Obligatory comic here: http://owlturd.com/post/730466...

xkcd's "Significance" pithily explains p-hacking.

If you don't like this idea, send an email (as they request) to Sharron Cook, publiccomments@bis.doc.gov. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments. Explain why you think it's a bad idea, with reasoned arguments. Before commenting, you should read the proposal first: https://www.federalregister.go...

Don't even ask. On the initial start-up, start calculating those new keys. You want the DEFAULT to be secure.

Put away the bingo card. Some languages, like Lisp and Haskell, actually DO bring seriously different ideas to the table, and there are tasks where their ideas are useful. A few examples may help. Once a "variable" is set, you cannot change its value (though it CAN go out of scope). This has serious reasoning and optimization advantages, but it requires a different way of thinking. Haskell has lazy evaluation, i.e., it computes nothing until you ask for it. It's routine to define infinitely-large data structures, which is a non-problem because only the parts you need are calculated. If you're only familiar with the ALGOL language family (C, C++, Objective-C, Java, C#, PHP, Python, etc.), you'll need to do some real learning.

My article How to Prevent the next Heartbleed lists in detail different ways that Heartbleed could have been found ahead-of-time. The point isn't to find it now, it's to learn from Heartbleed so we prevent a recurrence. There are many ways to detect vulnerabilities like this ahead of time... we need to start using some of them.

At one time a number of constructed languages were created and got some speakers (including Esperanto). But relatively few people learn a language just for fun (yes, I know about Klingon and Elvish, but they will not be replacing English). Most people will only learn a language if they have a strong need to USE that language to communicate with some large group of people. Esperanto is actually much easier to learn than English; it's a reasonable constructed language. I spent a little time learning some of it, and I appreciate its clever approaches to making it easier to learn (e.g., the "mal-" prefix). The problem is that you can only speak with other Esperanto speakers in it. English is a mess of complications, like all natural languages. In some ways English is easier; in others it is harder. But when you learn English, you can talk to the other 1 billion people who can speak English as a first or second language. For most people, THAT is what makes English worth learning. Again, you normally learn a language specifically so you can communicate with others. Chinese actually has more speakers than English, but they are concentrated in China; worldwide, it's easier to find an English speaker than any other specific language. If you want an easier-to-learn language than standard English, you might consider an English-based controlled language like "Basic English" https://en.wikipedia.org/wiki/... or the "Special English" used by Voice of America https://en.wikipedia.org/wiki/... ; these are more complicated than Esperanto, but you can talk with many more speakers. I can imagine "mostly compatible with existing English" could be a necessary criteria for "new" constructed language, if you need to create one at all.

One reason I bought an earlier Samsung is *specifically* because it supports a micro-SD card. Nice specs, but no micro-SD is a weakness to me.

I agree that Apache web server support is vital if HTTP/2 is to get much use. That said, the mod_spdy plug-in for Apache supports SPDY, and has been accepted into Apache trunk. See: http://googledevelopers.blogsp... https://svn.apache.org/viewvc/...

Since HTTP/2 is based on SPDY, it seems likely that this plug-in will be tweaked to support HTTP/2. That said, I suspect the Apache Foundation would say something like, "patches welcome".

The vast majority of people who use the term "open source software" use it with roughly the same meaning as OSI does, which is all that matters. You can confirm this with a quick Google search. Also, note that many organizations that require something to be be "open source software" will point to the OSI definition.

By the commonly-used definition of "open source software", you MUST be able to fork the project and maintain your own version. You cannot legally do that with TrueCrypt, therefore, by definition it is not open source software. Case closed.

TrueCrypt isn't open source software, in spite of the author incorrectly claiming it is. More detail is here, which the author could have learned in 2 minutes of Googling: http://en.wikipedia.org/wiki/T... ... for your amusement, I have quoted it below:

TrueCrypt was released under the "TrueCrypt License" which is unique to the TrueCrypt software. It is not part of the pantheon of widely used open source licenses and is not a free software license according to the Free Software Foundation (FSF) license list, as it contains distribution and copyright-liability restrictions. As of version 7.1a (the last full version of the software, released Feb 2012), the TrueCrypt License was Version 3.0.

Discussion of the licensing terms on the Open Source Initiative (OSI)'s license-discuss mailing list in October 2013 suggests that the TrueCrypt License has made progress towards compliance with the Open Source Definition but would not yet pass if proposed for certification as Open Source software.

According to current OSI president Simon Phipps:

...it is not at all appropriate for [TrueCrypt] to describe itself as "open source." This use of the term "open source" to describe something under a license that's not only unapproved by OSI but known to be subject to issues is unacceptable.

As a result of its questionable status with regard to copyright restrictions and other potential legal issues, the TrueCrypt License is not considered "free" by several major Linux distributions and is therefore not included in Debian, Ubuntu, Fedora, openSUSE, or Gentoo.

The wording of the license raises doubts whether those who use it have the right to modify it and use it within other projects. Cryptographer Matthew Green noted that "There are a lot of things [the developers] could have done to make it easier for people to take over this code, including fixing the licensing situation", and speculates that since they didn't do those things (including making the license more friendly), their intent was to prevent anyone from building on their code in the future.

End of life and license version 3.1

The 28 May 2014 announcement of discontinuation of TrueCrypt also came with a new version 7.2 of the software. Among the many changes to the source code from the previous release were changes to the TrueCrypt License — including removal of specific language that required attribution of TrueCrypt as well as a link to the official website to be included on any derivative products — forming a license version 3.1.

On 16 June 2014, the only alleged TrueCrypt developer still answering emails, replied to an email by Matthew Green about the licensing situation. He is not willing to change the license to an open source one, believes that Truecrypt should not be forked, and that if someone wants to create a new version they should start from scratch.

This is straight from The Dictator's Practical Internet Guide to Power Retention (recommended).

If you transfer bitcoins to some other organization, then THEY have the bitcoins, not you. If you just want to give money to someone else, there are easier ways to do that than by using bitcoin :-).

it seems to me that if you want to use bitcoins, then you should keep the bitcoins in YOUR OWN wallet and under your OWN control until you want to spend them. Don't hand your bitcoins to a so-called "bank", a "trading company", or anyone else unless you purpose is to GIVE THEM the money. I don't know how successful bitcoins will be in the long term, but if they succeed it will be because people seriously protect the bitcoins.

90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that more more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."

Leap seconds work perfectly well for most situations. If you need precision monotonically-increasing seconds, use TAI time (or "GPS time", which is at a fixed offset from TAI). Leap seconds keep atomic clocks and the real world reasonably synchronized; any other approach will have its own problems.