Comment Re:But (Score 1) 93

I like to wear watches. Recently lost my watch, Frownie face. But I don't want to get a new one because I'm holding out for an iwatch later this year. In the meantime, my wrist feels naked! I just hope the iwatch is sub $400.

I hope in the Apple tradition it is $666, and when you lose it like you lost your other ultra-losable hardware you make a Frownie face so hard it freezes that way.

Comment Osborne 1 (Score 1) 702

I still have a working Osborne 1 and use it almost every day. That's over three decades of service. My CP/M 2.2 disks are toast, so I've replaced the OS with one of my own design for use in my hobby home automation projects. The 300 baud modem died, so I use its RS-232 (serial) port with an IR LED and resistor across DTR to do IO with my home theatre system. The IEEE-488 (parallel) port is used for multiple sensor IOs and a sanitized COM link to my Linux server network, which can route IR messages around the rest of the home.

It's more of an "antique" retro conversation piece, but I'm a practical guy and find collectables such as this 1st widespread "portable" PC to be far more interesting when in use; rather than collecting dust and only being the subject of tech war stories, others can witness the power of its simplicity and appreciate the workhorse in action. When I press the button on my remote or smart-phone app, visitors' (esp. kids') heads are turned by the 5 1/4 inch drive access sounds as the proper code translation table is loaded into the 64KB RAM and colored debugging LEDs on its exposed bread boards blink while status messages flicker to life scrolling up the 54x24 character green monochrome display, then lights dim and a projector screen lowers, and various set-top boxes have their inputs configured. Kids will spend hours "watching TV" just changing the channels and active devices while actually paying attention to the old Osborne One doing its duty. I consider it sort of like an 80's version of steam-punk -- my take on "cyber-punk". Sometimes I'll show the older kids how to manually command systems by making and breaking circuits with a paperclip on the breadboard to do IO. The resulting stream of "how"s and "why"s is fully expected; this setup was socially engineered to lead hapless inquisitors away from the mind-numbing TV and out to tinker with the brain boosting electronics and robotics projects in the garage.

I have some replacement parts from its dead brothers and sisters, but it too will eventually bite the dust and be replaced with other hardware. I really miss parallel ports. Even kids can do IO by hand on the old interface instead of running everything through a more complex serialization protocol; building a USB interface just to get back bit-mapped parallel IO is just silly. Thus, old beige boxes and custom DOS programs are still my favourite for intro to software / hardware & robotics, even more so than single board or embedded systems like Raspberry Pi or Arduino and its clunky expansion ports -- for want of a simple Parallel Interface... I mean, you can use a bit or byte pattern of a parallel interface as an "escape code" to signal a mode switch, and with a few transistors you can have as many "expansion cards" to program as you want. When I'm teaching how stuff works, I don't want things like this abstracted away and hidden behind proprietary hardware and software interfaces.

Remember the Three R's: Reduce, Reuse and Recycle. Reusing old hardware should be attempted before recycling. Experiencing the magic blue smoke escaping from an old main board, ISA / PCI card, etc. is an important part of learning electronics projects. Having to redo their work teaches folks to be more careful even if the parts are otherwise "worthless junk". Making interesting and/or useful things out of a "Trash 80" is seen by youngsters as more impressive than using purpose built devices designed to facilitate the project. If they make it past the Cyber-Junkyard Frankenstein stage, only then do they move up to working on more expensive single board systems and full featured robotics systems, bypassing the Raspberry Pi and Arduino stage altogether (and foisting some of my old junk into other unsuspecting tinkerers' garages).

The Osborne 1 is great for operating your whole home AV gear. Bugfixing custom hardware and Z80 instructions exercises one's memory and maintains neuro-plasticity -- it can even cause kids to favor educational programming instead of that obnoxious crap on TV nowadays.

Comment iPhone 4 Meets Washing Machine (Score 1) 702

My daughter forgot her iPhone 4 in a pocket while doing laundry (commercial-sized front loader in an apartment building). The door locks when you start these. She panicked when she realized (like all teenagers do when they are without their device for 10 seconds) that she didn't have it and that it was probably in the wash.

No amount of convincing could get that machine to stop or open up, so she sat there crying for the entire wash cycle (I could only imagine what the accelerometer was doing during the spin cycle). When it stopped and unlocked she retrieved the phone and it was fine. Still works today two years later. I suspect the iPhone 4 will go down in history as being a really solid device, although with 10s of millions of them I'm sure there are lots of stories to the contrary.

Comment Re:HP 15C calculator (Score 2) 702

Thanks for posting this. I had a 15C which I gave to a friend when I got a 28S. The 28S is still on my desk and still works brilliantly. Both calculators are my favourites. The 28S takes "N" batteries which were for "cameras" when cameras still had film in them. So they are getting a little harder to find. It takes a few years for them to die, but I'm starting to stockpile them anyway.

I'm guessing the button cells for the 15C are a little easier to find.

Comment Re:WTF? (Score 1) 188

Absolutely.

But we were talking about mitigating measures. That is almost never patch and recompile; it's things like turning off a service, changing the firewall rules, moving servers into a different network - things that are very much within the duties of the sysadmin (with proper clearance and risk acceptance by management, etc. etc.).

Basically, if you have a bug that makes your internal network open to the world, but you can avoid it by disabling feature X in the config file, and your company doesn't require feature X, then that's something the sysadmin can do, and he can do it right now, while the vendor is working on a patch.

Comment Re:WTF? (Score 1) 188

The thing is that the manufacturer must not be the one to set the time they get to fix this

I agree on that 100%

most people are not able to do anything without patch.

That depends a lot on the particular problem. In many cases, there are mitigating measures that can be taken until a patch is available, and I'd argue strongly that the people affected should make the call on that, not you or I or anyone else.

By withholding information, you are making decisions for other people. But you are not in a position to make that call, because you are not the one who suffers the consequences.

I advocate for giving everyone all the information so they all can act according to their needs and abilities. I argue for letting people make their own decisions.

Comment Re:Not that good (Score 1) 188

I didn't see it's the thousands of eyes that fanatics claim.

I'm simply saying that if your source code is open, your number of eyes on the project is (dev team) + (people looking at it) while for a closed source project the number is (dev team).

Since "people" cannot be negative, by necessity (dev team) + (other people) >= (dev team)

How does that guarantee that more experts will review a given piece of security code than in a proprietary, closed-source, locked-up development organisation that also has mandatory code reviews?

It doesn't.

It does guarantee that the number of reviewers is equal to or higher, provided everything else is equal.

Comment Re:WTF? (Score 1) 188

Yes, this argument is being made a million times and it doesn't prove anything, because it rests on so many assumptions that may or may not be true that its total truth value is about as good as tossing a coin.

The two most important:

First, you assume that the official patch is the only thing that can be done. In many, many cases there are other (temporary) measures that can be taken to mitigate a problem or limit its impact. Who are you to decide for everyone on the planet with their different needs and scenarios which is better?

Second, you assume that there are thousands of hackers who didn't know about it. Yes, it is likely that the number of bad guys knowing about the problem was less than 100% before the announcement. But any real professional doesn't care about the number of hackers; he cares about risk, which is number multiplied by impact. If the people who are the worst danger to my business and are most likely to target me already have the exploit, I don't give a fuck about a thousand random script kiddies also getting it.

Comment Re:WTF? (Score 1) 188

So are you going to take your server offline until there is a patch?

Depends, but yes for many non-essential services, that is indeed an option. Imagine your actual web service doesn't use SSL, but your admin backend does. It's used only by employees on the road, because internal employees access it through the internal network.

Sure you can turn that off for a week. It's a bit of trouble, but much better than leaking all your data.

Or if it's not about your web service, but about that SSL-secured VPN access to your external network? If you can live without home office for a week, you can turn that off and wait for the patch, yes.

Most importantly, who are you to decide that everyone should wait for a patch instead of giving people the opportunity to deploy such mitigating measures?

I think giving the software vendor 2 weeks to fix the bug (...) is reasonable

People don't learn.

We used to do that.

Full disclosure evolved primarily as a countermeasure because vendors took those grace periods not as a "we need to get this fixed in that time", but as a "cool, we can sit on our arses doing nothing for another two weeks".

Comment Re:WTF? (Score 1) 188

As usual, the answer lies somewhere between extremes.

My preferred choice of being left alone or being beaten to a pulp is being left alone, not some compromise in the middle, thank you. Just because there are two opposing positions doesn't mean that the answer lies in the middle.

I've given more extensive reasoning elsewhere, but it boils down to proponents of "responsible disclosure" conveniently forgetting to consider that every delay also helps those bad guys who are in possession of the exploit. Not only can they use it for longer, they can also use it for longer against targets who don't know they are vulnerable.

Many, many companies run non-essential services that they would not hesitate to shut down for a few days if they knew that there's an exploit that endangers their internal systems. Other companies could deploy mitigating measures while waiting for the patch.

Don't pretend sysadmins are powerlessly waiting with big eyes for the almighty vendor to issue a patch.

Comment Re:"the underground" (Score 1) 188

That is true. However, you also need to take a few other things into account. I'll not go into detail, I think everyone has enough knowledge and imagination to fill in the blanks:

  • There is an actual black market for exploits where they are bought and sold.
  • Not announcing a weakness withholds the information not just from the bad guys, but also from sysadmins, preventing mitigating measures and proper risk awareness.
  • We have over 20 years of history proving that vendors regularly move slower or not at all until a weakness is making headlines.
  • There have been many cases where several researchers had partial information about an exploit, and only once combined was the true impact known. For example, one researcher might know about the problem and how to exploit it, but think it can't be leveraged to a compromise. Another might know about the potential compromise, but think it can't be triggered in a real-world scenario.

Despite all the theoretical arguments seemingly in favour, security through obscurity does not work and we've known that for like forever.

Comment Re:I'd seriously think about a dedicated router (Score 1) 104

Ummm, if you bothered more than a cursory glance at my thing you'd notice I AM advocating open solutions. Monowall is FreeBSD, with some mods and a nice WebUI stuck on it for configuration. EdgeOS, that runs on the ERL, is a fork of Vyatta, which is a fork/mod of Debian.

Both are open solutions but both are under active development and support by a team. Hence I'm a pretty big fan. Monowall was last updated in January, and they still support their legacy version for old hardware like WRAP systems, and their new version for more powerful systems. EdgeOS was updated in March, and they have an alpha for the next version going you can opt in to.

On the other hand the OSS firmwares are half-abandoned it seems. When I Google for Tomato I get a page that talks about it as a WRT54G firmware and looks like it hasn't seen updates in 5-8 years. Further down there's a "Tomato USB" mod on it that was updated in 2010 and still runs on 2.6.

This sort of thing does not engender trust in long term viability or freedom from bugs/exploits.

Also there's the issue that some of us have high speed needs. My Internet connection is 150/20mbps. So I need something that can support that. Triple stream N is pretty much the minimum (dual stream N maybe can in ideal cases) and AC is a better choice. Also the "router" part of the router needs to be able to keep up with that kind of speed, even when I've set up my firewall rules and such.

Finally, you seem to confuse reliability with swappability. Sure, you can have a whole host of cheapass old routers and if one dies, put in a new one. However, that is hard to do when you need more powerful, and thus expensive, hardware, and it isn't reliability anyway; that is just having extras. I'd rather just have something that has fewer issues, that works for years on end with no problems, and not have to mess with it. That's what you get with something like a monowall box.

Also, like I said, one component may need replacing before others. My Edgerouter Lite will last me a long time, unless it breaks, since it can handle around gigabit speeds with the setup I have (I've tested it). However, if I get much faster Internet, I'll need a new cable modem, since mine is only 8x4 stream, and to go much above where I'm at you usually want 16 streams down. Likewise, my WAP is likely to get replaced sooner than the ERL, but probably not as soon as the cable modem.

I can have latest tech where I want it, older tech where I don't and it is all good. Also in my experience setups like that are extremely reliable.
