Comment Re:Negligence (Score 1) 62

And I would be surprised if Google and other major corps aren't monitoring criminal forums where these exploits are sold.

I think you would be surprised. I also think that the process one would have to go through to get vetted and get access to those forums probably requires actions that a major corp wouldn't take. FWIW, I work in security at Google and have never heard of any sort of monitoring of criminal forums.

Comment Re:Negligence (Score 1) 62

I think that Google just might agree that it is at least in their best interest to have a significant vulnerability in OpenSSL be fixed.

Of course, but it's even more in their interest to make sure their own systems are fixed before they take any action which could result in the information spreading to potential attackers. Of course, attackers may already have had it, but if so that's water under the bridge. If not, the moment you disclose it to anyone you've increased dramatically the odds that someone who might want to exploit you will hear of it, even if you're just telling the dev team. For that matter, even disclosing it internally is a risk, so you'd want to keep that as tight as possible as well. I work in security at Google and didn't hear about Heartbleed until it was publicly disclosed.

Given the severity of the damage that could be caused by Heartbleed once information about it is widely disclosed, particularly given how trivial the exploit code is to write, Google would (IMNSHO) have been foolish to disclose it to the OpenSSL team before getting all of its key systems patched.

(Disclaimer: I work for Google but don't speak for Google. The above represents only my personal opinions.)

Comment Re:Wah, wah (Score 1) 723

"The numbers turned out *much* higher than Fox News predicted"

No, the numbers haven't turned out AT ALL. Because we haven't been given actual numbers. The numbers we got don't tell us who's paid (thus making time spent filling in an online form into an actual money-changes-hands transaction that actually insures somebody), and don't tell us how many people in that mix were the ones who had their insurance cancelled on them (roughly 6 million, so far).

So, actually, the numbers turned out pretty much right where critics said they would: abysmally low.

Comment Re:Plan not grandfathered and minimum standard. (Score 1) 723

The US will catch up to the idea that every human has the right to health without concern for cost or it will fail.

I think you don't understand what the word "right" means.

Should people also have a right to housing, clothing, food, climate control, utilities, and the rest, without concern for cost? Does everyone have that right? Because if you don't have those things, you could die. Just like you could by not having a "right" to the services of a podiatrist when you have achy feet.

If everyone has a right to the labor of professional medical people, and everyone has a right to the medicines, supplies, facilities, and multi-million dollar test equipment ... how does that work? We all have the right to assemble, the right to free speech, etc. The constitution protects us from government interference in such things. If we have a right to a little bit of the waking hours of a nutritionist, or the right to something that a bunch of people working in the pharma industry spent their week making, does that mean that everyone should get those things for free? Who pays? How can it be a "right" if you have to force your neighbor, on penalty of losing their wages or their home, to provide it to you? That's your idea of a right? Get a grip.

Comment Re:Why OpenSSL is so popular? (Score 1) 301

Basically, unit testing should be able to tell you if you've implemented the algorithm competently. It doesn't say if the algorithm is any good, just that your version of it works to the spec.

It doesn't even tell you that much, since it can only check functional aspects, not non-functional aspects. For example, unit tests can't prove that the code isn't leaking data through side channel attacks. That's a simple and obvious one, but there are more direct security failures which also won't be identified by any unit tests.
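An added illustration of that point, written for this listing and not part of the comment above: two tag-comparison routines that a functional unit test cannot tell apart, even though one stops at the first mismatching byte and therefore does an amount of work that depends on the secret. The instrumentation counter and the 8-byte sample tag are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef int (*tag_eq_fn)(const uint8_t *, const uint8_t *, size_t);

/* Instrumentation only: how many byte comparisons the last call performed.
 * Stands in for the wall-clock timing an attacker would actually observe. */
static size_t compares_done;

/* Early-exit comparison: functionally correct, but the work done depends on
 * where the first mismatch is, so timing reveals how much of a secret tag
 * (e.g. a MAC) the input matched. */
int tag_equal_early_exit(const uint8_t *a, const uint8_t *b, size_t n) {
    compares_done = 0;
    for (size_t i = 0; i < n; i++) {
        compares_done++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time comparison: always touches every byte and folds the
 * differences together with OR, so no branch depends on the data. */
int tag_equal_const_time(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    compares_done = 0;
    for (size_t i = 0; i < n; i++) {
        compares_done++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* A functional "unit test" of the kind the comment describes: it checks
 * only the returned answer, and both routines give the same answers. */
int functional_test(tag_eq_fn eq) {
    const uint8_t secret[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
    uint8_t guess[8];
    memcpy(guess, secret, 8);
    if (!eq(secret, guess, 8)) return 0;   /* identical tags must match */
    guess[7] ^= 0x01;
    if (eq(secret, guess, 8)) return 0;    /* last byte differs */
    guess[7] ^= 0x01;
    guess[0] ^= 0x80;
    if (eq(secret, guess, 8)) return 0;    /* first byte differs */
    return 1;
}

/* Non-functional property the test above never sees: work done when the
 * only mismatching byte sits at position 'pos' (constructed sample tag). */
size_t work_for_mismatch_at(tag_eq_fn eq, size_t pos) {
    const uint8_t secret[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
    uint8_t guess[8];
    memcpy(guess, secret, 8);
    guess[pos] ^= 0xff;
    (void)eq(secret, guess, 8);
    return compares_done;
}
```

Both routines pass functional_test, yet work_for_mismatch_at shows the early-exit version's effort growing with the length of the matching prefix while the constant-time version always does the same work.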

Comment What kind of industry do you work in? (Score 4, Insightful) 452

If you're working with people who are comfortable with technology, then making such a transition should not cause too much pain. Annoyances yes, especially with file format compatibility issues, but nothing too serious. You'll be answering lots of questions, but the questions themselves will be from a position of needing some details filled in, not failure to understand basic concepts.

On the other hand, if you're working with people for whom computers and technology are PFM (Pure @#%$ing Magic) then ANY CHANGE, no matter how trivial, will lead to nervous breakdowns. For such people, use of a computer involves memorized incantations (if not outright prayers) based on mouse movements, clicks, and magic words typed into the screen. If these change, even slightly, they will be utterly lost and terrified -- and they'll blame YOU.

If this is the case, then you're going to have to create a standardized installation of Linux with a normal desktop interface (Cinnamon, KDE) and then TRAIN your employees on how to use it. Mint is a good choice. I'm using the KDE version of Mint 16 on all my workstations. The cinnamon version is also perfectly usable. There are of course other options. The key is to create an environment that is as close to what they know as possible. Not necessarily in terms of how it looks, but how it BEHAVES.

Even so, there will always be some differences that will trip such users up. You guys might have to hire a temp worker whose sole job will be to train and support your employees until they learn the new incantations.

The good news is that moving from XP/Vista/7 to a normal desktop Linux distro will actually be easier than trying to retrain these employees to use the malware that is Windows 8.

Comment Re:Why OpenSSL is so popular? (Score 4, Insightful) 301

People will keep writing bad code, this is unavoidable, but what automated tests could be run to make sure to avoid the worst of it?

Automated testing for security problems doesn't really work. Oh, you can do fuzzing, but that's hit and miss, and general unit testing can catch a few things, but not much. Mostly, security code just requires very careful implementation and code review. Eyeballs -- smart, experienced eyeballs.

OpenSSL has terrified me for years. The code is very hard to read and understand, which is exactly the opposite of what's desired for easy review and validation of its security properties. It needs to be cleaned up and made as simple, straightforward and accessible as possible, or replaced with something else that is simple, straightforward and accessible. My theory on why it is the way it is -- and it's far from unusual in the crypto library world -- is that cryptographers tend not to be good software engineers, and software engineers tend not to have the cryptography skills needed.

I spend some (not very much, lately) of my time working on an open source crypto library called Keyczar that tries to address one part of this problem, by providing well-engineered crypto APIs that are easy to use and hard to misuse. That effort focuses on applying good engineering to the boundary between library and application code, which is another source of rampant problems, but Keyczar uses existing crypto libs to provide the actual implementations of the primitives (the C++ implementation uses openssl, actually). I've long wished we could find crypto libs that were well-engineered, both internally and in their APIs.

Comment Re:If ur not coding because you like it . . . (Score 1) 673

Then you are not going to be very productive anyway.

If you have to bribe people to code, they clearly do not enjoy coding.

They're not bribing girls to code. The gift certificates go to the teachers. And, actually, the certificates just give the teachers money they can donate to charities, not cash in their own pockets. So it's just a small incentive to motivate teachers to give girls a little more opportunity to find out whether they like coding.
