Slashdot Mirror


User: mysidia

mysidia's activity in the archive.

Stories: 0
Comments: 13,354

Comments · 13,354

  1. Re:Don't keep vulnerable servers running! on Private Keys Stolen Within Hours From Heartbleed OpenSSL Site · · Score: 1

    I would also only be able to use EC cryptography with PFS with OpenSSL. I don't trust EC personally, yet. It's just not been around long enough for me.

    The promise of PFS is that a private key compromised or lost after the fact does not compromise the contents of all sessions. Which means it's useless for an attacker to intercept thousands of SSH sessions, and then later make an attempt to break into the server --- they need the private key at the time of any attack.

    Your argument is the equivalent of saying "I would use SSH, but I just don't trust PAM yet for my password authentication, which SSH seems to require. So I'll keep on using Telnet."

    By the way, ECDSA has been around over 10 years. In computer industry terms, that is quite ancient.

  2. Re:The CA should not revoke the certificates, on Private Keys Stolen Within Hours From Heartbleed OpenSSL Site · · Score: 2

    Which only tells us they're patched now, it doesn't tell them how much time the site was vulnerable.

    That's true, BUT for the ones that are patched now --- the admin probably understands the issue. The sites with negligent, clueless, or sloppy admins will be unpatched sites mostly (or sites running earlier releases before the vulnerable version).

  3. Re:The CA should not revoke the certificates, on Private Keys Stolen Within Hours From Heartbleed OpenSSL Site · · Score: 1

    Which only tells us they're patched now, it doesn't tell them how much time the site was vulnerable.

    If they're patched now but were vulnerable 1 month ago, there is a pretty good chance (>90%) that the keys have not been stolen.

  4. Re:Impossible on Using Supercomputers To Predict Signs of Black Holes Swallowing Stars · · Score: 1

    How can a black hole swallow a star if the star's clock slows to a stop as it approaches the event horizon?

    It stops from the star's perspective, maybe. From the perspective of an outside observer: the star is absorbed into the black hole and ceases to exist.

    But according to Hawking, there is no event horizon as previously believed; just an apparent horizon.

  5. Re:A really slow news day on Mathematicians Use Mossberg 500 Pump-Action Shotgun To Calculate Pi · · Score: 1

    what's next? researchers use beads to do arithmetic?

    Next article is on how to use paper logarithm tables to perform calculations in a post-apocalyptic world.

  6. Re:Oh, man, what a mess on Private Keys Stolen Within Hours From Heartbleed OpenSSL Site · · Score: 2

    You are correct about there being other IIS security vulnerabilities. There have also been other OpenSSL, Apache, and Nginx remote code execution vulnerabilities.

    The Nginx RCE could also be used to compromise key storage.... could do even better than that, could load an eavesdropping trojan into memory.

    The past IIS vulns did not necessarily easily compromise key storage.

    The Heartbleed bug is MUCH easier to exploit than any RCE bug, even though the RCE bugs are more useful for an attacker, if a server is known to be vulnerable to one.

  7. Re:Even root CA certificates may be at risk. on Private Keys Stolen Within Hours From Heartbleed OpenSSL Site · · Score: 2

    You would not believe what VP's will force you to do to get their $20 million flagship project out the door and then quickly forgotten about after the guy that was forced to do it quits in disgust.

    Fraud that can get you in jail is not one of those things that some VP can force you to do.

    The CA has to be validated by third party auditors, before it can even be trusted. One of the aspects that must be audited is the governance of that CA and the policies and controls of the CA designed to ensure the CA operates only according to the policies, and that would include that no system admin or member of management is capable of bypassing the rules.

  8. Re:Why would I work for free to make Apple rich? on Apple's Spotty Record of Giving Back To the Tech Industry · · Score: 0

    GPL doesn't restrict people from using the software any way they want. It restricts them from preventing anyone else from using the software any way they want.

    No... you're missing the big picture. It restricts the following use right: the right to use the code by modifying it, making a copy of the software, and selling or giving it to a friend or client, without giving the friend or client access to the source code.

    Modifying the code and redistributing just the binary is one way of using the program. This use of the program is restricted by the GPL.

    So the GPL does indeed restrict use.

    You are prohibited from adding proprietary changes and keeping the nature and form of your changes confidential and protecting your rights to your changes and modifications.

  9. Re:Oh, man, what a mess on Private Keys Stolen Within Hours From Heartbleed OpenSSL Site · · Score: 5, Informative

    pretty much every current web server cert in existence also needs to be revoked. Are the CAs even willing/able to do something on that scale in a short amount of time?

    Calm down. A majority of web servers are not vulnerable and never were. All in all... less than 30% of SSL sites need to revoke any keys.

    Some websites are running with SSL crypto operations performed by a FIPS140-2 hardware security module; these are not vulnerable, since OpenSSL doesn't have access to the private key stored in the server's hardware crypto token.

    Many web sites are running on Windows IIS. None of these servers are vulnerable.

    Plenty of web sites are running under Apache with mod_nss, instead of mod_ssl. None of the websites using the LibNSS implementation of SSL are vulnerable.

    Many web sites are running on CentOS5 servers with Redhat's openssl 0.9.x packages. None of these servers were ever vulnerable.

    Many web sites are running on CentOS6 servers, that had not updated OpenSSL above 1.0.0. These websites weren't vulnerable.

    Many websites are running behind a SSL offload load-balancer; instead of using OpenSSL. Many of these sites were not vulnerable.

  10. Re:Even root CA certificates may be at risk. on Private Keys Stolen Within Hours From Heartbleed OpenSSL Site · · Score: 1

    I'm sure some places will have their root CA on an externally connected machine, then try to place blame, likely saying how insecure UNIX is (when it isn't any particular flavor of UNIX that is at fault.)

    Since this is in violation of the CA/Browser forum rules and Mozilla policies that pertain to trusted CA certificates; they are either lying, grossly negligent, OR both: if they have a root CA's private key ever loaded into an externally connected machine.

    In fact.... a CA root certificate itself is not a trusted certificate for ANY domain name. They'd have to go out of their way to compromise it --- such as by issuing an OCSP responder certificate with the same keypair.

  11. Re:The CA should not revoke the certificates, on Private Keys Stolen Within Hours From Heartbleed OpenSSL Site · · Score: 5, Insightful

    the user of the keys should do this. Would you want to pay for new certs even if you were not affected by heartbleed?

    It's within the CA's right, however, to scan the URLs certified by each certificate, test for Heartbleed vulnerability --- and automatically revoke, if they determine that the site is vulnerable.

  12. Re:Steve Jobs' culture on Apple's Spotty Record of Giving Back To the Tech Industry · · Score: 1

    Then perhaps Apple HAS given back significantly more than we know about?

  13. Re:Why would I work for free to make Apple rich? on Apple's Spotty Record of Giving Back To the Tech Industry · · Score: 1

    3)if you want to redistribute it, in any way shape or form, give us credit

    Yes... Unfortunately number (3) is a bit lost, for most redistributions of OSes or large software packages that happen to have BSD licensed elements --- there is no meaningful show of credit.

    There used to be an advertising requirement in the original 4-clause BSD license, that would require mention of the developer's organization in advertising material --- but that bit got raped/essentially forced out, mainly due to the GPL being arbitrarily incompatible with it.

  14. Re:Why would I work for free to make Apple rich? on Apple's Spotty Record of Giving Back To the Tech Industry · · Score: 3, Insightful

    You can't stop someone from using the software the way they want.

    Yes you can. You can release it under a restrictive license such as the GPL Version 3, then they either cannot legally use it, OR they must distribute the source back.

    You can also choose a GPL-incompatible free software license with even more restrictions, if you like.

  15. Re:The magical scenario is "gradual social decay." on Ask Slashdot: Are You Apocalypse-Useful? · · Score: 1

    Can you seriously imagine a disaster that would destroy all of these locations (and thus all of their knowledge and infrastructure) entirely and near simultaneously that would also leave any significant number of human survivors such that they'd have a shot at rebuilding society anyway?

    My suggestion is that for the first 20 or 30 years after the apocalyptic event, there might be no use for the knowledge contained in those books. People will largely prioritize survival over the preservation of the pieces of their former civilization.

    When you are freezing to death.... the materials in old buildings, such as libraries... are attractive firewood.

    The apocalyptic event may have been a meteor shower that compromised the roofs of all these buildings, so by the time the knowledge is useful in over 100 years --- these places have all been torn apart.

  16. Re:Not necessarily on Ask Slashdot: Are You Apocalypse-Useful? · · Score: 1

    That's assuming they even have a vaccine. Ebola has no cure and has a 90%+ kill rate.

    Yes.... well.... there have been cases of the Ebola fever in 6 African countries since 1976.

    But so far, the survival rate is so low and the death rate so high, that the virus tends to kill its hosts, before the disease can spread much, and the infectious dead bodies have generally been in isolated areas --- thus limiting the spread of the virus so far.

    Of course.... in the event of a worldwide infectious disease pandemic, the #1 survival trait to have, would be a unique biology, and (by pure luck) resistance to the infection....

  17. Re:The magical scenario is "gradual social decay." on Ask Slashdot: Are You Apocalypse-Useful? · · Score: 1

    In an apocalypse scenario... those libraries might all burn to the ground, or be targeted by insurgents for book burning, so the information could still be lost. How many redundant copies of the information are available to educated people but protected and adequately vaulted against both natural disaster and human sabotage?

  18. Re:It is a Hobby on FAA Shuts Down Search-and-Rescue Drones · · Score: 1

    This is solely for the IRS' purposes, to ensure that you cannot subtract losses related to your non-profitable business, from your other income or inflows into your business: in other words, the IRS "HOBBY" definition is for the purpose of maximizing government tax revenues.

    Other regulators are not beholden to their position. The IRS will also reclassify as non-Hobby when it is in their interests to do so.

  19. Re:"It's Not a Tumor" - Oh Wait, It Is on Theo De Raadt's Small Rant On OpenSSL · · Score: 1

    Correct. If your organization engages Geotrust with that service, then you can setup a certificate authority within your own organization chained to their certificate.

    However, you have to follow rules that are even more restrictive than what a CA has to follow with their root certificate, and you have to be audited like a CA.

    This is very expensive, and it is not immediately clear: what organizations would be willing to go through the tremendous expenses, and not take the additional few steps to get on the browser trust lists.

    It is certainly not something you will see Mom and Pop firms doing. Perhaps some companies in the top 50 of the Fortune 500.

  20. Re:So you CAN buy a license to speed on Can You Buy a License To Speed In California? · · Score: 1

    I do care that we've created a pool of privileged drivers who are no longer receiving any feedback when they engage in higher-risk driving behaviors.

    I don't think that's true. If they are driving recklessly, they are still going to get pulled over.

    "Go ahead and drive as fast as you want; we'll trust your judgement on that until after your first high-speed collision..." probably isn't a real solid basis for road safety.

    No. However.... speeding tickets for drivers apparently going 75mph in a 70mph zone are bullshit. There are a large number of tickets that have everything to do with generating revenue for police officers and government, which have absolutely nothing in fact to do with "road safety".

    The arbitrariness of "Well.. you gave to these charitable causes" is no more arbitrary than the basis for the speeding ticket in the first place, in many cases.

    There are plenty of miscreants engaging in high-risk road behaviors such as tailgating, drunk driving, cutting other drivers off --- turning in front of oncoming traffic, slamming on the brakes for no reason, repeatedly swerving around traffic from lane to lane (with high-risk lane changes directly in front of another driver), that manage to never get any tickets ----- and they don't seem to need special stickers or license plates to get away with it.

  21. Re:So you CAN buy a license to speed on Can You Buy a License To Speed In California? · · Score: 1

    I'm not entirely sure they get special treatment. I have heard stories about cops saying they'd pull people over, just because they saw the special license plate frame adornment.

    They might get leniency on some offenses.... but they might also be more likely to get pulled over and issued a minor citation.

  22. Re:So you CAN buy a license to speed on Can You Buy a License To Speed In California? · · Score: 1, Insightful

    No one really cares about the tickets themselves. For someone making $200k a year, they would gladly pay $200 every week for the right to zip through crawling traffic.

    Did it not occur to you that someone making >$200k a year might feel some obligation or desire to contribute sizable amounts to some charities, in order to bolster the community, not because they expect to be exempted from enforcement of the law?

    Especially law enforcement, since their expensive cars and other bling put the high-income folks at greater risk of a crime targeting them: the availability and cooperation/assistance from law enforcement is potentially very important to these folks' safety and peace of mind.

    If indeed they were speeding to a ridiculous degree, and it was a safety issue, and it caused them to be at fault in an accident --- some silly license plate frame is not going to get them out of it, or protect them from the multi-million$ personal injury lawsuit from the impacted driver.

  23. Re:Not a Myth on Stung By File-Encrypting Malware, Researchers Fight Back · · Score: 1

    So which OS that has a large marketshare has never had a privilege escalation bug?

    VMware ESXi. (*Privilege escalations within a Windows guest operating system don't count; only escalations from a lower privileged user, or OS running in the hypervisor, to privileged hypervisor control.)

  24. Re:Don't forget your yellow ribbon sticker on Can You Buy a License To Speed In California? · · Score: 1

    If they refer you a close friend or relative, hire that person on the spot.

    This can backfire, if their friend or relative turns out to be a terrible employee, and your business incurs the expense of paying them with little benefit and perhaps net harm...

  25. Re:So you CAN buy a license to speed on Can You Buy a License To Speed In California? · · Score: 1

    So what he is saying is you DO get love (aka get out of jail free) if you show the card.

    He is implying that you might get some love on a one-off stop; perhaps a warning or a more-lenient ticket.

    On the other hand... is donating $2500 to a charity, really worth avoiding a couple potential traffic tickets?