
Comment: Re:NSA (Score 1) 580

by hawguy (#46761827) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

The huge problem with OSS is that if no one takes the responsibility to do a good code audit for a project, the NSA will do that independently, file the found exploits, and tell nobody.

Of course, the flip side is that if you *want* to do a good code audit for software you're using, you can do it on your own with open source software (and you can review code changes in patches before applying them). However, with closed source software, you can (usually) only take the word of the closed source company and have to trust that they haven't purposely inserted back doors into the code.

And once one company does the audit, they can share it with others (or a group of companies could share the costs of the audit), and all users, no matter how large or small, can validate that the code they are running matches the audited code.

Of course, an audit isn't a guarantee of finding a bug (which is just as true for closed source software as it is for open source software), but at least with open source code, a company that finds a bug can choose to fix it immediately without waiting for it to filter through a large company's release process.

Comment: How does a language remediate anything? (Score 1) 188

by hawguy (#46760323) Attached to: The Security of Popular Programming Languages

I don't understand this:

Perl remediates 85% of all Cross-Site Scripting vulnerabilities, the highest rate among all languages but only 18% of SQL Injection.

There is no Perl language support to remediate cross site scripting. That's all done by the developer and/or framework he's using, so I don't see how it's useful to say that Perl remediates 85% of XSS vulnerabilities when the language itself has no idea what XSS is or how to remediate it.

I'm also having trouble reconciling this statement:

Perl has an observed rate of 67% Cross-Site Scripting vulnerabilities, over 17% more than any other language.

So Perl remediates 85% of XSS vulnerabilities -- the highest rate of any language -- yet it has a 17% higher rate of XSS vulnerabilities?

This study would be slightly more useful if they gave details on web frameworks instead of just languages.

I'm surprised Ruby and Python didn't make the list; I figured that either one of those languages would be more popular than Perl for web development today.

Comment: Re:Climate engineering? (Score 1) 341

by hawguy (#46751365) Attached to: Climate Scientist: Climate Engineering Might Be the Answer To Warming

Considering this is a non-problem to start with, we'd absolutely be doing more harm than good. This was the most brutal winter I've seen in over 20 years. It seems like every other day I was plowing more global warming off my driveway and we just got another 5" of global warming last night that I had to shovel off my walk.

Why do so many people confuse weather with climate?

Comment: Re:Why in the FUCK (Score 5, Informative) 41

by hawguy (#46750597) Attached to: Google Buys Drone Maker Titan Aerospace

would either Google or especially Facebook be buying drone companies? These companies obviously have WAY too much money and are WAY overvalued. I suppose it is smart that rather than wait for the bubble to burst and the share price to crash, wiping out billions in value, they're trying to get stuff that is worth something while they still can. Still, this is actually kind of unsettling to me and makes me wonder if we may be cruising obliviously towards the next tech meltdown, sooner rather than later?

It's alluded to in the summary, and spelled out in TFA - both companies have shown interest in providing internet access in underserved areas through aerial platforms:

Both Ascenta and Titan Aerospace are in the business of high altitude drones, which cruise nearer the edge of the earth's atmosphere and provide tech that could be integral to blanketing the globe in cheap, omnipresent Internet connectivity to help bring remote areas online. According to the WSJ, Google will be using Titan Aerospace's expertise and tech to contribute to Project Loon, the balloon-based remote Internet delivery project it's currently working on along these lines.

The main goal, however, is likely spreading the potential reach of Google and its network, which is Facebook's aim, too. When you saturate your market and you're among the world's most wealthy companies, you don't go into maintenance mode; you build new ones.

Comment: Why not? (Score 3, Interesting) 236

by hawguy (#46730399) Attached to: GM Names Names, Suspends Two Engineers Over Ignition-Switch Safety

The next time your mail goes down, should we know the name of the guy whose code flaw may have caused that?

Why not let software engineers take responsibility for their work just like "real" engineers do when they sign off on a project?

The developer responsible for the Heartbleed bug that put the privacy of millions of users at risk stood up and took responsibility for his mistake.

If you know that the world is going to hear about it if you screw up, then maybe you'll take a little more time to vet your work before you sign off on it.

Comment: Re:It's time we own up to this one (Score 3, Interesting) 149

by hawguy (#46730341) Attached to: NSA Allegedly Exploited Heartbleed

It was discovered and fixed so quickly *because* it's open source

For crikessakes, the heartbleed vulnerability existed for over 2 years before being discovered and fixed!

Sorry my bad, that sentence was confusing -- I meant the fix was fast, not finding the bug.

An exact timeline for Heartbleed is hard to find, but it looks like there was some responsible disclosure of the bug to some large parties about a week before public disclosure and release of the fixed SSL library.

In contrast, Apple learned of its SSL vulnerability over a month before they released an iOS patch, and even after public disclosure of the bug, it was about a week before they released the OS X patch. And just like the OpenSSL bug, Apple's vulnerability was believed to have been in the wild for about 2 years before detection. (Of course, since the library code was open-sourced by Apple, several unofficial patches were released before Apple's official patch.)

Comment: Re:It's time we own up to this one (Score 1) 149

by hawguy (#46729753) Attached to: NSA Allegedly Exploited Heartbleed

OK guys. We've promoted Open Source for decades. We have to own up to our own problems.

This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.

But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.

If it's just as likely to happen to closed source software, then why is it a failure of the Open Source process? It was discovered and fixed so quickly *because* it's open source - there may be similar holes in closed source software that are being exploited today, yet no white hats have discovered them yet.

Comment: Re:NSA put the bug there, of course they exploited (Score 1) 149

by hawguy (#46729735) Attached to: NSA Allegedly Exploited Heartbleed

We need to find out if the author of this bug is or was on the NSA payroll. It would not be surprising to find out he was paid to put it there.

The author responsible for the bug has already admitted that it was a mistake (and it's not like buffer overflows are unheard of, so it really is plausible). Sure, it's possible that the NSA secretly paid him (or even coerced him by holding some incriminating evidence over his head), but it would likely take someone with the resources of the NSA to uncover such a secret NSA payout. Something of that nature probably wouldn't even be available in Snowden's document archive.

Comment: Re:Rebooting is not a fix (Score 1) 136

by hawguy (#46729679) Attached to: Seven Habits of Highly Effective Unix Admins

Bullshit. Windows admins are not trained to reboot when there is a problem

It's amusing that in the post right before yours (and not an AC like you), a Windows Admin explained why he does reboot first:

Because in the Windows world, I usually don't have the luxury of digging into the kernel's or driver's source code to figure out exactly why it has stopped behaving correctly

Comment: Rebooting is not a fix (Score 5, Insightful) 136

by hawguy (#46726957) Attached to: Seven Habits of Highly Effective Unix Admins

As someone who's managed a team of sysadmins that moved to the Linux world from Windows, I have this tip: "Reboot does not fix anything, it just hides things".

For some reason, Windows admins have been trained to reboot immediately when things don't work well rather than to figure out why something is failing. I'm sure this was a valid "fix" in older versions of Windows, but Windows has been stable for quite some time, and things shouldn't mysteriously stop working for no reason. Take a bit of time to figure out *why* the CPU is suddenly spiking on the database server, since if you reboot it, you will have lost most of the evidence for why it's happening, and it's likely to happen again. If it's a production server and you can't spend much time, run a few diagnostics (ps, top, lsof, etc.) and save the output to a file for the postmortem, but don't just go in and reboot before looking around.
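The "grab the evidence before you reboot" step above is easy to get wrong under time pressure, so here is an added example of a small triage collector, written for this page rather than taken from the commenter or from the article being discussed. It snapshots the volatile state a postmortem usually needs (process list, open files, sockets, memory, kernel log), one file per tool, skips tools that are not installed instead of aborting, and records a checksum list so the bundle can be shown to be unmodified later. The tool set, file names and default output directory are my choices; adjust them for the platform (for example, `top -b -n 1` is the procps flag set, and `ss` replaces `netstat` on newer Linux).

```shell
#!/bin/sh
# Pre-reboot triage collector (added example, not from the original post).
# Usage: collect_triage [OUTPUT_DIR]; prints the directory it wrote to.

# run_capture NAME CMD [ARGS...]
# Runs CMD and stores stdout+stderr in $OUT/NAME.txt. A missing tool is
# recorded as skipped rather than failing the whole collection, and a
# non-zero exit status is appended so the analyst knows the output is partial.
run_capture() {
    name=$1
    shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "SKIPPED: $1 is not installed on this host" > "$OUT/$name.txt"
        return 0
    fi
    "$@" > "$OUT/$name.txt" 2>&1 || echo "[collector] exit status $?" >> "$OUT/$name.txt"
}

collect_triage() {
    # Default to a timestamped directory so repeated runs never overwrite evidence.
    OUT=${1:-/var/tmp/triage-$(date +%Y%m%d-%H%M%S)}
    mkdir -p "$OUT" || return 1

    # Who/when/where: cheap, always available, and anchors everything else.
    run_capture date      date
    run_capture uname     uname -a
    run_capture uptime    uptime
    run_capture loadavg   cat /proc/loadavg

    # What is running and what it is holding open.
    run_capture ps        ps aux
    run_capture top       top -b -n 1
    run_capture lsof      lsof -n -P

    # Network state: netstat for older boxes, ss for current Linux.
    run_capture netstat   netstat -tulpen
    run_capture ss        ss -tulpen

    # Memory, I/O and disk pressure, plus the kernel ring buffer.
    run_capture free      free -m
    run_capture vmstat    vmstat 1 3
    run_capture df        df -h
    run_capture dmesg     dmesg

    # Checksums make later tampering or accidental edits detectable.
    ( cd "$OUT" && sha256sum ./*.txt > SHA256SUMS ) 2>/dev/null || true

    echo "$OUT"
}
```

Run it as root (`collect_triage /var/tmp/db-cpu-spike`) before touching the box; `dmesg` and `lsof` give much better results with privileges, and anything that needs root will otherwise just record its error. The whole run takes a few seconds, most of it the `vmstat` sample, which is the point: it costs far less than the evidence a reboot throws away.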

Comment: Why does it have to be "coding"? (Score 2) 578

by hawguy (#46726015) Attached to: Michael Bloomberg: You Can't Teach a Coal Miner To Code

There's no reason to train every worker to "code", we don't suffer from a lack of coders, we suffer from a lack of "developers", and no 6 week software bootcamp is going to turn someone with no programming experience into a developer. Besides, the average coal miner is probably not going to want to sit in front of a computer all day (many in my family work in the heavy construction industry, and I am 100% certain that although you could probably teach my brother to code, you're not going to be able to teach him to sit behind a desk all day).

But there are plenty of other jobs that you *could* teach a former coal miner to do -- not everyone in the economy needs to be a coder any more than everyone needs to be an auto mechanic just because we all (well, mostly) drive cars.

Comment: Re:Convenient malfunctions (Score 1) 322

by hawguy (#46709031) Attached to: LA Police Officers Suspected of Tampering With Their Monitoring Systems

The WTOP article drops the story in 2007.

The Wikipedia article tells us that the case went to court -- you know, like when you feel you've been wronged, and you put the people who wronged you on trial, and the thing is judged by a jury of your peers (normal people, not cops), and the jury awarded $5,000 in damages -- the size of some medical bills.

A jury -- of normal people -- thought, after getting much more insight into this case than you or I, that the cops were a little rough on her, and nothing more.

It seems like that's the problem -- the evidence that should have proved her story was non-existent because *seven* police cameras (cameras that we all paid for with our taxes and were *required* to be running due to a settlement with the DoJ) somehow malfunctioned and did not capture any video. How many cameras do you think would have malfunctioned if they backed up the story of the police? All the jury had to go on was her testimony and the testimony of 7+ police officers. I wonder if anyone involved had any vested interest in lying about the events?

Finally, the case is nearly A DECADE OLD.

What's next? Some cases where a firehose got turned on the colored in Mississippi?

7 years ago doesn't seem like that long ago, but are you really holding up past discrimination against blacks by those in authority as a good example of why the past doesn't matter?
