
Comment Re:Update to Godwin's law? (Score 1) 575

Crazy isn't it. It's perfectly obvious that terrorism is acts that are designed to terrorise. After 9/11 plenty of people were scared to fly, use other forms of public transport, visit large cities, or go to any busy public place. That's what made it terrorism. The act itself was mass murder - it's that larger intent to use fear to change behaviour that makes it terrorism.

Governments, politicians and security services are obviously intelligent enough to know this. Which makes their misuse of the word nothing less than deliberate propaganda.

Comment Re:Update to Godwin's law? (Score 1) 575

I'm on a long term quest to watch all available episodes of Horizon (a BBC science documentary series going since the 1960s).

One of them is called "How to commit a perfect murder". I'm glad I use duckduckgo as a search engine rather than Google when I was looking that one up.

Just one example of why it's a bad idea to let governments or corporations profile people based on what they search for.

Comment Re:ridiculous (Score 1) 174

The discovery of this is proof that many eyes DO find problems

No it isn't. The chance that these two vulnerabilities that hung round for 1-2 decades are the only ones is vanishingly small. They are an illustration that even the most mainstream of OSS code that's been around a long time hasn't been code reviewed properly.

They are proof that many uncoordinated and unrewarded eyes DON'T find problems. Because they don't even look.

Furthermore, this was a feature it wasn't entirely a security bug

Bullshit. The vulnerability it demonstrates has been demonstrated, it is not documented, and it doesn't make any sense that that's what it does. That's not a feature.

The possibility that some people are using it in software doesn't make it a feature either. The very definition of hacking is using technology in a way that is not intended. That's what those programs are doing. Indeed malware is software that deliberately uses vulnerabilities, and that doesn't make those vulnerabilities features.

With more people aware of this new attack vector, bash is going to get more attention--- MORE eyes again.

AFTER 20 years. Having to scramble to fix something 2 decades late is not in any way an endorsement of a development practice. It's a condemnation of it. And in any case it's no different from what commercial closed source software teams would do if they similarly found out they'd been negligent with a particular code base for 20 years.

"More eyes" is a myth. You have to be a blind zealot to still believe it.

Comment Re:Open Source is still better (Score 1) 174

Apple wouldn't have known about this little known old feature turned security hole if it wasn't for open source.

Apple wouldn't have had this defect if they hadn't used open source. For sure it might (and does) have others, but given it's taken 20 years for this defect to be found, the idea that there is any superior bug finding capability in the open source arena is laughable.

The myth "With many eyes all defects are shallow" was only ever believed by the naive. Shellshock and Heartbleed have proved it was nonsense. At this time only the religious still believe it.

Comment Re:Wrong on two counts (Score 1) 174

1) We don't know when the bug was introduced, although it's clear that it was quite some time ago.

You may not, but "we" do. I posted last Thursday that this vulnerability dates back to 1994.

http://slashdot.org/comments.p...

The difference is that with OSS, they all will eventually get found and fixed. The same can't be said of closed source software.

That's religion, not fact. Furthermore your claim in the previous paragraph that "It's been shown by people much smarter than me that it's mathematically impossible to do so." means that OSS cannot possibly fix all the bugs.

You disappear in a cloud of your own illogicality.

Comment Re:that was fast (Score 1) 174

Which is probably why this is a quick and dirty downloadable patch, rather than a proper OS update available to all with auto-update.

Those who have systems that open up BASH to the internets can get this partial fix, and get subsequent ones as BASH fixes progress. Those 99.999% for whom it's not relevant aren't bothered with pointless updates.

Comment Re:Ahh yes (Score 1) 174

Heck if you're going to rewrite in a more modern language why only move from a 1970s language to a 1980s language?

C++ does nothing to eliminate the common causes of defects and vulnerabilities - buffer overflows, dangling and unexpectedly nil pointers etc. Nor does it have anything to offer for the modern world of multiprocessing. And its memory management is primitive.

If you're going to move forward from the 1970s, do it properly.

Comment Re:I have an idea (Score 1) 174

While I'm a big fan of open source, that approach has real and obvious problems.

The problems show themselves just as much in software as anywhere else. e.g. People would much prefer to create new code than do code reviews or write tests, so defects in open source software linger around for a decade or two.

Comment Re: Why isn't this auto-update? (Score 2) 174

That's not a "dirty secret". Having a single component that launches all daemons is a laudable improvement over the ad hoc, multiple methods that had grown up in Unix-like OSs.

Linux has political problems between Linus and the systemd team, and systemd may be overreaching. None of which is relevant to OSX's entirely different component launchd.

And if anyone thinks there's any copying going on here, take note of the direction - OSX launchd dates back to 2005. Linux systemd to 2010.

Comment Re: Restrictions (Score 1) 96

You draw a distinction between "distracting" and "overheard in the first place" that I don't think is there.

And usually the volume IS elevated with mobile phone users. Most people are unaware of how good modern phones are at picking up the voice and cancelling out noise. And so they talk loudly on the phone.

Anyhow, I don't suppose we'll reach agreement. I suspect you are looking forward to being able to use a phone on a plane, and so lean towards arguments that result in that being allowed. I'm happier to just relax on a plane, so my bias is the other way.
