Messages - xasop

2121
Philosophy, Religion & Society / Re: Piracy is a dangerous topic.
« on: May 11, 2014, 01:02:16 PM »
I notified him of the issue (by way of linking to this thread and providing no explanation whatsoever)

This may not be the most reliable method of communication.

Nevertheless, I just saw this and your thread is back. Locking this one.

2122
He will make a film where big things crash into big things. Featuring people falling off big things but then getting rescued at the last minute. This is what he does.

Sounds a lot like another Star Wars director.

2123
Announcements / Re: The library is up and running again!
« on: May 02, 2014, 12:07:08 AM »
Strictly speaking, we always had a library. The only thing we've restored is a pretty index page.

2124
It's basically their equivalent of Creedence's Mardi Gras, a miserable end to a fine band.

Or Pink Floyd's The Division Bell.

2125
The Star Trek reboot films made terrible Star Trek, but would have been decent Star Wars. I'm hopeful.

2126
Philosophy, Religion & Society / Re: Drugs should be legal.
« on: April 27, 2014, 07:12:31 AM »
It's official. Cannabis makes you shoot people. The crazy liberals from Colorado have nowhere to hide now.

http://www.telegraph.co.uk/news/worldnews/northamerica/usa/10773592/Husband-shoots-dead-wife-after-eating-cannabis-in-Colorado.html

This would never have happened if he'd never been allowed to own a gun in the first place.

2127
Frank Zappa - Italian Debris

Don't forget Italian Debris II. I actually prefer it to the first one; it flows better, has better selections and is better produced.

2128
Announcements / Change of copyright terms for the homepage and wiki
« on: April 22, 2014, 02:21:28 PM »
We intend to change the copyright terms for the homepage (http://www.tfes.org/) and wiki (http://wiki.tfes.org/) from unspecified (essentially "all rights reserved") to the Creative Commons Attribution-ShareAlike 4.0 International licence. You may wish to refer to the licence summary and legal text when considering this change proposal.

Of course, much of the content on the wiki (and a small amount on the homepage) is contributed by the users of this website and not just the admins. Therefore, I want to give you the opportunity to raise any objections or concerns about this change, and explain why we want to make it.

The reason for this change is simple: We want to spread Flat Earth Theory far and wide, and leaving ambiguous and non-specific copyright terms on our published material is contrary to that goal. By giving anyone the right to share, modify and even sell copies of our works, we maximise opportunities for people to hear about us and what we do. By using a ShareAlike licence, we empower them to share that with others in turn.

I plan to add a notice signifying this change no earlier than 2014-04-27 at midnight UTC (this Sunday if you're east of the Greenwich Meridian, or this Saturday if you're west of it), assuming no objections are raised. Please reply to this thread if you have contributed to the wiki or homepage and have any objections to your content being placed under this licence.

2129
Suggestions & Concerns / Re: Scripts on the forum
« on: April 20, 2014, 05:18:32 AM »
I also use NoScript. It's currently allowing scripts from tfes.org, and blocking them from Google Analytics. Nothing else shows up in my NoScript menu.

2130
Announcements / Re: IRC moved to a new server
« on: April 13, 2014, 01:53:28 PM »
Will Saddam finally be able to get onto IRC?

He's on there right now, so I'm guessing so.

2131
Announcements / IRC moved to a new server
« on: April 13, 2014, 01:20:08 PM »
Some of you may have missed the earlier discussion in the IRC thread, but due to problems with RelicNET's availability, we've migrated onto our own server. If you're already connecting using irc.tfes.org, you won't have to change anything. Otherwise, please connect to irc.tfes.org on port 6667 (no SSL yet) to access the new server.

2132
Well, now it says "connection timed out".

Sorry, that's me being a retard. Try again.

2133
Please try connecting again to irc.tfes.org, on port 6667, no SSL (for now).

2134
It says "connection refused" for both servers, and from both my PC and my phone.

Okay, stand by.

2135
ded server?

Works for me. Try connecting to irc.tfes.org, or failing that, tauri.relic.net. If that still doesn't work, let me know and I'll figure something out.

2136
Technology & Information / Re: HeartBleed - Why so long?
« on: April 13, 2014, 04:12:07 AM »
This is on point: http://www.vox.com/2014/4/12/5601828/we-massively-underinvest-in-internet-security

That article is pretty spot on, on all counts. The only thing I'd point out (in response to paragraph 3) is that it's not just the American economy that's at stake; this is an international problem.

2137
Technology & Information / Re: HeartBleed - Why so long?
« on: April 12, 2014, 04:29:53 PM »
I can honestly say this: if the code or coder tells me that the client determines the length of the heartbeat separately from the heartbeat signal, I'd say it's a problem. I pretty much say that for anything really.

That isn't an answer to my question.

If the server isn't calculating length from the data given then you're just asking for problems.

You mean like how every binary-safe protocol ever works, including IP itself?

Put it this way: if you had a subroutine that accepted an array of unknown length as input, would you have that subroutine also accept the length of the array as a separate variable or would you have the subroutine calculate that yourself?

It depends on the nature of the contents of the array. If it's binary data and not a null-terminated string, you have to pass the length as a separate variable when you're working with C because there is no way to "calculate" the length of a piece of memory. All you get is a pointer; you need a size as well to know where to read up to.

You could use strlen() if you're passing a string and not binary data, but that's inefficient, particularly for large strings.

1. Reading this code is a great way to learn about encrypted connections so I'd see it being read by a lot of students.
2. As something that is vastly important to a lot of very large companies, I can see the code being pored over by people looking for exploits: both for good and not so good reasons.

That's probably true on both counts, which is why it's generally the subtler bugs that go unnoticed. In this case, all the existing code was doing the right thing; the bug was that there was missing code needed to do all the right things. It's a lot harder to read code and know what is missing than to see mistakes in what's already there.

Put another way, reading the buggy subroutines in isolation isn't sufficient to understand the problem. You need to understand where the function's inputs are coming from and what the server state is at the time it's executed before you realise that it's not doing all the validation it should be. Not just anyone skim-reading the code would pick up on it, especially if they're not specifically looking for bugs.
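
Added example, not part of the original posts and not OpenSSL's code: a toy heartbeat echo in C showing the point made in the post above, that the copy itself looks fine and the defect is the missing comparison between the length claimed inside the record and the number of bytes actually received. The function names, the `arena` buffer and its contents are constructed for illustration; the 16-byte minimum padding follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HDR 3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PAD 16  /* minimum padding per RFC 6520 */
#define REC_LEN 21 /* bytes actually received: header + "hi" + padding */

/* Constructed stand-in for process memory: a received record that claims a
 * 32-byte payload but carries only 2, followed by unrelated data. */
static const uint8_t arena[64] = {
    0x01, 0x00, 0x20, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'N', 'O', 'T', '-', 'Y', 'O', 'U', 'R', 'S', '-', 'D', 'A', 'T', 'A'
};

/* Before: trusts the length field inside the record; rec_len is never used. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;
    if (claimed > out_cap) return 0;
    memcpy(out, rec + HB_HDR, claimed); /* reads past the received record */
    return claimed;
}

/* After: the claimed length must fit inside what was received, else discard. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PAD)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len || claimed > out_cap)
        return 0;
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[64];
    printf("unchecked echoed %zu bytes\n", hb_echo_unchecked(arena, REC_LEN, out, sizeof out));
    printf("checked echoed %zu bytes\n", hb_echo_checked(arena, REC_LEN, out, sizeof out));
    return 0;
}
```

Read in isolation, `hb_echo_unchecked` has no visibly wrong line; the problem only appears once you ask where `claimed` comes from and what `rec_len` was at the time.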

2138
Technology & Information / Re: HeartBleed - Why so long?
« on: April 12, 2014, 12:13:18 PM »
But I thought the whole point of open source was so that anyone can see the code and find bugs.

That is one of its advantages. If OpenSSL were proprietary, this bug would probably still exist.

I can understand it making it into production but it seems odd that not only was it obvious to me that this is a problem (clients dictating memory return?)

It's obvious to anyone after someone has found the problem. Can you say with absolute certainty that it would have been obvious to you reading the code with no knowledge of the bug?

But that it took 2 years of the open source community having full access to the source code before it was found. I could understand 6 months but 2 years is a long time to not read and audit one of the most important pieces of software on the net.

Why does that surprise you?

2139
Status Notices / Re: Scheduled maintenance, 2014-04-12
« on: April 12, 2014, 07:07:48 AM »
And we're back. Thanks for flying Flat Earth Society.

2140
Technology & Information / Re: HeartBleed - Why so long?
« on: April 12, 2014, 05:56:09 AM »
As I understand it, the bug basically allowed the client to define the length of the heartbeat reply even though the data requested may be a different size.

That's kinda dumb.

Correct, but bugs happen all the time. In all the many millions of lines of open-source code written each year, there are going to be many thousands of bugs, some of them severe. Some of those are going to appear in crypto software, and of those, one every few years is going to make it into a production release without being noticed because neither coders nor code reviewers are perfect.

People make mistakes. If you don't want to risk using buggy software, switch off your computer.
