Domain: github.com
Stories and comments across the archive that link to github.com.
Comments · 4,419
-
Re:There is no future for patented codecs
I think you're conflating the patents themselves with the licensing. Many royalty-free licensed codecs are covered by patents such as, for example, baseline JPEG, VP8 and VP9. Cisco's new Thor video codec for netvc is covered by patents Cisco owns and has chosen to license under royalty-free terms.
Patents and the terms patents are licensed under are separate issues.
-
Re:OpenBSD?
This list should clarify things a bit.
While OpenBSD had ASLR it is lacking in many other ways.
That is the thing with security, it isn't the doors you locked that matters, it's that single one you didn't lock that is the problem.
Hmmm... While I agree with you on the general principle, here are a couple of things, off the top of my head:
1. False positives ("Vulnerable" tests in your example) do exist, you know. How are you sure that OpenBSD (or FreeBSD) is vulnerable in such and such case? Have you created an exploit specifically for the things being tested by paxtest? Maybe OpenBSD has other capabilities
2. False negatives are also a thing. Even if paxtest says: "such-and-such is OK", how do you know if a clever hacker won't be able to find a way around the ASLR protection?
Also important: paxtest dates back to 2004, and, as far as I know, has never been updated since (web site here). Not that this is a bad thing, but ASLR, and security, has changed a lot since then...
-
Re:Don't try to piggyback on TrueCrypts popularity
Good point on LibreCrypt, it is on my radar already, good candidate for people who won't use any command-line or script.
We have an issue open to support Tomb volumes, fairly easy to implement https://github.com/t-d-k/Libre...
-
Re:Can you try to get into debian?
Tried in RFP 611660, did not go well so far https://bugs.debian.org/cgi-bi...
Here is a debian/ packaging setup ready for Tomb, contributed by maintainers of the Freepto distro https://github.com/AvANa-BBS/T...
Arch has a package since long already.
-
Re:On LUKS
cryptsetup has luksHeaderBackup and luksHeaderRestore commands.
We have an issue open on github, thinkering on how to avoid bit-rot here https://github.com/dyne/Tomb/i...
The LUKS header recovery comes handy, a single corrupted bit in the header of a Tomb could be fatal, so there are plans to backup the header also inside the key, perhaps starting from the next major version of Tomb.
To fight bit-rot a filesystem like ZFS is pretty effective, but then that must be the "outer" FS, used by the storage support hosting the tomb.
-
Re:Don't try to piggyback on TrueCrypts popularity
If it's Linux only don't present it as a successor to TrueCrypt. A very important feature of TrueCrypt is(was) that it targets Linux, Mac OS X and MS Windows. Any archive being available to any of the three platforms.
I don't know about Mac support, but if Tomb is just a wrapper around LUKS, the volumes it creates should be accessible on Windows as long as you use a filesystem Windows knows about. Ext2IFS doesn't work on anything newer than Windows Vista, so you're most likely looking at FAT32, exFAT, or NTFS if you want your LUKS volume to be portable.
Assuming a suitable LUKS volume, you can mount it on Windows with LibreCrypt, which is the successor to FreeOTFE (by way of DoxBox). My work machine still has FreeOTFE on it, but I just installed LibreCrypt on Windows 10 at home and the encrypted volume on my flashstick mounted right up.
-
Re:Have you dug into the cameras a bit?
I recently bought a Foscam HD camera (the FI9821W V2), and basic setup works okay using their web interface. For actually seeing images, in addition to the useless (for me) ActiveX and Mac plugins, it provides an RTSP stream (easily playable in VLC) and MJPEG stream (seems a bit buggy).
More importantly, Foscam provides an SDK ( http://foscam.us/forum/new-sdk-cgi-application-t13426.html ) that makes it possible to roll your own interface. For example (shameless self-promotion):
-
Re:Source code to Milano released on GitHub
-
Re:Thanks..
See here. Context: Github adds a code of conduct to its own repositories, and advocates other repos doing the same. Some are complaining that it stripped some language from the coc it's partly based on, which explicitly says some forms of racism/sexism/prejudice are okay. The implemented code of conduct (as it stands, minus some iffy language that could potentially be abused to force people to accept bad commits) could be considered feminism. The issues some raise, the code of conduct they want to see implemented, is feminazism.
-
Milano v1.0.1 Available on GitHub
Thank you for your comments!
In order to ensure full transparency and growth to the Milano tool we are releasing the source code on GitHub (link below). Our intentions are to give people a way to protect themselves. The executable was created with the lowest technical user in mind and now we want to make sure we are completely transparent with how our tool operates. In lieu of executing the binary the .py script on GitHub can be leveraged. We have learned a lot during our releases to include, leaving '.DS_Store' within the zip, consistent folder/file names, etc.
This is the first time we have released tools to the public for free. We will continue to develop, improve, and grow our processes as these opportunities are identified. We truly appreciate the feedback and suggestions and will continue to take them into account with every release.
GitHub Repo: https://github.com/RookLabs/mi...
Blog Post: https://www.rooksecurity.com/w...
-
Re:Somebody had to write it
I think the author, using the "offensive-computing" nick, knew very well that this would trigger a discussion and that's probably the reason this project was created in the first place.
Yes, mod this up as the most insightful contribution to the thread so far. Although the author is careful to use other examples in the readme, the code and example application are (provocatively) written to discriminate against everyone except the usual racist definition of 'white Europeans'. The 'European' group of reference populations defined by 23andme would normally include Ashkenazi Jews:
https://customercare.23andme.c...
but this group is explicitly excluded by offensive-computing:
-
Re:Main links hijacked by ads
I have been playing with a 'firewall' for the browser in Opera. It is called uMatrix (micro-matrix) and it is actually not all that bad. It is annoying at first but you eventually get the settings dialed in. They are on a per-site basis and, once dialed in, you do not have to play with the settings any longer. As I tend to flit about the web like a schoolgirl at her first drinking party this has been a neat addition to my browsing.
Git is here:
https://github.com/gorhill/uMa...
You may find it is available for Chrome at least. There may be a Firefox version as well. If not then the source is at the Git that is linked above.
-
P.S. Neither are hard to try yourself w/ MultiROM
Forgot to mention, if you're at all curious and happen to have a rooted phone already, it's quite possible you'll be able to use MultiROM to dual/triple/etc boot to test Ubuntu Touch or SailfishOS or FirefoxOS or whatnot out. Ubuntu is particularly easy since if you're running a supported Android device and already have root it's literally just:
- 1. Install the app from the Play Store
- 2. Click on the option to install MultiROM's bootloader (and patched kernel if yours doesn't have kexec)
- 3. Once the app has taken care of that for you, click on the other option in it to install Ubuntu.
It's all pretty automatic, nearly zero user knowledge needed. And then you can test it out for yourself instead of doing something both scandalous and in this case useless anyways like RTFA'ing. But no, seriously, if you're curious at all, it really is quite easy to set up, and I do think worth it since you'll far more easily discover what Ubuntu Phone (and any other Linux-based smartphone platform you feel like tinkering with, or other Android ROMs) really is and how you do or don't like it.
-
Detekt is promising
https://github.com/botherder/d...
https://github.com/botherder/d...
https://resistsurveillance.org...
A shame their latest release was Dec 4, 2014.
This software has the potential for doing good, but it looks quite limited in scope at the moment. Someone needs to give the developer some cookies or something to push further development.
-
Python Tools for Visual Studio
While we're at it, Python Tools for Visual Studio 2.2 has also been released at the same time. In addition to VS 2015 support, this is mainly a bugfix and do-small-features-that-never-make-the-bar release. If you're a Python developer on Windows, please give it a try, especially if you've never heard about it before. Feel free to tell me that we suck so long as you also file a bug in the tracker. ~
(Full disclosure: I am a developer on the PTVS team.)
-
Re: Try Stack Overflow and --synclines
The example Roger Leigh posted above, for libtiff, is compelling. If you read it, you'll see it is a 1:1 mapping to what autoconf does, and it's a lot neater and more maintainable.
-
Re: Try Stack Overflow and --synclines
Hi Bruce,
As an example, take a look at the script for libtiff, lines 180-402 in particular since these are copying exactly what the original configure script does. The rest is also copying the configure script (options, etc.), but this section is the feature tests.
-
Re:Google is becoming irrelevant
Few people realize this. I am a long-term fan of Opera and have noted such frequently in the past. One thing to note is that Opera has now changed and is based on the same engine that Chrome uses. There is now a stable version of the new version though there is also a beta track (I have one Windows PC on it) but I have no idea how to get back onto it with other computers.
The others, including this, are all on stable releases. I have not actually looked to see how to get onto the beta track though and the version numbers are different after updating. I have not found a repo with the latest Opera build in it either so one must go to the site to get it. There is also a beta (maybe stable - I have not checked) developer's version of Opera available.
It is also open source so you can poke at the source, fork it, or do whatever you want with it now. This is a bonus for those who are interested. I have yet to find anything compelling enough to make me delve into it. I have found (and reported) a few bugs however. They are not dire enough to impact my browsing experience so I have not bothered to try to fix them and I am not at all sure that I could.
The Git is here:
https://github.com/operasoftwa...
Enjoy.
-
Re:What else notable does Windows Pro add?
RDP Wrap made short work of that for me.
-
Re:Who makes these decisions?
Generally most home users, even power users, don't NEED Professional versions.
Your real limitations are:
-Can't join a domain (I've only met one home user with a domain. He's super IT geek, and the whole setup seems to be massive overkill)
-No remote desktop server. RDP Wrap can provide RDP server on home versions, and on all versions can allow concurrent logins (one user can be on the console while another user logs in via RDP).
-RAM limitations (W7 Home Pre: 16GB, Pro 192GB. W8.1 Home: 128GB, Pro 512GB). For a 5.5 year old OS, only recently would W7 home users be running up to that 16GB wall.
In any case, with Windows 10 it seems that KMS based activation is still the only route to "illegitimate" copies, as such it will be easier for home users to pirate and activate Enterprise than Home.
-
Re:obligatory /. joke
Apparently... https://github.com/chrislusf/s...
-
Re:The code...
The Github link in the summary isn't to the code.
My apologies. When I submitted the story I didn't check that link because.... well I guess because I chickened out.
-
Use purple-facebook
In libpurple (read: Pidgin and other apps that might use it for messaging) you can connect via purple-facebook, which is a Facebook chat protocol plugin. There are still some glitches but it's definitely usable.
-
The code...
The Github link in the summary isn't to the code.
-
"Open" standards aren't necessarily truly open.
We don't have to look far to see how what are called "open standards" actually aren't open at all.
Let's start with modern Web standards. They're paraded around as some of the most "open" of the open standards. Yet realistically, unless you're directly affiliated with one of Google, Mozilla, Microsoft, Apple, and maybe Opera, you won't really be able to have any meaningful impact on the standard of these directions.
That's not "open" to me!
It's similar when it comes to Linux init systems. Systemd is now the standard init system on the major Linux distros. Even though it is open source software, it's still not the kind of standard that its users can have much say over. The vendor decides how it's going to work, what it's going to do, and everyone else who uses it has no choice but to submit to it.
I'd only consider a standard open if it was possible to contribute to it like it is possible to contribute to Rust. It has almost 1100 contributors! That is openness! Average users can really make a difference when they contribute to Rust.
-
Re:People go to museums to see dinosaurs
What would you suggest to convert existing SWF vector animations to HTML5 format or to create new vector animations in HTML5 format?
I'd use Flash Professional. Converting an existing Flash project is pretty easy. I imagine WebAssembly might offer further opportunities to build a Flash interpreter over what Shumway offers so far. Adobe themselves might compile Flash player to WebAssembly.
-
Re:People go to museums to see dinosaurs
It would be nice if Mozilla completed their project of a javascript-based interpreter for flash. It would be the same thing that they’ve done for PDF. The overlap between flash and javascript + HTML5 is complete so it should be viable, and as a bonus SWFs would run under the same security sandbox as javascript.
-
Re:reduces some traffic, enables others.
Try microblock instead. And don't rely on just adblocking plugins to keep the network clean. Null route known ad servers at home and work using a blacklist http://pgl.yoyo.org/adservers/. The same process can be applied to rooted android phones as well, creating an ad-free experience that saves you money.
I tried uBlock but it let through a whole pile of crap that Adblock+ didn't so I had to go back. Seriously.. WTF?
-
uBlock Origin
Adblock Plus is old and busted, uBlock Origin is the new hotness.
-
reduces some traffic, enables others.
Adblock plus has a coloured history of cherrypicking advertisers to quietly ignore. It was accused of accepting bribes from google to allow their ads. It has a whitelist of ads it considers tasteful enough to allow as well. It's also been fingered for slowing the browser experience for many users.
Try microblock instead. And don't rely on just adblocking plugins to keep the network clean. Null route known ad servers at home and work using a blacklist http://pgl.yoyo.org/adservers/. The same process can be applied to rooted android phones as well, creating an ad-free experience that saves you money.
-
Re:Webassembly means...
You can write WebAssembly by hand, in the same way you can write Java bytecode by hand.
Not exactly. WebAssembly uses an Abstract Syntax Tree, which, while available in text and binary format, is quite a bit different than just listing out a sequential series of bytecode instructions.
https://github.com/WebAssembly/design/blob/master/AstSemantics.md
-
How the bug was introduced
This bug was introduced recently in https://github.com/openssl/ope... to add support for "In certain situations the server provided certificate chain may no longer be valid" This bug doesn't affect libressl, boringssl, or vigortls.
-
Re:I don't think it will gain much traction
V8 actually has two JIT compilation modes exactly because of things like this. One handles "easy" functions and the other handles "hard" functions (functions that contain eval or try and catch for example), the "easy" compiler has worse performance. This link explains it well:
https://github.com/petkaantono...
Great read for people who want to optimize for V8, many of the tips should be valid for other javascript engines as well.
From the article:
Currently not optimizable (ie will use the slower compilation method):
Generator functions
Functions that contain a for-of statement
Functions that contain a try-catch statement
Functions that contain a try-finally statement
Functions that contain a compound let assignment
Functions that contain a compound const assignment
Functions that contain object literals that contain __proto__ , or get or set declarations.
Likely never optimizable:
Functions that contain a debugger statement
Functions that call literally eval()
Functions that contain a with statement
-
Re:If you're using GPL code, you have no choice
it was actually the great Saint RMS himself who started all the FUD about GPL infection, when he forced the guy who wrote common Lisp to change his license to the GPL
RMS didn't "force" anyone to do anything. I read the whole conversation and what happened here is RMS told Bruno Haible he was distributing someone else's code in violation of the GPL, which it was licensed under.
Bruno had a choice - stop distribution, fight the claim, relicense, or write his own code to replace the GPL'd stuff. He chose to relicense.
It's the same choice everyone has when using GPL'd code - if you abide by the terms of the license, you have permission to redistribute. If not, you have no rights under copyright law.
Bottom line: if you don't plan to share your code, don't use someone else's GPL'd code with it.
-
Debian
https://github.com/hackedteam/...
No mention of iceweasel and family. I may delete my X server after reading all that stuff, they hate GUI programs.
-
Re:Use the diffs
Well, let's assume it's the PSK allowing the buffer overflow
We can see the fix here, so let's look at the code they are replacing.. specifically:
- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
- if (s->ctx->psk_identity_hint == NULL) {
+ s->session->psk_identity_hint = BUF_strndup((char *)p, i);
+ if (s->session->psk_identity_hint == NULL) {
Looks like they went from strdup() to strndup(). Let's look when strdup() was introduced
git grep "BUF_strdup(" $(git rev-list --all) | grep s3_clnt |awk -F':' '{print $1}' | uniq
returns ddac197404f585b8da58df794fc3beb9d08e8cd2
add initial support for RFC 4279 PSK SSL ciphersuites
PR: 1191
Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation
Reviewed by: Nils Larsch
OpenSSL_0_9_8k
Nils Larsch authored on Mar 10, 2006
Since this was added in 2006 and 0.9.8 is not vulnerable it is possible this is not the urgent vulnerability. But similar analysis can be done against the 1.0.2 branch and then looking back at the history of commits as I showed here. Good luck.
-dk
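Review bot: in the added line `BUF_strndup((char *)p, i)` of the hunk quoted above, nothing in these four lines shows `i` being checked against the bytes remaining in the message or against a maximum identity-hint length before the copy, so that bound needs to be confirmed just above this call. The target also moves from `s->ctx` to `s->session`; any hint already stored in `s->session->psk_identity_hint` should be freed before this assignment, which the hunk does not show.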
-
Re:Use the diffs
Why? OpenSSL is opensource. Perusing Github gives me these potential vulnerabilities after the 1.0.2o release (12-Jun-2015)
Remove one extraneous parenthesis
Multiple fixes to mttest.c
Fix PSK handling (best guess this is it as quick review shows it fixes a null pointer exception)
Also let this be a lesson to releasing "WARNING BUG TO BE PATCHED". I'm sure this exploit is already in the wild, I am giving the poor sysadmins out there a chance to identify and patch bugs from 0-day exploits.
-dk
-
Re:In short?
Tell that to:
Automattic
Mozilla
GitHub
Basecamp (formerly 37signals) (who even wrote a book about how great remote working can be)
along with a myriad of other companies who work either entirely remotely, or have very liberal policies around remote working.
Most, if not all of whom, can be considered to be quite successful within their field.
-
Re:Sad
Reddit, the closed-source, privately owned message board
The reddit platform is open source. Just as Soylent News runs on modified Slashcode, there are already other sites out there using reddit's codebase or forks thereof.
-
Re:Find the source code on GitHub
Brilliant, people can start translating the comments in the source code from Italian to English!
Comments in Italian is actually a blessing for English speaking coders. Dijkstra's dictum was: "Never debug the comments. Always debug the code". (I could not find the reference, if he did not say it, someone equally great said it, because it is certainly not my original idea. ) Often comments are redundant, insanely stupid, misleading or obsolete. The only useful comments I find in my own code are along the lines of: "Yes, this function searches through the entire edge list, we tried to speed it up, but the complexity and the cost of maintaining a sorted set of edges were not worth it". Something that documents a dead end code that had been removed.
-
Re:400GB
Git repositories, with history going back... Now on Github for your convenience: https://github.com/hackedteam?...
-
GeoTrust signing keys
Can someone please explain the significance and consequences of publishing this:
GeoTrust_SigningCertificateExported_2011.pfx
-
Re:Find the source code on GitHub
Brilliant, people can start translating the comments in the source code from Italian to English! Would be even funnier if people started filing issues and fix bugs in their code.
But more to the point, will this help bona fide security researchers with their work on fighting exploits on all platforms or is there not much of interest there? Any experts on the matter?
-
Re:Find the source code on GitHub
>> https://github.com/hackedteam/...
>> https://github.com/hackedteam/...ndisk, eh? With a couple of components to collect, report and transmit?
This thing kind of looks like the kit used in Shamoon, Sony, Icefog/Korea, etc.
-
Find the source code on GitHub
Someone started uploading all the HackingTeam source code to GitHub: https://github.com/hackedteam?...
There are also some signing keys for kernel drivers in here.
That's a bad day for Hacking Team and a good day for everyone else.