Can't tell you how many times I've received the "well if they got this far, it's game over anyway" response, and it's been bullshit every single time. SSL isn't a magic cure-all; it's one of many, many different layers, each of which raise the bar of complexity and difficulty of successful, undetected penetration. Is SSL a super powerful security layer? No, but why take away something that's trivial for you to set up and maintain and which creates additional work for an attacker?

This idea that we should simply give up at some point is absurd. It's the reason you find incidents like the Target breach happen so much (though typically not with that level of impact). It's because beyond a certain point, everyone just throws their hands up and assumes that if somebody got that far, they won. Meanwhile, 20 other countermeasures which would cost nearly nothing to implement are left by the wayside and any one of them just might have been the straw that broke the attackers' back. This mentality needs to stop if we're ever to make progress preventing attacks and limiting the damage done.

Of course SSL isn't anywhere close to bulletproof. Just like a firewall isn't bulletproof. Anti-malware/anti-rootkit applications aren't bulletproof. NIDS/IPS and HIDS aren't bulletproof. All those things together, however, raises the bar for an attacker to successfully locate and exploit a vulnerability and remain undetected. The less of those kinds of things you have in place (and appropriately configured/monitored/alarming/etc), the lower that bar.

My response said nothing of SSL being a magic cure-all. It was a response to the idea that security behind the firewall is unnecessary because firewall.

The 1980s called and would like their "my firewall stops ALLLL the hackerz!" approach to security back.

On the server providing updates to all your Windows systems? Thank goodness you have no authority over my network. All the guys on my team get regular reminders about the importance of defense in depth.

Blahblahblah.

I've studied the science and the "science" behind climate change for 20 years. I've reviewed the publicly available data. I've reviewed the models and their results. I've reviewed the common methodologies behind the statistical smoothing and proxy data collection. I've also studied the arguments raised by those who claim it's impossible or simply untrue.

What I've found is that both sides are filled to the brim with people who understand nothing of scientific rigor. They're filled with people who reached a conclusion as soon as they heard the initial one-liner argument from one side or the other. In the end, the real science underpinning this discussion is in its infancy. We're looking at an incredibly complex system with enormously influential inputs that come and go - some in cycles, some not - and which drastically alter the equation. We're still at the point where we don't know what we don't know. What we do know is that changes are happening and have been happening which have an enormous impact on human civilization and the entire ecosystem. We also know that we've been doing significant environmental damage to some areas.

What we most certainly do not know is how our activities have affected the world's climate. We just don't. We can't model any of it because we don't understand it. There's never been a model that's worked even reasonably well for more than about 3 years and not a one can do historical prediction without an enormous amount of fudging (i.e. "yeah no idea why that data is there, so rather than just ignoring it, we told the model that at this specific point there would be some new factor we called "X" that accounts for the change and then goes away at this other point, so now the model looks better". "Oh, our model just ignored that data and we marked it as bad data").

You see, the problem here isn't that I don't understand science. I do. It isn't that I haven't kept up with the field. I have. That's the problem: I've actually looked at it from both sides, and both sides are fairly full of shit.

It gets worse...

If you go back more than about 35 years, the data becomes so terrible that you have to use ridiculous amounts of statistical hand-waving to pretend you have any sort of precision (and to make the data move outside the error bars). When you go back past about 1920 (when the first fragments of standardized temperature measurement took hold), the data turns into a pile of garbage. Now you're on to looking at which flowers bloomed where and subjective accounts from human settlements (e.g. some guy's personal correspondence complaining about how cold it's been this year). If you want to go back further, to points where -as you said- you get geologically significant data, you're using even more terribly imprecise proxies like ice cores. They'll tell you within a couple of degrees what the average was over the course of a few hundred years.

None of this, outside of data gathered in the past ~35 years, even comes close to actually being able to diagnose the cause of a 1c shift over the course of 100 years. Not only can we not say what the actual cause is, we can't even say that it hasn't happened in half the one-century periods since the end of the last ice age. And that data gathered over the past ~35 years since satellites went into orbit? That data disagrees with itself. You ask the satellites, you get one set of data. You ask the ground stations, you get another set of data. You ask the proxies, you get yet another set of data. Some of that data agrees on general trends and some of it outright bucks everything else.

All of it gets hand-waved away with "we know what we're talking about!!!". This isn't science; certainly not the science I grew up with. In the science I grew up with, you didn't start with the conclusion, then develop the tests that get you there and ignore any and all data to the contrary.

"A study out of McGill University sought to examine historical temperature data going back 500 years..."

In other words, "We looked at the last 2 seconds of this 9 hour VHS quality movie and determined that the car featured in it is moving faster than it should be in last frame."

I think we need to take a serious look at the "many eyes" theory because of this. Apparently, there were no eyes on the part of parties that did not wish to exploit the bug for close to two years. And wasn't there just a professional audit by Red Hat that caught another bug, but not this one?

I have to say I'm even less confident in the plan to couple it to DNSSEC.

Sure. We're better. But we need to be even better than that.

I'd say more than just the "community". We have a great many companies that incorporate this software and generate billions from the sales of applications or services incorporating it, without returning anything to its maintenance.I think it's a sensible thing to ask Intuit, for example: "What did you pay to help maintain OpenSSL?". And then go down the list of companies.

OK guys. We've promoted Open Source for decades. We have to own up to our own problems.

This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.

But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.

"Well, the world needs ditch diggers too!"

https://www.youtube.com/watch?...

Funny how most gun control advocates in the US will swear up and down that this kind of fascist crap isn't part of their agenda. The gun rights crowd gets called paranoid for even suggesting it as a future possibility.

If you don't want to own guns, that's fine and I honestly have no problem at all with someone making that personal decision. Where I draw the line is when someone tries to make that decision for me. Whether or not I actually do own or want to own any firearms is my business and mine alone. If one accepts that self-defense is a basic human right, one must also accept that the tools necessary to exercise that right are intrinsically and inseparably linked. God/nature/whatever does not provide the average person (in particular, women and children, but applicably to all) the means for self defense against hardened violent criminals, those on stimulant drugs such as cocaine, PCP, etc, and those who through some mental defect have become uncontrollably violent. God/nature/whatever also does not provide the average person the means for self defense against groups of violent attackers or those using tools of their own (be they guns, knives, hammers, baseball bats, or sharp sticks). Lastly (and of course what everyone will jump on as soon as it's mentioned), God/nature/whatever does not provide anyone with the means for resisting a tyrannical government which has violated the rights of its citizens and begun treating them as subjects or slaves.

From my perspective, a society which bars average, decent, law-abiding people from obtaining the best available means of defense against anyone or any group meaning to do them or other innocent people harm has violated one of the fundamental justifications for having government: defense of peoples' rights. I completely understand that many if not most in some societies (such as in the UK, Australia, and some others) decided as a group that they didn't want guns around anymore. However, some invariably would prefer (and no doubt some actually do - at great personal risk) to keep guns around for self defense. They have a natural/God-given right to do so and no law passed by any number of people in the society can take away that right.

If all but one vote away basic, fundamental human rights, this remains the essence of the tyranny of the majority. It is three foxes and a hen voting on what's for dinner. It is always wrong and never justifiable and no government should be allowed to do it as it is a violation of the sole justification for the existence of government.

Wait a moment, are you saying that there are people who might ignore the gun-free zone signs and carry a gun anyway? What kind of person would even think of doing such a thing?

But your point is well taken. I think the best way to go is to stop everyone but the police and the military from carrying guns, just like they do in Mexico. Then we could enjoy Mexico's legendarily low violent crime rate right here in the United States.

Exactly, which is why you always see mass shootings at gun shows, gun stores, and gun ranges where there's lot of guns, lots of ammunition, and lots of gun-obsessed people.

Thankfully, there are some places where that sort of thing isn't tolerated, like schools, malls, and US Postal offices. Ahh yes, gun-free zones, where violence is a thing of the past.