
Comment Re:LaserJet II and LaserJet 3 (Score 1) 702

The most wear sensitive part of a laser printer is the copy drum. If I recall correctly the old LaserJets had the drum integrated with the toner cartridge, so you replace the most quickly wearing part of the printer every four or five thousand pages. It's no wonder they lasted so long. The mechanical parts that move the paper through the printer are pretty robust, so I wouldn't be surprised if the printers go until the capacitors in the electronics dry up, or the internal power connectors go bad.

Comment Re:A bit of background for slashdotters (Score 4, Informative) 348

This isn't a case "insisted upon by a conservative group". This is Mann suing a journalist for libel, and the journalist requesting info from the university under FOIA to prove his case.

That would be interesting, if it were true. Here's what TFA says:

The ruling is the latest turn in the FOIA request filed in 2011 by Del. Robert Marshall (R-Prince William) and the American Tradition Institute to obtain research and e-mails of former U-Va. professor Michael Mann.

"Del." I assume is short for "delegate". According to their website, the American Tradition Institute's tag line is "Free Market Environmentalism through *Litigation*". I'm assuming this means they aren't pals with Greenpeace, or even The Sierra Club, any more than the National Socialists in Germany were pals with the socialist Republicans in 1930s Spain.

Comment Re:Why do these people always have something to hi (Score 4, Insightful) 348

Depends on what you consider "hiding the research". A fishing expedition through a scientist's personal correspondence is an invitation to judge his work on *political* grounds.

In science your personal beliefs, relationships, and biography are irrelevant. There are evangelical Christian climate scientists who believe climate won't change because that would contradict God's will as expressed in the Bible. These scientists may be regarded as religious crackpots by their peers, but that hasn't prevented them from publishing in the same peer-reviewed journals as everyone else. Since their papers invariably are climate-change skeptic, clearly they are publishing work which supports their religious beliefs. But their motivations don't matter. What matters is in their scientific publications.

In 1988, Gary Hart's presidential bid and political career were ruined when he was photographed cavorting on a yacht named "Monkey Business" with a woman that wasn't his wife. Now I didn't care how many bimbos he was boinking, but a lot of people *did*, which made it a political issue (albeit a stupid one in my opinion). Do we really want to use the coercive power of the state to dig through the private lives of controversial scientists?

It's a pretense that that would serve any scientific purpose. Maybe Mann is intent on overthrowing capitalism and creating a socialist utopia. That would be relevant if he were running for dogcatcher, but it's irrelevant to what's in his scientific papers. Scientists publish papers all the time with ulterior motives, not the least of which is that they're being paid to do research that makes corporate sponsors happy. As long as what's in the paper passes muster, it's still science.

Comment Re:authenticity (Score 1) 56

What about acting? Or fiction? These are artificial experiences that evoke real emotional responses. Once the right buttons in your brain are pushed, most of your brain can't tell the difference between what is real and what is synthetic.

Granted, authenticity in human interactions is important, but it's overrated. Fake engagement often is a perfectly acceptable substitute. Situations where people put considerable effort into *seeming* pleasant usually *are* more pleasant than they would be if everyone felt free to paste their indifference to you right on their faces.

So this is a very interesting technology. What's disturbing about it isn't that people might be fooled into thinking the user is truly interested; it's that the user himself no longer puts any effort into creating that illusion. What if that effort is in itself something important? What if fake engagement is often the prelude to real engagement? Maybe you have to start with polite interest and work your way up to the real thing; I suspect the dumber parts of your brain can't tell the difference. If that's true, taking the user's brain out of the interaction means that interaction will automatically be trapped on a superficial level. This already happens in bureaucratic situations where employees are reduced to rules-following automatons. Take the brain out of the equation and indifference follows.

I suspect that the researchers are well aware of these issues; I believe that I discern a certain deadpan, ironic puckishness on their part. People who truly view engagement with other people as an unwelcome burden don't work on technologies that mediate between people.

Comment Re:Switching from Mercedes to Tesla after $12K bil (Score 1) 360

First you bought an SUV which only an idiot would buy

My late father-in-law designed inertial guidance systems. He worked on the Apollo program and the Trident missile. And he bought a Mercedes SUV, so it's clear it isn't an SUV that only an idiot would buy. He needed a vehicle that could pull a small boat trailer but had reached an age where he wanted a vehicle that was a little easier on the tuckus than a pickup truck. As such it wasn't a bad choice for him, especially as he had the dough to pay the eye-popping maintenance costs.

I prefer small cars myself, but I've driven a few SUVs and the Mercedes wasn't a bad choice for someone who wanted a truck that drives more or less like a car and doesn't care about the cost.

Comment Re:Militia, then vs now (Score 1) 1633

It's not a "re-examination". It's a butchering.

You say that like it's necessarily a bad thing.

We've got to stop acting as if the Founding Fathers were like Moses descending from Mount Sinai with the Constitution chiseled on a couple of stone tablets. They were brilliant, enlightened men for their day, but the Constitution is not a document of divine inerrancy.

The US Constitution is the COBOL of constitutions. Yes, it was a tremendous intellectual innovation for its time. Yes, it is still being used successfully today. But nobody *today* would write a constitution that way, *even if their intent was exactly the same* as the founders.

For one thing it's full of confusingly pointless ("To promote the Progress of Science") and hopelessly vague ("securing for *limited times*") phraseology that leaves courts wondering exactly what the framers meant, or whether they were just pointlessly editorializing ("A well regulated Militia, being necessary to the security of a free State").

It's also helplessly out of date. The Constitution was drafted before the existence of mass media and advertising; before photography even. It was the appearance of photography in newspapers that woke people up to the idea that they might have privacy rights that were being threatened. A Constitution written in 1900 would almost certainly have clauses explicitly recognizing a right to individual privacy and empowering the government to protect that right. A Constitution written in 2000 would almost certainly have clauses restricting the government from violating individual privacy.

And then there is slavery, an outright *evil* which is enshrined in the founders' version of the Constitution. That alone should disqualify any claim they may have had to superhuman morality.

So if we take it as given that the US Constitution is not divinely ordained, it's not necessarily a bad thing that the current generation should choose to butcher what the founders established. Would you re-institute slavery? Allow *states* to deprive citizens of liberty and property without due process? Eliminate direct election of senators?

So it's perfectly reasonable to butcher anything in the Constitution when you're proposing an *amendment* to the Constitution. That's the whole point. We should think for ourselves. In doing so, we're actually carrying on the work the framers themselves were doing. Every generation should learn from its predecessors, but think for itself.

Comment Re:Hypocrisy abounds (Score 1) 818

What's so hilarious is that to most of the commenters here, the Koch Brothers exemplify the absolute evil in the system whilst (and simultaneously) George Soros is merely 'doing the right thing' and 'helping people speak truth to power'.

So in other words, what somebody says is less important than who says it.

Comment Re:Tyrant: The computer game (Score 1) 818

While sorta fun, those games are not simulations. All you revealed was the program(mer)'s built-in biases and assumptions, rather than any insight about what happens in reality.

That's true of social science research as well. The difference is that social science research has to pass peer review, and stand up to contrary research in the literature.

Comment Re:de Raadt (Score 1) 304

Ok, I actually think you, me, and Theo all agree :)

1) We don't think a specific technical change would have _prevented_ the issue.

2) We all agree that better software engineering practices would have found this bug sooner. Maybe even prevented it from ever getting checked in (e.g. suppose the codebase was using malloc primitives that static analysis tools could "see across", and that the code was analysis clean. Could this bug have existed?)

Comment Re:de Raadt (Score 1) 304

Who has claimed that using the system allocator, all else being equal, would have prevented heartbleed?

Who has claimed that heartbleed was an allocation bug?

I understand what freelists are and do.

The point here is that rigorous software engineering practices -- including the use of evil allocators or static analyzers that could actually understand they were looking at heap routines -- would have pointed out that the code implicated in heartbleed was unreliable and incorrect.

If you read the link you pointed at, after making a modification to OpenSSL such that coverity could understand that the custom allocator was really just doing memory allocation, Coverity reported 173 additional "use after free" bugs.

There are bugs from years ago showing that openSSL fails with a system allocator.

Don't you suppose that in the process of fixing such bugs, it is likely that correctness issues like this one would have been caught?

Comment Re:de Raadt (Score 5, Insightful) 304

Actually, it is you who are wrong.

Theo's point from the beginning is that a custom allocator was used here, which removed any beneficial effects of both good platform allocators AND "evil" allocator tools.

His response was a specific circumstance of the poor software engineering practices behind openSSL.

Furthermore, at some point, openSSL became behaviorally dependent on its own allocator -- that is, when you tried to use a system allocator, it broke -- because it wasn't handing you back unmodified memory contents you had just freed.

This dependency was known and documented. And not fixed.

IMO, using a custom allocator is a bit like doing your own crypto. "Normal people" shouldn't do it.

If you look at what open SSL is

1) crypto software
2) that is on by default
3) that listens to the public internet
4) that accepts data under the control of attackers

... you should already be squarely in the land of "doing every possible software engineering best practice possible". This is software that needs to be written differently than "normal" software; held to a higher standard, and correct for correctness sake.

I would say that, "taking a hard dependence on my own custom allocator" and not investigating _why_ the platform allocator can no longer be used to give correct behavior is a _worst practice_. And it's especially damning given how critical and predisposed to exploitability something like openSSL is.

Yet that is what the openSSL team did. And they knew it. And they didn't care. And it caught up with them.

The point of Theo's remarks is not to say "using a system allocator would have prevented bad code from being exploitable". The point is "having an engineering culture that ran tests using a system allocator and a debugging allocator would have prevented this bad code from staying around as long as it did"

Let people swap the "fast" allocator back in at runtime, if you must. But make damn sure the code is correct enough to pass on "correctness checking" allocators.

Comment Ted Unangst's article (Score 4, Informative) 304


Ted Unangst wrote a good article called "analysis of openssl freelist reuse"

His analysis:

This bug would have been utterly trivial to detect when introduced had the OpenSSL developers bothered testing with a normal malloc (not even a security focused malloc, just one that frees memory every now and again). Instead, it lay dormant for years until I went looking for a way to disable their Heartbleed accelerating custom allocator.

It's a very good read.
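The dependency discussed in the two comments above (code that only works because a freelist hands back just-freed memory unmodified), as an added C example that is not from the original comments, Ted Unangst's article, or OpenSSL's code. The pool, its two policies and `buggy_roundtrip` are hypothetical names and the record is constructed sample data; the same caller passes under a LIFO freelist and is exposed by a policy that poisons memory on release.

```c
#include <stdio.h>
#include <string.h>

enum { SLOT_SIZE = 32, SLOTS = 4, POISON = 0xDF }; /* POISON: fill byte written on release */
enum policy { FREELIST_LIFO, CHECKING };
struct pool {                       /* hypothetical fixed-slot buffer pool */
    enum policy policy;
    unsigned char mem[SLOTS * SLOT_SIZE];
    int free_stack[SLOTS];          /* indices of free slots, used LIFO */
    int top;
};

static void pool_init(struct pool *p, enum policy policy) {
    memset(p, 0, sizeof *p);
    p->policy = policy;
    for (int i = SLOTS - 1; i >= 0; i--) p->free_stack[p->top++] = i;
}

static unsigned char *pool_get(struct pool *p) {
    if (p->top == 0) return NULL;
    return p->mem + (size_t)p->free_stack[--p->top] * SLOT_SIZE;
}

static void pool_put(struct pool *p, unsigned char *buf) {
    if (p->policy == CHECKING) memset(buf, POISON, SLOT_SIZE); /* freelist keeps old bytes */
    p->free_stack[p->top++] = (int)((buf - p->mem) / SLOT_SIZE);
}

/* Caller with the bug: releases a buffer, then expects its bytes back.
   Returns 1 if the stale read went unnoticed, 0 if exposed, -1 on exhaustion. */
static int buggy_roundtrip(struct pool *p) {
    const char record[] = "record-header";   /* constructed sample data */
    unsigned char *a = pool_get(p);
    if (!a) return -1;
    memcpy(a, record, sizeof record);
    pool_put(p, a);                  /* released while still needed */
    unsigned char *b = pool_get(p);  /* assumes same slot, same contents */
    if (!b) return -1;
    int stale_ok = memcmp(b, record, sizeof record) == 0;
    pool_put(p, b);
    return stale_ok;
}

int main(void) {
    struct pool fast, strict;
    pool_init(&fast, FREELIST_LIFO);
    pool_init(&strict, CHECKING);
    printf("freelist: %d, checking: %d\n", buggy_roundtrip(&fast), buggy_roundtrip(&strict));
    return 0;
}
```

Running the same test suite against the poisoning policy is what turns the silent dependency into a visible failure.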
