One week of OpenSSL cleanup

Submitted by CrAlt
CrAlt (3208) writes "After the news of heartbleed broke early last week, the OpenBSD team dove in and started axing it up into shape. Leading this effort are Ted Unangst (tedu@) and Miod Vallat (miod@), who are head-to-head on a pure commit count basis with both having around 50 commits in this part of the tree in the week since Ted's first commit in this area. They are followed closely by Joel Sing (jsing@) who is systematically going through every nook and cranny and applying some basic KNF. Next in line are Theo de Raadt (deraadt@) and Bob Beck (beck@) who've been both doing a lot of cleanup, ripping out weird layers of abstraction for standard system or library calls.

Then Jonathan Gray (jsg@) and Reyk Flöter (reyk@) come next, followed by a group of late starters. Also, an honorable mention for Christian Weisgerber (naddy@), who has been fixing issues in ports related to this work.

All combined, there've been over 250 commits cleaning up OpenSSL. In one week. Some of these are simple or small changes, while other commits carry more weight. Of course, occasionally mistakes get made, but these are also quickly fixed again, and the general direction is clear: move the tree forward towards a better, more readable, less buggy crypto library.

Check them out at http://anoncvs.estpak.ee/cgi-b..."


Bug Bounties Don't Help If Bugs Never Run Out 234

Posted by Soulskill
from the trying-to-bail-the-ocean dept.
Bennett Haselton writes: "I was an early advocate of companies offering cash prizes to researchers who found security holes in their products, so that the vulnerabilities can be fixed before the bad guys exploited them. I still believe that prize programs can make a product safer under certain conditions. But I had naively overlooked that under an alternate set of assumptions, you might find that not only do cash prizes not make the product any safer, but that nothing makes the product any safer — you might as well not bother fixing certain security holes at all, whether they were found through a prize program or not." Read on for the rest of Bennett's thoughts.

Comment: Re:*Yawn* I'll Wait for the Mint Edition (Score -1) 173

by YourMissionForToday (#46782637) Attached to: Ubuntu Linux 14.04 LTS Trusty Tahr Released

Yes, it's in one monolithic file.

Try making a minor typo in the syntax, then restart networking. You will lose all network connectivity on ALL interfaces.

Fix your typo and try to start networking again. It won't work until you reboot.

Or you can try adding your config to one of the seemingly infinite network config subdirectories (ifup.d, post-ifup.d, etc). Make the same typo anywhere in the subdirectories and you'll still mess up all networking and have to reboot.

I guess this is acceptable if you haven't used any OS besides Windows 98. For the rest of us it's maddening.

Comment: Not a surprise, but no reflection of O/S vs Prop. (Score 4, Insightful) 132

by RonBurk (#46774511) Attached to: Code Quality: Open Source vs. Proprietary

First, we shouldn't confuse Coverity's numerical measurements with actual code quality, which is a much more nuanced property.

Second, this report can't compare open source to proprietary code, even on the narrow measure of Coverity defect counts. In the open source group, the cost of the tool is zero (skewing the sample versus the commercial world) and Coverity reserved the rights to reveal data. Would commercial customers behave differently if they were told Coverity might reveal to the world their Coverity-alleged-defect data?

Again, having good Coverity numbers can't be presumed to be causally related to quality. For example, Coverity failed to detect the "heartbleed" bug, demonstrating that the effect of bugs on quality is very nonlinear. 10 bugs is not always worse than 1 bug; it depends on what that one bug is.

Comment: Re:Ukraine's borders were changed by use of force (Score 1) 303

by gmhowell (#46764195) Attached to: Is Crimea In Russia? Internet Companies Have Different Answers

Honestly I don't get the stance of some ppl from the US against Russia.
Russia is the best friend and has been the most loyal, the strongest and the most valuable ally for the USA. Really. At times of apocalyptic events Russians and Americans stood together. It was before and it may be again when we have to save the Earth itself. Nobody can help the US but Russia when things get hot. Alienating Russians is what makes things worse.

Those things are called movies. The space aliens didn't really invade Earth.

Idiot, he was referring to the documentary about the asteroid that they blew up with the nuke. You know, when Daredevil makes out with Arwen.

Comment: Re:Shareholders profits? (Score 1) 146

by gmhowell (#46764147) Attached to: How Amazon Keeps Cutting AWS Prices: Cheapskate Culture

Replying to myself: I assumed they would cut expenses to feed the shareholders but I was wrong. TFA explains:

Amazon generated a whopping $74.45 billion in revenue for its financial year to 31 December 2013, but just $274 million in net income, a margin of roughly 0.3 percent. It sells Kindles at cost.

Compare this with Google, which saw net income of $12.9 billion on revenues of $59.8 billion for the year to 31 December 2013, a margin of 21.6 percent; or to Microsoft, which posted revenue of $77.9 billion for the year to 30 June, with net income of $21.9 billion, a margin of 28.1 percent.

Question is: how do they manage to make shareholders accept that?

I'm guessing the investors expect Amazon to become and stay the Walmart of the internet (or perhaps the Sears and Roebuck from catalog days) and be able to either ramp up margins or pay them at that level for a LONG time.

Comment: Re:Why is this crap on the internet (Score 1) 95

by gmhowell (#46762409) Attached to: Lack of US Cybersecurity Across the Electric Grid

It was actually wishful thinking rather than faith. I've seen the same things you describe. I've also seen where things like this are swept under the rug forever. Then, the root cause analysis comes back and people flip shit because nothing was done about it in the past. Well, nothing other than ignore the recommendations of us morlocks...
