So... about that Heartbleed


  • ♿ (Parody)

    @flabdablet said:

    Again, you're using a deliberately misleading line of reasoning here.

    The rest of your argument is reasonable, but lacking in graphic metaphors and hyperbolic rhetoric. For instance:

    @flabdablet said:

    I suggest you give up the hookers and crack for a while and move somewhere that doesn't suck.

    Too vanilla. This would be better received by the likes of morbiuswilters:

    @flabdablet said:

    I suggest you give up the hookers stop fellating the underaged transsexual Thais in your basement and crackbath salts dissolved in butane for a while and move somewhere that doesn't suck.

    Readers are encouraged to provide their own suggestions.



  • @flabdablet said:

    ... especially as compared with expensive and inconveniently licensed commercial software....If you truly do live in a world where the only way to obtain value is to pay for it....

    I have always found this interesting.... Few who espouse such a view have really thought out the ramifications. The vast majority of people who contribute to FOSS (and other volunteer efforts) also work in a paying job in the same (or similar) field. If the "expensive and inconveniently licensed commercial software" did not exist, then these people would (statistically) not be in a position to make the contributions....

    FOSS (and related) is a viable and valuable part of the ecosystem, but there is no way (given real world constraints) that it could ever be the ONLY way.

     



  • @flabdablet said:

    The fact that they are not also looking after the interests of every freeloader who doesn't want to pay for a FIPS-compliant TLS stack is neither here nor there.

    If they don't like (in your words) "freeloaders", why would they choose a software license which enables "freeloading"?

    I've seen your same line of reasoning on Slashdot before, people griping about companies using FOSS and not "giving back", and I just sit there thinking: "duh! Isn't that the ENTIRE POINT?" That's like a 7-11 having a "give a penny, take a penny" tray, then getting pissed off when people take a penny out of it. (Except the penny is more useful than most FOSS software, ziing!)

    @flabdablet said:

    then you lump that in with more completely unsubstantiated claims about FOSS being typically deficient in accessibility and cross-platform support. All of which runs so completely contrary to my own experience with using FOSS, especially as compared with expensive and inconveniently licensed commercial software, as to be laughable.

    FOSS programming tools usually break on Windows if you install them in the correct location, because "Program Files" has a space in the name. I find this both shocking and amusing because the OS these tools were built on allows spaces in folder names. So either these tools are completely busted on their native OS (most likely), or the "port" to Windows somehow introduced a devastating regression they haven't fixed in years.



  • @morbiuswilters said:

    @derari said:
    Good thing commercial products are never crap that doesn't meet requirements.

    I never said that. Did you people all fail Logic 101? I said that FOSS delivers shittier products than commercial, not that commercial is flawless. Fuck you people are dumb sometimes.

    I know you didn't say that. You didn't say the other thing, either. Which is a good thing, because it would be wrong often enough.

     

    @derari said:

    I have never used a FOSS product that didn't meet my requirements (at least not longer than I would try a commercial product before buying it). Then again, I don't have a multi-billion company to secure. I like "you get what you pay for" when, most of the times, I don't need much.

    Yeah, checking your mail with mutt is the sweet life. Why can't everyone else Get It?

    Picking on one software that sucks and concluding that all FOSS projects suck is a fallacy. Did you people all fail Logic 101? Fuck you people are dumb sometimes.


    @derari said:

    Imagine the same bug in a closed-source SSL library, because there will be similar bugs in any SSL library. You'd have no way to 1) get an independent code audit, 2) be sure that critical security flaws will be made public instead of being fixed silently, and 3) see that such flaws get fixed at all.

    This is another oft-repeated lie. Did "having more eyes on the source" help here? Do you really think SChannel is as fucked-up as this is? You FOSStards are such pathetic little jackwads.

     

    I don't think SChannel has the same amount of deprecated code, because they probably never made the effort to support that many older platforms. Want something easy and "profitable" to make? They will sell you 50 rip-offs of the same mediocre project. Need something that's a PITA to implement and requires lots of testing and validation? Need something that requires work that can't be done in vim? The quick-cash community could not care less. That's why commercial software is consigned to re-inventing the cash-cow wheel over and over again. Want proof? http://en.wikipedia.org/wiki/List_of_ERP_software_packages or http://en.wikipedia.org/wiki/List_of_project_management_software (sort by license) (Also notice that of the FOSS products, many are effectively owned and developed by a single company and just happen to have their code published)

    Aside from that, yes I think that SChannel has severe security bugs. Feel free to prove me wrong.



  • @blakeyrat said:

    FOSS programming tools usually break on Windows if you install them in the correct location, because "Program Files" has a space in the name.

    What, like this well-known shitty FOSS tool?

    @blakeyrat said:
    I find this both shocking and amusing because the OS these tools were built on allows spaces in folder names. So either these tools are completely busted on their native OS (most likely), or the "port" to Windows somehow introduced a devastating regression they haven't fixed in years.

    You're a complete fucking cargo-cult coder Blakey. If a FOSS tool receives a path with a space in it as an argv entry and passes it to fopen(), nothing goes wrong. Of course, shitty user scripts that don't quote the args they pass to tools correctly exist, just like shitty .bat files that don't quote their args correctly also exist, but that's not the fault of the tools. You are spouting some half-remembered mish-mash of unrelated facts and pointing the finger in the wrong direction when it's really just a PEBKAC/GIGO issue. You're probably also thinking of the CreateProcess guess-where-the-spaces-go dance as a good thing, rather than the stupid attempt to second-guess the user's intentions that leads to shit like the "C:\Program.exe" vulnerability that it actually is.

    In short, your complaint reflects only your incompetence, and not the supposed flaw with FOSS that you imagine it to show.



  • @derari said:

    Aside from that, yes I think that SChannel has severe security bugs. Feel free to prove me wrong.

    Of course, Blakey can't be expected to prove a negative here (particularly without access to the source for auditing purposes!), but if past experience is anything to go by, it's fairly likely that SChannel has bugs. Let's just refresh our memories:

    Quoted from https://msisac.cisecurity.org/advisories/2010/2010-057.cfm:

    A vulnerability has been discovered in Microsoft SChannel which could allow an attacker to take complete control of a vulnerable system. Microsoft SChannel, or Secure Channel, implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. SSL and TLS are commonly used to implement secure communications for web browsing and other network services. Exploitation may occur if a user visits a web page which is specifically crafted to take advantage of this vulnerability. If successfully exploited, the attacker could gain SYSTEM level privileges and install programs, view, change, or delete data, or create new accounts with full user rights. Unsuccessful attempts to exploit this vulnerability will likely result in a denial-of-service condition.

    Quoted from http://blogs.technet.com/b/srd/archive/2009/03/10/assessing-the-risk-of-the-schannel-dll-vulnerability-ms09-007.aspx:

    MS09-007 resolves an issue in which an attacker may be able to log onto an SSL protected server which is configured to use certificate based client authentication with only the public key component of a certificate, not the associated private key.

    Quoted from http://www.symantec.com/security_response/vulnerability.jsp?bid=24416:

    The Microsoft Windows Schannel security package is prone to a remote code-execution vulnerability. This vulnerability occurs when processing and validating server-sent digital signatures by the client application. A remote attacker could exploit this issue by convincing a victim to visit a malicious website. Remote code execution is possible, but may be extremely difficult. In most cases, denial-of-service conditions will occur.

    Quoted from http://cvedetails.com/cve/2010-3229:

    The Secure Channel (aka SChannel) security package in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when IIS 7.x is used, does not properly process client certificates during SSL and TLS handshakes, which allows remote attackers to cause a denial of service (LSASS outage and reboot) via a crafted packet, aka "TLSv1 Denial of Service Vulnerability."

    There you go. Remote privileged code execution, authentication bypass and DoS conditions.

    Of course, Blakey won't point to these as proof that all proprietary software is bug-ridden shit, because his arguments are not based on logic, but on inconsistent emotional knee-jerk responses prompted by his arbitrary and irrational hatred of FOSS.



  • @DaveK said:

    Of course, Blakey can't be expected to prove a negative here (particularly without access to the source for auditing purposes!), but if past experience is anything to go by, it's fairly likely that SChannel has bugs.

    I didn't say anything about SChannel in this thread, what the fuck are you talking about? Jesus, you people need pills.



  • I bet DaveK is one of those guys who thinks it's okay for Obama to be a bad president because Bush was a bad president.


  • Considered Harmful

    @mott555 said:

    I bet DaveK is one of those guys who thinks it's okay for Obama to be a bad president because Bush was a bad president.

    Hey, Bush was a bad president before it was cool.

    Edit: thanks for the new avatar, mott555!



  • @DaveK said:

    What, like this well-known shitty FOSS tool?

    Har har. Or do you think I'm actually so fucking stupid that I don't know the difference between "supports spaces if you quote the path" and "doesn't support spaces"?

    Try this little experiment: install MongoDB on Windows in Program Files (where it belongs-- the installer defaults to C:\mongo, without even bothering to check whether C: is a valid drive letter). Seems to work fine, right? Now configure it to run as a Windows Service. Service won't start? Hm! Oh lookee there, it put a broken path in the registry because the morons who write Mongo forgot to quote it. And apparently they never bothered to actually QA the code either, because Jesus how easy is THIS bug to find?

    That's one of a billion "open source development tools don't support spaces in paths" bugs I've found. But here's my question: what if you're on Linux, and install Mongo to a folder named like, I dunno, "/bin/mongodb runtime/", and then try to install it as a Ubuntu Service... do you get the same bug? or phrased differently, is this bug due to the guy who ported it to Windows being an idiot, or is this a bug in Mongo in all environments?

    Either way, it doesn't really reflect well on the open source development process, does it?

    @DaveK said:

    If a FOSS tool receives a path with a space in it as an argv entry and passes it to fopen(), nothing goes wrong.

    From my experience they don't even get that far, because the space in Program Files fucks them up at install-time before you even get a chance to run the thing. Mongo's the exception to the rule there.

    @DaveK said:

    Of course, shitty user scripts that don't quote the args they pass to tools correctly exist, just like shitty .bat files that don't quote their args correctly also exist, but that's not the fault of the tools.

    If they're shipped with the tool, then yes it is.

    @DaveK said:

    You are spouting some half-remembered mish-mash of unrelated facts and pointing the finger in the wrong direction when it's really just a PEBKAC/GIGO issue.

    The Mongo issue I just outlined is easily reproducible. Try it out.

    @DaveK said:

    You're probably also thinking of the CreateProcess guess-where-the-spaces-go dance as a good thing, rather than the stupid attempt to second-guess the user's intentions that leads to shit like the "C:\Program.exe" vulnerability that it actually is.

    I don't even know what this sentence means, or what it has to do with anything.

    @DaveK said:

    In short, your complaint reflects only your incompetence, and not the supposed flaw with FOSS that you imagine it to show.

    Of course, the bug in Mongo is a result of my incompetence. Obviously if I were more skilled, Mongo would not have that bug. Due to... magic? Elves? Magical elves?



  • @TheCPUWizard said:

    FOSS (and related) is a viable and valuable part of the ecosystem, but there is no way (given real world constraints) that it could ever be the ONLY way.

    Quite right, and I doubt that even folks who license their stuff under a GPL believe that it should be; the GPL is an attempt to make sure FOSS stayed visible and available, designed at a time where it looked like there was a real possibility that the way things were heading meant that the only way it would be viable to make a living as a working programmer was to assign property rights in the things that you wrote to your employer. And it has to be said that it's been largely successful in that regard: there are now many many skilled programmers employed to write and maintain FOSS by organizations with very deep pockets. Thirty years ago, who would have thought that IBM or HP would be in the business of contributing to the creation and publishing of source code for stuff that runs on anything but their own machines? I certainly didn't.



  • @blakeyrat said:

    @DaveK said:
    You're probably also thinking of the CreateProcess guess-where-the-spaces-go dance as a good thing, rather than the stupid attempt to second-guess the user's intentions that leads to shit like the "C:\Program.exe" vulnerability that it actually is.

    I don't even know what this sentence means, or what it has to do with anything.

    Try copying notepad.exe to C:\program.exe on a Windows box and watch how many things break. Hint: most of them won't be FOSS. This behavior is by design.



  • @blakeyrat said:

    @flabdablet said:
    The fact that they are not also looking after the interests of every freeloader who doesn't want to pay for a FIPS-compliant TLS stack is neither here nor there.

    If they don't like (in your words) "freeloaders", why would they choose a software license which enables "freeloading"?

    "Freeloader" is indeed my word, not OpenBSD's. If you want to know why the OpenBSD licence is the way it is, ask Theo, not me.



  • @flabdablet said:

    Try copying notepad.exe to C:\program.exe on a Windows box and watch how many things break. Hint: most of them won't be FOSS. This behavior is by design.

    Ok now get to the part where you explain what the fuck it has to do with anything?

    Oh BTW: let's make this a tit-for-tat, since you've turned this discussion into Windows vs. Linux. On Linux, create a file named "-rf". Now try to delete just that file in the standard way-- look at all that stuff that got deleted! This extremely destructive moronic behavior is by lack of design. NOW OUR ANECDOTES HAVE DUELED EACH OTHER!



  • @joe.edwards said:

    Edit: thanks for the new avatar, mott555!


    Yeah, saw that coming a mile away.


  • Considered Harmful

    @blakeyrat said:

    @flabdablet said:
    Try copying notepad.exe to C:\program.exe on a Windows box and watch how many things break. Hint: most of them won't be FOSS. This behavior is by design.

    Ok now get to the part where you explain what the fuck it has to do with anything?

    Oh BTW: let's make this a tit-for-tat, since you've turned this discussion into Windows vs. Linux. On Linux, create a file named "-rf". Now try to delete just that file in the standard way-- look at all that stuff that got deleted! This extremely destructive moronic behavior is by lack of design. NOW OUR ANECDOTES HAVE DUELED EACH OTHER!

    OK. OK. All the software sucks, including but not limited to open/closed source security software, operating system software, and shell software.

    Now I need a stiff drink and a new career.



  • @joe.edwards said:

    Now I need a stiff drink and a new career.

    Get 2 for 1 with a career in imbibing stiff drinks.

     


  • Considered Harmful

    @TheCPUWizard said:

    @joe.edwards said:

    Now I need a stiff drink and a new career.

    Get 2 for 1 with a career in imbibing stiff drinks.

     


    I just noticed The Art of Computer Programming is finally available for Kindle. Hopefully Knuth can cure my ennui and existential dread.



  • @blakeyrat said:

    @DaveK said:
    Of course, Blakey can't be expected to prove a negative here (particularly without access to the source for auditing purposes!), but if past experience is anything to go by, it's fairly likely that SChannel has bugs.

    I didn't say anything about SChannel in this thread, what the fuck are you talking about? Jesus, you people need pills.

    I mis-remembered the source of the quote. It was Morbs who said that, and my comment should have been directed at him. Sorry.



  • @mott555 said:

    I bet DaveK is one of those guys who thinks it's okay for Obama to be a bad president because Bush was a bad president.

    Obvious troll is indeed obvious, but what I was actually arguing was that Obama being a bad president doesn't somehow prove that Bush was not one.



  • @DaveK said:

    If a FOSS tool receives a path with a space in it as an argv entry and passes it to fopen(), nothing goes wrong. Of course, shitty user scripts that don't quote the args they pass to tools correctly exist, just like shitty .bat files that don't quote their args correctly also exist, but that's not the fault of the tools.

    Here are the official build instructions for Firefox:

    https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Windows_Prerequisites

    "Please note that Mozilla will not build if some of the tools are installed at a path that contains spaces"  (emphasis theirs, not mine)

    How exactly is that a PEBKAC problem and NOT the fault of poorly designed tools?



  • I'm mildly impressed Mozilla at least documents it, instead of just making all its users do hours of Googling when things don't work for mysterious reasons.



  • @El_Heffe said:

    "Please note that Mozilla will not build if some of the tools are installed at a path that contains spaces"  (emphasis theirs, not mine)

    How exactly is that a PEBKAC problem and NOT the fault of poorly designed tools?

    It is not the program's fault...a developer made the program do that... so it definitely is PEBKAC, but on the development side.

     


  • Considered Harmful

    @TheCPUWizard said:

    It is not the program's fault...a developer made the program do that

    headdesk The same could be said of every bug in every program ever, yes?



  • @flabdablet said:

    Try copying notepad.exe to C:\program.exe on a Windows box and watch how many things break. Hint: most of them won't be FOSS

    That's a completely irrelevant and contrived argument, just like Blakey's example of creating a file called "-rf". Renaming notepad.exe to C:\program.exe is not something anyone would have a reason to do, just like nobody would have a good reason to create a file called -rf.

    On the other hand, installing an application into a directory with spaces is something that has been standard (on Windows) since 1995.



  • @El_Heffe said:

    That's a completely irrelevant and contrived argument,

    It's not even an argument. As far as I can tell, it has NOTHING to do with the discussion and people bringing it up haven't deigned to bother explaining why it's relevant. (In their eyes.)



  • @blakeyrat said:

    @El_Heffe said:
    That's a completely irrelevant and contrived argument,

    It's not even an argument. As far as I can tell, it has NOTHING to do with the discussion and people bringing it up haven't deigned to bother explaining why it's relevant. (In their eyes.)

    The Official Spaces in Path Names FAQ:

    Q:  Why can't many FOSS programs handle paths that contain spaces?

    A:  Look . . . over there . . . behind those bushes . . . if you rename notepad.exe to program.exe something bad happens.

    See?  It makes perfect sense.



  • @joe.edwards said:

    @TheCPUWizard said:
    It is not the program's fault...a developer made the program do that

    *headdesk* The same could be said of every bug in every program ever, yes?

    Except for some SkyNet, Cylon, and a few other projects....yes...


  • Considered Harmful

    @TheCPUWizard said:

    @joe.edwards said:

    @TheCPUWizard said:
    It is not the program's fault...a developer made the program do that

    headdesk The same could be said of every bug in every program ever, yes?

    Except for some SkyNet, Cylon, and a few other projects....yes...


    Killing all humans is a feature, not a bug.



  • @El_Heffe said:

    Renaming notepad.exe to C:\program.exe is not something anyone would have a reason to do, just like nobody would have a good reason to create a file called -rf.

    Copying notepad.exe to c:\program.exe is not something that anybody would normally do, but what does happen is that somebody places a file (or directory) named Program in C:\ - and that creates havoc on the system, precisely because a bunch of programs don't handle spaces in pathnames properly, and instead rely on Windows to work around their failures (which stops happening when Windows sees C:\program as an existing file/directory).



    As for FOSS programs not handling spaces in Program Files, I never had any problems with 7-zip, AbiWord, AegiSub, AutoHotKey, AviSynth, Bochs, Calibre2, Dia, FileZilla, Firefox, GIMP, GhostScript, GnuPG, ImageMagick, Inkscape, Inno Setup, LibreOffice, OpenVPN, Paint.NET, PopFile, smartmontools, TigerVNC, Wireshark...
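The mechanism ender describes above (and the unquoted MongoDB service path blakeyrat reported earlier in the thread) can be checked mechanically. This is an added example, not code from the thread or from MongoDB or any other project named in it: it applies the rule Microsoft documents for CreateProcess on an unquoted command line (split at each space, append ".exe", try each prefix in turn) to constructed ImagePath strings, reports which stray file or directory names would break each service, and emits the quoted form a hardening check expects.

```python
"""Audit Windows service ImagePath values for unquoted paths with spaces.

Documented CreateProcess behaviour for an unquoted command line: the string
is split at each space and ".exe" is appended to every prefix, which is then
looked up in order.  So for an unquoted C:\\Program Files\\X\\svc.exe Windows
probes C:\\Program.exe *before* the real executable, which is why a stray
C:\\Program file or directory breaks such services.
"""
from typing import Dict, List

# Constructed sample registry values (not real data).  "MongoDB" is modelled
# on the unquoted service path described in the thread; the others contrast.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "MongoDB": r"C:\Program Files\MongoDB\bin\mongod.exe --service --config C:\Program Files\MongoDB\mongod.cfg",
    "TwoSpaces": r"C:\Program Files\Good Vendor\svc.exe --run",
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" --run',
    "SysSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def intended_executable(image_path: str) -> str:
    """The executable the author meant: the quoted part when quoted,
    otherwise the shortest space-delimited prefix ending in '.exe'
    (falling back to the first token if none does)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    tokens = s.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return prefix
    return tokens[0]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when Windows has to guess where the executable name ends:
    the path is not quoted and contains at least one space."""
    s = image_path.strip()
    return not s.startswith('"') and " " in intended_executable(s)


def paths_tried_first(image_path: str) -> List[str]:
    """Paths CreateProcess probes before reaching the intended executable:
    one per space inside that path, prefix + '.exe'.  A file or directory
    at any of them stops the service from starting.  Empty when quoted."""
    if not is_unquoted_with_spaces(image_path):
        return []
    tokens = intended_executable(image_path).split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def quote_image_path(image_path: str) -> str:
    """The fix the thread says Mongo's installer forgot: wrap the
    executable in double quotes and leave the arguments untouched."""
    s = image_path.strip()
    if s.startswith('"'):
        return s
    exe = intended_executable(s)
    return f'"{exe}"{s[len(exe):]}'


def audit(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service whose path is unquoted and contains spaces to the
    locations Windows would probe before the real executable."""
    return {name: paths_tried_first(p) for name, p in image_paths.items()
            if is_unquoted_with_spaces(p)}


if __name__ == "__main__":
    for name, tried in audit(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: unquoted path; Windows probes {tried} first")
        print(f"  fix: {quote_image_path(SAMPLE_IMAGE_PATHS[name])}")
```

On a real host the same functions apply to the ImagePath values read from HKLM\SYSTEM\CurrentControlSet\Services; the sample dictionary stands in for that here so the example runs anywhere.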



  • @ender said:


    As for FOSS programs not handling spaces in Program Files, I never had any problems with 7-zip, AbiWord, AegiSub, AutoHotKey, AviSynth, Bochs, Calibre2, Dia, FileZilla, Firefox, GIMP, GhostScript, GnuPG, ImageMagick, Inkscape, Inno Setup, LibreOffice, OpenVPN, Paint.NET, PopFile, smartmontools, TigerVNC, Wireshark...

    NetBeans, Notepad++, PuTTY and friends, R, Tortoise{svn,git,hg}

    MiKTeX has problems with UAC, though.



  • @flabdablet said:

    The OpenBSD team is in the fortunate position of not having to prioritize regulatory compliance over security and code quality, because anybody who has chosen OpenBSD instead of FreeBSD or NetBSD or Linux does care more about security than about FIPS. They are looking after the interests of their users.

    Okay, but this does not contradict what I said at all. You're conceding that not supporting FIPS is something that will exclude a number of users, which is exactly what I said. They've chosen the easy, "pure" path at the expense of their users.

    @flabdablet said:

    The fact that they are not also looking after the interests of every freeloader who doesn't want to pay for a FIPS-compliant TLS stack is neither here nor there.

    Blakey already pointed out that "freeloading" is pretty much the entire point of FOSS. I would just add: you are being hypocritical, because if someone was like "This commercial software product sucks! They completely took the easy path and left out FIPS support!" what would your response be? I'm betting it wouldn't be a full-throated defense of the developer and of commercial software in-general; probably something like "Well, if it doesn't do what you want, you shouldn't pay for it." Which is what I would say, too. But when someone does that with FOSS you people are like "You can't criticize, it's free, you could just fork the source if it doesn't do what you want, blah blah blah". You want FOSS to be taken seriously but then when someone actually tries to hold you to the same standards you whine that it's not fair.

    Look, rather than paying for a house, I could live in an alley for free. Rather than buying food, I could get free food from a dumpster. Being free does not automatically make something superior to something you pay for, nor does it mean someone can't be like "Hey, this jelly donut has tire tracks on it!"

    @flabdablet said:

    But you ignore that, and imply that OpenBSD's attitude toward FIPS typifies FOSS developers' attitude toward regulation generally

    How does it not? Are you implying this is the first time a FOSS project chose convenience for the developers over convenience for the users?

    @flabdablet said:

    I suggest you give up the hookers and crack for a while

    Over my dead, STD-and-crack-riddled body.



  • @ender said:


    As for FOSS programs not handling spaces in Program Files, I never had any problems with 7-zip, AbiWord, AegiSub, AutoHotKey, AviSynth, Bochs, Calibre2, Dia, FileZilla, Firefox, GIMP, GhostScript, GnuPG, ImageMagick, Inkscape, Inno Setup, LibreOffice, OpenVPN, Paint.NET, PopFile, smartmontools, TigerVNC, Wireshark...
     

     

    What kind of crazy argument is that? "Here is a list of stuff that works". Where is the discussion supposed to go from here? A list of everything that doesn't work? And whichever list is the longest wins?

     The original argument was: There is FOSS software out there that is shitty, for example MongoDB and countless others. This is supposedly a general indicator about the quality of the development model and how systematic failure and missing test cases are. You aren't exactly contributing to that discussion, since both the type of bug and the software product itself were examples.

    Also, since I contributed to some of the dev tools surrounding emscripten (meaning I am in the unique position of being one of the developer scrups that get insulted here), I'm finding it hard to disagree with the general principle of blakey's argument, even if the way and polemic that got him there are, as always, insane. The truth is, with the insanity surrounding most build processes, even of high profile projects like Firefox, the fact that most of the stuff out there is horribly broken doesn't exactly come out of nowhere.

    The old repeated mantra of hundreds of eyes looking over your source code, and increasing its quality, is bunk. Now for OpenSSL obviously the entry level itself (hands up, anybody in here that knows the full source code to an encryption standard by heart) and the general unpopularity of the topic (even the OpenBSD guys, people that get paid for writing secure code, played the "It'll be fine" card until it blew up), but it certainly doesn't help that the normal developer setup involves summoning effin Cthulhu. I would love to contribute to more projects, but until Open Source (generalized) gets its shit together, and starts writing and maintaining good development tools, every project just ends up pissing into a poorly written wiki instructing you to manually fuck around in your registry.



  • @morbiuswilters said:



    @flabdablet said:

    But you ignore that, and imply that OpenBSD's attitude toward FIPS typifies FOSS developers' attitude toward regulation generally

    How does it not? Are you implying this is the first time a FOSS project chose convenience for the developers over convenience for the users?

     

    The validity of that statement in this case sort of depends on whether or not there actually are still users desperately in need of FIPS support. So far that has just been some kind of unchallenged assumption here.



  • @derari said:

    I know you didn't say that. You didn't say the other thing, either. Which is a good thing, because it would be wrong often enough.

    So.. you're just making up the arguments you want to have in your head and then posting the results here? How's that working out for you?

    @derari said:

    Picking on one software that sucks and concluding that all FOSS projects suck is a fallacy.

    I'm sorry, I don't have a trillion free hours to write about every single piece of shit residing on GitHub. It would be easier to just tell you about the good FOSS projects: Chromium. Even Firefox, which used to be on my short list of "Good FOSS Projects" no longer makes the cut, because the idiots at Mozilla are delusional sociopaths who only care about hurting their users and making their product suck more.

    @derari said:

    I don't think SChannel has the same amount of deprecated code, because they probably never made the effort to support that many older platforms.

    And that's supposed to be a point in OpenSSL's favour? Shit, even the OpenBSD people realize that's dumb.

    @derari said:

    Want something easy and "profitable" to make?

    I like that you put "profitable" in quotes.

    @derari said:

    Need something that requires work that can't be done in vim? The quick-cash community could not care less.

    Now, see, I don't think I've ever seen a commercial product that only works in vim.

    @derari said:

    That's why commercial software is consigned to re-inventing the cash-cow wheel over and over again. Want proof? http://en.wikipedia.org/wiki/List_of_ERP_software_packages or http://en.wikipedia.org/wiki/List_of_project_management_software (sort by license) (Also notice that of the FOSS products, many are effectively owned and developed by a single company and just happen to have their code published)

    So your coup de grace against commercial software is that it gives you dozens of competing choices? Do you think the same thing about FOSS window managers, or did you just stumble into that contradiction by accident?

    @derari said:

    Aside from that, yes I think that SChannel has severe security bugs. Feel free to prove me wrong.

    Well, for one, I never said SChannel was bug-free; there you go again, having the argument you want to have in your head.

    Ignoring that, you want me to prove that SChannel has undiscovered bugs in it?? Are you people actually capable of reasoning about the words that spill out of your keyboards or is this the best I can hope for?

    Here's the thing: I'm sure SChannel still has bugs. Just as I'm sure that libressl (the OpenBSD patch-up of OpenSSL, since you people seem to be terrible at following the fucking thread of conversation) will still have bugs, even after the OpenBSD guys are done with it. I never made a statement contrary to that, or one that would even imply that. I used OpenSSL's inferiority to SChannel (which, God, I hope is something we can all agree about now) as evidence of the inferior nature of FOSS in-general. So far, nobody has effectively countered that, you've just fabricated statements I did not make and then tried vainly to argue against them.

    I also pointed out that OpenBSD's decision to drop FIPS is a great example of how FOSS usually cares more about its own developers than it does about users. They choose the easy, interesting, gratifying work over the drudgery. Once again, please prove me wrong.



  • @DaveK said:

    (particularly without access to the source for auditing purposes!),

    Wow, are you people still falling back on that? Even after the OpenSSL fiasco? I guess "We have over a dozen X terminals, and most support 256 colors!" wasn't the selling point you people thought, huh?

    @DaveK said:

    There you go. Remote privileged code execution, authentication bypass and DoS conditions.

    Cool, so SChannel HAD four severe bugs exposed in the last seven-ish years. Now all we have to do is verify that OpenSSL has had fewer bugs during the same time period, and you will have successfully challenged my assertion that FOSS is producing shittier results.

    Oh. Hell, I'll do you a solid and we can exclude all of the bugs since HeartBeeps was found. It still looks pretty grim, eh?

    @DaveK said:

    Of course, Blakey Morbsy-Worbsy won't point to these as proof that all proprietary software is bug-ridden shit

    I actually would never make that argument. My argument was along the lines of "FOSS is buggier and shittier than commercial", if you cared to read.

    I'd like to add, regarding the "many eyes" thing: I think HeartBeeps pretty effectively killed the idea that this works. I mean, OpenSSL was a high-profile, high-security project that was considered a success until a month or so ago. The FOSStafarians were like "Sure, it's had more bugs than SChannel, but not many, and we've got lots of eyes on the code so any real bugs are quickly found and fixed."

    Instead, I think what this has shown is that having the source open only makes it easier for horrific bugs to be seen but not fixed for years. So "'many eyes' means any real bugs are quickly found and fixed" has become "'many eyes' means real bugs are quickly found by someone, with fixes coming several years after the bugs were introduced." I mean, do you think the NSA didn't know about at least half of these bugs years ago?

    As much like "security through obscurity" as it is, I'm going to say it's pretty well-settled at this point that giving everyone access to your source only makes it easier for the nefarious to discover those bugs and exploit them. And meanwhile, it seems the FOSS development model isn't doing a hell of a lot to keep bugs from slipping in in the first place (apparently snotty web sites making fun of people who give away their time for free weren't the incentive that you guys thought, eh?)



  • @flabdablet said:

    And it has to be said that it's been largely successful in that regard: there are now many many skilled programmers employed to write and maintain FOSS by organizations with very deep pockets.

    That always felt like cheating. Is that a success of FOSS, or is it that cheap companies would rather throw a few shekels at trying to use something free?

    @flabdablet said:

    Thirty years ago, who would have thought that IBM or HP would be in the business of contributing to the creation and publishing of source code for stuff that runs on anything but their own machines? I certainly didn't.

    Yeah, it's a strange, dystopian future we live in.



  • @blakeyrat said:

    I'm mildly impressed Mozilla at least documents it, instead of just making all its users do hours of Googling when things don't work for mysterious reasons.

    Don't worry, they'll "fix" that in the next ground-up rewrite of the docs.



  • @fire2k said:

    even the OpenBSD-guys, people that get paid for writing secure code, played the "It'll be fine"-card until it blew up

    I really love that, by the way. The OpenBSD guys are hardcore when it comes to security. They spend so much time trying to improve the security of various packages and implement things in a secure manner, but, hey, they were including this insecure piece of shit they'd never bothered auditing as a central piece of their OS. Fan-tastic.



  • @fire2k said:

    @morbiuswilters said:



    @flabdablet said:

    But you ignore that, and imply that OpenBSD's attitude toward FIPS typifies FOSS developers' attitude toward regulation generally

    How does it not? Are you implying this is the first time a FOSS project chose convenience for the developers over convenience for the users?

     

    The validity of that statement in this case sort of depends on whether or not there are actually still users desperately in need of FIPS-support. So far that has just been some kind of unchallenged assumption here.

    Well, it's a government standard that's still used by a lot of large organizations. I'd love for it to go away, but it probably won't.



  • @morbiuswilters said:

    @fire2k said:

    @morbiuswilters said:



    @flabdablet said:

    But you ignore that, and imply that OpenBSD's attitude toward FIPS typifies FOSS developers' attitude toward regulation generally

    How does it not? Are you implying this is the first time a FOSS project chose convenience for the developers over convenience for the users?

     

    The validity of that statement in this case sort of depends on whether or not there are actually still users desperately in need of FIPS-support. So far that has just been some kind of unchallenged assumption here.

    Well, it's a government standard that's still used by a lot of large organizations. I'd love for it to go away, but it probably won't.

    It will go away when our government becomes rational.



  • @morbiuswilters said:

    @fire2k said:
    even the OpenBSD-guys, people that get paid for writing secure code, played the "It'll be fine"-card until it blew up

    I really love that, by the way. The OpenBSD guys are hardcore when it comes to security. They spend so much time trying to improve the security of various packages and implement things in a secure manner, but, hey, they were including this insecure piece of shit they'd never bothered auditing as a central piece of their OS. Fan-tastic.

     

    I guess that does indeed make the whole setting up a blog making fun of how insane OpenSSL is somewhat of an own goal. "Haha, look at how broken this software we used and vouched for in our distributed security product really was all along"

    I'm somewhat torn on putting all that blame on them here nevertheless. The truth is that OpenBSD (which maintains many of the core libraries and software systems the Internet runs on, and thanks to their lenient licensing, is in fucking everything), has ridiculously little funding in comparison to what you put up as the alternative - commercial, closed-source software. The reasons for that are complex and a lot of people come off badly in this argument, but that is just the status quo. And that being as it is, this whole thing sort of feels like making fun of Africa volunteers failing to keep a steady program going. It's hardly fair that insecurity and hacking are billion-dollar industries, fighting some volunteers IBM pays to somehow keep the infrastructure of things they themselves make billions off barely afloat.

    But all of this never goes anywhere. Some dick jokes here, a few slashdot-level debates about how "Micro$oft is the worst" or "all OSS is broken!!11", a few guys screaming about leaving the developers alone because it's free software and you didn't pay anything for it (yes, I fucking did, with advertising money, donations, word of mouth, software usage, bug reports, etc.), a few guys naming all the best and worst OSS products, a few memes. Doesn't go anywhere. The end result is that we fucking lost this. Both the intelligence agencies and some script kiddies from Canada ended up with our effin credit data (again), all the software is still broken, and in just about three weeks, we will do the same spiel again, if not with SSL then maybe with HTTPS/SSH/TLS or whatever, except now BSD has a fork that will never ever backport its security work.

    The question, or the debate I would like to have is: What do we do about this?



  • @HardwareGeek said:

    @morbiuswilters said:
    @fire2k said:

    @morbiuswilters said:



    @flabdablet said:

    But you ignore that, and imply that OpenBSD's attitude toward FIPS typifies FOSS developers' attitude toward regulation generally

    How does it not? Are you implying this is the first time a FOSS project chose convenience for the developers over convenience for the users?

     

    The validity of that statement in this case sort of depends on whether or not there are actually still users desperately in need of FIPS-support. So far that has just been some kind of unchallenged assumption here.

    Well, it's a government standard that's still used by a lot of large organizations. I'd love for it to go away, but it probably won't.

    It will go away when our government becomes rational.

    Hillary/Jeb 2016



  • @morbiuswilters said:

    @HardwareGeek said:
    @morbiuswilters said:
    @fire2k said:

    @morbiuswilters said:



    @flabdablet said:

    But you ignore that, and imply that OpenBSD's attitude toward FIPS typifies FOSS developers' attitude toward regulation generally

    How does it not? Are you implying this is the first time a FOSS project chose convenience for the developers over convenience for the users?

     

    The validity of that statement in this case sort of depends on whether or not there are actually still users desperately in need of FIPS-support. So far that has just been some kind of unchallenged assumption here.

    Well, it's a government standard that's still used by a lot of large organizations. I'd love for it to go away, but it probably won't.

    It will go away when our government becomes rational.

    Hillary/Jeb 2016

    rational.c: In function ‘main’:
    rational.c:4:15: error: expected ‘;’ before numeric constant
       Hillary/Jeb 2016
                   ^
    


  • @fire2k said:

    The truth is that OpenBSD (which maintains many of the core libraries and software systems the Internet runs on, and thanks to their lenient licensing, is in fucking everything), has ridiculously little funding in comparison to what you put up as the alternative - commercial, closed-source software.

    Which is why I don't blame the OpenBSD developers, I blame FOSS and people who promote FOSS as superior to commercial development. The OpenBSD guys are probably all sharp guys, but the entire goal of FOSS works against it: to build high-quality, usable software with mostly-volunteer resources, little money and no incentive to actually make anything usable.

    In fact, it seems to me there is a distinct disincentive to make things usable, because if you put effort into making a good GUI, people will still ravage you over it (see M$.) But if you just churn out a CLI-based interface in the year 2014, when people criticize you can just say "Hey, it's a more efficient way to work and you just don't get it."

    @fire2k said:

    It's hardly fair that insecurity and hacking are billion-dollar industries, fighting some volunteers IBM pays to somehow keep the infrastructure of things they themselves make billions off barely afloat.

    Of course. And I think companies like IBM deserve a lot of blame here. In the late 90s IBM realized they could make more profit by using inferior, "free" products and throwing a few shekels at the projects, rather than maintaining their own code. It does mean IBM's customers get stuck with crap software, but they were already used to that; FOSS is just the terminal end stage of being a loyal IBM customer. Plus, from IBM's perspective it's a PR win.

    If this was their proprietary code that had bugs this awful, they'd rightly be savaged for it. Instead, they get to surreptitiously pin the blame on someone else, while still getting to play the role of gracious hero by putting out some press release peppered with phrases like "community" and "in this together". Then IBM contributes back a tiny fraction of the money they would have spent building their own product and the Slashtrolls eat it up. Meanwhile, FOSS plays the role of fall-guy, hatchetman and journeyman for a cynical multi-billion dollar corporation. Is this what you planned, Stallman?

    @fire2k said:

    bug reports

    Or as I like to call them "Automated emails I get seven years later telling me my bug was closed without being fixed because they re-wrote the entire thing in Go and if it still happens I should open a new bug." Then I'm like "When the hell did I file a bug on GIMP?" and I get to spend a couple hours reminiscing about my teenage years, my first taste of beer and the smell of the road on a hot summer night.

    @fire2k said:

    The question, or the debate I would like to have is: What do we do about this?

    Here's the debate I would like to have: should M$ fund open sores projects like OpenSSL so they will continue to serve as lightning rods for script kiddies, lazy hackers and the U.S. Government? Personally, I can see it as a worthwhile investment.


  • ♿ (Parody)

    @morbiuswilters said:

    Instead, I think what this has shown is that having the source open only makes it easier for horrific bugs to be seen but not fixed for years. So "'many eyes' means any real bugs are quickly found and fixed" has become "'many eyes' means real bugs are quickly found by someone, with fixes coming several years after the bugs were introduced." I mean, do you think the NSA didn't know about at least half of these bugs years ago?

    Our solution was to run an older version that wasn't affected by the bug. Eh...we were on RHEL6, and I'm not a sysadmin, so I don't know if we were behind because we didn't keep up with OpenSSL updates or that's just where RHEL6 was. Maybe this is a weird case where sysadmin laziness or whatever actually mitigates the real damage?


  • ♿ (Parody)

    @morbiuswilters said:

    @flabdablet said:
    And it has to be said that it's been largely successful in that regard: there are now many many skilled programmers employed to write and maintain FOSS by organizations with very deep pockets.

    That always felt like cheating. Is that a success of FOSS, or is it that cheap companies would rather throw a few shekels at trying to use something free?

    It's hard to imagine the various companies contributing to the same / complementary projects in any other way. It's probably an unforeseen consequence, though of course, that sort of collaboration is probably what Stallman was really hoping for all along.


  • ♿ (Parody)

    @HardwareGeek said:

    It will go away when our government becomes rationalirrevocably insolvent.

    FTFY



  • @boomzilla said:

    @HardwareGeek said:
    It will go away when our government becomes rationalirrevocably insolvent.

    FTFY

    Sorta. In that case, the standard would probably still be there. There would be no real reason to comply with it (not that there is now), but I'll bet some B2B contracts would still require it because they were written when one of the businesses was trying to sell stuff to the government.



  • @boomzilla said:

    @morbiuswilters said:
    Instead, I think what this has shown is that having the source open only makes it easier for horrific bugs to be seen but not fixed for years. So "'many eyes' means any real bugs are quickly found and fixed" has become "'many eyes' means real bugs are quickly found by someone, with fixes coming several years after the bugs were introduced." I mean, do you think the NSA didn't know about at least half of these bugs years ago?

    Our solution was to run an older version that wasn't affected by the bug. Eh...we were on RHEL6, and I'm not a sysadmin, so I don't know if we were behind because we didn't keep up with OpenSSL updates or that's just where RHEL6 was. Maybe this is a weird case where sysadmin laziness or whatever actually mitigates the real damage?

    I think there were still a lot of distros that used pre-HeartBeeps OpenSSL. Not cutting-edge distros, but ones that are a couple of years behind the curve, like Debian testing.

