I don't think it's that funny anymore. It's funny until you realize lots of readers believe him.
If you want to roll the discussion up to the original claim on this thread:
* Yes, closed-source vendors, Google included, do not as a rule announce severe flaws they find (or contract to find) in their own code. On the other hand, when we're talking about Google, Microsoft, and Apple: they are actually finding sophisticated flaws in their own product, which is something very few open source projects can credibly claim.
* Open source projects are not as a rule particularly awesome about handling disclosures either. See, for instance, AFNetworking.
* Nobody made logos for HTTP.sys (that I know of). On the other hand, HTTP.sys was a bigger deal in the industry than POODLE or pretty much any other vuln with a name besides Heartbleed, which, because it implicated a library used by lots of products, was particularly prevalent among Internet SAAS sites, and was easier to quietly exploit than an RCE, was a legitimately more important flaw. The idea that Microsoft gets a free pass for vulns is something you can only believe if your only contact with them is HN.
* There's no evidence Microsoft hid those vulnerabilities. They were there for 10+ years because nobody found them. In Microsoft's case, you can't reasonably claim that's because they weren't looking. Minesweeper gets more pentesting effort at Microsoft than most open source crypto projects.
I strongly prefer open source software to closed-source software, but I'm not unrealistic about how open source security works. See security tire fires such as: OpenSSL, Rails, PHP, Cryptocat, BIND --- each distinctive not just for having vulns but for the manner in which they've historically handled them.