Domain: codenomicon.com
Stories and comments across the archive that link to codenomicon.com.
Comments · 6
-
How has slashdot come to this?
Who's paying these researchers at Codenomicon to research Android vulnerabilities? Howard A. Schmidt, Chairman of the Board at Codenomicon.
“Some people might have been providing a vulnerability on purpose in order to do something nasty .. Who are they working with? Do they have sideline jobs somewhere else? The developers might be getting their dollars from ad networks"
Is this what slashdot has been reduced to, regurgitating anti Open Source FUD on behalf of a most probably a false-front for the MICROS~1 organization? -
Heartbleed disclosure timeline ..
"Ever since the "Heartbleed" flaw in encryption protocol OpenSSL was made public on April 7 in the US there have been various questions about who knew what and when."
Company | Codenomicon: "Howard A. Schmidt, Chairman of the Board .. His private-sector experience includes serving as Vice President, Chief Information Security Officer and Chief Security Strategist at eBay and as Chief Security Officer for Microsoft ." -
Re:Lucky for me
I use MS Windows and the
.Net framework... I'm safe ;)So it seems, lucky you. I do not know what are you doing here, though.
;)But note that:
"We cannot discuss the security of commercial XML products or library versions within the CROSS project, as the project is intended to benefit the open source community only." (from: (Codenomicon XML Page on the topic)
No freebies for commercial stuff. These guys are doing a favor for the open source, and need to earn their bread and butter. Lucky us at
/. ;) -
Re:Article??
More details are now available:
http://www.codenomicon.com/labs/xml/Also the CERT advisory is finally out:
https://www.cert.fi/en/reports/2009/vulnerability2009085.htmlYou call that more details?!
I assume you want the dirty details, i.e. full disclosure?
Come on, this is open source. Read the code. You are not going to get any more help than that from the good guys. There will soon be a wide range of exploits and demos that you can use, though. I am not sure anyone but you actually wants that.
;)Check out how many Linux distributions have issued an advisory on this problem. Look at the number of vulnerable software projects. Pick your side guy! Are you working for your own interest and trying to find a way to make your own profit from this flaw or trying to motivate all those open source software projects (that do not have a clue on security) into updating... finally!
If your comment is not a troll, then nothing here is. There is no other comment here that is more counter-productive, with my quick read of the things discussed here. I am not sure who do you want to help with comments like that.
-
Re:Article??
More details are now available:
http://www.codenomicon.com/labs/xml/Also the CERT advisory is finally out:
https://www.cert.fi/en/reports/2009/vulnerability2009085.htmlYou call that more details?! The first link tells me nothing much other than "OMG! XML is used in lots of places!" and the second is unclear about which libraries actually have the problem (e.g., is expat itself vulnerable or just the version that Python uses?) This is important because it determines who else has to worry about these things. If there are fundamental problems, it's important that they get fixed right back at the root and then the fixes pushed out. Otherwise you just have duplication of effort, warring developers, and people who are vulnerable and don't know it.
-
Re:Article??
Since XML is handled by these projects using libraries (libxml2 in Gnome and Xerces, Xerces2 and Xalan for Apache), wouldn't fixing these libraries effectively fix the "millions of these applications"?
Yes. Unless you have statically linked them.
More details are now available:
http://www.codenomicon.com/labs/xml/Also the CERT advisory is finally out:
https://www.cert.fi/en/reports/2009/vulnerability2009085.html