<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 2023-02-22 14:17, Gilbert Detillieux
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a1707038-7f76-202e-0396-ee98d0801429@umanitoba.ca">You'd
think with the combined wealth and resources of Alphabet/Google,
Apple, and Microsoft, they'd find it in their best collective
self-interest to fund a project to replace this garbage with some,
you know, actually secure code.
<br>
</blockquote>
<p>1) not having to pay for it; and <br>
</p>
<p>2) having a scapegoat for stuff that goes sideways.</p>
<p>Both sound awful to me, but I am not a CEO for a reason...</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 2023-02-22 15:12, Adam Thompson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:YT2PR01MB4622CCF2A34BC75471E71AE8ABAA9@YT2PR01MB4622.CANPRD01.PROD.OUTLOOK.COM">The
OpenSSL team, however, appear to be rather resistant to help.
Serious NIH syndrome. Also they're more focused on preserving
backwards compatibility than correctness or security. And also
don't respond well to criticism, from what I've seen.</blockquote>
<p>Amusing, isn't it? Every once in a while someone shows up
smearing the OpenBSD developers for *reasons*, but as far as I
can tell they strike a good balance between stability - avoiding
changes for the sake of it - while regularly dropping the dead
weight to make things secure and to move forward. A reasonable
compromise, if you will.<br>
</p>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 2023-02-22 15:37, Gilbert Detillieux
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:3e575e54-7475-f3c2-d675-3bb4f3beebaf@umanitoba.ca">Longer
term, maybe a complete re-imagining is what the industry will need
to move forward. Most companies and developers are motivated more
by new features than by correctness or security, sadly.
</blockquote>
Let me present Schrödinger's SysAdmin:<br>
<p>- If things break, well, it's your fault. You shouldn't have
messed with anything, it was working before. Don't fix what isn't
broken.<br>
- If things work, are you even doing anything? If nothing is
breaking, you must be useless.<br>
</p>
<p>It's hard to sell something that, when done, won't change
anything as far as most people are concerned. No new apparent
features; instead, potential for disruption and costs. All of that
to protect from the *threat* - as in something that may or may not
happen - of an attack.</p>
<p>At best, you can try and argue that something <i>could have
happened</i>, but didn't. Even if you can prove it, more often
than not, someone could easily think you're exaggerating to prove
a point.<br>
</p>
<p>The optimist wishes executives could see the light. The realist
knows that, as long as someone other than themselves can be
blamed, more often than not they won't let you do what you
must... until the moment where you <i>should have done it.</i> Then,
it's <i>your fault.</i> Or, instead, they just buy insurance for
it, pretend no one could ever have seen it coming, and move along.</p>
<p>Yes, some places do see past all the cynicism, and have some
accountability. But we would not have landed where we are if that
weren't the exception to the rule, so it is what it is. Let's hope
it finds a way to go that does not involve a huge BANG.<br>
</p>
<pre class="moz-signature" cols="72">--
Kind regards,
Alberto Abrao</pre>
</body>
</html>