Comment: Re:Go after the people who write the software (Score 1) 44

by PhilHibbs (#46778961) Attached to: 5-Year Suspended Sentence For S. Africa's First Online Pirate

There should be no analogies, as comparing software to the real world means you're profoundly ignorant to begin with.

Software is real. It's part of the world. Same as the internet - it isn't a "cyberspace", it's people sitting at keyboards, and servers in real places, with actual cables between. And laws apply to those people, servers, cables, and software. And analogies apply equally well and equally badly between software and the rest of the world as they do between other parts of the rest of the world. Some analogies are useful, some less so. Just because it's "software" doesn't make it, and the processes that produce it, magically immune to logical, ethical, and legal analysis.

Comment: Re:Original premise is false (Score 1) 580

by PhilHibbs (#46767895) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

I was probably over-optimistic when I said "finding bugs like this is easy to automate". What this would probably need is runtime access checking turned on, and a test case that has mismatched lengths. The latter would require the tester to implement what I call C4 tests, or "comprehensive corner case coverage".

Comment: Re:Original premise is false (Score 1) 580

by PhilHibbs (#46764887) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Not true. Writing code is very hard to automate. Finding bugs like this is easy to automate. In fact, the OpenSSL team specifically turned off all the memory overrun checks on all platforms, because some platforms have performance problems with them. So, the automated checks should have spotted this problem (at run time, rather than compile time, but there are other tools for that), but they were turned off.
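The two comments above argue that a length-mismatch bug is caught by a bounds check at run time plus a test case whose declared length disagrees with the bytes actually sent. The following is an added example written for this page (not OpenSSL's code and not the commenter's), using a hypothetical three-byte record header that is constructed here: one type byte followed by a big-endian declared payload length. The parser refuses to copy anything unless the declared length matches what was actually received, and the test harness is the "comprehensive corner case coverage" the comment describes, feeding honest, over-declared, under-declared and header-only records.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example (not OpenSSL's):
 *   byte 0     : record type
 *   bytes 1-2  : declared payload length, big-endian
 *   bytes 3... : payload
 */
#define HDR_LEN   3
#define ECHO_CAP  64

enum echo_status {
    ECHO_OK           =  0,
    ECHO_ERR_SHORT    = -1,   /* fewer bytes than a header, or NULL argument */
    ECHO_ERR_MISMATCH = -2,   /* declared length != bytes actually present */
    ECHO_ERR_TOO_LONG = -3    /* payload would not fit the output buffer */
};

/* Copy the record's payload into out, but only when the declared length is
 * consistent with the number of bytes actually received and with out_cap.
 * Returns ECHO_OK and sets *out_len on success, a negative status otherwise. */
int echo_record(const uint8_t *rec, size_t rec_len,
                uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec == NULL || out == NULL || out_len == NULL)
        return ECHO_ERR_SHORT;
    if (rec_len < HDR_LEN)
        return ECHO_ERR_SHORT;

    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* The check under discussion: trust the bytes on the wire, not the
     * length field. Any disagreement is a malformed record, not a hint. */
    if (declared != rec_len - HDR_LEN)
        return ECHO_ERR_MISMATCH;
    if (declared > out_cap)
        return ECHO_ERR_TOO_LONG;

    memcpy(out, rec + HDR_LEN, declared);
    *out_len = declared;
    return ECHO_OK;
}

/* Build a record in buf with an arbitrary declared length and an arbitrary
 * number of real payload bytes, so a test can make the two disagree. */
static size_t build_record(uint8_t *buf, size_t cap,
                           uint16_t declared, size_t actual)
{
    if (cap < HDR_LEN + actual) return 0;
    buf[0] = 0x01;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memset(buf + HDR_LEN, 'A', actual);
    return HDR_LEN + actual;
}

/* "Comprehensive corner case coverage" for the length field: honest,
 * empty, over-declared, under-declared, header-only and oversized records.
 * Returns the number of cases whose result differed from the expectation. */
int run_c4_length_tests(void)
{
    struct { uint16_t declared; size_t actual; int expect; } cases[] = {
        { 16,    16, ECHO_OK },            /* honest record */
        { 0,      0, ECHO_OK },            /* empty payload, consistent */
        { 65535, 16, ECHO_ERR_MISMATCH },  /* over-declared: would read past the buffer */
        { 4,     16, ECHO_ERR_MISMATCH },  /* under-declared: silently drops data */
        { 1,      0, ECHO_ERR_MISMATCH },  /* claims one byte, sends none */
    };
    uint8_t rec[HDR_LEN + 32], out[ECHO_CAP];
    size_t out_len, n;
    int failures = 0;

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        n = build_record(rec, sizeof rec, cases[i].declared, cases[i].actual);
        if (echo_record(rec, n, out, sizeof out, &out_len) != cases[i].expect)
            failures++;
    }
    /* header-only edge case: two bytes can never carry a length field */
    if (echo_record(rec, 2, out, sizeof out, &out_len) != ECHO_ERR_SHORT)
        failures++;
    /* consistent record that is simply larger than the caller's buffer */
    n = build_record(rec, sizeof rec, 16, 16);
    if (echo_record(rec, n, out, 8, &out_len) != ECHO_ERR_TOO_LONG)
        failures++;
    return failures;
}

int main(void)
{
    int failures = run_c4_length_tests();
    printf("length corner-case tests: %d failure(s)\n", failures);
    return failures != 0;
}
```

The point of the harness is the over-declared case: without the equality check, a parser that believed the length field would read and echo memory beyond the bytes it was handed, and only a run-time bounds checker (or this kind of deliberately inconsistent test input) would flag it.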

Comment: Re:Bloody Idiot (Score 1) 586

by PhilHibbs (#46746471) Attached to: Jenny McCarthy: "I Am Not Anti-Vaccine'"

I watched that Penn and Teller piece with the glass wall, and although it's entertaining, it's statistically misleading, which is unforgiveable in that context.

They knocked over a single pin and said that that was representative of any potential link with autism. They then went on to throw balls to represent all the different diseases that vaccines protect against. But the "cost" of all vaccines was only counted once. The "benefit" of vaccine protection was counted dozens of times.

The implication is that that one pin being knocked over is the only thing that can happen for all of the vaccines against the diseases that they mentioned. Maybe that is statistically representative, I'd like to know. I am pro-vaccine, but I'm also pro-telling-it-straight, which they did not.

Comment: Re:The vessel matters (Score 1) 586

by PhilHibbs (#46746397) Attached to: Jenny McCarthy: "I Am Not Anti-Vaccine'"

If taking faith out of the equation, namely the belief that "all deaths are bad", the picture becomes less clear.

Is culling of the herd necessarily a bad thing for humanity in the long perspective?

Faith is not necessary in order to hold all human life to be precious. As an agnostic-almost-atheist (in that you cannot prove a negative) I am actually rather offended at the suggestion.

Comment: Re:Sloppy code (Score 1) 445

by PhilHibbs (#46723317) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

If some software that is released has problems, people should point it out. If a development process is flawed, people should point it out. If you work in open source software, specifically in security software, you should be prepared for people to criticize both your code and your development and testing safeguards. Maybe billrp could do better. Maybe (unlikely) I could do better. Maybe a hundred people on Slashdot could do better. But do we really want a hundred different open source SSL implementations all written by unknown people? That would not help the situation at all. Maybe all we need is one competing implementation by a different team with different methods, and maybe enough people saying "OpenSSL is not up to the job" might just inspire someone to build that team.

Free and open criticism is vital in security software. Nobody should ever be told to shut up about this kind of thing.

Comment: Re:He's sorry now ... (Score 1) 445

by PhilHibbs (#46723261) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

https://www.openssl.org/source...

If you never agreed to that license, you're violating their copyright.

You're only violating their copyright if you distribute it. If I legally acquire a copy of a piece of software, I can use it without agreeing to any other stipulations. Depending on jurisdiction, of course, different legal systems may rule in different ways on that point. And I'm not sure what the jurisdiction that this guy lives in has said about it.

The GPL has a specific clause pointing this out, and it's there because the authors of the GPL believe that they have no authority to prevent you from using their software. I agree with them. It always amuses me when GPL'd software contains a clickthrough insisting that you press an "Agree" button, when the licence specifically says that no such agreement is necessary.
