Comments


Heartbleed Sparks 'Responsible' Disclosure Debate

Anonymous Brave Guy Re:PS: how do you think it gets on the distro mirr (176 comments)

I think there is a qualitative difference between notifying large end users like Facebook in advance, and notifying people in the distribution system for a general release. It's the former that inherently means the people who aren't large end users with privileged access get left exposed for longer than necessary, and that's what I'm objecting to.

2 days ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Anonymous Brave Guy Re:Wrong math. 2 years of vulnerability. (176 comments)

You're latching onto this specific case, perhaps because you have some connection to it, but I'm talking about the general principle here. In general, it is not unreasonable to assume that if a vulnerability has been found by two parties in rapid succession, there may be a common factor involved, which may mean that other parties will also find it in the same time frame, and that an extra day may therefore be very significant.

Obviously most serious security bugs don't sit there for years, then have two groups discover them at almost the same time, as seems to have happened in this case, and need half the known Internet to update their systems as a precaution because no-one really knows whether they've been damaged by the vulnerability at any time over the past couple of years.

ROTFL. Yep, large corporate bureaucracies, they ALWAYS do exactly the right thing, in a matter of hours.

If it's that funny to you, why are you defending giving them a day of advanced warning? Some of us did have a patch rolled out within a couple of hours of the public announcement, but presumably we could have had the patch rolled out a day earlier in the alternative situation. Once again, in this case, one day in two years obviously isn't that significant as we're all going to have to assume keys were compromised and set up new ones anyway. But if this was something that only got committed three days ago, it's a different story.

2 days ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Anonymous Brave Guy Re:Not that good (176 comments)

Since "people" cannot be negative, by necessity (dev team) + (other people) >= (dev team)

You're still assuming that the dev teams, or to be more precise the parts of the dev teams who will actively review new code, are the same size. That isn't necessarily true at all, so the "provided everything else is equal" part of your last sentence is the problem here.

2 days ago

Click Like? You May Have Given Up the Right To Sue

Anonymous Brave Guy Re:The power of EULAs only goes so far (214 comments)

My point is there's no "might" about it - as long as the arbitration clause applies to both parties and the arbiter is a neutral one, it's a perfectly legal and enforceable clause...

It's still highly uncertain whether a court would find a contract to exist at all under these conditions.

Even if it does, you can always go to court and argue for your right to be there because the other guy's term about arbitration is unenforceable for whatever reason. The court might disagree and send you back to arbitration, but they won't stop you coming in the door in the first place.

2 days ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Anonymous Brave Guy Re:False sense of security (176 comments)

What I really don't like about the whole statement behind it is the implied assumption that closed source offered any kind of better protection.

Which statement do you think implied that? I don't see anything about it in this thread.

2 days ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Anonymous Brave Guy Re:Not that good (176 comments)

However, no matter how you look at it, the number of people who actually do will always be equal or higher than for closed source software.

Why? I see little evidence that this is happening in general.

Most established OSS projects seem to require no more than one or two reviewers to approve a patch before it goes in, and then there is no guarantee that anyone will ever look at that code again later.

How does that guarantee that more experts will review a given piece of security code than in a proprietary, closed-source, locked-up development organisation that also has mandatory code reviews?

2 days ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Anonymous Brave Guy False sense of security (176 comments)

The whole point of OSS is that I do not need to trust it. I can review it if I please.

But you didn't review it and find the vulnerability, did you?

And apparently, despite the significance and widespread use of this particular piece of OSS, for a long time no-one else did either, or at least no-one who's on our side did.

Your argument is based on theory. The AC's point is based on pragmatism. It's potentially an advantage that OSS can be reviewed by anyone, but a lot of the time that gives a false sense of security. What matters isn't what could happen, it's what actually does happen.

2 days ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Anonymous Brave Guy But what if someone *is* harmed by the delay? (176 comments)

Nobody was harmed by hearing about it on Tuesday rather than on Monday

Isn't that assumption where the whole argument for notifying selected parties in advance breaks down?

If you notify OpenSSL, and they push a patch out in the normal way, then anyone on the appropriate security mailing list has the chance to apply that patch immediately. Realistically, particularly for smaller organisations, it will often be applied when their distro's mirrors pick it up, but that was typically within a couple of hours for Heartbleed, as the security and backporting guys did a great job at basically all of the main distros on this one.

As soon as you start picking and choosing who else to tell first, yes, maybe you protect some large sites, but those large sites are run by large groups of people. For one thing, they probably have full time security staff who will get the notification as soon as it's published, understand its significance, and act on it immediately. For another thing, they probably have good automated deployment systems that will systematically patch all their affected servers reliably and quickly.

(I accept that this doesn't apply to those who have products with embedded networking software, like the Cisco and Juniper cases. But they can still issue patches to close the vulnerability quickly, and the kinds of people running high-end networking hardware that is accessible from outside a firewall are also probably going to apply their patches reasonably quickly.)

On the flip side, as long as you're giving advance warning to those high profile organisations, you're leaving everyone else unprotected. In this case, it appears that at least two different parties identified the vulnerability within a few days of each other, but the vulnerability had been present for much longer. There is no guarantee that others didn't already know about it and weren't already exploiting it. In general, though it may not apply in this specific case, if some common factor prompted the two contemporaneous discoveries, it might well be the case that additional, hostile parties have found it around the same time too.

In other words, you can't possibly know that nobody was harmed by hearing about it a day later. If a hostile party got hold of the vulnerability on the first day, maybe prompted by whatever also caused the benevolent parties to discover it or by some insider information, then they had a whole day to attack everyone who wasn't blessed with the early knowledge, instead of a couple of hours. This is not a good thing.

2 days ago

Click Like? You May Have Given Up the Right To Sue

Anonymous Brave Guy Re:The power of EULAs only goes so far (214 comments)

As I did say in my previous post, but you omitted when quoting it, this might stand up if all parties agreed to the arbitration. Sometimes C2C contracts include these kinds of terms, for example.

However, it's going to be tough in most jurisdictions (obviously not everyone in the world is subject to the US legal system) to convince a judge that such a heavyweight term in a contract of adhesion that one of the parties may not even have realised existed should be enforced. For example, in my country we have the Unfair Terms in Consumer Contracts Regulations 1999. If you like, you can search down that page for the words "Compulsory arbitration clauses are automatically unfair for the purposes of most consumer disputes" and you can look up the law itself to see why.

Of course, all of this presumes that a contract even exists in the first place, which is another obvious avenue of attack against this strategy. For example, contracts generally require some form of consideration in both directions. What is in it for the guy who clicked 'Like' to accept such a draconian restriction in return? And if the original action was simply buying cereal from your local store, then the contract is almost certainly between you and the store, not the cereal company. While legal systems have been known to recognise third party rights under some conditions (again, varying by jurisdiction etc.) you'd probably come back to things like whether such terms were an expected part of the contract of sale, and whether they were unfair/unconscionable. And guess who is going to rule on that...

2 days ago

Click Like? You May Have Given Up the Right To Sue

Anonymous Brave Guy Re:The power of EULAs only goes so far (214 comments)

Indeed. Good luck arguing in court that someone gave up their right to sue. The legal profession tends to be awfully sceptical of such measures, and none more so than judges. While it might stand up if, for example, all parties agreed to use some reasonable form of binding arbitration instead, it's hard to imagine the big company would get anywhere against the little customer under these conditions.

2 days ago

How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Anonymous Brave Guy Need for better systems programming languages (580 comments)

I suspect you meant that sarcastically, but if system software (meaning OS kernels, network stacks, device drivers, etc.) were written in better languages, our computer systems could be far safer and more robust, quality of life could be better, and the benefit to productivity and the global economy could be substantial.

For the computing industry, it is one of the great tragedies of our time that C and its derivatives have become so entrenched. There is absolutely no reason we can't have a systems programming language that offers the necessary low-level control without the limited programming model, error-prone syntax and weak safety features of C.

Unfortunately, it is momentum and ubiquity that keep most of the industry using C and its brethren, not technical merit. The vast ecosystem surrounding C is hard to beat for scale. There is promising work being done in some places, Rust for example, but I know of no practical alternative that is ready for production use today.

Of course, OpenSSL itself isn't running at the level of an OS kernel, so it doesn't need the same degree of low-level access anyway. But there is a wider point here about much more than just OpenSSL.

4 days ago

How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Anonymous Brave Guy Re:Why is Raymond's claim theoretically sound? (580 comments)

Please read what Raymond actually wrote in The Cathedral and the Bazaar. My criticism applies equally to his more formal definition of Linus's Law, and to his extended argument as a whole.

No-one (sensible) claims that any code review process will find absolutely all bugs. But Raymond's article seems to be arguing that having enough developers and testers on a project will inevitably get you very close.

And yet, we are talking about this in a discussion about a severe bug in one of the most widely used OSS projects on the planet that went undiscovered (or at least unreported and unfixed) for years.

4 days ago

How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Anonymous Brave Guy Re:Why is Raymond's claim theoretically sound? (580 comments)

It is only by having hundreds or thousands of them that you can hope to catch those ones that would otherwise go unnoticed.

But how many FOSS projects really have diligent review of all their code by anything like that many people? For many projects, getting a change accepted requires only the approval of one or two others. Activities like the current detailed review of TrueCrypt are the exception, not the rule.

If you really want a dramatic improvement in catching these kinds of bugs and you've already got a respectable code review process in place, you'd probably do better by considering complementary strategies instead of pursuing ever diminishing returns from throwing more people into the same informal code review process. Choose safer programming languages that don't admit certain kinds of programmer error in the first place. Employ formal methods to make sure the underlying algorithms are sound. Adopt different testing strategies.

Sadly, using safer programming languages is still swimming against the flow of mainstream programming tools, while using formal methods or many testing strategies outside of having an automated unit test suite sounds like heavyweight design to some people, and this upsets all the newbies who think being "agile" and "moving fast and breaking things" are the way you make good software when quality really matters.

Improving software quality is in significant part a social problem, but the solution is not requiring more people to be reviewers, it's getting more people to understand that just having more reviewers is not enough.

4 days ago

How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Anonymous Brave Guy Why is Raymond's claim theoretically sound? (580 comments)

Raymond's proposition is theoretically sound

No, it isn't. It's nonsense and it always has been.

There is plenty of evidence for the effectiveness of good code reviews, but most of it shows rapidly diminishing returns with the number of reviewers. You get much of the benefit from having even one or two additional people read over something. By the time you've had more than four or five people take a look, the difference in effectiveness from adding more barely even registers, unless one of the additional reviewers has some sort of unique perspective or expertise that makes them not like the others.

Given that almost every major FOSS system software project has had its share of security bugs, there is really very little evidence to support Raymond's claim at all. It's not like it has ever been taken seriously outside the FOSS fan club, but there are a lot of FOSS fans on Slashdot, and so plenty of comments (and positive moderations) reinforce the groupthink as though it's some inherent truth.

4 days ago

LA Police Officers Suspected of Tampering With Their Monitoring Systems

Anonymous Brave Guy Re:Easy fix (322 comments)

Justice is never found in applying the law differently to different groups.

Perhaps. However, there is an inherent inequality here because the law inevitably grants certain additional rights and powers to police officers that are not enjoyed by the common citizen. It is not unreasonable to assign proportionately greater responsibility to them as well.

about two weeks ago

LA Police Officers Suspected of Tampering With Their Monitoring Systems

Anonymous Brave Guy Re:Easy fix (322 comments)

If their union is so powerful, how come they're subject to routine monitoring in this way at work?

It looks like the negative publicity from a not so great track record is exerting more pressure than anyone's union right now.

about two weeks ago

Should Microsoft Be Required To Extend Support For Windows XP?

Anonymous Brave Guy Re:Complete access and indefinite support for free (650 comments)

That's certainly a plausible alternative, I agree. Any way you cut it, the bottom line is that providing ongoing support for ageing software is very expensive, not to mention actively harming efforts to migrate a customer base to newer and better versions. No business is going to accept that kind of obligation without charging a realistic amount of money for meeting it, one way or another.

about two weeks ago

Should Microsoft Be Required To Extend Support For Windows XP?

Anonymous Brave Guy Re:Complete access and indefinite support for free (650 comments)

And Mark Zuckerberg has a lot more money than me, so I should go start a social network and then I'll surely become a billionaire in a few years.

You can't base credible economic policy and market regulation on carefully selected outliers like that. For every out-of-the-park success story like XP, there is a Vista (or usually many Vistas) where other developers put in time and money on the same scale and failed spectacularly.

about two weeks ago

Should Microsoft Be Required To Extend Support For Windows XP?

Anonymous Brave Guy Re:Complete access and indefinite support for free (650 comments)

If you want to use technology that works on that basis, nothing is stopping you from restricting yourself to Open Source software where you know it will be a viable option.

Microsoft has advertised the length of support that will be available for its major product lines for years in advance of their retirement dates, has already supported some of those products far beyond what any similar software developer in the industry offers, and offers newer products of similar types with ongoing support for many years to come. No-one can seriously claim they thought they were entitled to more than this when they bought Microsoft, and the failure of any large organisations to plan an effective IT strategy given, again, several years of advance notice of what was going to happen, is neither Microsoft's fault nor their responsibility.

about two weeks ago

Should Microsoft Be Required To Extend Support For Windows XP?

Anonymous Brave Guy Re:Complete access and indefinite support for free (650 comments)

to support they could simply release their internal documentation, source code, diagrams etc. to the public

That isn't a simple matter at all if you're still developing new versions of your product based on the same materials. You are proposing that a business whose primary asset is its collective knowledge should be required to give away the most important knowledge it has accumulated, at great cost, up to a certain point, just to absolve it of a hypothetical liability that it was never realistic to assign to that business in the first place.

That would be a fair compromise considering that IT is one of the very few industries that get away with delivering faulty, unstable and insecure products as the accepted norm. If houses or clothes or refrigerators were produced like software...

...then a lot of houses would need expensive repairs after a few years to fix damage caused by subsidence, pests, unanticipated weather conditions, or the neighbours causing damage while doing work on their own property, while cheap clothes would be some of the most frequently returned items in stores because they fall apart after they've hardly been worn due to economising on manufacturing techniques and materials?

People talk a lot about how software is unreliable and breaks all the time, but the reality is that most consumer software is remarkably resilient given the many and varied jobs it needs to do and the cost of making it. I'm writing this on a Windows 7 PC that I've had for several years. I can count on my fingers the total number of times Windows has fallen over, and as far as I know all of them were actually caused by either a hardware failure or a dodgy update to some additional system software like a device driver or security tool, not by Windows itself. Sure, some software isn't up to scratch and the people who make it deserve to be criticised, but I don't think it's fair to claim that software in general is some sort of unusable, bug-ridden mess.

about two weeks ago

Submissions


YouTube blocking premium music videos in UK

Anonymous Brave Guy writes  |  more than 5 years ago

Anonymous Brave Guy (457657) writes "What happens when the might of Google clashes with the might of Big Media? We're about to find out: after failing to negotiate a licensing deal with the PRS (one of the UK's collective licensing bodies for music), YouTube has simply pulled the plug, and as of 6pm Monday, premium music videos will start disappearing for visitors from the UK. From the BBC article, it seems the PRS asked for an unspecified but large increase in the royalties, and when Google worked out that they would actually be losing money on the service at that price, they firmly declined. The PRS has asked YouTube to reconsider as a "matter of urgency"."

Virgin's demise: illustrating the problem with DRM

Anonymous Brave Guy writes  |  more than 6 years ago

Anonymous Brave Guy (457657) writes "The BBC have an interesting article up today about the demise of Virgin Digital, which has offered music on a monthly subscription system, and how this is leaving their customers in a jam because they signed up to a DRM-based subscription service. This is no doubt not a new concern to many here, but it's the second real-life example of such a service folding within a matter of weeks, and interesting that a well-regarded mainstream news source is now openly condemning DRM and vendor lock-in, and advising people to avoid such services."

Anonymous Brave Guy writes  |  more than 6 years ago

Anonymous Brave Guy (457657) writes "The BBC reports that CD-Wow, the third largest on-line music retailer in the UK after Amazon and Play, has been found in contempt of court for selling illegally imported CDs into the UK. Describing the verdict as "CD woe", the company claimed that all they were doing was bringing CDs into the UK that had been legitimately purchased from the big media companies elsewhere, with any breach of copyright down to human error, and that "At a time when the record industry is losing vast revenue to piracy, it seems ludicrous that they can set out to destroy a section of the market that is actually making them money.""

Anonymous Brave Guy writes  |  more than 7 years ago

Anonymous Brave Guy (457657) writes "The Gowers Review of Intellectual Property, a large-scale, government-commissioned review of the current IP framework in the UK, has today published its final report. The report itself doesn't seem to be available yet, but the government's response (which includes a summary of the Gowers recommendations) is contained in the pre-budget report, linked from the same site.

Highlights include: proposing much stronger enforcement/penalties for infringement of IP rights, possibly including a fast-track litigation process and up to 10 years in prison for on-line copyright infringement; introducing a "private copying" exception to legalise format-shifting; and a recommendation that the European Commission should not extend copyright protection in sound recordings and performers' rights any further than the existing 50 years.

The government seems to be endorsing the Gowers recommendations pretty much in their entirety, and in particular has acknowledged the recommendation on not extending copyright terms via the European back door."

Anonymous Brave Guy writes  |  more than 7 years ago

Anonymous Brave Guy (457657) writes "It looks like Tesco, the UK's biggest supermarket, is planning to take on software giants like Microsoft with a new range of cheap, own-brand software covering office apps, photo editing and more. Tesco's Daniel Cook said, "When it comes to software there is little choice and prices are high. Our new range of software changes this." There's no sign yet on Tesco's web site, but an October date is mentioned in the BBC article. Sounds like a good time to be buying sell options... But in which company?"

Journals

Anonymous Brave Guy has no journal entries.
