With all the noise about OpenSSL lately, running this Coverity test on it (and other security software like GNUTLS) and sharing the results seems like it would be a good thing...
Here in Australia, my experience is that the genuinely local newspapers (limited to specific suburbs or council areas and usually available for free every week) are great as a way of finding out what's going on in the local area. The normal daily newspapers are full of crap and not worth reading.
Here in Oz we don't have state income taxes or state returns to worry about and if you don't want to use an accountant or tax agent to do the return (because you have a simple return), you can just file it electronically with the free government-supplied etax app. (or as a paper form if you really want to)
How do we know that serious security flaws don't exist in the SSL implementations used by Microsoft or other proprietary vendors?
IMO the NSA should be split into 2 agencies.
One would be tasked with protecting the security of data, information, communications and networks of the United States government, its agencies and any entity deemed to be vital to national security. And this does include finding and fixing (or giving to vendors to fix) bugs in software being used by those entities it is tasked with protecting. And developing new protocols and algorithms and systems and hardware and software to protect the stuff it is tasked with protecting. And certifying software, hardware, algorithms, protocols and systems (developed in-house or externally) as being safe (or unsafe) for use in storing, manipulating, handling, transmitting or receiving the stuff it is tasked with protecting.
The other would be tasked with spying on threats to national security. Including monitoring communications, email, data, computers and software belonging to those threats. Yes that includes hacking into the computer of a bad guy who stole classified secrets or launched malware that compromised government systems.
This agency would have constraints placed on it so that it was only monitoring threats and not anyone else and so that it was not compromising global security in the course of carrying out its mission (e.g. it would be prohibited from trying to weaken the security of software/hardware/protocols/algorithms/etc in order to be able to spy on entities using those things)
Remember that when Truman created the NSA, a computer was a device that took up several rooms, there were only a handful in the entire world and only a small number of people even knew what one was, let alone were able to use one. And the closest thing to digital communications networks were teleprinters. And the biggest threat to national security was a Soviet Tupolev Tu-95 bomber with a nuclear bomb underneath.
These days, computers are everywhere and being used for all sorts of things never imagined in the 50s. And the biggest threat to US national security is not a Russian bomber or missile but a terrorist with a suitcase bomb or hijacked airliner. Or a hacker from a foreign intelligence agency.
FPGA vendors probably don't want to open up their specs and stuff because they are worried that opening up everything will give their competitors the secrets to what makes their FPGA "good".
Patents may come into it as well (I don't know how the patent situation is in the FPGA marketplace). And possibly a desire to stop people from being able to just buy the FPGAs at x amount per unit and force them to pay up for the toolchain too.
https://www.openssl.org/docs/a... suggests that OpenSSL (the official upstream version at least) does in fact support DHE and PFS without EC.
The problem with replacing HTTPS is that you will need to maintain regular HTTPS for all those clients that can't upgrade to a newer browser. (which exposes web sites to these threats) And you have to convince browser and web server vendors to support the new HTTPS replacement.
Google would probably do it (on desktop, ChromeOS, Android and its custom web/SSL server software) especially if it made it harder for the kind of man-in-the-middle-using-fake-certificates type attacks the NSA have been using (the ones that let the NSA serve up fake copies of popular web sites as a vector to infect other machines). Opera and others that use the Google rendering engine would probably use the Google support.
Mozilla would probably do it if you could convince them that it's not just going to be bloat that never gets used.
Apache would probably support it via a mod_blah and if they don't, someone else would probably write one.
Other FOSS browsers and servers (those that do HTTPS) would probably support it if someone wrote good patches.
But good luck convincing commercial vendors like Microsoft and Apple to support a new protocol. And the Certificate Authorities would fight hard against anything that made them obsolete (which any new protocol really needs to do)
What might be useful would depend on how bad the catastrophe is. If it's something like the TV show "Revolution" where electricity magically stops working, different people would be useful vs a situation where electricity is still available.
I think the parent was referring to the IRS paying to make ReactOS a replacement for Windows and not Microsoft doing it.
If you search for "computer immersion cooling" with Google it will throw up a bunch of people (and companies) doing PC systems totally immersed in mineral oil and things as a way to get even more power out of a system (even more than regular liquid cooling gets you)
If OpenSSL is (as quite a few people who know what they are talking about have claimed) poorly written and hard to maintain, why has no-one tried to come up with a simple, easy to evaluate solution?
Or is SSL/TLS really that hard to properly implement?
Last I checked, no international flights are using Gogo.
And if you get paid electronically via bank transfer, it's a good bet that the machines at both your bank and your employer's bank that handle the transactions are mainframes of some sort.
Just introduce a 0.001% tax on all transactions (not just shares but other traded instruments like bonds and commodities).
Anyone buying shares or bonds or whatever to keep long term will see almost no impact from the tax. Even on a million dollar transaction, the tax would only be $1000 (so even big funds or corporate buy-outs or whatever wouldn't be affected by the tax). It would make high frequency trading (and day traders etc) unviable though.