Slashdot Mirror


User: Nightshade

Nightshade's activity in the archive.

Stories: 0
Comments: 39

Comments · 39

  1. Re:PolarSSL on OpenBSD Team Cleaning Up OpenSSL · · Score: 2

    Yes, openssl is a piece of junk that is far too widely used. Polarssl looks nice and especially interesting is the version that was mathematically proven to be immune to a whole bunch of CWEs: http://trust-in-soft.com/polar...

    But for OpenBSD they can't use polarssl since it's gnu licensed. The sad thing is polarssl was originally called xyssl and xyssl was originally BSD licensed. If only OpenBSD would start with the final xyssl codebase and replace OpenSSL with that...

  2. Re:Mail me diffs please? on Interview: Ask Theo de Raadt What You Will · · Score: 1

    while not official, there's a semi-live conversion of the cvs tree to git. This has what you need: http://anoncvs.estpak.ee/cgi-b...

  3. Re:why are security fixes distributed as patches? on Interview: Ask Theo de Raadt What You Will · · Score: 1

    See BinpatchNG from m:tier. They've solved what you're asking for.

  4. South Africa on Interview: Ask Theo de Raadt What You Will · · Score: 1

    Theo, you left South Africa at the age of 9. Do you have any connection to the country? Have you been back? Do you think of yourself as a South African or a Canadian? Do you speak any Afrikaans? Places like Cape Town are beautiful and hike-worthy. I believe you enjoy hiking so was wondering if you've ever been back there for hiking.

    Also, it is interesting that there are so many South Africans in tech. Elon Musk (Tesla), Mark Shuttleworth (Ubuntu), etc. Do you feel any connections to them due to a common heritage?

  5. Re:Wait, wait , WAIT a moment. on OpenBSD Looking At Funding Shortfall In 2014 · · Score: 3, Interesting

    I tried to do the math on this too. First of all, I'm not sure if the number is 20,000 USD or CAD (Since OpenBSD is based in Canada not the US). Next up is the fact that many of the machines are older non x86 machines that are not power efficient. For example when the SGI/AlphaStations/VAX/SparcStations were produced, focus was on MHz not power utilization. Finally, I think the project might use some type of uninterruptible power supply (UPS) as well as network switches, etc.

    So by your math you're looking at CAD 20,000 = EUR 13,500 which at EUR 0.20 per kWh would buy you 67500 kWh = 7.7 kWh.

    Now the project supports about 20 architectures. And there are dedicated machines used to build the base system and dedicated machines used to build ports so at least 2 of each machine. On top of that there's probably an NFS server to host the source code, some UPS, network switches, etc, etc. So say about 50 machines total.

    So 7.7kWh / 50 machines gets you to 154 watts per machine. I do believe they are on 24x7 as there are daily builds for many architectures, etc, etc. 150 watts is not unreasonable power consumption in my opinion.

  6. Re:It's a shame... on OpenBSD Looking At Funding Shortfall In 2014 · · Score: 2

    That's not quite right. Netflix utilizes FreeBSD heavily. See: https://signup.netflix.com/openconnect/software

  7. very misleading on The Last GUADEC? · · Score: 1

    Take a closer look at the google trends data. If you click on the "qt" tab you actually see that most of the searches are related to "qt syndrome" or "long qt". these are medical conditions and have nothing to do with UI toolkits. if you click on the "gtk" or "gnome" tab, the search terms are all related to UI toolkits.

    Perhaps it's not something specific to gtk/gnome, but maybe all the toolkits including qt are in decline. Either due to smartphones/mobile or ubuntu's unity or something else.

  8. just like BSD on Fedora Project Developer Proposes Layered, More Agile Design to Distribution · · Score: 1

    So they're basically "reinventing" how BSD does things? They even blatantly copied an OpenBSD image for this presentation...

    (Compare slide 13 from the presentation with OpenBSD 4.9 art)

    In all seriousness though, it's a pretty good plan. Everyone knows that BSD means real engineering while Linux is "just a hobby, won't be big and professional"

  9. nothing new here, please move along... on Are You Sure This Is the Source Code? · · Score: 1

    Even if you have the source, it doesn't mean you can confirm what the binary is doing. See the classic "Trusting Trust" attack which is decades old. In my experience the most common reason for binaries that are not reproducible is due to build timestamps being embedded into the binary. For example, the ar command added the D flag in the past few years exactly for the purpose of being able to output reproducible results. (see the man page at http://linux.die.net/man/1/ar) It's true that reproducible binaries are probably a good thing from a security standpoint, but in practice it can be a lot of work to make sure the build produces these. And even then, as Thompson showed, that doesn't always guarantee that what you see is what you get.

  10. Re:Open Source License on Most Projects On GitHub Aren't Open Source Licensed · · Score: -1, Troll

    +1

  11. simple really on FTC Offers $50,000 For Best Way To Stop Robocalls · · Score: 1

    answer all calls with a robo-answerer... no one uses phones anymore, all communication now happens on facebook/twitter.

  12. this is nonsense on What's Wrong With American Ninja Warrior? · · Score: 2

    This show is great, your complaints are silly.

    So next you'll complain about having an American version of iron chef? Go back to watching reruns of Takeshi's Castle...

  13. Re:Wuala + Dropbox on Ask Slashdot: How Do You Securely Store Private Information For Posterity? · · Score: 1

    hi, go read the links again. i think they speak for themselves; it doesn't matter to me if you have a different view of things. frankly this is getting away from the question that was asked so this is the last i have to add here.

  14. Re:If RPGs have taught me anything... on Ask Slashdot: How Do You Securely Store Private Information For Posterity? · · Score: 1

    definitely. in the non-rpg world this is known as Secret Sharing. See http://en.wikipedia.org/wiki/Secret_sharing

  15. Re:Wuala + Dropbox on Ask Slashdot: How Do You Securely Store Private Information For Posterity? · · Score: 1, Informative

    lastpass was definitely hacked. even the ceo admits usernames and encrypted passwords could have been taken: http://www.pcworld.com/article/227268/lastpass_ceo_explains_possible_hack.html

    having encrypted passwords plus at least some people choosing weak passwords plus rainbow tables or other brute force tools is a recipe for some people's accounts to be compromised.

  16. Re:Wuala + Dropbox on Ask Slashdot: How Do You Securely Store Private Information For Posterity? · · Score: 5, Insightful

    um... no. cloud vendors can disappear without notice in which case you're out of luck. lastpass was hacked last year so that isn't the safest choice either. see http://lifehacker.com/5799036/the-best-password-utilities-that-dont-store-your-data-in-the-cloud so this is a real problem. the fact that you're thinking about this means you're planning which is like better than probably 80% of people out there. so what i would do is come up with something that works for you and have your spouse/next of kin actually try to follow the agreed procedure without you around and have them report back on problem areas. a lot of businesses have disaster recovery plans which they try to play out once or twice a year. trying it definitely finds some problem areas.

  17. Re:No expert but... on Ask Slashdot: Post-Quantum Asymmetric Key Exchange? · · Score: 1

    see the comment above on the 1978 cryptosystem...

  18. what's old is new again on Ask Slashdot: Post-Quantum Asymmetric Key Exchange? · · Score: 4, Informative

    This 1978 crypto is supposed to be safe against quantum computers: http://www.technologyreview.com/blog/arxiv/25629/ (if that's the specific angle you're worried about). The downside is the key management because the keys have to be really really long (i.e. 20,000+ characters vs having a memorable password or passphrase that you'd be able to use today).

  19. Re:Wow! KDE 3.5 and Gnome 2.3 .... on OpenBSD 5.0 Unleashed On the World · · Score: 2

    They're actually far ahead in some areas. WiFi is a breeze to set up compared to some Linux distros. And they really do aim for extremely high standards (i.e. POSIX) compliance. The other area that's outstanding is the documentation. Most *commercial* products don't have the level of quality the openbsd documentation has.

  20. Re:Wow! KDE 3.5 and Gnome 2.3 .... on OpenBSD 5.0 Unleashed On the World · · Score: 1

    I use OpenBSD for everything from online banking and web surfing with Chrome to playing games, to watching youtube and viewing PDFs and my photo collection. About the only desktop activity I can't do on OpenBSD is use Wine for windows emulation which isn't supported and probably never will be. But in a pinch they have qemu which I keep meaning to try out because unfortunately I still need to use MS Office for work. And I use gnome which very closely follows the latest releases. KDE is another story and is quite far behind but there's been a recent effort to finally get it updated and maybe the next release will have some of that work included.

  21. no idea what he's talking about on Lennart Poettering: BSD Isn't Relevant Anymore · · Score: 1

    i use OpenBSD on *all* my laptops. these are not servers. they are desktops with gnome/chrome browser/etc. find it works really great. i don't know if he's just making stuff up sight unseen or he's actually tried using one of the BSDs.

  22. rsnapshot on Volume Shadow Copy For Linux? · · Score: 1

    Have you looked at rsnapshot?

    It's based on this article:
    http://www.mikerubel.org/computers/rsync_snapshots/

  23. Re:DreamHost on Things To Look For In a Web Hosting Company? · · Score: 1

    i definitely second dreamhost. They had a bit of a screwup with billing a while back (search the web), but it was quickly reversed. And as the other person said, i haven't had any problems and what they give you for the money is great.

    another good choice if you want a dedicated server and have a bit more to spend is m5hosting. they let you pretty much pick your OS of choice (*BSD or the main Linux distros) and give you root access. their customer service is also fantastic.

  24. anti-patterns on After Learning Java Syntax, What Next? · · Score: 2, Insightful

    The best stuff to read after you think you've got the basics are anti-patterns which show you what not to do. A lot of that stuff can be quite eye opening to read. One of the best books on that topic is Effective Java by Joshua Bloch. Also, search the web for sites like this one: http://www.odi.ch/prog/design/newbies.php

    Also, not a book per se, but if you do write some code it's possible to learn more by analyzing the code with tools like findbugs which will show you a list of things wrong with your code. Even professional programmers can learn something from these kinds of tools.

  25. i don't buy it on Are All Bugs Shallow? Questioning Linus's Law · · Score: 1

    his argument is also wrong. he's assuming that just because developers are *paid* they are more productive than unpaid developers. how do you know that paid developers are not surfing the web all day? i just don't buy this at all...