Forgot your password?

Comment: Ted Unangst's article (Score 4, Informative) 287

by grub (#46758065) Attached to: OpenBSD Team Cleaning Up OpenSSL

Ted Unangst wrote a good article called "analysis of openssl freelist reuse"

His analysis:

This bug would have been utterly trivial to detect when introduced had the OpenSSL developers bothered testing with a normal malloc (not even a security focused malloc, just one that frees memory every now and again). Instead, it lay dormant for years until I went looking for a way to disable their Heartbleed accelerating custom allocator.

it's a very good read.

Comment: Re:I prefer to browse real bookstores (Score 2) 83

by JanneM (#46744263) Attached to: Seattle Bookstores Embrace

Welcome to the minority you share with the employees at Amazon HQ.

What minority? Most people do work or have other income sources (even though unemployment is alarmingly high the world over). And my income is slightly less than the average for people my age where I live.

My point was that books are not an expensive indulgence; not in absolute terms and not compared to other everyday extras ranging from movie tickets, coffee-shop coffe or music buys, to weekend beers or tobacco.

I'm not saying the price difference doesn't matter for anybody, or for any kind of book. I am saying that for many people the limit for book buying is not how many books you can afford, but how many you have time to read. And after all, if you're hard up for cash, used book stores or the library are excellent sources for reading material as well, and cheaper still than Amazon.

Comment: Re:I prefer to browse real bookstores (Score 2) 83

by JanneM (#46744129) Attached to: Seattle Bookstores Embrace

After you browsed through the real bookstores, where did you buy them?

I usually both browse and buy at real bookstores. In fact, I sometimes browse on Amazon (the ratings are very useful), then buy at the bookstore.

Why? Because even when the price difference is large, the absolute price is still quite low. Besides, these days the price difference often isn't actually very large anymore, once you add the cost of shipping. The difference may be that of a plain cup of coffee or less for a book I may spend weeks enjoying. And I can get the book right then, right there, not have to wait for shipping and schedule a pick-up time.

I work and I have disposable income. I don't, however, have a lot of free time. I can buy far more books than I will ever have time to read without making much of a dent in my personal play money. The limit is not money but time. Books I can't find elsewhere I order from Amazon or Rakuten, but otherwise I prefer the physical store.

Comment: Re:It's time we own up to this one (Score 1) 149

by Bruce Perens (#46730395) Attached to: NSA Allegedly Exploited Heartbleed
I think we need to take a serious look at the "many eyes" theory because of this. Apparently, there were no eyes on the part of parties that did not wish to exploit the bug for close to two years. And wasn't there just a professional audit by Red Hat that caught another bug, but not this one?

Comment: Re:It's time we own up to this one (Score 3, Informative) 149

by Bruce Perens (#46729769) Attached to: NSA Allegedly Exploited Heartbleed
I'd say more than just the "community". We have a great many companies that incorporate this software and generate billions from the sales of applications or services incorporating it, without returning anything to its maintenance.I think it's a sensible thing to ask Intuit, for example: "What did you pay to help maintain OpenSSL?". And then go down the list of companies.

Comment: It's time we own up to this one (Score 4, Insightful) 149

by Bruce Perens (#46729661) Attached to: NSA Allegedly Exploited Heartbleed

OK guys. We've promoted Open Source for decades. We have to own up to our own problems.

This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.

But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.

+ - NSA said to have used Heartbleed bug for years->

Submitted by grub
grub (11606) writes "The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts."

Link to Original Source

"I have just one word for you, my boy...plastics." - from "The Graduate"