
Submission: One week of OpenSSL cleanup

Submitted by CrAlt
CrAlt (3208) writes "After the news of heartbleed broke early last week, the OpenBSD team dove in and started axing it up into shape. Leading this effort are Ted Unangst (tedu@) and Miod Vallat (miod@), who are head-to-head on a pure commit count basis with both having around 50 commits in this part of the tree in the week since Ted's first commit in this area. They are followed closely by Joel Sing (jsing@) who is systematically going through every nook and cranny and applying some basic KNF. Next in line are Theo de Raadt (deraadt@) and Bob Beck (beck@) who've been both doing a lot of cleanup, ripping out weird layers of abstraction for standard system or library calls.

Then Jonathan Grey (jsg@) and Reyk Flöter (reyk@) come next, followed by a group of late starters. Also, an honorable mention for Christian Weisgerber (naddy@), who has been fixing issues in ports related to this work.

All combined, there've been over 250 commits cleaning up OpenSSL. In one week. Some of these are simple or small changes, while other commits carry more weight. Of course, occasionally mistakes get made but these are also quickly fixed again, but the general direction is clear: move the tree forward towards a better, more readable, less buggy crypto library.

Check them out at http://anoncvs.estpak.ee/cgi-b..."


Comment: Grandparent had it right. (Score 1) 47

by Ungrounded Lightning (#46797973) Attached to: Preventative Treatment For Heartbleed On Healthcare.gov

The word you are looking for is "preventive".

No, it's not. The usage you're complaining about is perfectly valid.

"Preventative" has been in use since 1666 as an alternate pronunciation and spelling for "preventive".

In some regions (including where I grew up - almost in the center of the region natively speaking the "radio accent", which has been the de facto standard speech for the U.S. since the advent of commercial broadcasting) it is the preferred form.

If you want to be a spelling NAZI, you should avoid being provincial about it. Check the online dictionaries before correcting others, to distinguish between being helpful and imposing your local speech on others.

Unlike French ("a dead language spoken by millions"), American English does not have a regulatory body prescribing an official standard (though some educators have tried, since at least Daniel Webster). It grows and changes by usage. Dictionaries play a game of catch up and try to document how it's really used.

(Yes, I know how it grates on your nerves when someone uses a different spelling or pronunciation than you're used to. I feel the same way when my wife pronounces "legacy" as if she was talking about a ledge. But apparently that's actually the first pronunciation listed in The Oxford.)

Comment: Re:Kansas City Hyatt Regency Skywalk (Score 1) 155

by Ungrounded Lightning (#46797897) Attached to: The Design Flaw That Almost Wiped Out an NYC Skyscraper

(Slashdot timed out on me and I lost the start of my post.)

As built the skywalk was so overloaded that eventual collapse was possible even without any load. Naturally when it did fail it would be at a time when both the upper and lower skywalks were heavily loaded with people, and the floor crowded below. 114 died, 216 were injured - many seriously.

Of course loads on things like bridges and skyways vary a lot. You can expect them to go in times of high load, which happens to be when there are a lot of people around to be injured or killed.

Comment: Re:Kansas City Hyatt Regency Skywalk (Score 0) 155

by Ungrounded Lightning (#46797549) Attached to: The Design Flaw That Almost Wiped Out an NYC Skyscraper

In this case it failed when there was a celebration in progress. The ground floor level was crammed with dancing people and the crowd had overflowed onto the skywalks. Pogo dancing was current at the time, and apparently the failure occurred when people on the bridges, synchronized by the live music, were jumping up and down in unison. (It's the inverse of the way soldiers are required NOT to march in step when crossing a bridge.)

Thus you can expect such structures to go when there are a lot of people around to get hurt.

(Interestingly, a crowd of people is MUCH more of a load, even without synchronized jumping, than vehicular traffic. San Francisco's Golden Gate Bridge was reported to have had its greatest load ever during its anniversary, a few years back. The bridge was closed to vehicular traffic and the public invited to hike over it. Normally the bridge span has a substantial arc. This stretched the springy cables and brought the span down until it was flat.

During the planning the load on the bridge had been anticipated and computed to be safe. But there were plenty of boats standing by to try to save people if the deck DID collapse, and the people had been warned of the possibility and asked not to dance or walk in step.)

Comment: Re:What poetry is this? (Score 1) 155

by Alsee (#46795773) Attached to: The Design Flaw That Almost Wiped Out an NYC Skyscraper

Or flip the view:
A towering bank undercut by a small church.

----------------------

In the intersection between religion and the modern world
Religion razes grandeur to the ground for 20 pieces of silver.
In the intersection between religion and the modern world
Religion refuses to budge from barren historical ground.
In the intersection between religion and the modern world
A towering bank undercut by a small church nearly kills us.


Comment: Underlying assumptions are false (Score 1) 232

by jd (#46793425) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Ok, the envelope game. You can rework it to say the second envelope contains the next vulnerability in the queue of vulnerabilities. An empty queue is just as valid as a non-empty one, so if there are no further flaws then the envelope is empty. That way, all states are handled identically. What you REALLY want to do though is add a third envelope, also next item inquire, from QA. You do NOT know which envelope contains the most valuable prize but unless two bugs are found simultaneously (in which case you have bigger problems than game theory), you absolutely know two of the envelopes contain nothing remotely as valuable as the third. If no bugs are known at the time, or no more exist - essentially the same thing as you can't prove completeness and correctness at the same time, then the thousand dollars is the valuable one.

Monty Hall knows what is in two of the envelopes, but not what is in the third. Assuming simultaneous bug finds can be ignored, he can guess. Whichever envelope you choose, he will pick the least valuable envelope and show you that it is empty. Should you stick with your original choice or switch envelopes?

Clearly, this outcome will differ from the scenario in the original field manual. Unless you understand why it is different in outcome, you cannot evaluate a bounty program.

Now, onto the example of the car automotive software. Let us say that locating bugs is in constant time for the same effort. Sending the software architect on a one-way trip to Siberia is definitely step one. Proper encapsulation and modularization is utterly fundamental. Constant time means the First Law of Coding has been broken, a worse misdeed than breaking the First Law of Time and the First Law of Robotics on a first date. You simply can't produce enough similar bugs any other way.

It also means the architect broke the Second Law of Coding - ringfence vulnerable code and validate all inputs to it. By specifically isolating dangerous code in this way, a method widely used, you make misbehaviour essentially impossible. The dodgy code may be there but it can't get data outside the range for which it is safe.

Finally, it means the programmers failed to read the CERT Secure Coding guidelines, failed to test (unit and integrated!) correctly, likely didn't bother with static checkers, failed to enable compiler warning flags and basically failed to think. Thoughtlessness qualifies them for the Pitcairn Islands. One way.

With the Pitcairns now overrun by unemployed automotive software engineers, society there will collapse and Thunderdome v1.0a will be built! With a patchset to be released, fixing bugs in harnesses and weapons, in coming months.

Submission: Minerva CEO Details His High-Tech Plan to Disrupt Universities

Submitted by waderoush
waderoush (1271548) writes "In April 2012, former Snapfish CEO Ben Nelson provoked both praise and skepticism by announcing that he’d raised $25 million from venture firm Benchmark to start the Minerva Project, a new kind of university where students will live together but all class seminars will take place over a Google Hangouts-style video conferencing system. Two years later, there are answers – or the beginnings of answers – to many of the questions observers have raised about the project, on everything from the way the seminars will be organized to how much tuition the San Francisco-based university will charge and how it's gaining accreditation. And in an interview published today, Nelson shares more details about how Minerva plans to use technology to improve teaching quality. ‘If a student wants football and Greek life and not doing any work for class, they have every single Ivy League university to choose from,’ Nelson says. ‘That is not what we provide. Similarly, there are faculty who want to do research and get in front of a lecture hall and regurgitate the same lecture they’ve been giving for 20 years. We have a different model,’ based on extensive faculty review of video recordings of the seminars, to make sure students are picking up key concepts. Last month Minerva admitted 45 students to its founding class, and in September it expects to welcome 19 of them to its Nob Hill residence hall."

Comment: Re:However.... (Score 1) 232

by jc42 (#46788805) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

To prevent double-use like this, a company should say that you don't get paid until they've fixed the bug and issued a patch for it in their software, all without the exploit ever being spotted in the wild.

One problem with this is that there's already a documented history of companies rejecting bug reports and not paying the bounty, and then some time later include a fix for it in their periodic updates. It's basically the same process that causes a company's "app store" to reject a submitted tool to do a particular job, and then a few months later releasing their own app that does the same thing.

I know a good number of people who've been bitten by the latter, from both MS and Apple. In the case of a bug, it's a lot harder to document that this has happened, but various software guys I know express a strong suspicion that it has been done to them.

It's widely believed that corporations don't have ethics at all, only costs and income, which would easily explain this sort of fraudulent "offers" of rewards with no intent to pay. We've heard here often from lots of people who think that this is right and proper, and that corporations should only be motivated by the bottom line.

When combined with the growing penchant for treating someone who reports a security bug as a criminal "security hacker" and prosecuting people who report bugs in software products, this should reasonably make a sensible developer reluctant to take rewards programs seriously. Given an offer which could get you thanks and some money, or could land you in jail for your efforts, and no way to know beforehand which the company will do, why would you even consider letting them know your name?

(Actually, my name has appeared in numerous companies' lists of honored contributors thanks to my bug reports and patches. But I haven't sent in security-related bug reports to many companies, only to the ones I have reasons to believe I can trust.)
