Comment Re:Go after the people who write the software (Score 1) 45

There should be no analogies, as comparing software to the real world means you're profoundly ignorant to begin with.

Software is real. It's part of the world. Same as the internet - it isn't a "cyberspace", it's people sitting at keyboards, and servers in real places, with actual cables between. And laws apply to those people, servers, cables, and software. And analogies apply equally well and equally badly between software and the rest of the world as they do between other parts of the rest of the world. Some analogies are useful, some less so. Just because it's "software" doesn't make it, and the processes that produce it, magically immune to logical, ethical, and legal analysis.

Comment Re:Original premise is false (Score 1) 582

I was probably over-optimistic when I said "finding bugs like this is easy to automate". What this would probably need is runtime access checking turned on, and a test case that has mismatched lengths. The latter would require the tester to implement what I call C4 tests, or "comprehensive corner case coverage".

Comment Re:Original premise is false (Score 1) 582

Not true. Writing code is very hard to automate. Finding bugs like this is easy to automate. In fact, the OpenSSL team specifically turned off all the memory overrun checks on all platforms, because some platforms have performance problems with them. So, the automated checks should have spotted this problem (at run time, rather than compile time, but there are other tools for that), but they were turned off.

Comment Re:Bloody Idiot (Score 1) 588

I watched that Penn and Teller piece with the glass wall, and although it's entertaining, it's statistically misleading, which is unforgivable in that context.

They knocked over a single pin and said that that was representative of any potential link with autism. They then went on to throw balls to represent all the different diseases that vaccines protect against. But the "cost" of all vaccines was only counted once. The "benefit" of vaccine protection was counted dozens of times.

The implication is that that one pin being knocked over is the only thing that can happen for all of the vaccines against the diseases that they mentioned. Maybe that is statistically representative, I'd like to know. I am pro-vaccine, but I'm also pro-telling-it-straight, which they did not.

Comment Re:The vessel matters (Score 1) 588

If taking faith out of the equation, namely the belief that "all deaths are bad", the picture becomes less clear.

Is culling of the herd necessarily a bad thing for humanity in the long perspective?

Faith is not necessary in order to hold all human life to be precious. As an agnostic-almost-atheist (in that you cannot prove a negative) I am actually rather offended at the suggestion.

Comment Re:Sloppy code (Score 1) 447

If some software that is released has problems, people should point it out. If a development process is flawed, people should point it out. If you work in open source software, specifically in security software, you should be prepared for people to criticize both your code and your development and testing safeguards. Maybe billrp could do better. Maybe (unlikely) I could do better. Maybe a hundred people on Slashdot could do better. But do we really want a hundred different open source SSL implementations all written by unknown people? That would not help the situation at all. Maybe all we need is one competing implementation by a different team with different methods, and maybe enough people saying "OpenSSL is not up to the job" might just inspire someone to build that team.

Free and open criticism is vital in security software. Nobody should ever be told to shut up about this kind of thing.

Comment Re:He's sorry now ... (Score 1) 447

https://www.openssl.org/source...

If you never agreed to that license, you're violating their copyright.

You're only violating their copyright if you distribute it. If I legally acquire a copy of a piece of software, I can use it without agreeing to any other stipulations. Depending on jurisdiction, of course, different legal systems may rule in different ways on that point. And I'm not sure what the jurisdiction that this guy lives in has said about it.

The GPL has a specific clause pointing this out, and it's there because the authors of the GPL believe that they have no authority to prevent you from using their software. I agree with them. It always amuses me when GPL'd software contains a clickthrough insisting that you press an "Agree" button, when the licence specifically says that no such agreement is necessary.

Comment Re:Depends on the dish (Score 1) 285

Same here. I love sweet peppers, which are pretty much zero on the scale if you remove the seeds, and I certainly use more of those than hot peppers, but I like jalapenos as well, and plenty of finely chopped scotch bonnets in a chilli.
