Comment: Re:WTF? (Score 1) 162

by Tom (#46794053) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

sysadmin, firewall admin - let's not pick nits here. The point is that there are mitigating measures, and if signing off on something that prevents your company secrets leaking out to the Internet without you even noticing takes more than 24 hours then your incident response procedures are retarded and you can hire me for a workshop to improve them dramatically.

Comment: Re:WTF? (Score 1) 162

by Tom (#46794047) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

Yeah, there was absolutely nothing anyone could do. Oh wait, except for this brutally complex and technically challenging thing right from the official vulnerability announcement:

This issue can be addressed by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx would need to be restarted for the changes to take effect.

That was definitely not a feasible option for anyone on the planet...
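The mitigation quoted in the comment above (rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS, then restart everything that links it) as an added shell example; this is not code from the thread or from the OpenSSL project. It assumes that `./config` passes `-D` options into CFLAGS so the flag shows up on the "compiler:" line of `openssl version -f`, and the service names and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread. Demonstrates the advisory's
# mitigation and a check that the define actually made it into the build.
# Assumption: ./config forwards -D options into CFLAGS, which is what
# `openssl version -f` prints on its "compiler:" line.

# Rebuild steps as quoted in the advisory (commented out so the script runs
# offline; run them from an OpenSSL source tree):
#   ./config -DOPENSSL_NO_HEARTBEATS && make && make test && make install

# heartbeats_disabled OUTPUT -- OUTPUT is the text of `openssl version -f`.
# Returns 0 when the no-heartbeats define is present, 1 otherwise.
heartbeats_disabled() {
    # "--" so grep does not read the leading "-D" of the pattern as an option
    printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'
}

# consumers_to_restart -- processes that keep the old library mapped until
# restarted (hypothetical names; on a real host derive the list from
# lsof/ldd rather than hard-coding it).
consumers_to_restart() {
    printf '%s\n' apache2 nginx postfix
}

# Constructed sample outputs standing in for `openssl version -f` on a
# rebuilt host and on an untouched one.
SAMPLE_REBUILT='compiler: gcc -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -D_REENTRANT -O3'
SAMPLE_STOCK='compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O3'

# report OUTPUT -- human-readable verdict plus the restart list when needed.
report() {
    if heartbeats_disabled "$1"; then
        echo "heartbeats disabled in this build"
    else
        echo "heartbeats still compiled in; rebuild, then restart:"
        consumers_to_restart | sed 's/^/  /'
    fi
}

report "$SAMPLE_REBUILT"
report "$SAMPLE_STOCK"
```

One caveat for anyone using this check on a distribution-packaged OpenSSL: most vendors shipped a patched library rather than a build with heartbeats compiled out, so the absence of the define on such a host says nothing by itself; the package version and changelog are the authoritative signal there. The restart step matters in both cases, since a long-running daemon keeps the old shared object mapped until it is restarted.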

Comment: Re:Not sure about the recovery test (Score 1) 55

The rocket (1st stage) when empty needs almost no fuel (about 4% of the total fuel at launch) to return to the launch site and land.

That seems unbelievable, given its hypersonic speed and considerable downrange distance at the point of first stage separation. Any real numbers on that?

Comment: Re:Not sure about the recovery test (Score 1) 55

Was it an actual soft landing, though? Water seems much more problematic than dry land to me for this feat since rockets tend to be brittle and moving around such masses at single-meters-per-second levels of speed in the vicinity of other heavy masses (like water) without having control over pressure points (like landing gear) and impact impulses (in the presence of changing terrain contours, like water has) is going to break something. Rockets aren't designed to handle random dynamic stresses like that, they're designed for minimum dry mass (and some sustained axial stress), sometimes at extreme costs (look up the thickness of Atlas fuel tanks, up to but not including Atlas III).

Comment: Re:Frist pots (Score 1) 225

by K. S. Kyosuke (#46793897) Attached to: I expect to retire ...

First, I don't see what it has to do with ethics, as opposed to basic principles of economy and productivity. Second, I'm pretty sure quite a lot of people around the world (atheists, Buddhists, Muslims etc.) who are simply working their asses off (that's a religiously neutral technical term) would be profoundly offended if some American A-hole were to smile at them and tell them "Ah, I see you too have Calvinist work ethic!" That would piss me off to no end if anyone did that to me.

Comment: Re:Pilots crash planes (Score 1) 30

by K. S. Kyosuke (#46793887) Attached to: DARPA Developing the Ultimate Auto-Pilot Software

When I was playing with the Microsoft Flight Simulator 3.0 back then, I came away with the impression that I'm a total screw-up at flying and I should probably never sit in a cockpit, but the one thing I've learned is that you don't pull the stick when you're not sure your airspeed and AoA allow for it.

Comment: "...who exactly is the H1-B police..." (Score 1) 163

by tlambert (#46793523) Attached to: California Utility May Replace IT Workers with H-1B Workers

And who exactly is the H1-B police who come arrest the violators?

That would be:

= U.S. Immigration and Customs Enforcement (ICE)
= U.S. Citizenship and Immigration Services - Fraud Detection and National Security Division (FDNS)
= U.S. Department of Labor - Office of Inspector General
= U.S. Postal Inspection Service (USPIS)
= U.S. Department of State
= U.S. Attorney’s Office for the Southern District of Iowa

At least that's who it was for this case:

So perhaps you are an idiot for implying that these laws are unenforced and unpoliced, and it's a scaremongering tactic which actually has very little to do with the offshoring indicated by the original article, which in turn has very little to do with H1-Bs at all, since offshore workers are in other countries, and don't require H1-B visas to be employed by a U.S. company, if they never leave their home country.

Comment: Underlying assumptions are false (Score 1) 226

by jd (#46793425) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Ok, the envelope game. You can rework it to say the second envelope contains the next vulnerability in the queue of vulnerabilities. An empty queue is just as valid as a non-empty one, so if there are no further flaws then the envelope is empty. That way, all states are handled identically. What you REALLY want to do though is add a third envelope, also the next item in the queue, from QA. You do NOT know which envelope contains the most valuable prize but unless two bugs are found simultaneously (in which case you have bigger problems than game theory), you absolutely know two of the envelopes contain nothing remotely as valuable as the third. If no bugs are known at the time, or no more exist - essentially the same thing, as you can't prove completeness and correctness at the same time - then the thousand dollars is the valuable one.

Monty Hall knows what is in two of the envelopes, but not what is in the third. Assuming simultaneous bug finds can be ignored, he can guess. Whichever envelope you choose, he will pick the least valuable envelope and show you that it is empty. Should you stick with your original choice or switch envelopes?

Clearly, this outcome will differ from the scenario in the original field manual. Unless you understand why it is different in outcome, you cannot evaluate a bounty program.

Now, onto the example of the car automotive software. Let us say that locating bugs is in constant time for the same effort. Sending the software architect on a one-way trip to Siberia is definitely step one. Proper encapsulation and modularization is utterly fundamental. Constant time means the First Law of Coding has been broken, a worse misdeed than breaking the First Law of Time and the First Law of Robotics on a first date. You simply can't produce enough similar bugs any other way.

It also means the architect broke the Second Law of Coding - ringfence vulnerable code and validate all inputs to it. By specifically isolating dangerous code in this way, a method widely used, you make misbehaviour essentially impossible. The dodgy code may be there but it can't get data outside the range for which it is safe.

Finally, it means the programmers failed to read the CERT Secure Coding guidelines, failed to test (unit and integrated!) correctly, likely didn't bother with static checkers, failed to enable compiler warning flags and basically failed to think. Thoughtlessness qualifies them for the Pitcairn Islands. One way.

With the Pitcairns now overrun by unemployed automotive software engineers, society there will collapse and Thunderdome v1.0a will be built! With a patchset to be released, fixing bugs in harnesses and weapons, in coming months.

Nondeterminism means never having to say you are wrong.