Comment: Re:It doesn't. (Score 3, Interesting) 579

by ratboy666 (#46761723) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

This myth gets trotted out again. It is arguably easier to find exploits without source. The source distracts from the discovery of an exploit. The binary simply is. The black-hat is looking for a way to subvert a system. Typically she is not interested in the documented (by source or documentation) functionality. That simply distracts from the issue which is finding out what the software actually does, especially in edge circumstances.

This is what fuzzers do. Typically not aware of the utility of the program, they simply inject tons of junk until something breaks.

Source availability tends to benefit people auditing and repairing more than black-hats.

Yes, it took years for heartbleed to surface. If heartbleed (or a defect like it) was discovered due to a code audit, that speaks to the superiority of open source over closed source. If this defect is found by fuzzing or binary analysis, it is much harder to repair, as users are now at the mercy of the holder of the source. Build a matrix of Open/Closed Source vs. Bug found in Source, Bug by fuzzing/binary analysis.

Bug found in source vs. Closed Source is not applicable, giving three elements. Found in source vs. Open Source (where the bug will be repaired in the source by anyone). Bug found by fuzzing... where the bug will be repaired in the source by anyone (Open Source) or the Vendor (Closed Source).

The question then is (as I started the article): Is it easier to find bugs by source inspection? Assume big threats will HAVE the source anyway. If it was easy to find by inspection, it would be easy to fix (for examples: OpenBSD continuously audits, and security has been a priority at Microsoft for the past decade). Fuzzing and binary analysis are still the preferred (quickest) method, giving the edge to Open Source. The reason is simple -- the black-hat cares about what is actually happening, and not what the source says is happening.
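The fuzzing-versus-inspection point above, as an added example that is not part of the comment: a constructed toy record format (one type byte, a two-byte declared length, payload, fixed padding; not the real TLS heartbeat wire format) with a hypothetical parser that trusts the declared length beside a hardened one, and a junk-injecting loop that flags replies longer than the record could justify. Function names and the format are assumptions made for this example.

```python
import random
import struct

PADDING = 16  # constructed toy format: 1 type byte, 2-byte length, payload, padding
HEADER = struct.Struct(">BH")


def make_record(declared, payload):
    """Build a record whose length field may disagree with the real payload size."""
    return HEADER.pack(1, declared) + payload + b"\x00" * PADDING


def parse_trusting(record):
    """Defective form: the copy length comes from the untrusted header, so a
    declared length larger than the payload reads past the record (simulated
    here by appending stand-in 'process memory' instead of reading real memory)."""
    if len(record) < HEADER.size:
        return None
    _mtype, declared = HEADER.unpack(record[:HEADER.size])
    memory = record + b"M" * 65535  # stand-in for whatever follows the buffer
    return memory[HEADER.size:HEADER.size + declared]


def parse_checked(record):
    """Hardened form: the declared length must fit inside the record, or the
    record is silently discarded."""
    if len(record) < HEADER.size + PADDING:
        return None
    _mtype, declared = HEADER.unpack(record[:HEADER.size])
    if HEADER.size + declared + PADDING > len(record):
        return None
    return record[HEADER.size:HEADER.size + declared]


def fuzz(parser, rounds=2000, seed=1):
    """Inject random junk, as the comment describes, without knowing the source:
    count replies that contain more bytes than the payload actually sent."""
    rng = random.Random(seed)
    findings = 0
    for _ in range(rounds):
        payload = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 64)))
        # Sometimes honest, sometimes an arbitrary length field.
        declared = rng.choice([len(payload), rng.randint(0, 65535)])
        reply = parser(make_record(declared, payload))
        if reply is not None and len(reply) > len(payload):
            findings += 1
    return findings
```

Running `fuzz(parse_trusting)` reports over-long replies within a few rounds, while `fuzz(parse_checked)` reports none; the fuzzer never needed to read either parser.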

Comment: Re:Blame GNOME 3 (Score 2) 687

by ratboy666 (#46742253) Attached to: The GNOME Foundation Is Running Out of Money

I have been using Gnome 3.10 (Fedora 20) on an Acer Iconia W700. This has no keyboard when I use it as a tablet. It does have multi-touch, and gyro/magnetic/ambient light/etc. sensors.

Tried XFCE (my usual desktop for the past decade) -- it doesn't do well with the 192dpi display. I then decided to try Gnome 3, because of all the complaints (it forces tablet view on users).

- No keyboard means typing to find an application doesn't work. Adding the "Applications Menu" and "Places" Gnome Shell extensions solves this.

- The default on-screen keyboard doesn't support function keys, esc key, control keys. Solution: add florence.

- Without a keyboard, yumex is not usable. Can't enter password to activate stuff.

- Can't activate the bottom panel reliably. Using "Frippery bottom panel" helps out (gnome shell extension). Tapping the "!" at the bottom right then does the job. The "Hi, Jack" extension almost works, but isn't reliable enough.

- Rotation doesn't work. I had to put a script on the desktop to activate rotation.

- No multi-touch support in Gnome 3 (really strange, I have a python program that demonstrates multi-touch).

- And now for the cake - Focus is very strange. I can launch a new application but the old application still has some focus! Nasty bug when interacting with user input.

I would prefer to stay with Fedora. Is there any DE that supports touch better on Fedora? Or do I go with Ubuntu and Unity? Are improvements coming in Gnome 3.12 or 3.14?

Given that your Gnome 3 experience has been much more positive, what is your advice?

Comment: Re:It's time we own up to this one (Score 1) 149

by Bruce Perens (#46730395) Attached to: NSA Allegedly Exploited Heartbleed

I think we need to take a serious look at the "many eyes" theory because of this. Apparently, there were no eyes on the part of parties that did not wish to exploit the bug for close to two years. And wasn't there just a professional audit by Red Hat that caught another bug, but not this one?

Comment: Re:It's time we own up to this one (Score 3, Informative) 149

by Bruce Perens (#46729769) Attached to: NSA Allegedly Exploited Heartbleed

I'd say more than just the "community". We have a great many companies that incorporate this software and generate billions from the sales of applications or services incorporating it, without returning anything to its maintenance. I think it's a sensible thing to ask Intuit, for example: "What did you pay to help maintain OpenSSL?". And then go down the list of companies.

Comment: It's time we own up to this one (Score 4, Insightful) 149

by Bruce Perens (#46729661) Attached to: NSA Allegedly Exploited Heartbleed

OK guys. We've promoted Open Source for decades. We have to own up to our own problems.

This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.

But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.

Comment: Re:Plan not grandfathered and minimum standard. (Score 1) 722

by Bruce Perens (#46718695) Attached to: Can the ObamaCare Enrollment Numbers Be Believed?

Jeff, I'm sorry that you're paying more. I'm envious that your state is implementing single-payer, though! California considers and rejects the bill every session, so far.

MVP itself is not-for-profit. Interesting that they think the pool in the two states they focus on is now that much more expensive. I can't imagine why.

Comment: Re:It's California (Score 1) 722

by Bruce Perens (#46718469) Attached to: Can the ObamaCare Enrollment Numbers Be Believed?

To pick a nit, if you require medical attention after an auto accident, typically the at-fault driver's auto policy would need to cover that.

If they are so kind to stick around and your expenses do not exceed the limits.

Certainly such scams existed, but 30 seconds of googling can typically separate the good from the fraud.

The web helps. At the time, I was not able to see the plan until the salesman was present.

Comment: Re:It's California (Score 1) 722

by Bruce Perens (#46718303) Attached to: Can the ObamaCare Enrollment Numbers Be Believed?

I think you are confusing laissez-faire capitalism with freedom. In this particular case the insurers had the task of operating a risk pool, but no incentive to allow any but the lowest risk customer into the pool. Freedom was harmed overall, as a significant number of people had no viable path to medical care.

There are a good number of people who, like you, would feel less encumbered if they were able to live on an island without any civil services and thus without any burden to pay for their fellow man rather than themselves. My surmise is that few of them would survive very long. However, I would encourage you to try if you are able to find such a place. Go ahead, prove me wrong.