instead of concentrating on replacing malloc, they could concentrate on replacing another part, namely designing buffer-types that contain buffer-size and are automatically bound-checked.
So heartbleed has something to do with their in-house memory management, in that they lost the opportunity to bake automatic bound checking into their custom memory manager.
One of the few quite brilliant things DJB did was write stralloc to avoid C string issues. I wish more people would use something similar in their code.
Everyone with a Nest is probably already aware of their Energy Partners https://nest.com/ca/energy-par... program.
Instead of having your utility company cut your power in the summer when its hot out like they do some places, Nest users' thermostats pre-cool their homes in the morning to reduce energy use during peak hours as determined by the power company. This is a win-win you sign up for, not a spying act.
If you don't want Nest to know about your energy usage, just disable its wifi connection. It still works fine without it.
Its right in the byline at the top of the article so it seems well-covered for those who click-through already. Also, I hate podcasts, so I'm glad they didn't link to that instead.
There should be no analogies, as comparing software to the real world means you're profoundly ignorant to begin with.
Software is real. It's part of the world. Same as the internet - it isn't a "cyberspace", it's people sitting at keyboards, and servers in real places, with actual cables between. And laws apply to those people, servers, cables, and software. And analogies apply equally well and equally badly between software and the rest of the world as they do between other parts of the rest of the world. Some analogies are useful, some less so. Just because it's "software" doesn't make it, and the processes that produce it, magically immune to logical, ethical, and legal analysis.
The torrent is the movie. It's just heavily compressed, using a compression algorithm that involves a look-up to a different location.
I love listening to the "whoosh" sound that accompanies each and every reply to this. Priceless!
What else would the public be familiar with computers doing in the late 50's that would help them have context for this decision?
It seems to me that the computer was still an unknown entity to most people at the time.
I was probably over-optimistic when I said "finding bugs like this is easy to automate". What this would probably need is runtime access checking turned on, and a test case that has mismatched lengths. The latter would require the tester to implement what I call C4 tests, or "comprehensive corner case coverage".
Not true. Writing code is very hard to automate. Finding bugs like this is easy to automate. In fact, the OpenSSL team specifically turned off all the memory overrun checks on all platforms, because some platforms have performance problems with them. So, the automated checks should have spotted this problem (at run time, rather than compile time, but there are other tools for that), but they were turned off.
"Everything should be made as simple as possible, but not simpler." -- Albert Einstein