
Comment: Re:However.... (Score 1) 220

by jc42 (#46788805) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

To prevent double-use like this, a company should say that you don't get paid until they've fixed the bug and issued a patch for it in their software, all without the exploit ever being spotted in the wild.

One problem with this is that there's already a documented history of companies rejecting bug reports and not paying the bounty, and then some time later including a fix for it in their periodic updates. It's basically the same process that causes a company's "app store" to reject a submitted tool to do a particular job, and then a few months later releasing their own app that does the same thing.

I know a good number of people who've been bitten by the latter, from both MS and Apple. In the case of a bug, it's a lot harder to document that this has happened, but various software guys I know express a strong suspicion that it has been done to them.

It's widely believed that corporations don't have ethics at all, only costs and income, which would easily explain this sort of fraudulent "offers" of rewards with no intent to pay. We've heard here often from lots of people who think that this is right and proper, and that corporations should only be motivated by the bottom line.

When combined with the growing penchant for treating someone who reports a security bug as a criminal "security hacker" and prosecuting people who report bugs in software products, this should reasonably make a sensible developer reluctant to take rewards programs seriously. Given an offer which could get you thanks and some money, or could land you in jail for your efforts, and no way to know beforehand which the company will do, why would you even consider letting them know your name?

(Actually, my name has appeared in numerous companies' lists of honored contributors thanks to my bug reports and patches. But I haven't sent in security-related bug reports to many companies, only to the ones I have reasons to believe I can trust.)

Comment: Re:Eyeballs did not find bug ... (Score 1) 579

by jc42 (#46772133) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

A second and more important fact is that the bug was not discovered by eyeballs on source code. The techniques used seem to be the same applied to proprietary closed source code. "'We developed a product called Safeguard, which automatically tests things like encryption and authentication,' Chartier said. 'We started testing the product on our own infrastructure, which uses Open SSL. And that's how we found the bug.'"

So you're saying that when I, as a (professional ;-) programmer, create a chunk of code that tests for something, you don't think I should get any credit for what it discovers, because it's the code that discovered it, not me. This pretty much shoots down the value of nearly everything I do, because like most programmers, I spend most of my time writing and running my test suites; the actual product itself usually takes only a small percent of my work time.

Maybe I'm overly arrogant, but I disagree with this. I think that whatever a chunk of code does, the credit (or blame ;-) should go to the programmer, not the code or the cpu.

By similar reasoning, we might argue that the "many eyes" never actually discover any bugs at all, because the real work is done by the brain behind the eyes, not the eyes themselves. And with computer bugs, the human brain almost never figures out the bugs; it merely writes code that does appropriate testing, providing the brain with information that it could never have figured out by itself.

This is sorta the inverse of the old saw that guns don't kill people; it's saying that the human that pulled the trigger should get no blame for a killing, because it was the bullet (or maybe the trigger mechanism) that actually did the job.

Comment: Re:Wat? (Score 5, Insightful) 579

by jc42 (#46763351) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

No, just no. No one with any sort of a clue ever argued these issues cannot happen with Free Software.

No, they haven't made that claim in so many words. But they've sure as hell implied it for years now. That's the whole line of thought that Raymond's statement (quoted in TFS) is based on.

Huh? The quote is "given enough eyeballs, all bugs are shallow." That's a clear admission that open software, like all other software, contains bugs; that's why you want the many eyeballs. Any claim otherwise is a symptom of not understanding plain English. Eric's whole point was that the bugs in open software will be found and fixed faster than the bugs in other software, due to the population of interested people who will study it, looking for the bugs. Nothing in that quote implies (to anyone with reasonable understanding of English and basic logic) that open software doesn't have bugs. I expect Eric would just chuckle at the very idea of software without bugs.

(Actually, someone near him should ask him. Tell us whether he chuckles, or snickers, or just gets a sad look on his face. Or maybe he'll say "Well, there is a conjecture that bug-free software exists, but it has never been observed in the field by reliable observers." ;-)

A much more useful conclusion from this story (if you're serious about computer security) is that this bug has been found and fixed in OpenSSL, but with its proprietary competitors, we have no way of knowing what horrible exploits they may be hiding. And you'd be a dummy to think they don't have exploits; every chunk of security-related software has exploits. The meaningful question is whether they can be found and fixed by the people using the software. If not, you'd be a fool to use that software.

Comment: Re:Wat? (Score 2) 579

by jc42 (#46763023) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Because OpenSSL is such a common tool and is arguably vital to the function of the Internet as we know it, this sort of a bug really is one of those "worst case scenarios"

True, but the main lesson to learn from it can be summarized by the old cliche saying "Don't put all your eggs in one basket". The warning about a "monoculture" also applies here. If one specific piece of software is universally used, even a minor bug in it can be a widespread disaster. If people had any sense, the very fact that something is so popular and widespread would be a strong argument for duplicating its functionality with independently-developed code.

Of course, in reality we humans tend to act like herds of sheep ("sheeple", to coin a term ;-), and we tend to think that if everyone is buying X, then X must be a good thing to buy. With software, this is a major failure of logic that should stand out in the current story. If everyone is using X, then all it takes is one exploit to take down everyone's favorite toys.

But history teaches us that, no matter how many times we warn people about a single basket, people in general don't learn.

(Actually, I've long thought that this was a major explanation of why computer geeks tend to have such a wide variety of systems, with different release levels from their neighbors and friends. They're usually not much impressed by popularity. But the geeks are a tiny minority of humanity.)

Comment: Re:"Taking away" (Score 1) 1037

by jc42 (#46680293) Attached to: How the Internet Is Taking Away America's Religion

The internet isn't "taking away" anything. ...

So far, your post is the only one I've found here that even attempts to talk about the article's actual topic. ;-)

The rest of it seems to be various theological and/or political and/or sociological arguments that have nothing whatsoever to do with the Internet's effects on society. I was sorta hoping to find such a discussion, but I guess this crowd isn't up to it these days.

I'd just add that religion has always required "belief", i.e., accepting a particular package of ideas without requiring any evidence, and continuing in a religion requires carefully ignoring any evidence that contradicts it. This hasn't changed with the Internet. It "merely" supplies a lot more evidence (and a lot more disinformation) than any previous communication mechanism we've had. But you can ignore its information exactly like you ignore information from any other source. It's not really all that difficult.

Comment: Re:jc42: resident troll (Score 1) 90

by jc42 (#46676011) Attached to: More On the "Cuban Twitter" Scam

Well, I didn't mention the propaganda on /. because it didn't occur to me that anyone would think it special. The astroturfers and other propagandists have been here since before I had an account, and a lot of their work is so blatant that it's hard to miss. So it's not that the propaganda here didn't occur to me; it's more like I thought it such a cheap shot that I'd be criticized (and possibly downloaded) for wasting reader time by mentioning something so obvious.

Not that there's anything about this that's special to /. either. A growing and well-known problem on sites that attempt to collect ratings of various sorts from users is that companies pay their people to spend time watching such sites and flooding the rating system with bogus positive ratings and reviews. Companies routinely set up hundreds or thousands of accounts for this purpose.

This goes back to the early days of online forums. An especially clumsy one showed up back in the 1980s, when a lot of BBs, newsgroups, etc. found that any occurrence of the string "Armenia" in any message would trigger the automated submission of thousands of bot-generated messages from Turkish extremists, filling up disk systems and making the site useless until they were purged.

The propagandists have gotten a bit more subtle since then, but they've always been with us. /. has had them since the early days of 5- and 6-digit id numbers.

And "blase" (only one 's', and the 'e' really should have an acute accent, but /. garbles it ;-) isn't really the right word. It's more like we need to acknowledge that propaganda is and will remain "part of the landscape". Rather than get all excited about it, we should be quietly working to limit the junk, and try to find ways to get the real info more visible. Exposing propaganda is most useful if it's done in a matter-of-fact manner, rather than as a shouting match.

Comment: Re:The Religious Right will have your head on a pl (Score 1) 470

by jc42 (#46673447) Attached to: It's Time To Bring Pseudoscience Into the Science Classroom

So instead of using a meaningless phrase like "critical thinking", why don't you say what you mean? What specific skills should the schools be teaching?

Yeah, that was pretty much my reaction, too.

A more to-the-point approach might be: Any school class described as "science" should include teaching scientific methodology, in a way that's understandable by the students at that grade level. This should include opportunities to apply the methods in situations that the students can understand.

One long-standing problem with the way that most school textbooks do this is by teaching only "the experimental method" as the way that science works. This has been widely criticized by presenting an obvious counter-example: Astronomers have never used experimental methods, but astronomy is generally considered one of the hardest of the "hard sciences" (in both senses of the term "hard" ;-). This is often used as a primary example explaining why you must teach scientific methods (plural). It's a big, complex subject, and different methods are used in different scientific fields. We can do lab experiments with bacteria or fungi; we can't (yet) with planets or stars.

But the phrase "critical thinking" isn't much used by scientists. Rather, you should try to teach the scientific meanings of terms like "conjecture", "hypothesis", and "theory", which in scientific jargon aren't polysyllabic synonyms for "guess". Figuring out how to produce understanding of such terms would go a long way toward fixing the problems with the way schools teach science these days. It'd also confound the religious folks who dismiss evolution as "just a theory".

Comment: Re:I don't think people care (Score 1) 470

by jc42 (#46673277) Attached to: It's Time To Bring Pseudoscience Into the Science Classroom

Yup. An even better example is the widespread use of fermentation processes, often several of them in the same society. It was generally explained by what are now semi-mystical terms, such as a "living essence" in the fermentation cultures. But, since a culture could be easily divided into many small pieces, which would then take over a new container of the food material, it was obvious to many that the active thingies were simply too small for the human eye to discern.

There were lots of examples of natural processes like this, caused by what we now call micro-organisms, and while some people did consider it ineffable magic, there have always been some that guessed right about the tiny agents at work.

The idea that there could be things that our eye can't quite make out isn't exactly radical. Just watching a small critter fly away shows that, as they slowly become smaller, they eventually disappear. Nobody with any sanity would think they're gone; the explanation is that our eyes just aren't good enough to see them. An obvious guess is that there are such things even smaller, that we can't even see close up.

Comment: Re:Unfalsifieable (Score 1) 470

by jc42 (#46673191) Attached to: It's Time To Bring Pseudoscience Into the Science Classroom

Oh, really? So you admit you have magic bracelets, and thus that magic exists? We got you now, Mr. Science-guy!

Heh. I've known a number of scientists who do magic as a hobby. All of them have talked about being bemused and saddened by the number of people who refuse to accept that they're being fooled by trickery, and insist that the "magic show" was real even when the magician tries to deny the reality.

It doesn't help to say that they can show people how the trick is done. The believers won't pay attention, and might actively interfere with the explanation, to maintain their beliefs. Explaining takes time, and requires the cooperative attention of the audience. Schools are quite likely to have the same kind of problems if their science teachers try to explain the trickery behind pseudo-science.

It's an interesting demo of how belief in magic and pseudo-science can maintain a hold on willing victims. Even when the trickster wants to be open and honest about it.

Comment: Re:Yawn (Score 1) 90

by jc42 (#46672653) Attached to: More On the "Cuban Twitter" Scam

... this is not spying, it is a propaganda campaign.

"Yawn" indeed. What baffles me is how anyone thinks this differs from any other propaganda campaign throughout human history. Is it because it's "on a computer", which means that most people will forget all precedent and pretend that it's something new?

In particular, the mass media here and everywhere else has always cooperated with the wishes of the people in power. That's part of the price of staying in business, regardless of what your local laws (or Constitutions) might say. The distribution of information is rapidly moving online, so of course the same medium becomes part of the distribution system for propaganda. Every government (and every marketing organization) in the world is hard at work trying to control what we can read here.

Why are we pretending that this is somehow new and unprecedented?

It has always been true that we need to learn to be skeptical of essentially everything anyone tells us. People are always trying to trick us into believing things for their own profit, and most people don't care if those things are true, only whether they can profit from others believing them.

So yeah: "Yawn."

Comment: Re:Don't bother. (Score 1) 509

by jc42 (#46663791) Attached to: The Problem With Congress's Scientific Illiterates

But we get the government we deserve ...

Yeah, this is a standard cop-out, but if you think about it briefly, it's rather illogical. We only get one government; we couldn't possibly all deserve exactly that government.

In fact, most of us don't "deserve" the government we've got. The political system (mostly bought and paid for by the one or two percent that we hear about but rarely have even met) is to a great degree "fixed", and isn't anything that most of us deserve.

Not to mention all of its victims in other parts of the world who have had no say whatsoever in the makeup of our government.

So what are you doing to change this? ;-)

Comment: Re:Stop using JavaScript! (Score 2) 1482

by jc42 (#46632321) Attached to: OKCupid Warns Off Mozilla Firefox Users Over Gay Rights

Stop using JavaScript

That's a good idea in general, considering its history of problems.

Maybe what we need is a push to persuade browser makers to link to perl and python implementations. Those are both much better languages for the purposes that JS was invented, and they're both completely open-source.

Actually, the right way to do it would be to replace all the embedded browsers' languages with tools for communicating efficiently with an arbitrary language plugin. Then we could use any programming language we like, including languages that haven't been developed yet. But what are the chances that we could persuade all the major browser makers to implement something as (conceptually ;-) simple as that?

Comment: Re:Autoplay audio or my account. Choose one. (Score 1) 142

by jc42 (#46631249) Attached to: The Inside Story of Gmail On Its Tenth Anniversary

I'm getting a robotic voice reading the stories. I'm hoping this is their April Fool's joke because if this is a serious new feature then it's idiotic.

Well, I wouldn't call it idiotic. It could be the start of a useful feature for the visually impaired. What seems to be missing is a way to disable it. I've poked around a bit, and didn't find any controls. It has the usual sound level widget, which works for the current window, but when I refresh or open a new discussion window/tab, the sound is back up where it was.

Anyone know how to turn it off?
