I've worked with lawyers quite a bit during my career, both as in against them and as in I hired them. As human beings, they aren't better or worse than any other profession - you have assholes, you have great people, and a lot inbetween.

Sorry to hear you only got the assholes.

And if we're talking about 21st century oppressive regimes, I'd go so far to say that any weapon that doesn't penetrate an APC or at least kevlar armour is pretty much pointless.

Never forget that the 2nd amendment was written in a time when tanks were a crazy idea that an italien painter had drafted a few schematics of.

Because that's not the only law on the book, and because just because it's written down doesn't mean its right.

Which is exactly my point, yes.

Because it's too late to do that the simple way. Corporations and the 0.1% who own them can easily outspend any and all groups of private citizens now that all limits are lifted.

And it doesn't strike you that this is just completely fucked up? That corporations think it's their job to fuck over the very society that made them possible in the first place?

So if I'm the bad guy with the gun I just need to wait until my panicked, untrained victim with his low-precision gun has wasted its two bullets somewhere into the landscape and then put a bullet into his head?

The WW2 Liberator pistols were mostly designed to create fear. Germans at checkpoints could no longer largely assume the citizens were unarmed. It works in a war setting because you're already beyond the point where you are accepting friendly casualties as part of the plan.

In a peace setting, more guns == more gun deaths. Not just due to accidents, but also because people on either side (both criminals and law enforcement) are much more likely to shoot in uncertain situations because they have to assume the other guy is armed. In most european countries, when you get robbed you are likely to lose your wallet and highly unlikely to lose your life. In countries with lots of guns, the robbers shoot more often because when the guy makes a sudden move, it could be him drawing a gun, not just panic.

That's bullshit. Lawyers are just dogs biting at whatever we (as society) tell them to bite at. It's the laws that need changing. If we hadn't allowed these ridiculous lawsuits in the first place, they wouldn't exist.

Case in point: In many countries in the world you can tell a stupid kid that its stupid without fear of a lawsuit. Or you can run science projects. And you don't have to print "contents could be hot after heating" on the package of microwave food and "don't use to dry pets" on the microwave itself.

That's a risk you always have and thus not a valid counter-argument. And if anyone has experience in doing this kind of cleanup work in a way that doesn't, then it's the OpenBSD team, because they've done this before.

True, most of my experience is with companies 10k, but you're just being arrogant calling that "really small". Almost all of those companies are part of a larger corporation, and you don't manage IT operating activities in multinational corporations on the corporate level. The corporate level decides if you go with SAP or Oracle, but not which patch level of Apache is used on the website of one of 20 subsidiaries.

At least that's the way it was in my last two companies (one a subsidiary of a 65k employee corporation, one part of a 30k employee corporation). If you know of any multinational corporations where the CTO of the top-level holding has to sign off on patch deployment, let me know.

We're talking operative emergency response here, not rollout of new corporate IT infrastructures. I hope you see the difference.

You're cute. I've done this shit for a living for a while. Yes, many companies' incidence response procedures are crap, but they shouldn't, and it is perfectly possible to get an emergency countermeasure deployed within 24 hours with all the t's crossed and i's dotted and perfect SOX compliance and whatever else you need. It's just something you need to think about before the emergency hits you.

Of course everything else is never equal.

But what are you trying to accomplish here? Argue that a project with 100 developers has more eyes on the code than one with 4? Moot point, no argument.

We don't get the luxury of having 50 identical software projects with different team sizes and a size control, so we have to go with the real world and "everything else being equal" is just a way of saying that you if you want to compare closed vs. open source, you need to compare comparable projects, not an open source project with a handful of people with a closed source project two orders of magnitude larger - or the other way around.

There's a difference?

sysadmin, firewall admin - let's not pick nits here. The point is that there are mitigating measures, and if signing off on something that prevents your company secrets leaking out to the Internet without you even noticing takes more than 24 hours then your incident response procedures are retarded and you can hire me for a workshop to improve them dramatically.

Yeah, there was absolutely nothing anyone could do. Oh wait, except for this brutally complex and technically challenging thing right from the official vulnerability announcement:

That was definitely not a feasabole option for anyone on the planet...

You are right on those.

Except for the "nothing can be done" part. That's not your judgement call to make. There is always at least one option - pulling the power plug - and it might well be a feasable temporary solution for some people affected.

Absolutely.

But we were talking about mitigating measures. That is almost never patch and recompile, it's things like turning off a service, changing the firewall rules, moving servers into a different network - things that are very much within the duties of the sysadmin (with proper clearance and risk acceptance by management, etc. etc.)

Basically, if you have a bug that makes your internal network open to the world, but you can avoid it by disabling feature X in the config file, and your company doesn't require feature X, then that's something the sysadmin can do, and he can do it right now, while the vendor is working on a patch.