Comment Re:Get certified (Score 1) 205

Past a certain level, certs are a pure waste of time. Relatively few people at my current employer (a large multinational InfoSec consulting firm; most of my work is pentesting) have any security-type certification except for the compliance blokes, and nobody could have gotten the job on the basis of certifications alone. They're probably worth it if you're coming from *no* security background, and they aren't worthless (though they may well be a relative waste of time) at the higher levels of the field, but the idea of some ultra-elite cert that will open every door and command respect from all you meet is a joke.

Comment Re:Depends (Score 3, Interesting) 205

Pedantic, but... Writing a vuln is dead easy. Here's one (compile this into a world-executable program with setuid:root):
#include <stdio.h>      /* was <stdio>, which is not a C header; gets() is declared in stdio.h */
void vulnerable () {
    char buf[8];
    gets(buf);          /* no length bound: any line longer than 7 bytes overflows buf */
}
int main () {
    vulnerable();
    return 0;
}

Writing a functional exploit, on the other hand, is a lot trickier, especially with all the exploit mitigation stuff found in modern operating systems (and libraries; some of them won't let you call gets() anymore by default). Fortunately, in my professional experience (4+ years of pentesting, both as part of a company's internal security team and as a security consultant), this is rarely requested. The client may want a PoC on occasion, if they think their stuff can't possibly be vulnerable, but even then it needn't do anything special or be robust across system configurations or anything.

Getting back to the core question: if you're going to be pentesting native code, especially whitebox testing where you are expected to review source code as well, you need to know C/C++, maybe Objective-C, maybe pre-.NET Visual Basic or even things like FORTRAN or COBOL if your client's codebase is old enough. For web apps, you need to know your HTML and JS, but it's also important to know HTTP - yes, the protocol - and browser security features like same-origin policy. For the server side of web stuff, there's a hundred different languages and probably ten times as many frameworks that you might need to know, but for the most part knowing PHP, Java, Ruby, at least one .NET language, and maybe Python is good enough for the vast majority of sites (add perl if you want to go old-school).

Scripting languages like Powershell and Python are actually really useful to a pentester, because you can knock together little utilities to try things out that way. Want to send a carefully crafted sequence of UDP packets, or decrypt all that stuff the client has "protected" with a hardcoded AES key and find their secrets? A few minutes of work will get you a tool that will save you lots of time in the future.
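The bounded counterpart of the gets() snippet above, as an added example that is not part of the original comment: it reads into the same 8-byte buffer without ever writing past it, reports truncation, and drains the excess so an over-long line cannot be misread as the next one. The demo input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the gets() call in the comment above (added
 * example, not from the original post). Reads one line from `in` into
 * buf[0..cap-1] and never writes past it. Returns 1 if the whole line fit,
 * 0 if it was truncated (the excess is drained so it cannot be read as the
 * next line), -1 on EOF or error with nothing read. */
int read_line_bounded(char *buf, size_t cap, FILE *in) {
    if (cap == 0) return -1;
    if (fgets(buf, (int)cap, in) == NULL) { buf[0] = '\0'; return -1; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* strip the newline, as gets() did */
        return 1;
    }
    int c = fgetc(in);                  /* no newline: long line or last line */
    if (c == EOF) return 1;             /* final line without newline still fit */
    while (c != '\n' && c != EOF) c = fgetc(in);  /* drain the over-long rest */
    return 0;
}

/* Self-check on a constructed input stream: an 8-byte buffer like the
 * poster's, fed a short line, an over-long line and a final line without
 * newline. Returns 1 if the bounded reader behaves as documented. */
int demo_bounded_read(void) {
    const char *input = "short\nthis line is far too long for eight bytes\nend";
    FILE *f = tmpfile();                /* ISO C scratch file standing in for stdin */
    if (f == NULL) return 0;
    fputs(input, f);
    rewind(f);
    char buf[8];
    int ok = 1;
    ok &= read_line_bounded(buf, sizeof buf, f) == 1 && strcmp(buf, "short") == 0;
    ok &= read_line_bounded(buf, sizeof buf, f) == 0 && strcmp(buf, "this li") == 0;
    ok &= read_line_bounded(buf, sizeof buf, f) == 1 && strcmp(buf, "end") == 0;
    ok &= read_line_bounded(buf, sizeof buf, f) == -1;
    fclose(f);
    return ok;
}

int main(void) {
    printf("%s\n", demo_bounded_read() ? "bounded read OK" : "bounded read FAILED");
    return 0;
}
```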

Comment Re:Depends (Score 1) 205

Running metasploit is "pentesting" only in the sense that microwaving a TV dinner is "cooking". If that's all you can do, you don't know jack.

Now, metasploit is a useful tool, in the same way that a microwave can be a useful tool even in a professional kitchen, but knowing when and how to use it to good effect is very different from just relying on it because you don't know how to do anything else. Finding the right target is a pretty important skill, for one thing. For another, there's a ton of stuff that isn't in metasploit (or similar tools), so a real pentester needs to be sufficiently familiar with attack techniques to find stuff the tools don't know about. Similarly, often the exact attack in the tool is blocked even though the target remains vulnerable to the vulnerability, because somebody who doesn't know any better than "running metasploit == penetration testing" saw that they could make their system pass the scan by blacklisting a particular input or operation without understanding the underlying vulnerability at all.

Comment Not sure if serious... (Score 2) 205

Well, speaking as a professional "information security consultant" (who, on occasion, uses nmap and even more-destructive tools against clients), I guarantee you that mutually acceptable employment terms which permit and even expect the use of such tools is what has been paying my very comfortable standard of living for the past few years. From tiny companies that have a mobile app to supplement their primary business, to "stealth mode" silicon valley startups, to healthcare-related companies that are paranoid about leaking info, to huge financial firms (ugh, avoid those), to colossi of the computer/software/cloud industry, I've worked all kinds of places.

Of course, it helps that I'm employed by a company with an excellent reputation. Very little of my work actually involves automated tools; I will run them (unless the client asks not to, which is uncommon) because there's no reason not to, but that's not what they pay me for. My job is to find the stuff that the tools won't, like XSS in an optional parameter that you'll never see used while spidering a site, or exploitable race conditions in a driver when you send the right pair of IOCTLs in close succession, or... you get the idea. Yes, it takes longer, and yes, it costs more than hiring some script kiddie (or telling your sysadmin to turn into one), but it's worth it in the end.

Comment Re:I robot movie was more honest than the book (Score 1) 331

I agree. "I, Robot" wasn't a movie of a book, it was a movie of a *concept* (that had also been explored in a book). The movie, judged either on its own merits or merely as an exploration of Asimov's three laws, is good. It doesn't cover as many scenarios of human-robot interaction as the book does, but the part that it does cover goes pretty well.

Comment Re:Gonna see a Net Neutrality Fee (Score 1) 631

Sigh. You really don't get economics at *all*, do you? (Dragonslicer, talking to you too.)

The very concept of "get away with raising the price" shows an incredible lack of understanding. The optimal price is a function of supply and demand. If a company charges less than the optimal price, they will make less money off their available supply than would otherwise be the case. If the company charges more than the optimal price ("oh my $DEITY they are getting away with it!") they will price themselves out of the range of some of their potential demand, and wind up with unsold supply. Both of these options reduce revenue, but there's nothing impossible about them; they're just bad for business.

Hopefully this is reasonably understandable. Of course, things get a bit more complicated when you consider the ways in which supply and demand can be manipulated. For example, setting a high price on a luxury can actually increase demand, up to a point, and if you have a monopoly you can restrict supply to keep prices (and profits) high as well. There's also funny, semi-irrational effects like customer/brand loyalty, where some people will voluntarily give one company a monopoly on their business.

What regulation does (at the first order) is add a new cost of doing business. This cost reduces the money a company has available to obtain supply. Thus, the balance of supply and demand shifts; when supply goes down, unless demand goes down commensurately, the optimal price goes up. The company does take less profit, yes, but (assuming demand stays constant), not by the full amount that the regulation costs them; their customers also pay more.

The catch is that demand for that company's product only remains constant when the price goes up if all of their competitors are subjected to the same regulatory cost and commensurately raise their prices as well. If not - for example, if one company is subjected to a charge that all the others are not, and they compete for the same customers - then the company being regulated will lose about that much in profit. They will probably be able to recoup some of that by accepting lower supply but raising prices a little and relying on their loyal customers to keep buying that supply, but they will end up with less money.

Mind you, it should come as no surprise that regulation, when viewed from the perspective of a single established company, is pretty much always bad. View it from other perspectives, though, and it can be quite good. A company that wants to break into a monopolized market may be able to undercut the regulated competition. A potential customer who was previously not served due to being insufficiently profitable (not unprofitable, just not maximally profitable for the company) may now be able to purchase goods or services. Somebody who was completely unrelated to the company but was being harmed by an externality of its business (for example, environmental pollutants) will have their life improved.

Comment Physics, never mind tech, says you're wrong (Score 1) 631

Bandwidth is absolutely a physical thing. There is a physical hard limit on bits per second of information transmitted through any medium. There is also a significantly tighter (though growing) technological limit on our ability to transmit, route, and receive those bits in the physical transmission media we currently employ.

Saying "transmitting a lot ... data uses nothing" is ridiculous. It uses part of the limited supply of bandwidth. This bandwidth can be expanded by installing more transmission media (cable, fiber, microwave antennas, network switches, etc.) wherever the bottleneck happens to be, but that costs money too, and companies won't do it unless they expect to be able to capitalize on the increased capacity.

Comment Re:The Devil is in the Implementation. (Score 1) 406

He never actually really says, at least in the interview transcript. He claims a technological solution exists that doesn't weaken the security otherwise, but - speaking as an information security engineer - I'm not buying it. He says what he actually *wants* is a "legal framework" to compel decryption of data. This implies that the decryption keys would have to be kept around (goodbye forward secrecy), though it doesn't actually say so. It also implies that he wants something that a subpoena can't already get, which is more than a little concerning.

Comment Can you back up your position? (Score 1) 406

Care to explain how "a legal framework for data access of entities that operate within and under a US legal construct" (aside from, you know, warrants and subpoenas and so forth) is possible for encrypted data *without* weakening the cryptosystem in a manner "antithetical to the security interests of the United States, our people, our military, our intelligence community, and anyone else who requires secure communications in any form"?

You talk a lot, but you aren't actually offering any solutions. You're just cheering for team World Gestapo. If you want anybody to take anything you say seriously, start offering solutions. The fact that crypto beats the NSA is a feature (a vital one), not a bug. If you want to argue otherwise, try coming up with the following:
1) A method / reason we should believe it won't be used to cripple our information security.
2) A reason we should believe other nations won't obtain and use the same access against us.
3) An actual problem that would be solved by going through all this rigmarole, that existing laws and government powers don't provide.
4) A reason to believe this wouldn't be abused and cause greater harm than good.

The standard of evidence I require for #4, by the way, is to make this more important than freeing the innocents held in Guantanamo Bay and punishing the uniformed abominations who tortured them.

There. I've told you what it would take to change my mind. Care to do the same?

Comment Re:The best trick (Score 2) 260

I wouldn't say it's prohibition or puritanism that leads to deviancy, except in the sense that religion leads to heresy; you can't be deviant without having something to deviate *from*. Most fetishes are completely harmless, at least in the sense of damage to society; why stigmatize somebody just for being different? That's almost as bad as the puritanism itself, I'd say. Perhaps you mean "deviancy" in some other, more "evil" way (that is still not redundant with "perversion"), but in that case you should watch your terminology; "deviancy" is frequently used as a derogative you apply to those different from you or from your approved choices.

I'm not even sure the claim that prohibition leads to perversion is valid either. It's easy to define things which are "perverted" even while being otherwise permissive, but I'm not sure I buy the theory that people who would be, say, sexually attracted to children in today's American society are *less* likely to be so attracted in other cultures. Maybe they would, but I'd need to see evidence to believe it.

Nonetheless, you're on the right course. This notion that sex - that the mere *knowledge* of sex - is something kids need protection from is absurd and counterproductive. Forget deviants and perverts, "protecting" kids from sex leads to STDs, to teenage pregnancies, and to other harms that come from furtive and often careless experimentation instead of educated people making informed (possibly still unwise, but at least not ignorant) choices. As for the whole nudity taboo, people have bodies. Under your clothes, you're completely naked. We all are. There is neither purpose nor value to keeping children from seeing bodies; all that does is give the kids a goal of seeing that which has been forbidden.

Comment Re:BALEFIRE! (Score 1) 148

That wasn't balefire. Leaving aside the fact that we've never seen balefire in any form except originating *from* the channeler (or ter'angreal), balefire would have burned the Dragon out of the pattern, never to be reborn.

I could believe he *wanted* to use balefire - depending on how long it had been since the madness took him, it might even have worked to bring back his family - but despite the superficial resemblance (bar of searingly white light burns a hole into the earth where it hits) it just doesn't make sense for it to have been that particular weave.

Comment Re:So, losing money on every sale (Score 1) 257

I see this moronic attempt at a "joke" every time this topic comes up, but you win today's lottery in terms of getting responses, so...

Tesla makes (significant) profit on every sale. The problem is that they don't make a lot of sales. In order to make a lot of sales, they need to dramatically invest in production. Some of that goes into upgrades and retooling (making it possible to sell cheaper cars, which will get more sales), some of that goes into sheer manufacturing capacity (more factories, including their "gigafactory" for batteries).

That doesn't even count their ongoing investments in research, of course, but without those the company would never have gotten anywhere at all, and for a startup to successfully compete with the big dogs long-term, they have to leverage their first-mover research advantage ruthlessly. That might suck if you're the kind of investor that expects every week to see a higher close price than the last, but if you're *that* stupid, you've got worse problems...

Funny thing about investments in R&D: in the short term, they cost money. Of course, in the long term, they make it possible to earn a *lot* more money than they cost, but they do typically result in a few unprofitable quarters. Tesla could have just gone on selling their current lineup (or hell, their lineup from two years ago; no need to develop the dual-drive models) and been profitable - remember, they earn money on each sale - but they'd never have managed much volume. Eventually their backlog would have grown from "a few months to a year" until it reached "there's no point ordering one, it'll be obsolete by the time it arrives". Relatively shortly thereafter, that lineup of Teslas would have been obsolete on the day each one arrived, and nobody would buy them anymore.

It's not like Tesla can't afford a bad quarter. $100M is a hell of a lot cheaper than "our company is now worthless because we failed to stay relevant in this rapidly growing and advancing industry, squandering our position at the top of it". They can absorb a hit like that, even a number of hits like that.

I'll pass on that business plan.

Well, I guess that explains why you aren't a self-made multi-billionaire, doesn't it?
