The whole internet standards process works based on "asking nicely". You can tell people they shouldn't use an option or even that by using that option they will be non-compliant with the latest version of the standard but you can't really stop them from using it if they decide that compatibility with old clients outweighs security.
Slashdot videos: Now with more Slashdot!
dunno whereabout in europe you live but here in the UK it's still fairly common to see traditional doors/frames with only a single point lock and with the door hung so it opens inwards. A well-aimed kick, a handheld battering ram or a correctly placed crowbar will more than likely break the lock from the frame on such a door.
and trying really hard to do it wrong.
Putting everything internal on one network is the lazy option. Seggregating stuff onto VLANS is extra work and cost and is only generally done by places large enough to have an IT department.
And the thorny issue is that this license is not compatible with the GPL. That's why projects have to modify the GPL to make a specific exception for it.
Exactly and in most cases the exception says "openssl". Does a slightly patched version from a distro still count as "openssl"? Does a forked and renamed version with substantial changes still count as "openssl"?
AIUI people (and retailers) take them seriously enough that game developers typically choose an ESRB rating and then tailor the content of their game to hit it (this tailoring can happen in either direction). In particular they try very hard to avoid the AO rating as many retailers refuse to stock games that have it.
Which ESRB rating they try to hit depends on the audiance they have in mind.
There was a big blowup with GTA san andreas about a minigame that was disabled but not removed causing the ESRB to re-rate the game as AO with a subsequent replacement of most stock in the retail channel and a class-action lawsuit (though the number of members of the class who actually claimed anything was pretty small)
Theres also a thorny license issue, some projects released under the GPL make a exception for openssl and it's not always clear whether that would apply to forks of openssl.
With ssh the original project had moved to a propietary license so linux distros that only accepted free software had to go with a fork or stick with a very outdated version. With openssl the original project is still alive. So the developers of linux distros will have to have a big argument over whether the reduced security exposure outweighs the reduced feature set.
because the larger an epidemic grows the more expensive it is to deal with and the greater the chance of an infected person escaping and starting an outbreak elsewhere. The ebola epidemic got big enough to suck badly for the three main countries involved and there were a few minor outbreaks in other countries but fortunately the outbreak was contained in time to avoid any signficant outbreaks in the rest of the world.
2K had rail, dunno about the original.
If the shit hits the fan at a domain registrar there is a good chance your domain will remain active but with no way to reconfigure it until things are straightened out. If the shit hits the fan at a hosting provider there is a good chance your server will disappear.
So putting both at the same place seems stupid to me.
My question is how could OpenSSL still have had this potential backdoor? Why was this not removed at first opportunity?
The trouble with removing old/weak modes is that you break interoperability with systems that only support those modes. Implementations that were limited to export modes only didn't disappear the instant the export restrictions were lifted. In some cases old versions of software stick around for many years because there is some problem that blocks upgrading.
So someone has to make the difficult call as to when the risk posed by supporting the old/weak modes outweighs the interoperability issues that will be caused by removing support for them. Inevitablly making changes is harder than doing nothing so said calls tend to err on the side of "too late" rather than "too early".
Furthermore SSL/TLS is supposed to protect against downgrade attacks. So removing support for old modes doesn't seem as urgent as it otherwise would be. Recently however we are finding that the protection against downgrade attacks is not as good as it should be.
The thing is with a petrol/diesel/lpg/etc powered car you can drive until the tank is nearly empty. Then at a conviniant location along the route stop, fill the fuel tank, go to the toilet, stretch grab a snack etc and be back on the road quickly. Especially if you have more than one person in the car and so can share the burden of driving this allows travelling for long periods with minimal stopped time.
With an electric car so far you can't do that. You have to go out of your way to find a charging station (which are far less common than petrol stations) and then wait a considerable time for your vehicle to charge (how long depends on the particular station but even tesla superchargers which are few and far between apparently take 40 minuites to bring the car to 80% charge)
What about vets? do they take any oaths that would prevent them acting as executioners or assisting in the planning?
Like all companies, they are worth what someone is willing to pay.
And like all companies some sucker paying $x for y% of of the company does not imply that there is anyone who will pay $(x*y/100) for the whole company.
time_t has been 64 bits on every *nix system I've used for over a decade.
all widely used 32-bit linux ports still have 32-bit time_t (x32 has 64-bit time_t but that is not widely used and it's debatable whether it counts as a 32-bit system). While x86-64 is taking over on the desktop and dedicated servers many embedded systems and low cost hosted vms are still 32-bit (the latter due to the lower memory footprint).
Why in the name of any sanity at all would NTP not have been updated by now?
Afaict it has, the NTP "DATE" format provides a 32-bit era number and a 32-bit era offset number which between them provide a 64-bit seconds count. The NTP "timestamp" format uses a 32-bit seconds count but AIUI that is only supposed to be used for comparing to other nearby timestamps.