If I were a programmer
That's the problem: you're not.
and found that completely unacceptable, I could always choose not to work on such an important project critical to the security of so many.
That's the old tired meme used to keep honest competent people out of critical jobs; but unlike generals and politicians, programmers able to work on OpenSSL don't grow up in trees, so you will have to make do with (almost) the same people and stuff your "incentives" and "reactions" up your ass.
I do have to wonder if the task was made easier given the purpose of the server. After all, I'd think it wouldn't get traffic at all except for those people responding to the challenge.
On the contrary, it may have made things harder.
Reading the private key relies on forcing malloc() to reuse some small block from the free block list with a lower address than the block containing the key, instead of simply carving a new block out of free memory (with an address higher than the key).
That may be easier to do on a busy server, because you don't have to send millions of queries just to fragment its memory; you may just assume that malloc is already reusing freed blocks, and exploit the algorithm it uses to do that (e.g. by manipulating the length of payload to let it allocate some unusual size block for which some gap just before the key is the perfect fit).
I have met a lot of them, and while they are extremely friendly people, they are also staunchly conservative when it comes to things like cochlear implants and what they see as the erosion of Deaf culture.
Does a cochlear implant let one hear as "normal" people do, or at least as much as an 80-year-old with a hearing aid?
If the answer is "not quite", then they have all the reasons to be conservative.
This bug would have been utterly trivial to detect when introduced had the OpenSSL developers bothered testing with a normal malloc (not even a security
This is simply not true, stop spinning it.
Even if OpenSSL is using system's malloc, with all its mitigation features, the bug still works. The attacker just has to be more careful, lest he should read freed() and unmapped memory, and so cause a crash and (supposedly) leave some kind of meaningful trail.
They just included it as delivered by the OpenSSL people (BTW, OpenSSL is a different project, no relation to OpenBSD).
A simple code changes review would have caught such an obvious bug (trusting without checking a buffer length parameter received over the network).
As to their memory randomization thing and how OpenSSL worked around that by wrapping malloc(), that's a red herring; if you're able to read the whole process memory by 64kb, there's no problem to follow all pointers in the manner of a garbage collector, or simply mine it following known patterns.
Was it automatically enabled?
The Soviets most certainly did have state mandated atheism. You could get sent to the gulags for admitting to or demonstrating your religious beliefs.
When was that?
AFAIK, the Orthodox Church was very much scaled back, but its priests, seminaries, etc. were still paid for by the State, and just as in tsarist times, the Church was an active & enthusiastic organ of the totalitarian state (the clergy ranks were even assimilated to ranks in the secret police).
Camouflage is security through obscurity.
If the enemy is using (effectively) some kind of thermal detection, then yes, camouflage shares all the characteristics of security through obscurity.
Including but not limited to stupidly complicating the task of corpse recovery.
I like to think of it this way. A soldier wears camouflage in the field to help protect
Stop playing silly semantic games and equivocation fallacies.
What's next? Arguing that 'security through obscurity' is obscure in Jude the Obscure's way?
Pretending that adding an obscurity layer is effective makes just as much sense as pretending that run-length encoding a gzip file will make it smaller.
I would have expected them to include the original cyrillic name and all the
I can see those letters fine.
No, you don't.
Just because you don't know Polish, don't assume that "Pchn" and "jea" are actual words.
Explaining quicksort to the layman.
[...]
Sort the names into three piles
That is dumb.
The big advantage of quicksort is that it is able to quickly sort in place.
Now try to convey that with your piss-poor piles and cards examples.
Anything but mergesort (including bubblesort) looks contrived with physical objects.
I find the idea that a "Central Lie" is necessary for people to act morally highly offensive, and impossible to prove in practice; but if that is really the case, then better let the whole world go to hell than having to play with and smugly pretend to believe some random bullshit.
And if we're into real Scotsmen, for a "real" Christian, the thing is about sin and salvation, not pretending to be an idiot in the hope that the others will do the same, and so be able to go along nicely instead of killing and maiming each other.
"If it ain't broke, don't fix it." - Bert Lantz