nist.gov · Domains · Slashdot Mirror

NIST begs to differ by mschaffer · 2019-04-13 12:23 · Score: 1 · on The Black Hole Image Data Was Spread Across 5 Petabytes Stored On About Half a Ton of Hard Drives (vice.com)

You are making a common mistake. The kilogram is the standard weight, but naming nomenclature is based on the gram:

Names and symbols for decimal multiples and submultiples of the unit of mass are formed by attaching prefix names to the unit name "gram," and prefix symbols to the unit symbol "g."

from https://www.nist.gov/pml/weigh...

Re:Seven most popular by Anonymous Coward · 2019-03-25 00:27 · Score: 0 · on Which Programming Language Has The Most Security Vulnerabilities? (techrepublic.com)

.Net is only behind C and Java. VB.Net and C# individually are behind C++ in addition to the first two. Yet not mentioned in the post. Why?

You need to understand their method of quantifying first. You need to follow the 2nd link in the summary and look for another link to get to OWASP A9 site. On the site, you need to scroll down a bit to find National Vulnerability Database which gives you all the list of vulnerabilities found for any languages. From there, you simply collect the data and categorize them into each language/technology/framework. That's it! Though, I believe that TFA doesn't really look into each vulnerability but rather count the number...

Re: Trump owns it by muffen · 2019-01-21 11:13 · Score: 1 · on Shutdown Hits Industries Nationwide (wsj.com)

Nobody turns off websites during a shutdown, you fucking liar.

https://www.nist.gov/

Re:Contract Requirements by Anonymous Coward · 2018-12-14 12:09 · Score: 2, Interesting · on Chinese Hackers Breach US Navy Contractors (wsj.com)

Since December 31, 2017, contract requirements do require showing engagement in best practices of network and data security.

https://www.nist.gov/mep/cyber...

Re:Huh? by Rob+Riggs · 2018-12-04 09:23 · Score: 2 · on Kubernetes' First Major Security Hole Discovered (zdnet.com)

There are two scoring methods used by CVE, CVSS 2.0 and CVSS 3.0. You may find this link to the vulnerability enlightening: https://nvd.nist.gov/vuln/deta...
Still, your point is well taken. This is not the first.

Re:Holy shit, Microsoft is more evil than usual by ElizabethGreene · 2018-11-28 10:17 · Score: 1 · on Microsoft Warns Of Two Apps That Installed Root Certificates Then Leaked the Private Keys (zdnet.com)

The underlying paper is here:
https://www.secorvo.de/publika...

The CVE is here:
https://nvd.nist.gov/vuln/deta...

Here's the CVE... CVE-2018-17612 by ElizabethGreene · 2018-11-28 10:11 · Score: 1 · on Microsoft Warns Of Two Apps That Installed Root Certificates Then Leaked the Private Keys (zdnet.com)

Here's the CVE with a link to the details https://nvd.nist.gov/vuln/deta...

Re:relies on 2 and 5 year old exploits... by TheDarkener · 2018-11-24 09:23 · Score: 1 · on New Linux Crypto-miner Steals Your Root Password and Disables Your Antivirus (zdnet.com)

Beat me to it:

CVE-2016-5195
CVE-2013-2094

Seriously, this has nothing to do with "Linux is more secure than Windows". If you're running this old ass code in the wild, you sort of deserve it at this point.

Re:This is news in 2018? by thrig · 2018-11-15 06:31 · Score: 1 · on The Internet Has a Huge C/C++ Problem and Developers Don't Want to Deal With It (vice.com)

Rust you say... https://github.com/jwilm/alacr... https://nvd.nist.gov/vuln/deta... off by ones, and where were the unit tests? progress in coding... as for how one regards all the "have you heard the good word of Rust" evangelism and that cod of conduct, well now that's opinion territory

Re:Architecture and Design by ytene · 2018-11-14 19:14 · Score: 1 · on Why is Antivirus Software Still a Thing? (vice.com)

It is my understanding that it is, indeed possible. For example, consider the DoD Orange Book security classifications for Operating Systems.

See here.

In fairness, the DoD Evaluation Criteria go back to 1983 - I am sure that there are more recent versions that could be referenced.

But rather than focus on the Orange Book specifically, consider instead as an example of a principle. That principle was a determined effort to design a set of operating criteria and behaviours that would result in a secure operating system. So yes, I think it can be done.

Re:The "kilo" remains at exactly 1000 by CustomSolvers2 · 2018-11-10 04:06 · Score: 1 · on The Future of the Kilo: a Weighty Matter (theguardian.com)

Yes, I know that traditionally kilo was assumed to be 1024 when dealing with bits/bytes. Yes, this new version does sound a bit ridiculous. But it is the standard now: "Because the SI prefixes strictly represent powers of 10, they should not be used to represent powers of 2. Thus, one kilobit, or 1 kbit, is 1000 bit and not 2^10 bit = 1024 bit. To alleviate this ambiguity, prefixes for binary multiples have been adopted by the International Electrotechnical Commission (IEC) for use in information technology.".

Actually, I only knew about this kilo/kibi weirdness a few years back when doing some research to develop a library dealing with units of measurement. Curiously, I am currently studying a reasonably deep mixture of computer/telecommunication engineering and most of the references there are Kbit/Kbyte. I understand that this is an informal convention to indicate that they mean the 1024 versions (because 1000/kilo should be lower k).

Re:The "kilo" remains at exactly 1000 by CustomSolvers2 · 2018-11-10 04:06 · Score: 1 · on The Future of the Kilo: a Weighty Matter (theguardian.com)

Yes, I know that traditionally kilo was assumed to be 1024 when dealing with bits/bytes. Yes, this new version does sound a bit ridiculous. But it is the standard now: "Because the SI prefixes strictly represent powers of 10, they should not be used to represent powers of 2. Thus, one kilobit, or 1 kbit, is 1000 bit and not 2^10 bit = 1024 bit. To alleviate this ambiguity, prefixes for binary multiples have been adopted by the International Electrotechnical Commission (IEC) for use in information technology.".

Actually, I only knew about this kilo/kibi weirdness a few years back when doing some research to develop a library dealing with units of measurement. Curiously, I am currently studying a reasonably deep mixture of computer/telecommunication engineering and most of the references there are Kbit/Kbyte. I understand that this is an informal convention to indicate that they mean the 1024 versions (because 1000/kilo should be lower k).

Re:"Chaos" is overstated by mjdrzewi · 2018-11-06 10:41 · Score: 5, Informative · on The Future of the Kilo: a Weighty Matter (theguardian.com)

The USA is technically metric. Just about all of the US units a defined as some number of metric units. Example.1 inch is defined as 25.4 mm and has been that way since 1959. https://www.nist.gov/pml/weigh... https://www.nist.gov/physical-...

Re:"Chaos" is overstated by mjdrzewi · 2018-11-06 10:41 · Score: 5, Informative · on The Future of the Kilo: a Weighty Matter (theguardian.com)

The USA is technically metric. Just about all of the US units a defined as some number of metric units. Example.1 inch is defined as 25.4 mm and has been that way since 1959. https://www.nist.gov/pml/weigh... https://www.nist.gov/physical-...

Re:No, they will not by Minupla · 2018-10-19 05:02 · Score: 1 · on Quantum Computers Will Break the Encryption that Protects the Internet (economist.com)

There are classes of secrets for which "decades" is a reasonable threat model. Communications can be an example. If I'm recording everything you send NOW, are you sure there's nothing in there that won't be a problem for you in 20, 30 years? Consider some person is going to be present of the US in 20, 30 years.

If you're on the Nation State side of this, recording everything you can and decrypting later is a totally legitimate strategy, as SOMEONE will be the leader of $otherCountry then, and having all their emails ever is going to be valuable, even if only for putting together a psychological profile.

So people who work for companies whose job it is to protect your information SHOULD be looking ahead. I know I'm writing policy documents with words like "Quantium Horizon" in them and looking at up and coming post-quantum algorithms. You're welcome :).

Min

PS: https://csrc.nist.gov/projects...

Re:Not just 5.6 by amicusNYCL · 2018-08-31 04:33 · Score: 1 · on As PHP 5.6, Still Used By a Large Number of Websites, Approaches Its End of Life Deadline, Some Worry About the Consequences (linkedin.com)

Haha, well PHP CVEs certainly don't impact my sleep schedule. For example, I've never needed to use com_print_typeinfo, and it's not used in the framework that our application uses, and even if it did it probably wouldn't take user-supplied data as an argument, and even if it did our servers do not run Windows. So I don't need to worry about arbitrary code execution using this.

This is what I'm talking about. Yes, that vulnerability exists. But the vulnerability is not "run PHP and you're vulnerable to this." It is

1. Run PHP earlier than 5.4.3
2. Do it on Windows
3. Use com_print_typeinfo
4. Allow user-supplied data as a parameter

It's just not as simple as "if you're running PHP, you're vulnerable to this." Slashdot is full of stories of various MacOS vulnerabilities or whatever which require physical access or some other constraint that attackers normally cannot take advantage of. This is the same thing. Yes, there are vulnerabilities, but the requirements for those vulnerabilities mean that the vast, vast majority of servers and sites are not actually vulnerable to them.

Now, SOMEONE was vulnerable to that, and they became aware of that fact apparently in May 2012. But a successful exploit requires several things to happen. In this case, it is enough if someone runs PHP 5.4 on Windows and allows unauthorized people to upload and run PHP files. That's not a vulnerability though, that's stupidity. Sadly, there is no patch for stupidity.

Re:Well, yeah. by Hotawa+Hawk-eye · 2018-08-21 08:37 · Score: 1 · on 'Calculators Killed the Standard Statistical Table' (sas.com)

According to Wikipedia (https://en.wikipedia.org/wiki/Abramowitz_and_Stegun) "Because the Handbook is the work of U.S. federal government employees acting in their official capacity, it is not protected by copyright in the United States." At the end of the article are links to places you can download it. The successor to A&S, the NIST Handbook of Mathematical Functions (which has an online companion, https://dlmf.nist.gov/) omits the tables (referring to A&S or to other papers.)

Re:WWV[H][B] by SteveSgt · 2018-08-15 09:15 · Score: 1 · on WWV Shortwave Time Broadcasts May Be Slashed In 2019 (qrz.com)

Although I omitted WWVB in the summary I submitted, there's no information that it wouldn't be included in the general statement:

...including the shutdown of NIST radio stations in Colorado and Hawaii.

Because WWVB is in Colorado [ https://www.nist.gov/pml/time-... ].

Re:WWVB will still work by SteveSgt · 2018-08-15 04:05 · Score: 1 · on WWV Shortwave Time Broadcasts May Be Slashed In 2019 (qrz.com)

Most of the devices mentioned use WWVB which I understand will continue to operate.

WWVB is one of the, "NIST radio stations in Colorado and Hawaii." [ https://www.nist.gov/pml/time-... ]

What references can you cite that say it won't be shut down?

Re:if that happens by SteveSgt · 2018-08-15 04:03 · Score: 1 · on WWV Shortwave Time Broadcasts May Be Slashed In 2019 (qrz.com)

Or, Megane, you could read not only the source article, but follow the other links and discover that WWVB is also one of the, "NIST radio stations in Colorado and Hawaii."
[ https://www.nist.gov/pml/time-... ]

Re:WWVB affected? by SteveSgt · 2018-08-15 03:59 · Score: 1 · on WWV Shortwave Time Broadcasts May Be Slashed In 2019 (qrz.com)

Someone didn't RTFOA. And I neglected to include WWVB in the summary. But the source document [ https://www.nist.gov/director/... ] indicates that all radio broadcast operations in Colorado and Hawaii are on the chopping block.

According to this page, WWVB is also in Colorado:
[ https://www.nist.gov/pml/time-... ]

NIST radio station WWVB is located on the same site as NIST HF radio station WWV near Fort Collins, Colorado.

Re:WWVB affected? by SteveSgt · 2018-08-15 03:59 · Score: 1 · on WWV Shortwave Time Broadcasts May Be Slashed In 2019 (qrz.com)

Someone didn't RTFOA. And I neglected to include WWVB in the summary. But the source document [ https://www.nist.gov/director/... ] indicates that all radio broadcast operations in Colorado and Hawaii are on the chopping block.

According to this page, WWVB is also in Colorado:
[ https://www.nist.gov/pml/time-... ]

NIST radio station WWVB is located on the same site as NIST HF radio station WWV near Fort Collins, Colorado.

Not irrelevant at all by Anonymous Coward · 2018-08-14 19:35 · Score: 3, Informative · on WWV Shortwave Time Broadcasts May Be Slashed In 2019 (qrz.com)

I couldn't disagree more. From the NIST budget request summary:

This budget request is consistent with the administration’s priorities to redirect domestic discretionary resources to rebuild the military and make critical investments in the nation’s security, and keep the nation on a responsible fiscal path.

Funding for discretionary programs is being reduced to allocate more funding for the military and "national security", which I suspect refers largely to the President's idea of border security. That makes it fair game to discuss defense and border security when commenting on the proposed shutdown of the WWV stations.

While we can debate a reasonable level of defense spending, let's use NATO's 2% of GDP standard. US defense spending is around 3.6% of GDP, and President Trump's requested FY 2019 budget increases DOD spending by 13% over 2017 levels. Proposed military spending is outpacing GDP growth. At the same time, President Trump is requesting a long list of reforms and spending cuts.

In fairness, it's necessary to understand the context of proposed cuts. For example, NOAA is proposing to cut VORTEX-SE, which is a project that studies tornadoes in the Southeast US. Taken out of context, one might think NOAA isn't prioritizing the improvement of tornado warnings. In reality, VORTEX-SE was supposed to collect high quality in-situ data for a few events each spring over the span of 2-3 years and fund a number of related research projects, many of which use the data collected during the field campaign. Most field campaigns such as the original VORTEX (1994-5) and VORTEX2 (2009-10) have been just as short in duration. VORTEX-SE has run longer and wasn't cut in FY 2018 because Congress never passed the relevant appropriations bill and kept funding basically at FY 2017 levels in the continuing resolutions. Context is important to understand proposed cuts, such as if a program has already achieved its goals.

I looked for justification for the proposed cutting of WWV stations and I couldn't find anything that explains why these stations are being targeted for shutdown. Absent any good context for why funding cuts for these stations is requested, it's fair to assume it would be a casualty of the President's overall budget goals. For that reason, it's certainly fair game to criticize our excessive defense spending.

Re:Clocks do not set to WWV by SteveSgt · 2018-08-14 17:06 · Score: 1 · on WWV Shortwave Time Broadcasts May Be Slashed In 2019 (qrz.com)

The budget proposal says:

...including the shutdown of NIST radio stations in Colorado and Hawaii

So perhaps all broadcast operations in Colorado will be shut down.
According to this page, WWVB is also in Colorado:
[ https://www.nist.gov/pml/time-... ]

NIST radio station WWVB is located on the same site as NIST HF radio station WWV near Fort Collins, Colorado.

So it looks to me like WWVB could also be on the chopping block.

Re:Software security condundrum by Anonymous Coward · 2018-08-09 04:15 · Score: 0 · on Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties (threatpost.com)

If asked to change the infrastructure for every time there is a bug. The fix will take years to get out, and a new infrastructure will introduce new flaws untested.

Thanks for the bullshit false dichotomy. The guy has found 30 bugs over the last couple years. While it'd be unreasonable to expect that every form of bug that he's discovered to be fixed, it's clear that Apple follows more closely the

You have software that took months/years to plan and develop.
A problem is found.
You need to Fix it Fast, before it goes out to the wild.
It will need to be tested to make sure it doesn't break compatibility or break something else.

approach but without actually learning any lessons for the "plan and develop" step for the future. That's the complaint. Just a few of the exploits he's found old and new seem to suffer from the same sort of incompetence that should have been addressed a long time ago.

I say, look at Microsoft. By no means was or is Microsoft a bastion of bug-free software, but they did in the mid/late-00s actually strive to actually take security seriously and work to minimize bugs and discover what practices were creating them. There's already whole classes of static code analysis tools that likely would have found at least have the bugs Mr Beer found. They didn't/don't need to wait until 2018 to finally do something especially when it was released at precisely the time Microsoft, a clear industry leader, was finally getting its act together and pushing towards the reasonable position that connected devices should put security as a high priority.

Perhaps if Apple was focused less on UI "design" and more on architectural "design" we wouldn't be in this mess? Certainly, they've had plenty of time to shift their focus. Perhaps now with some urging from outsiders, just like how Microsoft had to change maybe Apple will too.

Re:Software security condundrum by Anonymous Coward · 2018-08-09 04:15 · Score: 0 · on Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties (threatpost.com)

If asked to change the infrastructure for every time there is a bug. The fix will take years to get out, and a new infrastructure will introduce new flaws untested.

Thanks for the bullshit false dichotomy. The guy has found 30 bugs over the last couple years. While it'd be unreasonable to expect that every form of bug that he's discovered to be fixed, it's clear that Apple follows more closely the

You have software that took months/years to plan and develop.
A problem is found.
You need to Fix it Fast, before it goes out to the wild.
It will need to be tested to make sure it doesn't break compatibility or break something else.

approach but without actually learning any lessons for the "plan and develop" step for the future. That's the complaint. Just a few of the exploits he's found old and new seem to suffer from the same sort of incompetence that should have been addressed a long time ago.

I say, look at Microsoft. By no means was or is Microsoft a bastion of bug-free software, but they did in the mid/late-00s actually strive to actually take security seriously and work to minimize bugs and discover what practices were creating them. There's already whole classes of static code analysis tools that likely would have found at least have the bugs Mr Beer found. They didn't/don't need to wait until 2018 to finally do something especially when it was released at precisely the time Microsoft, a clear industry leader, was finally getting its act together and pushing towards the reasonable position that connected devices should put security as a high priority.

Perhaps if Apple was focused less on UI "design" and more on architectural "design" we wouldn't be in this mess? Certainly, they've had plenty of time to shift their focus. Perhaps now with some urging from outsiders, just like how Microsoft had to change maybe Apple will too.

Re:0wned by Google by flink · 2018-07-25 09:54 · Score: 2 · on Google Launches Its Own Physical Security Key (cyberscoop.com)

In all seriousness, though, why should we trust Yubikey, Google, or any security key that doesn't publicly post its design and firmware for independent external audit? FST-01 or bust.

The USB flavor of the Yubi key is FIPS-140 certified, so it has been independently audited, albeit not in a public manner.

Re:Fairly straightforward solution... by Train0987 · 2018-07-18 04:54 · Score: 1 · on Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States (vice.com)

Yes, and that was done in 2002 with the Help America Vote Act.

https://www.nist.gov/itl/votin...

Re:Hardcoded passwords by scdeimos · 2018-03-08 09:40 · Score: 3 · on Hardcoded Password Found in Cisco Software (bleepingcomputer.com)

Yes, this is 2018 and we're still seeing hardcoded passwords in Cisco products. How could anyone be surprised by this?

These are just the first page of results for hardcoded passwords relating to Cisco software and appliances [CVE Cisco hardcoded password site:nvd.nist.gov] - according to Google there are over 300 of them. You'd think Cisco would have been burned enough on this already but I guess some companies never learn.