
Comment Another approach - prior art (Score 3) 60

I think it is probably a bad idea to rely on the expensive patent process to protect open source. Isn't it better to make the software available and visible so that it can be clearly established that it is prior art, i.e. already known by all, when someone tries to patent drawing rectangles on the screen, or whatever? I'm probably ignorant, but what's wrong with that approach? Is it less certain to succeed in a court, or is it possible to patent something that someone else has already done and explained how to do?
Security

Submission + - Openwall Linux 3.0: no SUIDs, anti log spoofing (openwall.com) 2

solardiz writes: Openwall GNU/*/Linux (or Owl for short) version 3.0 is out, marking 10 years of the project. Owl is a small security-enhanced Linux distro for servers, appliances, and virtual appliances. Two curious properties of Owl 3.0: no SUID programs in default install (yet the system is usable, including password changing) and logging of who sends messages to syslog (thus, a user can't have a log message appear to come, say, from the kernel or sshd). No other distro has these. Other highlights of Owl 3.0: single live+install+source CD, i686 or x86_64, integrated OpenVZ (host and/or guest), "make iso" & "make vztemplate" in included build environment, ext4 by default, xz in tar/rpm/less, "anti-Debian" key blacklisting in OpenSSH. A full install is under 400 MB, and it can rebuild itself from source.

Comment Re:His idea seemed bad to me (Score 2, Interesting) 236

Net result is that you and only you know who you voted for, and you can verify that your vote was counted.

Sorry for being dense, but how does that verify that my vote is affecting the announced result of the election? Couldn't they just announce "X got 60% of the votes" anyway? (By jamming in a lot of false ballots, or by just lying?)

Comment Re:Ok... (Score 4, Interesting) 230

Odd question.

I don't know about three days, but certainly under a week, which is completely normal in free software. Proprietary vendors generally want between six months and two years, but free software vendors and projects very rarely ask for more than a week or two delay before publication.

In fact, Linus famously tells people not to tell him about any security issue you want kept secret for more than a week, as he will just go ahead and fix it.

Comment Re:Ok... (Score 5, Interesting) 230

Odd, I don't know why you're picking on me, but I assume "Android Kernel" is marketing-speak for "Linux", in which I've reported, found and fixed dozens of flaws over the years.

As you're so interested, here are some from the last month or two that you can take a look at.

CVE-2010-3080, A use-after-free in snd_seq_oss_open
CVE-2010-2960, A to-userspace dereference in keyctl_session_to_parent.
CVE-2010-2954, Kernel panic and to-userspace dereference in AF_IRDA sockets.
CVE-2010-3067, Various problems with aio (things like aio_submit())

The Coverity results I've seen in the past are generally very low quality with a high density of chaff. I haven't seen the report they're talking about, but would be surprised if there were any noteworthy findings with any significant security impact. The only report I've seen them publish that had any convincing vulnerabilities was in 2006, where they found a verifiable privilege escalation in XFree86 (due to a pretty horrendous typo).

I'm a little saddened that you so readily associate me with Windows security, whereas I consider myself primarily a Linux security developer, but I guess I'm flattered that where I spend my time is so important to you.

(perhaps a little creepy, though).

Comment Easy 100% car performance increase (Score 1) 570

It's easy: car pool!
With two people in the car, the amount of useful work* is doubled!
* = hauling people around, as opposed to hauling a large heavy metal box around
A fundamental problem about cars and energy efficiency is not about the engine, or how to improve its efficiency with 20% or so, it is about how we construct our societies, roads, public and goods transportation. When we build ourselves into a car centric, there really isn't that much we can do to reduce our energy consumption.

Comment Re:Link to the original article (Score 1) 140

This very useful comment was found in TFA.

This story was part of "The Transformation Age", a public TV documentary with Robert X Cringely back in 2008 from MPT and the Univ of MD. The whole Kodak segment is available to watch online at http://www.rhsmith.umd.edu/transformationage/download/kodak.mov Steve Sasson was a really nice guy. Alas, the first digital photo was lost forever. It was a pic of a co-worker, and was 10,000 pixels – .01 megapixels.

Comment Re:Elite (Score 3, Insightful) 134

Actually, his comment was entirely accurate.

I've reported dozens of critical vulnerabilities in Microsoft software over the years, and I still have multiple open cases with Microsoft security; this particular case wasn't as simple as you have assumed. I would not be so presumptuous to explain the ethics of your work to you, but evidently you believe you're qualified to lecture me in mine.

If I were to read the sensationalised lay-press coverage of your latest publication or project, would it prepare me to write a critique of your work?

Comment Re:We promise we won't hurt you. (Score 1) 628

If you sign a non-disclosure agreement that he had to have to have access to classified, he is no hero. You do not get to decide when classified data should be released, regardless of how it makes you feel. There are proper channels for complaining about things and he could have availed himself of those, if he had a problem with what was happening around him.

Actually, your idea that he shouldn't reveal atrocities because he was ordered not to has not been in vogue since the Nuremberg trials.
