“I suspect that over the past eight months, many companies have taken a real hard look at their existing policies about tipping off the U.S. government,” he said. “That’s the price you pay when you’re acting like an out-of-control offensive adversary.”
A novice asked of master Bawan: “Say something about the Heartbleed Bug.”
Said Bawan: “Chiuyin, the Governor’s treasurer, is blind as an earthworm. A thief may give him a coin of tin, claim that it is silver and receive change. When the treasury is empty, which man is the villain? Speak right and I will spare you all blows for one week. Speak wrong and my staff will fly!”
The novice thought: if I say the thief, Bawan will surely strike me, for it is the treasurer who doles out the coins. But if I say the treasurer he will also strike me, for it is the thief who takes advantage of the situation.
When the pause grew too long, Bawan raised his staff high. Suddenly enlightened, the novice cried out: “The Governor! For who else made this blind man his treasurer?”
Bawan lowered his staff. “And who is the Governor?”
Said the novice: “All who might have cried out ‘this man is blind!’ but failed to notice, or even to examine him.”
Bawan nodded. “This is the first lesson. Too easily we praise Open Source, saying smugly to each other, ‘under ten thousand eyeballs, every bug is laid bare’. Yet when the ten thousand avert their gaze, they are no more useful than the blind man. And now that I have spared you all blows for one week, stand at ease and tell me: what is the second lesson?”
Said the novice: “Surely, I have no idea.”
Bawan promptly struck the novice’s skull with his staff. The boy fell to the floor, unconscious.
As he stepped over the prone body, Bawan remarked: “Code as if everyone is the thief.”
Note that not all code, even in the same project, is equally exposed. It’s tempting to say it’s a needle in a haystack. But I promise you this: if anybody patches Linux/net/ipv4/tcp_input.c (which handles inbound network traffic for Linux), a hundred alerts fire, and many of them go to individuals nobody would call friendly. One guy, one night, patched OpenSSL. Not enough defenders noticed, and it took Neel Mehta to do something.
We fix that, or this happens again. And again. And again.
No more accidental finds. The stakes are just too high.
Amazon.com hopes the workers in its scores of fulfillment centers across the USA are happy in their jobs.
But if they’re not and would rather be doing something else, Amazon has a deal: The company will pay them a bonus — up to $5,000 — to leave.
A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interest of efficiency on production runs. Unanimously, they urged us not to—they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980, language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law.
– C. A. R. Hoare, from his Turing Award speech 34 years ago
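Bawan’s second lesson (“Code as if everyone is the thief”) and Hoare’s account of subscript checking describe the same discipline: carry the real bound with the data and check every access against it, never against a value the caller claims. The C below is an added example, not code from this page or from any of the quoted authors. The `bounded_buf` type, `checked_get`, `checked_echo` and `run_sample` are illustrative names, and the five-byte payload with a request that claims sixty-four bytes is constructed input; the “tin coin” case is the over-claimed length that a blind treasurer would pay out on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A bounded buffer: the length travels with the pointer, so every access
 * is checked against the real bound rather than a caller-supplied one. */
typedef struct {
    const uint8_t *data;
    size_t len;
} bounded_buf;

/* Checked subscript, in the spirit of Hoare's run-time bounds check:
 * returns false instead of reading past either end of the buffer. */
bool checked_get(const bounded_buf *b, size_t index, uint8_t *out) {
    if (b == NULL || b->data == NULL || out == NULL || index >= b->len) {
        return false;
    }
    *out = b->data[index];
    return true;
}

/* Echo-style copy where the request carries a claimed length. The claim is
 * checked against the payload that actually arrived and against the
 * destination capacity; a claim that exceeds either is refused outright.
 * Returns the number of bytes copied, or -1 when the claim cannot be honoured. */
long checked_echo(const bounded_buf *payload, size_t claimed_len,
                  uint8_t *dst, size_t dst_cap) {
    if (payload == NULL || payload->data == NULL || dst == NULL) return -1;
    if (claimed_len > payload->len) return -1;  /* the "tin coin": refuse, give no change */
    if (claimed_len > dst_cap) return -1;       /* would overrun the destination */
    memcpy(dst, payload->data, claimed_len);
    return (long)claimed_len;
}

/* Constructed sample input: a five-byte payload. */
static const uint8_t SAMPLE[5] = { 'h', 'e', 'l', 'l', 'o' };

/* Runs the constructed sample through both checks and returns how many of
 * the four expected outcomes held (4 means every check behaved as intended). */
int run_sample(void) {
    bounded_buf b = { SAMPLE, sizeof SAMPLE };
    uint8_t out[64];
    uint8_t byte = 0;
    int passed = 0;
    if (checked_get(&b, 4, &byte) && byte == 'o') passed++;    /* last valid index */
    if (!checked_get(&b, 5, &byte)) passed++;                  /* one past the end */
    if (checked_echo(&b, 5, out, sizeof out) == 5) passed++;   /* honest claim */
    if (checked_echo(&b, 64, out, sizeof out) == -1) passed++; /* over-claimed length */
    return passed;
}

int main(void) {
    printf("checks that behaved as intended: %d of 4\n", run_sample());
    return 0;
}
```

The design point is that neither function can be asked to trust a number it did not derive itself: the bound lives next to the pointer, and the cost of the comparison is exactly the cost Hoare’s customers refused to trade away.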
On Tuesday, we dusted off the source code for early versions of MS-DOS and Word for Windows. With the help of the Computer History Museum, we are making this code available to the public for the first time.
From the constant harping about the supposed “failure” of Apple’s iPhone 5c, you’d think the phone is selling poorly. The reality is that middle tier model, while dramatically less popular than Apple’s top of the line iPhone 5s, still managed to outsell every Blackberry, every Windows Phone and every Android flagship in the winter quarter, including Samsung’s Galaxy S4.
Microsoft is not unique in claiming the right to read users’ emails – Apple, Yahoo and Google all reserve that right as well, the Guardian has determined.
The broad rights email providers claim for themselves has come to light following Microsoft’s admission that it read a journalist’s Hotmail account in an attempt to track down the source of an internal leak. But most webmail services claim the right to read users’ email if they believe that such access is necessary to protect their property.
Millions and millions of people use iMessage every day. But how many people know exactly what’s going on behind the scenes, or what happens to a message once you send it?
Maybe a handful. Up until now, the vast majority of what we knew about iMessage’s inner workings came from reverse engineering and best guesses. This week, however, Apple quietly released a document that breaks it all down.
Mr. Cook’s comments came during the question and answer session of Apple’s annual shareholder meeting, which the NCPPR attended as shareholder. The self-described conservative think tank was pushing a shareholder proposal that would have required Apple to disclose the costs of its sustainability programs and to be more transparent about its participation in “certain trade associations and business organizations promoting the amorphous concept of environmental sustainability.”
As I covered in depth yesterday, the proposal was politically-based, and rooted in the premise that humanity plays no role in climate change. Other language in the proposal advanced the idea that profits should be the only thing corporations consider.
That shareholder proposal was rejected by Apple’s shareholders, receiving just 2.95 percent of the vote. During the question and answer session, however, the NCPPR representative asked Mr. Cook two questions, both of which were in line with the principles espoused in the group’s proposal.
The first question challenged an assertion from Mr. Cook that Apple’s sustainability programs and goals—Apple plans on having 100 percent of its power come from green sources—are good for the bottom line. The representative asked Mr. Cook if that was the case only because of government subsidies on green energy.
Mr. Cook didn’t directly answer that question, but instead focused on the second question: the NCPPR representative asked Mr. Cook to commit right then and there to doing only those things that were profitable.
What ensued was the only time I can recall seeing Tim Cook angry, and he categorically rejected the worldview behind the NCPPR’s advocacy. He said that there are many things Apple does because they are right and just, and that a return on investment (ROI) was not the primary consideration on such issues.
“When we work on making our devices accessible by the blind,” he said, “I don’t consider the bloody ROI.” He said that the same thing about environmental issues, worker safety, and other areas where Apple is a leader.
As evidenced by the use of “bloody” in his response—the closest thing to public profanity I’ve ever seen from Mr. Cook—it was clear that he was quite angry. His body language changed, his face contracted, and he spoke in rapid-fire sentences compared to the usual metered and controlled way he speaks.
He didn’t stop there, however, as he looked directly at the NCPPR representative and said, “If you want me to do things only for ROI reasons, you should get out of this stock.”
It was a clear rejection of the climate change denial, anything-for-the-sake-of-profits politics espoused by the NCPPR. It was also an unequivocal message that Apple would continue to invest in sustainable energy and related areas.
A total of 99.9% of new mobile threat detections target the Android platform.
At WWDC in 1997, Steve Jobs, having just returned to Apple, held a wide-open Q&A session. There’s video — albeit low-quality VHS transfer? — on YouTube. It’s a remarkable session, showing Jobs at his improvisational best. But more importantly, the philosophies and strategies Jobs expressed correctly forecast everything Apple went on to do under his leadership, and how the company continues to work today. In short, he’s remarkably open and honest — and prescient.
It would appear that if Apple wants to rein in the targeted negativity the tech media loves to dish out, it will need to begin spending billions like Samsung to promote tweets, push favorable reviews, pay spiffs as incentives to retail sale promotion and generously ply journalists with free products.
The US Postal Service hopes Steve Jobs can do for it what he once did for Apple.
The late Apple co-founder will be featured on a commemorative US postage stamp in 2015, according to a US Postal Service list of approved subjects obtained by The Washington Post. Usually kept secret to maximize buzz over stamps’ subjects, the list includes subjects the post office plans to commemorate on stamps for the rest of this year and the next couple of years.
The stamp will be a little more expensive than usual, it comes in only two colors, and it will have rounded corners.
And finally Apple haters can give his backside a lick…
Jeffrey Grossman, on Twitter:
I have confirmed that the SSL vulnerability was introduced in iOS 6.0. It is not present in 5.1.1 and is in 6.0.
According to slide 6 in the leaked PowerPoint deck on NSA’s PRISM program, Apple was “added” in October 2012.
These three facts prove nothing; it’s purely circumstantial. But the shoe fits.
Following Tuesday’s announcement that company vice president Satya Nadella had been named Microsoft’s new chief executive officer, many of the software giant’s older employees reportedly reminisced about an earlier era in the tech industry’s history when CEOs were so large they took up entire rooms. “When you look at our brand-new thin, mobile CEO, it’s hard to even imagine that these guys were once so gigantic that a warehouse-sized space was needed to hold one of them,” Microsoft senior developer Glenn Maloney told reporters, noting that despite Nadella’s impressive memory capabilities and ability to engage in complex operations, there was something “kind of charming” about relying on a bulky old CEO that weighed several tons and required an extended staff of engineers to maintain. “Sure, those giant executives were a little cumbersome and a whole lot slower, but I always liked being able to walk into a climate-controlled vault and see a humming CEO crunching numbers.” Maloney noted, however, that despite their difference in size and ability, tech CEOs of today were still essentially the same calculating, unfeeling machines underneath their exteriors.
PETER MCWILLIAMS: I think they’re hoping people are going to fork out $2,500 for a computer for their home. And I can’t see it.
ADAMS: What do you get for the $2,500 now?
MCWILLIAMS: What you get is a screen, a nine-inch screen. You get a keyboard. You get 128K of RAM, which is internal disk storage. And you get a 3-1/2-inch disk drive.
ADAMS: Let me translate a bit here or try to translate. You’re saying it has a very good memory. It has a 3-1/2-inch disk drive, which is not compatible with other computers. What’s the standard size, then?
MCWILLIAMS: The standard is five-and-a-quarter inch. And they have made a corporate decision that the 3-1/2-inch drive is going to make it. I don’t see it myself. But this whole computer is a calculated risk on Apple’s part. If the world is ready to accept a brand-new standard, this machine will make it. If it’s not, the machine won’t make it.
And it will have certain specialized applications like in architectural firms and so forth. But on the whole, it’s gambling that the world is ready to accept a new standard. My personal point of view is that the world is not.
BLOCK: That’s the late author Peter McWilliams, talking with our former host Noah Adams 30 years ago tomorrow, January 25th, 1984. They were talking about Apple’s Macintosh computer, which had just been introduced.
A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the “Add to Feedly” extension. One morning, Agarwal got an e-mail offering “4 figures” for the sale of his Chrome extension. The extension was only about an hour’s worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome’s extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer’s intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension’s user base.
And although extensions are sandboxed, they can replace URLs in a request. They will replace a 70 MB download of DELL_AiOXXXX.exe from dell.com with a 1.7 MB setup.exe full of real nasty stuff from a less reputable site.
It’s hard to believe that the people who did the recent Apple ad and the people who did the recent Samsung ads live on the same planet.
A certain monk, known for the elegance of his code, had a habit of refactoring the code of his fellows to match. “For inconsistency multiplied becomes chaos,” he would explain, “and chaos breeds complexity, and complexity brings confusion, and confusion is the mother of ten thousand defects.”
Master Suku—who above all prized the cleanliness of code—heard of this. She approached the monk, saying, “I require your assistance in correcting a problem.”
Suku revealed to the monk a great repository, home to the source code for the Temple’s most ancient application. Over the course of decades an uncounted procession of monks and nuns had passed through its hallowed directories: adding, removing, refactoring, refining, trying a new framework here, a new approach there. Several times the entire code base had been migrated from one language to another, scarring the deeper layers with unfathomably bizarre design patterns. Within one utility class the naming conventions were so wildly inconsistent that the monk grew dizzy and had to lie down on the floor.
“Bring order to chaos,” said Suku, and went out.
The monk proceeded in earnest to rewrite the application in the style he had perfected over so many years. He chose a glittering new framework to replace the many rusty ones, then picked one dusty corner of the repository and worked slowly outwards: adding, removing, refactoring, refining.
The monk had converted the merest fraction of the files when there came a pounding on his door.
“Emergency!” said the breathless abbot outside, grabbing the monk by his robe and pulling him out the door. “Disaster! Disorder! Deadline! Doom! Not enough people and not enough time; you’re needed at once, come on, come on!”
The monk protested, calling for someone to fetch master Suku that she might intervene, but the abbot merely flipped the monk onto his backside and dragged him down the hallway like a noisy sack of rice.
That evening Suku found the monk, tied to his new workstation by many coils of strong rope.
“I have seen your commits in the great repository,” said the master, drawing a long knife which she placed at his throat. “Where once there had been a hundred styles, there now are a hundred and one.”
She made a quick motion. The monk cringed, expecting to feel his life blood spilling inside his robe. Instead the knife only severed one strand of his hempen bonds.
“Not perfect, but better,” said Suku, and went out.
She did likewise for one hundred evenings until the monk was freed.
Afterwards the monk meddled less with the code of his fellows, and instead began to pride himself on his ability to mimic the design patterns of others when modifying their applications.
“It is still a truth of refactoring,” he now said, “that sometimes one must introduce chaos to bring order, just as the road to the sea must sometimes scale a mountain before it turns downward again. Yet order is not a destination: merely a direction from complex to simple, from more to less. The master asked for less but I thought only of one, and chose a path worthy of a hailstone when simple subtraction would have sufficed.”
“Apple kicked everybody in the balls with this. It’s being downplayed, but it set off panic in the industry.”
The key role private companies play in National Security Agency surveillance programs is detailed in a top-secret document provided to the Guardian by whistleblower Edward Snowden and published for the first time on Friday.
One slide in the undated PowerPoint presentation, published as part of the Guardian’s NSA Files: Decoded project, illustrates the number of intelligence reports being generated from data collected from the companies.
In the five weeks from June 5 2010, the period covered by the document, data from Yahoo generated by far the most reports, followed by Microsoft and then Google.
Between them, the three companies accounted for more than 2,000 reports in that period – all but a tiny fraction of the total produced under one of the NSA’s main foreign intelligence authorities, the FISA Amendments Act (FAA).
It is unclear how the information in the NSA slide relates to the companies’ own transparency reports, which document the number of requests for information received from authorities around the world.
Yahoo, Microsoft and Google deny they co-operate voluntarily with the intelligence agencies, and say they hand over data only after being forced to do so when served with warrants. The NSA told the Guardian that the companies’ co-operation was “legally compelled”.
Canada-based telecom Nortel went bankrupt in 2009 and sold its biggest asset—a portfolio of more than 6,000 patents covering 4G wireless innovations and a range of technologies—at an auction in 2011.
Google bid for the patents, but it didn’t get them. Instead, the patents went to a group of competitors—Microsoft, Apple, RIM, Ericsson, and Sony—operating under the name “Rockstar Bidco.” The companies together bid the shocking sum of $4.5 billion.
Patent insiders knew that the Nortel portfolio was the patent equivalent of a nuclear stockpile: dangerous in the wrong hands, and a bit scary even if held by a “responsible” party.
This afternoon, that stockpile was finally used for what pretty much everyone suspected it would be used for—launching an all-out patent attack on Google and Android. The smartphone patent wars have been underway for a few years now, and the eight lawsuits filed in federal court today by Rockstar Consortium mean that the conflict just hit DEFCON 1.
Google probably knew this was coming. When it lost out in the Nortel auction, the company’s top lawyer, David Drummond, complained that the Microsoft-Apple patent alliance was part of a “hostile, organized campaign against Android.” Google’s failure to get patents in the Nortel auction was seen as one of the driving factors in its $12.5 billion purchase of Motorola in 2011.
Rockstar, meanwhile, was pretty unapologetic about embracing the “patent troll” business model. Most trolls, of course, aren’t holding thousands of patents from a seminal technology company. When the company was profiled by Wired last year, about 25 of its 32 employees were former Nortel employees.
The suits filed today are against Google and seven companies that make Android smartphones: Asustek, HTC, Huawei, LG Electronics, Pantech, Samsung, and ZTE. The case was filed in the Eastern District of Texas, long considered a district friendly to patent plaintiffs.
Several monks of the Laughing Monkey Clan found their brother in a state of great anguish, typing frantically at his workstation.
“What vexes you so?” they asked.
Said the monk: “When new business rules are delivered next year, my code will need to be updated. Today the abbot told me who will be assigned this task, and my heart sank. He is an impatient fool who scorns documentation and breezes by comments, electing instead to guess the purpose of everything by name alone. Thus I must idiot-proof every class and method.”
The monk pointed to his screen. “Here he will be tempted to modify this object’s properties, so I must make it immutable to prevent disaster. Here he will surely mistake the purpose of this parameter, so now I must check for an illegal argument wherever it is used.” The monk collapsed upon his keyboard. “Ten thousand curses upon that imbecile, Taw-Jieh!” he wailed. “That he of all people should be chosen to maintain my code!”
The other monks looked at each other uncomfortably.
“But you are Taw-Jieh,” said one.
One of those analyses showed that when a human was behind the wheel, Google’s cars accelerated and braked significantly more sharply than they did when piloting themselves. Another showed that the cars’ software was much better at maintaining a safe distance from the vehicle ahead than the human drivers were.
“We’re spending less time in near-collision states,” said Urmson. “Our car is driving more smoothly and more safely than our trained professional drivers.”