How come the Heartbleed vulnerability was not discovered by the OpenSSL code directly then? It was discovered by a firm intentionally hacking themselves instead of reading the OpenSSL code.
That is my point. People like to think being open source is this holy grail of bug free software when it is not.
I forget why in detail but if I remember right everyone just thought it was fine so no one really looked. Didn't it affect everything that was nix and almost Unix or it did that also and OS X?
I forget but it even affected Android if you used ssh. It exposed a problem with people reviewing open source and really helped correct that. If I remember people just overlooked it and probably something else I don't remember.
Open source isn't perfect but it's better than for example the history of Windows. No one is safe but the point is that the most secure is the one you can see and fix. At the same time with your code out there you may not be safe at first because of it.
I'd rather everyone see my OS and hope that people who know way more than me can fix it. Compared to someone like my own government or another who pays people to do so.
You have to hope that man is better than the money. But at the same time that's why you have the white hat contests and bug bounties. Pay them for their work to expose weird vulnerabilities.
I also worked in a couple of games one for the advertising company in Second Life. It was hilarious with some of the bugs/exploits.
Back then I had to use them from griefers. It would make a good story now and I got to know many of the Lindens. I was banned more than 100 times and they tried hardware bans as well.
Now I want to go back thinking about it lol. Nothing more satisfying than making a GM relog when they are wrong.
I'm probably losing focus on the subject again but it was fun there for a few years.
I think his point is the FaceTime bug may be patched faster than that
Well I hope so. Wasn't that only for su and not having a different password or did I forget? I think part of it was the default set at the beginning when you enabled su.
Agreed the SSL failure was a significant realization for the open source community even their system was not perfect. Maybe groupthink was an issue. Perhaps there was something sinister. Or probably just **** happens.
I will also agree a closed-door system by a supposedly trusted corporation with financial interests in their success should make good results. Unfortunately we are now becoming suspicious it is no longer that simple. Am I paranoid, does not seem to just be me?
I don't think it's paranoid on an important system. I don't think many view mobile as that important when it might be one of the most important now as an individual.
And Intel's memory management crap with Spectre and all that. Also the EFI issues now with things you can't remove.
We are so caught up in making things easier and make it less secure.
Last time I set up really secure chat and email I just stopped using it because it's a pain.
Then all of it goes out the window when I send the key to someone outside of it, which you have to to start lol.
Software hurts my head and that's why I am a mechanical engineer. Give me tolerances and a problem on something physical and I got it.
Can edit code to make things work how they are supposed to but I'm not making anything from the ground up. But if you need a measurement and piece of metal be exact to 0.001 I got you covered lol.
So open source is the way to go to avoid issues of this kind or really any issues supposedly because open source software wouldn't have something on this level. But then when it's pointed out that it can and in fact has we move to that it was patched quickly vs. that it supposedly can't have issues and would be the solution to all these problems. Inconsistencies like that demonstrate the underlying reality that in theory things can be made almost perfect, but in reality that isn't achievable, and even if it gets close, it's still not perfect and can still have issues nonetheless.
Some issues also lie in hardware more or less like Spectre and Meltdown. For now it seems like we need updates until we throw all that stuff away. And I don't know when Intel is going to actually fix it. I have not kept up with it.
Another huge mess especially for servers running VMs.
Nice to see actual discussion here from all of you still talking about this.
It was enjoyable compared to what I normally see.
I'm gonna get to bed but I do appreciate actual conversation and not the usual Android/Windows bad I see here anymore.
Might be interesting how Apple handles this and if they say anything.
I do hope they are the ones to introduce a cross platform end to end encryption that is open source. They could be the ones to make a standard instead of yet another.