In any case there's nothing to worry about, both NIST and the EU Common Criteria guys have certified it as being completely secure, so the vulnerability is all just a figment of our imagination.
I did RTFA. It was someone quoting someone else citing someone else referencing someone else who made an unsupported assertion that it was Minix.
The other thing is, are we really 100% completely totally sure this is Minix? I mean... Minix? A (no offence to ast) toy operating system written as a teaching tool in the 1980s? That Minix? Of all the endless, full-featured, modern, well-supported embedded OSes in existence, why would Intel use Minix?
facebook is good for kids and retired ones.
I can understand that it's the perfect medium for stalking and grooming kids, but retired people? They're old, and smell of mothballs.
Or is it so you can rob them?
Flushing that down the toilet might cause a loss of another half or more of their users.
Which they can ill afford. If the other six remaining users jump ship as well, they're toast.
The title for the story should be "Equifax Execs Absolve Themselves of any Wrongdoing". They set up the inquiry, of course it's going to find they did nothing wrong, that was the whole point of having it.
And that's the problem with this proposal. IoT doesn't get updated because of a lack of standards for doing so (there's been firmware-update standards around for a lot longer than IoT, e.g. this one), but because the vendors don't care about it, or the device can't be updated. Proposing a standard isn't going to change this.
In any case this isn't a standard, it's a bunch of ruminations jotted down on paper. To be a standard, it has to be at least 100 pages long, include XML, HTTP, TCP, and LDAP, and require five different parsing engines for different portions of the protocol in order to work.
Apparently you've never heard of Let's Encrypt? No one is required to pay for a "license" to put a secure web page online these days
With Let's Encrypt you still pay, it's just in terms of time and effort, not money. No matter how you slice it, you still need to ask a CA for permission to put a secure web site online. You can't just stand up a server and get crypto, even though SSL/TLS allows for that. The browser vendors have made sure of that.
Linux is fully open source and highly customizable, with default permissions hardened (the user is not in an admin state without using the sudo command) and most software also open source and coming from trusted repositories.
Equifax blames open-source software for its record-breaking security breach.
It doesn't matter what software you use, you need to actually have both the ability and the incentive to use it correctly. Otherwise, you're going to end up with crap whether it's Windows, Linux, OS X, or AmigaDOS.
"You're typing it wrong".
The problem with it was that it was off by default, not on by default. When Chrome throws up a warning that you haven't paid your CA for a license to put a web page online and people will be scared away from your site if you don't, it's enabled by default. Pinning, the same thing that SSH has been successfully doing for twenty years, was turned off by default for web sites. So now they can say it didn't work, and we can all go back to waiting for PKI to start working, as we've been doing for close to thirty years. I mean, it's got to start working at some point if we wait long enough, doesn't it?
Or use the money to pay the other side to go back home. Or contract out the killing to the Russians, or Israel, or ISIS. Or... well, just about anything has got to be better value for money than this ongoing boondoggle.
A side benefit of outsource-to-ISIS is that that'll keep them busy doing other stuff, and hopefully a pile of them will get killed in the process.
They could call it Windows for Pen Computing.
Could someone explain to me why implementing the PRNG in Rust would have prevented this vulnerability?
The problem isn't the use of the X9.17/X9.31 PRNG, it's the use of a hardcoded key with the PRNG and misuse of the PRNG's output. So OpenBSD could be quite vulnerable to all sorts of things that don't involve this particular PRNG. Conversely, something using this PRNG isn't automatically vulnerable.
Philistine! You don't discard the ashes, you put them in a terracotta urn and play test cricket over who gets to hold onto it.
Reviews of its software, which is used on some 400 million computers worldwide, will begin by the first quarter of next year,
after the backdoors have been removed
it said.
That's right. Whenever I buy an iPhone, I destructively test it to make sure it's everything that Apple promises it to be. If it passes, I buy another one.
Of course then I have to destructively test that one, and then buy another one.
I think I personally make up about 97% of Apple's iPhone sales.
I think we can assume that any water definitely would be in the form of ice?
It's condensation from the exogorth's breath.
I'm not worried about Symantec being used for spying, it's that Symantec ES is practically malware itself in the way it behaves, and doesn't offer much protection in any case. So I'd rather have decent protection even if it involves the FSB, than Symantec crapware.
Some security companies are being told to only provide U.S. products
Given the choice between Kaspersky and the FSB vs Symantec Endpoint Security, I'd feel better protected by Kaspersky + FSB.
She's a meremistress. He likes the fishy smell all over, not just in one spot.
Wow, much sophistication in the Australian loginname/password scheme,
I was expecting at least username = fosters, password = xxxx.
If no-one was out to get me I'd be paranoid too. As a government employee I'm required to be nondiscriminatory.
What Microsoft could do to block this is implement a licensing activation system in all their software where it won't run unless activated online. Then they could track which software was being illegally used in Russia and prevent it from running. I think they should get to work on that immediately.