From my side of the coin, I've always thought that the best solution is ground level support.
Ensure that students of any type have excellent public schools. Ensure that people without resources, of any background, have access to higher education. This can be by grants for the very poor, just as it can be by government backed, guaranteed approved student loans.
Healthy, stable food in schools is an excellent way to keep a child's mind on education.
These things level the playing field. There are plenty of white males who need such help to be on a level playing field with wealthier families too. I grew up in a rural community in Canada, and saw many smart but underprivileged (including trouble with keeping food on the table) families end up with grants to go to university.
If you do this, if you provide the capability for merit to shine, and ensure that merit can be fed intellectually, you're doing much of the work required for true equality.
I frankly don't give a rat's ass about women being in any specific field, or someone of whatever skin tone. I do 100% care if people want to, but cannot!! I want all who are capable, to be able to express that capability.
If this is done, and done correctly, then the numbers of candidates applying for jobs will result in numbers indicative of candidates in the field. And more importantly, of people wanting to be in those fields. If you get 11% women in the field, and 11% women applicants, and nothing prevented women from entering that field, you're where you want to be.
We don't need to encourage people to enter a field. We need to only ensure they can if they want to.
This sort of "women are weak and are scared of entering fields" is bizarre, from an equality standpoint. The same for people with different skin tones. Why do people seem to think women, for example, are weak and incapable of pursuing their dreams? They are not!
The women I've known in my life have been strong in opinion and in drive, the same goes for people of any racial background. There are of course those that are not, but I've seen lazy, undriven white males too.
People don't need to be prodded, dragged, pulled into a field.
They just need to have no way that they are hindered. They just need the freedom to choose. To know that they can pursue that which they desire.
I think what's happening here is, people don't have time to assess. And frankly, can you blame them?
A person might be implementing dozens or hundreds of pieces of software from multiple vendors. Now there are CVEs on their radar. They have to deal, and assess.
What do they do?
Do a deep dive on every CVE, including looking at code, validating what the CVE represents, and assessing security risk org wide, no matter how and where and in what way the software is used? Is code even available?
Or, is the prudent thing to say "CVE -- we need the vendor to resolve".
How much work must an end user put in, when a CVE is there?
I agree 100% that this is terrible, but my point is to at least understand it from the side of implementation. What I tend to do is use my distro for everything I possibly can. This provides an entity that is handling CVEs, and even categorizing them:
This helps reduce the need to handle CVEs directly. Not eliminate of course, but vastly reduce it. Output of clicking on a CVE is helpful with a rating:
This rating may be because it does not affect Debian in its default config, or because something isn't compiled in, or the impact is truly low, or so on.
This gives me something to read if I must, and to grasp when I have no time to deep dive. I trust Debian to be reasonably fast and work well to resolve CVEs of importance, and properly triage the rest.
Yes, I know of edge cases, yes I know of the fact that seldom used packages often need an end user to report a CVE. It can and does happen. But the goal here is "doing our very best" and "proving we're doing that".
So this helps by allowing me to better focus on CVEs of vendor products I use, and get a better grasp on how to pursue vendors.
Yet when dealing with the infrastructure of smaller companies -- they just don't have the time. They still have to manage the same issues as a larger company, that being SOC 2 compliance or what not, as well as liability issues in their market sphere.
And the thing is, I'm willing to bet larger companies are far worse at this CVE chicanery. It's just rote to them. Smaller companies have flexibility.
Here's a hotlist for making at least some of this manageable, because if you give people information, you don't have to respond as much:
* have an RSS feed, or a webpage which is only updated if there is a security update for your software
* have a stable and development (bleeding edge) branch. One branch only has security updates and never new code. Maybe, possibly bugfixes, but bugfixes must not break the API, config files, or create requirements for newer versions of libraries
* provide a mailing list never ever ever used for marketing purposes, which alerts users to new updates for software. Never spam that email address. Ever.
Important:
If you have outstanding CVEs, list them somewhere on a static page, with a description of what the issue is, and how you've triaged it. If you believe it's a bogus CVE, say so. If you think it only causes issues in certain circumstances, and is thus less important that other CVEs you are working on, say so.
Keep all CVEs here by simply updating the page to indicate a CVE was resolved, but also with a version/commit and date of when. Again, information resolves so many issues.
Do these things, and your end users will love you, and it will engender more trust that security issues are being dealt with seriously. (Note: not saying they aren't, but if you make it easy for people to know when updates come out, lots of questions stop being asked)
When engineers see this sort of thing, they love you. They become stronger advocates. It falls under marketing as much as technical due diligence.
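As an added example (my code, not the commenter's and not any project's own tooling): a small Python generator for the static CVE triage page and the security-only RSS feed the post recommends. All CVE ids, versions, dates and the page URL are constructed placeholders.

```python
# Added example (not from the thread): a minimal generator for the static
# CVE triage page and security-only RSS feed the post recommends.
# All CVE ids, versions, dates and URLs below are constructed placeholders.
from dataclasses import dataclass
from datetime import date
from typing import Optional
from xml.sax.saxutils import escape

@dataclass
class Triage:
    cve: str               # identifier as published
    summary: str           # what the issue is, in the maintainer's words
    status: str            # "fixed", "wontfix", "disputed" or "open"
    rationale: str         # why it was triaged this way
    fixed_in: str = ""     # version or commit that resolves it, if fixed
    fixed_on: Optional[date] = None

# Constructed sample records for illustration only.
RECORDS = [
    Triage("CVE-0000-0001", "Crash on malformed config directive", "fixed",
           "Needs an attacker-controlled config file; low impact.", "2.90",
           date(2024, 1, 15)),
    Triage("CVE-0000-0002", "Reported DoS via oversized query", "disputed",
           "Not reproducible; the PoC relied on a code path removed earlier."),
    Triage("CVE-0000-0003", "Information leak in debug logging", "open",
           "Only affects builds with debug logging enabled; fix scheduled."),
]

def render_status_page(records, stance):
    """Markdown page: project stance on top, then one section per CVE."""
    lines = ["# Security status", "", stance, ""]
    for r in sorted(records, key=lambda r: r.cve):
        lines.append(f"## {r.cve} ({r.status})")
        lines.append(f"- Issue: {r.summary}")
        lines.append(f"- Triage: {r.rationale}")
        if r.status == "fixed":
            lines.append(f"- Resolved in {r.fixed_in} on {r.fixed_on.isoformat()}")
        lines.append("")
    return "\n".join(lines)

def render_security_feed(records, page_url):
    """RSS 2.0 feed carrying only resolved security updates, never marketing."""
    items = "".join(
        f"<item><title>{escape(r.cve)} fixed in {escape(r.fixed_in)}</title>"
        f"<link>{escape(page_url)}#{escape(r.cve)}</link>"
        f"<pubDate>{r.fixed_on.strftime('%a, %d %b %Y 00:00:00 +0000')}</pubDate></item>"
        for r in records if r.status == "fixed")
    return ('<rss version="2.0"><channel><title>Security updates</title>'
            f"{items}</channel></rss>")
```

Regenerate both outputs from the same record list on every release so the page and the feed never disagree about what is fixed.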
As an open source software vendor I can say two things:
1) The CVE system allows vendors to deny CVEs that relate to their product. I don't know the exact rules, so I don't know if it applies in this case. We take anything that can crash our software seriously.
2) For users without a support contract, your priority does not automatically become our priority. If you want your issues fixed then make sure we have the money to do so. Just because you got a free download doesn't give you any rights to support.
What started this is a case where you have to put weird stuff in a config file to trigger the CVE. If the people behind dnsmasq don't get paid or not enough, then it is perfectly fine if this is not a priority.
We have a very popular product, lots of use in what is really the foundation of the internet and almost no support contracts.
So you can turn the argument around, if you are not paying for software, consider it a hobby project. Feel free to report an issue and create a ticket. But don't expect anything to happen. And don't complain on mailing lists how your issue is not taken seriously. Just fix the issue yourself or switch to a different product.
I think you're missing my point. Your code is your resume. It's also an advertisement for whether your product is worth donating to, helping with, buying, and whether you are an excellent coder and project maintainer or not.
A CVE, bogus or not, needs to be handled. If you don't, it reflects upon you. Hands down. No amount of "but it's for free" works to negate this. Ever. No one can demand anything of you, but your reputation will 100% be graded upon how you deal with such things.
This is the way the world works. This is how reputation works. Get over it. Deal with it. Understand it. No, you're not going to ever change this, unless you genetically engineer new humans. This is how humans, and human society has existed for millennia. You will never, ever, ever, change this. You will never explain an alternate to anyone. Ever.
Even if the CVE is bogus, you need to set the record straight, and it's almost akin to libel against your project and you. My suggestions about having a page listing all CVEs are fairly clear and to the point.
These suggestions help people assess your project and your reliability and competency. Yet at the same time? They reduce your effort and work!
Instead of debating endlessly on a mailing list, and instead of repeated bug reports, a well placed security page will take the lion's bulk of such things, answer them, and leave the project team free to not deal with questions on each CVE.
Such a list gives you an authoritative reason why the CVE is triaged as it is, you can point mailing list inquiries at it, WONTFIX bug reports at it, and you can even put your project's stance at the top of the page!
What I've been saying in these posts is that organization overrules chaos. And that even if some weirdos disagree with you, or have silly expectations, you're crystal clear on things.
I think this is what you want. Your concerns about what people should expect, are dealt with via this method. I actually think we're aligned here, except (perhaps?) you think doing this is work.
It's not. It's the opposite of work. It's saving time.
Why?
Because you will never, ever, ever change human behaviour. Ever. Literally nothing has ever changed in, for example, how commercial transactions occur. This exact complaint could happen today over a used car:
Every problem you've had with humans has been done endlessly billions of trillions of times. Just because it's a software project, doesn't mean it's any different than any other project. There have been volunteer, for free works since the inception of humanity. There have been people with unrealistic expectations, and the tug and pull therein.
I'll reiterate my original stance, just make it clear. Make it clear that you're dealing with CVEs. Part of this makes it eminently clear that the fly in the ointment is the persistent person with crazy expectations. Not your project.
Israel's intelligence services (not Mossad) did collect valid signals, such as SIM cards in Gaza being swapped out for Israeli SIM cards, but it was ignored as another false positive. What the public don't see are all the false positives (like many drills for an attack that don't materialize) that drown out valid signals when the attack is actually going to happen. There's also hesitancy to act on signals because drills are used to expose intelligence.
It's one of the many asymmetries that changes when you are the defender versus the attacker. As the defender, you have to be right 100% of the time. As the attacker, you have the luxury of being right only 30% of the time. The law of large numbers is on the side of the attacker. This applies to missile offense/defense and to usage of intelligence.
This information asymmetry is also one of the key drivers of the security dilemma, which in turn causes arms races and conflict. The defender knows they can't be perfect all the time, so they have an incentive to preemptively attack if the probability of future problems based on their assessment of current information is high enough.
In the case of Gaza there was also an assessment that Hamas were deterred, which were the tinted glasses through which signals were assessed. Israel also assumed a certain shape of an attack, and the minimal mobilisation of Hamas did not fit that expected template. So the intelligence failure was also a failure in security doctrine and institutional culture. The following principles need to be reinforced: (i) don't assume the best, (ii) don't expect rationality and assume a rival is deterred even if they should be, (iii) intention causes action, believe a rival when they say they want to do X instead of projecting your own worldview onto them, (iv) don't become fixated on a particular scenario, keep the distribution (scenario analyses) broad.
Avoiding a car accident has a low cost, you just have to take it slowly and be 1 min late to your meeting or whatever, but deciding whether you should attack first based on a small suspicion, that's a hell of a problem, because if you're wrong, you're seen as the bad guy. And maybe even if you're right and can't prove it.
> because if you're wrong, you're seen as the bad guy. And maybe even if you're right and can't prove it.
An example of this is France cutting off all support after Israel's initiation of the Six Day War, which followed signals such as Egypt massing troops on the border. The problem for Israel was the lack of strategic depth combined with the geographical low ground, which creates these hair trigger scenarios with no room for error, reducing the threshold to act preemptively. The more abstract problem was the absence of a hegemon in the late 20th century that had security control over West Asia, which is a necessary and sufficient condition for resolving the security dilemma.
A gentle note to anyone reading, fiberglass insulation requires wearing air filters, for the same reasons noted elsewhere in this thread. Wear them especially to cut it, but also just putting it up or working in a crawlspace with it.
That’s not what the manufacturers of modern glass fiber insulation would have you believe. Plenty of people cutting and handling it with no PPE at all in their promotional literature.
Fiberglass is at least a pretty easy one to figure out. Don't have to get that stuff in your skin more than once to realize it's probably really, really bad to breathe.
My understanding is that fiberglass and mineral wool [1] are classified as skin (yes, it itches), eye, and lung irritants (coughing), but they're not carcinogenic. Considering how extremely widely they have been used for a long time, if they were we'd most likely have seen it by now.
Sure it's not good for you, so using PPE is certainly warranted, but it's on a whole different level of badness compared to asbestos.
[1] Per Wikipedia, there are some varieties of mineral wool used for high temperatures (think insulating industrial furnaces and such) which are carcinogens.
Apparently it and other missing episodes were found and shipped to the BBC archives in 2013, but that one episode never arrived. It was presumably stolen en route and sold to a private collector.
Google knows precisely who you are, if you have a cell phone and give them the number. Telcos boast about this, and sell that data for a price.
The only way to avoid this, is to buy a SIM card anonymously, phone anonymously, and only pay cash to top up the minutes. The second you pay with a card for minutes, the telco links that and your ID is known.
And of course, if you use Google services on your phone, no way is your ID concealed for long.
This effort cancels out as soon as you give your mobile number to pretty much anyone. Most people have contacts stored at Google, so friends add your number with name, and Google again knows.
Google doesn't care about raw ID much, it cares about networks of people. Who you know, and who has who as contacts says a lot.
Anyhow. Point is, never give your phone number to anyone or you are never anonymous.
I cancelled my only cellular account 11 years ago. Maybe Google's algorithm targeted my account as not having identified my cellular footprint they assume I must have?
This sounds very plausible. If I had to make a list of ways to identify a child, not yet having a cell phone would likely be on that list. I think I’d assume older people without one would be those who have limited internet activity, or none at all.
I don’t like this assumption, but so many things these days assume a mobile phone, and even a smartphone, that it seems hard not to have one. I need one just to login to my laptop for work. On top of that, a significant number of businesses I need to interact with have automatically opted me in to 2FA using text messaging. QR code scanning is being required more and more, even just to go out to eat.
Flipping the read only tab on every floppy was the first thing I did, after my first infection.