Ted Unangst wrote a good article called "analysis of openssl freelist reuse"
This bug would have been utterly trivial to detect when introduced had the OpenSSL developers bothered testing with a normal malloc (not even a security focused malloc, just one that frees memory every now and again). Instead, it lay dormant for years until I went looking for a way to disable their Heartbleed accelerating custom allocator.
it's a very good read.
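As an added illustration (not code from Ted Unangst's article or from OpenSSL), a toy arena with two free strategies: a LIFO freelist that hands the same block straight back with its bytes intact, and a stand-in for an ordinary malloc, modelled here as one that clobbers freed memory. The same stale read through a released pointer is masked by the first and exposed by the second; the arena, block size and "session-secret" payload are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Toy arena shared by both free strategies (constructed for this example). */
#define BLOCK   16
#define NBLOCKS 4

static unsigned char arena[NBLOCKS * BLOCK];
static unsigned char *freelist[NBLOCKS];   /* LIFO stack of free blocks */
static int nfree;

static void reset_arena(void) {
    memset(arena, 0, sizeof arena);
    nfree = 0;
    for (int i = NBLOCKS - 1; i >= 0; i--)
        freelist[nfree++] = arena + i * BLOCK;   /* block 0 ends up on top */
}

static unsigned char *toy_alloc(void) { return nfree ? freelist[--nfree] : NULL; }

/* Freelist-style free: the block goes straight back on top, contents untouched,
 * so the very next allocation returns the same bytes the caller just "released". */
static void recycling_free(unsigned char *p) { freelist[nfree++] = p; }

/* Stand-in for an ordinary malloc whose freed memory does not keep its old
 * contents; modelled here by clobbering the block before returning it. */
static void plain_free(unsigned char *p) { memset(p, 0xDD, BLOCK); freelist[nfree++] = p; }

/* The buggy pattern: keep reading a buffer after handing it back.
 * Returns 1 if the stale read still sees the original data (bug masked),
 * 0 if it sees clobbered bytes (bug visible). */
static int stale_read_sees_secret(int recycling) {
    static const char secret[] = "session-secret";
    reset_arena();
    unsigned char *buf = toy_alloc();
    memcpy(buf, secret, sizeof secret);
    if (recycling) recycling_free(buf); else plain_free(buf);
    unsigned char *reused = toy_alloc();   /* hands back the same block */
    (void)reused;
    return memcmp(buf, secret, sizeof secret) == 0;   /* use after "free" */
}

int main(void) {
    printf("freelist reuse masks stale read: %s\n", stale_read_sees_secret(1) ? "yes" : "no");
    printf("plain free masks stale read:     %s\n", stale_read_sees_secret(0) ? "yes" : "no");
    return 0;
}
```

Running the recycling path under a memory checker would show nothing wrong, which is exactly why the defect stayed hidden until the custom allocator was disabled.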
I wasn't considering the time spent shopping for books, whether on an online site or in a store, but the overall time I have to read. Besides, browsing the store is part of the fun, not a chore. I basically count that as part of my reading time.
Welcome to the minority you share with the employees at Amazon HQ.
What minority? Most people do work or have other income sources (even though unemployment is alarmingly high the world over). And my income is slightly less than the average for people my age where I live.
My point was that books are not an expensive indulgence; not in absolute terms and not compared to other everyday extras ranging from movie tickets, coffee-shop coffee or music buys, to weekend beers or tobacco.
I'm not saying the price difference doesn't matter for anybody, or for any kind of book. I am saying that for many people the limit for book buying is not how many books you can afford, but how many you have time to read. And after all, if you're hard up for cash, used book stores or the library are excellent sources for reading material as well, and cheaper still than Amazon.
After you browsed through the real bookstores, where did you buy them?
I usually both browse and buy at real bookstores. In fact, I sometimes browse on Amazon (the ratings are very useful), then buy at the bookstore.
Why? Because even when the price difference is large, the absolute price is still quite low. Besides, these days the price difference often isn't actually very large anymore, once you add the cost of shipping. The difference may be that of a plain cup of coffee or less for a book I may spend weeks enjoying. And I can get the book right then, right there, not have to wait for shipping and schedule a pick-up time.
I work and I have disposable income. I don't, however, have a lot of free time. I can buy far more books than I will ever have time to read without making much of a dent in my personal play money. The limit is not money but time. Books I can't find elsewhere I order from Amazon or Rakuten, but otherwise I prefer the physical store.
Try SpiderOak. Free 2 GB, zero-knowledge, secure. Works on a load of OSs and devices.
I'm a completely satisfied customer.
Theo de Raadt should fork OpenSSL. He could call it OpenOpenSSL.
OK guys. We've promoted Open Source for decades. We have to own up to our own problems.
This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.
But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.
"The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts."