Slashdot Mirror


User: jhol13

jhol13's activity in the archive.

Stories: 0
Comments: 1,382

Comments · 1,382

  1. Re: Maybe, maybe not. on Obama Administration Says the World's Servers Are Ours · · Score: 4, Interesting

    Suppose that the data resides in Switzerland (Swiss privacy laws prohibit moving data overseas - don't know exact details, but the idea should be obvious). Suppose the credentials to give the data are only in the hands of a Swiss administrator - no American has access to the data/server/credentials in Switzerland. In this case no matter who in the company orders to give him the credentials, the administrator in Switzerland cannot give them or he would be breaking the Swiss law.

  2. Re:How is that the security industry's fault? on The Security Industry Is Failing Miserably At Fixing Underlying Dangers · · Score: 1

    [...] we refuse to accept old, working stuff.

    To me the situation has been exactly the opposite. I had a job where I had to fight to get old crapware rewritten because "it provably works" (although it has e.g. access after "free"). I have never seen an old software that would work with the new requirements in the new environment. Quite contrary, old software slowly but surely deteriorates with #ifdefs, code nobody dares to remove, hacks that just happen to work as they change timing, you name it. Just like good-old OpenSSL.

    Same with bridges btw, 20th century bridge would hardly suffice today (price, time to build, etc.).

  3. Re:What's the solution? on The Security Industry Is Failing Miserably At Fixing Underlying Dangers · · Score: 1

    But the companies exist solely to make profit to their owners. Which means "time to market", which means "security is not an option - until it is really needed".

    For example, I am certain that 99% of Facebook/Twitter/... users don't give a shit how secure it is - especially as they know NSA has unlimited and unaccountable access into it.

  4. Re:This is awesome on New OpenSSL Man-in-the-Middle Flaw Affects All Clients · · Score: 1

    Wrong. Open source can provide advantages, but only if all processes etc. are followed. Most often they are not.

  5. Re:This is awesome on New OpenSSL Man-in-the-Middle Flaw Affects All Clients · · Score: 1

    So what you are effectively saying is "we (foss) did a great job, let's pat each other on the back! Then let's continue our marvellous path of joy and glory".

    (translation: we, the cowboy coders, are totally ignoring fatal problems in processes and attitude and won't fix them 'cause we "are better". if the sarcasm was lost in translation, your bad).

  6. Re:This is awesome on New OpenSSL Man-in-the-Middle Flaw Affects All Clients · · Score: 1

    First, I detest the excuse "some one is worse - or at least you cannot prove it is not, therefore we are actually quite good!"
    Then, I call bullshit. Closed source do get "CVE'd" and the companies can be held liable. Foss developers cannot be sued (and get as much money as from G/M/A/...).

    But do continue with the same attitude. After next exploit, and 10 more later, just say "yes, someone out there is worse, especially now as we have fixed ALL known vulnerabilities". Although the new version out next month will probably introduce more new holes than what were fixed.

  7. Re:This is awesome on New OpenSSL Man-in-the-Middle Flaw Affects All Clients · · Score: 1

    I knew this excuse would be used again and again, long before Heartbleed. I complained loudly (see my history) for your thought to be fatally flawed.
    The problem is, that this kind of thinking generates more holes than fixes.

    But then, I think you were sarcastic and the moderators missed it.

  8. Re:Neat on New OpenSSL Man-in-the-Middle Flaw Affects All Clients · · Score: 1

    Speed limits are overly conservative, and it is entirely possible to drive fast and drive safely. [...]
    I don't pay much attention to speed limits. [...] slowing down when there is additional risk. Additional risk includes [...]

    You are a dangerous idiot. Quite often the speed limit is not to protect you, but others. Quite often the (low) speed limit is due to "additional risk", a risk that might be difficult or impossible for the driver to see. Which you have decided to neglect, because you think you are a "better driver". Hint: your reaction time is most likely not significantly smaller than others.

  9. No, that is not what they are after. They want you to pay for the information.
    So that you would not get it freely from "illegal" or "gray" (hard to say whether illegal or not) sites.
    So that if you do, they can send you the "600€ or face prosecution" -letter.

  10. Re:His 'role in the site' on Pirate Bay Co-Founder Peter Sunde Arrested In Sweden · · Score: 1

    "taxi driver is thinking"

    This is exactly my point. And you missed it.

  11. Re:His 'role in the site' on Pirate Bay Co-Founder Peter Sunde Arrested In Sweden · · Score: 0

    If I have understood correctly, in (some parts of?) USA, if you drive the getaway car in a bank robbery and someone dies, you will be charged (and probably convicted) of murder. Although, in a way, what you did is nothing more than what a taxi driver does. Right?

    Get real!

  12. Re:Style over substance on Apple Confirms Purchase of Beats For $3 Billion · · Score: 1

    I have never, and never will, understand the Coke-phenomenon.
    To me all colas are "too strong", they kill the taste of food - so they cannot be drunk with food. But still people do. For thirst - no, again, too much sugar or other sweeteners, it does not take the thirst away. But still people do.

    By far the best drink is tap water, for thirst and with most foods (unless you fancy a nice beer or wine, but that is different story entirely).

    Apparently there are even cola-connoisseur like you (not that there's anything wrong about it).

    Don't get me wrong, I occasionally do drink a soft drink, but that is mostly to get some sugar into blood stream.

  13. Re:The Problem Isn't "Free Speech vs Privacy" on The US Vs. Europe: Freedom of Expression Vs. Privacy · · Score: 1

    Newspapers have editors who can be kept responsible for the content in the newspaper, search engines do not.
    Then EU does have "government", "police", "judicial system" and "newspapers" as separate entities unaffectable by others (government cannot directly control police, judicial system or newspapers, neither can police control any of the other entities, and so on).

  14. Re:Its easy to be critical on 30-Day Status Update On LibreSSL · · Score: 1

    We should not stop bashing OpenSSL, ever (although I do admit it is "product of the community").
    Just to remind people that this kind of development is not acceptable, not "even" in FOSS world.

  15. Re:need to get over the "cult of macho programming on How To Prevent the Next Heartbleed · · Score: 1

    The allocator was never "100% necessary". It might have been advantageous in some systems, but in the vast majority of systems it has never been more than a hassle. Then when they made the OpenSSL unworkable without their allocator - or rather without the undocumented behaviour their allocator happened to have, they should have removed it immediately. But no, they were macho, they thought "we know better".

  16. Re:need to get over the "cult of macho programming on How To Prevent the Next Heartbleed · · Score: 2, Informative

    This problem was caused by a simple missed parameter check, nothing more. Stop acting like the cultural problem is with the developers when it is with the leeches who consume their work.

    I do not believe you. If this were an isolated case, then you'd be right. But no, this kind of "oops, well now it is fixed" things happens all the time, over and over again. The culture of the programming never improves due to the error - no matter how simple, no matter that it should have been noticed earlier, no matter what.

    I am willing to bet that after next hole the excuses will be the same "it was simple, now it is fixed, shut up" and "why don't you make better, shut up" or just "you don't understand, shut up". And still the cowboy-coding continues.

    This was caused partially by unchecked parameter (this should have never happened, there is no excuse for it), partially because the idiots used their own allocator which created the covert channel and prohibited the use of malloc-debug libraries. Libraries which would have found the error - again this should not have happened.

    But then, maybe I just should shut up ...

  17. Re:need to get over the "cult of macho programming on How To Prevent the Next Heartbleed · · Score: 1

    You forgot NIH. OpenSSL used its own allocator, the most positive thing I can say about that is "totally idiotic". AFAIK nobody is removing it ...

    Furthermore, C is insufficient language for a security software (C++ when properly used barely acceptable, managed languages much better).

  18. Re:It's time we own up to this one on NSA Allegedly Exploited Heartbleed · · Score: 0

    "less clear"?

    Less clear my ass! I'd say there is no leadership in the project, unless "FUD" (fear of it breaking something) is called "leadership". But then as you say, "nobody cares".
    If the code is as you describe, the whole shebang should be rewritten from scratch using higher level managed language. Any managed language would have prevented the information leak although probably not the unchecked value.

  19. Re:This seems plausable on NSA Allegedly Exploited Heartbleed · · Score: 1

    I challenge anybody to review it and find (or notice) the bug.
    My point, once again, is: C should not be used for security sensitive programs, we should start using managed languages.
    I know, won't happen, because people are lazy and won't learn. Yet again we will think that this fix solves everything, that now OpenSSL is fixed. Which it most likely is not; I would be really surprised if there are no holes KNOWN (to some Russian, Chinese, Israeli, USA, ... agency, or mafia).

  20. Re:I think this is bullshit on Brendan Eich Steps Down As Mozilla CEO · · Score: 1

    Are you saying I do not have the right to say "Eich must be fired" or "please support my view" or "I will use another browser"?
    Any of those or all together or where is the line?
    AFAIK nobody has threatened him or other people, have they?

    Note: I personally have no opinion whether Eich should step down or not.

  21. Re:I think this is bullshit on Brendan Eich Steps Down As Mozilla CEO · · Score: 1

    Close but no cigar.
    Suppose that "we" hold a democratic election whether gays should go to jail. Now, suppose over 50% vote "yes, they must".
    I cannot ever agree with "you don't get your way". Even minorities, i.e. a bunch of individuals as you put it, have rights. Rights which are more important than "democracy". After all, we don't keep elections whether OJ is guilty or not, and I sincerely hope we never will.

    Whether Eich's view is "popular" or "mainstream" does not make it less appalling. Today "war on terror" has huge popularity, like McCarthy before, and so on.

  22. Re:A simpler cure on Daylight Saving Time Linked To Heart Attacks · · Score: 1

    And since it takes me a few days to adjust to getting up 1 hour earlier (the norm is only 1 day per hour), I miss an hour's sleep for a few days after the clock change.

    This is something I just cannot understand.

    First, the human internal clock is not 24 hours. Second, the sunrise and sunset move by an hour in two to three weeks (depending where you live), so it cannot be Sun related (not that you claim it is - but some do). Third, if you move to different time zone, say two hours off, you will notice pretty much nothing in the next day. Fourth, in the Autumn nobody claims they "must go to bed and wake up hour early" or "clock is off for weeks".

    So I do not claim you do not have the problems you mention, but I think it is more because you look at the clock "I cannot go to sleep this Sunday earlier than one hour late".

    BTW, AFAIK melatonin is not addictive, whether it helps or not - I wouldn't know.

  23. Re:Did the accident rate increase? on More Than 1 In 4 Car Crashes Involve Cellphone Use · · Score: 1

    No, the main question is whether phone usage increases the likelihood of an accident or not (and if it increases, how much). This is testable at least in simulated environments - if not already done.

    But then, we both know what the study will show.

  24. Re:Bad Analogy on Cryptocurrency Exchange Vircurex To Freeze Customer Accounts · · Score: 1

    Track record this far is ... can I use Enron as an adjective?

  25. Re:Damnit on Java 8 Officially Released · · Score: 1

    I'd be really surprised if most of the incompatibilities were not bugs in the code itself (or libraries as you point out). Far too many a program rely on some undefined behaviour, and when it changes, you are screwed.