Comment Re:Oh, man, what a mess (Score 2) 151

You are correct about there being other IIS security vulnerabilities. There have also been other OpenSSL, Apache, and Nginx remote code execution vulnerabilities.

The Nginx RCE could also be used to compromise key storage. It could do even better than that: it could load an eavesdropping trojan into memory.

The past IIS vulns did not necessarily easily compromise key storage.

The Heartbleed bug is MUCH easier to exploit than any RCE bug, even though the RCE bugs are more useful for an attacker, if a server is known to be vulnerable to one.

Comment Re:Even root CA certificates may be at risk. (Score 2) 151

You would not believe what VPs will force you to do to get their $20 million flagship project out the door, which is then quickly forgotten about after the guy that was forced to do it quits in disgust.

Fraud that can get you in jail is not one of those things that some VP can force you to do.

The CA has to be validated by third-party auditors before it can even be trusted. One of the aspects that must be audited is the governance of that CA and the policies and controls of the CA designed to ensure the CA operates only according to the policies, and that includes ensuring that no system admin or member of management is capable of bypassing the rules.

Comment Re:Why would I work for free to make Apple rich? (Score 0) 268

GPL doesn't restrict people from using the software any way they want. It restricts them from preventing anyone else from using the software any way they want.

No... you're missing the big picture. It restricts the following use right: the right to use the code by modifying it, making a copy of the software, and selling or giving it to a friend or client, without giving the friend or client access to the source code.

Modifying the code and redistributing just the binary is one way of using the program. This use of the program is restricted by the GPL.

So the GPL does indeed restrict use.

You are prohibited from adding proprietary changes and keeping the nature and form of your changes confidential and protecting your rights to your changes and modifications.

Comment Re:Oh, man, what a mess (Score 5, Informative) 151

Pretty much every current web server cert in existence also needs to be revoked. Are the CAs even willing/able to do something on that scale in a short amount of time?

Calm down. A majority of web servers are not vulnerable and never were. All in all... fewer than 30% of SSL sites need to revoke any keys.

Some websites are running with SSL crypto operations performed by a FIPS 140-2 hardware security module; these are not vulnerable, since OpenSSL doesn't have access to the private key stored in the server's hardware crypto token.

Many web sites are running on Windows IIS. None of these servers are vulnerable.

Plenty of web sites are running under Apache with mod_nss, instead of mod_ssl. None of the websites using the LibNSS implementation of SSL are vulnerable.

Many web sites are running on CentOS 5 servers with Red Hat's OpenSSL 0.9.x packages. None of these servers were ever vulnerable.

Many web sites are running on CentOS 6 servers that had not updated OpenSSL above 1.0.0. These websites weren't vulnerable.

Many websites are running behind an SSL offload load balancer instead of using OpenSSL. Many of these sites were not vulnerable.
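The triage this comment describes (IIS, mod_nss, HSM-backed keys and pre-1.0.1 OpenSSL builds never needing a new key) written out in Python, as an added example that is not code from the thread or from any project. Host names, stack labels and version strings are constructed; the version ranges are the published CVE-2014-0160 ones (upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g and 1.0.2-beta2 fixed, 0.9.8 and 1.0.0 never had the heartbeat code). Two caveats a practitioner needs: distributions backport the fix without changing the version string, so a host reported "affected" here may already be patched and the package changelog has to be checked; and a host now on 1.0.1g may have been on 1.0.1e last week, so a "fixed" string only earns a review, not a pass.

```python
"""Triage which TLS private keys need replacing after Heartbleed (CVE-2014-0160).

Added example, not from the original thread. Assumed facts it encodes:
upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carried the bug,
1.0.1g and 1.0.2-beta2 fixed it, and 0.9.8 / 1.0.0 never had the
heartbeat code. Host names and inventory rows below are constructed.
"""
import re
from dataclasses import dataclass

# Matches the leading part of `openssl version` output, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> major/minor/patch/letter/suffix.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letter>[a-z]*)(?:-(?P<suffix>\S+))?"
)

NEVER, AFFECTED, FIXED, UNKNOWN = "never", "affected", "fixed", "unknown"


@dataclass(frozen=True)
class Verdict:
    status: str  # one of NEVER / AFFECTED / FIXED / UNKNOWN
    reason: str


def parse_openssl_version(text):
    """Parse 'OpenSSL 1.0.1e-fips 11 Feb 2013' into (1, 0, 1, 'e', 'fips')."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["patch"]),
            m["letter"], (m["suffix"] or "").lower())


def classify_version(text):
    """Classify the upstream OpenSSL build named in a version string."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return Verdict(UNKNOWN, "not an OpenSSL version string")
    major, minor, patch, letter, suffix = parsed
    base = (major, minor, patch)
    if base < (1, 0, 1):
        return Verdict(NEVER, "0.9.8/1.0.0 branch never had the heartbeat code")
    if base == (1, 0, 1):
        if letter <= "f":  # '' (plain 1.0.1) through 'f' are affected
            return Verdict(AFFECTED, f"1.0.1{letter} is in the affected range 1.0.1 to 1.0.1f")
        return Verdict(FIXED, f"1.0.1{letter} is at or past the 1.0.1g fix")
    if base == (1, 0, 2) and suffix == "beta1":
        return Verdict(AFFECTED, "1.0.2-beta1 shipped the bug; beta2 fixed it")
    return Verdict(FIXED, f"{major}.{minor}.{patch}{letter} is past the fix")


def key_decision(stack, version_string):
    """Decide whether one server's key must be replaced and its cert revoked.

    stack: how TLS is terminated: 'openssl', 'hsm', 'iis', 'mod_nss', 'offload'
    (labels are this example's own). Returns (decision, reason) with decision
    in {'keep', 'revoke', 'review'}.
    """
    if stack in ("iis", "mod_nss"):
        return ("keep", f"{stack}: OpenSSL is not in the TLS path")
    if stack == "hsm":
        # The OpenSSL process can still leak its own memory, but the private
        # key lives in the token and was never in that memory.
        return ("keep", "hsm: private key never loaded into OpenSSL memory")
    if stack == "offload":
        # Some appliances embed OpenSSL themselves; the stack label alone
        # cannot clear them.
        return ("review", "offload: depends on the appliance's own TLS stack")
    v = classify_version(version_string)
    if v.status == NEVER:
        return ("keep", v.reason)
    if v.status == AFFECTED:
        # Vendors backport the fix without bumping the version string, so
        # confirm the package changelog before acting on this.
        return ("revoke", v.reason)
    if v.status == FIXED:
        return ("review", v.reason + "; check what build ran before the upgrade")
    return ("review", v.reason)


# Constructed sample inventory: (host, stack label, version string as observed).
INVENTORY = [
    ("www.example.test", "openssl", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("api.example.test", "openssl", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy.example.test", "openssl", "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"),
    ("shop.example.test", "hsm", "OpenSSL 1.0.1f 6 Jan 2014"),
    ("intranet.example.test", "iis", ""),
    ("beta.example.test", "openssl", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("lb.example.test", "offload", "vendor firmware 3.2"),
]


def triage(inventory):
    """Map host -> (decision, reason) for a whole inventory."""
    return {host: key_decision(stack, ver) for host, stack, ver in inventory}


if __name__ == "__main__":
    for host, (decision, reason) in triage(INVENTORY).items():
        print(f"{decision:7} {host:24} {reason}")
```

Running it as a script prints one decision per host; feed it your own inventory rows in the same shape. The only "keep" verdicts it hands out without a follow-up are the ones the comment argues for: no OpenSSL in the path, key in a hardware token, or an OpenSSL branch that never contained the heartbeat code.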

Comment Re:Even root CA certificates may be at risk. (Score 1) 151

I'm sure some places will have their root CA on an externally connected machine, then try to place blame, likely saying how insecure UNIX is (when it isn't any particular flavor of UNIX that is at fault.)

Since this is in violation of the CA/Browser Forum rules and Mozilla policies that pertain to trusted CA certificates, they are either lying, grossly negligent, or both if they have ever had a root CA's private key loaded into an externally connected machine.

In fact.... a CA root certificate itself is not a trusted certificate for ANY domain name. They'd have to go out of their way to compromise it, such as by issuing an OCSP responder certificate with the same keypair.

Comment Re:The CA should not revoke the certificates, (Score 5, Insightful) 151

the user of the keys should do this. Would you want to pay for new certs even if you were not affected by heartbleed?

It's within the CA's right, however, to scan the URLs certified by each certificate, test for Heartbleed vulnerability, and automatically revoke if they determine that the site is vulnerable.

Comment Re:Why would I work for free to make Apple rich? (Score 1) 268

3) if you want to redistribute it, in any way shape or form, give us credit

Yes... Unfortunately number (3) is a bit lost for most redistributions of OSes or large software packages that happen to have BSD-licensed elements: there is no meaningful show of credit.

There used to be an advertising requirement in the original 4-clause BSD license, that would require mention of the developer's organization in advertising material --- but that bit got raped/essentially forced out, mainly due to the GPL being arbitrarily incompatible with it.

Comment Re:Why would I work for free to make Apple rich? (Score 3, Insightful) 268

You can't stop someone from using the software the way they want.

Yes you can. You can release it under a restrictive license such as the GPL Version 3, then they either cannot legally use it, OR they must distribute the source back.

You can also choose a GPL-incompatible free software license with even more restrictions, if you like.

Comment Re:The magical scenario is "gradual social decay." (Score 1) 737

Can you seriously imagine a disaster that would destroy all of these locations (and thus all of their knowledge and infrastructure) entirely and near simultaneously that would also leave any significant number of human survivors such that they'd have a shot at rebuilding society anyway?

My suggestion is that for the first 20 or 30 years after the apocalyptic event, there might be no use for the knowledge contained in those books. People will largely prioritize survival over the preservation of the pieces of their former civilization.

When you are freezing to death.... the materials in old buildings, such as libraries... are attractive firewood.

The apocalyptic event may have been a meteor shower that compromised the roofs of all these buildings, so by the time the knowledge is useful, in over 100 years, these places have all been torn apart.

Comment Re:Not necessarily (Score 1) 737

That's assuming they even have a vaccine. Ebola has no cure and has a 90%+ kill rate.

Yes.... well.... there have been cases of the Ebola fever in 6 African countries since 1976.

But so far, the survival rate is so low and the death rate so high that the virus tends to kill its hosts before the disease can spread much, and the infectious dead bodies have generally been in isolated areas, thus limiting the spread of the virus so far.

Of course.... in the event of a worldwide infectious disease pandemic, the #1 survival trait to have, would be a unique biology, and (by pure luck) resistance to the infection....

Comment Re:The magical scenario is "gradual social decay." (Score 1) 737

In an apocalypse scenario... those libraries might all burn to the ground, or be targeted by insurgents for book burning, so the information could still be lost. How many redundant copies of the information are available to educated people but protected and adequately vaulted against both natural disaster and human sabotage?

Comment Re:It is a Hobby (Score 1) 218

This is solely for the IRS's purposes, to ensure that you cannot subtract losses related to your non-profitable business from your other income or inflows into your business: in other words, the IRS "HOBBY" definition is for the purpose of maximizing government tax revenues.

Other regulators are not beholden to their position. The IRS will also reclassify as non-Hobby when it is in their interests to do so.

Comment Re:"It's Not a Tumor" - Oh Wait, It Is (Score 1) 301

Correct. If your organization engages GeoTrust with that service, then you can set up a certificate authority within your own organization chained to their certificate.

However, you have to follow rules that are even more restrictive than what a CA has to follow with their root certificate, and you have to be audited like a CA.

This is very expensive, and it is not immediately clear what organizations would be willing to go through the tremendous expense and not take the few additional steps to get on the browser trust lists.

It is certainly not something you will see Mom and Pop firms doing. Perhaps some companies in the top 50 of the Fortune 500.

Comment Re:So you CAN buy a license to speed (Score 1) 325

I do care that we've created a pool of privileged drivers who are no longer receiving any feedback when they engage in higher-risk driving behaviors.

I don't think that's true. If they are driving recklessly, they are still going to get pulled over.

"Go ahead and drive as fast as you want; we'll trust your judgement on that until after your first high-speed collision..." probably isn't a real solid basis for road safety.

No. However.... speeding tickets for drivers apparently going 75 mph in a 70 mph zone are bullshit. There are a large number of tickets that have everything to do with generating revenue for police officers and government, which have absolutely nothing in fact to do with "road safety".

The arbitrariness of "Well.. you gave to these charitable causes" is no more arbitrary than the basis for the speeding ticket in the first place, in many cases.

There are plenty of miscreants engaging in high-risk road behaviors such as tailgating, drunk driving, cutting other drivers off, turning in front of oncoming traffic, slamming on the brakes for no reason, repeatedly swerving around traffic from lane to lane (with high-risk lane changes directly in front of another driver), that manage to never get any tickets, and they don't seem to need special stickers or license plates to get away with it.
