
Comment Re:It's been in bash a while. (Score 2) 318

Oh, and as an addendum, I consider anything that originates from the client, something that the user can generate.

i.e. untrusted input is untrusted input. People get far too specific about that kind of thing. If you're taking input from a client, and passing it to a system executable in some way, that's bad.

Comment Re:They will never learn (Score 1) 103

I disagree with your basic premise, that things are secure, or insecure. Everything is a tradeoff. Using a foreign CDN is a tradeoff of trusting a third party to be secure vs doing it yourself. Just because you do it yourself doesn't mean it's "more secure", it's just more in your control, which can be good or bad.

We make this tradeoff all the time. Have you ever used 3rd party software on your website? Well then you're making a tradeoff as well.

You're right to be suspicious of trusting a 3rd party, but I don't agree that using a CDN is always a bad choice, incompetent, and obvious to anyone competent.

Comment 40 hour weeks != complacent. (Score 1) 275

People develop lives and other interests. If you'd like to dedicate yourself to one thing, great. But you have an odd idea about the nature of liking what you do. Liking what you do is very different from wanting to do it all the time. The world is an interesting place with a lot of different things in it. Don't assume people that have other interests (Family, hobbies, houses, travel, leisure) aren't passionate about what they do, they've just realized that there's more to life than computers.

In fact, a good way to get burned out is to do exactly what I suspect you're doing. Working really long hours, and dedicating lots of your free time to software. Cut it out, and maybe you won't get burned out.

Comment Re: So everything is protected by a 4 digit passco (Score 1) 504


Not without huge advances in theoretical mathematics, no.

Cryptography relies not only on the math being correct, but the implementation as well. How sure are you that Apple implemented the random number generator properly, for instance? Maybe that 128 bit key only has 64 bits of entropy because someone screwed up. 64 bits of entropy is feasible to brute-force.

Also, only RSA relies on factoring large numbers. RSA, and other public-cryptography is only used to encrypt the key. The underlying algorithm is still generally block ciphers like AES, which aren't dependent on prime numbers.

Comment Easy fix for the government. (Score 1) 504

So instead of requesting access to the data, they'll request access to installing a special update to your phone that simply transmits the encryption key.

If you trust Apple to update your software, and Apple has to do whatever the government says, there's always going to be a way for the government to get your data.

Comment Re:Experience counts (Score 2) 232

Of course, the respect you're seeking must be proportional to your actual skills, merit to the company, etc.

Hmmm.. this is the only statement I find questionable. Everything else I agree with. I think everyone deserves respect. The lowest level employee doesn't deserve to be yelled at for missing deadlines, or having a bug that's missed. That's basic human nature, and you're not entitled to it simply because you're more valuable, it's something all people need. I understand your position, but if the only way you can gain "respect" is through fear (fear you'll leave), that's still an indication of a sick organization.

Long term, you should still leave if everyone doesn't deserve respect, not just "valuable" people.

Comment Re:Then I guess you could say... (Score 4, Insightful) 222


The trick is that doctors need to stop treating schizophrenics like we're sick. They need to start treating us like we're real people that just happen to have a different sense of reality.

In a sense, I sort of agree with you, in another, totally not. Depression is also another way of viewing reality. Is someone who's depressed "wrong" about concentrating on the negative aspects of living? No... but I think most people who're depressed would rather NOT be depressed. Obviously telling someone who's depressed to just "cheer up", and "things aren't that bad" isn't going to help much. But like a disease, it's an aspect of yourself you'd rather not have and aren't in total control of, and want to be "cured" of. So the disease model isn't too far from the truth. I don't see how schizophrenia is much different.

You yourself don't really like your symptoms, wouldn't you rather they be gone? So I'm not sure I really understand your point.

Comment Re:Deism (Score 1) 937

The same inadequate reasoning that makes people think there could be meaning to the universe is the same lack of reasoning that causes smart people to be religious.

You make the mistake of categorizing all religion into one big bin. Thinking about our place in the universe is a religious activity, but also a very human one. Deciding we have no place in the universe, or the universe has no meaning is also in that same category. By seeking to escape religion, you're only being ensnared by it.

Comment Re:Need more than a legal precedent (Score 0) 421


More than a legal precedent this needs solid regulations with teeth. I suspect that if you walk into whatever the Italian equivalent of Best Buy waving this judgement around and demanding a refund that they will just have security escort you out. But if refusal to even offer a Windows free machine was worthy of a fine, let alone not removing it, then windows free machines would be widely available.

I've spent some time living and working in Italy. I'd be very, very careful before I simply apply US and Canadian ideas and norms onto Italy. Italy isn't filled with big box stores. I don't know that there's an equivalent mass retailer that sells everything from PCs to appliances in Italy. Rome at least is more filled with smaller retailers rather than enormous mega-retailer stores like in the US. There's some big retailers to be sure, but there's a lot more smaller ones.

But the one thing you should be VERY wary of is applying the rule of law to Italy. The normal rules of fines, and governments imposing restrictions on things doesn't always apply. Italian courts are a mess, and regularly change verdicts. So I wouldn't just naturally expect Italian retailers to suddenly start offering Windows free machines available for sale. Italy isn't like the US, or even the rest of the EU.

Comment .06 is not free. (Score 1) 121

$.06 is about 80 cents today. That's not free. You may think it's a minor distinction, but the truth is it's not. We know from repeated sociological studies that people treat free as a different category than something that's charged for. And if you establish the value early on as free, it's VERY hard to go back and get people to pay later on.

That's totally different than charging 80 cents in 2014 dollars. I'd also imagine that being in the military has different expectations than civilian life. It's a donation the publishers gave to the war effort. Once the war is over, nobody would expect to go back to being given cheap books anymore.

Comment Re:Predictable (Score 1) 183

Before you go around calling people morons, you might want to learn a little about how software is horribly insecure, even when designed to be. The recent OpenSSL vulnerability is a good example.

If you think "slapping encryption, message signing, and sanity checks" is going to save you, you have a LOT to learn.
