After Apple's "goto fail", GNU TLS library has similar bug



  • @morbiuswilters said:

    Why, Go is the most secure platform out there right now, assuming no one starts using it!
    You forget Rust, which is doubly secure because: 1) no one uses it; b) any potential exploit will be incompatible between one version and the next.



  • @Zecc said:

    @morbiuswilters said:

    Why, Go is the most secure platform out there right now, assuming no one starts using it!
    You forget Rust, which is doubly secure because: 1) no one uses it; b) any potential exploit will be incompatible between one version and the next.

    And 3) Its status might be in question after the rise and fall of the Nerd Eich by the Gaystapo's fabulously-manicured hands. I mean, at this point it sounds like the only tech skills left at Mozilla are "giving hotshots" and "tying cherry stems into bows with your tongue". On the bright side, that means they won't be able to make Firefox any worse.



  • @morbiuswilters said:

    On the bright side, that means they won't be able to make Firefox any worse.

    I wouldn't bet your next paycheck on that one.

    @morbiuswilters said:

    Filed under: If Mozilla is staffed entirely by queers then why does Firefox look like shit?

    Actually, the new Assholius version of Firefox looks exactly what I would expect from a company full of queers. All "hip design" and no actual functionality.



  • @El_Heffe said:

    @morbiuswilters said:

    On the bright side, that means they won't be able to make Firefox any worse.

    I wouldn't bet your next paycheck on that one.

    At Mozilla failure springs eternal, eh?



  • @morbiuswilters said:

    @El_Heffe said:

    @morbiuswilters said:

    On the bright side, that means they won't be able to make Firefox any worse.

    I wouldn't bet your next paycheck on that one.

    At Mozilla failure springs eternal, eh?

    That's the difference between the cathedral and the bazaar. In the bazaar, because you have many eyes on the code, you're guaranteed that at least one set is horribly cross-eyed and color blind.



  • @bstorer said:

    In the bazaar, because you have many eyes on the code, you're guaranteed that at least one set is horribly cross-eyed and color blind.




    I will say one nice thing about FOSS: at least you don't have to pay to find out if it's awful. Hell, you don't even have to try it to find out if it's awful!





  • @The_Assimilator said:

    Apparently this bug colossal fuckup has been there since 2005. Which is nearly a decade. GOGO LINUX SECURITY, how's that "many eyes" thing working out for you?

    And in latest news, we now have the Heartbleed bug in OpenSSL for the last two years. Those many eyes must be getting pretty bloodshot by now.


    Makes me glad our infrastructure is on windows :)



  • @heterodox said:

    So this has been a fun morning for me so far.

    Bah, that'll teach me not to just skim the thread.



  • @Quinnum said:

    Makes me glad our infrastructure is on windows :)
    Quite so; it's completely obvious that code with fewer scrutinizing eyes could not possibly be hiding security-critical bugs as stupid as these. If it's obscure, it's quite clearly secure. And it's not as if Windows is a large target.



  • @flabdablet said:

    @Quinnum said:
    Makes me glad our infrastructure is on windows :)
    Quite so; it's completely obvious that code with fewer scrutinizing eyes could not possibly be hiding security-critical bugs as stupid as these. If it's obscure, it's quite clearly secure. And it's not as if Windows is a large target.

    I understand your point, but I don't remember any Windows Server vulnerabilities (that are remotely exploitable) being quite so mind-bendingly fucked up and critical as this in at least the last 10 years.


    Most of the Windows vulns tend to be between the keyboard and chair.



  • @flabdablet said:

    @Quinnum said:
    Makes me glad our infrastructure is on windows :)
    Quite so; it's completely obvious that code with fewer scrutinizing eyes could not possibly be hiding security-critical bugs as stupid as these. If it's obscure, it's quite clearly secure. And it's not as if Windows is a large target.

    The flipside is most of those eyes on FOSS code are only thinking one thing: making the snottiest, most passive-aggressive mailing list posting possible which triggers a huge flamewar resulting in them getting to rewrite half the project as if it were their plaything*. At least the Windows people are being paid to do a good job and genuinely want to because they have families to go home to and don't want to spend their weekends recompiling.

    Another way to put it might be that Microsoft builds software whereas FOSS builds software projects. The distinction might be a bit subtle, but you're a smart bloke and I'm sure you get what I'm saying even if you do not agree.


    (*Except for Eric S. Raymond, who probably spends most of his time wondering if Lasik is finally cheap enough for him to fix his goddamn eyes. And Stallman, who I have on good authority only ever thinks about junk food.)



  • @morbiuswilters said:

    @flabdablet said:
    @Quinnum said:
    Makes me glad our infrastructure is on windows :)
    Quite so; it's completely obvious that code with fewer scrutinizing eyes could not possibly be hiding security-critical bugs as stupid as these. If it's obscure, it's quite clearly secure. And it's not as if Windows is a large target.

    The flipside is most of those eyes on FOSS code are only thinking one thing: making the snottiest, most passive-aggressive mailing list posting possible which triggers a huge flamewar resulting in them getting to rewrite half the project as if it were their plaything*. At least the Windows people are being paid to do a good job and genuinely want to because they have families to go home to and don't want to spend their weekends recompiling.

    The truth is that the number of "scrutinizing eyes" is more or less the same, regardless of whether something is open or closed source. The only people spending any meaningful amount of time scrutinizing any source code, open or closed, are those people who are approved to submit patches.




  • Windows is a large target. But it's developed by a company that has their shit together-- static analysis, code reviews, using an IDE that underlines unreachable code, unit tests, the works. They do everything right, every time. That's not to say their process is problem-free, obviously. But it's telling that people haven't had any major criticism, security-wise, in years.

    Note that any ONE of those things listed* would have saved Apple from major embarrassment. Meaning: Apple is doing NONE of those well-known and long-established process improvements for their most security critical code. ZERO of them.

    *) With the possible exception of unit testing



  • @blakeyrat said:

    *) With the possible exception of unit testing
    And code reviews with reviewers just as blind.



  • @morbiuswilters said:

    And Stallman, who I have on good authority only ever thinks about junk food.
    There was some creepy-looking guy walking through our parking lot this morning. I caught a glimpse of him, and my first thought was, "He looks like Stallman." He couldn't have been RMS, though; he was too well-dressed.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    Note that any ONE of those things listed* would have saved Apple from major embarrassment. Meaning: Apple is doing NONE of those well-known and long-established process improvements for their most security critical code. ZERO of them.

    *) With the possible exception of unit testing

    Unit testing only really helps if you also do test coverage analysis. Writing a test suite to cover every damn failure mode can be very annoying (and isn't a replacement for a QA department) but it highlights all sorts of screwups and greatly improves code quality.
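As an added example (not code from this thread, and not Apple's code; the real function is SSLVerifySignedServerKeyExchange in Secure Transport), here is a constructed C model of the control-flow shape behind "goto fail", next to the braced form that blakeyrat's unreachable-code check and dkf's coverage analysis would both catch. The hashing steps and the signature check are stand-ins (`hash_update`, `verify_signature`, the `trace_t` record and the `sig_valid` flag are all assumptions for illustration) that only record which steps ran, so the effect of the stray line can be observed directly.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the "goto fail" control-flow bug; not Apple's code.
 * The hashing steps and signature check are stand-ins that only record
 * which steps ran, so the effect of the stray line can be observed. */

enum { STEP_CLIENT_RANDOM = 1, STEP_SERVER_RANDOM = 2, STEP_SIGNED_PARAMS = 4 };

typedef struct {
    int steps_run;          /* bitmask of the hashing steps that executed */
    int signature_checked;  /* 1 if verify_signature() was ever reached */
} trace_t;

static int hash_update(trace_t *t, int step)
{
    t->steps_run |= step;
    return 0;               /* success, like the hash update calls in the real function */
}

/* Stand-in for signature verification: sig_valid is a constructed input
 * (1 = pretend the server's signature is good), not a real signature. */
static int verify_signature(trace_t *t, int sig_valid)
{
    t->signature_checked = 1;
    return sig_valid ? 0 : -1;
}

/* Buggy shape: the second `goto fail;` is unconditional because the `if`
 * has no braces.  It jumps to fail with err still 0 from the last successful
 * hash_update, so the function reports success without checking anything.
 * clang -Wunreachable-code warns on the lines after it; a gcov run shows
 * them with zero executions. */
int verify_buggy(trace_t *t, int sig_valid)
{
    int err;
    memset(t, 0, sizeof *t);
    if ((err = hash_update(t, STEP_CLIENT_RANDOM)) != 0)
        goto fail;
    if ((err = hash_update(t, STEP_SERVER_RANDOM)) != 0)
        goto fail;
        goto fail;          /* the duplicated line */
    if ((err = hash_update(t, STEP_SIGNED_PARAMS)) != 0)
        goto fail;
    err = verify_signature(t, sig_valid);
fail:
    return err;
}

/* Fixed shape: braces on every `if`, so a duplicated line can only land
 * inside a conditional block and the signature check is always reached. */
int verify_fixed(trace_t *t, int sig_valid)
{
    int err;
    memset(t, 0, sizeof *t);
    if ((err = hash_update(t, STEP_CLIENT_RANDOM)) != 0) {
        goto fail;
    }
    if ((err = hash_update(t, STEP_SERVER_RANDOM)) != 0) {
        goto fail;
    }
    if ((err = hash_update(t, STEP_SIGNED_PARAMS)) != 0) {
        goto fail;
    }
    err = verify_signature(t, sig_valid);
fail:
    return err;
}

int main(void)
{
    trace_t t;
    int err = verify_buggy(&t, 0);
    printf("buggy, bad signature: err=%d signature_checked=%d steps=0x%x\n",
           err, t.signature_checked, t.steps_run);
    err = verify_fixed(&t, 0);
    printf("fixed, bad signature: err=%d signature_checked=%d steps=0x%x\n",
           err, t.signature_checked, t.steps_run);
    return 0;
}
```

With an invalid signature the buggy version returns 0 (success) and never reaches `verify_signature`, which is the whole bug: the caller sees a passing check that never ran. Compiling with `clang -Wunreachable-code` flags the dead `if` after the stray `goto`, and a coverage run over even a single test input shows the last hashing step and the signature check at zero hits, which is the point dkf makes about coverage analysis being what makes the test suite useful here.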



  • @blakeyrat said:

    But it's developed by a company that has their shit together-- static analysis, code reviews, using an IDE that underlines unreachable code, unit tests, the works.

    I love that we're at the point where that's "having your shit together", and yet so many projects actually fail it.

    Oh, and don't forget a real debugging tool that actually gets used. Considering that every new flash-in-the-pan FOSS toy language comes out without debugging (if it's ever added at all) is soul-crushing.



  • @morbiuswilters said:

    I love that we're at the point where that's "having your shit together", and yet so many projects actually fail it.

    I assume Apple's own IDE does underline unreachable code, right? Which means the guy they had working on this shit was cowboy-coding in Vim or Emacs or whatever shitty piece of open source bullshit he had installed, and his boss was perfectly ok with that. And it never occurred to him, "hey this code is pretty important, maybe I should have someone look it over before committing it..."

    Basically, it's shocking to me the SHEER AMOUNT OF SHIT THAT HE DID WRONG. How is it even possible to do EVERYTHING WRONG and yet still hold a full-time job at a major software company? Then, because it's Apple, the tech press completely glosses the whole thing and a week later it's practically forgotten. What the fuck?

    I know I'm obsessing over the "goto fail;" thing; it's because it's fucking AMAZING to me. Everything about it.


  • Discourse touched me in a no-no place

    @morbiuswilters said:

    Oh, and don't forget a real debugging tool that actually gets used. Considering that every new flash-in-the-pan FOSS toy language comes out without debugging (if it's ever added at all) is soul-crushing.
    Which do you want: get to use the code now or wait until every last tool that can be thought of on top of it is available? Or somewhere in-between?

    Different people have different answers to that particular conundrum: some love being on the bleeding edge, and others are ultra-conservative. I guess it's something of a marker of personality differences.



  • @blakeyrat said:

    @morbiuswilters said:
    I love that we're at the point where that's "having your shit together", and yet so many projects actually fail it.

    I assume Apple's own IDE does underline unreachable code, right? Which means the guy they had working on this shit was cowboy-coding in Vim or Emacs or whatever shitty piece of open source bullshit he had installed, and his boss was perfectly ok with that. And it never occurred to him, "hey this code is pretty important, maybe I should have someone look it over before committing it..."

    Basically, it's shocking to me the SHEER AMOUNT OF SHIT THAT HE DID WRONG. How is it even possible to do EVERYTHING WRONG and yet still hold a full-time job at a major software company? Then, because it's Apple, the tech press completely glosses the whole thing and a week later it's practically forgotten. What the fuck?

    I know I'm obsessing over the "goto fail;" thing; it's because it's fucking AMAZING to me. Everything about it.

    It probably didn't matter what IDE was used, as the code was probably not seen in that final state; it looks to me like a bad merge. Which is, of course, just as bad: they didn't review the merged code...



  • @dkf said:

    Different people have different answers to that particular conundrum: some love being on the bleeding edge, and others are ultra-conservative.

    What you're describing as "bleeding edge" is the featureset of Microsoft Basic 1.0 for Mac, circa 1984. Most of the idiots, by far, hacking away at Ruby (which doesn't have 1984-level tools) are younger than that.



  • @dkf said:

    Which do you want: get to use the code now or wait until every last tool that can be thought of on top of it is available?

    That's not "every last tool that can be thought of". A language without a debugger is not a language, it's a joke. How is it that we can even be having this discussion? In what industry would that be acceptable? "Do you want a bridge that you can drive on now, or one that's not made of popsicle sticks? Personally I'm just gonna strap on a bicycle helmet and make motorcycle noises as I plunge to my death!"



  • @blakeyrat said:

    Most of the idiots, by far, hacking away at Ruby (which doesn't have 1984-level tools) are younger than that.

    To be fair, Ruby doesn't really need a debugger. It runs slow enough you can whip out a magnifying glass and watch the transistors switching.



  • @morbiuswilters said:

    It runs slow enough you can whip out a magnifying glass and watch the transistors switching.

    When real programmers set a breakpoint, they use a scanning-tunneling microscope to move the transistor's atoms.



  • @morbiuswilters said:

    @blakeyrat said:
    Most of the idiots, by far, hacking away at Ruby (which doesn't have 1984-level tools) are younger than that.

    To be fair, Ruby doesn't really need a debugger. It runs slow enough you can whip out a magnifying glass and watch the transistors switching.

    Not any more. Since the move to YARV, you can't keep up with individual transistors. Instead, you just glance at the program counter now and then to see whether it has changed yet. I recommend videotaping the program's run, and playing it back at 6X FF using SSDS.



  • @morbiuswilters said:

    @El_Heffe said:

    @morbiuswilters said:

    On the bright side, that means they won't be able to make Firefox any worse.

    I wouldn't bet your next paycheck on that one.

    At Mozilla failure springs eternal, eh?

    They found the spring of eternal youth, except it turned out to be the spring of eternal failure. But they still wired it up to their building's water supply.



  • @The_Assimilator said:

    But they still wired it up to their building's water supply.
    Jeez, they can't even do basic plumbing correctly.



  • @bstorer said:

    @The_Assimilator said:
    But they still wired it up to their building's water supply.
    Jeez, they can't even do basic plumbing correctly.

    Maybe it's a saltwater fountain and they're using it to power some kind of ionic battery.


  • Considered Harmful

    @bstorer said:

    @The_Assimilator said:
    But they still wired it up to their building's water supply.
    Jeez, they can't even do basic plumbing correctly.

    Maybe it was this building:

    Rosie O'Donnell


  • @joe.edwards said:

    @bstorer said:
    @The_Assimilator said:
    But they still wired it up to their building's water supply.
    Jeez, they can't even do basic plumbing correctly.

    Maybe it was this building:

    Rosie O'Donnell

    I have no idea what I'm looking at. Somebody should probably tell that guy that complex visual jokes don't work when you have the drawing skills of a retarded 3 year-old addicted to Ritalin.



  • @morbiuswilters said:

    @joe.edwards said:
    @bstorer said:
    @The_Assimilator said:
    But they still wired it up to their building's water supply.
    Jeez, they can't even do basic plumbing correctly.

    Maybe it was this building:

    Rosie O'Donnell

    I have no idea what I'm looking at. Somebody should probably tell that guy that complex visual jokes don't work when you have the drawing skills of a retarded 3 year-old addicted to Ritalin.

    Actually, that's a photo of Rosie O'Donnell



  • @morbiuswilters said:

    @joe.edwards said:
    @bstorer said:
    @The_Assimilator said:
    But they still wired it up to their building's water supply.
    Jeez, they can't even do basic plumbing correctly.

    Maybe it was this building:

    Rosie O'Donnell

    I have no idea what I'm looking at. Somebody should probably tell that guy that complex visual jokes don't work when you have the drawing skills of a retarded 3 year-old addicted to Ritalin.



    tldr; Silicon Valley hipsters are crazy.




  • @morbiuswilters said:

    @bstorer said:
    @The_Assimilator said:
    But they still wired it up to their building's water supply.
    Jeez, they can't even do basic plumbing correctly.

    Maybe it's a saltwater fountain and they're using it to power some kind of ionic battery.

    Could be, but they're about 3 miles, or so, from the Bay. That's a long way to pump the saltwater just to power a battery, and that's assuming they could run the pipe through (or under) Moffett Federal Airfield; it's even farther if they have to go around it.


  • Considered Harmful

    @morbiuswilters said:

    I have no idea what I'm looking at. Somebody should probably tell that guy that complex visual jokes don't work when you have the drawing skills of a retarded 3 year-old addicted to Ritalin.

    He's got soup coming from what appears to be a power outlet. I posted this as a response to someone saying that they had "wired it up to their building's water supply."



  • @HardwareGeek said:

    @morbiuswilters said:
    @bstorer said:
    @The_Assimilator said:
    But they still wired it up to their building's water supply.
    Jeez, they can't even do basic plumbing correctly.

    Maybe it's a saltwater fountain and they're using it to power some kind of ionic battery.

    Could be, but they're about 3 miles, or so, from the Bay. That's a long way to pump the saltwater just to power a battery, and that's assuming they could run the pipe through (or under) Moffett Federal Airfield; it's even farther if they have to go around it.

    It's a naturally-occurring fountain so maybe it's a saltwater spring.



  • @joe.edwards said:

    He's got soup coming from what appears to be a power outlet.

    Um.. what?

    Jesus Christ why can't that guy get HIV already..



  • @joe.edwards said:

    @morbiuswilters said:
    I have no idea what I'm looking at. Somebody should probably tell that guy that complex visual jokes don't work when you have the drawing skills of a retarded 3 year-old addicted to Ritalin.
    He's got soup coming from what appears to be a power outlet.
    My first thought was that he was using the bare wires of a power cord to heat his soup (the "fssh" sound being an electrical arc). After looking at it a couple more times, I reached the conclusion you stated.


  • :belt_onion:

    @morbiuswilters said:

    Jesus Christ why can't that guy get HIV already..

    Really, morbs?



  • @heterodox said:

    @morbiuswilters said:

    Jesus Christ why can't that guy get HIV already..

    Really, morbs?

    Hey, HIV is totally treatable now and people live full lives yada yada.

    Heck, he could even find another HIV-positive web cartoonist and they could have kids.



  • @joe.edwards said:

    @bstorer said:
    @The_Assimilator said:
    But they still wired it up to their building's water supply.
    Jeez, they can't even do basic plumbing correctly.

    Maybe it was this building:

    Rosie O'Donnell

    Fuck xkcd. As always, I present a superior comic.



  •  @bstorer said:

    pbfcomics.com
    That guy doesn't update frequently enough.



  • @Zecc said:

     @bstorer said:

    pbfcomics.com
    That guy doesn't update frequently enough.

    • Quality
    • Frequent updates
    • A string trimmer to the groin

    Pick two.



  • @bstorer said:

    The funny thing is, I think we all agree they made the right choice.



  • @morbiuswilters said:

    • Quality
    • Frequent updates
    • A string trimmer to the groin

    Pick two.

    Is the string trimmer implemented using regular expressions? I hate that.




  • @Zecc said:

    @morbiuswilters said:

    • Quality
    • Frequent updates
    • A string trimmer to the groin

    Pick two.

    Is the string trimmer implemented using regular expressions? I hate that.

    No, it's implemented using rusty barbed wire and a lemon juice bath.


  • Discourse touched me in a no-no place

    @morbiuswilters said:

    No, it's implemented using rusty barbed wire and a lemon juice bath.
    Nothing to worry about then. (I was concerned that it might've been using transitive inference in OWL/RDF, but torture and self-mutilation are much better.)



  • @dkf said:

    OWL/RDF
    [Trigger warning].


  • Trolleybus Mechanic

    @morbiuswilters said:

    Maybe it's a saltwater fountain and they're using it to power some kind of ionic battery.

    Maybe it's a saltwater drinking fountain and they're using it to power some kind of ironic battery.



  • @Lorne Kates said:

    @morbiuswilters said:

    Maybe it's a saltwater fountain and they're using it to power some kind of ionic battery.

    Maybe it's a saltwater drinking fountain and they're using it to power some kind of ironic battery.


