So... about that Heartbleed



  • You should have a peek at what the BSD crew is still finding hidden under the covers. Yikes!



  • I like how they seemed to just chuck anything they could find that looked randomish into the RNG.


  • Discourse touched me in a no-no place

    Doing a major reworking effort like this with CVS. (OK, better than Visual SourceSafe, but that's not a high bar.) At the very least, they ought to think about using something which at least has changesets, and not all of them have as high a barrier to entry as Git.

    Oh well, at least they're in there, draining the swamp and doing the Flying Spaghetti Monster's Work.



  • But, um, hasn't OpenBSD included OpenSSL for years?

    So is the gag here "Ha ha, look at all these stupid bugs (in the software we've been distributing to you for years)!"

    Well, I guess you can't blame the OpenBSD guys for not ever auditing the code they were distributing to people as "secure". I mean, there are still dozens of HP calculator models without a Nethack port; sometimes you have to prioritize!



  • The WTF is not that OpenSSL is terribly programmed and has bugs. The WTF is that a large part of the internet was using a terribly programmed security library maintained by less than 10 guys on their spare time that had obviously never passed a single security audit.


  • Discourse touched me in a no-no place

    FIPS == You have the standard set of security holes and vulnerabilities.



  • OpenBSD founder Theo de Raadt has created a fork of OpenSSL.  When asked why he wanted to start over instead of helping to
    make OpenSSL better, de Raadt said the existing code is too much of a
    mess.

    "Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers"

    When asked what he meant by OpenSSL containing "discarded leftovers,"
    de Raadt said there were "Thousands of lines of VMS support. Thousands
    of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs
    and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

    There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and are still left alone."

    De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."

     



  • @anonymous234 said:

    The WTF is not that OpenSSL is terribly programmed and has bugs. The WTF is that a large part of the internet was using a terribly programmed security library maintained by less than 10 guys on their spare time that had obviously never passed a single security audit.

    Time for Morbs' Law #372:

    @Morbs' Law #372 said:

    All software problems--every single one--can be solved by creating a new open source license



    @The OpenSSL License said:

    ...

    Section IV: Security Vulnerabilities

    If you use OpenSSL in your project, distribute OpenSSL with your OS, connect to a server running OpenSSL or even so much as take a peek at the OpenSSL source (even accidentally over a co-worker's shoulder while you were hoping to see him type his bank password), you are not permitted to find, reveal or talk about any security vulnerability which would expose the ineptitude of the OpenSSL developers. By reading this sentence in your head you agree to the terms of the OpenSSL license, in perpetuity throughout the universe.

    ...


  • Winner of the 2016 Presidential Election

    @morbiuswilters said:

    @The OpenSSL License said:
    Section IV: Security Vulnerabilities


    By reading this sentence in your head you agree to the terms of the OpenSSL license, in perpetuity throughout the universe.


    It's a good thing I was reading aloud.



  • @joe.edwards said:

    It's a good thing I was reading aloud.

    Eyes and mouth are still in your head. Therefore, I find that you read it in your head.

    @joe.edwards said:

    Filed under: What if it's read to me?

    Still reading it, just with your ears, not eyes!



  • de Raadt said there were "Thousands of lines of VMS support"
    ....... But what will I do on my VAXen without them????



  • @Buttembly Coder said:

    I like how they seemed to just chuck anything they could find that looked randomish into the RNG.

     

    I laughed at that first one hard enough that co-workers looked at me funny. Oh man.

     

    Then I found the real punchline, on their front page:

    The real punchline is that I'll be stuck with the shittier version of this fork, precisely because I'm writing security software for the government.


     



  • @aristurtle said:

    @Buttembly Coder said:
    I like how they seemed to just chuck anything they could find that looked randomish into the RNG.

    I laughed at that first one hard enough that co-workers looked at me funny. Oh man.

     

    Then I found the real punchline, on their front page:

    http://opensslrampage.org/post/83555615721/the-future-or-lack-thereof-of-libressls-fips

    The real punchline is that I'll be stuck with the shittier version of this fork, precisely because I'm writing security software for the government.

    http://www.tedunangst.com/flak/post/worst-common-denominator-programming#addendum

    Any one or two dozen hacks would be understandable. As would the
    diabolical brace formatting. Or the dreadful (in the sense of literally
    inspiring dread) comments:

     

    /* The reason I have implemented this instead of using sscanf is because
    * Visual C 1.52c gives an unresolved external when linking a DLL :-( */


    (Yes, you are running that code. Even on unix. OpenSSL uses it everywhere.)


    But taken all together, it’s like “drowning in an ocean composed of
    pufferfish that are pregnant with tiny Freddy Kruegers -- each detail is
    horrendous in isolation, but the aggregate sum is delightfully arranged
    into a hate flower that blooms all year.”

     

     



  • Someone wanna tell me what FIPS actually stands for? Blog doesn't bother to define it. Googling brings up something about Federal Information Processing Standards, but why would that be a "mode" in SSL?



  • @blakeyrat said:

    Someone wanna tell me what FIPS actually stands for? Blog doesn't bother to define it. Googling brings up something about Federal Information Processing Standards, but why would that be a "mode" in SSL?
    I don't actually know the answer, but I'll hazard the reasonable guess that complying with with Federal Information Processing Standards requires that SSL do something that makes it weaker and/or slower. Therefore, compliance is only enabled by users who are required to do so.



  • @HardwareGeek said:

    @blakeyrat said:
    Someone wanna tell me what FIPS actually stands for? Blog doesn't bother to define it. Googling brings up something about Federal Information Processing Standards, but why would that be a "mode" in SSL?
    I don't actually know the answer, but I'll hazard the reasonable guess that complying with with Federal Information Processing Standards requires that SSL do something that makes it weaker and/or slower. Therefore, compliance is only enabled by users who are required to do so.
    FIPS:
    Federal Information Processing Standards (FIPS) are standardizations developed by the United States federal government for use in computer systems
    by all non-military government agencies and by government contractors . . . . . . . The purpose of FIPS is to ensure that all federal government and
    agencies adhere to the same guidelines regarding security and
    communication.

    OpenSSL implemented an "FIPS Mode" so that people trying to get government contracts could check the box that says "Meets FIPS Standards".  Despite the fact that FIPS (like many government regulations) is less than worthless.



  • @aristurtle said:

    @Buttembly Coder said:

    I like how they seemed to just chuck anything they could find that looked randomish into the RNG.

     

    I laughed at that first one hard enough that co-workers looked at me funny. Oh man.

    You mean this commit?

    @cvs commit message said:

    Do not feed RSA private key information to the random subsystem as entropy. It might be fed to a pluggable random subsystem…. What were they thinking?!

    I would imagine that they were thinking that anyone with sufficient admin rights to install a malicious random subsystem could far more simply attach a debugger to the process and just read the keys straight out of RAM, without even having to figure out how to trigger the rare error condition that would lead to that codepath being executed.

    They'd already be on the other side of the airtight hatchway, to use a Chen-ism.



  • @blakeyrat said:

    Someone wanna tell me what FIPS actually stands for? Blog doesn't bother to define it. Googling brings up something about Federal Information Processing Standards, but why would that be a "mode" in SSL?

    That's the right definition. FIPS is a number of Federal standards for IT, with several dedicated to information security. Some of the FIPS standards deal with cryptography, hence why OpenSSL had a FIPS mode: to implement the features required to be in compliance with the standard. However: 1) some of the FIPS stuff is really no longer secure; and 2) apparently OpenSSL's implementation sucks (surprise), so OpenBSD is dropping it, rather than continuing to support it.

    Some people are going to be stuck using FIPS for a long time, though (mainly those developing software for government or big corporations where it is mandated) so this kind of sucks for them. I understand not wanting to support a buggy, shitty standard, but this is a good example of an open source project choosing to do what's easier/cleaner/simpler rather than what people actually need. Yeah, it sucks to support FIPS, but in the real world it's likely going to be around for a long time so what OpenBSD is doing doesn't help anyone working in those industries, which is lame.



  • @morbiuswilters said:

    Yeah, it sucks to support FIPS, but in the real world it's likely going to be around for a long time so what OpenBSD is doing doesn't help anyone working in those industries, which is lame.

     The OpenBSD guys seem to be saying that FIPS is so shitty that they can't write something that meets the standards AND is actually secure ("We have here a standard that includes worse than useless crypto, and a
    process that certifies useless implementations."). Since it's the federal government we're talking about, that could possibly be true.



  • @El_Heffe said:

    @morbiuswilters said:
    Yeah, it sucks to support FIPS, but in the real world it's likely going to be around for a long time so what OpenBSD is doing doesn't help anyone working in those industries, which is lame.

     The OpenBSD guys seem to be saying that FIPS is so shitty that they can't write something that meets the standards AND is actually secure ("We have here a standard that includes worse than useless crypto, and a
    process that certifies useless implementations."). Since it's the federal government we're talking about, that could possibly be true.

    It is true. Well, in a melodramatic nerd kinda way, but their criticisms are valid. The problem is, FIPS is still required in many industries. It would be better to FIPS on top of a more-secure OpenSSL rather than being forced to use the old OpenSSL, right? But OpenBSD is like "Nah, we wanna do what's fun" so instead a lot of people are going to be stuck using OpenSSL. Although I imagine somebody will eventually port the FIPS module to libressl.

    Edit: Oh, and I gotta say, creating a website to mock the people who wrote OpenSSL while you fix their bugs really sums up the FOSS community. Hey, it may keep people from contributing, but at least some nerd in Akron felt good about himself, briefly.



  • @morbiuswilters said:

    creating a website to mock the people who wrote OpenSSL while you fix their bugs
    I don' know . . .  I sort of like that. There's so much shitty software out there, maybe we need more "name and shame". @morbiuswilters said:
    it may keep people from contributing
    Or may  keep people from contributing more shitty software @morbiuswilters said:
    but at least some nerd in Akron felt good about himself
    Nerds in Akron need to have fun once in a while, too.



  • @El_Heffe said:

    @morbiuswilters said:

    creating a website to mock the people who wrote OpenSSL while you fix their bugs
    I don' know . . .  I sort of like that. There's so much shitty software out there, maybe we need more "name and shame". @morbiuswilters said:
    it may keep people from contributing
    Or may  keep people from contributing more shitty software @morbiuswilters said:
    but at least some nerd in Akron felt good about himself
    Nerds in Akron need to have fun once in a while, too.

    That's a nice theory, buuuuuut.. have you visited a FOSS project page recently? Read a GitHub bug conversation thread? Been to StackOverflow?

    The FOSS world is full of sneering nerds trying to one-up one another. It hasn't helped the quality so far, has it? Hell, I bet if you go back and look through the mail list archives, you'd probably find the authors of this current crop of OpenSSL WTFs ridiculing people. Did that help make OpenSSL a better product?

    Look, I'm a supporter of hatred for hatred's sake, but I'm not sure it helps make better software.



  • Actually, looking into it further, it looks like this particular FIPS standard (140-2) isn't one of the ones I give a shit about, but I'm sure there'll be some uninformed representative from The Customer coming by to ask why we're not compliant with the thing that we never claimed compliance with. So that's a relief(?).

     

    @morbiuswilters said:

    The FOSS world is full of sneering nerds trying to one-up one another.

     

    Well, fuck, good thing we don't have any of that here!



  • @morbiuswilters said:

    Oh, and I gotta say, creating a website to mock the people who wrote OpenSSL while you fix their bugs really sums up the FOSS community. Hey, it may keep people from contributing, but at least some nerd in Akron felt good about himself, briefly.
    Mocking other coders while making no contribution at all to their code is better?



  • @flabdablet said:

    @morbiuswilters said:
    Oh, and I gotta say, creating a website to mock the people who wrote OpenSSL while you fix their bugs really sums up the FOSS community. Hey, it may keep people from contributing, but at least some nerd in Akron felt good about himself, briefly.
    Mocking other coders while making no contribution at all to their code is better?

     Doesn't mocking other coders make it easier to test them???? 



  • @morbiuswilters said:

    The problem is, FIPS is still required in many industries. It would be better to FIPS on top of a more-secure OpenSSL rather than being forced to use the old OpenSSL, right? But OpenBSD is like "Nah, we wanna do what's fun" so instead a lot of people are going to be stuck using OpenSSL. Although I imagine somebody will eventually port the FIPS module to libressl.
     

    How dare they don't give you everything you want for free. The unwillingness to pay for crucial software components is what caused this mess in the first place.

    If people really need FIPS mode, somebody will fork again and
    create libfipssl.com and charge a million bucks for it. And then the
    ones who need FIPS mode can pay to get it, but they won’t pay us. The
    OpenBSD Foundation will gladly take donations to improve libressl, but
    some money is just too expensive to accept. Sitting on (or more
    accurately, under) a million dollars in custom contracts creates what
    I will charitably call a priority inversion.
    Nuff said.

     


  • Discourse touched me in a no-no place

    @TheCPUWizard said:

    Doesn't mocking other coders make it easier to test them????
    It certainly makes them testy!



  • @TheCPUWizard said:

    de Raadt said there were "Thousands of lines of VMS support"
    ....... But what will I do on my VAXen without them????

    SSH isn't affected, and the VAXen are firewalled so that except SSH they only communicate with up-to-date boxen in the same VLAN, so no problem.[/seriously] Oh, you weren't serious? Good for you . . .



  • @flabdablet said:

    Mocking other coders while making no contribution at all to their code is better?

    Honest question: would you feel better if Morbs started contributing to OpenSSL?

    Because me? I'd take the mocking.



  • @El_Heffe said:

    @morbiuswilters said:

    creating a website to mock the people who wrote OpenSSL while you fix their bugs
    I don' know . . .  I sort of like that. There's so much shitty software out there, maybe we need more "name and shame". @morbiuswilters said:
    it may keep people from contributing
    Or may  keep people from contributing more shitty software

    So if there were a website, call it, I dunno, "The Daily WTF" to expose someone every day... someone should definitely do this.

     


  • Winner of the 2016 Presidential Election

    @D-Coder said:

    @El_Heffe said:

    @morbiuswilters said:

    creating a website to mock the people who wrote OpenSSL while you fix their bugs
    I don' know . . .  I sort of like that. There's so much shitty software out there, maybe we need more "name and shame". @morbiuswilters said:
    it may keep people from contributing
    Or may  keep people from contributing more shitty software

    So if there were a website, call it, I dunno, "The Daily WTF" to expose someone every day... someone should definitely do this.

     


    Yeah, that Initech company sure has a lot of WTFs. I see them featured all the time!



  • @El_Heffe said:

    http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

    OpenBSD founder Theo de Raadt has created a fork of OpenSSL.  When asked why he wanted to start over instead of helping to
    make OpenSSL better, de Raadt said the existing code is too much of a
    mess.

    "Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers"

    When asked what he meant by OpenSSL containing "discarded leftovers,"
    de Raadt said there were "Thousands of lines of VMS support. Thousands
    of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs
    and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

    There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and are still left alone."

    De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."

     

    NINETY THOUSAND lines of dead code? Jesus fuck. Words just... I don't even know. And this is code that's being used by massive websites all over the world? The mind boggles. The term "Open Sores" has never been more appropriate.


  • Winner of the 2016 Presidential Election

    @The_Assimilator said:

    @El_Heffe said:

    http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

    OpenBSD founder Theo de Raadt has created a fork of OpenSSL.  When asked why he wanted to start over instead of helping to
    make OpenSSL better, de Raadt said the existing code is too much of a
    mess.

    "Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers"

    When asked what he meant by OpenSSL containing "discarded leftovers,"
    de Raadt said there were "Thousands of lines of VMS support. Thousands
    of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs
    and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

    There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and are still left alone."

    De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."

     

    NINETY THOUSAND lines of dead code? Jesus fuck. Words just... I don't even know. And this is code that's being used by massive websites all over the world? The mind boggles. The term "Open Sores" has never been more appropriate.

    I have to admit, my opinion of OpenSSL before this incident was, "seems to do what it says on the tin; if it's secure enough for thousands of large web applications then it must be pretty solid." I thought it was proof that the FOSS model could and did produce useful, dependable products. Surely such a large scale security library in widespread use with the source code available must have been peer reviewed by hundreds of seasoned hackers.

    I am so disillusioned.


  • @The_Assimilator said:

    NINETY THOUSAND lines of dead code? Jesus fuck. Words just... I don't even know. And this is code that's being used by massive websites all over the world? The mind boggles. The term "Open Sores" has never been more appropriate.


    It seems like most of the "dead code" is stuff that used to be useful and necessary but no longer is as time goes on. I'm pretty sure if you look at ANY codebase that's been in use for a long period of time, the same would be true for all of them.

    The real WTF there is simply that every code base ought to be have a back to the basics cleaning every 10 years.



  • @Snooder said:

    The real WTF there is simply that every code base ought to be have a back to the basics cleaning every 10 years.

    To be followed immediately with a scramble to fix regressions.


  • Winner of the 2016 Presidential Election

    @boomzilla said:

    @Snooder said:
    The real WTF there is simply that every code base ought to be have a back to the basics cleaning every 10 years.

    To be followed immediately with a scramble to fix regressions.


    Regressions? That's why we have unit tes- ahahaha. Fuck, sorry; I couldn't finish that line.



  • @boomzilla said:

    @Snooder said:
    The real WTF there is simply that every code base ought to be have a back to the basics cleaning every 10 years.

    To be followed immediately with a scramble to fix regressions.



    Well yes, fixing regression is part of the cleaning process.

    The sad truth though is that it would probably end up taking 10 years to do the cleaning.



  • @flabdablet said:

    @morbiuswilters said:
    Oh, and I gotta say, creating a website to mock the people who wrote OpenSSL while you fix their bugs really sums up the FOSS community. Hey, it may keep people from contributing, but at least some nerd in Akron felt good about himself, briefly.
    Mocking other coders while making no contribution at all to their code is better?

    Well, like I said, hatred for hatred's sake is fine, just don't think it's going to result in better product.



  • @derari said:

    How dare they don't give you everything you want for free. The unwillingness to pay for crucial software components is what caused this mess in the first place.

    I don't care if it's free or not, I'm just making the point (yet again) that with FOSS you get what you pay for. Want something easy and "fun" to make? FOSS will have 50 forks of the same mediocre project. Need something that's a PITA to implement and requires lots of testing and validation? Need something that requires work that can't be done in vim? The open source community could not care less. That's why FOSS is consigned to re-inventing the text-based wheel over and over again.

    @derari said:

    If people really need FIPS mode, somebody will fork again and
    create libfipssl.com and charge a million bucks for it. And then the
    ones who need FIPS mode can pay to get it, but they won’t pay us. The
    OpenBSD Foundation will gladly take donations to improve libressl, but
    some money is just too expensive to accept. Sitting on (or more
    accurately, under) a million dollars in custom contracts creates what
    I will charitably call a priority inversion.
    Nuff said.

    Yeah, that's the quote that started this. And I agree with him: if you want to get work done, you have to pay for proprietary software. If you want a toy that kinda works, FOSS is your friend. I just find it refreshing that he admits FOSS is an inferior system that delivers crap products that don't meet users' requirements.



  • @blakeyrat said:

    Honest question: would you feel better if Morbs started contributing to OpenSSL?

    That's it: we're doing a ground-up rewrite in Oz!



  • @The_Assimilator said:

    NINETY THOUSAND lines of dead code?

    I once worked on a project that had more dead code than that.

    @The_Assimilator said:

    The term "Open Sores" has never been more appropriate.

    What about when Stallman picks his foot scabs open?



  • @joe.edwards said:

    I am so disillusioned.

    I'm just happy to have my prejudices validated.


  • Winner of the 2016 Presidential Election

    @morbiuswilters said:

    I'm just happy to have my prejudices validated.

    Filed under: It's like [...] a Mexican eating a burrito.


    Is it a prejudice that people from Mexico eat Mexican food? Seems more like a tautology.



  • @morbiuswilters said:

    I just find it refreshing that he admits FOSS is an inferior system that delivers crap products that don't meet users' requirements.
    That's not actually his position; that's your uncharitable read on it for your own unfathomable ideological purposes. Context:[quote user="Ted Unangst"]

    "But I need FIPS mode for blah blah." I notice nobody claims that there’s any intrinsic value to FIPS mode. It’s widely recognized as a worthless checkbox; now it’s time to stand up to the clowns in charge and tell them the same thing. It’s funny to compare how many people like to quote Gandhi’s "Be the change that you wish to see in the world." with how few people actually like to be the change.

    Note that FIPS mode isn’t just worthless, it’s actively harmful. It creates perverse incentives that lead to a toxic development process where necessary work doesn’t happen and unnecessary work does. Our goal is to produce a TLS stack with the same objectives as OpenBSD itself: free, functional, and secure. FIPS mode is none of those things.

    [/quote]FIPS compliance is not a requirement for anyone who actually gives a shit about security; it's pointless bureaucratic hoop-jumping, it makes security worse, and it needs fixing or replacing at least as much as does OpenSSL itself.


  • @joe.edwards said:

    @boomzilla said:
    @Snooder said:
    The real WTF there is simply that every code base ought to be have a back to the basics cleaning every 10 years.

    To be followed immediately with a scramble to fix regressions.


    Regressions? That's why we have unit tes- ahahaha. Fuck, sorry; I couldn't finish that line.

    Unit tests in an open-source C project? I'd pay money to see that.

    @morbiuswilters said:

    @The_Assimilator said:
    NINETY THOUSAND lines of dead code?

    I once worked on a project that had more dead code than that.

    That project probably wasn't used by millions of webservers across the Internet and frequently touted as an example of how FOSS works.

    @morbiuswilters said:

    @The_Assimilator said:
    The term "Open Sores" has never been more appropriate.

    What about when Stallman picks his foot scabs open?

    Diseases should be FREE too, man!



  • @morbiuswilters said:

    I just find it refreshing that he admits FOSS is an inferior system that delivers crap products that don't meet users' requirements.
     

    Good thing commercial products are never crap that doesn't meet requirements.

    I have never used a FOSS product that didn't meet my requirements (at least not longer than I would try a commercial product before buying it). Then again, I don't have a multi-billion company to secure. I like "you get what you pay for" when, most of the times, I don't need much.

    frequently touted as an example of how FOSS works.

    It still is a good example of how FOSS works. It is broken, and now anyone can fix it. Imagine the same bug in a closed-source SSL library, because there will be similar bugs in any SSL library. You'd have no way to 1) get an independent code audit, 2) be sure that critical security flaws will be made public instead of being fixed silently, and 3) see that such flaws get fixed at all.



  • @joe.edwards said:

    @morbiuswilters said:
    I'm just happy to have my prejudices validated.

    Filed under: It's like [...] a Mexican eating a burrito.


    Is it a prejudice that people from Mexico eat Mexican food? Seems more like a tautology.

    You and I are white. Everything we think is prejudiced.



  • @flabdablet said:

    FIPS compliance is not a requirement for anyone who actually gives a shit about security; it's pointless bureaucratic hoop-jumping, it makes security worse, and it needs fixing or replacing at least as much as does OpenSSL itself.

    Yes, and I clearly stated that was the case. That's precisely my point: FIPS sucks, but unfortunately a lot of people need it. Rather than do the really, really unpleasant work of making it work, they're like "Nah, more fun to only work on our idealized system."

    See, in the Real World™ there are technical requirements and user requirements. The former are self-explanatory; the latter are things like "Does this comply with the laws or regulations for my industry? Does it work for people who are vision or hearing impaired? Will it actually run on the OSes my customers use, or does it only run on Linux?" FOSS can sometimes handle the former but it seems to not give a shit about the latter.

    Hence why I call it a toy. It's a lot easier and more gratifying to write technically-pure code. Maybe you're burnt out on the project and tired of fixing someone else's bugs. In the Real World™ you go and find another role in the same company or another job entirely, and someone else takes over. In FOSSLand, you dust off your Dragon Book and create your own programming language as a solution. Unfortunately, that's not what most people need.



  • @derari said:

    Good thing commercial products are never crap that doesn't meet requirements.

    I never said that. Did you people all fail Logic 101? I said that FOSS delivers shittier products than commercial, not that commercial is flawless. Fuck you people are dumb sometimes.

    @derari said:

    I have never used a FOSS product that didn't meet my requirements (at least not longer than I would try a commercial product before buying it). Then again, I don't have a multi-billion company to secure. I like "you get what you pay for" when, most of the times, I don't need much.

    Yeah, checking your mail with mutt is the sweet life. Why can't everyone else Get It?

    @derari said:

    It still is a good example of how FOSS works. It is broken, and now anyone can fix it.

    "Yeah, the wheels fall off every 5 miles and if a leaf lands on it the wrong way the gas tank will explode. But it's better than your Mercedes because there's a socket wrench in the glove box, so you can fix all of those problems yourself."

    @derari said:

    Imagine the same bug in a closed-source SSL library, because there will be similar bugs in any SSL library. You'd have no way to 1) get an independent code audit, 2) be sure that critical security flaws will be made public instead of being fixed silently, and 3) see that such flaws get fixed at all.

    This is another oft-repeated lie. Did "having more eyes on the source" help here? Do you really think SChannel is as fucked-up as this is? You FOSStards are such pathetic little jackwads.



  • @morbiuswilters said:

    See, in the Real World™ there are technical requirements and user requirements. The former are self-explanatory; the latter are things like "Does this comply with the laws or regulations for my industry? Does it work for people who are vision or hearing impaired? Will it actually run on the OSes my customers use, or does it only run on Linux?" FOSS can sometimes handle the former but it seems to not give a shit about the latter.
    Again, you're using a deliberately misleading line of reasoning here.

    The OpenBSD team is in the fortunate position of not having to prioritize regulatory compliance over security and code quality, because anybody who has chosen OpenBSD instead of FreeBSD or NetBSD or Linux does care more about security than about FIPS. They are looking after the interests of their users. The fact that they are not also looking after the interests of every freeloader who doesn't want to pay for a FIPS-compliant TLS stack is neither here nor there.

    But you ignore that, and imply that OpenBSD's attitude toward FIPS typifies FOSS developers' attitude toward regulation generally; then you lump that in with more completely unsubstantiated claims about FOSS being typically deficient in accessibility and cross-platform support. All of which runs so completely contrary to my own experience with using FOSS, especially as compared with expensive and inconveniently licensed commercial software, as to be laughable.

    If you truly do live in a world where the only way to obtain value is to pay for it, I suggest you give up the hookers and crack for a while and move somewhere that doesn't suck.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.