Nice anecdote, but there's plenty of scientific evidence
You simply tell everyone that there is a vulnerability, but you do not tell them any details about what the vulnerability is. Instead, you simply announce a release date & time for a patch.
This is brilliant, and I'm kicking myself for not having thought of it.
The only problem I can see is that of whether the average repair-averse manager can be properly jolted by a good-faith announcement. Businesses often prefer PR bullshit to actual repairs, and will only invest in proper repairs if they're going to be utterly humiliated otherwise, and if they see no other way out. It's not unheard of for security researchers to be threatened with lawsuits should they disclose, for instance.
Even if this were to happen though, it would still be the responsible course of action for the developers/security researchers. That way there'd at least be no 'Well, we did all we could' weaseling on the part of vulnerable websites.
2-year use of the bug
Got a source for that? They might like to be (perceived to be) omniscient, but there's at least a chance that they're not.
There was some exploitation of the bug very soon after disclosure, but I can't see a way to win here. You can't tell everyone about the bug without telling the bad guys...
I thought it was an unchecked memcpy that was at fault, but you're not the only one I've seen mention memory-management weirdness. Would using ordinary malloc/free have prevented this?
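As an added example (not code from this thread, and not OpenSSL's own code), here is a toy TLS-heartbeat handler that shows what an unchecked memcpy of a peer-supplied length looks like, next to the bounds-checked version. The record layout ([type:1][length:2, big-endian][payload]) follows RFC 6520; the `heap` array, the `secret` string and all function names are constructed for the demo. The point the example makes is that ordinary malloc/free would not have helped: the over-read happens inside whatever memory sits after the record, not because of how that memory was allocated.

```c
/* Added example: Heartbleed-style unchecked memcpy beside the fixed version.
 * Record layout (RFC 6520): [type:1][payload_length:2 big-endian][payload...].
 * `heap` is a constructed stand-in for the process heap: the heartbeat record
 * sits at its start and a constructed secret follows it, so an over-read copies
 * the secret instead of crashing. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_HDR_LEN 3          /* 1 byte type + 2 bytes payload length */
#define HEAP_LEN   128

static unsigned char heap[HEAP_LEN];                  /* constructed "heap" */
static const char secret[] = "session-cookie=deadbeef"; /* constructed secret */

/* Build a heartbeat record in heap[] whose length field claims `claimed`
 * payload bytes while only `actual` bytes are really present. The secret is
 * placed directly after the record, as adjacent heap data would be.
 * Returns the real record length (header + actual payload). */
size_t build_record(uint16_t claimed, size_t actual) {
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                                   /* heartbeat_request */
    heap[1] = (unsigned char)(claimed >> 8);
    heap[2] = (unsigned char)(claimed & 0xff);
    memset(heap + HB_HDR_LEN, 'A', actual);
    memcpy(heap + HB_HDR_LEN + actual, secret, sizeof secret);
    return HB_HDR_LEN + actual;
}

/* Vulnerable: trusts the peer-supplied length and copies that many bytes.
 * rec_len (what was actually received) is never consulted: that is the bug. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (claimed > out_cap) return -1;        /* only protects the destination */
    memcpy(out, rec + HB_HDR_LEN, claimed);  /* over-reads the source */
    return (int)claimed;
}

/* Fixed: the claimed length must fit inside the record actually received.
 * RFC 6520 says a heartbeat failing this check is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed > rec_len - HB_HDR_LEN) return -1; /* the missing check */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, claimed);
    return (int)claimed;
}

/* Leak detector for the demo: does the echoed response contain the secret? */
int leaks_secret(const unsigned char *out, int n) {
    size_t slen = strlen(secret);
    if (n < 0) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

/* Request claims 64 payload bytes but carries 4: the vulnerable handler
 * echoes 64 bytes, which include the adjacent secret. Returns 1 if leaked. */
int demo_vulnerable_leaks(void) {
    unsigned char resp[HEAP_LEN];
    size_t rec_len = build_record(64, 4);
    int n = heartbeat_vulnerable(heap, rec_len, resp, sizeof resp);
    return leaks_secret(resp, n);
}

/* Same malformed request against the fixed handler: returns -1 (discarded). */
int demo_fixed_rejects(void) {
    unsigned char resp[HEAP_LEN];
    size_t rec_len = build_record(64, 4);
    return heartbeat_fixed(heap, rec_len, resp, sizeof resp);
}

/* An honest request (claims 4, carries 4) is still answered by the fixed
 * handler: returns the 4 echoed bytes. */
int demo_fixed_accepts_honest(void) {
    unsigned char resp[HEAP_LEN];
    size_t rec_len = build_record(4, 4);
    return heartbeat_fixed(heap, rec_len, resp, sizeof resp);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler result for malformed request: %d\n", demo_fixed_rejects());
    printf("fixed handler bytes echoed for honest request: %d\n", demo_fixed_accepts_honest());
    return 0;
}
```

The only difference between the two handlers is the one comparison of the claimed length against the bytes actually received; the allocator is irrelevant to it, which is why switching to plain malloc/free would not have closed this bug on its own.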
"Well shit, fuck me for trying. If you think you can do better - please do."
I, for one, would welcome new safe-programming-language-using overlords.
Apparently crypto in Ada need not be any slower than crypto in C. The programming language is just one piece of the puzzle of course (it wouldn't fix the lack of serious code scrutiny), but it would be a much more appropriate choice than C.
(I don't mean to trivialise the OpenSSL project, but if a safer alternative did exist, I'd be all for it.)
I'm surprised I haven't yet heard whether today's static-analysis/dynamic-analysis tools would have caught the Heartbleed bug.
What the NSA does with itself in the privacy of its comically failed oversight process is its own business.
No matter what he believes, he can be tolerant of what you believe in.
Let's be clear here, as you appear to have forgotten the significance of his actions: the man donated money to try to deny gays their equal rights. That's what a thousand dollars against gay marriage actually signifies. 'He can still be tolerant' doesn't even enter the equation - we know for a fact he is not!
Let's imagine a brief conversation:
Gay man: I hope to marry my long-term boyfriend just as soon as it's legal. We can hardly wait.
Eich: Yeah? I really hope the government continues to deny you two the right to marry.
Gay man: Oh, but you respect what we believe in, right?
Eich: Yeah, sure, I just advocate a law which doesn't.
No, Eich is not 'tolerant of what others believe'. Whether a gay couple wish to get married does not affect him in the slightest, yet he wants government policy to forbid them from doing so.
It is not a 'bigoted opinion' or 'bigoted cause' because no matter what he believes in he can be willing to tolerate your difference of opinion.
No. Not in any even vaguely meaningful sense. If neither personal belief nor personal action can qualify one as a bigot, what on Earth can? This is surely exactly analogous to saying a man who donates money to revoke the ability for black people to get married isn't necessarily a racist, no?
Being tolerant to the intolerant may be the harder path, but it is the path to a civil society.
Ah, the Paradox of Tolerance. (Which only applies if you concede that Eich is intolerant.) I agree on some level - where do we draw the line between an unusual opinion and one which ought to be punished? - but I'll shed no tears for Eich, and I would have no problem with, say, a neo-Nazi being passed-over for CEO.
Wootery says with a hint of disdain.
Wootery can see it comes off that way, but 'planned obsolescence' really is the correct term.
I hoped 'Depending on how you look at it' would clarify that I'm not set against payware closed-source software.
their free email goes down for an hour
GMail (and co) isn't free. You pay in privacy for directed advertising, rather than money, and as Eben Moglen has persuasively argued, the price of privacy should not be treated as transactional, but rather as ecological: Google now knows not only intimate details about you, but also about everyone with whom you communicate via email.
They even trump holistic healers and political/religious leaders/zealots.
I don't think that's necessarily the same crowd as the audiophiles and wine-tasters...
(Granted it's a similar form of bullshit: the kind which, in a happier alternate universe, is illegal by means of false-advertising law.)
This seems the right way to run things: require that innovation go through the 'proper route' of becoming an industry standard.
This depends on just how far we run with 'just for the sake of it'.
They both have perfect/near-perfect X11 backward compatibility. Not quite the same as demanding that all that business-critical COBOL be rewritten in Scala.
(Apparently Ubuntu had hopes to phase out the X11 compatibility, though.)
Proprietary software can be done right, with minimal effort to support it for decades.
Citation needed. Even if the software is near-perfect, you'll still need to have people on-staff who are familiar with the decades-old software. This alone surely makes it non-easy.
Not to mention it opposes Microsoft's business-model of planned obsolescence.
Depending on how you look at it, this can be either:
In addition, it would help the Wine and ReactOS projects enormously (indeed, it would render ReactOS rather pointless), and would harm Microsoft's 'lock-in'. A Free-and-Open-Source fork of Windows could do violence to Microsoft's prospects.
(I guess in doing so it might take away one reason to move to Linux, and so perhaps drive custom to Microsoft's ecosystems, but ultimately I doubt it would play out in MS's favour.)
It would be interesting to see how many new exploits could be uncovered by making the source public, though - a high-profile, real-world test of 'more eyeballs'/security-through-obscurity.
Man is the best computer we can put aboard a spacecraft ... and the only one that can be mass produced with unskilled labor. -- Wernher von Braun