There's a difference?
sysadmin, firewall admin - let's not pick nits here. The point is that there are mitigating measures, and if signing off on something that prevents your company secrets leaking out to the Internet without you even noticing takes more than 24 hours then your incident response procedures are retarded and you can hire me for a workshop to improve them dramatically.
Yeah, there was absolutely nothing anyone could do. Oh wait, except for this brutally complex and technically challenging thing right from the official vulnerability announcement:
This issue can be addressed by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx would need to be restarted for the changes to take effect.
That was definitely not a feasible option for anyone on the planet...
You are right on those.
Except for the "nothing can be done" part. That's not your judgement call to make. There is always at least one option - pulling the power plug - and it might well be a feasible temporary solution for some people affected.
The rocket (1st stage) when empty needs almost no fuel (about 4% of the total fuel at launch) to return to the launch site and land.
That seems unbelievable, given its hypersonic speed and considerable downrange distance at the point of first stage separation. Any real numbers on that?
That's what was flying Flight 370!!
Shall we call it Flight S/370, then?
But what about Detroit?!?!
There was an article earlier about it on Slashdot and everything?!?
And who exactly is the H1-B police who come arrest the violators?
That would be:
= U.S. Immigration and Customs Enforcement (ICE)
= U.S. Citizenship and Immigration Services - Fraud Detection and National Security Division (FDNS)
= U.S. Department of Labor - Office of Inspector General
= U.S. Postal Inspection Service (USPIS)
= U.S. Department of State
= U.S. Attorney’s Office for the Southern District of Iowa
At least that's who it was for this case: http://exbay.blogspot.com/2009...
So perhaps you are an idiot for implying that these laws are unenforced and unpoliced, and it's a scaremongering tactic which actually has very little to do with the offshoring indicated by the original article, which in turn has very little to do with H1-B's at all, since off shore workers are in other countries, and don't require H1-B visas to be employed by a U.S. company, if they never leave their home country.
Is it in either the Kerbal Space Program or Elite: Dangerous?
If I can't launch it or blow it up, how can I know if it really exists?
Ok, the envelope game. You can rework it to say the second envelope contains the next vulnerability in the queue of vulnerabilities. An empty queue is just as valid as a non-empty one, so if there are no further flaws then the envelope is empty. That way, all states are handled identically. What you REALLY want to do though is add a third envelope, also next item inquire, from QA. You do NOT know which envelope contains the most valuable prize but unless two bugs are found simultaneously (in which case you have bigger problems than game theory), you absolutely know two of the envelopes contain nothing remotely as valuable as the third. If no bugs are known at the time, or no more exist - essentially the same thing as you can't prove completeness and correctness at the same time, then the thousand dollars is the valuable one.
Monty Hall knows what is in two of the envelopes, but not what is in the third. Assuming simultaneous bug finds can be ignored, he can guess. Whichever envelope you choose, he will pick the least valuable envelope and show you that it is empty. Should you stick with your original choice or switch envelopes?
Clearly, this outcome will differ from the scenario in the original field manual. Unless you understand why it is different in outcome, you cannot evaluate a bounty program.
Now, onto the example of the car automotive software. Let us say that locating bugs is in constant time for the same effort. Sending the software architect on a one-way trip to Siberia is definitely step one. Proper encapsulation and modularization is utterly fundamental. Constant time means the First Law of Coding has been broken, a worse misdeed than breaking the First Law of Time and the First Law of Robotics on a first date. You simply can't produce enough similar bugs any other way.
It also means the architect broke the Second Law of Coding - ringfence vulnerable code and validate all inputs to it. By specifically isolating dangerous code in this way, a method widely used, you make misbehaviour essentially impossible. The dodgy code may be there but it can't get data outside the range for which it is safe.
Finally, it means the programmers failed to read the CERT Secure Coding guidelines, failed to test (unit and integrated!) correctly, likely didn't bother with static checkers, failed to enable compiler warning flags and basically failed to think. Thoughtlessness qualifies them for the Pitcairn Islands. One way.
With the Pitcairns now overrun by unemployed automotive software engineers, society there will collapse and Thunderdome v1.0a will be built! With a patchset to be released, fixing bugs in harnesses and weapons, in coming months.