The pothole app was probably a poor choice of example, but is much simpler to understand than insurance risk pools, so that's probably why they chose it. There are plenty of examples of digital ghettos that don't open themselves up to this "personal responsibility" bullshit argument, and the economic bias the big data introduces into the system is going to negatively impact groups of people that are not so easily defined as by race, gender or poverty. It's a real and growing problem and without constant attention to the effects of data mining, it will get much worse over time.

Also note that when the delusional complain about the "welfare queens" possession of a cell phone is often an item on their list alongside cable TV.

I wouldn't give it 25 years. The last technical obstacle is about to fall on the enterprise campus, in that the latest generation of switches and wifi conrollers that are being sold now have roadmapped upgrade paths to RIPE-554. Almost all our other gear has been IPv6 ready for year; once the old edge switches are phased out (5 year timeframe) those roadmaps will have become reality and then it's just a matter of finding the time, which won't take two decades.

I do. Just because data is aggregate does not make it harmless, especially when insurance company risk pools get involved. The people using this data are under no oath or legal obligation to use it in a humane, reasonable, or positive fashion. This data is slowly building the boundaries of the digital ghettos of the future.

Yeah, to say that "standards don't keep up with technological progress" is a one-sided perspective, since technology doesn't keep up with standards. If it did, I'd be more of a coder and less of an implementer, because 80% of my time is papering over standards noncompliance in vendor equipment.

Better to say implementors and standards bodies don't coordinate like they should.

Engineers don't just apply known science, they deal with the parts of the system that aren't obeying the textbook rules and find places to look for new phenomena in the process. To do so they analyse behavior and build models that predict the tolerances needed to get things working with a high degree of confidence. The difference is they don't go off on tangents because they have an objective, but engineers are often the initial discoverers of phenomena. It usually takes a pure scientist to then go in to spend the time explain more precisely why they had to make the tweaks they did, but there is plenty of overlap and there are plenty of people you cannot put into one category or another.

Um, no, mechanical engineering has more to deal with now than they did then, because materials science and nanotech are increasingly important components.

I don't know where you get your ideas about the engineering disciplines. They pretty much all have frontiers.

It's a worn out thesis echoed many times over by the occasional erudite edlder for some physchological reasons that will perhaps never be fully understood, even by said erudite elders.

If you want an interesting discussion along these lines, it's much more interesting to discuss how educational techinique could be improved to bring people up to speed faster, given the amount of knowlege needed to make an impact is arguably higher but we obviously haven't managed to figure out how to teach faster. Or how we are starting to get culturally desensitized to discoveries that actually would be ground shaking back in the day. Or how emergent behaviors have suddenly made new areas of math not formerly considered worthy of the title of "science" much more pertinent, and after all, physicists were really doing just math to explain observations back when they made their Nobel winning discoveries.

I don't think so in this case. I normally would have waited on the firehose for a submission with a better writeup, but this was relatively urgent news so I upvoted it anyway.

(Yes someone did understand you weren't talking about the potential intentionality of the bug, don't despair there are people capable of comprehension out there and you may even meet one face to face someday :-)

There may seem to be more now because there is more auditing going on since the NSA revelations reminded people what had to be done, and also the slower trend of case law starting to punish mishandling of customer data. The halcyon days are over and the backlog is being cleared up.

My computer is too busy calculating an MD5 in a managed memory VM that doesn't even have an unsigned or sized integer types and thus must perform basic left barrel roll operations in about 50 opcodes worth of abstraction container dereferencing, to allow me to respond to this post appropriately.

For sshd there was possibly some protection afforded by the privilege separation model. I'd store your old keys and wait to see something from someone who knows it cold.

It's not the fix of the code that's messy. It's the fix of the trusts using that code to function. They are all broken. After the upgrade keys need to be replaced, certificates re-issued, endpoints and clients reconfigured to trust new keys, and in some cases customers and end-users may need to be involved. For anything of CDE level security or higher, it's as big a cleanup job than the one that gave us openssl-blacklist, but the blacklist for this would be neither complete nor easy to assemble.

I predict a lot more interest in turning on CRL pathways in the future.

You really think the guy behind hotgritsnatalyportmanphotos.org is trustworthy?

While you're right this was very negligent for a project of the stature and importance of openssl, merely discovering this bug in closed source software would have required a fuzzer and much luck, leaving it unfixed for whoever had managed to get a a copy of the source to exploit for much longer.

All I can say personally is I sure picked the right two years to get lazy about patching up.

Basically it means if you know any UNIX sysadmins, they'll be pretty cranky for the next week or so as they've been busy trying to put the poop back in the baby.

Oh yeah, and lots of your gadgets and favorite cloud services may be vulnerable, so anything stored on them may be in the hands of others.

Who knows who knew what and when, but the 2012 statement is a misinterpretation of TFA where they seem to be saying it essentially started "hitting the shelves" in distros about then, whereas before then it was mostly only distributed in beta builds and head code.