My weekly Guild Wars 2 community round-up at GuildMag is now online. There has been even more information about the Feature Pack release coming on the 15th and there’s lots of reaction from the GW2 community. There’s also still a 50% off sale on digital copies of Guild Wars 2 running: get ’em while they’re cheap! In addition, there’s the usual assortment of blog posts, videos, podcasts, and fan fiction from around the GW2 community.
April 11, 2014
Virginia bans campus “free speech zones”
The way the fight for free speech has been going, you might be forgiven for reading that headline as “Virginia bans free speech”, but fortunately it’s actually a significant improvement in the right of university students to speak freely:
On Friday, Virginia Governor Terry McAuliffe signed a bill into law effectively designating outdoor areas on the Commonwealth’s public college campuses as public forums, where student speech is subject only to reasonable, content- and viewpoint-neutral time, place, and manner restrictions. Under this new law, college students at Virginia’s public universities will not be limited to expressing themselves in tiny “free speech zones” or subject to unreasonable registration requirements.
HB 258, championed by its lead patron Delegate Scott Lingamfelter, passed both houses of the Virginia General Assembly unanimously. The Foundation for Individual Rights in Education (FIRE) urged the passage of the bill and testified on behalf of the legislation in hearings in both legislative houses.
“FIRE thanks Governor McAuliffe, Delegate Lingamfelter, and all of Virginia’s delegates and senators for coming together and supporting this legislation,” said FIRE Legislative and Policy Director Joe Cohn. “One in six public colleges in the United States unjustly restricts student speech with free speech zones. Thanks to this new law, public institutions in Virginia will no longer be among them.”
Restricting student speech to tiny “free speech zones” diminishes the quality of debate and discussion on campus by preventing expression from reaching its target audience. Often, institutions that maintain these restrictive policies also employ burdensome permitting schemes that require students to obtain administrative permission days or even weeks before being allowed to speak their minds. Even worse, many of these policies grant campus administrators unfettered discretion to deny applications based on the viewpoint or content of the speakers’ intended message.
QotD: Romantic views of death in battle
And we ourselves? Let us not have too much hope. The chances are that, if we go to war, eager to leap superbly at the cannon’s mouth, we’ll be finished on the way by an ingrowing toenail or by being run over by an army truck driven by a former Greek bus-boy and loaded with imitation Swiss cheeses made in Oneida, N. Y. And that if we die in our beds, it will be of measles or albuminuria.
The aforesaid Crile, in one of his smaller books, A Mechanistic View of War and Peace, has a good deal to say about death in war, and in particular, about the disparity between the glorious and inspiring passing imagined by the young soldier and the messy finish that is normally in store for him. He shows two pictures of war, the one ideal and the other real. The former is the familiar print, “The Spirit of ’76,” with the three patriots springing grandly to the attack, one of them with a neat and romantic bandage around his head, apparently, to judge by his liveliness, to cover a wound no worse than an average bee-sting. The latter picture is what the movie folks call a close-up of a French soldier who was struck just below the mouth by a German one-pounder shell, a soldier suddenly converted into the hideous simulacrum of a cruller. What one notices especially is the curious expression upon what remains of his face: an expression of the utmost surprise and indignation. No doubt he marched off to the front firmly convinced that, if he died at all, it would be at the climax of some heroic charge, up to his knees in blood and with his bayonet run clear through a Bavarian at least four feet in diameter. He imagined the clean bullet through the heart, the stately last gesture, the final words: “Therese! Sophie! Olympe! Marie! Suzette! Odette! Denise! Julie! … France!” Go to the book and see what he got … Dr. Crile, whose experience of war has soured him against it, argues that the best way to abolish it would be to prohibit such romantic prints as “The Spirit of ’76” and substitute therefore a series of actual photographs of dead and wounded men. The plan is plainly of merit. But it would be expensive. Imagine a war getting on its legs before the conversion of the populace had become complete. Think of the huge herds of spy-chasers, letter-openers, pacifist-hounds, burlesons and other such operators that it would take to track down and confiscate all those pictures!
H.L. Mencken, “Exeunt Omnes”, Prejudices: Second Series, 1920.
Open source software and the Heartbleed bug
Some people are claiming that the Heartbleed bug proves that open source software is a failure. ESR quickly addresses that idiotic claim:
I actually chuckled when I read rumor that the few anti-open-source advocates still standing were crowing about the Heartbleed bug, because I’ve seen this movie before after every serious security flap in an open-source tool. The script, which includes a bunch of people indignantly exclaiming that many-eyeballs is useless because bug X lurked in a dusty corner for Y months, is so predictable that I can anticipate a lot of the lines.
The mistake being made here is a classic example of Frederic Bastiat’s “things seen versus things unseen”. Critics of Linus’s Law overweight the bug they can see and underweight the high probability that equivalently positioned closed-source security flaws they can’t see are actually far worse, just so far undiscovered.
That’s how it seems to go whenever we get a hint of the defect rate inside closed-source blobs, anyway. As a very pertinent example, in the last couple months I’ve learned some things about the security-defect density in proprietary firmware on residential and small business Internet routers that would absolutely curl your hair. It’s far, far worse than most people understand out there.
[…]
Ironically enough this will happen precisely because the open-source process is working … while, elsewhere, bugs that are far worse lurk in closed-source router firmware. Things seen vs. things unseen…
Returning to Heartbleed, one thing conspicuously missing from the downshouting against OpenSSL is any pointer to an implementation that is known to have a lower defect rate over time. This is for the very good reason that no such empirically-better implementation exists. What is the defect history on proprietary SSL/TLS blobs out there? We don’t know; the vendors aren’t saying. And we can’t even estimate the quality of their code, because we can’t audit it.
The response to the Heartbleed bug illustrates another huge advantage of open source: how rapidly we can push fixes. The repair for my Linux systems was a push-one-button fix less than two days after the bug hit the news. Proprietary-software customers will be lucky to see a fix within two months, and all too many of them will never see a fix patch.
Update: There are lots of sites offering tools to test whether a given site is vulnerable to the Heartbleed bug, but you need to step carefully there, as there’s a thin line between what’s legal in some countries and what counts as an illegal break-in attempt:
Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL’s mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic.
Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of third-party websites without permission.
Testing to see what version of OpenSSL a site is running, and whether it also supports the vulnerable Heartbeat protocol, would be legal. But doing anything more active — without permission from website owners — would take security researchers onto the wrong side of the law.
And you shouldn’t just rush out and change all your passwords right now (you’ll probably need to do it, but the timing matters):
Heartbleed is a catastrophic bug in widely used OpenSSL that creates a means for attackers to lift passwords, crypto-keys and other sensitive data from the memory of secure server software, 64KB at a time. The mega-vulnerability was patched earlier this week, and software should be updated to use the new version, 1.0.1g. But to fully clean up the problem, admins of at-risk servers should generate new public-private key pairs, destroy their session cookies, and update their SSL certificates before telling users to change every potentially compromised password on the vulnerable systems.