Because this is a witch-hunt by people who think the Eich thing was a witch-hunt and not about a CEO being appointed who had demonstrated appalling interpersonal skills.
Flamebait is not about "saying things to get people pissed off"! Flamebait is about intentionally trolling to incite a response.
Urgh, I think the confusion here is that Slashdot has both Flamebait and Troll mods. In practice, almost every post that's legitimately moderated a Troll is also a Flamebait, and vice-versa.
I agree the original post is an example of both. It invents a strawman designed to demonize both those with concerns about Eich and also homosexuals and, one assumes, the liberal side of Congress, all together. It's not written in good faith, it exists purely to get people riled up, either defensive about their own position or attacking people for a view point they almost certainly don't have.
Right. Instead of a remotely-exploitable information leak, it's most probably reduced to (at worst) a low-grade denial-of-service attack caused by crashing HTTPS server processes no faster than they can respawn.
...but only on operating systems/platforms with a hardened malloc() that has been configured to use the hardening.
At the risk of re-opening old wounds, if what you liked about 1.4 was that it was quite configurable, you probably didn't like it!
A genuinely good rule to come out of the UI research world is that you shouldn't have to spend 30 minutes setting up your desktop to have something usable and comfortable out of the box. 1.x failed because they delivered something that "looked good" (in a 2000 version of GNOME 3 type way) out of the box but whose usability was abysmal.
I genuinely liked GNOME 2.x. Yes, some power options weren't there, but 99% of users would never have found them. In practice, the defaults made for a great desktop. Ubuntu in the GNOME 2 era was easily the second best OS in terms of usability after Mac OS X, way ahead of Windows at the time (even more so now I guess!)
GNOME 3? That's kinda where we got what GNOME 1 advocates would say was the worst of all worlds, no configurability and a garbage UI that's looks over substance. But look closer: they're repeating the same mistakes as GNOME 1 again. The default desktop is horrible. But their solution to it is to make it the world's most configurable desktop by adding lots of scripting and plug-ins to the mix. True, you don't have check boxes any more, but instead you have libraries of plugins you can use instead. Oh yay!!!
Is anyone happy about it? By rights, those who think GNOME originally peaked at 1.4 should be overjoyed. In theory, you now have more configurability than ever before!
In practice, it's a bad design, it's not what people want, you can kinda sorta get used to it and then you might be almost as productive as you were before, but in practice, the defaults need scrubbing and the realization needs to set in that WIMP interfaces standardized on most user elements and most shell elements for a reason. Windows 95 onwards, Mac OS 1.x onwards, AmigaOS Workbench 1.x onwards, GEM 1.x (not 2.x but only because of lawsuits), TOS, GNOME 2, et al, all implement essentially the same user interface with minor, not major, tweaks. Other than GNOME, the only platform to try to break this has been Windows with Windows 8, and look how that turned out.
We don't need more configurability. We need a UI that isn't crappy to begin with.
All of which seems to be off-topic. It looks like the GNOME Foundation's money woes actually have to do with overspending on a women's outreach program. Which is embarrassing and I suspect will feed the anti-PC mob that's gathering around Tech right now, even though the issue is with overspending, not on having the program in the first place. *sigh*
I don't know about that. His supporters probably go with a default assumption of "He won't", his opponents probably go with a default assumption of "He will", this is pretty much a statement making it clear both should quit it with their knee jerk assumptions.
...which ironically makes it a relatively honest statement. I guess you can be honest if you're saying nothing!
Yeah. It's a big patch. I started looking through it when it came out and while I noticed bugs (there's a "convert integer to string" call in there that uses a variable - fortunately the integer involved - that hasn't been initialized yet - "n2s(p, payload);") nothing I saw before realizing it was way more work than I'd expected jumped out at me as the actual security flaw here.
(Not saying I'm on board with Rice at Dropbox, just answering the question) Rice brings to the board the same thing all other ex-high-government-officials bring to a board: connections.
The part that interests me is why Dropbox has suddenly felt it needs government connections. It might be, ironically, that the Snowden revelations mean Dropbox suddenly feels it (and other Internet companies that handle confidential data) needs more clout in Washington, and needs to find better ways to fight off government intrusion into their clients' personal data.
If so, Rice is a highly amusing choice of person to organize such a lobbying effort.
An operating system is more than a kernel, and additionally the same kernel may run on different CPUs, so no, just because two computers share the same kernel doesn't mean the same apps will run on them.
Look at, for example, a Linux based OS like Ubuntu vs a similar Linux based OS like WHAT_YOUR_ROUTER_RUNS for an obvious example! (Was tempted to use Android as the example, but I believe Android uses some customizations to the Linux kernel that make it not-quite-Linux-kernel-though-from-a-developers-standpoint-youd-never-know)
FWIW, that's a misreading of Theo's (and others') comments.
The failure to use the system malloc() was not the underlying issue. In most operating systems, the Heartbleed bug would have been implemented even if OpenSSL used the system malloc().
The issue was more that the system malloc() in OpenBSD (and some other operating systems) has been hardened so that, when passed various flags, it'll either zero out the block first before returning it (like calloc()) or in OpenBSD's case it'll actually mark the pages using the MMU in such a way that if the block is read before written to it'll cause the application reading the block to crash.
As a result, IF OpenSSL had used the system malloc() then two things would have happened. First, the bug would have slightly more likely been discovered (if exploited, and if someone was religiously watching what was happening to the Apache child processes on their OpenBSD server.)
Second, regardless of whether the bug would have been discovered, OpenBSD servers wouldn't have been compromised.
That's it.
The bug itself had to do with allowing a mismatch between the amount of data sent and the amount retransmitted in what's essentially an echo command that TLS implements. A hardened malloc() would make it impossible to exploit that, but OpenSSL would still have a bug even with one, just one that couldn't (probably, maybe, perhaps) be used to get confidential data.
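The mismatch described in the comment above, as an added example that is not part of the original comment and is not OpenSSL's code: a simplified RFC 6520 heartbeat handler run against a constructed, reused memory block, showing the unchecked length with and without calloc()-style zeroing, and then with the bounds check. The arena, the secret string and every function name here are assumptions made for the demonstration, and the reply omits padding for brevity.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520 requires at least 16 padding bytes */
#define ARENA_SIZE   256
#define SECRET       "PRIVATE-KEY-MATERIAL"   /* constructed stale data */
#define SECRET_OFF   32

/* Constructed stand-in for a heap block that gets reused (not a real allocator). */
static uint8_t arena[ARENA_SIZE];

/* An earlier user of the block stored a secret and released it without wiping. */
static void arena_leave_stale_secret(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena + SECRET_OFF, SECRET, strlen(SECRET));
}

/* Hand the block out again; zero_on_alloc models the calloc()-like hardening. */
static uint8_t *arena_alloc(int zero_on_alloc) {
    if (zero_on_alloc)
        memset(arena, 0, sizeof arena);
    return arena;
}

/* Echo a heartbeat request. Returns the reply length, or 0 if the record is
 * discarded. check_bounds = 0 reproduces the sent/claimed length mismatch. */
static size_t heartbeat_reply(const uint8_t *rec, size_t rec_len, int check_bounds,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* sender-controlled */
    /* The fix: type + length + payload + padding must fit in what arrived. */
    if (check_bounds && 1 + 2 + claimed + HB_PADDING > rec_len)
        return 0;
    /* out_cap equals ARENA_SIZE, so this also keeps the demo's over-read inside
     * the arena and the program itself well defined. */
    if (3 + claimed > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);   /* copies 'claimed' bytes, not 'sent' */
    return 3 + claimed;
}

struct result { size_t reply_len; int leaked_secret; };

/* Receive one constructed request: 4 payload bytes sent, 'claimed' declared. */
static struct result run_case(int zero_on_alloc, int check_bounds, uint16_t claimed) {
    uint8_t out[ARENA_SIZE];
    struct result r = {0, 0};
    arena_leave_stale_secret();
    uint8_t *rec = arena_alloc(zero_on_alloc);
    const size_t rec_len = 3 + 4 + HB_PADDING;   /* bytes actually received */
    memset(rec, 0, rec_len);
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + 3, "ping", 4);
    r.reply_len = heartbeat_reply(rec, rec_len, check_bounds, out, sizeof out);
    if (r.reply_len >= SECRET_OFF + strlen(SECRET))
        r.leaked_secret = memcmp(out + SECRET_OFF, SECRET, strlen(SECRET)) == 0;
    return r;
}

int main(void) {
    struct result a = run_case(0, 0, 64);   /* no hardening, no check */
    struct result b = run_case(1, 0, 64);   /* zeroing allocator, no check */
    struct result c = run_case(0, 1, 64);   /* bounds check, oversized claim */
    struct result d = run_case(0, 1, 4);    /* bounds check, honest request */
    printf("unchecked, stale block:  len=%zu leaked=%d\n", a.reply_len, a.leaked_secret);
    printf("unchecked, zeroed block: len=%zu leaked=%d\n", b.reply_len, b.leaked_secret);
    printf("checked, oversized:      len=%zu leaked=%d\n", c.reply_len, c.leaked_secret);
    printf("checked, honest:         len=%zu leaked=%d\n", d.reply_len, d.leaked_secret);
    return 0;
}
```

The zeroed-block case still returns 67 bytes for a 4-byte payload, which is the comment's point that the bug remains even when the allocator keeps stale data out of the reply.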
He said that, but is that what happened? Were OpenSSL's developers aware that malloc()/free() have special security concerns that OpenBSD's developers had specifically addressed (I assume that's what's meant by "a conscious decision to turn off last-line-of-defense-security")?
I understand Theo's point, to a certain degree I kinda understand it, but I'm more inclined to feel the problem is with OpenSSL's developers clearly not understanding the security concerns about malloc(). That is, if they were aware that OpenBSD's malloc() contained code to ensure against data leakage, it would seem to me to be highly probable they would have implemented the same deal in OpenSSL given, you know, their entire point is security. The fact they didn't makes me think they didn't know OpenBSD's malloc() had these measures in the first place.
Should they have done? And how should they have known? Genuine question, and finger pointing would be inappropriate right now: how do we make sure that certain security strategies and issues are as well known as, say, stack pointer issues are today?
The discussion is about discrimination and not oppression. You can be discriminated against without being oppressed.
FWIW, given there's no default $2500 being given to anyone right now, it's more the case that this is an example of some people being discriminated for rather than against, but that's nit picking ;-)
But we're full circle and regardless of whether the word "kidnapping" is generic enough, I believe we see eye to eye on the point I was trying to make (my self confidence right now is zero about my ability to impart ideas, for good reasons.) The issue isn't discrimination, it's the context. We treat it as shorthand for "bad discrimination", but enabling someone or some group to overcome burdens that apply to them and them alone isn't not a case of bad discrimination.
You missed out wages. And the fact the job in question can't be something that one gender would automatically be suitable for. Both of those were major parts of my post, but I guess nobody seems to understand anything I write these days (just look at the Brendan Eich "debate" where pretty much everyone who responded to me acted as if I'd said the exact opposite of what I actually said) so I guess it's worth repeating.
If men are a genuine minority in the exotic dancing field (because there are far, far more female strippers than male) would you say that the industry is discriminatory, and that there should be subsidies for men who want to get into that field?
No, I wouldn't, because it's not an economically significant occupation that carries with it prestige and a good salary. It's also more open to question whether it can be opened up, given that the sexual nature of the occupation means particular bodily (including gender, but also including age, size, weight, etc) attributes are likely to be more in demand and likely to ensure the continued survival of that industry.
The two aren't really comparable for a lot of reasons. If programming was underpaid, and if there was something about programming that meant it would be considerably economically less valuable if women were involved, then I'd agree it'd be a good question. But the economic power that comes with high quality jobs means that the focus on gender equality is always going to focus on opening up that type of work, not on crappier work.
For much the same reason, there's no massive movement to open up construction work to more women too.
Not sure what idea you think came from me, but the AC BMO was replying to posited this: "All this does is give women more opportunities than men without addressing the actual issues: Why women apparently feel unable or unwilling to following a career in the computing fields".
BMO was rather obviously trying to answer the implied question (that needs to be solved if the issues are to be addressed) "Why (are) women apparently (...) unable or unwilling to following a career in the computing fields".
There certainly is a kind of asshole culture here. I'm as guilty of it as most, I'd guess. Whether that's the problem is open to question, although a certain amount of the assholedom from a loud but hopefully small minority does seem to be focussed on protecting the status quo and that can't help any current outsider feel welcomed.
It might be worth determining why "sex discrimination" is an issue, and seeing whether the concept is a problem in this case for the same underlying problems, rather than simply jumping on it and implying it's wrong because it's discrimination.
In particular, we are NOT in a situation where men/boys feel they're unable, or that it's undesirable, to follow a career in the computing fields, and the policy above doesn't and will not change that. Should that change, should men genuinely end up being excluded and unable to enter a legitimate career field like this one, then we obviously need to re-examine the policies in question.
We often say "X is wrong" as shorthand for "X, when done with the effect of Y, is wrong". We say, for example, that kidnapping is wrong. That doesn't stop us from non-consensually grabbing suspected kidnappers off the street, handcuffing them, stuffing them in the back seat of a police car, and after following a lengthy legal process to make sure we got the right person, sticking them in an 8x8 cell they can't escape from. How is that not kidnapping? Well, it is kidnapping, but it's considered acceptable for a reason...
Witch-hunts tend to get the wrong people.
This. Absolutely this. Finally someone gets it!
Personally I find stupidity a turn-off.
I don't think you're making the case you think you're making ;-)
...fruit flies like bananas. I stand corrected.
ERs are not free healthcare, just healthcare without a credit check. They're incredibly expensive.
You also can't get long term healthcare from them, they're called Emergency Rooms for a reason. Cancer is not an emergency...
I must be a masochist because I just posted the same point of view again, but based upon your comment and the sibling post, have avoided the term "hate group" and focussed on the actual actions of the Prop 8 group itself. Maybe it'll get a more sane reaction.
Thanks
I know I'll be modded down again but:
Well, no, because that's not really a position of hate now is it? She's haggling over the meaning of the term "marriage" but ultimately is in favor of same sex couples to have the same rights that heterosexual couples have. She states it twice, "I don't ever want anybody to be denied rights within our country" and "perhaps we will decide that there needs to be some way for people to express their desire to live together through civil union" in the four sentence position you quote. Yes, many gay activists would be upset that Rice seems unwilling to recognize the significance of the term "marriage" in this case, but most would at least understand she's not trying to deny them actual legal rights or rights of association.
In addition, regarding the concerns with Eich: Eich didn't merely donate money to some generic pro-Prop 8 group, the Prop 8 group itself was broadcasting ads before and after Eich donated to them describing homosexuals and homosexual marriage as dangerous to children.
And Eich pointedly didn't back down from that position - that homosexuals are dangerous to children - when it became public knowledge he'd made those donations to fund ads saying just that despite claiming to have noted the pain it was causing to people around him.
Regardless of your views on gay marriage, Eich co-funded some extremely nasty propaganda and handled the revelations that he did so extremely badly. As such, it was reasonable for us to question his judgement, honesty, respect, and management skills, and ask why he was supposedly a good person to trust with the role of CEO.
Rice? Uh... well, judgement, honesty... you'll have to look elsewhere for a sign she's deficient in those areas, although to be honest, I don't think you'll have far to go Iraq.
No, because it's atypical.
Ouch. Serious ouch. Thank you. That suggests that the situation is considerably worse than De Raadt said.
This is HP we're talking about, I'm pretty sure none of their executives have been human since Carly Fiorina...
Help! Help! I'm being oppressed!