Slashdot Mirror


User: colfer

colfer's activity in the archive.

Stories: 0
Comments: 409

Comments · 409

  1. Re:Total bullshit on Firefox 30 Available, Firebug 2.0 Released · · Score: 1

    Classic Theme Restorer. Cheap, easy, no config.

  2. Re:This is so 1990s on Linux Mint 17 'Qiana' Released · · Score: 1

    Cinnamon or Mate?

  3. Re:wrong direction. on OpenSSL To Undergo Security Audit, Gets Cash For 2 Developers · · Score: 3, Insightful

    The big companies probably want more control over the project than LibreSSL will allow them. They've been burned once by relying on old-style Unix community dev. But it's also entirely their own fault for not funding and auditing the open source code they were building their billions on.

    Seems to me LibreSSL is the way to go, but I can also see why the corporations would just use it as a side-stream for hints on what to fix. They have enough resources to rewrite OpenSSL from the inside rather than the LibreSSL tear-down approach. Having both projects is really a benefit for LibreSSL as long as it gets sufficient interest and resources.

  4. Cox also competes with Verizon FiOS in several markets. This article says only 9%, last year: http://www.telecompetitor.com/...

  5. Re:You dont want a car completely reliant on the e on Did the Ignition Key Just Die? · · Score: 1

    The odometers did not even have a digit for 100,000. The rare car "turned over" back to zero. Title forms still have a check box for that. It's one thing the Car Talk guys were right about.

  6. Re:now I never looked into it on California City Considers Restarting Desalination Plant To Fight Drought · · Score: 1

    Some actual energy and costs figures are here:
    http://ccows.csumb.edu/wiki/in...
    (Concerns a different region in California, but has been put together well.)

    In the political battle in Santa Cruz last year, a key contention was that the proposed carbon offsets were not a real benefit to the environment.

  7. Re:Most Popular? on GNU Mailman 3 Enters Beta · · Score: 2

    MailChimp etc. are not mailing lists. They are one-way distribution lists. Mailman has to deal with replies to the group.

  8. Re:News: Not just webservers use OpenSSL! on Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions · · Score: 1

    In other words, you could not detect the bug by looking at "openssl version" at the shell prompt, or looking for the openssl version in phpinfo().

  9. Re:News: Not just webservers use OpenSSL! on Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions · · Score: 1

    Yes, LiteSpeed web server, a common drop-in replacement for Apache, had the bug even when the shell of a LAMP stack did not. LS patched it.

    If this bug had been in 0.9.8 the web would be in a real disaster now. Many web ISPs stay behind a few versions on the stack. I've got one that runs the oldest PHP version still in release. That's a bit extreme. So the bug hit more big companies.

  10. mixes special ed on Student Records Kids Who Bully Him, Then Gets Threatened With Wiretapping Charge · · Score: 3, Insightful

    The special ed kids with learning disabilities are mixed with the ones with behavioral/emotional disabilities in this school. In other words, people that get made fun of, and people that are a danger to them. Sheep and wolves. Must make the regular classrooms nice to remove both the slow learners and troublemakers.

    The same thing happens in homeless shelters, where it's hard to protect the defenselessly mentally ill from the bad guys. And prisons, where a lot of mentally ill people live due to the policies of our country.

    Another problem in this case is that the police and the judge are an extension of the school administration, and see themselves that way. Also, it is a small Western Pennsylvania school district surely dominated by athletics. Also, we don't know the full story. This could be the best school in the world, but I somehow doubt it.

  11. $1b corps on Apple's Spotty Record of Giving Back To the Tech Industry · · Score: 2

    They all need to be contributing to OpenSSL or a fork.

    In a typical year the OpenSSL project receives about US$2000 in donations.

    This week we have received roughly 200 donations totaling nearly
    US$3000. Amounts have ranged between $0.02 and $300, and I notice that
    some individuals have made multiple contributions.

    https://groups.google.com/foru...

    Security theater is sometimes more like security exhaustion.

  12. Re:Margeret Thatcher? on Why the IETF Isn't Working · · Score: 2

    Narayanan is agreeing with Thatcher by the way.

  13. Re:Whatever you may think ... on Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake · · Score: 1

    Clearly $billion corporations like Red Hat are going to spend more time auditing code commits, with or without lawsuits. Google found this bug and I wonder what kind of fork / NSS migration / whatever solution will emerge. NSS is from Mozilla, and Google revenue funds Mozilla.

    Maybe it will go as far as "OpenSSL considered harmful" and anything linked to it will be flagged. That would be too sensible.

  14. Re:Whatever you may think ... on Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake · · Score: 1

    NSS? I'm no expert, but wonder why it's not used more. Force of habit? License differences? http://www.gossamer-threads.co...

  15. Re:What I want to know is... on Heartbleed OpenSSL Vulnerability: A Technical Remediation · · Score: 1

    Here's a sad post from one year ago:

    Is it possible to ensure by a configuration parameter, that curl uses OpenSSL, and not NSS to retrieve https content? I need to ensure this, in order to enforce compliance with FIPS140-2, which RHEL6.2 has certified?

    http://stackoverflow.com/quest...

    By the way I know NSS does a lot of FIPS compliance, but part of the Heartbleed problem for the "normal" user is that it is hard to tell what openssl is linked into. We had it in our web server daemon even though shell "openssl version" showed a good version.

  16. Re:Reality Check. The sky is not falling. on Heartbleed OpenSSL Vulnerability: A Technical Remediation · · Score: 1

    This guy has retracted part of his analysis based on comments, but tries to make a case that passwords and cookies in the http headers are more likely to be exposed than keys. Remember, http-auth is still used a lot. http://blog.erratasec.com/2014...

  17. Re:Mountain out of a molehill on Heartbleed OpenSSL Vulnerability: A Technical Remediation · · Score: 1

    You were better off using non-SSL, unless you were on wireless or something easily snooped. I'm not aware http:80 servers have a little query that gets you memory dumps. Do I misunderstand?

  18. Re:BASIC is where M$ got its start on Born To RUN: Dartmouth Throwing BASIC a 50th B-Day Party · · Score: 1

    And if you haven't seen ASCII-art porn images come clacking out of a teletype with a phone-cradle modem to a time-sharing computer, then you weren't there (thankfully perhaps). http://en.wikipedia.org/wiki/T...

    Briefly I had to deal with compiled programs on decks of IBM cards. BASIC was much nicer for a student doing small programs because it was interpreted and you could fix it as you went along (in memory). Those card decks looked cool on Hawaii Five-0, but one syntax mistake in a COBOL or Fortran program and you had to wait another two hours to get your homework done.

  19. Re:BASIC is where M$ got its start on Born To RUN: Dartmouth Throwing BASIC a 50th B-Day Party · · Score: 1

    Line numbers were great. You could add line 15 at any time!

    But M$ gave us BAT files, which are terrible.

  20. He's done it before. on Five-Year-Old Uncovers Xbox One Login Flaw · · Score: 1

    From TFA:

    It's not the first time Kristoffer has flashed his tech skills.
    “He’s figured out vulnerabilities 3 or 4 times,” said Davies.
    At age 1, Kristoffer got past the toddler lock screen on a cell phone by holding down the home key.

  21. Amazon mysteries on Amazon's Fire TV: Is It Worth Game Developers' Time? · · Score: 3, Interesting

    Amazon's primary interest in this device *seems* to be to drive sales on Amazon Instant, not to serve as a general purpose streamer like Roku (though it does that too). There's some confusion in the business press about what Amazon is up to, but this is a likely guess. It doesn't want to be reliant on Roku, ChromeCast, Sony, etc., and would like to have a sticky ecosystem like Apple.

    The other theory is that Amazon believes users will prefer it as a premium branded product, again like Apple. The product does not need to compete with Roku on price, in that case, but does need to compete on features.

  22. Re:No on Some Mozilla Employees Demand New CEO Step Down · · Score: 1

    I think most of the work is done by Mozilla's own paid engineers, except on community projects like Seamonkey and, now, Thunderbird. I could be wrong.

  23. Re:I don't entirely disagree on $30K Worth of Multimeters Must Be Destroyed Because They're Yellow · · Score: 1

    If you're going to buy cheapo electronic parts, you should buy a decent multimeter for testing.

  24. How many megapixels is enough? on Camera Module Problems May Delay Samsung's Galaxy S5 · · Score: 1

    These are photographs, not telescopic images of the universe. How many megapixels does a camera phone need? Are people going to be sending me the full pictures and then I have to spend time reducing them to a reasonable size?

  25. Re:Give It Ten Years on Up To 1000 NIH Investigators Dropped Out Last Year · · Score: 1

    Where is this magical place you think the Social Security Administration should have been saving your contributions? In the stock market? Cubes of cash? Mutual funds? Maybe something safer? Treasury bonds? Well, that's what they did.