I should point out that "we don't know of any dire consequences" suggests both "alright, git'r done" and "whoa, let's look at this carefully before we act."
Standards don't benefit anybody except web developers.
This is the foundation of your failure to understand.
If you can't see how fragmentation impacts more than the people who build the websites, you are shortsighted. If you don't see how Microsoft's incompatibility is a matter of their choice, you are blind.
The fact that you started your career writing "actual software" may be what's got you confused. The web is basically a single platform. It's not a proliferation of distinct operating systems that require ports. Microsoft intentionally creates and allows/maintains incompatibilities for the sake of vendor lock-in. (Netscape did this, too. I don't just hate on MS.) That's self-serving, needless infliction of wide-scale inefficiency. You don't get that this adds up? The people who pay for websites pay more and get less. The people who use websites and web apps end up paying through a variety of inconveniences and at times complete breakage to the point of being unusable. The people who were locked into using IE suffered more downtime and cost us more in support. The overall loss in human productivity has not been limited to web developers, hello. Glasses.
Take a look here:
IE1 - 1995-08 -...
IE2 - 1995-11 - 03 mos.
IE3 - 1996-08 - 09 mos.
IE4 - 1997-09 - 13 mos.
IE5 - 1999-03 - 18 mos.
IE6 - 2001-08 - 29 mos.
IE7 - 2006-10 - 62 mos. == The Great Languish
IE8 - 2009-05 - 31 mos.
Try correlating that period, 2001-08 through 2006-10, with what's going on this graph. Microsoft only cared about bettering their browser as much as it helped them maintain control. If you weren't fed up with IE6's impact on you and everyone else for the first half decade of this millenium, you weren't paying attention. No, that behavior was not "...Ok?" It was bullshit and I'm not lying down to take more of it.
Anyway, I don't think there's any convincing you and other battered wives like you that Microsoft's embrance-and-extend behavior is something requiring opposition. You seem to have the dog pack mentality that believes domination is equal to righteousness. And you call the needless extra work QA, but you fail to understand what you're actually doing is grovelling compliantly with your multi-browser ports and hacks. You enable Microsoft. I'd love it if you figured out what was going on then stood up and pushed back some. I suppose being antagonistic with you only serves me to feel better for a moment as I vent my anger rather than actually gives you space to think the matter through. I call you a jackass because of your belligerent and harmful ignorance, but that only sets you up to resist these ideas rather than to be ready to see their merits. My mistake. You're still a fool, but it's a disservice to us all that I failed to take a tack with you that stood some chance of helping you be enlightened rather than entrench you in your idiocy. I guess I'm just talking to myself at this point. No hard feelings!
I'm just glad that Microsoft's dominance is quickly coming to an end in the browser market, as you can tell by the right side of that graph. I'll continue to work to hasten it, and to hasten broader compatibility. Evidently by the rise of Firefox et al. there are enough people working towards this end even if there's some number out there who think like you. I hope your attitude of enabling another Great Languish is ineffectual. No hard feelings, but please don't try to convince anyone that IE is a good choice, thanks.
Humanity's got enough problems. Needless inefficiency is needless. I imagine your more fundamental misunderstanding is regarding the concept of independence. I hope the current financial crisis is driving home for
You obviously fail to understand the gravity of the situation. Does the web seem like a trivial thing to you? Are you one of those people who says "oh, it's just another thing on the Internet -- no need to take it seriously"?
You think that it's okay to pain "a very, very small percentage of the population" with compatibility problems? I guess you wouldn't give a damn about sewer system engineers or transportation system engineers or power grid engineers either, eh? That's pretty idiotic myopia.
"Yeah, you're suffering. Big deal, there aren't many of you. Just relax." Fuck that.
If you'd been following along you'd have noticed the 5 year languish of IE6. Microsoft dominated the market using its distribution and then just stopped. "Tada! The World-Wide Web! Let it rot." What, you never had to clean up a friend's IE6-spyware-infested machine? Only when their dominance was threatened did they rouse themselves to make any changes. And now you think "they're making a good try here at fixing the problems"? And you're ready to take what they serve you? You trust these guys? The same purveyors of stagnation?
The self-serving protocol pollution and dominance games of Microsoft are only half the problem. You are the other half. Ignorant users (and developers) who fail to see the importance of standards and who are either virtual amnesiacs about Microsoft's track record of standards subversion or are just acting like battered wives.
What happens with standards and the web is pretty damn important. Get some glasses, jackass.
Try to push things towards using a single standard so that move towards "write once, run everywhere".
Hinder further fragmentation of the code you have to write. The two major versions of IE already complicate things unnecessarily, so discourage adoption of IE8 every chance you get.
Internet Explorer is lame.
When you think about it, you realize it's true. Generally the cool kids aren't into IE.
Please don't encourage yet another browser we'll all have to support.
If your job depends on addressing the market, then write to standards (test in Firefox and Safari and Opera) and IE7/IE6. That's where the market's at right now.
If your boss says you should anticipate IE8, point them to this graph and this graph. Tell them your anticipation is that IE8 will add work without adding substantial market benefit. You can put off IE8 support until it proves it can achieve the same penetration as IE7.
I guess you think what I wrote was crap. Specifically anything? Look, that's a problem with nebulous emotional thinking. It doesn't address specifics well enough to make any headway. So, please try to be specific.
I think it's great you came up with a scenario, though. I find that that's a wonderful way to mull over ideas. (Remember, get specific, though, in your analyses. "Feels wrong!" is a useful first pass, but getting stuck there and acting out from such a position is a bane to civilization. Don't be a bane.)
Did you choose 3 months because you thought it was relevant to the discussion of embryos that's the focus here, or did you maybe hope to do some sleight of hand to slip things further into unclear territory? Supposedly EEG signs begin to occur at around 12 weeks.
Look, despite the vitriol I've got for obnoxious ignorance, the truth is that I care about the well being of all sentience. I want you not to hurt, I want cats and dogs not to hurt, I want even criminals not to hurt. That last bit probably doesn't jibe with your mentality, but it probably jibes with that Jesus hippy's mentality. Anyway, I am not opposed to forcing a stop to misbehavior, though I prefer alternatives.
The scenario you offer is complex, and I'm guessing you don't care to have a sincere discussion. I'll let you do the heavy lifting of disentangling all the specific issues and then I'll address each of them in turn. How's that? I expect, however, that you will be unable to discern the components, let alone be willing to work towards anything except promoting your agenda.
Off the cuff that's kind of compelling, and maybe deserves a fair shake. I say we look a little more closely.
I think the attempted analogy would rather have us thinking about something like 70% of all humans dying unnaturally. If that were the stat I think maybe we wouldn't be aghast at a few unnatural deaths. (And we should probably look at the differences between "unnatural death" and "murder". I think not all unnatural deaths are murder, unless that's how you're defining "unnatural death".)
And an embryo really isn't a "breathing" human. And not all life seems sacred to detractors of stem cell research, so "living" doesn't count for much (to them). Not even all human life seems sacred. And taking it a step further, not even all conscious human life is sacred to typical opponents.
Still.
These things may not be real arguments one way or another, so I shouldn't be so misleading by quashing the parent's argument, tossing ad hominem barbs, and leaving it at that. The issues here really are very complex and subtle.
Longevity of sentience is one thing. Likelihood of death by various means another. The actual experience of sentiences yet another (what's called "quality of life"). The potential for sentience is yet another.
Outrage at an embryo being destroyed because of the destruction's effect on the potential sentience of a child is only a step from outrage at each ovum failing to be fertilized, at condoms being used, or even at people not having procreative sex in the first place. Potential doesn't only begin at fertilization. I think that boundary is a convenient simplicity where folks can alight their truer feelings. My guess is it's about personal feelings of helplessness. There, I said it. Right-to-Lifers (anti-choicers) are projecting their existential grief and their impotence amid fearful chaos. Life's not so bad, quit being so scared. While we're at it, quit being such xenophobes, not all strangers are evil.
Anyway, quit confusing egg fertilization with innocent sentience. That's dumb.
As I said, though, the matter is subtle and complex. I don't have a good understanding of it. I struggle with concepts like the following: How is potential sentience from an embryo ethically different from the potential sentience of an adult in suspended animation? My intuition has me feeling they're very different, that the adult in suspended animation is more valuable. Makes me think the likelihoods of outcomes are relevant. But, there, am I not guilty of the same kind of intuitive, emotional, pre-rational thinking that I'm ascribing to dumb fear-for-lifers? To some degree, yes. But, no, not substantially. I am openly admitting my uncertainty and seeking to understand better. I am a few steps ahead because I understand and admit more details about the ethical complexities of the situation, whether they bolster my preferred outcome. I am aware of the influence of biases, so I seek to know my own biases and their influence. In contrast, the fear-for-lifers I am familiar with are motivated to assuage their pathological feelings, not to understand. They bring reason along only as a tool in service of their biases. I would sooner trust the intuition of a humbly uncertain person with a manifestly shrewder grasp driven by curiosity and truth. And even then I would temper any action based on that intuition proportionately with the intuition's vagueness and the moral severity of the matter.
So my action at this point is further philosophical meditation rather than obnoxious campaigning. That and slamming ignorant zealots who should be acting similarly. Shut the fuck up.
You make it sound like this is the rarest thing in the world. It a solid and substantial vulnerability.
I don't mean to make it sound like the "rarest thing in the world". But I wouldn't expect maybe a single Slashdotter to be in this position. Otherwise, please note my comment here.
Oh, that's what you mean by "complete denial". I thought you meant denial as in
Denial is a defense mechanism postulated by Sigmund Freud, in which a person is faced with a fact that is too uncomfortable to accept and rejects it instead, insisting that it is not true despite what may be overwhelming evidence.
I didn't realize you meant it in the simple sense of "to state that something is not true".
But maybe you actually do mean the defense mechanism version? I guess then that there would have to be overwhelming evidence. Do you see it as likely or possible that qpopd would be given 4 GB of (even virtual) memory? I'm not familiar with how it's normally run. Anyone?
What about the disingenuous part? Is that also for denying the feasibility of the vulnerability scenario? I take it you think he really believes it's a feasible vuln and he's not being honest about it?
Well, yes, the bug is a very big deal for certain implementations. Though counting per installation they may be rare, the extent of their effect is quite great.
I expect it would be fairly trivial for these sites to update (though this is highly dependent). Or was trivial, as I imagine they've already done it.
Considering the extent, your find is of great value. Thanks. Considering the uniqueness of your find and the renown of the software, this is historic. Congratulations.
And I hear you were responsible in your disclosure. If that's the case, then thanks very much for that too.
This is very interesting. The idea of patching when harmless though not necessary has some appeal to me, as a ward against future problems as you say, but something doesn't seem quite right about it.
It's unlikely that I'll forget "The djbdns Bug", but more relevantly I don't anticipate accidentally implementing service of delegated subdomains.
As I'm very interested in knowing the truth of claims regarding Bernstein's misbehavior, it would help me very much if you could point to specific quotes or actions of his that show "complete denial" and being "disingenuous". Thanks!
The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky's patch and requested to accept my apologies.
He's apologizing. How's that for forthright behavior? He's not being evasive. He's not pointing fingers. He's owning up to personal error, and expressing what appears to be compunction. For one bug in a decade.
Yeah, tell me how you don't like his attitude. I think it's fine.
Mr. Bernstein, good work I say. Thank you very much for your efforts and skill and honesty.
Since I'm one of the admins who's enjoyed having an vulnerability-free djbdns installation for years, I thought I'd look more into the vuln.
Say what you will about DJB, other than being seemingly ornery he appears to be forthright and focused on correctness. In under a week he confirms the vuln and posts a patch and awards the security guarantee money. This is the kind of behavior I want from the people who build my software. http://article.gmane.org/gmane.network.djbdns/13864
Here's the bug:
If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com.
How many of you are running domains like this? It's not something I need to bother patching for. Ah, I guess that's another great thing about the relative rarity of bugs. If one is found it's less likely to be relevant for your particular situation.
The article submitter says:
"Anyone using djbdns is strongly encouraged to patch their servers immediately."
...he darn well clawed his way to the top through skill as much as luck I think, and I have a lot of respect for that.
I hope you're respecting the skill part, not the clawing part. We should make sure to disentangle the two.
For example, there might have a brilliantly talented and trained placekicker, but we might not want to respect his kicking babies. Regardless of how well the babies go sailing.
The Internet Explorer project was started in the summer of 1994 by Thomas Reardon and subsequently led by Benjamin Slivka, leveraging source code from Spyglass, Inc. Mosaic, an early commercial web browser with formal ties to the pioneering NCSA Mosaic browser. In late 1994, Microsoft licensed Spyglass Mosaic for a quarterly fee plus a percentage of Microsoft's non-Windows revenues for the software. Although bearing a name similar to NCSA Mosaic, Spyglass Mosaic had used the NCSA Mosaic source code sparingly.
Slashdot Mirror
Ah, well that's a heartening corroboration, the fact that security-minded persons are ahead of the curve in the switch away from IE.
I'm surprised the numbers aren't more dramatic.
The permanent effect is that you'll be sieving mosquitoes towards being silver.
I should point out that "we don't know of any dire consequences" suggests both "alright, git'r done" and "whoa, let's look at this carefully before we act."
Here's a relevant phenomenon that I recommend meditating on: personal overestimation by incompetents.
There's plenty of work aside from incompatibility mop up. And I prefer not to be making a living by grace of a societal problem.
That's a pretty shitty way to make a living.
Learn this concept before you bring up your unethical leeching lifestyle argument with anyone else: http://en.wikipedia.org/wiki/Broken_window_fallacy
Yeah... Okay, that's a problem.
Thankfully IE usage is just in freefall overall.
Who uses IE anymore?
Standards don't benefit anybody except web developers.
This is the foundation of your failure to understand.
If you can't see how fragmentation impacts more than the people who build the websites, you are shortsighted. If you don't see how Microsoft's incompatibility is a matter of their choice, you are blind.
The fact that you started your career writing "actual software" may be what's got you confused. The web is basically a single platform. It's not a proliferation of distinct operating systems that require ports. Microsoft intentionally creates and allows/maintains incompatibilities for the sake of vendor lock-in. (Netscape did this, too. I don't just hate on MS.) That's self-serving, needless infliction of wide-scale inefficiency. You don't get that this adds up? The people who pay for websites pay more and get less. The people who use websites and web apps end up paying through a variety of inconveniences and at times complete breakage to the point of being unusable. The people who were locked into using IE suffered more downtime and cost us more in support. The overall loss in human productivity has not been limited to web developers, hello. Glasses.
Take a look here:
Try correlating that period, 2001-08 through 2006-10, with what's going on this graph. Microsoft only cared about bettering their browser as much as it helped them maintain control. If you weren't fed up with IE6's impact on you and everyone else for the first half decade of this millenium, you weren't paying attention. No, that behavior was not "...Ok?" It was bullshit and I'm not lying down to take more of it.
Anyway, I don't think there's any convincing you and other battered wives like you that Microsoft's embrance-and-extend behavior is something requiring opposition. You seem to have the dog pack mentality that believes domination is equal to righteousness. And you call the needless extra work QA, but you fail to understand what you're actually doing is grovelling compliantly with your multi-browser ports and hacks. You enable Microsoft. I'd love it if you figured out what was going on then stood up and pushed back some. I suppose being antagonistic with you only serves me to feel better for a moment as I vent my anger rather than actually gives you space to think the matter through. I call you a jackass because of your belligerent and harmful ignorance, but that only sets you up to resist these ideas rather than to be ready to see their merits. My mistake. You're still a fool, but it's a disservice to us all that I failed to take a tack with you that stood some chance of helping you be enlightened rather than entrench you in your idiocy. I guess I'm just talking to myself at this point. No hard feelings!
I'm just glad that Microsoft's dominance is quickly coming to an end in the browser market, as you can tell by the right side of that graph. I'll continue to work to hasten it, and to hasten broader compatibility. Evidently by the rise of Firefox et al. there are enough people working towards this end even if there's some number out there who think like you. I hope your attitude of enabling another Great Languish is ineffectual. No hard feelings, but please don't try to convince anyone that IE is a good choice, thanks.
Humanity's got enough problems. Needless inefficiency is needless. I imagine your more fundamental misunderstanding is regarding the concept of independence. I hope the current financial crisis is driving home for
WTH? Relax? Fuck that.
You obviously fail to understand the gravity of the situation. Does the web seem like a trivial thing to you? Are you one of those people who says "oh, it's just another thing on the Internet -- no need to take it seriously"?
You think that it's okay to pain "a very, very small percentage of the population" with compatibility problems? I guess you wouldn't give a damn about sewer system engineers or transportation system engineers or power grid engineers either, eh? That's pretty idiotic myopia.
"Yeah, you're suffering. Big deal, there aren't many of you. Just relax." Fuck that.
If you'd been following along you'd have noticed the 5 year languish of IE6. Microsoft dominated the market using its distribution and then just stopped. "Tada! The World-Wide Web! Let it rot." What, you never had to clean up a friend's IE6-spyware-infested machine? Only when their dominance was threatened did they rouse themselves to make any changes. And now you think "they're making a good try here at fixing the problems"? And you're ready to take what they serve you? You trust these guys? The same purveyors of stagnation?
The self-serving protocol pollution and dominance games of Microsoft are only half the problem. You are the other half. Ignorant users (and developers) who fail to see the importance of standards and who are either virtual amnesiacs about Microsoft's track record of standards subversion or are just acting like battered wives.
What happens with standards and the web is pretty damn important. Get some glasses, jackass.
Try to push things towards using a single standard so that move towards "write once, run everywhere".
Hinder further fragmentation of the code you have to write. The two major versions of IE already complicate things unnecessarily, so discourage adoption of IE8 every chance you get.
Internet Explorer is lame.
When you think about it, you realize it's true. Generally the cool kids aren't into IE.
Please don't encourage yet another browser we'll all have to support.
If your job depends on addressing the market, then write to standards (test in Firefox and Safari and Opera) and IE7/IE6. That's where the market's at right now.
If your boss says you should anticipate IE8, point them to this graph and this graph. Tell them your anticipation is that IE8 will add work without adding substantial market benefit. You can put off IE8 support until it proves it can achieve the same penetration as IE7.
I guess you think what I wrote was crap. Specifically anything? Look, that's a problem with nebulous emotional thinking. It doesn't address specifics well enough to make any headway. So, please try to be specific.
I think it's great you came up with a scenario, though. I find that that's a wonderful way to mull over ideas. (Remember, get specific, though, in your analyses. "Feels wrong!" is a useful first pass, but getting stuck there and acting out from such a position is a bane to civilization. Don't be a bane.)
Did you choose 3 months because you thought it was relevant to the discussion of embryos that's the focus here, or did you maybe hope to do some sleight of hand to slip things further into unclear territory? Supposedly EEG signs begin to occur at around 12 weeks.
Look, despite the vitriol I've got for obnoxious ignorance, the truth is that I care about the well being of all sentience. I want you not to hurt, I want cats and dogs not to hurt, I want even criminals not to hurt. That last bit probably doesn't jibe with your mentality, but it probably jibes with that Jesus hippy's mentality. Anyway, I am not opposed to forcing a stop to misbehavior, though I prefer alternatives.
The scenario you offer is complex, and I'm guessing you don't care to have a sincere discussion. I'll let you do the heavy lifting of disentangling all the specific issues and then I'll address each of them in turn. How's that? I expect, however, that you will be unable to discern the components, let alone be willing to work towards anything except promoting your agenda.
A quality of the "Authoritarians": Exceptionally punitive, even of victims.
Off the cuff that's kind of compelling, and maybe deserves a fair shake. I say we look a little more closely.
I think the attempted analogy would rather have us thinking about something like 70% of all humans dying unnaturally. If that were the stat I think maybe we wouldn't be aghast at a few unnatural deaths. (And we should probably look at the differences between "unnatural death" and "murder". I think not all unnatural deaths are murder, unless that's how you're defining "unnatural death".)
And an embryo really isn't a "breathing" human. And not all life seems sacred to detractors of stem cell research, so "living" doesn't count for much (to them). Not even all human life seems sacred. And taking it a step further, not even all conscious human life is sacred to typical opponents.
Still.
These things may not be real arguments one way or another, so I shouldn't be so misleading by quashing the parent's argument, tossing ad hominem barbs, and leaving it at that. The issues here really are very complex and subtle.
Longevity of sentience is one thing. Likelihood of death by various means another. The actual experience of sentiences yet another (what's called "quality of life"). The potential for sentience is yet another.
Outrage at an embryo being destroyed because of the destruction's effect on the potential sentience of a child is only a step from outrage at each ovum failing to be fertilized, at condoms being used, or even at people not having procreative sex in the first place. Potential doesn't only begin at fertilization. I think that boundary is a convenient simplicity where folks can alight their truer feelings. My guess is it's about personal feelings of helplessness. There, I said it. Right-to-Lifers (anti-choicers) are projecting their existential grief and their impotence amid fearful chaos. Life's not so bad, quit being so scared. While we're at it, quit being such xenophobes, not all strangers are evil.
Anyway, quit confusing egg fertilization with innocent sentience. That's dumb.
As I said, though, the matter is subtle and complex. I don't have a good understanding of it. I struggle with concepts like the following: How is potential sentience from an embryo ethically different from the potential sentience of an adult in suspended animation? My intuition has me feeling they're very different, that the adult in suspended animation is more valuable. Makes me think the likelihoods of outcomes are relevant. But, there, am I not guilty of the same kind of intuitive, emotional, pre-rational thinking that I'm ascribing to dumb fear-for-lifers? To some degree, yes. But, no, not substantially. I am openly admitting my uncertainty and seeking to understand better. I am a few steps ahead because I understand and admit more details about the ethical complexities of the situation, whether they bolster my preferred outcome. I am aware of the influence of biases, so I seek to know my own biases and their influence. In contrast, the fear-for-lifers I am familiar with are motivated to assuage their pathological feelings, not to understand. They bring reason along only as a tool in service of their biases. I would sooner trust the intuition of a humbly uncertain person with a manifestly shrewder grasp driven by curiosity and truth. And even then I would temper any action based on that intuition proportionately with the intuition's vagueness and the moral severity of the matter.
So my action at this point is further philosophical meditation rather than obnoxious campaigning. That and slamming ignorant zealots who should be acting similarly. Shut the fuck up.
George Guninski, I'll say again.
I'm pretty sure that's the exploit in question. If you disagree, could you link please?
You make it sound like this is the rarest thing in the world. It a solid and substantial vulnerability.
I don't mean to make it sound like the "rarest thing in the world". But I wouldn't expect maybe a single Slashdotter to be in this position. Otherwise, please note my comment here.
Oh, that's what you mean by "complete denial". I thought you meant denial as in
Denial is a defense mechanism postulated by Sigmund Freud, in which a person is faced with a fact that is too uncomfortable to accept and rejects it instead, insisting that it is not true despite what may be overwhelming evidence.
I didn't realize you meant it in the simple sense of "to state that something is not true".
But maybe you actually do mean the defense mechanism version? I guess then that there would have to be overwhelming evidence. Do you see it as likely or possible that qpopd would be given 4 GB of (even virtual) memory? I'm not familiar with how it's normally run. Anyone?
What about the disingenuous part? Is that also for denying the feasibility of the vulnerability scenario? I take it you think he really believes it's a feasible vuln and he's not being honest about it?
How does Address Space Layout Randomization (ASLR) affect total memory usage and its implications for counter values?
4 GB per process is what they were talking about. Really, seems improbable to me. Isn't that a bit like too many coops in one basket?
Well, yes, the bug is a very big deal for certain implementations. Though counting per installation they may be rare, the extent of their effect is quite great.
I expect it would be fairly trivial for these sites to update (though this is highly dependent). Or was trivial, as I imagine they've already done it.
Considering the extent, your find is of great value. Thanks. Considering the uniqueness of your find and the renown of the software, this is historic. Congratulations.
And I hear you were responsible in your disclosure. If that's the case, then thanks very much for that too.
This is very interesting. The idea of patching when harmless though not necessary has some appeal to me, as a ward against future problems as you say, but something doesn't seem quite right about it.
It's unlikely that I'll forget "The djbdns Bug", but more relevantly I don't anticipate accidentally implementing service of delegated subdomains.
(George Guninski.)
As I'm very interested in knowing the truth of claims regarding Bernstein's misbehavior, it would help me very much if you could point to specific quotes or actions of his that show "complete denial" and being "disingenuous". Thanks!
I just realized this:
The next release of djbdns will be backed by a new security guarantee.
In the meantime, if any users are in the situation described above,
those users are advised to apply Dempsky's patch and requested to accept
my apologies.
He's apologizing. How's that for forthright behavior? He's not being evasive. He's not pointing fingers. He's owning up to personal error, and expressing what appears to be compunction. For one bug in a decade.
Yeah, tell me how you don't like his attitude. I think it's fine.
Mr. Bernstein, good work I say. Thank you very much for your efforts and skill and honesty.
Since I'm one of the admins who's enjoyed having an vulnerability-free djbdns installation for years, I thought I'd look more into the vuln.
Say what you will about DJB, other than being seemingly ornery he appears to be forthright and focused on correctness. In under a week he confirms the vuln and posts a patch and awards the security guarantee money. This is the kind of behavior I want from the people who build my software. http://article.gmane.org/gmane.network.djbdns/13864
Here's the bug:
If the administrator of example.com publishes the example.com DNS data
through tinydns and axfrdns, and includes data for sub.example.com
transferred from an untrusted third party, then that third party can
control cache entries for example.com, not just sub.example.com.
How many of you are running domains like this? It's not something I need to bother patching for. Ah, I guess that's another great thing about the relative rarity of bugs. If one is found it's less likely to be relevant for your particular situation.
The article submitter says:
"Anyone using djbdns is strongly encouraged to patch their servers immediately."
I think "anyone" is a bit strong here.
...he darn well clawed his way to the top through skill as much as luck I think, and I have a lot of respect for that.
I hope you're respecting the skill part, not the clawing part. We should make sure to disentangle the two.
For example, there might have a brilliantly talented and trained placekicker, but we might not want to respect his kicking babies. Regardless of how well the babies go sailing.
Somewhat, according to WP:
The Internet Explorer project was started in the summer of 1994 by Thomas Reardon and subsequently led by Benjamin Slivka, leveraging source code from Spyglass, Inc. Mosaic, an early commercial web browser with formal ties to the pioneering NCSA Mosaic browser. In late 1994, Microsoft licensed Spyglass Mosaic for a quarterly fee plus a percentage of Microsoft's non-Windows revenues for the software. Although bearing a name similar to NCSA Mosaic, Spyglass Mosaic had used the NCSA Mosaic source code sparingly.
What MS did to Spyglass sort of epitomizes their assholery.
You may be interested to learn that your name is drug slang for a syringe.
What!
Where have you been for the last decade? Pay attention!
http://www.kb.cert.org/vuls/byid?searchview&query=isc%20bind
http://www.kb.cert.org/vuls/byid?searchview&query=djbdns
18 v. 0? And you're looking for what kind of "authority" to make this judgement for you?
(For full disclosure, there is now a single candidate (by-design) vulnerability listed with the CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4392)