Clarificiation on the IP Address Security in Dropbox Case
ARRRGGGHHHHH.... CLARIFIC-I-ATION. I can't even spell it wrong when I WANT to!
Clarificiation on the IP Address Security in Dropbox Case
Don't you wanna read about "clarificiations"?
Indeed. Now, most of you are out in the world seeking clarity. But, as long-time contributor Bennett Haselton writes, much more important than that is 'clarifice', the ability to explain truthiness without resorting to expertise or insight. Keep reading to see Bennett's clarification of how over two hundred years of jurisprudence can be usefully transposed onto decades-old technology....
The People Who Are Branding Vulnerabilities
You don't get points for media mentions.
You're right. You don't get points. You get funding and awareness which is far more important.
Not necessarily. If the vulnerability du jour is catching media attention the way Ebola did, then you're probably not doing work you should be doing because you've got a CEO who just publicly pronounced that not one of your customers ever is going to get $EBOLA because of you. And suddenly your entire development cycle is in ruins, every manager everywhere has to explain in voluminous detail why his business unit will not be the cause of the next $EBOLA crisis, consultants will be hired to waste your time confirming that you really never were going to contribute to the global $EBOLA scare anyway....
... and meanwhile, your maintenance cycle is fucked, you have no budget left to do the upgrades that you need to avoid good old-fashioned data loss due to hardware failure, your children have forgotten who you are, and your wife just accidentally emailed her entire carpool pictures of her naughty bits (instead of her little piece on the side, as she intended).
And your dog ran away.
NOW how does all that funding and awareness feel, eh kid?
How Intel and Micron May Finally Kill the Hard Disk Drive
So you would pay $1200 for a hard drive "without hesitation"?
Don't scoff. There are a number of scenarios where even several thousand bucks can go over the board without a second thought as long as there's some demonstrable benefit. In photography or video editing, your billing rate can be such that a couple of hours saved waiting on disk I/O can be sufficient to justify some serious spending on storage.
I've got 10 TB on my desk at home, and photography is not my primary work. It was nothing to me to drop over a thousand bucks on a decent hardware RAID controller and disk array. I'd seriously consider moving to SSDs as my primary storage medium if the price got down to 2-2.5 times the cost of a traditional disk.
Two Google Engineers Say Renewables Can't Cure Climate Change
Careful, you'll give yourself an aneurysm.
Ask Slashdot: Who's the Doctors Without Borders of Technology?
Heyya - just a quick tip of the hat - sounds like we got started much the same way. What part of the Canadian frontier you tame? Yukon here, early 90s with a NPO.
Eastern Arctic, at about the same time. Worked with Jeff Philippe a bit, too. He was operating out of Yellowknife back then. We set up what was at the time the most remote commercial ISP in the world. It was a great lesson in doing more with less, but still operating in a place where the broader context was more or less sane.
The thing that people forget when they're working in developing countries is that you can't take even the smallest things for granted. The movement of goods can resemble Brownian motion more than anything else. I've been in situations where the tool (or part) I needed simply didn't exist in the country. And I'm not talking about arcane, hard-to-find items - I mean things like the proper allen key to mount drives into their enclosures in a rack mount server. Power is abysmally poor, and UPSes degrade about as fast as bread on a hot day - and they're all hot days.
Long story short: It's tedious, difficult work with few rewards. Often you measure success in disasters averted. I wouldn't recommend it for most people, and I wish that some well-meaning people would stay the fuck away. But those who end up here, end up living a life to be envied.
Ask Slashdot: Who's the Doctors Without Borders of Technology?
Stay home. Seriously. As someone who has spent the last decade working on technology in the developing world, I can tell you that most of what I do is clean up after well meaning people who don't know enough about technology to avoid making simple mistakes, and who know next to nothing about local conditions. I cut my teeth working on the Canadian frontier, and I suggest you do something similar. Don't try to help until you're confident you can.
President Obama Backs Regulation of Broadband As a Utility
Thank you for giving us the Netflix perspective.
That's not just the Netflix perspective. It's the perspective that most sane individuals have.
1) Residential broadband networks were never engineered as video delivery systems. The advent of mainstream streaming video completely changed the engineering calculus for last mile networks. Oversubscription ratios need to change to accommodate the higher peak hour bitrates; this takes time and costs money. Where should this money come from?
Erm, even in the 1990s it was clear that point to point video was going to be an integral part of the internet. And I don't mean 'clear to me in hindsight', I mean clear to the guys selling fibre and switching gear to telcos and ISPs. I consulted with one of the largest and most advanced network equipment companies in the world, at one of their development labs. They were already talking about video on demand as a certainty in 1998, and rushing to get products to market.
If Comcast's management, in their infinite wisdom, were unable to see the writing on the wall 15 years ago, then they have only themselves to blame. The problem is that they have little incentive to invest aggressively, because they don't face substantive, effective competition in the majority of their marketplaces. So now, their complacency is such that they feel they have a right to bitch about the expense of providing a level of service that is well behind the state of the art in Europe, even lagging behind powerhouses like Estonia?
To answer your question, therefore: The money should come from reinvestment of profits. Just like every other ISP and telco that has managed to leave them in the technological dust. If you plan to make the case that Comcast is somehow struggling to get by on the pittance they charge because of vanishingly small margins, then I'd suggest that the answer there is for them to give way to a company that actually knows how to make money in a sure-fire profitable business that features some of the more profitable corporations in the world. The fact is, they're making more and investing less than ever before.
Why should I pay the same for my connection as the household that's running three or four simultaneous HD streams during peak hours? My 95th percentile is less than 0.5 Mbit/s, yet I pay the same as my neighbor who regularly runs three HD streams at the same time. Hardly seems fair, does it?
You should pay the same because the baseline level of service should be minimum 10-20 Mbps these days. The fact that you use a vanishingly small percentage of that capacity should be your problem, not everyone else's. Pulling one or two video streams is baseline operability these days. For fuck's sake, I can do it and I live in the developing world in a place with some of the most obscenely high prices in the world!
I know that misery loves company, but just because your usage is unusually low is not justification for limiting the capacity of Comcast's entire customer base.
Joey Hess Resigns From Debian
You missed the point completely.
I missed part of the point, yes. But...
The point is that people are complaining that Debian changed the default init system and that there is currently a GR to make it mandatory for upstream developers to make sure their packages run at least systemd plus something else.
Which is kind of a sour grapes reaction to the fact that systemd is pretty much an all-or-nothing proposal. Back in the day, I worked on a distro that was based on RedHat, but which used DJB's service management system in order to handle the status of a couple of particularly bedeviling services. It wasn't pretty, so I have sympathy both with sysadmins who don't want to see things change utterly, and with systemd devs who don't want to have to try to shim service management onto the existing pile of cruft.
People just used sysvinit because it was the default one....
They did not. They bitched and moaned and wrote their own alternatives.
... and nobody complained "but I want to replace sysvinit with xxxx and still have everything function easily".
They did, actually, if only implicitly. This is why none of the would-be replacements ever really took off. People do want any sysvinit replacement to be more or less transparent. And their expectation has yet to be met. You can argue the merits of systemd, you can claim that it's worth the pain, but you cannot with a straight face ignore a lot of history that led to the place we are today.
It's been tacitly understood that when introducing an incompatible system, you're swimming against a very strong tide. The refusal of both camps to achieve a workable compromise is a problem of mutually incompatible visions. The willingness of both sides to impute irrationality on the opposite camp without pausing to reflect on their own stance is a primary source of the continuing rancour.
Washington Dancers Sue To Prevent Identity Disclosure
First they came for the strippers...
Then they needed about half an hour to recover.
Then they came for the strippers again.
Berlin's Digital Exiles: Where Tech Activists Go To Escape the NSA
How times have changed...
Er, not so much. Berlin in the 1920s was an island of intellectual freedom and experimentation in all kinds of artistic, social and political philosophy before the corruption and incompetence of the Weimar regime brought everything crashing down.
In the 1970s, it was a haven for an entire generation of the European avant-garde. David Bowie's song Heroes is pretty much a story about two lost young lovers living in a besieged Berlin:
I can remember
standing by the wall
while guns shot above our heads
and we kissed as though nothing could fall.
It's no accident that the song is available in German as well as English.
You can go back even farther if you like. Similar to London's position as the maritime gateway to the Continent, Berlin's position at the crossroads between East and West, North and South in Europe has ensured that it's a popular mixing spot for political, social and artistic cultures.
Joey Hess Resigns From Debian
I think this whole thing would be a non-issue if you could swap out systemd with another system and still have everything function easily.
There were no complaints with sysvinit in the same regard. People just used sysvinit because it was the default one and nobody complained "but I want to replace sysvinit with xxxx and still have everything function easily".
It's pretty astounding, really, that you could feel so comfortable stating the exact opposite of the truth.
If you had actually paused long enough to RTFA, you would have found that people have been complaining about sysvinit - and writing their own supplements and drop-in alternatives - pretty much for as long as it's existed.
You've fallen exactly and precisely into the hole that the article warns systemd supporters are most likely to fall into.
I'm not suggesting this as evidence that systemd opponents are right. I am suggesting that systemd supporters, in spite of their protestations of open-mindedness and good intentions, are consistently, persistently wrong about the reasons why things are the way they are in the Linux world. They would never have invented and implemented systemd in the way they have if they weren't bull-headedly insistent on ignoring history.
... Which explains, of course, why you couldn't even be arsed to read the fucking article.
Joey Hess Resigns From Debian
IMO: the article is wrong. Many of the reasons that systemd is hated are technical. And those technical reasons have been expressed, and then ignored, many times.
I think you misunderstand. The technical arguments are real; of that there's no doubt. But the reason this particular issue could not be resolved entirely in the technical arena is because of the nature of the change. Poettering and his ilk are expressing a fundamentally different vision for Linux through the design and implementation of systemd. In its essence, systemd is kind of an anti-POSIX. It is premised on the primacy of Linux, it espouses a holistic (as opposed to piecemeal) approach, and while it's liberal about third party libs and utilities playing in its sandbox, it shits in everyone else's.
An example: If their version of libpam detects that it's NOT running in a systemd context, it does nothing and simply returns a success token, which is probably the least obnoxious thing to do, but which still could cause some significant issues, depending on the circumstances. The obvious alternatives of integrating more generic behaviour into the library, or using someone else's, just don't pass muster with Team SystemD, because that's pretty much the opposite of what they believe to be important.
So although the conflict is playing itself out tactically on the technical level, this really is a schism between two significantly different FOSS philosophies.
Joey Hess Resigns From Debian
BINGO. In spite of Joey being on the 'winning' side of the systemd debate, his resignation seems to be a direct reaction to the schism that systemd has driven into the linux community. As someone far brighter than me said:
the systemd debate is rarely a technical argument for either side, instead it is an ideological and cultural war waged by two opposing demographics that inhabit the same general sphere of Linux and FOSS. This isn’t about technical merits, it’s about politics.
Read the whole piece. It's one of the best round-ups of the state of the debate.
(And by 'debate', I mean 'debacle' of course.)
LibraryBox is an Open Source Server That Runs on Low-Cost Hardware (Video)
With that said, I am working to find interesting educational content, and have talked with Project RACHEL (http://rachel.worldpossible.org/) which works very well on a LibraryBox. I would love to be able to provide "content packs" of educational content for various levels and uses.
Interesting. We're evaluating RACHEL too.
But please do give some thought to performance. It's underrated as an issue.
Most people - even many of my colleagues - think that something, anything is better than nothing. And that's true, as far as it goes. Our immediate challenge is getting broadband internet to a part of the world that doesn't have any automation whatsoever, unless you count horses. It's quite remarkable the lengths they're willing to go to in order to see their children's lives improved. But it's equally interesting how people's attitudes change as ease of access improves.
Right now, there's one village where they need to climb a nearby mountain in order to get mobile coverage. There are phones in the village, but they're few in number and reserved for particular uses. There's almost a taboo built up around their use, and nobody is particularly proficient with them, nor is there much sophistication or even process optimisation in their use. The point is that children can't really get the most out of the material unless it's immediately available all the time. There's enough effort required in terms of language and technological process that even a small amount of additional inconvenience will be enough disincentive for the majority that uptake is no longer generalised.
Of course, that has to be balanced against being able to run the damn thing at all.
New Website Offers Provably Fair Solutions To Everyday Problems
But what if there are three people?
Then you vote on who cuts, and you can't vote for yourself. You clearly have never had a tabletop covered in dope in front of you.
Nor have I, of course, but I'm told that those who do, would do it that way.
First Experimental Demonstration of a Trapped Rainbow Using Silicon
Or use an Arduino. Toooootally fake.
Mos def. I mean, look at the shadows along the edges, and the borders between the colours. Moiré patterns all over the place! I use Photoshop professionally, and I'm telling you, it's photoshopped.
LibraryBox is an Open Source Server That Runs on Low-Cost Hardware (Video)
I see several posts on here that talk about how we've been able to do this for quite some time now. I can think of several other devices that do the same thing as what this guy made.
Yep, just like the Aptus Classroom Without Walls (sorry, PDF only - not my site) or any one of a dozen other attempts at this.
I am right at this moment putting together the ground work to deliver tablets and computers to some of the most remote areas in the developing world, and we've been looking very carefully at this kind of stuff. Right now, we're leaning heavily toward just reappropriating the software and using better hardware. The big problem with this kind of server-in-a-dongle is that, although it's possible to make a cute knick-knack with a tiny processor, it doesn't handle a class of 40 children (and more) well at all.
As far as this particular one is concerned: would it be too much to ask to see a listing of the content in this 'library'? I checked the site, and there's basically nothing.
The Great IT Hiring He-Said / She-Said
+10000 pre-whoosh points.
There's a point past which it ceases being a whoosh and becomes sonic boom.
(I was so like, 'FUUUUUCCKK YOOUU --- oh.')
Pirate Bay Founder Gottfrid Warg Faces Danish Jail Time
And you would be wrong about that. I'm a multi-millionaire who risked everything to create software programs that are used worldwide to make the car you drive better, the airplane you fly safer and make the heart pump that saves your lazy junk food eating ass safer.
I mean this in all sincerity: Good for you.
Those things happen only because I can protect my IP from the likes of you.
Let's be clear about this, though: When you say 'those things', you're referring to those specific things that you and your company did. Because there is a very large volume of life-changing —and life-saving— software that came about without any thought of recompense, and with very different ideas about copy-protection and ownership.
Without copyright protection, enforceable EULAs and copy protection/licensing software, I would never have created my products and all those products that impact your life would be more expensive.
I don't know why I spend my time trying to convince people like you that you are utterly, hopelessly wrong in your idea that it is OK to steal other people's work without compensating them the price they demand. I think it's because I have tons of spare time now that my wife and I spend our days travelling the world first class.
Again, in all sincerity: Good for you and your wife.
Having traveled in first class, I found it to be full of pampered, self-important twits with more money than sense, but hey, it wouldn't exist if there weren't a demand for it. I'll take business class myself, thanks.
So in summary, suck it bitch. I'm laughing all the way to the bank.
Ah, the famous 'I'm all right, Jack' defence. Astonishingly, this self-aggrandising approach to entitlement doesn't breed a lot of sympathy among those of us who have other considerations than ourselves. But that's okay. I've saved lives, you've saved lives —that's what counts. At the end of the day, the fact that the lives I saved were in the developing world and yours (probably mostly) weren't is not going to count for much when we're both rotting in the ground. The fact that I'm largely at peace with myself and don't get too exercised about what people do with the fruits of my labours is likely secondary as well. I daresay you're pretty content, too.
But there is this: My way of living and doing business is just as workable as yours, and my way doesn't serve only the rich. So fuck you, you self-satisfied, closed-minded, smug little shit. You think there's no other way but yours? You're wrong and I'm living proof.
Just reposting this here, because apparently Mr I'm All Right Jack has a problem with actual dialogue. In spite of my original comment being modded all the way to 5, he's used a bunch of sock-puppets to take it all the way back to -1, because 'Flamebait'. It seems we're supposed to remain civil when told to: 'Suck it, bitch.'
About once a month or so, I'm tempted to dump 25 bucks on Flickr to upgrade to a 'Pro' account, just so I can plop more than 200 photos into that particular bucket. I admit I've been on the cusp a couple of times.
But I never do. The plain fact is that Flickr is a terrible photo viewing interface.
A bright white background is possibly the worst neutral background they could have chosen. White washes out colours and destroys one of the things that I personally love best: subtle shading on very dark and earth-toned pictures. It's got to the point where a lot of self-respecting photographers actually have a 'View on Black' link, pointing to one of several services that do nothing other than render the very same photo with a dark background. The difference is stunning.
But Flickr, in its infinite marketing wisdom, would rather emulate Google's 'any colour as long as it's white' mantra. In Google's case, there's wisdom in the approach; they are a utility, like power or water, not a creative service. Flickr does not benefit in the least from an engineer's design sense, and it's high time someone told them that.
One Hundred's Spartan
When viewing photos in groups - or any aggregation, for that matter - one is usually presented with a hodge-podge of 100 pixel thumbnails. Viewing photo sets is even worse. The screen is filled with a patchwork quilt of arbitrarily cropped 75×75 pixel postage stamps. No, wait, I take that back. Postage stamps are larger.
I can't imagine a worse fate for any decent photo. To be reduced to a smudge of light among dozens or hundreds of others on a glaring white page. I'm not sure even Ansel Adams could survive that.
Of course, there are some photos that do just fine in such an environment. Too often, they're from the 'Ooh Shiny!' school of art. To everyone's credit, some genuinely lovely photos can be found, if you know where to look. But they're lovely in spite of Flickr, not because of it.
There are any number of technical arguments for crowding dozens of blots of colour together and calling them a collection, but none of them wash when it comes to aesthetics, or even usability, for that matter.
Flickr's groups are subject to the same AOL-ish devaluation that most large scale communities suffer from. The absolute preciousness of users who troll through other galleries, bestowing silly trophy and ribbon icons on pretty photos in a desperate attempt to burnish their collective karma by associating with only the best types... it's off-putting in a way that I'd rather not characterise in a public medium.
Let's just leave it at this: Any group of more than a few dozen people who are mostly unknown to one another can never merit the descriptor 'exclusive'.
Worst of all, Flickr is a vortex. It's a gravity well whose debris can be found throughout the Web, but which is entirely self-referential. Once you're in there, you don't come out. I've had over 14,000 visitors to my main photo stream, yet a mere 18 referrals from Flickr show up in my imagicity.com server logs. People who use Flickr don't go elsewhere.
Flickr, in other words, is good for Flickr. Any benefit that derives to individual photographers seems to be purely coincidental.
All of this isn't Flickr's fault, per se. The fault lies in our technical inability to render - and more importantly, to manage - images efficiently through a standard GUI, and to share them effectively.
It seems almost paradoxical. Digital technology has allowed revolutionary advances in photography. It has made possible one thing that I love more than any: the ability to draw with light rather than pigment. Sometimes when I'm engrossed in my work I find myself getting almost drunk on colour. There is nothing more rewarding than watching a well-built slide show wash the room with light and shape, to see human vision captured, distilled and transformed in the process.
It astounds me, therefore, how poorly most websites handle photos.
But this is the environment that Flickr has chosen. With few tools to effectively deal with social economies of scale, people are left to their own devices, so they crowd together (as people always do), creating cacophony where contemplation might once have been. Flickr has embraced (in the embarrassing cloying-college-drinking-buddy sense of the word) conventional wisdom with regards to UI, and have spent all their effort on the engineering challenge of handling photos in volume. They've tacked on a few trendy bloggy/webbish bits, like tagging with keywords and location data, but done nothing whatsoever to innovate how photos are viewed.
And that, it seems to me, should be the very essence of innovation where photography is concerned.
I won't demur for a moment if you counter that thumbnails are a necessary evil, that larding a page up with binaries slows down load times, that we're unfortunately bound by the lowest common denominator where display and download capacity are concerned. Nor will I argue if you express admiration for their ability to handle the data volumes that they do. Just storing and serving up 2 billion photos is a decidedly non-trivial task.
But let's be clear here: I expect more from Flickr. I judge them by a higher standard.
They want to set themselves apart? Then let them deal intelligently - dare I say it? creatively - with their popularity. The engineering challenge is interesting; I'll be the first to admit it. But dammitall, this is a photography site. It's for creative people. Is it too much to ask that they should actually take a little of their revenue and use it for basic research and innovation? Where's the research into lossless compression, peer-to-peer content distribution, point-and-click monitor calibration, optimal display environments, click-and-drag online image resizing? Where's the community for UI geeks?
How many of Flickr's 10-30 million monthly visitors have paid accounts there? My guess would be: Several. Surely some of that revenue could go into renewal, exploration and invention.
Perhaps it's no surprise that Flickr founders Caterina Fake and Stewart Butterfield left Yahoo! just as soon as they reasonably could. I don't doubt for a moment that they've thought a great deal more about these issues than I have. Perhaps they'll be the ones who manage to pull a rabbit or two out of their digital cap.
If they do, they'll get my money, too.
[Cross-posted from the Scriptorum.]
Sometimes you have to destroy the document in order to save it....
I give up. I can't support OpenOffice Write any more, and it's nobody's fault but their own. For anything more than simple tasks, the application is terrible. Their only saving grace is that Microsoft Office has its own brand of polished turd, named Word. Collectively, they are racing to the bottom of a decade-long decline in usability.
No, that's too generous. The thing is, they're at the bottom. They are useless for any but the most trivial tasks, and the most trivial tasks are better accomplished elsewhere, anyway.
Yes, I'm ranting. Let's put this into a proper context:
I hate word processors. For any but the simplest tasks, their interfaces are utterly ridiculous. I haven't liked a word processing interface since WordPerfect circa version 5, and if I had my own way, I'd author all my documents in either emacs or vi, depending on the circumstances.
Why do word processors suck so badly? Mostly, it's because of the WYSIWYG approach. What You See Is What You Get, besides being one of the most ghastly marketing acronyms to see the light of day in the digital era, is ultimately a lie. It was a lie back in the early 1990s when it first hit the mainstream, and it remains a lie today. The fact of the matter is that trying to do structuring, page layout and content creation at the same time is a mug's game. Even on a medium as well understood as paper, it's just too hard to control all the variables with the tools available and still have a comprehensible interface.
But the real sin that word processors are guilty of is not that they're trying to do WYSIWYG - okay it is that they're trying to do WYSIWYG, but the way they go about it makes it even worse. Rather than insisting that the user enter data, structure it and then lay it out, they cram everything into the same step, short-circuiting each of those tasks, and in some cases rendering them next to impossible to achieve.
Learning how to write, then structure, then format a document (or even just doing each through its own interface) is easier to learn and easier to accomplish than the all-in approach we use today. For whatever reason, though, we users are deemed incapable of creating a document without knowing what it's going to look like right now, and for our sins, that's what we've become. And so we are stuck with word processors that are terrible at structuring and page layout as well as being second-rate text authoring interfaces. They do nothing well, and many things poorly, in no small part because of the inherent complexity of trying to do three things at once.
It doesn't help that their technical implementation is poor. The Word document format is little better than a binary dump of memory at a particular moment in time. For our sins, OpenOffice is forced to work with that as well, in spite of having the much more parse-worthy ODF at its disposal these days.
There's no changing any of this, of course. The horse is miles away, and anyway the barn burned down in the previous millennium. The document format proxy war currently underway at the ISO is all the evidence I need to know that I'll be dealing with stupid stupid stupid formatting issues for years to come. I will continue to be unable to properly structure a document past about the 80th percentile, which is worse than not at all. I will continue to deal with visual formatting as my only means to infer context and structure, leaving me with very little capacity to do anything useful with the bloody things except to print them out and leave them on someone's desk.
Maybe I'll just stop using them at all. Maybe I'll just start doing everything on the web and never print again. I'm half serious about this, actually. At least on the Web, the idea that content and presentation are separate things isn't heresy. At least on the Web, I can archive, search, contextualise, comment, plan, structure and collaborate without having to wade through steaming piles of cruft all the time.
At least on the Web, I can choose which steaming piles I step into.
I'm going to start recommending people stop using Word as an authoring medium. There are far better, simpler tools for every task, and the word processor has been appropriate for exactly none of them for too long now. Sometimes you have to destroy the document in order to save it.
Trust Works All Ways
[Cross-posted from the Scriptorum.]
The Debian OpenSSL vulnerability apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it?
Over the weekend, I've been thinking about last week's disclosure concerning Debian's OpenSSL package, which in effect stated that all keys and certificates generated by this compromised code have been trivially crackable since late 2006.
There's a pretty good subjective analysis of the nature of the error on Ben Laurie's blog (thanks, Rich), and of course the Debian crew itself has done a fairly good job of writing up the issue.
The scope of this vulnerability is pretty wide, and the ease with which a weak key can be compromised is significant. Ubuntu packaged up a weak key detector script containing an 8MB data block which, I'm told, included every single possible key value that the Debian OpenSSL package could conceivably create.
The question that kept cropping up for me is: This one-line code change apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it? Numerous exploits on Microsoft Windows would have required far more scrutiny and creativity than this one. Given the rewards involved for 0-day exploits, especially in creating platforms for cross-site scripting attacks, why is it nobody bothered to exploit this?
My hypothesis - sorry, my speculation is this: People at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code. I should exclude from this list those who might have a reasonable motivation to exploit the vulnerability with stealth and to leave no traces. If, however, even they didn't notice the danger presented by this tiny but fundamental change in the code base, well my point becomes stronger.
The change itself was small, but not really obscure. It was located, after all, in the function that feeds random data into the encryption process. As Ben Laurie states in his blog, if any of the OpenSSL members had actually looked at the final patch, they would almost certainly have noticed immediately that it was non-optimal.
In all this time, apparently, nobody using Debian's OpenSSL package has actually (or adequately) tested to see whether the Debian flavour of OpenSSL was as strong as it was supposed to be. That level of trust is nothing short of astounding. If in fact malware authors were guilty of investing the same trust in the software, then I'd venture to state that there's a fundamental lesson to be learned here about human nature, and learning that lesson benefits the attacker far more than the defender:
Probe the most trusted processes first, because if you find vulnerabilities, they will yield the greatest results for the least effort.
P.S. Offhand, there's one circumstance that I think could undermine the credibility of this speculation, and that's if there's any link between this report of an attack that compromised not less than 10,000 servers and the recent discovery of the Debian OpenSSL vulnerability.
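As an added illustration (not code from the post, from Debian or from Ubuntu), the following Python toy models the situation described above: a key generator whose only entropy is a small seed, so its entire output set can be enumerated into a fingerprint blocklist of the kind the Ubuntu weak key detector script shipped, and a scan that flags keys from such a generator. The 15-bit seed space, the hash-based toy generator and all names are assumptions of this example.

```python
"""Toy model of an under-seeded key generator and a weak-key blocklist detector.

Constructed example: the "weak" generator's only entropy is a small seed (a
stand-in for a process id), so every key it can ever emit can be enumerated
and fingerprinted in advance. A correctly seeded generator has no such
enumerable output set, which is the contrast the detector relies on.
"""
import hashlib
import secrets

# Assumption for the toy model: the seed is a 15-bit value, so the weak
# generator can only ever produce 2**15 distinct keys.
SEED_SPACE = 2 ** 15
KEY_BYTES = 32


def weak_keygen(seed: int) -> bytes:
    """Derive a key deterministically from the seed alone.

    This models the broken behaviour: the random-data feed mixes in nothing
    an observer cannot enumerate, so the key is a pure function of the seed.
    """
    material = b"toy-weak-keygen" + seed.to_bytes(4, "big")
    return hashlib.sha256(material).digest()[:KEY_BYTES]


def strong_keygen() -> bytes:
    """Generate a key from the OS CSPRNG (the correct behaviour, for contrast)."""
    return secrets.token_bytes(KEY_BYTES)


def fingerprint(key: bytes) -> str:
    """Short fingerprint used to index the blocklist, as a detector would store."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_blocklist(seed_space: int = SEED_SPACE) -> frozenset:
    """Enumerate every key the weak generator can produce and fingerprint it.

    That this finishes at all is the whole problem: the output set is small
    enough to precompute, so a blocklist covers every possible weak key.
    """
    return frozenset(fingerprint(weak_keygen(s)) for s in range(seed_space))


def is_weak(key: bytes, blocklist: frozenset) -> bool:
    """Return True if the key is one the weak generator could have produced."""
    return fingerprint(key) in blocklist


def scan_inventory(keys: dict, blocklist: frozenset) -> list:
    """Report which entries of a name -> key inventory must be regenerated."""
    return sorted(name for name, key in keys.items() if is_weak(key, blocklist))


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Constructed inventory: two keys from the broken generator, one good one.
    inventory = {
        "host-a": weak_keygen(4242),
        "host-b": weak_keygen(31337),
        "host-c": strong_keygen(),
    }
    print(f"distinct weak keys possible: {len(blocklist)}")
    print("keys to replace:", scan_inventory(inventory, blocklist))
```

The blocklist here is only a few hundred kilobytes because the toy fingerprints are short and the seed space is 2**15; the same precompute-and-compare approach is what makes a detector feasible for any generator whose seed space is enumerable.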