The legal world is a pseudoworld constructed of rhetoric. It isn't real. The law doesn't actually exist. Justices aren't interested in justice, ethics or morality.
They are interested in paying the bills, having a good time and power like almost everyone else.
They don't have special immunity from ego, debt, or hunger.
The legal system is flawed because people are flawed.
Corporations aren't people. Not even legally. The legal system knows that because all people know that.
If you think that's true legally, then you agree the legal system is fraudulent rhetoric.
Corporations do have a special immunity to being killed though. If I killed a person, I'd go to prison for a long time. Executed for it, even. Corporations can kill someone and get off with a fine.
I think I’ll set up a local leaderboard with friends this year. I was never going to make it to the global board anyway but it is sad to see it go away.
I legitimately do not understand this kind of behavior.
A: "I have an excellent example that clearly illustrates my point."
B: "Great, what is it?"
A: "Uhm, if you don't already know, then you're stupid. You can easily find it anywhere."
We're gatekeeping evidence that supports our claims now?
I'll be honest I think that dying on the hill of "putting stickers on your laptop [...] is the least authentic thing for a software developer to do" makes you look pretty ridiculous.
And yet here you are, signaling to others your uniqueness by saying how much you hate the way that they signal theirs. It's not that deep, man. This sounds like a really tough way to live and I genuinely wish you the best of luck with your vendetta against *checks notes* people expressing themselves with stickers on their laptops.
I think that on its face the term "sacred knowledge" kind of communicates an intimacy that indicates that it's not something that's shared with people who don't have a privileged relationship with you.
I think the big difference now is that people have a megaphone in the form of social media and they forget just how wide the statements they shout through it can spread.
Yeah it's more effort, but I'd argue that security through obscurity is a super naive approach. I'm not on Google's side here, but so much infrastructure is "secured" by gatekeeping knowledge.
I don't think you should try to invoke the idea of naivete when you fail to address the unhappy but perfectly simple reality that the ideal option doesn't exist, is a fantasy that isn't actually available, and among the available options, even though none are good, one is worse than another.
"obscurity isn't security" is true enough, as far as it goes, but is just not that far.
And "put the bugs that won't be fixed soon on a billboard" is worse.
The super naive approach is ignoring that and thinking that "fix the bugs" is a thing that exists.
More fantasy. Presumes the bug only exists in some part of ffmpeg that can be disabled at all, and that you don't need, and that you are even in control over your use of ffmpeg in the first place.
Sure, in maybe 1 special lucky case you might be empowered. And in 99 other cases you are subject to a bug without being in the remotest control over it since it's buried away within something you use and don't even have the option not to use the surface service or app let alone control its subcomponents.
It's a heck of a lot better than being unaware of it.
(To put this in context: I assume that on average a published security vulnerability is known to at least some malicious actors before it's published. If it's published, it's me finding out about it, not the bad actors suddenly getting a new tool.)
It's only better if you can act on it equal to the bad guys. If the bad guys get to act on it before you, or before some other good guys do on your behalf, then no, it's not better.
Remember, we're not talking about keeping a bug secret, we're talking about using a power tool to generate a fire hose of bugs and only doing that, not fixing them.
"The bug" in question refers to the one found by the bug-finding tool the article claims triggered the latest episode of debate. Nobody is claiming it's the only bug, just that this triggering bug highlighted was a clear example of where there is actually such a clear cut line.
Google does contribute some patches for codecs they actually consume e.g. https://github.com/FFmpeg/FFmpeg/commit/b1febda061955c6f4bfb..., the bug in question was just an example of one the bug finding tool found that they didn't consume - which leads to this conversation.
Given that Google is both the company generating the bug reports and one of the companies using the buggy library, while most of the ffmpeg maintainers presumably aren't using their libraries to run companies with a $3.52 trillion dollar market cap, would you argue that going public with vulnerabilities that affect your own product before you've fixed them is also a naive approach?
Sorry, but this states a lot of assumption as fact to ask a question which only makes sense if it's all true. I feel Google should assist the project more financially given how much they use it, but I don't think Google shipping products using every codec they find bugs for with their open source fuzzer project is a reasonable guess. I certainly doubt YouTube/Chrome lets you upload/compiles ffmpeg with this LucasArts format, as an example. For security issues relevant to their usage via Chrome CVEs etc, they seem to contribute on fixes as needed. E.g. here is one via fuzzing or a codec they use and work on internally https://github.com/FFmpeg/FFmpeg/commit/b1febda061955c6f4bfb...
In regard to whether it's a bad idea to publicly document security concerns found regardless of whether you plan on fixing them, it often depends if you ask the product manager what they want for their product or what the security concerned folks in general want for every product :).
I made the switch to Ubiquiti from TP Link last year. 1000% worth it. The "Just Works (tm)" thing is true, but the ceiling of what you can do with it is so much higher. I'll also say that the Unifi nerds out there are legion and you can find support and comment threads all over the place for pretty much any project you want to do.
It is, though? I also had the same map come up about five times, showing a picture of the Parthenon and the Athenian acropolis, but it consistently insisted that these were of Orchomenos, which also had an acropolis but AFAIK is not the same; they are about 80 miles apart.
edit: it appears that Orchomenus also has an area of the city that Wikipedia refers to as the acropolis; I'm wondering if the game pulls the acropolis data from the Athenian Acropolis but then mistakenly attributes it to Orchomenus? I thought it might be because some great physics discovery was made there (given the daily challenge genre) but I haven't seen anything.