
This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!


Desktop Thread
2014-08-25, 8:08 AM #41
I don't think Walmart's new logo is as bad as YAHOO's one. I blame Marissa Mayer.
SnailIracing:n(500tpostshpereline)pants
-----------------------------@%
2014-08-25, 9:17 AM #42
Well, open-source is about sharing, but then again, I too always scoffed at Canonical's branding as sterile mumbo-jumbo.
2014-08-25, 9:43 AM #43
Yeah, I prefer logos that don't really have a meaning or can have, like, a few million of them.
Star Wars: TODOA | DXN - Deus Ex: Nihilum
2014-08-25, 10:00 AM #44
That's a copy of this.
2014-08-25, 10:12 AM #45
Not of this?
Star Wars: TODOA | DXN - Deus Ex: Nihilum
2014-08-25, 3:22 PM #46
.
2014-08-25, 7:18 PM #47
That's just total nonsense. "Open-source" isn't about any one thing (you picked security) any more than the academic community of atomic physicists is solely about exploding atom bombs on civilians.

You mean to tell me that Richard Stallman started project GNU in order to help the government break into people's computers? What the hell are you talking about here?
2014-08-25, 7:24 PM #48
Originally posted by Reid:
the narrative about the open source community should be treated with pure cynicism


Reid's philosophy seems to be to treat the world with pure cynicism.
2014-08-25, 7:29 PM #49
.
2014-08-25, 7:32 PM #50
.
2014-08-25, 7:41 PM #51
Okay--interesting and disturbing, but it doesn't damn the idea of sharing source code per se, which was Stallman's ideology when he started GNU in 1983. The hacker ethos of sharing code goes further back still, which Stallman probably absorbed while at the MIT media lab.

I have no idea about Ubuntu. I never bothered to see who developed it and why, since it feels like a decroded piece of crap.
2014-08-25, 7:42 PM #52
.
2014-08-25, 7:45 PM #53
.
2014-08-25, 7:56 PM #54
I'm not disagreeing with any of that. The open source community needs to be vigilant about rogue contributors with dubious motives, and the most seasoned open source hackers in the crypto community must be painfully aware of what a cluster**** the general security situation is.

But, for Christ's sake, we were talking about a logo that simply embodied what Richard Stallman had previously stated with words (his "four freedoms"). No conspiracies here, just branding. Okay?
2014-08-25, 8:12 PM #55
Originally posted by Reid:
Except for kernel development, which is more or less controlled by an organization that gets most of its funding from the U.S. military.


Are you saying that the Linux kernel is controlled by Redhat? I don't think that any one company can control kernel development. Last I checked, Linus Torvalds has the final say on everything that goes in.
2014-08-25, 8:24 PM #56
.
2014-08-25, 8:30 PM #57
.
2014-08-25, 9:28 PM #58
Originally posted by Reid:
Linus isn't the Linux dictator and he has complained about stupid development directly (http://www.phoronix.com/scan.php?page=news_item&px=MTY1MzA)


Did you read the article you linked to? Here are some excerpts:

Quote:
Linus says he will refuse to merge any code from Red Hat's Kay Sievers until their code is cleaned up and not constantly causing problems.


Quote:
Linus also said, "I'm not willing to merge something where the maintainer is known to not care about bugs and regressions and then forces people in other projects to fix their project.


Quote:
"Greg - just for your information, I will *not* be merging any code from Kay into the kernel until this constant pattern is fixed."


You introduced the word dictator to this thread to say that Linus isn't the Linux dictator. Yet Linus Torvalds is one of a handful of open source project leaders that the phrase "Benevolent dictator for life" brings to mind, and is even listed as one on the Wikipedia article for the phrase.

I am willing to concede that your point doesn't necessarily depend on these things, but your post seems a tad ironic in light of these facts!
2014-08-25, 9:31 PM #59
Perhaps the flavor of dictator you had in mind was one who "rules with an iron fist" instead of with benevolence. :P
2014-08-25, 10:28 PM #60
.
2014-08-25, 10:35 PM #61
Quote:
He may have final say, but that doesn't mean he can fully scrutinize every piece of code.


Well that's certainly true. Even the president of the United States has to appease those who wield "soft" power over him. It's certainly possible for the dictator to be forced to pick his/her battles in order to prevent those "underneath" said dictator from revolting.

In fact, I'm not sure if there has ever been a figure in history that approached having "god"-like, arbitrary power.
2014-08-25, 10:38 PM #62
Originally posted by Reid:
open source is about developing libraries with intended "bugs" for government agencies cf. openssl, also consider who pays redhat and is doing a majority of the development on the linux kernel, and what some say about such changes viz.

I work for a company which develops tools for software quality, a company which not only offers its services for free to open source developers but also unilaterally runs its own tools against many high-profile open source projects, and Debian packages in particular. This company also publicly pursues and promotes awareness of the sorts of bugs you're talking about, because the fact that we can find them and our competitors can't is a major selling point.

So bear that all in mind when I tell you that you're full of ****.

Closed-source software is universally worse than open-source. Most people who write closed-source software are five flavors of don't-give-a-**** between boredom and bad management, and that's before you consider the (I would have expected) even more obvious and direct means for a closed-source project to be sabotaged under a secret court order than to hide security flaws inside code anybody can read or even just run cppcheck against. All of this compounds against the fact that software development is an inherently difficult activity requiring utter perfection the first time around, which isn't something that human beings can deliver, and is the real reason that open-source software is buggy.

Let's look at a couple of recent open-source SSL bugs, since you seem to be interested in those sorts of bugs specifically.

Apple's open source SSL bug from back in February looked like this:
Code:
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;
    goto fail;


What does this mean? If the conditional branch isn't taken, it jumps to the fail label. If the conditional branch is taken, it jumps to the fail label. So any code following the conditional is skipped. Sure hope it isn't important! (Spoiler: it is).

Clearly a dastardly NSA plot, right? Except this sort of bug shows up all the time, thanks to distracted developers resolving merge conflicts under a time crunch. You want to know who's the real culprit here? Here are some clues for you: open concept offices where nobody can concentrate, poor code style guidelines, no institutional use of static analysis (which can detect that a huge chunk of code can no longer be entered), poor testing standards (since the tests covering the rest of the method should always fail after this change), and no measurement of test coverage (since you'd immediately notice that some of this code is no longer covered by tests). i.e. poor management and technical leadership company-wide.

Heartbleed is an out-of-bounds array access bug in OpenSSL. Clearly a dastardly NSA plot, right? Except this is the most common form of C/C++ security bug. It's practically guaranteed that any significant C codebase has at least one of these bugs, because C is among the worst possible languages for writing secure code and it's actually impossible to do without invoking at least some non-portable behavior. On top of the inherent difficulty of writing secure C, the developers of OpenSSL are frankly very poor engineers in a lot of ways. The internet has beaten them up a lot so I won't expound on this, but it's just not very surprising that they would accidentally introduce an error like this one.


And finally, be realistic here. The NSA isn't dropping security vulnerabilities in SSL. They don't need to. SSL is terrible and it doesn't work; the chain of trust is already controlled by American companies, users are trained to ignore all potential MITM attacks, and for the rare few people technically sophisticated enough to self-sign they will just threaten and shoot and subpoena until they control the endpoint, which statistically speaking is in a Five Eyes nation anyway. And even if your conspiracy isn't bull****, now that Raytheon employees carry burner laptops there are an awful lot of folks in the world who'd love to crack their VPN, and lil hint: none of those folks work for the NSA.
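The "goto fail" control-flow shape from the post above, reproduced as an added C example that is not from the thread and not Apple's code: `hash_ctx`, `hash_update`, `hash_final_matches` and the sample bytes are constructed stand-ins for the real SSLHash calls, and the toy arithmetic is not a real hash. The vulnerable function keeps the duplicated `goto`; the fixed function beside it uses braces so the indentation and the control flow agree. `rejects_forgery` is the regression test the post says was missing: a wrong signature must be rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the SSLHashSHA1 context; not a real hash. */
typedef struct { uint32_t acc; } hash_ctx;

/* Returns 0 on success, following the OSStatus-style "0 == noErr" convention
 * that makes a duplicated goto dangerous: err stays 0 at the fail label. */
static int hash_update(hash_ctx *ctx, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        ctx->acc = ctx->acc * 31u + data[i];
    return 0;
}

/* 0 if the accumulated digest equals the expected signature, -1 otherwise. */
static int hash_final_matches(const hash_ctx *ctx, uint32_t expected)
{
    return ctx->acc == expected ? 0 : -1;
}

/* The signature a genuine signer would produce for these params. */
uint32_t compute_sig(const uint8_t *params, size_t len)
{
    hash_ctx ctx = {0};
    hash_update(&ctx, params, len);
    return ctx.acc;
}

/* VULNERABLE: the second "goto fail" is unconditional, so the comparison
 * below it is never reached and err is still 0 (success) at the label. */
int verify_vulnerable(const uint8_t *params, size_t len, uint32_t expected_sig)
{
    hash_ctx ctx = {0};
    int err;

    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;                      /* merge-conflict leftover */
    if ((err = hash_final_matches(&ctx, expected_sig)) != 0)
        goto fail;
    return 0;
fail:
    return err;                         /* err == 0 here: forged input accepted */
}

/* FIXED: braces make the indentation match the control flow, so a stray
 * goto cannot silently become unconditional. */
int verify_fixed(const uint8_t *params, size_t len, uint32_t expected_sig)
{
    hash_ctx ctx = {0};
    int err;

    if ((err = hash_update(&ctx, params, len)) != 0) {
        goto fail;
    }
    if ((err = hash_final_matches(&ctx, expected_sig)) != 0) {
        goto fail;
    }
    return 0;
fail:
    return err;
}

/* Constructed sample input (arbitrary bytes, not a real TLS record). */
static const uint8_t SAMPLE_PARAMS[] = { 0x16, 0x03, 0x01, 0x00, 0x2a, 'D', 'H', 'E' };
#define SAMPLE_LEN (sizeof SAMPLE_PARAMS)

/* The missing regression test: returns 1 if the verifier rejects a
 * signature that differs from the genuine one by a single bit. */
int rejects_forgery(int (*verify)(const uint8_t *, size_t, uint32_t))
{
    uint32_t forged = compute_sig(SAMPLE_PARAMS, SAMPLE_LEN) ^ 0x1u;
    return verify(SAMPLE_PARAMS, SAMPLE_LEN, forged) != 0;
}

int main(void)
{
    printf("vulnerable rejects forgery: %d\n", rejects_forgery(verify_vulnerable));
    printf("fixed rejects forgery:      %d\n", rejects_forgery(verify_fixed));
    return 0;
}
```

Two of the controls the post lists catch this mechanically: a line-coverage run shows the `hash_final_matches` line in `verify_vulnerable` never executing, and the compiler itself flags the shape (GCC's `-Wmisleading-indentation`, enabled by `-Wall`, and clang's `-Wunreachable-code`). Neither needs anyone to suspect sabotage; they only need to be switched on.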
2014-08-25, 11:02 PM #63
Originally posted by Wookie06:
"I would rather claim to be an uneducated man than to be mal-educated and claim otherwise." - Wookie 03:16


Educated stupid?
2014-08-25, 11:55 PM #64
I now want to play the Stanley Parable (Mentat's non-Ubuntu-NSA-conspiracy desktop--thanks, Google-NSA-conspiracy reverse image search).
2014-08-25, 11:56 PM #65
(In NSA-America, Google images searches you?)
2014-08-26, 12:00 AM #66
Pardon me for interrupting Jon`C's effort-post.

+1 post #62
2014-08-26, 9:14 AM #67
.
2014-08-26, 9:37 AM #68
.
2014-08-26, 10:02 AM #69
.
2014-08-26, 11:16 AM #70
Reid, scrutiny is important, especially in a post-Snowden world, so you're probably right on many specifics.
Aside from that, though, your perspective on software publishing is just plain :tinfoil:, and is oddly hostile to open-source, which makes me wonder how much time you've really spent using and understanding open source software.

Originally posted by Reid:
The original point I was making was that community-driven open source should be treated with proper skepticism; precisely, the narrative that open-source software, primarily in the form of Linux distributions, is secure and pro-social. The appeal to some greater sense of community and higher human values is precisely what I'm targeting. Obviously the open-source model is the preferred option given what practical solutions exist for software demand.


Community driven scholarship predates and includes as a subset open source development, and should not be treated with any skepticism, per se. I can't think of many technological advances since the days of Sputnik and project ARPA (especially related to computing) in which the state-of-the art didn't initially emerge from a university, government agency, or in a corporate R&D lab that took a very long view, like Bell Labs.

It would be a terrible shame if you were to conflate the idea of sharing research with this straw-man of yours: specifically, that because the conventional wisdom is that open-source software is more secure than the proprietary, closed-source alternative, that somehow too many people (in your opinion) are therefore complacent in scrutinizing the security of their systems, ostensibly due to some misplaced "appeal to some greater sense of community and higher human values". Whereas, I see those "higher human values" as both genuine and innocent, while having little if anything to do with the realm of security, and at the same time being incredibly important to advancing academic scholarship in a public way. In other words, you've foolishly allowed your conspiracy theory to implicate academia, which is a sacred cow of mine. If you tone down the paranoid rhetoric a bit, you're less likely to overstep the domain of what you know and say something stupid.

Also, I don't know what kind of global software utopia you have in mind, but I fail to see how refraining from relying on publicly published source code could change that.
2014-08-26, 11:21 AM #71
BTW, nothing in my post exonerates the activities of the NSA. I just don't see the connection between open source ideology and your conspiracy theory.

I mean, you're basically calling open source advocates the 21st century version of the "useful idiot", but with the NSA replacing the USSR.
2014-08-26, 11:43 AM #72
.
2014-08-26, 11:48 AM #73
.
2014-08-26, 12:08 PM #74
.
2014-08-26, 3:19 PM #75
I still fail to see the connection between open source and NSA backdoors. Do you think closed source software is better in this aspect?
2014-08-26, 3:35 PM #76
Originally posted by Reid:
The Ubuntu logo is the painting of a flower on the side of a burnt-out Gaza city block. You see, I would really like that "community, trust" model to work, but the fact is in this specificity, it doesn't.


I'm guessing the Ubuntu logo was intended to reflect the positive aspects of the Ubuntu project, which directly result from the values of open source, and have a direct impact on users (e.g., a free product, excellent customization, a supportive community, and a platform for compiling code should you so desire), which must have been possible because the people who designed it weren't cynical ****s that only see the negatives in anything.

Edit: Just to clarify, I meant "must have been possible (to design the logo without cognitive dissonance) because...".
2014-08-26, 4:31 PM #77
Mark Shuttleworth started Ubuntu as a philanthropic venture. What a cynical guy! Don't buy into it, it's a trick.

Edit: Nevermind, it looks like I made that up.
2014-08-26, 7:07 PM #78
.
2014-08-26, 7:34 PM #79
What should he have done instead? Designed an operating system from scratch? Developed closed-source versions of all crypto libraries (I'm sure that'd go over well with the community!)? Placed a big red disclaimer on the Ubuntu website telling users that it is not secure?
2014-08-26, 10:25 PM #80
.