Well if you say you used "mathematics", it must be true....
/s
If you don't think people should have the right to bear arms, then at least have the balls to advocate repealing the 2nd amendment, rather than just rewording it to make it useless. The last thing we need is do-nothing laws creating more opportunities for our nation's wealth to be wasted on lawyers.
I personally think the 2nd amendment should be changed, *because* it's clear to me that the 2nd amendment refers to the individual's right to own weapons. I think we should have laws that control ownership of weapons, but I don't see how this is constitutional.
I feel like democrats and republicans can agree that we shouldn't allow anybody to have a nuclear weapon.
Once changing the 2nd amendment is on the table, all this BS about militias is irrelevant. We don't need a constitutional amendment protecting the right of states to arm their own national guard, or to protect the right of national guard members to own guns. Obviously the national guard is going to have guns. If all the government needs to do to seize their guns is discharge them from the national guard, military, or fire them from being a police officer, etc., then there is no right to bear arms.
This would be the equivalent of changing the first amendment to protect the freedom of speech that was approved by the government. If you were going to do that, you may as well just remove it.
Having +$10,000 while in school (i.e. rather than debt) is actually pretty good.
Yeah that makes a lot of sense. Lend someone hundreds of thousands of dollars for the golden opportunity of making a whopping $100. Good luck convincing anybody, much less banks, to go along with this.
But that's the kind of logic I expect from someone who thinks gay marriage and legal sex between adults and children (i.e. what NAMBLA wants) are comparable.
From wikipedia:
A millionaire (originally and sometimes still millionnaire) is an individual whose net worth or wealth is equal to or exceeds one million units of currency.
I am a software developer with 9+ years experience. I bought a house at the end of 2011 for $570K and Zillow says it's worth $695K now. In 27 years, I think it's pretty likely I will be a millionaire due to inflation and paying off my house.
And a million monkeys will eventually type out the complete works of Shakespeare.
If you had enough monkeys (or more suitably random typers), enough time, and enough energy, you would eventually get the complete works of Shakespeare.
As Dan Dennett said about philosopher's syndrome:
mistaking a failure of imagination for an insight into necessity.
Open source is no more (or less) perfect than closed source at a fundamental level. Bugs are introduced in both. The difference is that once found, open source has more eyes looking to try to fix it.
If that was the only benefit, then open source would be pretty useless. Once you find a bug, fixing it is usually pretty trivial. Heartbleed for example was just a simple buffer overflow and pretty much everyone came up with the same immediate solution.
OK fine. It would not be possible if you did not have access to the source code. It is true that you can buy access to the source from some closed source software. But the fact that you are choosing software based on whether you are able to access the source code, I would argue is a point in favor of open source software rather than closed source proprietary software (the vast majority of which you can not buy source code access).
My point is that we cannot say something is (or has been) compromised unless we have concrete evidence of the compromise in hand. We can't just say, in the abstract, "everything's compromised" simply on the basis of the assumption that all software is fatally flawed.
I certainly don't think so either, but I don't use the definition of "compromised" that almitydave suggested.
Even if you didn't know anything about the architecture of OpenSSL, you'd probably be able to spot Heartbleed if you knew about buffer overflow bugs. Even if you didn't know about buffer overflow bugs, a static code analysis tool would have probably caught this bug, as buffer overflows are fairly easily caught in this way.
7 billion * 0.001% = 70,000. There I just did it.
After two years in the wild. And apparently *not* by eyeballs on source code. Proprietary or open seems irrelevant to this discovery.
“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.”
Given the simplicity of this bug, it's not hard to imagine what the source code for the bug looked like given the behavior. It is also not hard to imagine that upon discovering the unexpected results, the bug was confirmed by looking at the source code. Maybe for this bug, looking at the source code was just a confirmation of what they already knew. For many other bugs, looking at the source code is necessary to efficiently figure out what the code is actually doing.
I'm not saying that this exact bug was found because it was in open source code. I am saying that it is not hard to imagine how a bug like this would be easier to find in open source software than closed source software.
At my company we use open source software libraries for our commercial products. When we find anomalies, we are actually able to figure out if bugs are in our own software or in the open source libraries we use. In fact, we actually run static analysis tools on every piece of open source software that we use because we care about the security of our own applications. We don't use OpenSSL, but if we did, we may have actually found this bug. That wouldn't be possible if the source was closed.
It isn't a matter of "every single bug in a piece of open source software". This is a hugely deployed piece of open source security software, and you would expect that if the "many eyes" thing were indeed true then this is exactly the place it would be demonstrated, yet what we have here is one of the most widely deployed critical security bugs ever. This isn't a condemnation of open source in any way, just of the misguided vocal advocates that pad their arguments with falsehoods rather than focussing on the real advantages of open source (like the speed at which bugs like this can be patched).
And the bug was found by people who were not the developers, but rather people using the software. This is unlike bugs which are not as widely deployed, and are far less likely to ever be found.
I know such claims have always been false and this is just more proof of it at the most prominent and non-theoretical level, so I'm not quite sure what your point is. This alone didn't disprove the claim, it just added more proof (and at an extremely high visibility) that the claim is false.
My point is that nothing about this situation is any kind of failing of open source software if you had realistic expectations to begin with. There was a really bad bug that was introduced into a widely distributed piece of open source software and after a few years, some people found it and it's now getting fixed.
This is like asking "In the USA, am I free to get married to whoever I want?", and then complaining that you were lied to because Angelina Jolie didn't want to marry you.
In the same way that it was (maybe incorrectly) assumed the person who wanted to get married to "whoever he wanted" was really asking "Am I prevented from marrying anyone that I want provided they also want to marry me?"...
It is also common to assume that when someone says "Anyone can verify open source software to be secure and non-malicious", they are saying "No one is prevented from verifying open source software", rather than "Anyone (regardless of their software engineering ability) will find every single bug in a piece of open source software."
If you thought that it was claimed that every piece of open source software was bug free (contingent upon being "verified" as such), I'm sorry to tell you that you were misinformed.
Not only is open source not able to be verified with 100% certainty, it is impossible to prove that software in general (open or closed) is bug free, as a corollary to Alan Turing's proof that no solution exists to the halting problem.
Is your point that it's good that this hole was noticed or bad that it was noticed?
Even if 99% of bugs are found by the developers, why wouldn't you want that last 1% that is found by random people? I've found bugs in libraries for software that I was using. I'm sure lots of developers do this every once in a while.
But how many FOSS projects really have diligent review of all their code by anything like that many people? For many projects, getting a change accepted requires only the approval of one or two others. Activities like the current detailed review of TrueCrypt are the exception, not the rule.
A lot of the bugs are caught well after the code is accepted. People sometimes just randomly spot things. The probability is low, but over enough time and with enough eyeballs, you catch bugs this way.
I was trying to hunt down a bug in my own code and ended up catching a bug in motif once. This was only possible because the source was open. I don't think this is such a rare occurrence. Even if 1 in 10 programmers spots 1 bug in open source software in their life, that's like hundreds of thousands if not millions of bugs being found, that otherwise wouldn't have been.
If you really want a dramatic improvement in catching these kinds of bugs and you've already got a respectable code review process in place, you'd probably do better by considering complementary strategies instead of pursuing ever diminishing returns from throwing more people into the same informal code review process.
We definitely should be throwing people at the open source code. But having code be open, isn't throwing anybody at the code. It is just making it available to people who already want to look at it.
Choose safer programming languages that don't admit certain kinds of programmer error in the first place. Employ formal methods to make sure the underlying algorithms are sound. Adopt different testing strategies.
Yeah all that stuff. No one is saying that open source is the *only* way to find bugs.
Many eyeballs may make bugs shallower, but those many eyeballs don't really exist. Source availability does not translate to many people examining that source. People, myself included, may like to build and install packages, but that's it.
There are 7 billion people in the world. It doesn't take a large percentage of people to look at the code for there to be a large number (i.e. larger than the number that would have looked at the code if it were closed).
I don't look through open source code very frequently, but I stumbled upon a bug in openmotif and submitted a fix. This was not possible before motif was open sourced.
What we need are intelligent bots to constantly trawl source repositories looking for bugs. People just don't have the time any more.
We have software that analyzes source code for common programming errors of the sort that Heartbleed was. These tools can simply be integrated into the build, so that you get a warning when you introduce a potential bug and try to compile it.
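Added example, not OpenSSL's code or anything posted in this thread: a parser for a length-prefixed record that applies the bounds check whose absence the comments above call a simple buffer overflow, so that a peer's declared payload length is only trusted once it has been compared with the bytes actually received. The record layout (type, 2-byte big-endian length, payload, at least 16 bytes of padding) is modelled on the TLS heartbeat message, and the function names and sample records are the example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Record layout assumed for this example (modelled on the TLS heartbeat
   message): 1 byte type | 2 bytes big-endian payload length | payload |
   at least 16 bytes of padding. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

enum hb_status { HB_BAD_LENGTH = -1, HB_TOO_SHORT = -2, HB_NO_ROOM = -3 };

/* Parse one record and copy its payload into out.
   Returns the payload length on success, or a negative hb_status.
   The comparison of `declared` against `rec_len` is the check that a
   Heartbleed-style over-read lacks: without it, memcpy would read
   `declared` bytes past the end of a short record. */
int hb_parse(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    /* Header plus mandatory padding must be present before anything else. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;

    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* Declared payload must fit in the bytes actually received, after
       reserving the header and the padding the format requires. */
    if (declared > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_BAD_LENGTH;

    /* The destination buffer is bounded as well, not just the source. */
    if (declared > out_cap)
        return HB_NO_ROOM;

    memcpy(out, rec + HB_HEADER_LEN, declared);
    return (int)declared;
}

/* Constructed sample: a well-formed record carrying the 5-byte payload
   "hello" followed by 16 bytes of zero padding (24 bytes in total). */
int demo_well_formed(uint8_t *out, size_t out_cap)
{
    uint8_t rec[HB_HEADER_LEN + 5 + HB_MIN_PADDING] =
        {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    return hb_parse(rec, sizeof rec, out, out_cap);
}

/* Constructed sample: the same 24 bytes on the wire, but the header
   claims a 65535-byte payload. The parser must refuse to copy anything. */
int demo_overclaimed(uint8_t *out, size_t out_cap)
{
    uint8_t rec[HB_HEADER_LEN + 5 + HB_MIN_PADDING] =
        {0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};
    return hb_parse(rec, sizeof rec, out, out_cap);
}
```

Compiling test builds with `-Wall -Wextra -fsanitize=address` (gcc or clang) is one way to get the build-integrated warning the comment describes: a parser that lacks the check above trips AddressSanitizer on the over-claimed record the first time a test feeds it one.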
How many people actually know how to read code?
A lot.
Just because it's open doesn't mean that it's comprehensible.
It makes it comprehensible to *more* people.
And therefore, the fact that the code is open and out there doesn't have that much of an advantage, particularly when it's such complex code.
The code at the center of Heartbleed was not complex at all. It's just that no one noticed it.
The claim was never "All bugs will be found before being used if software is open source". The claim was merely that it is more likely for a bug in open source software to be found (i.e. by either good guys or bad guys), and that this is a good thing overall.
OK so if you are using "compromise" to mean "Every SSL session in the past 2 years was potentially vulnerable to danger", then I guess that's true in the sense that almost every computer is compromised since there are probably many unnoticed security holes in just about every OS and commonly used library.
The problem here is that people have been using the argument that Open Source is better because these issues can't happen "because" of the visibility.
The visibility doesn't make it so bugs don't exist. It makes them more likely to be found. This one existed and was found.
And the argument "Open Source is inherently safer" has been very heavily damaged by Heartbleed and now ranks up there with "Macs don't get viruses" and "Women are worse drivers".
The argument "seatbelts make riding in a car safer" is not "heavily damaged" by someone dying in a car accident while wearing a seatbelt.
Imagine this code was closed source. What's the desired outcome? That hackers never stumble upon the bug and it goes unnoticed forever, and therefore never needs to be fixed?
There is plenty of evidence for the effectiveness of good code reviews, but most of it shows rapidly diminishing returns with the number of reviewers.
To me this is an argument *for* open source software. It *takes* LOTS of eyes to catch bugs, *because* there are diminishing returns from adding more code reviewers. It is only by having hundreds or thousands of them that you can hope to catch those ones that would otherwise go unnoticed.
By the time you've had more than four or five people take a look, the difference in effectiveness from adding more barely even registers, unless one of the additional reviewers has some sort of unique perspective or expertise that makes them not like the others.
And one easy way to have a diverse group of code reviewers is to have a lot of them.
Given that almost every major FOSS system software project has had its share of security bugs, there is really very little evidence to support Raymond's claim at all.
Every piece of software of any reasonable size has security bugs. The fact that we know about them is because someone found them, which is exactly what is supposed to happen.
What about offering a job to men to be on a men's football team?
Is it illegal to run a gym that only allows women as customers? My wife goes to such a gym.