@Chris Thomas
>1) if I was at a company and personally created a disaster that caused millions of pounds of damage, it doesn't matter
Millions of pounds of damage? Evidence? Even if some bigwigs lost "millions of pounds" because of this patch they have no legal grounds for complaint. They used the code under the license it was offered.
RSA have sold console makers like Nintendo encryption and it hasn't worked. Nintendo haven't sued. Figure that out.
>ONE LITTLE BIT that they have insurance you dumbass, it has NO RELEVANCE WHATEVER on the fact that at the end of the day, I am collecting my P45, they are covered, that's true, but I AM OUT OF THERE.
You need something like 3 warnings of increasing severity to be fired unless your mistake can be considered "gross misconduct". I hope silly human mistakes aren't considered gross misconduct; I think that assumes intent to commit wrongdoing.
Companies actually give courses on how to fire people these days....
>2) it depends on whether you want to be taken seriously or not, if I had an employee who did this and basically if you work for "me" you're my employee
Far be it from me to tell you how to run your business, but you should have code review; a peer should be checking for an obvious blunder. It's very easy to miss things. The DD that patched OpenSSL tried to get peer review from the OpenSSL developers.
>3) If the TV was straight out of the box and then at night set fire to my house killing my wife and children, yeah I'd be around your house to find out what happened with that TV that made it do that and if you tell me it was standing in a puddle of water!!
You didn't check it for signs of damage before plugging it in? I offered you no warranty of the fitness of the goods and you should have expected as much. If you don't have the common sense to protect what is important to you these things will happen. What if it was stolen? You'd be liable for handling stolen goods.
>4) but he obviously isn't, because if he was, he wouldn't make such a f**king n00b mistake would he.
So your informed critique comes down to the DD being a "n00b". Pat on the back.
>5) Since I learned that debian is for idiots, I pretty much stayed away from it and I have nothing to do with it, and I enforce that with everything I do, I dislike their entire band of brothers so much, I never run into this problem. However, some of my friends, have.
You will never run into this problem? Chances are you have communicated with a server running Debian that has been using weak keys. Everyone is affected.
There must be billions and billions of pounds of damages outstanding from dodgy webservers, broken MTAs, ... You'd think having to brute force thousands of keys would be a minor issue in comparison.
>6) Thankfully, I've never had to directly deal with idiots from debian, so I've been mostly free from having to interact with them and be "infected" with cool 1337 ideas like removing parts of RNG code.
So you don't actually understand what happened? The intent was to disable an almost useless part of the entropy generation process (uninitialised memory isn't a good source of entropy), but by mistake the DD managed to knock out a fundamental part of OpenSSL's entropy generating process.
>Seriously man, get a grip, millions of pounds of damage has been done and thousands of man hours wasted over a f**king valgrind fix, this shit does not happen to good developers. Stop protecting the weak, their death is SUPPOSED to happen. It's called nature.
Earthquakes cause millions of pounds of damage; I think the damage this has caused is subjective at best. Maybe someone is replaying old SSL encrypted credit card transactions against the known weak keys in a hope of getting some usable data? Otherwise I'm totally lost as to where these $18.500.000 Million dollars (Eighteen Million Five Hundred Thousand US dollars Only) have been lost. You would have thought all those big companies that rely on SSL to protect their loot would have to use encryption accelerators anyhow.
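To make the point in reply 6 concrete, here is an added toy model (not code from the thread, from Debian or from OpenSSL) of an entropy pool with three inputs: the process id, an uninitialised buffer, and caller-supplied random data. Dropping the uninitialised buffer is harmless; dropping the caller-supplied data as well leaves the PID as the only varying input, so the whole keyspace can be enumerated and a key can be checked against it, which is what Debian's openssl-blacklist package did for real keys. `PID_MAX`, `seed_pool`, `toy_keygen`, `keyspace_after_patch` and `is_weak` are names invented for this illustration, and the 32768 PID limit assumes the Linux default.

```python
import hashlib
import os

# Toy entropy pool. The real OpenSSL PRNG is far more involved; this only shows
# why removing the wrong seeding step collapses the set of reachable keys.
PID_MAX = 32768  # assumption: Linux default pid_max, so at most 32767 usable PIDs


def seed_pool(pid: int, uninitialised: bytes, caller_random: bytes,
              mix_caller_random: bool = True) -> bytes:
    """Mix the available sources into one seed.

    pid           -- process id, always mixed in
    uninitialised -- contents of an uninitialised buffer (the 'almost useless'
                     source the patch meant to drop)
    caller_random -- data the caller feeds in, e.g. read from /dev/urandom
                     (the fundamental source knocked out by mistake)
    """
    h = hashlib.sha256()
    h.update(pid.to_bytes(4, "little"))
    h.update(uninitialised)
    if mix_caller_random:
        h.update(caller_random)
    return h.digest()


def toy_keygen(seed: bytes) -> str:
    """Deterministic stand-in for key generation: seed -> key identifier."""
    return hashlib.sha256(b"toy-key:" + seed).hexdigest()


def keyspace_after_patch(pid_max: int = PID_MAX) -> dict:
    """Enumerate every key the broken generator can produce.

    With the uninitialised buffer gone (empty) and caller_random ignored,
    the PID is the only input that still varies, so the space is tiny.
    """
    return {toy_keygen(seed_pool(pid, b"", b"", mix_caller_random=False)): pid
            for pid in range(1, pid_max)}


def is_weak(key_id: str, blacklist: dict) -> bool:
    """Blacklist check: is this key one of the enumerable weak keys?"""
    return key_id in blacklist


if __name__ == "__main__":
    weak = keyspace_after_patch()
    print(f"broken generator yields only {len(weak)} distinct keys")
    broken = toy_keygen(seed_pool(4242, b"", b"", mix_caller_random=False))
    healthy = toy_keygen(seed_pool(4242, b"", os.urandom(32)))
    print("broken flagged:", is_weak(broken, weak), "healthy flagged:", is_weak(healthy, weak))
```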