Comment: "Many eyes" did *not* find heartbleed bug (Score 1) 289

by perpenso (#46800861) Attached to: OpenSSL Cleanup: Hundreds of Commits In a Week

Didn't that make a mockery of all the "many eyes" arguments oft touted in favor of Open Source?

Nope. Once the bug was noticed it was fixed very quickly: i.e. it was a shallow bug. If you think that phrase means OSS is bug free, you have misunderstood it.

The quote is often misunderstood, it's hyperbole. It illustrates a point nicely but in reality few users are developers and few developers are qualified readers.

More importantly the bug was not discovered by eyeballs on source code. The techniques used seem to be the same applied to proprietary closed source code. They were testing the binary.
"“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.”"
http://readwrite.com/2014/04/1...

Comment: Re:Eyeballs did not find bug ... (Score 1) 580

by perpenso (#46774881) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

A second and more important fact is that the bug was not discovered by eyeballs on source code. The techniques used seem to be the same applied to proprietary closed source code. "“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.”"

So you're saying that when I, as a (professional ;-) programmer, create a chunk of code that tests for something, you don't think I should get any credit for what it discovers, because it's the code that discovered it, not me. ...

You are offering a strange misinterpretation of what I have said. I am saying that this bug was not found by someone examining source code. That if you fuzz or otherwise test the binary then whether the code is proprietary or FOSS is irrelevant.

Comment: Re:Access to lib source does not require FOSS ... (Score 1) 580

by perpenso (#46771951) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

OK fine. It would not be possible if you did not have access to the source code. It is true that you can buy access to the source from some closed source software. But the fact that you are choosing software based on whether you are able to access the source code, I would argue is a point in favor of open source software rather than closed source proprietary software (the vast majority of which you can not buy source code access).

I never said I was against FOSS. I'm merely pointing out that access to source code is hardly unique to FOSS.

As far as how common access to source is in proprietary software, I think it is far more common than most FOSS advocates are aware of. For some of what we had used in the past there was no public offering of a source license. Yet when we specifically asked about it a deal was made. Many things that appear set are in fact negotiable. FWIW, we were a small company with no particular leverage.

Comment: Re:Proprietary or open seems irrelevant to discove (Score 1) 580

by perpenso (#46770551) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Proprietary or open seems irrelevant to this discovery.

You can't make such conclusions from one bug.

Good thing I was commenting on only this one bug. That said, one can absolutely make the statement that fuzzing and other penetration testing works equally well on proprietary and FOSS code. The binary being tested doesn't care about the nature of its license.

Bugs will happen, and bugs will go unnoticed. The question is about whether the open source nature of a piece of software decreases the frequency of those events.

No one is arguing whether bugs will occur and go unnoticed. What is being argued is that the value of the "many eyeballs" concept is often exaggerated. Few users are developers. Few developers are qualified readers.

Comment: Access to lib source does not require FOSS ... (Score 1) 580

by perpenso (#46770423) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

At my company we use open source software libraries for our commercial products. When we find anomalies, we are actually able to figure out if bugs are in our own software or in the open source libraries we use. In fact, we actually run static analysis tools on every piece of open source software that we use because we care about the security of our own applications. We don't use openSSL, but if we did, we may have actually found this bug. That wouldn't be possible if the source was closed.

That is not true. At past jobs where we used proprietary libraries in our commercial products, I always advocated for buying the more expensive source licenses rather than the less expensive binary only licenses. We even chose vendor A over vendor B due to A having a source option and B not having one. Fortunately all the libraries we used had source options, obviously YMMV. Management was always reluctant until we found and resolved problems in these proprietary libraries just as you describe doing in open source. Management quickly became believers in buying the source licenses so that our fate was not in a 3rd party's hands.

Comment: Re:Proprietary or open seems irrelevant to discove (Score 1) 580

by perpenso (#46770291) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Why are you so adamant that it was not "eyeballs". So they fuzzed their own infrastructure and found the issue. The article you posted is scant on the details of the tool and a google search did not turn up any salient details on the tool. From the description it appears to be black box testing SSL/TLS for obvious overruns.

And such testing would find such a bug equally well in proprietary or open source code. It seems fairly clear that the bug was not discovered by someone reading the source code, despite the code being available for two years and the code being absolutely critical to networking.

The value of many eyeballs is often exaggerated. Few users are developers. Few developers are qualified readers.
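What "black box testing SSL/TLS for obvious overruns" means in practice, as an added example (not from this thread, and not OpenSSL's own code): a heartbeat message carries a declared payload length, and a tester feeding records whose declared length disagrees with the bytes actually sent can tell from the outside whether the receiver compares the two. The message layout follows RFC 6520; the function names (`hb_payload_len_unchecked`, `hb_payload_len_checked`, `hb_build`, `hb_overread_bytes`, `hb_mutation_rejects`), the record cap and the mutation schedule are constructed for illustration, and the test records are constructed in the block.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2, big endian) | payload | padding(>=16). */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define HB_MAX_RECORD   1024   /* constructed cap for the records built below */

/* Pre-fix style handling (illustrative, not OpenSSL's code): trusts the declared length and
 * never compares it with the bytes actually received. Returns the number of payload bytes
 * it would echo back, however many bytes really arrived. */
int hb_payload_len_unchecked(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;                        /* the received length is ignored: this is the defect */
    return ((int)rec[1] << 8) | rec[2];
}

/* Post-fix style handling: the declared length must fit inside the received record together
 * with the header and the minimum padding, otherwise the message is dropped (-1). */
int hb_payload_len_checked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;            /* cannot even hold header + padding */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len) return -1; /* declared length overruns the record */
    return (int)declared;
}

/* Builds a constructed heartbeat request carrying 'actual' payload bytes (all 'A') plus 16 zero
 * padding bytes, while the length field claims 'declared' bytes. Returns the record length,
 * or 0 if the record would not fit in 'out'. */
size_t hb_build(uint8_t *out, size_t cap, unsigned declared, size_t actual) {
    size_t len = HB_HEADER_LEN + actual + HB_MIN_PADDING;
    if (declared > 0xFFFF || len > cap) return 0;
    out[0] = 1;                                   /* heartbeat_request */
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared & 0xFF);
    memset(out + HB_HEADER_LEN, 'A', actual);
    memset(out + HB_HEADER_LEN + actual, 0, HB_MIN_PADDING);
    return len;
}

/* Black-box view of one record: how many bytes beyond the received data would the unchecked
 * handler read? 0 means the record is consistent and nothing is exposed. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    size_t declared  = (size_t)hb_payload_len_unchecked(rec, rec_len);
    size_t available = rec_len > HB_HEADER_LEN + HB_MIN_PADDING
                     ? rec_len - HB_HEADER_LEN - HB_MIN_PADDING : 0;
    return declared > available ? declared - available : 0;
}

/* Small deterministic mutation loop standing in for a fuzzer: 64 records, each with a 4-byte
 * payload and a length field that walks from 0 upward in steps of 1024. Returns how many of
 * them the checked handler rejects; only the record declaring 0 is consistent, so 63 are rejected. */
unsigned hb_mutation_rejects(void) {
    uint8_t rec[HB_MAX_RECORD];
    unsigned rejected = 0;
    for (unsigned i = 0; i < 64; i++) {
        size_t n = hb_build(rec, sizeof rec, i * 1024, 4);
        if (n && hb_payload_len_checked(rec, n) < 0) rejected++;
    }
    return rejected;
}
```

The point of the example is that the tester never reads source code: it only observes whether a receiver drops a record whose declared length cannot be satisfied, which is the same observation regardless of who owns the code.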

Comment: Isn't prop 13 irrelevant to buyers? (Score 1) 359

by perpenso (#46764441) Attached to: San Francisco's Housing Crisis Explained

All property owners pay based on their date of purchase, which is entirely fair.

I pay five times what my neighbor pays in property tax for the same model simply because my neighbor bought in 1977 and I bought in 2010. Prop 13 is good for older people who have been here a while but not so good for people trying to buy their first home.

How is it not so good for buyers? It seems buyers would be paying taxes based on a current assessment with or without prop 13? In other words prop 13 seems irrelevant to that initial assessment and tax rate, that it only affects increases not the initial rate.

Comment: Proprietary or open seems irrelevant to discovery (Score 4, Informative) 580

by perpenso (#46763939) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

The visibility doesn't make it so bugs don't exist. It makes them more likely to be found. This one existed and was found.

After two years in the wild. And apparently *not* by eyeballs on source code. Proprietary or open seems irrelevant to this discovery.

"“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.”"
http://readwrite.com/2014/04/1...

Comment: Eyeballs did not find bug ... (Score 2, Informative) 580

by perpenso (#46763917) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

The quote is "given enough eyeballs, all bugs are shallow." That's a clear admission that open software, like all other software, contains bugs; that's why you want the many eyeballs. Any claim otherwise is a symptom of not understanding plain English. Eric's whole point was that the bugs in open software will be found and fixed faster than the bugs in other software, due to the population of interested people who will study it, looking for the bugs.

Perhaps it is not being stated clearly but the point that you are missing is the fact that this bug in some of the most critical network software in use had been around for 2 years. This fact demonstrates the hyperbole of the quote. It's a well-crafted quote, illustrates a concept well, but people read way too much into it. Few FOSS users are developers, few developers are qualified readers. Eyeballs are a plus, but not a panacea. The gap between proprietary and open exists but it is exaggerated.

A second and more important fact is that the bug was not discovered by eyeballs on source code. The techniques used seem to be the same applied to proprietary closed source code.
"“We developed a product called Safeguard, which automatically tests things like encryption and authentication,” Chartier said. “We started testing the product on our own infrastructure, which uses Open SSL. And that’s how we found the bug.”"
http://readwrite.com/2014/04/1...

Nothing in that quote implies (to anyone with reasonable understanding of English and basic logic) that open software doesn't have bugs.

Straw man.

Comment: Passenger can not influence destination ... (Score 3, Interesting) 269

My understanding is that this is treading on very dangerous grounds with respect to FAA guidelines.

A "share" of the cost includes all expenses of the flight. Rental, fuel, etc. The pilot and passenger must each pay half of total expenses.

The passenger can have no influence on the destination. If the pilot is flying from A to B and the passenger tags along, OK. But if the pilot just wants hours and goes to B because the passenger needs to go there then I think there is an FAA regulations problem and the FAA will consider the flight commercial.

That said I am not a lawyer nor an FAA guidelines expert. All I know is what my instructor told me many years ago in ground school. "The person showing you their FAA ID is never ever there to help you. Never hand your license to the FAA official to help them read / inspect it, that can be considered surrendering your license if the FAA official wishes to interpret the act as such. Keep the license in your hand and move it closer to their face if they are having a hard time reading it, pull it away if they reach for it. If they ask for it tell them you will be handing it to your attorney and they can speak with him/her."

Comment: The anti-vaccine movement grew with the internet (Score 1) 1037

by perpenso (#46677541) Attached to: How the Internet Is Taking Away America's Religion

access to unfiltered information will make people THINK! who would have thought? :)

Unfiltered information is not necessarily correct information. A peer reviewed scientific journal is an example of filtering. Filtering is not necessarily a bad thing, it depends on the who and why of the filtering.

People sometimes think more emotionally than critically, are easy to deceive. The anti-vaccine movement grew with the internet too.

Comment: Re:Av rev per app, Android $1,125 and iOS $4,000 . (Score 2) 161

by perpenso (#46668253) Attached to: Illustrating the Socioeconomic Divide With iOS and Android

While the number of apps downloaded is coming from 3rd parties we are still left with Google's financial reports indicating $900M paid to developers compared to Apple's claim of $5,000M paid to developers.

Plus it's not just Forbes indicating a huge disparity.
http://www.businessinsider.com...
http://techland.time.com/2013/...
http://venturebeat.com/2013/07...
http://www.forbes.com/sites/ay...
