Comment most engineers aren't PEs, not excluding anyone (Score 1) 183

Most engineering graduates aren't PEs - you don't need the credential to work as an engineer. It indicates a certain level of professionalism, so people can choose to hire a PE. Of course in some life-safety situations there might be a regulation saying you can't do X (build a highway bridge) until a PE signs off the design.

It's not like a union where it's illegal to hire people that have identical qualifications. It pretty much just defines the label "Professional Engineer" to mean someone who has passed the test etc. to show they are qualified. If you want to hire an untested engineer, you're free to do so, and most people do exactly that.

* I'm not currently a PE, nor an expert in the field, so I may be mistaken about something in this post and I welcome any corrections.

Comment I'd love to talk to you in more detail (Score 1) 183

I called the Texas licensing board asking how this is supposed to work and the person who answered pretty much said "yeah, you're screwed, unless you've been working as some other type of engineer".

I'd really like to talk to you about just how you went about getting licensed, and under what conditions you'd sign off on someone else. If you're nearby, maybe I can buy you lunch sometime. I can be reached at deepmagicbeginshere AT gmail.

Comment you missed the point (Score 2) 397

If someone burns a gallon of 90% gas, 10% ethanol, they've only burned 0.9 gallons of gas. Yay, less gas burned! That's the win.

However, people don't drive 1 gallon to work, they drive X miles to get to work. Since the blend has lower mpg, more of it is burned on the same trip. For easy math, let's look at a 33 mile trip, in a car that gets 33 mpg on gas. Using 100% gas, that trip will burn 1 gallon of gas. That's a key number:

33 mile trip = 1 gallon of pure gas

With the blend, the mpg will be about 10% lower, or 30 mpg. Therefore, it will take 1.1 gallons of blend to make the trip.

33 mile trip = 1.1 gallons of blend

Let's divide that blend into its components:

33 mile trip = 1 gallon of gas + 0.1 gallon of ethanol

So what have we saved? In the first instance, we burned one gallon of gas. In the second instance, we burned one gallon of gas, plus 0.1 gallon of ethanol. We've saved nothing. We have, however, increased the cost of food by wastefully burning corn that could have been eaten.

Comment and we did, 1,800 years before widespread use (Score 4, Informative) 397

> By your reasoning, we had been using asbestos for 4500 years, so surely if there was something inherently unsafe about it, we would have known about it 4400 years ago.

Asbestos was a curiosity until about 1900, when it started to be used a lot. Pliny wrote about the dangers of it 1800 years earlier, in 80 AD. Other people probably knew about the danger earlier, but Pliny's writings are the oldest we still have available for reading on the subject.

Comment not assumed, the FDA SAID there has been no proble (Score 1) 397

The FDA has in fact said there have been no problems, i.e. the rule is not necessary, but they felt like making some new rules just in case. GP doesn't assume anything - the FDA agrees with his assertion as to the facts. They just feel that they have nothing better to do, so they might as well come up with some new rules. GP believes that new rules need justification.

Comment Re:yes, I've used a Professional Engineer. also a (Score 1) 183

> Yeah, those CPAs auditing Enron did a bang-up job of it, didn't they?

The 100-year-old firm that audited Enron was worth over nine BILLION dollars at the time. It's now worth a few thousand, because nobody will ever hire them. The market executed them.

Compare Sony and their root kit.

Comment which cost Arthur Anderson $9B in market value (Score 1) 183

Arthur Anderson was a 100-year-old brand worth $9.3 billion. Because they violated the public trust, they are now worth about $0. The company still exists, but no one will buy from them.

Sony, on the other hand, is still selling electronics after rooting their customers' computers wholesale. Electronics company does something unethical - they have a PR problem for a few months. CPA does something unethical - the market executed them.

Comment Licensed Software Engineer new in USA. Ethics old (Score 1) 183

Many states in the US now license software engineers because the national organization now has criteria. A problem is that you need sign-off from an existing PE who knows your work, so there is a bootstrapping problem. A new software PE has to be approved by an existing PE, but there are virtually no existing software PEs to approve the first generation.

Of course, it's always been possible to work under the same ethical guidelines voluntarily. More than once I've told a client I won't do something because it would be akin to malpractice.

Comment yes, I've used a Professional Engineer. also a CPA (Score 4, Insightful) 183

Yes, it does, pretty well. I've used a PE (Professional Engineer) for exactly that reason - they "sell" trustworthiness, objectivity. The person I bought my house from and I paid the PE precisely because we know they sell the truth, rather than telling either of us what we want to hear.

That's the same thing CPAs sell - the market pays PricewaterhouseCoopers to find the truth, rather than skewing things.

Comment you seem to be good at ignoring evidence (Score 1) 115

You obviously know what you're talking about; you are very good at ignoring evidence. For example, just recently in Egypt, archeologists discovered Egyptian documents several thousand years old. These ancient Egyptian records show the pharaoh's army chasing the Jews out of Egypt after the Jews' worship of a false god brought great suffering to Egypt - plagues and the like.

The scene by the Egyptians looks strikingly like another account of the Jews' exodus from Egypt, for the same reasons. The only difference is which side is described as the "bad guys". The same story told, described the same way by the opposing parties - you think that might be evidence that they're describing something that actually occurred?

If you've ever played the telephone game, or been alive on earth for more than five years, you know that anything that gets repeated from person to person to person gets distorted along the way. For you to then purposely distort it further in order to claim the event must not have occurred isn't a belief in evidence - it's a pitiful, transparent attempt to protect an obviously very wounded ego.

Comment agreed, openssl should have been notified immediat (Score 1) 188

> OpenSSL should have been near, if not at the top of, the list of groups contacted.

Absolutely. In the case I mentioned where I found the vulnerability, the FIRST contact I made was the development team.

As to the fact that people can't be protected on every site until the updated packages are out, how does that mean they should NOT be protected when possible? Are you sad that it's "unfair" that they are protected on some sites and not others? So you'd like to remedy that by exposing their data ALL the time? Is that more fair, to have all of their data vulnerable instead?

Comment which is guaranteed to be wrong (Score 1) 235

> My point is that there is probably some dollar value at which the cost to find the next vuln would never increase beyond that -- in other words, the Apache web server could never reach a state at which you could not find a new vuln for less than $10 million.

And that's GUARANTEED to be wrong. We know for certain that after all vulnerabilities are found, spending $100,000,000,000,000,000 still won't find another one. We can reason that the last vulnerability may well be either a) very hard to find (not worth it) or b) fairly easy to find (in which case a $1000 bounty is perfect). We can guarantee that at some point infinite resources would be wasted, because there are no more findable vulnerabilities severe enough to be worth finding.

Comment I do it for the cred, for six figure salary. Jail (Score 2) 235

Aside from the obvious ethical reason, I see two reasons more important than the $1,000 to go "white hat" rather than "black hat".
When a potential employer Googles my name, I want them to find my name on CVEs, GitHub commits, etc. - demonstrable proof that I do in fact find and fix real-world issues. I'm working on that. Right now, I'd have to point out my contributions; they aren't easily found via Google. For that, having a company or other organization publicly acknowledge my work is much more valuable than $1,000, if it helps me land a great job.

On the other hand, selling it on the black market could put me in federal prison. If the good guys offer me $1,000 plus a reputation boost, while the bad guys offer me $5,000 plus a possible prison sentence, I think I'll take the good guys' offer. That $1,000 could, in some cases, be enough to pay someone's past-due rent so they don't feel they HAVE to capitalize on it in a bad way.

The other scenario I see is that several times per year I notify a smaller company of some security hole I noticed in passing. I haven't thoroughly probed it, just noticed "gee, it throws an error on O'Doole, it's probably not escaping the input and therefore vulnerable to SQL injection". Sometimes I don't bother to track down the proper person to notify and go notify them. Sometimes, I send an email to the only readily available email address, customer service, and the $8 drone on the other end replies with a form letter wholly inappropriate to the situation, so they obviously don't understand what I told them. In those cases, I'll likely not spend much time trying to find another person at the company. If most companies paid even $100 for a bug bounty, that would make it worth my time to spend a few minutes finding their report form and use it. Heck, at $100 per SQL injection vulnerability I could make a good living finding and reporting those for six hours per day.

Comment Nothing can protect those tax returns, only endang (Score 1) 188

There is no option that's going to protect those tax returns. Telling the bad guys about it will certainly endanger the tax return data, though.
Since many (most?) people use the same or similar password for Facebook as they use for their tax service, protecting Facebook traffic actually protects a few tax returns.

What clearly isn't an effective option would be to announce the vulnerability to hundreds of tax-preparer sites before an updated package is available, expecting them to manually (and correctly) patch the code, without leaking the vulnerability so that it becomes widely known to the bad guys.

If you're going to try to protect people in the time between discovery and the fix being widely distributed, you can only do that by keeping it relatively secret, by limiting details to a small number of trusted people. Once you tell a lot of people, you've told a lot of bad guys. There's no need to do that before the updates are available and people can protect their customers.
