Unions do the exact same thing, why isn't that collusion? I see no issue with a bunch of companies agreeing not to engage in a poaching war.
The rules for Unions are different. Would you have the same attitude with your 5 year old drinking and out til 3AM than a 22 year old? The rules for the companies is that it's collusion. They did something they weren't supposed to.
As to why, it's like the offside rule in soccer/hockey. The rule itself doesn't make much sense if you think about it by itself (why not let people charge on breakaways) but it has side effects (fewer forwards up, more guys back on defense, even FEWER goals, if that is possible with the top tier teams).
One company/corporation has a lot more power than an individual. A union does some work to make the power a bit more equal. But if you get corporations colluding, the power goes back to the corporation. Side effects? No growth in wages. No increased purchasing power (remember that the US economy is 70% consumer based, the bulk of that money comes from wages). People doing odd borrowing to maintain a standard of living (thinking of your home as a piggy bank is due to stagnant wages, and was a part of a great Economic Collapse). Squelching of wage increases has a lot of negative consequences, at least you can trim the illegal parts out.
..but only Google Play supports that, not third-party app stores. I haven't looked into other app stores, and now it's less likely I will.
With the pushing back on Samzung/Tizen, and new Google Silver program, Google seems to be trying to tighten up. The fact that growing Android with more chipsets has a side effect of making Google Play more central to the experience will make some Mountain View folks very happy.
as others have said, i'd call bs until i heard a model associated with this. Did you buy it new? off Ebay?
my wife's iPhone 4 is close to 4 years old, can run iOS7 (though never get ios8) and gets security updates.
Apple sees value in the software ecosystem. They want everyone on the latest OS so you can buy more apps from the Apple store. Google wants to sell you ads. The difference in perspective is why I lean iOS,
As many times DOS/Windows has been burned by bad design (Explorer hiding extension yet action dependent on extension being a big one) the lack of functionality helps it here. The * is not interpreted by the shell, but by the app. It sees a *, and does a library call to do the glob. So there's no chance of it being interpreted as a flag. My guess is that DOS was so restricted in memory, that executing a glob may have blown the stack, much like we use xargs on UNIX when a fileglob is too much.
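The contrast drawn in the comment above, seen from the Unix side, as an added example that is not part of the original post: the shell expands `*` before the program starts, so a file named `-l` reaches the program as an option unless the caller uses `--` or a `./` prefix. The file names and helper functions are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the fixture file names below are constructed.

# Build a scratch directory holding two ordinary files and one file whose
# name looks like a command-line option.
make_fixture() {
    dir=$(mktemp -d) || return 1
    : > "$dir/-l"
    : > "$dir/a.txt"
    : > "$dir/b.txt"
    printf '%s\n' "$dir"
}

# Report how many of the given arguments a getopt-style parser would take
# as options: anything starting with '-' that appears before a literal '--'.
count_option_like() {
    n=0
    for arg in "$@"; do
        case $arg in
            --) break ;;
            -*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Number of lines a real ls prints for one style of invocation.
# $1 = directory, $2 = style: bare | dashdash | dotslash
ls_lines() {
    (
        cd "$1" || exit 1
        LC_ALL=C; export LC_ALL        # stable glob ordering and output
        case $2 in
            bare)     ls * ;;          # shell hands ls: -l a.txt b.txt
            dashdash) ls -- * ;;       # '--' ends option parsing
            dotslash) ls ./* ;;        # no argument can start with '-'
        esac | wc -l | tr -d ' '
    )
}

# Stand-alone demonstration.
demo_dir=$(make_fixture)
echo "option-like args with *    : $(cd "$demo_dir" && count_option_like *)"
echo "option-like args with -- * : $(cd "$demo_dir" && count_option_like -- *)"
echo "option-like args with ./*  : $(cd "$demo_dir" && count_option_like ./*)"
echo "ls *    prints $(ls_lines "$demo_dir" bare) lines (the -l file became a flag)"
echo "ls -- * prints $(ls_lines "$demo_dir" dashdash) lines"
echo "ls ./*  prints $(ls_lines "$demo_dir" dotslash) lines"
rm -rf -- "$demo_dir"
```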
I did some web stuff in the year 2000, back when PayPal was nothing but a Palm Pilot app. Even back then, as the rules were still being written (Javascript was relatively new), you "program convenience on the client, validate everything no matter on the server".
Seems they never learned that.
I'm a programmer. I've written GUI code, I've written a device driver that shipped in a commercial UNIX kernel. I've used Windows since 3.1 days (WindowsForWorkgroupsForTheWin!). I've even debugged and configured Windows Vista in Chinese even though I can't read it - I was able to get someone to translate the occasional dialog box.
I can not understand Win8. When my sister asks me to help configure something on her Win8 laptop, I struggle with the UI as if I'm some rookie coming from some stoneage tribe.
I hate hate hate hate Windows 8.
They'll do anything to pick them up cheaply, even trade some unwanted Surface 3's for some!
Jokes aside (and please don't mod for flamebait, it's sarcasm above, downmod for a bad joke if anything) ...
I don't think will go much. You're assuming that someone values their $1000+ dollar MacBook Air at $650 and values the Surface at something worth the discount. Considering the amount of work you'd have to do to migrate (either Windows to Mac, or Mac to Windows) you have to think about 200-300 realistically for swapping costs. Makes good headlines (as we see here) but won't help much.
Isn't the banana population under serious threat because of monoculture? I remember the current banana cultivar - the Cavendish - is under threat because of lack of disease resistance because of monoculture. The previous well used cultivar, the Gros Michel, was replaced because it lost to a disease threat - also due to monoculture. The article didn't mention anything about plant disease resistance.
I swear this is not flame-bait, but this is one reason why i like the iOS model. Selective perms. Even there, Google apps ask for too much. I disable a lot (e.g. location and microphone for Google Search).
Google seems to not like this. If you don't have location turned on for Google Search, all of Google Now gets turned off, even for explicit things I ask for that they don't need my location for. I specifically asked for Bulls news (yes, I'm a masochist), you don't need to know where I am to show this. But Google doesn't show.
And even the old model wasn't all that good on Android. If I have an update, they'd ask for the new perms (not able to select any, it's all, or not update) or they give an option to delete the app. The implication is that you might as well push through the new perms, or delete the app as (nearly) useless.
Though this is a bit opinion based (as only any talk of where center is can be)... the Republican Party is already right of "center". It's all relative of course - the US Democratic party would most likely be Centre-Right in most other places.
This is kind of like the joke about morals. "I'm perfectly moral, anyone looser is a slut, anyone tighter is a prude, I just happen to be perfect". Both parties like to claim the Center, to be "real America". Forget center, let's worry about relative - Republicans are (almost always) Right of Democrats, and Tea Party Republicans farther Right still.
The Tea-Party wing isn't, by political science terms, "conservative". The proper term is Reactionary. They are moving from Right to much Farther Right. Conservative says "let's stay where we are". The Tea-Party is more "Let's go back to where we were before."
The Gold Standard? Generally accepted as unworkable during The Great Depression. It's cool in good times, causes horrible horrible spirals in bad times. Most countries moved off of it in the 1930's. We started then, and moved completely off in the 70's, Tea Partiers want to go back to that. The fact that the locked exchange rates of the Euro countries, which act as a mini-gold-standard, exacerbated and deepened a crisis there notwithstanding.
The New Deal? Trying to rollback a lot of it (though Republicans in general want to also).
Voting Rights? Attempted rollbacks. Though the rollbacks tend to hit minorities and poor people (who don't tend to vote Republican) more.
They claim to want to go back to the Constitution. Where women couldn't vote? Where a black man was defined as 3/5 of a white man? Very Reactionary. I'm in Chicago, which wasn't in the Union in 1783. Maybe as a Tea Party person, I'd really need to talk to the Algonquin Indian tribe for leadership. I'll make sure to find some nice French Canadians to trade furs with.
We live in a complex world. A lot of people want to pretend the complexity is just a screen, that it's a cloud inflicted by (assumed to be evil) men and that they can see the Truth, the Simplicity. These are the people who are voting Tea Party. Are they batshit? Dunno. But the world is complex. And if your model of the world is to ignore the complexity and pretend it's simple, you're going to want to pull the wrong levers, and you'll most likely cause some damage.
With the Snowden leaks, the NSA issues still roaming around, with the Supreme Court looking at Aereo, do you think that anything that affects national politics does NOT hit technology?
The joke is on us.
Climate change is occurring all over the coast, and we just elected people who essentially put their fingers in their ears and say LALALALALA.
Lotus developed a system like this in the 80's. Some production cars even made it to the street.
Maybe they didn't "lean in" .. but they could have. I remember reading a talk from an engineer from Nissan/Infiniti who said they did try the "lean in" back in the 90's, but it was too weird for most drivers.
I think there's a basic issue here, and that's of "what do I want to work on". This is a problem in any project - it's not limited to coding.
I'm sure GNUTLS is coded how many things are coded. Let's start with a framework, and hang dummy code on it. Say "hey we got here!" when we got a packet. Then you flesh that out, and do what you really should do when you get that. Hey, it works! Beers all around. Then later, you start thinking "hmm, how can this get abused" and you add checks.
But wait, before you think of how you can get broken, you're like "this code needs real functionality, let me work on this next". And the bounds checks never get coded.
I'm sure you've been on a project where you thought "I really should cross all the T's, dot all the I's here" then your boss says "it works good enough" and you never get around to making it bulletproof. Or you do the fun drywall project at home, and you already sanded with 150 grit, you just don't bother with the 300 grit.. it's good enough.
OpenSource doesn't mean it's not written by people, with peoples' quirks and issues.
The raw sockets deal - Windows added raw sockets, or more simply said the ability to manipulate Internet packets at a very low level. Mr Gibson acted as if the entire Internet was about to collapse. In theory it was a bit easier to make fake packets and try to mess with other computers, in practice malware that is embedded in the kernel could already do this, and the bad machines could only mess with poorly configured machines anyway. If you know networking, fake packets don't help TCP that much anyway, mostly fun to mess with UDP. There is a lot of damage you can do without raw sockets.
The knock against Steve on this wasn't so much the initial panic about raw sockets, but that he stuck to his guns once people explained how this wasn't a big deal. Either he Just Didn't Get It, or he wanted to fearmonger, or both. He sounded a bit chicken little here, and never really seemed to get why he was wrong.
Winders XP - Steve hates 8, fine, we all do. But instead of going to 7, for a long time he wanted to stick with XP. His reasoning, I don't go to any bad websites, I have a firewall, etc. This is shortsighted. Malware advertising on random ad networks is a big deal now, can Steve vet EVERY ad that he sees on the net? Can he vet that every website that he visits has never been pwned and had malware inserted? Can he vet that every machine on his LAN is clean? The worst thing is that he keeps talking about how he runs XP over and over on his podcast. He kind of implies "this is safe for me to do" but never really says "nobody else in their right mind should do this".
Assembly - for a long time he was crazy about assembly, kind of showing how cool he was by using it. I learned assembly/machine code from a book when I was in 7th grade or so. I think it's cool in theory to write some assembly code now. In practice I'd never use it for a real app. Why not? Partially because of time; most libraries and tools are for C or other higher-than-assembly-level languages - you'd need to reinvent a lot of wheels and hope you did them right. And partially for static checking tools which would have a much harder time with assembly checks.
Mr Gibson's podcast has some good factual info, but his opinions are occasionally off and sometimes even dangerous. It's like the story of the broken watch - a broken watch is right twice a day, but you'd need another watch to tell you when. Steve's right a lot of times, but you need to know enough already to know when he's not right, and when he's not right RUN.
#PlaysForSure
Can you imagine parsing a stack trace or equivalent from one of these? Each stack is different.
Ignoring the fact that Heisenbugs would be much more prevalent.
Part of programming is paring of states. The computer is an (effectively) infinite-state machine. When you add bounds and checks you're reducing the number of states. This would add a great deal, making bugs more prevalent. Since a lot of attacks are based on bugs, this may increase the likelihood of some attacks.
I've been on Slashdot too much, I read it as "10 Micro$softs of wasted time"
I saw those slides. There were 17 levels of #ifdefs in the code. Every ifdef is a binary switch, which means 2^17 different iterations of source code.(!!!!!) That's 131072 different compiles (!!!!!!).
So, let's pretend that a config/make sequence just needs 10 minutes (unlikely, they have an oddball config script that isn't like autoconf). To hit 17 levels of ifdef, you'd need approx 910 computer-days just to do all the compiles. Do you think they tested this matrix?
I hate to beat up on a bunch of people who did hard work for free, but they really did a bad job on a lot of things.
Add to that the "oh my god we gotta copy _____" about the new USB C connector. You can flip it, just like a Lightning connector. But yet another micro connector.
And don't get me started about the "full speed" "high speed" "Higher speed" mess that is 1.0 2.0 and 3.0 speeds.
I'm in Chicago, meaning Illinois.
A few years back, a cop got shot on a traffic stop. The driver pulled a gun, the cop couldn't see it, window tints. So, soon there was a state law saying no window tints, at least in front windows. That said, I see a lot of cars that have them, so not sure if the law is still on the books, or whether cops just ignore it. I'm sure if it's still on the books, it's not enforced equally black/white.
If you check the slides, there are a few areas that they failed hard on. I don't know if you're a C developer, but I've coded a bit, and the slides scared me a bit.
Yeah, there was the "cross platform" stuff. Do we really need EBCDIC support? There's a simple rule about code. If you can't test it, you should pull it. Do you have a machine you can test on? They had Win32 Winsock code, which is a special case. But all modern Windows computers have a Berkeley sockets type stack. This doesn't need special code, which means a lot less code to debug.
When the OpenSSL guys state (with some justification) that they have no resources, part of the problem is they waste it by having unused code paths. They'd save some testing time by having removed this code before.
But they also did "cross platform" it badly. They had their own printf, when printf has been done and safe for years. But just in case on some oddball platform, we have our own. They had 17 levels of nested #ifdef. If you don't know C, that's SCARY. There's no way you'd unwind that in your head, and there's near zero chance you'd be able to code a test plan for that. Why? Because you can think of #ifdef as a way of doing simple code modification... 17 levels deep of this type of modification is near impossible to think through and is nearly guaranteed for bugs.
Worst of all, in name of one platform, they came out with an oddball memory allocator. They added things to this allocator to the point where they couldn't run a normal one. Worse off? They got so used to BUGS in this allocator that they couldn't move off of it. And these bugs are directly related to the Heartbleed bug - it's a memory management bug. Instead of thinking "hey, we're doing a lot of weird stuff just for this odd platform" they made the decision "hey, let's go even deeper down the hole of bad code".
So, in name of "cross platform" they had many many design mistakes, including something that broke much of HTTPS. I wouldn't use "they were doing cross platform" as an excuse for their mistakes, because in this name, they had made much of their mistakes.
This wasn't in some text editor. This was in a piece of core crypto. The level of sloppiness allowed is zero.
The OpenBSD folks take their tone from Theo De Raadt, who generally is one of the ruder people out there. When I first heard the rants about OpenSSL, I was thinking "well, they didn't have to smack them down so hard." After reading the slides, I'm thinking "yeah, I'd rant that hard" though I don't have the same Forum as the LibreSSL guys have.
This is not a universal good. There is a cost to:
* Choice. Now I need to figure out which is better. This is why Amazon has reviews - choice makes things difficult.
* Diffusion of resources. Part of the reason OpenSSL was so bad was that this team had no money and no resources.
There are a lot of projects out there, forks for spite, forks for license religion, that are a waste of time and resources. "Oh ____ has a free software license, but it has slightly different focuses of types of freedom, therefore it's heresy. Hey, here's GNU____. We know you'll ignore the bugs/missing features, because FREEDOM"
Water in sufficient quantities is toxic. I don't even mean in the drowning sense, or the silly DiHydrogen Monoxide jokes, but if you have too much water, it can kill you.
Nitrogen also works this way. Nitrogen in air, normal pressure, is fine. Nitrogen under pressure can kill you.
Too much oxygen can make you space out.
There are a lot of things that follow this - if you think of normal doses of heat, or electricity, you're fine. If too much, you die. It doesn't take a lot of thinking to come up with examples.
Though I don't know the exact mechanism, I'd say to watch Apollo 13. Watch how much effort they put in to the CO2 scrubbers, to remove carbon dioxide from the air. They had sufficient oxygen, it was the CO2 levels that were too high. That's what was making them sick.