which is already concerning, as fine motor skills are very important, the other sentence in the article that worried me was the mention that kids now have trouble memorizing even simple lines for a play, since they are used to information being easily always available so they aren't putting in the effort of learning it.

As much as easy global information access is great, unless you learn the basics it's quite difficult to make sense of what's available and to have an informed opinion. Just because you have a river of information always available it doesn't help if you can't relate to it, it makes you that much more susceptible to being influenced, because since you are not able to discriminate between quality information and misleading or wrong information, any page/blog/article of somebody with an agenda can just point to "studies" that support their point (no matter how objectively wrong that point is) and it transforms informed discussions into popularity contests.

I don't think it's tinfoil hat time in terms of there being some sort of overall arching conspiracy about this, but it sure is concerning when you have a society like ours where media has many orders of magnitude more funding and impact than academia, I mean, even the word "academia" nowadays is overlaid with negative connotations (at least in North America) rather than the respect it should evoke: these days an actor/model stating an opinion can easily counterbalance hundreds of scientists/academics with fact-based studies.

Before the internet there were just as many crackpot theories around, however they were not presented as if they were the same as science, if you went to the library you wouldn't find in the astronomy section geocentric books shelved together with heliocentric and general relativity ones: now with your browser on the "internet library" you can find professional-looking sites pro/anti everything and without the tools learned in school/university how can you make sense of which is right? especially in cases where the science is counter-intuitive for a particular issue?

The C64 came out in 1982, the Commodore Amiga, and Commodore 128 came out in 1985

6 months after the C64 came out were there already rumblings that the Amiga was on its way? Obviously in a decade where you went from the ZX80 to the 486 there were new computers on a fairly regular basis, but it was really not the same as it is today with yearly PC updates (cpu/video), yearly phones, yearly games, ...

I laughed at the joke, but it is actually true, you can't compare the feeling one got in the early 80s when computers were new and mysterious (and expensive) and they got a C64, the vast majority of things now are commodity, there is going to (predictably) be a new and (slightly) improved model next year or in a couple of years at the most, there is not as much attachment as there used to be.

When the C64 came out, you didn't already know that next July/September the C65 was going to come out, and the year after the C66, etc. you didn't need a credit card to play your C64 games, you didn't need to pay $0.99 every 5 games of Archon or wait 1 day for the 'crystal' to 'recharge', most games were not thinly veiled attempts to nickle and dime you to death. You didn't have Archon 1983 knowing that Archon 1984 was going to come out next year with slightly reskinned pieces, and Archon 1985 the year after that with maybe a rule tweak or two.

In order to have nostalgia you need a unique time to think about, and nowadays electronics (and increasingly games) are anything but unique: there is no money in fostering feelings of attachment to what you bought, the money is to make you want to get rid of it and get a 'better' model basically as soon as you got home from the store.

and btw, funding is good, but funding does not buy you a good software development process: for that you need to actually focus on finding a good process first, and use the funding to achieve what you are planning without forgetting that if it's a critical piece of infrastructure nowadays it will be attacked by adversaries with much larger pockets than yours no matter how large yours are, so the process has to take into account that any development is done in a completely hostile environment, where a-priori you cannot trust ANYTHING, you can't trust your compiler, you can't trust your system libraries, you can't trust your fellow developers and you can't trust the repository you are using.

How do you deal with this? That is definitely a question you would need some of that funding to answer correctly, but it probably would include a lot of redundancy and testing: the advantage of the OSS model is that you can actually do this out in the open where everybody can see what you are doing and vet it every step of the way (a lot of those eyes are unskilled in your particular domain, but still it's a lot better than not having those eyes available at all).

this does not have anything to do with open source and all to do with the software development process (or lack of) used here: something like this could've happened in a closed source library just as easily, the only difference would be that rather than source analysis you'd have used other tools to find the vulnerability: if a new addition to a protocol comes in and you have bad intentions of course the first thing you do is to see what happens if you feed it invalid data, if you did that here you'd have found this extremely quickly (and probably faster than if you were trying to do source analysis).

The main issue here is that you should not be able to commit anything to something like OpenSSL with only one reviewer looking at it, period. The secondary issue is that for anything this important there should be a LOT of unit tests for everything and that absolutely everything everywhere should be tested with invalid input to make sure the library is solid: QA-ing a crypto library is a job as important as writing it in the first place and should be funded just as much, there unfortunately does seem to be a bias against QA being as important as development among developers, until this bias is removed this kind of issue will keep happening.

QA and development are two faces of the same coin for critical software, some people are better at writing something, others at finding issues with things other people developed: there should be no stigma for people preferring focusing more on QA, but in a lot of companies QA is seen as much less prestigious than development and the first thing to outsource, which leads to substandard testing, which creates more problems (because the tests are not good but give you the false impression that your software is ok).

that is the typical OSS strawman, if you don't like it why don't you do it? if you are complaining, are you volunteering? if not you are not allowed.

We are not talking here of a random OSS project, I have contributed to some of those over the years in my off hours when I feel like working into some other environment than what I do at work, we are talking about a library that most of the internet depends on for security: do you really think it should be volunteers that should be working on it? don't you think that Google, Amazon, ebay, paypal, and all the major world banks could take 0.0001% of their profits and put together a fund to hire competent people to do this full time? and not just security researchers, project managers, QA, technical writers, etc.

OpenSSL/GnuTLS/... development is not something to be done in off hours, at off times in your company when you don't have other projects to do, it has to be done as your primary job description with no rush, no pressure, just making sure that things are done right and stay done right, with a proper process, proper QA and proper project management.

I have many years of defensive C development under my belt, I especially love passwords and associated issues, I have worked with crypto software before, but it's not something that I would want to risk doing at night when I am tired after a day at my "real job" and my brain is not at 100% efficency, hence why "I am not volunteering I see".

this is what I was getting at above when I was talking about how any time there is any criticism of the US its inhabitants will often respond with "we are doing the best we can" or "if you don't like it here leave" or "it's better here than in a 3rd world country" or "since you don't live here you are not allowed to comment" etc. the vast majority of people are glad to be born where they were, if you removed economic incentives very, very few people would emigrate and leave behind their family, friends and memories: I have left my country many years back, and not a day goes by I don't miss it and wish I could go back, even after having made for myself a life here in North America now with new friends and so on it still is not the same. Most people from every country feel the same way, we all love our country of birth, and that despite all its warts and problems it's still the best place to be, it's just basic human nature.

This said just because in my opinion the US is on a wrong path from a societal standpoint and its priorities are not serving the majority of is citizens well, I don't think that the US is a horrible place to live like some truly bad places on our planet, having seen first hand how some people live in slums in the 3rd world even the worst place in the US cannot compare. This said to me the situation is akin to "living off the table scraps of the kings sitting on the floor under the table in the warm castle is better than being starving to death outside in the cold", of course it is better, but is it really all that should be aspired to?

You don't think that at the end of WW2 the US did not have over 10x the resources per-capita of, say, Austria? In 1945 the US had 150 million inhabitants, Austria had 7 million, the US is 10 million square km, Austra is 83000 square km, this makes it so the pop density for them in 1945 was 15/sqkm vs 85/sqkm so even if Austria and the US had the same amount of natural resources per sqkm in their country, the US would have had already nearly 6 times as many on a per-capita basis.

Now, I don't want to spend quite some time researching hard data, but I think you will agree that the natural resources available in the US (in terms of arable land, minerals, metals, oil, coal, ...) are much larger in abundance: I don't remember ever reading about Austria as a net oil/coal/food exporter for example... Austria's industry after WW2 was not exactly in great shape either.

Now look at available data about education, schooling, life expectancy, and general quality of life among the two countries: do you think the US is doing as good a job as it could be? by a long shot? The US was on a trajectory where it could definitely have become the greatest country in the world on all metrics, but it seems all the tremendous energy generated in the 50s-60s and to a certain extent 70s was harnessed towards making the powerful as powerful as possible, and the rich as rich as possible, as opposed to making society as livable for everybody as possible.

The great tragedy is that this trajectory change was sold, and is still being sold, as somehow good for the country as a whole while if you, for example, look at the recently proposed republican budget, with all its cuts to social programs, cuts to taxes for rich individuals and increases in military expenditures without a partisan hat on, it seems pretty obvious it is only good for the few and very, very bad for the many: but this issue is of course framed in a "us vs them" "job creators vs moochers" "socialists vs americans" metaphors and so half the country would still vote for it if they could, when a country's population is not given the tools they need to develop critical thinking and instead is taught that opinions and beliefs should carry the same weight as scientific theories and facts, it is a lot easier to sway with emotional pleas as opposed to reasoned arguments.

do you think that a country like the US with the vast, vast, vast natural resources it contains, its economic power, and the amount of extremely bright people that call it their home should not have 10x the standard of living of a small country in Europe with next to no natural resources, much fewer inhabitants, and an industry that was basically razed to the ground a generation ago?

If US society was geared towards making life as good as possible for everybody I am sure by now everybody would be on basic income with free healthcare (especially mental health, which is sorely underfunded right now) and education. People could be free to do what they wanted to do with their life without having to worry about becoming destitute, not being able to eat or have shelter. Of course some people would take advantage of that and live a life of videogames and idleness, but is that reason enough not to provide society at large the option of not being chained to a for-profit job if their don't want to? basic income would be just that, basic, a grocery allowance, a rent allowance for some sort of "government housing" apartment, a very minimal allowance for extras, that's it, if you want more you can always get a job just like now, it's just that if you don't have a job rather than ending up on the street you'll at least be taken care of.

Wouldn't society as a whole be improved by its citizens being able to do what they want instead of what they need to survive? In the end idle pursuits are hollow pleasures, and sooner or later people will tire of them, the vast, vast majority of people are happiest when they feel they are contributing to their well being and to society at large, and the most rewarding form of contribution is to feel you are doing a good job, whatever the "good job" is according to your inclination: some people like to build furniture, others to code, others to cook, etc.

In my opinion the majority of people would still work full time to have a better standards of living, and jobs would eventually have their pay rise based on the willingness of people to do them as opposed to how desperate people are to find one: if a job is rewarding and enjoyable it should pay a lot less than one that isn't, being a professional golf player is a lot more fun than being a dishwasher at a restaurant, why should it also be paying 100x more? just because if you are a pro golfer you can sell more stuff to people that they don't need so the corporations that produce it make more money? how does that help society as a whole?

If this meant that eating out would cost $500 because the line staff had to be paid $50/hour to work there and there would be very few restaurants less, well, that's what will happen: or is being able to go out to eat whenever you want (because you are lucky you have the skills to be in a high paying job) worth having a lot of people working at those restaurants be paid under poverty-level wages and have to have two jobs which makes it impossible for them to improve their situation?

Why does your genetic luck in terms of your hand-eye coordination and your luck in being born to the right parents at the right time have to make it so that you will have an amazingly easier life than somebody who due to a small genetic abnormality was born blind? how fair is that? and how fair a society is that idolizes the former and tries to remove as much help as possible from the latter because somebody somewhere might be "taking advantage of government handouts"? always with the focus towards the few that take advantage of things vs the may that would benefit from them?

This is getting way out of topic, but when you see decisions by the supreme court that corporations are people (who can't be put in jail, though, if a corp does something bad often the worst thing that happens is the CEO leaves with their golden parachute and then it's business as usual) and money is free speech (money that is not accountable, however, where "hate speech" in the form of attack ads is considered totally ok) it's hard to believe the US is as great a nation as it could be if its priorities were different.

If you have that few settlers come into a continent as large, virgin and as rich as North America (compared to tiny European countries that had been exploited for millennia in most cases, with very few natural resources) it seems to me that the US standards of living should've been 10x what the rest of the world had, if you take into account that Europe suffered through two world wars on its soil (where the second one especially nearly destroyed it industrially for many years) the US standards of living should've been more like 50x higher for several decades afterwards.

By any metric you can think of unfortunately I don't see life in the US being 10x better than in the rest of the developed first world for the average person (life expectancy, happiness, schooling, health, ...), I mean, as far as you can find out the majority of personal bankruptcies in the US is due to medical expenses, where in the rest of the world getting sick does not automatically mean losing all you've worked for in your life.

Nowadays with the whole 'money = free speech' it seems the table is tilting even more towards large class disparities in the population, and a much bigger division by the haves and have nots. Despite this perversely, due to endless straw-manning by interested parties, a lot of people appear, from the outside at least, to vote for politicians that are actively out to make their life worse: it is of course quite hard to develop an informed opinion when large amounts of money, advertising and content are funneled towards muddying any issue and transforming it into either a partisan dilemma or a who-do-you-like-most uninformed decision.

The general culture of the land also seems to have an extremely strong sense of being defensive any time the country is criticized in any way shape or form, in all countries I've lived in or visited there is not as much animosity when it comes to recognizing their nation's shortfalls: ask any European in several countries, say, about bureaucracy or lack of competitiveness or the impossibility to fire people etc. etc. and you'll never hear the end of it, ask any American about health care (unless of course the ones that have gone bankrupt) and you will just get partisan talking points, these days usually about Obamacare.

The cult of "rugged individualism" that seems to permeate American society is good for some things (very low barriers to starting a business, for example, a feeling of personal responsibility, etc.) but unless it's tempered by some sort of "compassionate government" it is not conducive to having a harmonious society where yes, there are still differences in social status, but they are not as extreme, and there is no risk of anybody in one of the wealthiest nations in the world ending up destitute because their genetic luck ran out and they were in an accident or became sick with an expensive-to-treat condition.

The US might be great from a military power standpoint, no doubts about that, and from a 'can-do attitude' as well, but society should be about a lot more than who has the most money, who can make more money, it's should not be a competition, as much as the gospel in the US seems to be that we are all born equal we really aren't: our parents' social situations are different, our genes are different, many of us have disabilities, everybody should not be held to the same standard in a win-or-die kind of situation.

People should stop thinking "I don't care if by doing X to prevent 'abuse' by that moocher society will be worse for everybody, as long as there are no 'moochers' it's totally fine if everybody is in misery but the really lucky ones", but the odds of that happening are pretty low, when interested parties will do their best to frame all policy decisions in a "you're against the 'moochers' or you are a 'moocher' yourself".

The best country in the world would be a country where everybody has the opportunity to excel, and nobody runs the risk of failing due to its inbuilt safety nets, the US could certainly afford this if there was the will to make it so, now that would be American Exceptionalism I would gladly stand behind.

... so much of the internet depends on for security just one reviewer for a commit seems way way way too little, honestly checking anything into openssl (or gnutls) should be at least a 4-step approval process (submitter -> mantainer for that area -> overall library mantainer -> security officer), for any code that includes buffers/malloc especially if related to user supplied data the final security review should be a panel.

Everybody makes mistakes, everybody can have a 'brown paper bag' coding moment (especially around Christmas/New Year's like it happened in this case), 2 people having a 'brown paper bag' moment at the same time around the holidays is definitely not that unlikely, for something as important as a crypto library on which so many things depend a single reviewer is just not enough.

I do feel for the original developer, and hope that he won't suffer more about this than he already is (any developer worth their salt feels quite bad about bugs they introduce, let alone if they lead to this many problems), we've all made coding mistakes, no matter how experienced we are, so the focus should not be on "who" but more on "what kind of process can we introduce so this does not happen again".

Moving away from C in my opinion would just be a band-aid, other languages don't expose you to this particular bug, that's fine, however for security software choosing a vetting process for what goes in the codebase is a lot more important than choosing what language it's written in, not to mention that it's not that "hard" to write "secure C" especially if one leans on all the various available tools/libraries and writes proper unit tests, in this case for example had the malloc decision not been influenced by performance reasons (on unspecified platforms) this would not have been as big of a deal as it was.

it is a generally well regarded and vetted package that supports a fairly rich set of cryptography tasks out of the box.

I would see that as a drawback for using it in webservers: if I am writing something internet-facing I want to use the smallest and simplest possible library that does the job, maybe it would be time to fork openssl into openssl-core / openssl-extras and have openssl-core have only the most minimal set of functionality related to securing connections and that's it? I would honestly also only support a few platforms for -core to simplify the code analysis even more (the more ifdefs, the more possible issues)

say, for example, cut the rope 2, which was not free but where you had to use consumable powerups to get certain items in the levels (the "clovers") in order to unlock some levels, only after a major outcry the developer changed it so you could get access to the extra levels if you got 3 stars on all the others. You also get a 'daily gift' (usually a powerup or two) just so you are semi-forced to check in every day, and there are also other obnoxious mechanics so as soon as you spend a little bit of time thinking about a level the "level solution" powerup starts blinking annoyingly. And this is on a non-free game!

I had insta-bought all previous cut the rope games pretty much and 3 starred most of the levels in all of them (great mechanics, om nom is cute) and I had gotten a lot of my friends into them, but I have honestly given up in disgust with cut the rope 2 (only gone through 1-2 worlds) and will not give the developer a dime for "powerups" or any further games they will release.

In terms of "pure" f2p I am actually enjoying hearthstone, I had never played a card game before but it is definitely fun (after you lose enough games to get matched up with similar "f2p" opponents without tons of rares/legendaries), it took me losing about 15-20 games in a row before I ended up at a level where I more or less win 50-60% of the time and my opponents also only have "standard" cards. I figure blizzard is losing money on me as a player, but I figure the wow subscription I have been paying for many years more than covers this (if at all I think Blizzard should give a free card pack every month to WoW subscribers as a random gift, if it was retroactive it'd be even better ;) )

you would use the HSM (or a usb key on a trusted computer with your passwords, for lower security scenarios, say, where you have a colo and/or don't want to buy an hsm) to 'prime' the system to avoid having the issue where you either have to leak a little bit of info or you don't know for sure if the first few users' passwords are correct or not right after a reboot, as part of the reboot process you would log in in turn with all these known usernames/passwords in order to get the system up to an initialized state so it can validate 'real' users properly.

why would you need multiple people assigned to this job? seems to me if you are really concerned you could 'prime' this system by using an attached HSM with however many random accounts/passwords you'd like to be logged in at bootup: outside of somebody physically breaking into your server room and stealing your keycard it would seem quite secure to me...