No no, it's quite simple really:

"It it not improbable that everything suddenly sprang into existence from nothing?"

"Well, yes, that's HIGHLY unlikely!"

"So it is. Therefore, given an infinite metaverse this has certainly occurred. Thus, even if not the origin of this universe, it absolutely is the case in an infinite number of others, including an uncertain number which are indistinguishable from our own wherein we are having the same conversation. Q.E.D."

This is all uncovered extensively in "Super Fragile Improbabilistic Theoreticalidocious". The improbable motive force of creation was first theorized by none other than the esteemed Douglas Adams himself.

Well, I'm a developer too. Mostly open source. Thing is, I don't bite off more than I can chew. This is a security product. They're not using basic code coverage tools on every line, or input fuzzing. They missed a unit test that should have been automatically generated. This is like offering a free oil change service boasting A+ Certified Mechanics, then forgetting to put oil in the damn car. Yeah, it was a free oil change, but come the fuck-on man. You really can't fuck up this bad unless you're stoned! I mean, if you change the oil, you check the oil level after you're done to ensure it hasn't been over-filled... You check all the code-paths, and fuzz test to make sure both sides of the #ifdef validate the same, or else why even keep that code? "I can accept the responsibility of maintaining and contributing to an industry standard security product" "YIKES I Didn't Fully Test my Contribution! Don't blame me! I never said I could accept the responsibility of contributing to or maintaining an industry standard security product!"

It's cancerous shit like you that give open source a bad name. Own up, or Fuck off.

No it's a curse. I have input fuzzing, unit tests, code coverage profiling and Valgrind memory tests. Such a bug wouldn't have slipped past me with both eyes shut -- no seriously! If I fuck up accidentally like this THE COMPUTER TELLS ME SO without ever having to do anything but make the mistake and type make test all. I test every line of code on every side of my #ifdef options, in all my projects. If you're implementing ENCRYPTION AND/OR SECURITY SOFTWARE then I expect such practices as the absolute minimum effort -- I mean, that's what I do, even when it's just me coding on dinky indie games as a hobby. I don't want to be known as the guy who's game was used to compromise users' credentials or data, that would be game over for me.

These ass-hats have just shown the world that they can't be trusted to use the fucking tools we wrote that would have prevented this shit if they'd have just ran them. It's really not acceptable. It's hard to comprehend the degree of unacceptable this is. It reeks of intentional disaster masquerading as coy "accidental" screw up, "silly me, I just didn't do anything you're supposed to do when you're developing industry standard security software". No. Just, no. An ancient optimization that was made default even though it only mattered on SOME slower platforms? Yeah, OK, that's fucking dumb, I can buy it as an accident. However, NOT TESTING BOTH BRANCHES for that option? What the actual fuck? I could see someone missing an edge case in their unit test, but not even using input fuzzing at all? It's not hard, shit, I have a script that generates the basic unit fuzzing code from the function signatures in .H files, you know, so you don't miss a stub...

"Never attribute to malice what can be adequately explained by stupidity." -- The level of stupidity required is unexplainable. How the fuck are they this inept and in charge of THIS project? THAT'S the real issue. This isn't even the fist time OpenSSL shit the bed so bad. In <- this linked example, it was Debian maintainers and not the OpenSSL maintainers fault (directly): Instead of adding an exception to the Valgrind ignore list (which you most frequently must have in any moderately sized project, esp one that handles its own memory management) they instead commented out the source of entropy, making all the SSL connections and keys generated by OpenSSL easily exploitable since it gutted the entropy of the random number generator (which is a known prime target for breakage that's very hard to get right even if you're not evil, so any change thereto needs to be extremely well vetted). Last time the OpenSSL maintainers brazenly commented they "would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was." -- Except that they silently stopped paying attention to to the public bug tracker / questions and quietly moved to another dev area, making it nearly impossible to contact them to ask them about anything (a big no-no in Open Source dev), but it gives you a better idea about the sort of maintainers these fuck-tards are.

We don't know absolutely for sure, but we're pretty damn close to absolutely certain that OpenSSL and other security products (see: RSA's BSafe) are being targeted for anti-sec by damn near all the powers that be. So, now we find out OpenSSL has an obsolete optimization -- a custom memory pool (red flag goes up right away if you see memory reuse in a security product, that shit MUST be even more throughly checked than entropy-pools, since it can cause remote code execution, memory leaks, and internal state exposure... you don't say?). We find that optimization would have been caught by basic fuzz test with Valgrind, which apparently folks have been using previously according to the comments in the prior SNAFUBAR. Even if unit-test missed the out of bounds edge-case values on the alternate codepath, the alternate codepath NEVER was tested for YEARS? That's inexcusable, almost as bad as developers of a popular open source security entering silent-running mode... It's pretty clear why: If that branch was compiled in it would reveal this bug that was splaying OpenSSL wide open. Now get this: They use the excuse that the codepath hadn't been tested in so long to KEEP USING THE BUGGY CUSTOM MEMORY MANAGER?! Look, if I was writing a memory manager for a security product, guess what my #1 reason for doing so would be? To memset freed memory to zeros automatically and PREVENT this type of data leak.

If I did something like this I would fire myself, I'm being perfectly honest. I would demote myself from executive software architect all the way down to build-script code-monkey. I'd stop everything, slap myself upside the head, contact my customers and apologize for the delay, offer a refund if they can't wait and need to go with another solution, I'd cancel my vacation to make up for the money I won't have, and get my ass in gear putting together a proper built, test, deploy framework and I wouldn't accept a single new feature until everything was checking out, had unit tests for edge cases and fuzzing for all functions, and I had 100% code coverage on these tests. This is a security product for fuck's sake, so in that case, If I messed up this bad I'd have myself neutered on top of all that so as to spare the gene pool any chance of my brain-damaged contribution.

This is a curse because in a post-Snowden world OpenSSL should be dead to us now, but it won't be, it's entrenched -- Like a grandma zombie it will lumber on without anyone having the guts to bash its brains in because it looks like something we were deeply connected to just a moment ago. The thing is though, that zombie is not our granny anymore, it's infected. There is absolutely no telling how many more glaring fuckups that exist, readily compromising the security of the entire stack and which have oh-so-convenient plausible deniability if ever discovered. OpenSSL needs a full and complete security audit, and the maintainers should be banned from any open source security software that wants to be seen as credible. If I were them I'd be apologizing and stepping down, asking the community to appoint a new maintainer. The code is now cursed, and so are its maintainers, just as some of its contributors, and all of its users are.

Fortunately for me, from the first time I looked at the design of the TLS/SSL PKI CA system and vomited at the stupidity of it all, I have been operating under the assumption that the entire thing is purpose built to be a complex security theater that offers no security whatsoever. It really is a collection of single points of failure: Any CA can create certs for any domain, so you have to trust ALL of them to never be compromised or the whole thing falls apart, not to mention all the bad-actors listed as trusted roots by default in all browsers ensuring that you can not trust all of the CAs ever. If the implementations could be trusted you could use trusted self-signed certs to secure endpoints for your internal business domain, but I really don't see how any CA can prove that it is trustworthy given government gag-orders exist, and I haven't yet seen an implementation of SSL that I feel I can trust.

Look: It sucks, but if you want it done right you really are going to have to do it yourself, or find a trustworthy bloke to do it for you. It's the keys to the kingdom people, that's what's called a single point of failure. It's guaranteed to be 100% screwed if its widespread and an unrelated 3rd party or committee is in charge, count on it. Damn near every government on the planet employs a building full of people who's job it is to make this so. The only blessing in disguise is that this is yet another nail in the coffin, not just for OpenSSL, but for the Public Key Infrastructure in general. More and more folks are jumping ship and looking for better solutions, realizing that no CAs can be trusted at all, and trusting hundreds of them is pure stupidity.

It's a real shame no one invented a trust graph system where multiple intermediaries can vouch for identities like in PGP, oh, wait... Huh, why does TLS even exist then? Right, to make sure your shit is very exploitable.

Oh? Scientists are taking longer and longer to get Nobel Prizes, meanwhile our President got one just for being elected! Never mind the more competent and capable black fellow who Obama got redistricted out of office to begin his ascent... maybe Gerrymandering is a feat worth a "Nobel" prize? Ah, wait, now I remember, these prizes are just political bullshit, who gives a fuck about them? I don't.

Neurology is unlocking the mystery of the mind and Cybernetics provides models for the creation of new mental latices so that minds may escape their bodies. Information theory gives us insight into the quantification of cognition and its unification with mathematics. Philosophy may soon have epistemology verifiable through quantum physics and ethics based on rigorously provable physics equations. The theory of expansion says there are multiverses and we haven't even colonized the moon let alone been to the nearest planet in person not to mention the nearest star or galaxy... and these fuckers want to claim science is winding down? Sounds like some Grade A+ Christian Fundamentalist Pandering to me: "Science is almost dead! See, it didn't have all the answers. Yaaaay God!"

Hell, I can barely keep up with feeding my distributed neural network experiments ever more precessing power due to the exponential increase in cheap computation complexity. For the first time on this planet a species stands poised to intelligently design and manufacture the biogenesis of a completely new form of life, and some idiots are saying we've reached the end of the road in science? Fuck that. If PCs continue their progress then by 2050 the machine intelligences in my server racks alone will have many times more computation power than a human head does, to say nothing of the Internet as a whole. We just began 3D printing new organs and regenerating existing organs too. We're making ARTIFICIAL EYES and we can even cure deafness. We've got artificial brain implants restoring and repairing the functionality of minds, we even have the first ever telepathy by way of copying the thoughts and memories of one mouse into another. We may not only colonize the asteroid belt, but even create self assembling minds the size of small planets with electromagnetic brain waves so powerful they can shape reality itself concentrating energy matter at a whim, like the most powerful coherent beams on Earth crudely do now. Science killed the old gods, deprecating the term by defining new ones like Alien Intelligence. Now we are closer than ever to creating god-like beings or becoming like gods ourselves, at the very least immortal, and yet science is "running out" of great things to discover? Really?

I could go on about discoveries and achievements to be made in every field from education to material science, from grief counseling to artificial flavoring, from textiles to construction there is not a single area of research that doesn't stand to make revolutionary advances for humanity in everything from self healing metals and glass to houses that think to transforming electro-chemically powered clothing to vegetables and meats that grow in your fridge to environmentally friendly cellularly engineered organically grown building construction or even just candy that repairs and prevents cavities.

It would take a really small minded and ignorant fool to claim science is running out of achievements or advancements. Try peering out from under a rock some time. With each new technology the door opens to even more progress. Just compare the last century to the century before that to refute the bullshit claim; Try it with millenniums to get a real grasp on progress. Machines have developed capabilities in a few short decades that took organic life billions of years to emerge. All observational evidence proves such nonsensical statements as in TFA ill-informed at best, and an indication of brain damage at worse.

The article is sensationalists anti-science garbage. Nature will grant the same fate to troglodytes as trilobites. If you lack adequate awareness, you become a fossil. Adapt or become extinct.

As contrasted with training users to embrace the utter cluster fsck of nausea inducing purple and green bruised UI vomit that is Windows 8?

I install Debian and Gnome (2 or 3) or KDE for elderly folks at the community center. Guess what? They have less of a problem going from XP to Linux than from XP to Vista, 7 or 8. Gnome's "dead-zone" which prevents shaky hands from accidentally copying when they want to double click is a favorite feature among the elderly. In fact, since Windows8's release I have tripled the number Linux installs and instead of just extending the life of old hardware both young and old folks just want a release from the non-communicative anti-discoverable W8 interface bullshit. I have been met with driver issues downgrading from Win 8 to Win 7 on many occasions, whereas a Linux live CD works out of the box far more reliably. On systems where the install wouldn't work for some reason, e.g. MS surface or surface pro hardware, most folks I meet would rather return it to the store or pawn it than continue using Windows, AOL Kids Edition.

If barely computer literate fuddie-duddies can cope, then the "Linux retraining cost" is just FUD. Anyone who really can't adapt should be fired for incompetence, heaven forbid a necessary website be changed while they're employed with you.

Well, what you are pointing out is that a CA is a single point of failure -- Something actual security conscious engineers avoid like the plague. What you may not realize is that collectively the entire CA system is compromised by ANY ONE of those single points of failure because any CA can create a cert for ANY domain without the domain owner's permission. See also: The Diginotar Debacle.

The thing is, nobody actually checks the the cert chain, AND there's really no way to do so. How do I know if my email provider switched from Verisign to DigiCert? I don't, and there's no way to find out that's not susceptible to the same MITM attack.

So, let's take a step back for a second. Symmetric stream ciphers need a key. If you have a password as the key then you need to transmit that key back and forth without anyone knowing what it is. You have to transmit the secret, and that's where Public Key Crypto comes in, however it doesn't authenticate the identity of the endpoints, that's what the CA system is supposed to do. Don't you see? All this CA PKI system is just moving the problem of sharing a secret from being the password, to being which cert the endpoint is using -- That becomes the essential "secret" you need to know, and it's far less entropy than a passphrase!

At this time I would like to point out that if we ONLY used public key crypto between an client and server to establish a shared secret upon account creation, then we could use a minor tweak to the existing HTTP Auth Hashed Message Authentication Code (HMAC) proof of knowledge protocol (whereby one endpoint provides a nonce, then the nonce is HMAC'd with the passphrase and the unique-per-session resultant hash provides proof that the endpoints know the same secret without revealing it) to secure all the connections quite simply: Server and client exchange Nonces & available protocols for negotiation, the nonces are concatenated and HMAC'd with the shared secret stored at both ends, then fed to your key-stretching / key expansion system AND THAT KEYS THE SYMMETRIC STREAM CIPHER SIMULTANEOUSLY AT BOTH ENDS so the connection proceeds immediately with the efficient symmetric encryption without any PKI CA system required.

PKI doesn't really authenticate the endpoint, it just obfuscates the fact that it doesn't by going through the motions and pretending to do so. It's a security theater. SSL/TLS and PKI are essentially the Emperor's New Secure Clothes. At least with the shared secret model I mention above, there's just that one-time small window of PK crypto for secret exchange at worst (failing to intercept account creation means no MITM) and at best you would actually have the CHANCE to go exchange your secret key out of band -- Visit your bank in person and exchange the passphrase, etc. then NO MITM could intercept the data. HTTP Auth asks for the password in a native browser dialog BEFORE showing you any page to login (and it could remember the PW in a list, or even generate them via hashing the domain name with a master PW and some salt so you could have one password for the entire Internet). That's how ALL security should work, it ALL relies on a shared secret, so you want the MOST entropic keyspace not the least entropic selection (which CA did they use). If you're typing a password into a form field on a web page, it's ALREADY game over.

Do this: Check the root certs in your browser. For Firefox > Preferences > Advanced > Certificates > View. See that CNNIC one? What about the Hong Kong Post? Those are Known bad actors that your country is probably at cyber war with, and THEY ARE TRUSTED ROOTS IN YOUR FUCKING BROWSER?! Not to mention all the other Russian ones or Turkish, etc. ones that are on the USA's official "enemy" list. Now, ANY of those can pretend to be whatever domain's CA they want, and if your traffic bounces through their neck of the woods they can MITM you and you'll be none the wiser. Very few people if anyone will even inspect the cert chain which will show the big green bar, and even if they do they really can't know whether the domain has a cert from these trusted CAs just to comply with that country's laws or whatever.

So, I would put it to you this whole "Heartbleed" business is totally overblown. If you're NOT operating under the assumption that the entire TLS/SSL Certificate Authority / Public Key Infrastructure isn't purposefully defective by design and that all your keys are bogus as soon as they are created, then you're just an ignorant fool. Heartbleed doesn't change jack shit for me. My custom VPN uses the HMAC key expansion protocol mentioned above. I don't do ANYTHING online that I wouldn't do on the back of a post-card, because that's the current level of security we have.

I would STRONGLY encourage you to NOT TRUST the IETF or ANY security researchers who think the SSL/TLS system was ever a secure design. It was not ever secure, and this has been abundantly clear to everyone who is not a complete and utter moron. Assuming that the entire web security field isn't completely bogus is bat-shit insane.

Ah, but your time is worth money, as evidenced by the loathsome ad-sponsored apps.

I mean, if I sell my dinky indie game-mechanic experiments then I'm spending negative money on mobile apps, right?

Well, the problem is seeing sick people in the hospital and thinking the doctors are making people sick. Correlation is not causation. Girls have equal opportunity and are making the choice not to be in CS and IT, that doesn't mean there's sexism or any reason to try to fix it. I mean, we don't have a shortage of STEM workers.

Hell, even the girls that DO like to code are looking at Silicon Valley, where you're considered dead at the family raising age of 40, and making far better decisions about the future than the silly guys who will do what they like to do whether it's very profitable or smart in the long term sense -- Just look at the Mathematicians and Scientists who scrap and fight for funding, they're not doing it for the money... You can code for a hobby and make games or something, but have a real job elsewhere that's got more stability than churn.

So what's the deal? If they know men and women are different, and that cross-culturally more egalitarian societies have even larger sex differences (probably because people are more free to do what they like doing), then they know no amount of teaching girls to code is going to fix the "gender gap" in the shitty STEM fields. So what's up with all the claims of anti-women discrimination when there isn't any evidence of that at all in the west? Ah, well they can leverage false guilt and shame and say, "We tried as hard as we can! We have a shortage of female workers in STEM! Title IX! Let us have more (lower paid) H1B employees and to correct the SEXIST M:F ratio!" You don't want to be called a SEXIST even if we have absolutely zero evidence of that, do you?! Ugh.

Yeah, that's exactly what's going on. To be perfectly clear: We can accept that our gender differences will produce trends in the workplace without limiting individuals to only following the trends, and without or shaming them if they do so. However, all this inequality nonsense is rubbish. Equal Opportunity won't produce equal ratios of M:F because males and females are different! Look, it's not sexist that there are so few male romance novelists, right? Guys just don't want to do that job nearly as much as women do. Where's the research that shows the percentage of girls vs guys that actually enjoy STEM work (not just those that think they'll enjoy it as a prestigious high status position, then bail, like 80% of female participants from my gamedev group, when they realize how much time and social life they'll be sacrificing for thankless work mostly no one will appreciate)? I mean, you'd think that before shouting "SEXISM" they'd at least want to know for sure that it's not just women opting to take a different career path (like therapy, psychiatry, teaching or other female dominated fields), Right?!

Wrong. Where's the outrage that there aren't enough male teachers, therapists, romance novelists, or more female coal miners, brick layers, waste management technicians, etc? Isn't that "sexist"? These Social Justice Warrior campaigns are just self selecting data and refusing to test the null hypothesis so they can leverage false victimhood to suit their political and economic agendas just like they've been doing so for at least the past three decades. You can expect as much from these fucking sexist and racist bigots, always. Not satisfied with making College into a social justice indoctrination camp they're bringing the totalitarian Orwellian bullshit to the lower grade levels; The better to brain wash your kids with, my dear.

Next thing you know they'll want to start banning words and making thought crime illegal. 1984 doesn't have shit on present day social justice bullshit.

Man, these greasy energon cubes are more than meets the eye, Optimus.

I thought you had a taste for crunchy fried things, Bumblebee?

When in Rome, do as the Romulans!

Shut Up Starscream!

Waiting weeks or years to get the next episode of shows airing right now without a .torrent? A few well crafted spoiler tweets gets through and you'd be gutted and roasting like a pig.

It's not the size of the pipe, it's the severity of the clog's filth. You grossly underestimate the content of these messages. TFA says some contained political rhetoric written by the CIA. I have quite a few routers that will barf core at the mere smell of partisan politics in the filters, and Cuba is getting weapon's grade bullshit!

Yeah, but it makes the equations to get from here to things besides mars essentially impossible to compute given the hardware available to run the course correction software. Take a look at Rosetta, the ESA's mission to catch a comet by its tail this year. Those are some crazy gravity assists.

Back in my day this wouldn't have been an issue since we ran a host of different custom interfaces and clients. We had to organize our own cross country backhaul via overlapping local calling networks, and orchestrated email routing networks using outdials. Probably only hackers used clients with encrypted links for their BBSs.

I don't know what you're talking about with that fed-speak. I never heard of any crazy lossy crap like duct-taping payphones together neither, but there may have been a few railroad tracks used as a transmission lines, or party-numbers as hubs to spook the ghost-busters at their own game, but those were just urban legends, of course.

Allow me to translate from buzz-ard to sysopian:

SSL-Ping Data Exfiltration Exploit: Detection and mitigation even a flaming lamer that can't patch OpenSSL can use

"Since this 0-day vuln was published skiddies have been exploiting it to leak data available to OpenSSL 64KB at a time via running one of the pre-written exploit proof-of-concept sources (as skiddies are wont to do) against a bunch of affected Internet facing services. This SNAFU is particularly FUBAR since all the distros that noobs use are building an ancient OpenSSL ver so they can't even push out a simple patch, obviously. We fingered the exploit in use and have a signature so your punk-buster scripts can detect the crackers and ATH0 before your cipher keys get the five-finger discount."