Slashdot Mirror


User: dwheeler

dwheeler's activity in the archive.

Stories: 0
Comments: 525

Comments · 525

  1. Contract clauses that forbid benchmark publication (unless the vendor likes them) are called DeWitt clauses. The clause was originally created to squelch database research being performed by Dr. David DeWitt. These should be illegal, but Oracle certainly rigorously enforces them. There was a law passed in 2016 that prevented similar problems for Yelp, but DeWitt clauses haven't been struck down yet (and should be). See my post, "The DeWitt clause’s censorship should be illegal" by David A. Wheeler (2017-06-25): https://www.dwheeler.com/essay...

  2. Re:google maps does not even line up right in chin on China Blocks Foreign Companies From Mapping Its Roads for Self-Driving Cars (thedrive.com) · Score: 2, Informative

    China indeed forces geographic data to be "off" a little bit compared to the rest of the world. For more information, see: https://en.wikipedia.org/wiki/... in particular the discussion on the GCJ-02 datum (colloquially Mars Coordinates).

  3. No, that amendment died in conference on Pentagon To Make a Big Push Toward Open-Source Software Next Year (theverge.com) · Score: 5, Informative

    Won't happen, that amendment died in the conference reconciliation. The merged version does have an open source software pilot, but that's it: Section 875: (a) DoD shall “initiate the open source software pilot program” (b) NLT 60 days enactment of this Act, the SECDEF shall “provide a report to Congress with details of the plan of the Department of Defense to implement the pilot program required by subsection (a).”

  4. #1 problem: Lack of education on Why Do Web Developers Keep Making The Same Mistakes? (hpe.com) · Score: 1

    The #1 problem is lack of education. A large number of software developers have had no formal training in software development. Almost all who HAVE had formal education don't receive any education or training in how to develop SECURE software.

    I teach a graduate course at George Mason University (GMU) on how to design and implement secure software. So there are people who are learning, but there are many more to go.

    For the most part, countering the OWASP top 10 doesn't cost more, so cost has nothing to do with it. At the high end of security requirements it definitely costs more, but stuff like parameterized statements (countering SQL injection) and using web frameworks that automatically counter XSS injection don't cost any more.
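    The comment above mentions parameterized statements as a zero-cost counter to SQL injection. The following is an added illustration, not code from the comment's author or from any project named on this page: it builds a throwaway in-memory SQLite table with constructed sample rows, runs the same lookup both by string concatenation and by bound parameter, and reports what each returns. All table, column and row names are constructed for the example.

```python
import sqlite3


def make_db():
    """Build an in-memory table with constructed sample rows (not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("o'brien", "obrien@example.invalid"),  # legitimate name containing a quote
        ],
    )
    return conn


def lookup_concatenated(conn, name):
    """VULNERABLE: the caller's string is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """HARDENED: the value is bound to a placeholder; the statement text never changes."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and return what each produced.

    The concatenated version either over-matches (when the input closes the
    quote and adds its own condition) or breaks outright (when a legitimate
    value happens to contain a quote); the parameterized version does neither.
    """
    conn = make_db()
    try:
        unsafe = lookup_concatenated(conn, name)
    except sqlite3.Error as exc:
        unsafe = "error: " + type(exc).__name__
    safe = lookup_parameterized(conn, name)
    return {"concatenated": unsafe, "parameterized": safe}


if __name__ == "__main__":
    # Constructed probe values: an ordinary name, a name with an apostrophe,
    # and the textbook tautology that turns a lookup into "select everything".
    for probe in ["alice", "o'brien", "x' OR '1'='1"]:
        print(repr(probe), compare(probe))
```

    The apostrophe case is the practical argument for parameterization even before security enters the picture: the concatenated query cannot handle a perfectly valid name, while the bound-parameter query treats every input as data and nothing else.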

  5. This is about third party software, not esp. OSS on Companies Overlook Risks in Open Source Software, Survey Finds (betanews.com) · Score: 1

    This isn't about open source software, or "compliance" regarding open source software. This is about failing to do timely security updates of reused third-party software. It doesn't matter if it's open source software or not. If you use third-party software, you need to update that software when a security update happens, and you have to do it BEFORE an attacker exploits it. This has been necessary for decades. Haven't you ever updated an operating system because a vulnerability was found in it? Of course you have. If you reuse software, and you embed it in something you use or deploy, then you need to update when the reused software has a security vulnerability. One advantage of open source software today is that there are tools that make it easier to monitor and update. But you still have to be prepared for security updates. You can do this by monitoring updates, using package managers to let you easily update, having automated tests so you can verify that the update is okay, and by having a deployment system so you can send out your update. All of this is available. Check out this video for an example: https://www.youtube.com/watch?... . If you don't keep your software patched in a timely way, you get p0wned. That's how it works. That's ALWAYS been how it works.
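    The comment above describes the loop a practitioner needs for reused third-party code: monitor advisories, compare them against what you actually ship, and update. The following is an added example, not code from the comment's author or from any tool the comment links to: it parses a constructed requirements-style pin file, checks each pin against a constructed advisory list (the package names and advisory ids are invented for the example), and renders the updated pin file. Version comparison is a plain numeric-tuple compare, which is enough for the dotted versions used here.

```python
# Constructed sample lockfile; package names are invented for this example.
PINNED_DEPENDENCIES = """
# requirements.txt-style pins (constructed example)
webframework==2.3.1
jsonparser==1.0.4
imagelib==4.7.0
tlswrapper==0.9.2
"""

# Constructed advisory feed; ids and ranges are invented for this example.
# "introduced" is the first affected version (None = all earlier versions),
# "fixed_in" is the first version that carries the fix.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "jsonparser", "introduced": None, "fixed_in": "1.0.5"},
    {"id": "ADV-EXAMPLE-002", "package": "imagelib", "introduced": None, "fixed_in": "4.7.0"},
    {"id": "ADV-EXAMPLE-003", "package": "tlswrapper", "introduced": "0.9.0", "fixed_in": "1.0.0"},
    # Introduced after the pinned version: the pin is not in the affected range.
    {"id": "ADV-EXAMPLE-004", "package": "webframework", "introduced": "2.4.0", "fixed_in": "2.4.2"},
]


def parse_version(text):
    """Turn '1.0.5' into (1, 0, 5) so tuple comparison orders versions numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_pins(text):
    """Read 'name==version' lines, ignoring comments and blank lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError("unpinned or malformed line: " + raw)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(pinned, advisory):
    """Affected when introduced <= pinned < fixed_in."""
    pinned_v = parse_version(pinned)
    if advisory["introduced"] is not None and pinned_v < parse_version(advisory["introduced"]):
        return False
    return pinned_v < parse_version(advisory["fixed_in"])


def find_outdated(pins, advisories):
    """Return one finding per advisory whose affected range contains our pin."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue  # we don't ship this package
        if is_affected(pinned, adv):
            findings.append({
                "package": adv["package"],
                "pinned": pinned,
                "fixed_in": adv["fixed_in"],
                "advisory": adv["id"],
            })
    return findings


def render_updated(pins, findings):
    """Produce a new pin file with every affected package bumped to its fixed version."""
    bumps = {f["package"].lower(): f["fixed_in"] for f in findings}
    lines = ["# pins regenerated after advisory check"]
    for name, version in pins.items():
        lines.append(name + "==" + bumps.get(name, version))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pins = parse_pins(PINNED_DEPENDENCIES)
    for f in find_outdated(pins, ADVISORIES):
        print(f["advisory"], f["package"], f["pinned"], "->", f["fixed_in"])
    print(render_updated(pins, find_outdated(pins, ADVISORIES)))
```

    The regenerated pin file is what feeds the rest of the loop the comment describes: commit it, let the automated tests confirm the bump is harmless, and let the deployment system ship it. In a real pipeline the advisory list would come from a vulnerability feed rather than a literal in the script.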

  6. E-mail is not that hard to define on Judge Dismisses 'Inventor of Email' Lawsuit Against Techdirt (arstechnica.com) · Score: 1

    "E-mail" is not a hard term to define. It's just "electronic mail". You can split email into "local on one computer" and "distributed across a network", since those were created separately, but it really isn't that complicated. There really is something called "truth", it'd be nice to acknowledge that sometimes.

  7. Re:Malignant narcissist upset, news at 11. on Running For Congress, Brianna Wu Criticizes The FBI's GamerGate Report (venturebeat.com) · Score: 1

    Nazi Germany was not a "Christian nation". Nazi leaders like Joseph Goebbels, Martin Bormann, and Heinrich Himmler saw the kirchenkampf campaign against the Churches as high priority, and anti-church and anticlerical sentiments were strong among the grassroots party activists. The Nazi propaganda minister, Joseph Goebbels, said that there was "an insoluble opposition between the Christian and a heroic-German world view". Hitler's chosen deputy, Martin Bormann, advised Nazi officials in 1941 that "National Socialism and Christianity are irreconcilable."

  8. There ought to be a law on DHS Warns of Mirai Botnet Threat To Cellular Modems (securityledger.com) · Score: 1

    We can't solve all problems with laws, but some laws could reduce the problem. Here are some ideas: http://www.dwheeler.com/essays...

  9. This is an old idea, see Plato's "Allegory of the Cave".

  10. Huh? Most are software exploits on Software Exploits Aren't Needed To Hack Most Organizations (darkreading.com) · Score: 1

    Their argument mostly disproves their claim. I agree that security is much more than eliminating software exploits, but at least 3 of their "top" 5 examples ARE software exploits (because of either a fault in the implementation or in its spec).

    1. abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks
    The software should prevent bad passwords by default, but for the sake of argument I'll grant them that one.

    2. broadcast name resolution poisoning (like WPAD) -- 64%
    That's a software exploit. If your protocol is vulnerable to poisoning, your protocol has a problem.

    3. local admin password attacks (pass-the-hash attacks) -- 61%
    Software exploit. Hashes are supposed to *not* be equivalent to the password they were derived from. This is a well-known software exploit.

    4. attacks on cleartext passwords in memory (like those using Mimikatz) -- 59%
    If an untrusted program can see cleartext passwords in memory, there's a software exploit, they're not supposed to do that.

    5. insufficient network segmentation -- 52%
    Okay, that's not a software exploit.

    So #5 is not a software exploit, #1 is arguably not a software exploit (though it suggests a software problem), and the rest (#2, #3, #4) are software exploits (there's a software vulnerability in the protocol or its implementation). I would agree with them that security is much more than software, but software has an important role to play. The *REASON* that #2, #3, and #4 are problems is because people weren't paying enough attention to security.

  11. You mean "unlimited rights" not "unlimited use rights". Once the government has unlimited rights it can release the software as open source software. For more details, see my paper "Publicly Releasing Open Source Software Developed for the U.S. Government" by David A. Wheeler, Software Tech News, Volume: 14 Number: 1 - DoD and Open Source Software. https://www.csiac.org/journal-...

  12. 'Open Source Software' has reasonable definition on White House Releases Federal Source Code Policy To Help Government Agencies Go Open Source (whitehouse.gov) · Score: 1

    I don't think that "open source software" has been significantly redefined. Here's the definition of Open Source Software in this memo: "Software that can be accessed, used, modified, and shared by anyone. OSS is often distributed under licenses that comply with the definition of "Open Source" provided by the Open Source Initiative (https://opensource.org/osd) and/or that meet the definition of "Free Software" provided by the Free Software Foundation (https://www.gnu.org/philosophy/free-sw.html)." That's a little laxer than I'd prefer, but it seems reasonable enough.

  13. Not so. It's true that the policy focuses more on sharing within the federal government, but it also specifically requires that at least 20% of the code be shared with the public as OSS. It's a start.

  14. Mobile sites more secure than social apps on Facebook Nixes Access To Chats Outside Of Messenger Walled Garden (arstechnica.co.uk) · Score: 4, Insightful

    Mobile sites tend to be far more secure for users than social apps (you can say "privacy" instead if you want, though many people don't understand the difference). Most social apps, like this one, want total ownership of your phone - and therefore they own you. They demand access to your microphone, camera, location, contact list, and everything else. Big Brother never got so much data. In contrast, the websites don't get access to all that stuff. Facebook doesn't pay me enough to completely give up all my privacy.

  15. But Internet is *NOT* generic on Internet, Web Enjoy One Final Day As Proper Nouns (go.com) · Score: 2

    Tom Kent falsely claims that, "The argument for lowercasing Internet is that it has become wholly generic, like electricity and the telephone." Here's a thought experiment: I'll create a few disconnected networks, interconnect them, but *not* to the Internet. By definition, any set of interconnected networks is an internet (but not *the* Internet). Then I'll sell a service that lets people access my internet... which lacks Google, Wikipedia, and many other things. I bet he'll suddenly find that "the Internet" is *NOT* generic - it is a *specific* set of interconnected networks, which has a proper name. Governments still routinely create interconnected networks that use TCP/IP, but do *NOT* connect to the Internet - especially when security is critical. AP may be unaware of this, but it's still true. Upper/lower casing in the end isn't THAT critical. The REAL problem is that too many reporters do not understand what they're reporting about, nor do they check their sources to find out. The difference between "Internet" and "internet" has been documented for decades. Failure to understand, and failure to check sources, is the REAL problem here.

  16. How about... on Lenovo: Motorola Acquisition 'Did Not Meet Expectations' (theverge.com) · Score: 2

    I think a lot of Android users would like a phone that (1) gets security updates in a timely way, (2) has reasonably current features, (3) is generally trustworthy, and (4) isn't force-loaded with lots of uninstallable crapware. Android is a nice OS, but a lot of the smartphone manufacturers seem to assume that users don't care about these things.

  17. Please post "% days safe to use the phone" on Google Steps Up Pressure on Partners Tardy in Updating Android (bloomberg.com) · Score: 1

    I think a great measure would be the percent (or number) of days in the year where there were no publicly-known unfixed vulnerabilities. Many phones still have Stagefright vulnerabilities - there were changes that fixed some Stagefright vulnerabilities, but NOT all of them, and thus the phones are still vulnerable.

  18. Non-binding treaty? Wake me up later. on Earth Day: 175 Nations Sign Historic Paris Climate Deal (usatoday.com) · Score: 2, Insightful

    Wake me up later when something important happens. The fine article says: "The non-binding treaty, approved in Paris in December after years of U.N. climate negotiations, aims to slow the rise of greenhouse gases, such as carbon dioxide, blamed for putting Earth on a dangerous warming path." A "non-binding treaty" doesn't actually do anything, other than create photo opportunities.

  19. Speed reading is awesome on Slashdot Asks: What's Your View On Speed Reading? · Score: 1

    Speed reading is awesome, but there's more than one speed. There's at least "speed with full comprehension", and "skimming to get the gist". I strongly recommend training yourself, over time, to increase both speeds. You CAN'T do this all at once, but you can train your brain to recognize words more quickly. I used a training device so that I could recognize individual words more quickly, and that really helps you to read more quickly with full comprehension. Basically, as your brain gets faster recognizing individual words, you'll naturally read faster with full comprehension. (You should also know how to sound out unfamiliar words, but familiar words should be recognized quickly.) When you're skimming to get the gist, it's more about strategy - figuring out what parts of the text you need to read first (in most technical documents you read the abstract carefully, then skim the conclusions, then skim the introduction if it looks like it might be useful).

    I also recommend training listening speed. I listen to lots of podcasts, and I've slowly increased my listening speed by +10% over time. I can now listen to podcasts, with full comprehension, at 2x through 2.5x (depending on the original speed of the speakers).

    Your brain can be trained to do things more quickly, but you have to train it. It's worth it.

  20. Microkernel on Rust-Based Redox OS Devs Slam Linux, Unix, GPL · Score: 2

    Redox is based on a microkernel: http://www.redox-os.org/book/b... They seem to be emphasizing a very small number of system calls, and making "everything a URL" (instead of everything a file): http://www.redox-os.org/book/b... I'm skeptical this will get very far, but let 'em try!

  21. He has a point on Infamous French Hacker Calls Internet a "Digital Shantytown" (medium.com) · Score: 2

    I think he has a point. Most people (especially non-technical people) primarily only post and interact with others using sites owned by strangers (typically big companies). Just look at the URLs - is the domain owned by someone other than the poster? If it is, then that other organization decides what you can do or not do. I've long owned my own domain, and I can post what I please on my website. If I want to move sites, I can just move hosting organization - the URLs come with me, because I own the domain. I don't think the problem is the existence of big companies at all - the problem is the difficulty of exiting. I don't mind others hosting my material as long as I can leave. If you can't practically leave, then you're no longer in control. Currently it's impractical to always own the domain, but even in those cases, it's worth considering the exit cost. For example, git makes it *easier* to move to other hosting organizations (though by no means trivial).

  22. Good thing computers can't do that? on Amazon Wants To Replace Passwords With Selfies and Videos (thestack.com) · Score: 1

    It's a good thing that computers can't make lifelike images and that no pictures of people are on the Internet. Oh, wait, those assumptions might not be true. Look, all authentication systems have weaknesses, but this one seems designed to be trivial to circumvent. Ugh.

  23. That is an awesome summary on Amazon Wants To Replace Passwords With Selfies and Videos (thestack.com) · Score: 1

    That is an awesome summary. I just put that in slide set 1 of graduate class materials on developing secure software: http://www.dwheeler.com/secure...

  24. Re:Why stay? on Some Root For a Tech Comeuppance In San Francisco · Score: 5, Insightful

    because you people made it illegal for teachers to live in your area

    Strawman. No one made it illegal to be a teacher (or fireman or whatever), and no one made anyone take that job either. If it's too expensive to live in SF as a teacher or fireman, then teachers and firemen start to disappear. If they are important, then their local salaries will get raised until they stop disappearing. That's how economics works.

    Now clearly this causes lots of undesirable dislocations. But the fundamental problem here, as far as I can tell, is that SF's government appears to have discouraged building new housing, and been depending on mechanisms like rent controls which have KNOWN serious problems. You can pretend economics doesn't matter, but it does, and it causes lots of easily predictable effects. The SF city government appears to have let a problem fester, with (again) predictable consequences. It is entirely appropriate to be sympathetic to the many people harmed by the SF government's bad policies. Yes, they need help, and I think they SHOULD get help. But part of that help needs to be acknowledging that ignoring economics doesn't work.

  25. No right to $500 rent in SF on Some Root For a Tech Comeuppance In San Francisco · Score: 5, Insightful

    We're talking past each other; let me try again. No one is saying, "you may not live in SF". Anyone can live in SF, as long as you can pay for it. The problem is that SF housing costs more than many can afford. There's no human right to $500/month rents in SF. You may believe that it's good policy, and that's a different question. I suspect that SF has a long history of pretending that economics don't apply to its housing, based on the little I've read about it.