Comment Re:Share and Share Alike (Score 1) 132

In another comment, I posted a link to the talk that the libreSSL people gave on what they're doing. It's not really true that what they come up with won't run on other platforms. They're just removing a ton of "#if defined(OPENVMS) && (! defined(WIN32))" in favor of assuming a POSIX compliant libc. Even WinX now has that.

They're taking the "shim" approach. For example, they have two BSD-only functions: explicit_bzero [will _not_ be optimized away by the compiler--just calls bzero] and arrayalloc [does what calloc does but does _not_ zero the memory].

The BSD calloc/arrayalloc do a precheck for overflow of nmemb * size.

These are easy [trivial] to implement for non BSD systems:
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* call memset through a volatile function pointer so the compiler cannot
   treat the clearing store as dead and drop it */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void
explicit_bzero(void *ptr, size_t len)
{
    memset_ptr(ptr, 0, len);
}

void *
arrayalloc(size_t nmemb, size_t size)
{
    size_t totsize;
    void *ptr;

    /* precheck: nmemb * size wraps iff nmemb > SIZE_MAX / size */
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;   /* blow up: refuse the request instead of wrapping */
        return NULL;
    }
    totsize = nmemb * size;

    ptr = malloc(totsize);

    return ptr;
}
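As an added C example, not the commenter's shim, the overflow precheck described above carried through with a concrete request that wraps: the names mul_would_overflow, wrapped_product, checked_arrayalloc and the demo functions are my own, and the sample sizes are constructed for the demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Precheck from the comment: nmemb * size wraps iff nmemb > SIZE_MAX / size
 * (a zero size can never wrap). Returns 1 if the product would overflow. */
int mul_would_overflow(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* What an unchecked multiplication actually produces: the product modulo
 * 2^(bits in size_t), which is why a huge request can come out tiny. */
size_t wrapped_product(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Checked allocation (hypothetical name): refuses the request instead of
 * handing back a buffer far smaller than the caller believes it got. */
void *checked_arrayalloc(size_t nmemb, size_t size)
{
    if (mul_would_overflow(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(nmemb * size);
}

/* Demonstration with a constructed request that wraps to exactly zero:
 * nmemb = 2^(N-1), size = 2, so the unchecked product is 2^N == 0 mod 2^N.
 * Returns 1 if the checked allocator rejects it. */
int demo_reject_wrapping_request(void)
{
    size_t nmemb = SIZE_MAX / 2 + 1;
    size_t size = 2;
    if (wrapped_product(nmemb, size) != 0)
        return 0;                         /* sanity: this really wraps */
    errno = 0;
    void *p = checked_arrayalloc(nmemb, size);
    return p == NULL && errno == ENOMEM;
}

/* An ordinary request still succeeds. Returns 1 on success. */
int demo_normal_request(void)
{
    void *p = checked_arrayalloc(3, 8);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}
```

The division form of the check is the one that works in plain C89/C99; compilers that provide a checked-multiply builtin can do the same in one call, but the property being tested is identical.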

Comment Re:OpenSSL and what else. (Score 1) 132

The OpenBSD folks forked OpenSSL into LibreSSL. In addition to checking security, they are doing general code cleanup, removing unnecessary/dead code. They did a talk recently about what they've accomplished: https://www.youtube.com/watch?...

IMO [as a programmer of 40+ years (30+ with C)], the programming style of the code is horrible. One of the functions that produced heartbleed is called dtls1_process_heartbeat. For starters, it has one of the worst indenting schemes I've seen and seems to violate most style/best practice guides I've read. It isn't surprising that a bug [security or not] would creep in.

Here's the original commit for the code:
http://git.openssl.org/gitweb/...

Here's the commit for the heartbleed fix:
http://git.openssl.org/gitweb/...

Comment Re:Q: Why Are Scientists Still Using FORTRAN in 20 (Score 1) 634

Well, consider that APL was originally based on an [alternate] mathematical notation developed by Kenneth E Iverson.

BTW, I was writing APL programs in 1972 [and I already knew Fortran] ... The real problem with APL, aside from needing an alternate keyboard, was that the equations were so dense that proper commenting was difficult. And, if you did proper commenting, it broke up the equations, defeating the purpose ...

Comment Re:There's no financial incentive to play fair (Score 1) 123

The incentive the FCC should be providing is to adopt the European model for the "last mile" [cable]. If Comcast/Verizon can't keep up, any ISP could come in [into the CO literally] and connect directly to the consumer. Thus, ISP's are incentivized to provide good service or somebody else will [and the incumbents lose the customer].

Comment Re:NSA: Massively irresponsible/incompetent (Score 1) 50

If you look at NSA's TAO division [or some others], they specialize in looking for such zero days. They have used many zero days that are a lot harder to find/utilize than this one. They have 30,000 people working for them. Even if only 1,000 are looking for zero days full time, this is a lot of manpower to throw at the problem.

Odds are pretty high that the NSA had, indeed, found the bug. But, they decided they had a shiny new toy for their arsenal. They didn't see the bigger picture that this vulnerability would become so widespread (e.g. not just servers, PC's, etc. but also routers, DSL modems, home routers, ...) that it would compromise systems we depend upon (e.g. secure banking, confidential medical records systems, to name but a few). Even if a few spies/terrorists got tripped up by this, the collateral damage count for this makes the "do not disclose" decision to be the wrong choice. With friends like the NSA, who needs saboteurs ...

Some of the FOSS is high quality indeed [I've even written some ;-)]. But, it's either Linux/BSD kernel, or where the code is contributed by paid employees of a given company (e.g. the Linux USB 3.0 driver is first rate, because it was written by a woman at Intel who is their point person for USB 3.0). Other FOSS is written by fresh grads who need/want street cred in order to get their first programming job. And some FOSS gets taken over by a small group with a "vision" [cult] that refuses to take suggestions/criticism, like Gnome 3, and gets train wrecked in the process.

YMMV ...

Comment Re:NSA: Massively irresponsible/incompetent (Score 1) 50

I don't expect all code to be bug free. I'm a programmer with 40+ years experience. I looked at the patch diffs, direct from the upstream repo. The bug was missing a simple bounds check on the length of a payload. Sorry to say, but, the original code, stylistically, was newbie quality. If I had been the reviewer, I would have required that it be cleaned up [not even looking for a vuln]. Doing so might have made the bug easier to see [and may have prevented the bloodshed].

Anybody [like the NSA] that looks for zero-days would/should have found it with a simple code inspection. Compared to a flaw in one of the math algorithms in SSL, this was low hanging fruit indeed.

And ... When the new feature was added, where was the unit test program for it? Consider that on CPAN, the average perl module has some 20-30 acceptance tests that run each time the module gets rebuilt. I add such tests to my code all the time.
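As an added C example (not the commenter's code and not the OpenSSL source), the kind of bounds check the comment says was missing, together with the small acceptance tests it asks for. The record layout here is a hypothetical, simplified one I constructed for the illustration, not the real TLS heartbeat encoding; validate_payload, build_echo and the demo functions are my own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout for this illustration: byte 0 = type,
 * bytes 1..2 = declared payload length (big-endian), then the payload. */
#define HDR_LEN 3

/* The check: the declared payload length must fit inside the bytes that
 * actually arrived. Returns 0 on success, -1 when the record is shorter than
 * a header or the declared length runs past the end of the record. */
int validate_payload(const uint8_t *rec, size_t rec_len, size_t *payload_len)
{
    if (rec_len < HDR_LEN)
        return -1;                       /* not even a full header */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > rec_len - HDR_LEN)
        return -1;                       /* peer's length field is a lie */
    *payload_len = declared;
    return 0;
}

/* Build an echo response containing only validated payload bytes.
 * Returns the response length, or -1 if the record or the output buffer is
 * unusable. Without validate_payload the memcpy would read past rec. */
long build_echo(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    size_t plen;
    if (validate_payload(rec, rec_len, &plen) != 0)
        return -1;
    if (out_len < HDR_LEN + plen)
        return -1;                       /* the response must fit as well */
    memcpy(out, rec, HDR_LEN);           /* echo type and length field */
    memcpy(out + HDR_LEN, rec + HDR_LEN, plen);
    return (long)(HDR_LEN + plen);
}

/* Constructed sample records standing in for unit tests of the new code. */
int demo_honest_record(void)
{
    const uint8_t rec[] = { 1, 0x00, 0x04, 'a', 'b', 'c', 'd' }; /* says 4, has 4 */
    uint8_t out[16];
    return build_echo(rec, sizeof rec, out, sizeof out) == 7
        && memcmp(out, rec, 7) == 0;
}

int demo_lying_record(void)
{
    const uint8_t rec[] = { 1, 0xFF, 0xFF, 'a', 'b', 'c', 'd' }; /* says 65535, has 4 */
    uint8_t out[16];
    return build_echo(rec, sizeof rec, out, sizeof out) == -1;
}

int demo_truncated_record(void)
{
    const uint8_t rec[] = { 1, 0x00 };   /* header cut short */
    uint8_t out[16];
    return build_echo(rec, sizeof rec, out, sizeof out) == -1;
}
```

The three demo records are the minimum a reviewer would ask to see checked in: one well-formed message, one whose length field exceeds what was received, and one shorter than its own header.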

Comment NSA: Massively irresponsible/incompetent (Score 2) 50

Incompetent if they didn't find heartbleed [they are supposed to protect our infrastructure].

And massively irresponsible if they knew and didn't disclose it.

The overall damage is 1,000,000 times whatever the NSA might have gained as a penetration weapon in the arsenal. If they knew and didn't disclose, this is tantamount to doing more damage to U.S. [and world] interests than any cyber-criminal/terrorist/nation-state the NSA might hope to catch.

Comment Re:Now the next step... (Score 1) 143

It's not BS.

The USPTO lowered its standards [at the behest of Congress] to reduce its backlog. If an application is denied, it can be refiled [many times]. The only way to truly clear it is to approve it [and toss it into the court system]:
http://www.techdirt.com/blog/i...

$10,000 times 20 is a trivial amount [on a corporate level] compared to an NRE budget for a legit R&D outfit. There seems to be plenty of [unscrupulous] VC money to back such refilings to get something that can be used to [patent] troll others. The first round funding for even a small startup [post angel round] is minimally $10M. This translates into 1,000 refilings.

Comment Strength test (Score 1) 374

According to a strength test, the password has only 49 bits of entropy, so it's surprising GCHQ couldn't crack it:

        < 28 bits = Very Weak; might keep out family members
        28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
        36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
        60 - 127 bits = Strong; can be good for guarding financial information
        128+ bits = Very Strong; often overkill

The checker had been posted on slashdot a while back [IIRC]:
http://rumkin.com/tools/password/passchk.php

Comment Some fixtures need incandescent (Score 1) 767

While I've been using 90% CFL's for ten years, I have one fixture in the ceiling of a walk-in closet that needs an incandescent.

The bulb is inverted and is completely covered/enclosed. Can't use a CFL there [overheats the transformer]. Nor a halogen [too hot](?). Don't know about LED's or "high efficiency" incandescents, but the heat dissipation problem seems to be a factor. Can't change the fixture since I'm renting [and the landlord would be loath to retrofit hundreds of units]. So, I don't have a ready replacement for my one remaining incandescent, so I stocked up on Jan 31. Prematurely, it seems.

While I like CFL's it seems most people don't. Particularly those families that have [small] children, since a broken CFL releases mercury, which is toxic. Also, I prefer the lumen output of a 100 watt equiv (27 watt CFL). Ultimately, I think LED's will be the long term solution. I did buy an LED just to try it, but the brightest I've found is barely the 60 watt equivalent.

This was one of the few cases where the regulation outpaced the technology.
