
Comment: Re:WTF? (Score 1) 176

by Tom (#46798505) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

True, most of my experience is with companies <10k, but you're just being arrogant calling that "really small". Almost all of those companies are part of a larger corporation, and you don't manage IT operating activities in multinational corporations on the corporate level. The corporate level decides if you go with SAP or Oracle, but not which patch level of Apache is used on the website of one of 20 subsidiaries.

At least that's the way it was in my last two companies (one a subsidiary of a 65k employee corporation, one part of a 30k employee corporation). If you know of any multinational corporations where the CTO of the top-level holding has to sign off on patch deployment, let me know.

We're talking operative emergency response here, not rollout of new corporate IT infrastructures. I hope you see the difference.

Comment: Re:WTF? (Score 1) 176

by Tom (#46797065) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

You're cute. I've done this shit for a living for a while. Yes, many companies' incident response procedures are crap, but they shouldn't be, and it is perfectly possible to get an emergency countermeasure deployed within 24 hours with all the t's crossed and i's dotted and perfect SOX compliance and whatever else you need. It's just something you need to think about before the emergency hits you.

Comment: Re:Not that good (Score 1) 176

by Tom (#46797047) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

Of course everything else is never equal.

But what are you trying to accomplish here? Argue that a project with 100 developers has more eyes on the code than one with 4? Moot point, no argument.

We don't get the luxury of having 50 identical software projects with different team sizes and a size control, so we have to go with the real world, and "everything else being equal" is just a way of saying that if you want to compare closed vs. open source, you need to compare comparable projects, not an open source project with a handful of people with a closed source project two orders of magnitude larger - or the other way around.

Comment: Conditional probability... (Score 1) 159

by Idarubicin (#46794855) Attached to: The Design Flaw That Almost Wiped Out an NYC Skyscraper

In other words, for every year Citicorp Center was standing, there was about a 1-in-16 chance that it would collapse.

Well, no. That figure only applies if a power outage (affecting both the city power and the building's emergency power, so as to disable the building's tuned mass damper) occurs simultaneously with every occurrence of high winds. Or if the building's owners decide to just turn off the tuned mass damper for giggles, and leave it turned off for a decade and a half.

Far more interesting - and potentially scary - was the fact that even with the mass damper, the building would expect to see winds sufficient to cause toppling approximately once every 55 years. As the building is now approaching its fortieth birthday, there's a better than even chance that it would have fallen by now.

Comment: Re:WTF? (Score 1) 176

by Tom (#46794053) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

sysadmin, firewall admin - let's not pick nits here. The point is that there are mitigating measures, and if signing off on something that prevents your company secrets leaking out to the Internet without you even noticing takes more than 24 hours then your incident response procedures are retarded and you can hire me for a workshop to improve them dramatically.

Comment: Re:WTF? (Score 1) 176

by Tom (#46794047) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

Yeah, there was absolutely nothing anyone could do. Oh wait, except for this brutally complex and technically challenging thing right from the official vulnerability announcement:

This issue can be addressed by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx would need to be restarted for the changes to take effect.

That was definitely not a feasible option for anyone on the planet...
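The advisory text quoted in the comment above stops at "recompile and restart". What it does not say is how to confirm the rebuild actually took effect on a listening service, which is the check a responder wants before closing the ticket. The script below is an added example, not code from the original post or from the OpenSSL project. It relies on a real behaviour of `openssl s_client -tlsextdebug`: the client prints every extension the server echoes in its ServerHello, and a server linked against a build compiled with -DOPENSSL_NO_HEARTBEATS has no heartbeat code at all, so it never sends extension id 15. The `check_host` function, the host names, and the sample s_client output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project).
# Mitigation step as quoted from the advisory, rebuild then restart:
#   ./config -DOPENSSL_NO_HEARTBEATS && make && make install
#   service nginx restart   # or apache2, postfix, ... whatever links libssl
# Verification step (this script): a build without heartbeat support never
# advertises the TLS heartbeat extension (id=15), so its absence from the
# server's extension list is evidence that the restarted service is using
# the new library.

# Returns 0 if the given "openssl s_client -tlsextdebug" output shows the
# server advertising the heartbeat extension, 1 otherwise.
heartbeat_advertised() {
    printf '%s\n' "$1" | grep -q 'TLS server extension "heartbeat" (id=15)'
}

# Live check against a host:port (hypothetical helper; needs network access).
# Usage: check_host example.com 443
check_host() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -tlsextdebug 2>&1)
    if heartbeat_advertised "$out"; then
        echo "$1:$2 still advertises TLS heartbeat; rebuild/restart not effective"
        return 1
    fi
    echo "$1:$2 does not advertise TLS heartbeat"
    return 0
}

# Constructed sample output (not captured from a real host), reduced to the
# relevant lines. First, a server whose libssl still has heartbeats built in:
SAMPLE_OLD_BUILD='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .'

# ... and the same server after a -DOPENSSL_NO_HEARTBEATS rebuild and restart:
SAMPLE_REBUILT='TLS server extension "renegotiation info" (id=65281), len=1
0000 - 00                                                .'

# Demonstration when run stand-alone.
if heartbeat_advertised "$SAMPLE_OLD_BUILD"; then
    echo "old build sample: heartbeat advertised (expected)"
fi
if ! heartbeat_advertised "$SAMPLE_REBUILT"; then
    echo "rebuilt sample: heartbeat not advertised (expected)"
fi
```

Caveat for the responder: this only tests the listener you connect to. Any long-running process that loaded the old libssl before the rebuild, and was not restarted, keeps the vulnerable code mapped. On Linux, `lsof -n | grep -i libssl | grep DEL` lists processes still holding a deleted (replaced) libssl, and each of those needs a restart too.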

Comment: Re:Will most consumers care? (Score 1) 92

by plover (#46792755) Attached to: How Nest and FitBit Might Spy On You For Cash

Would you like your food data shared with your insurance company? How about your weight? Your BMI went above 22 this month. Not good, lower it or else. Your running? You didn't meet your jogging goals for the week. That's it, we're raising your health care premiums. That's a lot of beer you're drinking, and you put a lot of miles on your car, so it looks like we'll have to cancel your auto policy because statistically you're likely a drunk driver.

If you say "OK, share my data", it can go a lot of places you may not intend.
