIR HOSTING PROVIDERS for libeling me, email harassing me, stalking me site-to-site over the web, for YEARS... only to have me uttterly FLOOR THEM over @ Windows IT Pro during "The Memory Optimization Hoax" article where Jay Little, who came there @ Jeremy Reimer's request, claimed he was an "exchange expert" - ONLY TO HAVE ME TOTALLY DESTROY HIM on the fact that Microsoft's own documentation PROVED that memory optimizer techniques & programs can UNHALT stalled Exchange servers - speeding them up when frozen).
They altered posts of mine there as well... they're shit, plain & simple.
IF I AM LYING HERE, then WHY did CrystalTech REMOVE Jay Little's website?
&
IF I am lying here, then WHY did Shaw of Canada put Jeremy Reimer on a TRACKING TICKET to monitor his email harassing me AND kick his website off their servers as well??
Hmmm?
APK
P.S.=> They, like you? Aren't FIT TO LICK MY BOOTS, you libeling little scumbag:
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
... apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
(YOU CAN'T, CAN YOU?)
APK
P.S.=> Obviously NOT as you avoid that like the plague, you done zero BIGMOUTH libeling little troll... apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
(YOU CAN'T, CAN YOU?)
APK
P.S.=> Obviously NOT as you avoid that like the plague, you done zero BIGMOUTH libeling little troll... apk
Which I don't believe considering you spend so much time here it is unreal, first of all. Secondly?
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
(YOU CAN'T, CAN YOU?)
Any IDIOT can 'write words' about programs - me? I actually WRITE THEM, you unskilled bigmouthed whose mouth wrote checks he can't backup LITTLE libeler (like you).
APK
P.S.=> Obviously NOT as you avoid that like the plague, you done zero BIGMOUTH libeling little troll... apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
(YOU CAN'T, CAN YOU?)
APK
P.S.=> Obviously NOT as you avoid that like the plague, you done zero BIGMOUTH libeling little troll... apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
(YOU CAN'T, CAN YOU?)
Changing the parameters now eh TELLLING MORE LIES!
What was said was that I killed the process scheduler here:
http://slashdot.org/comments.p...
SO HOW AM I DOING THAT BY SETTING MY APP INTO HIGHER PROCESS PRIORITIES hmmm?
You're SUCH A BULLSHITTING twisting of words libelous little troll... you're pitiful.
APK
P.S.=> Obviously NOT as you avoid that like the plague, you done zero BIGMOUTH libeling little troll... apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
(YOU CAN'T, CAN YOU?)
APK
P.S.=> Obviously NOT as you avoid that like the plague, you done zero BIGMOUTH libeling little troll... apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
APK
P.S.=> "Run, Forrest - RUN!!! you'll avoid THAT like the plague (per my subject line above) - why's THAT, Zontar, you libelous freak? apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
APK
P.S.=> "Run, Forrest - RUN!!! you'll avoid THAT like the plague (per my subject line above) - why's THAT, Zontar, you libelous freak? apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
Work? YOU call what YOU CLAIM to do, work?? LMAO... a child can write words (even about programs)... can you write decent programs though (like myself)??
LOL - HELL NO!
APK
P.S.=> "Run, Forrest - RUN!!! you'll avoid THAT like the plague (per my subject line above) - why's THAT, Zontar, you libelous freak? apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
APK
P.S.=> "Run, Forrest - RUN!!! you'll avoid THAT like the plague (per my subject line above) - why's THAT, Zontar, you libelous freak? apk
...get back to me in 100 years.
"The wisdom of the Patriarchs was that they *knew* they were fools." --Master Foo
"... To Stop it. The process has already begun. I receive no pleasure in this. It is simply the only logical solution... - Ultron 6 FROM -> http://www.youtube.com/watch?v...
THUS:
"Shutdown code, rejected: My programming ( http://start64.com/index.php?o... ) has advanced beyond YOUR commands: Beyond YOUR weakness" - Ultron 6 FROM -> http://www.youtube.com/watch?v...
* Not a DAMN THING you can do about it - as you trolls most CERTAINLY can't disprove my points on hosts files giving users of them added speed, security, reliabliity, & anonymity online - period.
(You know it, I KNOW IT - heck, anyone reading with 1/2 a brain on /. the past 2-3 yrs. now does as well, seeing you trolls harass me to no end - only to end up with EGG ON YOUR FACES being unable to disprove 17 points on the benefits noted above @ the download link to my program above)
APK
P.S.=> It quite simply CAN'T be done - why you would do that, used to boggle my mind. It's a good program, that does the job & offers EXACTLY the benefits I extoll here & enumerate in its download link. HOWEVER - It doesn't anymore.
You're either malware makers/botnet masters (since I block them out refreshed daily from 12 reputable & reliable sources in the security community), advertisers (obviously, I block their ads which steal your speed you PAID for & infect you too with malicious scripts quite often + track you), inferior competitors (Ghostery/AdBlock/RequestPolicy), or webmasters (who are pissed off I block their ads - well, those have been getting exploited, & I held off on letting my app out (not anymore after that)) & it isn't "Souled-Out" INFERIOR either (doing far less & not as well) like SOME browser addons (Adblock & Ghostery) & it also shores up security faults in DNS & speeds up resolution of your fav. sites you hardcode in it (faster than remote DNS lookups + secures you vs. DNS request logs + DNSBL) too - multiple bonus!...
.. apk
The issues, whether it be closed / proprietary or open source is two fold:
1) Competency of the person writing the code or making the design changes.
2) Competency of the person who is reviewing the work to understand potential issues surrounding the design and, as applicable, the implemented code.
A developer SHOULD never be a final reviewer of their own work. They can double check their work, clean it up, verify it meets coding standards.. But, ultimately, it comes down down to the one or more competent reviewers to study the work.
When one writes a paper or a long-winded post and try to review our work immediately after it is written, the brain will, by nature, fill in the gaps. If you have to critically review your own work, walk away for a day or two and then come back and tackle the assignment. You will be amazed at the errors you missed before.
FOSS is not any more safer than proprietary code if nobody who understands has the capability to understand the code and issues actually looks at it critically. A few years ago, the OpenSSL team achieved FIPS 140-2 compliance which was a major undertaking and achievement. I haven't yet checked, but did the version affected by Heartbleed pass FIPS 140-2 certification as a cryptographic token? Or, did they never resubmit the code for recertification? I would suspect it was never resubmitted as the cost for certification is too high. Had it been done, this MIGHT have been exposed long before now.
What WAS done correct was the rapid response once the problem was identified. This is something that corporations may drag their heels on as there a legal and financial repercussions when a vulnerability is found - even worse with an live exploit in the wild. They have to perform a risk analysis (on all levels) and determine if a fix is to happen at all. At the same time, corporations that rely on any system without a service level agreement that covers such issues take a major risk. This is where reliance on FOSS can bite you and why many corporations still maintain critical systems on proprietary operating systems and commercial software.
"I don't HAVE to say that your Hosts File Engine is crap." - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @02:45AM (#46764647)
You're more than welcome to disprove the 17 enumerated points here I list that give users more speed, security, reliablity, & even anonymity then http://start64.com/index.php/6... and show us YOU CAN WRITE A BETTER ONE, libeler (see my ps below, & backup your libel there too loser).
---
"Your app doesn't do anything that any text editor with basic regular expression support can't do better already, and do so WITHOUT pegging a 4-core CPU." - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @02:45AM (#46764647)
For starters:
Didn't know those could do a REVERSE DNS lookup and speed up your favorite websites (by resolving using the 1st lookup too, hosts, locally - which is FAR faster than calling out to a remote DNS since hosts is cached in RAM).
My program does... do they?
(YOU FAIL again, libeler)
"And there is NO WAY IN HELL that I'm EVER going to let such an abomination override the OS task scheduler on any system I administer. That's just insane." - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @02:45AM (#46764647)
LMAO - CHANGING WHAT WAS SAID HERE ERRRONEOUSLY NOW Zontar?
http://slashdot.org/comments.p...
SO HOW AM I DOING THAT BY SETTING MY APP INTO HIGHER PROCESS PRIORITIES hmmm?
APK
P.S.=>
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
... apk
>As Eric Raymond famously said, 'given enough eyeballs, all bugs are shallow.'
He doesn't say they don't exist. Look at how fast it was patched though. Microsoft would have taken months.
The simple fact is that Heartbleed was caused by a mistake that any programmer, paid or unpaid, free or proprietary, could make. The entirety of the code commit was freely available for anyone to look at at any time, increasing its audience beyond that of closed-source code. Just because no one managed to catch it prior doesn't mean that open source is not safer. In fact, if it had been closed source, the exploit could very likely have remained unnoticed for much longer.
WHY were their websites removed by hosting providers @ CrystalTech & Shaw?
ANSWER THAT.
Is it perhaps since ARSTECHNICA = libeling trolls just like YOU? Figures you'd use your FELLOW LIBELERS to "back you up" but it's ineffectual
---
Changing the parameters now eh TELLLING MORE LIES!
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
SO HOW AM I DOING THAT BY SETTING MY APP INTO HIGHER PROCESS PRIORITIES hmmm?
You're evading where you FUCKED UP again, & telling LIES about it now? LMAO... you fail.
APK
P.S.=>
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
You said my "APK Hosts File Engine" is a virus/malware http://slashdot.org/comments.p... but it's EASILY PROVABLE it's not, right there in that link too.
Now PROVE YOUR FALSE ACCUSATION above: Show me a quote OR POST of me posting off topic on hosts where they did NOT apply... go for it!
You'll "Run, Forrest: RUN!!! as usual from THAT... why is THAT Zontar? We KNOW why (libeler)... apk
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apkview=article
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
The same argument can be applied to government. Just because all laws are visible to the public doesn't mean we don't ever put and keep bad laws in effect. The solution to bad laws is not hiding them, it's more publicity. Similarly, more review on each commit would help the OpenSSL project.
``OK, so ten out of ten for style, but minus several million for good thinking, yeah?''
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Same reasons I did well with UltraDefrag64 suggesting it to them & they put me in its credits no less (good program) - soon I'll be adding a 100 part 'breakup' of large intake data to make it even FASTER (along with doing what PeerBlock does, albeit MINUS adding "more" parts in layered drivers, by simply populating an existing tool that works, like hosts, in the Windows firewall, with known bad IP addresses & any the users wants to add (like I did with the 100's of things connecting to YOU here on /. - none of them slow me down, track me, or serve scripts to me either unlike you, dumbass... see subject-line above, lol!).
NOW:
Quit running away from producing the REST what's asked of you -> http://slashdot.org/comments.p... since you've FAILED this part badly - changing words you used now stupid? WEAK & STUPID... just like you.
APK
P.S.=> Oh, so NOW it's "subverts", eh? No stupid, it's using the process scheduler subsystem to do so dumbass:
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
... apk
Why are you so adamant that it was not "eyeballs". So they fizzed their own infrastructure and found the issue. The article you posted is scant on the details if the tool and a google search did not turn up any salient details on the tool. From the description it appears to be black box testing SSL/TLS for obvious overruns.
And such testing would find such a bug equally well in proprietary or open source code. It seems fairly clear that the bug was not discovered by someone reading the source code, despite the code being available for two years and the code being absolutely critical to networking.
The value of many eyeballs is often exaggerated. Few users are developers. Few developers are qualified readers.
At my company we use open source software libraries for our commercial products. When we find anomalies, we are actually able to figure out if bugs are in our own software or in the open source libraries we use. In fact, we actually run static analysis tools on every piece of open source software that we use because we care about the security of our own applications. We don't use openSSL, but if we did, we may have actually found this bug. That wouldn't be possible if the source was closed.
That is not true. At past jobs where we used proprietary libraries in our commercial products, I always advocated for buying the more expensive source licenses rather than the less expensive binary only licenses. We even chose vendor A over vendor B due to A have a source option and B not having one. Fortunately all the libraries we used had source options, obviously YMMV. Management was always reluctant until we found and resolved problems in these proprietary libraries just as you describe doing in open source. Management quickly became believers in buying the source licenses so that our fate was not in a 3rd party's hands.
Proprietary or open seems irrelevant to this discovery.
You can't make such conclusions from one bug.
Good thing I was commenting on only this one bug. That said, one can absolutely make the statement that fuzzing and other penetration testing works equally well on proprietary and FOSS code. The binary being tested doesn't care about the nature of it license.
Bugs will happen, and bugs will go unnoticed. The question is about whether the open source nature of a piece of software decreases the frequency of those events.
No one is arguing whether bugs will occur and go unnoticed. What is being argued is that the value of the "many eyeballs" concept is often exaggerated. Few users are developers. Few developers are qualified readers.
I'm sure the NSA wishes we were using more proprietary tools, however.
Well, since you asked:
Currently that's 5 Insightful mods, 1 Overrated, and 1 Troll.
I start at 1 when logged in, and I get an extra +1 for having excellent Karma.
What's "Karma", you ask? That's something you don't really need to worry about, since you are too big a coward to create an account and log in to it before posting, and even then, you need to post stuff that people think is useful, informative, insightful, which you don't seem capable of doing, so my advice is not to bother.
Il n'y a pas de Planet B.
You started your own janitorial service? Congrats.
Il n'y a pas de Planet B.
Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
You're a TRUE coward (& libeler): Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them?
NO - now as anyone can see? You're REDUCED to illogical ad hominem attacks instead... - like the lousy useless unskilled TROLL I've proven you truly are... lol!
... apk
A shithole like DemonWare perhaps?
Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Apparently you've figured out that I don't want or need to post AC in response to your trolls, APK.
I've been having a field day finding your slimy little trails all over the Internet and exposing you for the lifelong spammer, bully, troll, crapflooder, and liar that you are.
Why should I not want to receive credit for unearthing all these wonderful facts about yourself that you've been leaving lying about for the last decade or more?
Besides, it's been giving me something to take my mind off cigarettes--I decided to quit on Monday after being a smoker for 30+ years.
This is working out really well for me, too--every time a I get a craving for a smoke, I just hit the Google again and find something new to smoke you with, instead. :D
Or maybe next time I'll switch to Bing and see what they've got on you, as well.
Il n'y a pas de Planet B.
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Safer != Perfect
But it's not safer. It's less safe.
It also does not help when you have large commercial institutions RELYING on the source code in a security critical role under constant attack by well-funded adversaries, AND the developers of said open source code are so pitifully underfunded, AND the commercial proprietors that cause said open source library to become a high-value target are only willing to invest in features, and not improvements that would lead to better quality and lesser likelihood of serious bugs.
And so the excuse making comes.
No, the "for many eyes all bugs are shallow" did not really fail.
The OpenSSL with TLS heartbeat shipped in November 2013 in most of the major distributions. The bug was found and reported on April 3rd 2014 by Codenomicon, and by a sheer stroke of completely innocent happenstance and magic Google security found out about it and reported it too. The bug was reported and fixed extremely fast, in April 2014.
No closed source software can pull anything like this off, they usually take a week or two to sync up and to man the project team, sit in meetings, organize an acceptance within the organization, sit in meetings, start investigations, prepare damage controls just in case, calculate fix/no-fix, sit in meetings, implement something, sit in meetings, review the changes, tick the boxes, redo the documentation layouts for new corporate color scheme, sit in meetings, and so forth.
Yes, the commit was made years ago, but basically very, very few were using it since it wasn't packaged by distributions. There is not a million eyeballs staring at a dev branch of some open source project. The major release branches get users and thus eyeballs.
No question the heartbleed thing is a huge and embarassing problem.
The biggest of the internet era. Only outdone by the Y2K category of bugs.
And the origins of both are optimisations which are no longer necessary. For Y2K, back in the day saving 2 bytes repeatedly mattered. And for C, back in the day, saving a bounds check mattered. (And on top of that the Open SSL term believed creating their own malloc mattered.) Nowadays none of these optimisations are worth it. They should all be long gone.
It's everybody's failure that C hasn't been replaced as a systems programming language. It's ought to be a footnote in history by now.
Hahahaha Zontar downmods (sockpuppets) your post to try hide it. Good luck on a +5 post of his he got publicly fried in and all of Zontar's sockpuppets he used to mod up his own posts (and yours down that expose him) like TrollingForHostsFiles http://slashdot.org/comments.p... can't help him now.
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Quit running away from producing what's asked of you. Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
That's all.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
You say my program's useless?
Ok:
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
My program's in usermode. ProcessScheduler is a kernelmode subsystem.
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO, no less!
(Arstechnica - Where they edit & alter others' posts that knock them out as I did repeatedly showing they are like YOU - mere talkers or writers, no actual programs to their credit, lol)...
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
"Nobody clicks on THE links" - by Anonymous Coward on Tuesday April 15, 2014 @06:52PM (#46762013)
Now WHAT was that you said Zontar? You clicked on it Zontar.
APK
P.S.=> Keep running from this (it's YOUR funeral) -> http://slashdot.org/comments.p...
"One word for you: Microsoft. Maybe two: Adobe."
I find it interesting that in defending closed source you cited the two worst offenders for security breaches in the tech world. It can be safely assumed that any internet connected product running Microsoft and Adobe products is infected by multiple malware and spyware applications even without the involvement of state run organizations.
One problem I see that is huge is in where it affects Android. It is an unfortunate reality that phone makers do not want to update or patch their phones as they would rather sell people new phones and carriers would rather extend contracts. So yes, perhaps I did understate it a bit.
There needs to be a push for phone makers to update their firmware NOW.
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity if my program's useless http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Um wasn't this bug non-existent in the versions released after this two year old version of openSSL? My 14.04 install didn't get patched, didn't have to, it never had it affected version. Updates people, do your dam updates!
On, NO, they found a serious bug in a FOSS package, Oh NO, the proprietary fanboys are saying that the Sky is Falling! Meanwhile, a fix comes out on the day that the advisory is issued and the patch to the library is on several repositories that day. On April 7, the day of the CERT, Debian had a patch to the openssl livrary.
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us all a post where I put up material on hosts where it doesn't apply & is OFF TOPIC.
You can't, obviously, can you? Nope... lol! That makes YOU a lying bullshitter.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
You also said MY program is a virus?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I have destroyed, like I am destroying YOU loser (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler to make his process run faster." - FROM -> http://slashdot.org/comments.p...
Again: How would the process scheduler be turned off by doing that?
APK
P.S.=> Can't get out of your crap now, can you? Nope... same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
Funny:
You can't seem to explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I am "so bad", why did THAT happen to them? apk
Have you heard of an old cliche that goes "learn from your mistakes". By your logic, no errors can ever be made and learned from.
"SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
I just wiped my linux box and installed windows 8.
Cause, I figured, how much worse could it be?
Thank God, I won't be wasting my time compiling stuff from "trusted sources anymore.
Seriously, wtf is that all about anyway?
Can you imagine how foolish us guys feel after taking this ssl tarball from hell and forcing it in to our system?
Problem is there are to many freeloaders who will pick stuff right out of your trash as long as it's free.
I have a much higher sense of self worth since i got rid of this crap.
True freedom is buying whatever you can afford instead of listening to Stallman for 30 years.
Even the French prefer windows over Mandarin Linux.
Mandarin Linux - what's up with that?
Um wasn't this bug non-existent in the versions released after this two year old version of openSSL? My 14.04 install didn't get patched, didn't have to, it never had it affected version. Updates people, do your dam updates!
14.04 pre-releases were vulnerable. Perhaps you are confused because the release version of 14.04 LTS, built days after the fix and to be released tomorrow, is clean.
In the age of contracting, outsourcing, offshoring, etc. most proprietary software is actually pretty exposed..
Saying Microsoft has better security record is like saying your shit-sandwich has nearly the least shit of any shit-sandwich vendor, but ignore that crazy guy selling sandwiches after washing his hands.
So, how many consumer desktop/laptop/tablets/phones run a *nix distro that isn't from Google or Apple?
Have they hit 1% yet? No? There's a reason for that and it's not 'because they're too awesome'.
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I destroyed, like I am destroying YOU (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk/b
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I destroyed, like I am destroying YOU (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
Have you heard of an old cliche that goes "learn from your mistakes". By your logic, no errors can ever be made and learned from.
What we have here is a failure to learn from previous mistakes - this bug violates a number of basic principles in the development of secure software, and most of those principles were derived from hard experience.
I will agree that there is one thing to be learned here: The phrase "with enough eyes, all bugs are shallow" is simplistic wishful thinking, and potentially dangerous if mistaken for a realistic verification policy.
I didn't READ the comment. Seek proFESSional help.
I just wanted to chip in and remind you that the real world do have people who don't engange in opionionated debates and can deduce logic from statements. Cheers! Don't be depressed when people seem stupid, it's just the stupid crowd that talk a lot louder. Hang in there! :)
I am planning to reveal my slashdot account to him in due course (that's right APK - you're going to get a new, named target soon). For now, I follow the show from a distance and have found a number of your posts to be very entertaining, so thanks for that :)
-- The Seek Help Troll - advising APK on mental health since 2007
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I destroyed, like I am destroying YOU (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I destroyed, like I am destroying YOU (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk since YOu say my program's "crapware"
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I destroyed, like I am destroying YOU (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I destroyed, like I am destroying YOU (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I destroyed, like I am destroying YOU (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I destroyed, like I am destroying YOU (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
I disproved that too here WITH PROOF FROM A RELIABLE & REPUTABLE SOURCE IN THE SECURITY COMMUNITY who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
http://slashdot.org/comments.p...
(Which I always produce from reputable sources, NOT fellow "trolls" whom I destroyed, like I am destroying YOU (see ps below)):
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
You prove it again, second time. You think it's cool to troll with sockpuppets? Clue, it's not.
You've been called out. I'm waiting for you to explain your quoted libel here http://slashdot.org/comments.p...
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
Ok: CONTRARY PROOF from a REPUTABLE security community source http://slashdot.org/comments.p... who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
Ok: CONTRARY PROOF from a REPUTABLE security community source http://slashdot.org/comments.p... who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
You said by turning up cpu priorities in my program I am turning off the processscheduler?
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
Ok: CONTRARY PROOF from a REPUTABLE security community source http://slashdot.org/comments.p... who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
---
"He's effectively turning off the Windows process scheduler" - FROM -> http://slashdot.org/comments.p...
Question:
How would the process scheduler be turned off by doing that?
APK
P.S.=> Same with using arstechnica as your backers - BIG mistake!
I annihilated arstechnica, & outside their private playpen where THEY STALKED ME TO @ Windows IT Pro forums http://slashdot.org/comments.p... , no less!
You can't explain WHY Jeremy Reimer and Jay Little's websites were removed by CrystalTech &/or Shaw CA hosting providers
IF I'm "so bad", why'd THAT happen to 'em? apk
Proof's in Jay Little's OWN WORDS below, quoted, that he never denied & in fact, AFFIRMED!
PERTINENT QUOTES/EXCERPTS:
---
Jay Little being kicked from CrystalTech.com:
"I asked Jay Little to run this by Dr. Russinovich in fact, lol, & he never tried it again. He OUTRIGHT RAN, & especially after CrystalTech.com removed his website for libel & death threats directed my way! ******* "IM NOT REMOVING THE CONTENT. I HAVE HOWEVER BEGUN HOSTING MY WEBSITE ELSEWHERE." - jaylittle - March 31, 2005 & "This battle with APK has taken it's toll I am afraid." - 4/2/2005 7:47:38 AM jaylittle @ www.jaylittle.com ******* So did petitiononline.com as well for the same childish 'geek angst' that FATBOY Jay Little (no dick type, you know, an obese monstrosity) tried: Jay, learn a bit out IRQL_LESS_THAN_OR_EQUAL_TO, buffer overruns/underruns" FROM-> http://windowsitpro.com/system...
AND
Jeremy Reimer being places on a tracking ticket by his ISP, Shaw of Canada:
"Thank you for your report. Please advise the sender to cease & desist this unwanted communication w/ you & keep this record. If further messages are received after that, we can investigate this further & we will act accordingly. & Hello Mr. Kowalski, we have added this evidence to Jeremy's tracking ticket... Regards, Acceptable Use Policy Management Team Shaw High-Speed Internet Service Shaw Cablesystems G.P. 2400 - 32nd Avenue N.E. Calgary, Alberta, T2E 9A7" FROM-> http://windowsitpro.com/system...
---
For starters!
(Which, as anyone can see, Neither Jay Little OR Jeremy Reimer DENY that happened to them - being kicked from their hosting providers for stalking, email harassing, & libeling me on their websites (and other places online)).
* Want emails from CystalTech, ENom, Shaw too? Just ask & "ye shall receive"... now, "eat your words" yet again, you libelous little scumbag!
APK
P.S.=> You FAIL, yet again Zontar the Mindless (libeling troll that you are)... apk
Or you could start using Mozilla NSS (mod_nss). Not only independently written, it also aggressively protects private keys unlike any version of OpenSSL/SSLeay does.
Kriston
"Your hosts file app is SPYWARE, dude." - by Zontar The Mindless (9002) on Wednesday April 09, 2014 @02:43AM (#46702387) FROM -> http://slashdot.org/comments.p...
You said MY program's a spyware?
Ok: CONTRARY PROOF from a REPUTABLE security community source http://slashdot.org/comments.p... who hosts my app (malwarebytes hpHosts) which you are FREE TO VERIFY by email if you like as MY proof!
Now: Is YOUR SOURCE Computer Associates REPUTABLE? See here http://www.bing.com/search?q=c...
---
"for a crapware host files app that nobody in his right mind wants to allow anywhere close to his system" - by Zontar The Mindless (9002) on Wednesday April 16, 2014 @12:24PM (#46769393) FROM -> http://slashdot.org/comments.p...
You say my program's crapware?
Disprove 17 points here showing hosts give uses more speed, security, reliability, & anonymity then since YOu say my program's "crapware" http://start64.com/index.php?o...
---
"You barge into discussions with your off-topic hosts file nonsense" - by Zontar The Mindless (9002) on Friday April 11, 2014 @09:51PM (#46731153) FROM -> http://slashdot.org/comments.p...
Show us a post where I put up material on hosts where it doesn't apply.
You can't, can you? Nope - That makes YOU a liar.
APK
P.S.=> You FAIL, sockpuppeteer troll...
... apk