
OpenSSL Cleanup: Hundreds of Commits In a Week

Posted by timothy
from the the-good-kind-of-competition dept.
New submitter CrAlt (3208) writes with this news snipped from BSD news stalwart "After the news of heartbleed broke early last week, the OpenBSD team dove in and started axing it up into shape. Leading this effort are Ted Unangst (tedu@) and Miod Vallat (miod@), who are head-to-head on a pure commit count basis with both having around 50 commits in this part of the tree in the week since Ted's first commit in this area. They are followed closely by Joel Sing (jsing@) who is systematically going through every nook and cranny and applying some basic KNF. Next in line are Theo de Raadt (deraadt@) and Bob Beck (beck@) who've been both doing a lot of cleanup, ripping out weird layers of abstraction for standard system or library calls. ... All combined, there've been over 250 commits cleaning up OpenSSL. In one week." You can check out the stats, in progress.

Comment: Counter? (Score 1)

by Jeremiah Cornelius (#46797933) Attached to: What's the Difference?

"By holding up modern China as an example of Communism, Smith expressly shows us that he is fucking propagandist scum inhabiting the more clever of propagandist echelons as the peon is then seemingly left with NO OPTIONS as to how they could potentially reorder or rethink their society."


Journal: Abraham Lincoln

Journal by Jeremiah Cornelius

"Labor is prior to, and independent of, capital. Capital is only the fruit of labor, and could never have existed if labor had not first existed. Labor is the superior of capital, and deserves much the higher consideration."

Comment: Re:As a skeptic, this alarms me. (Score 1)

by EmagGeek (#46794201) Attached to: VA Supreme Court: Michael Mann Needn't Turn Over All His Email

This isn't Mann's critics pursuing him. This is part of a lawsuit that Mann filed against a journalist who criticized his work.

Mann filed the lawsuit, and the person he sued filed for subpoenas to get at Mann's emails because he believed that would reveal information he could use to defend the lawsuit.

This is a terrible decision, because it means you can be sued for libel (which is saying something about someone that is alleged to be untrue) and then be prohibited from obtaining material to defend yourself (by showing that what you said is, in fact, true).

It is made worse by the fact that Mann is a government employee, because if this becomes the precedent, it will open the floodgates for government oppression via the civil court system, which has a lower standard of proof than the criminal system. If you criticize the government or its political employees, they can sue you, and you will be prohibited from obtaining evidence to defend yourself with.

"Shut up and swallow what we tell you" is basically what the court signed off on in this case.

Comment: Re:Militia, then vs now (Score 1)

by shutdown -p now (#46793873) Attached to: Retired SCOTUS Justice Wants To 'Fix' the Second Amendment

in Australia the gun ban has 90% popular support

And in Afghanistan, the idea that a person renouncing Islam should be put to death, or that it is okay to marry girls at age 9, also enjoys 90% popular support. So what?

"There had been 11 gun massacres in the decade preceding 1996, but there have been no mass shootings since."

Yet the murder rate did not change significantly - it kept going down at the same rate as before the last ban.

(which is because those massacres are a statistically insignificant event, basically)

documented that after the laws were changed, the risk of an Australian being killed by a gun fell by more than 50 percent.

Yet again, one of those bullshit "by a gun" statistics. Who cares about a subset of murders where guns specifically are used? What matters is the overall murder rate regardless of tools. That did not show any correlation to gun bans.

Australia’s gun homicide rate, 0.13 per 100,000 people, according to, is a tiny fraction of that of the United States (3.6 per 100,000 people).

Another pointless "gun ..." stat.

BTW, it's true that Australia (and most other First World countries) has an overall lower homicide rate, and generally a lower violent crime rate. But that has to do with the different approach to healthcare and other forms of welfare in the US, which results in significantly higher income inequality, stratification, high poverty rates and low social mobility - which translates to more crime. Guns don't really play any role in this, as is evident when looking at crime rates within the US - they correlate strongly with poverty, and not at all with lax/strict gun laws.

"It should be noted that our gun homicide rates were already in decline, but the gun laws accelerated that slide."

Another pointless "gun ..." stat. As noted before, the overall homicide rate was going down before the bans, and kept going down after them at the same rate - i.e. the decline was caused by other factors. It should be noted that this is a trend that is observed in all Western countries, including the US, and in the latter said decline does not correlate with gun law changes (like the AWB).

In a 2010 paper, economists Andrew Leigh and Christine Neill found that the law change had led to a 65 percent decline in the rate of firearm suicides. Firearm homicides fell by 59 percent.

Another pointless "gun ..." stat. The overall suicide rate did not change, people just used different methods (hangings in particular spiked as firearm suicides dropped).

The US is an exceptionally dangerous place to live - to be at more risk, you have to go to countries in complete anarchy or at war.

This is an utterly stupid statement. You are much more likely to be shot in my home country - Russia - and that despite it not being even remotely "in complete anarchy or war" - and despite the much more stringent gun laws, which are only marginally more liberal than Australian ones. Heck, the US has lower homicide rates than a good half of Europe.

Then, of course, the rate varies wildly within the US from state to state, so much so that the average is meaningless. In my state of residence, it's the same as in Finland and Norway, and it's not some kind of rural depopulated place.

Comment: Underlying assumptions are false (Score 1)

by jd (#46793425) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

OK, the envelope game. You can rework it to say the second envelope contains the next vulnerability in the queue of vulnerabilities. An empty queue is just as valid as a non-empty one, so if there are no further flaws then the envelope is empty. That way, all states are handled identically. What you REALLY want to do though is add a third envelope, also the next item in the queue, from QA. You do NOT know which envelope contains the most valuable prize but unless two bugs are found simultaneously (in which case you have bigger problems than game theory), you absolutely know two of the envelopes contain nothing remotely as valuable as the third. If no bugs are known at the time, or no more exist - essentially the same thing as you can't prove completeness and correctness at the same time - then the thousand dollars is the valuable one.

Monty Hall knows what is in two of the envelopes, but not what is in the third. Assuming simultaneous bug finds can be ignored, he can guess. Whichever envelope you choose, he will pick the least valuable envelope and show you that it is empty. Should you stick with your original choice or switch envelopes?

Clearly, this outcome will differ from the scenario in the original field manual. Unless you understand why it is different in outcome, you cannot evaluate a bounty program.

Now, onto the example of the car automotive software. Let us say that locating bugs is in constant time for the same effort. Sending the software architect on a one-way trip to Siberia is definitely step one. Proper encapsulation and modularization is utterly fundamental. Constant time means the First Law of Coding has been broken, a worse misdeed than breaking the First Law of Time and the First Law of Robotics on a first date. You simply can't produce enough similar bugs any other way.

It also means the architect broke the Second Law of Coding - ringfence vulnerable code and validate all inputs to it. By specifically isolating dangerous code in this way, a method widely used, you make misbehaviour essentially impossible. The dodgy code may be there but it can't get data outside the range for which it is safe.

Finally, it means the programmers failed to read the CERT Secure Coding guidelines, failed to test (unit and integrated!) correctly, likely didn't bother with static checkers, failed to enable compiler warning flags and basically failed to think. Thoughtlessness qualifies them for the Pitcairn Islands. One way.

With the Pitcairns now overrun by unemployed automotive software engineers, society there will collapse and Thunderdome v1.0a will be built! With a patchset to be released, fixing bugs in harnesses and weapons, in coming months.
