
Comment: Re:Telling Everyone without Telling the Bad Guys (Score 1) 80

by Wootery (#46813509) Attached to: Heartbleed Pricetag To Top $500 Million?

You simply tell everyone that there is a vulnerability, but you do not tell them any details about what the vulnerability is. Instead, you simply announce a release date & time for a patch.

This is brilliant, and I'm kicking myself for not having thought of it.

The only problem I can see is that of whether the average repair-averse manager can be properly jolted by a good-faith announcement. Businesses often prefer PR bullshit to actual repairs, and will only invest in proper repairs if they're going to be utterly humiliated otherwise, and if they see no other way out. It's not unheard of for security researchers to be threatened with lawsuits should they disclose, for instance.

Even if this were to happen though, it would still be the responsible course of action for the developers/security researchers. That way there'd at least be no 'Well, we did all we could' weaseling on the part of vulnerable websites.

Comment: Re:2 years of NSA usage .. price way to low (Score 1) 80

by Wootery (#46807531) Attached to: Heartbleed Pricetag To Top $500 Million?

2 year use of the bug

Got a source for that? They might like to be (perceived to be) omniscient, but there's at least a chance that they're not.

Looking at Wikipedia, it hardly seems certain that there was exploitation of the bug prior to the disclosure, or that the NSA knew.

There was some exploitation of the bug very soon after disclosure, but I can't see a way to win here. You can't tell everyone about the bug without telling the bad guys...

Comment: Re:Whatever you may think ... (Score 1) 446

by Wootery (#46723303) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

"Well shit, fuck me for trying. If you think you can do better - please do."

I, for one, would welcome new safe-programming-language-using overlords.

Apparently crypto in Ada need not be any slower than crypto in C. The programming language is just one piece of the puzzle of course (it wouldn't fix the lack of serious code scrutiny), but it would be a much more appropriate choice than C.

(I don't mean to trivialise the OpenSSL project, but if a safer alternative did exist, I'd be all for it.)

I'm surprised I haven't yet heard whether today's static-analysis/dynamic-analysis tools would have caught the Heartbleed bug.
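As an added illustration of the bug class the comment above refers to (constructed for this page; not OpenSSL's code and not the commenter's): a simplified heartbeat-style record with a peer-supplied length field, parsed once without consulting the record's real size and once with the check. The record layout (1-byte type, 2-byte big-endian length, payload), the function names and the sample records are all assumptions. The explicit comparison in the checked variant is the one a bounds-checked language performs implicitly on every array access, and the unchecked variant is the pattern a taint-aware analyser would flag: an untrusted length driving a copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not OpenSSL code. A simplified heartbeat-style record:
 * 1 byte type, 2 byte big-endian payload length, then the payload bytes.
 * The peer supplies the length field, so it is attacker-controlled input. */
#define HB_HEADER 3

/* The bug class: the declared length is taken at face value and the record's
 * real size is never consulted, so a later copy of 'declared' bytes would read
 * past the data that was actually received. (Returns the claim only; it never
 * performs the over-read.) */
size_t payload_len_unchecked(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;                               /* real size ignored: the defect */
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened form: the declared length must fit inside the bytes received and
 * inside the caller's buffer, otherwise the record is rejected (-1). */
int copy_payload_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec == NULL || out == NULL || out_len == NULL) return -1;
    if (rec_len < HB_HEADER) return -1;          /* no room for a header */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > rec_len - HB_HEADER) return -1;   /* claim exceeds data present */
    if (declared > out_cap) return -1;               /* would overflow 'out' */
    memcpy(out, rec + HB_HEADER, declared);
    *out_len = declared;
    return 0;
}

/* Constructed sample records (hypothetical, not captured traffic). */
static const uint8_t VALID_REC[]    = {1, 0x00, 0x03, 'a', 'b', 'c'}; /* claims 3, has 3 */
static const uint8_t OVERLONG_REC[] = {1, 0xFF, 0xFF, 'a'};           /* claims 65535, has 1 */

/* Helpers so each outcome is available as a return value. */
int demo_checked_accepts_valid(void) {
    uint8_t out[16]; size_t n = 0;
    if (copy_payload_checked(VALID_REC, sizeof VALID_REC, out, sizeof out, &n) != 0) return -1;
    return (int)n;                               /* 3 */
}

int demo_checked_rejects_overlong(void) {
    uint8_t out[16]; size_t n = 0;
    return copy_payload_checked(OVERLONG_REC, sizeof OVERLONG_REC, out, sizeof out, &n); /* -1 */
}

size_t demo_unchecked_trusts_claim(void) {
    return payload_len_unchecked(OVERLONG_REC, sizeof OVERLONG_REC);   /* 65535 */
}

int main(void) {
    printf("checked, valid record   -> %d payload bytes\n", demo_checked_accepts_valid());
    printf("checked, overlong claim -> %d (rejected)\n", demo_checked_rejects_overlong());
    printf("unchecked, overlong claim -> would copy %zu bytes from a 4-byte record\n",
           demo_unchecked_trusts_claim());
    return 0;
}
```

The only difference between the two parsers is the comparison of the declared length against the bytes actually received; a memory-safe language refuses the out-of-range access at that point whether or not the programmer remembered the check, which is the sense in which the comment above says the language is one piece of the puzzle.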

Comment: Re:Are people not allowed to have opinions? (Score 1) 1482

by Wootery (#46699817) Attached to: OKCupid Warns Off Mozilla Firefox Users Over Gay Rights

No matter what he believes, he can be tolerant of what you believe in.

Let's be clear here, as you appear to have forgotten the significance of his actions: the man donated money to try to deny gays their equal rights. That's what a thousand dollars against gay marriage actually signifies. 'He can still be tolerant' doesn't even enter the equation - we know for a fact he is not!

Let's imagine a brief conversation:

Gay man: I hope to marry my long-term boyfriend just as soon as it's legal. We can hardly wait.

Eich: Yeah? I really hope the government continues to deny you two the right to marry.

Gay man: Oh, but you respect what we believe in, right?

Eich: Yeah, sure, I just advocate a law which doesn't.


No, Eich is not 'tolerant of what others believe'. Whether a gay couple wish to get married does not affect him in the slightest, yet he wants government policy to forbid them from doing so.

It is not a 'bigoted opinion' or 'bigoted cause' because no matter what he believes in he can be willing to tolerate your difference of opinion.

No. Not in any even vaguely meaningful sense. If neither personal belief nor personal action can qualify one as a bigot, what on Earth can? This is surely exactly analogous to saying a man who donates money to revoke the ability for black people to get married isn't necessarily a racist, no?

Being tolerant to the intolerant may be the harder path, but it is the path to a civil society.

Ah, the Paradox of Tolerance. (Which only applies if you concede that Eich is intolerant.) I agree on some level - where do we draw the line between an unusual opinion and one which ought to be punished? - but I'll shed no tears for Eich, and I would have no problem with, say, a neo-Nazi being passed-over for CEO.

Comment: Re:Where do you draw the line? (Score 1) 650

by Wootery (#46699557) Attached to: Should Microsoft Be Required To Extend Support For Windows XP?

Wootery says with a hint of disdain.

Wootery can see it comes off that way, but 'planned obsolescence' really is the correct term.

I hoped 'Depending on how you look at it' would clarify that I'm not set against payware closed-source software.

their free email goes down for an hour

GMail (and co) isn't free. You pay in privacy for directed-advertising, rather than money, and as Eben Moglen has persuasively argued, the price of privacy should not be treated as transactional, but rather as ecological: Google now knows not only intimate details about you, but also about everyone with whom you communicate via email.

Comment: Re:Moo (Score 3, Informative) 469

They even trump holistic healers and political/religious leaders/zealots.

I don't think that's necessarily the same crowd as the audiophiles and wine-tasters...

(Granted it's a similar form of bullshit: the kind which, in a happier alternate universe, is illegal by means of false-advertising law.)

Comment: Re:software (Score 1) 169

by Wootery (#46688035) Attached to: Fifty Years Ago IBM 'Bet the Company' On the 360 Series Mainframe

This depends on just how far we run with 'just for the sake of it'.

They both have perfect/near-perfect X11 backward compatibility. Not quite the same as demanding that all that business-critical COBOL be rewritten in Scala.

(Apparently Ubuntu had hopes to phase out the X11 compatibility, though.)

Comment: Re:Complete access and indefinite support for free (Score 1) 650

by Wootery (#46683175) Attached to: Should Microsoft Be Required To Extend Support For Windows XP?

Proprietary software can be done right, with minimal effort to support it for decades.

(Emphasis mine)

Citation needed. Even if the software is near-perfect, you'll still need to have people on-staff who are familiar with the decades-old software. This alone surely makes it non-easy.

Comment: Re:Where do you draw the line? (Score 1) 650

by Wootery (#46682829) Attached to: Should Microsoft Be Required To Extend Support For Windows XP?

Not to mention it opposes Microsoft's business-model of planned obsolescence.

Depending on how you look at it, this can be either:

  * They want to force people to buy their new offerings (Windows 8.1, or at least 7)
  * They don't want to support their old products indefinitely

In addition, it would help the Wine and ReactOS projects enormously (indeed, it would render ReactOS rather pointless), and would harm Microsoft's 'lock-in'. A Free-and-Open-Source fork of Windows could do violence to Microsoft's prospects.

(I guess in doing so it might take away one reason to move to Linux, and so perhaps drive custom to Microsoft's ecosystems, but ultimately I doubt it would play out in MS's favour.)

It would be interesting to see how many new exploits could be uncovered by making the source public, though - a high-profile, real-world test of 'more eyeballs'/security-through-obscurity.
