Google discovered the vulnerability on March 21 and communicated it to Codenomicon and the OpenSSL Project. Codenomicon disclosed it to the public before it was patched. On April 07 the OpenSSL Project released a patch.
@anon: 'If you don't know what you are doing, then you don't know what to test for. Anonabox crisis team meeting; "IPv6??? What is that? Why didn't anyone say anything about it? Where did that come from?"'
I suspect the crisis team consists of some uni student who scraped the code off the Intertubes :) Seriously Anonabox, if you are serious about security, then hire a pen testing team that does nothing but hammer on your device seeking out potential security vulnerabilities. At the end of about ten months you can then declare it as safe as is humanly possible. But then again no one, including the major players, does this. The usual method is: if it compiles then ship it, and fix the (user reported) bugs in the next version.
Did no one test this security device for security before shipping it? Does this episode demonstrate the perils of outsourcing your development to some newly qualified intern in the Far East?
What is OpenWrt?
Anonymous Troll: "The struggle now is how to keep people from destroying things. Firefox is a disaster. Gnome is useless. Seems like people take over these projects and tear them to pieces."
'Pale Moon is an Open Source, Firefox-based web browser available for Microsoft Windows, Android and Linux (with other operating systems in development), focusing on efficiency and ease of use. Make sure to get the most out of your browser!'
Anon: 'Having an "OS" which downloads random bits of the Internet and *executes* that is the big elephant in the room.'
The reason is that it is technically easier to run scripts to achieve such usability. What used to be known as 'keyboard macros' are essentially commands that execute as if you had typed them at the keyboard. Can anyone in Apple/Google/Microsoft/Oracle come up with a better solution? Sun's Java was sold as being multi-platform and secure because it ran in a sandbox. That turned out later not to be the case. Please don't bore me with reasons why it's not possible to design a secure "OS".
Anonymous Troll: "A business is trying to make money RAWWWWWWWWWWWWWWWWWWWWWWWWWWWR"
.. BUWWWWWWWWWWWWWWWWWWWWWWWWWWWR ...
Comcast bribes people to write positive letters to the FCC
'Tonight Brad Smith, general counsel for Microsoft, delivered the “footnote” address at the Open Source Business Conference 2008. I asked Brad to speak because I figured it was the shortest path to getting clarity from Microsoft vis-a-vis open source and the nettlesome legal issues that have plagued Microsoft’s relationship with open source' ref.
"I understand that Microsoft may be using the OSI's license approval process to its own ends, and potentially ends that may be anti-open source. I'm still not sure, however, that it's appropriate to treat an incoming license from Microsoft any differently than one that comes from Linus Torvalds ref"
A BIG YES - mod this comment up right now!
And the solution is to not connect your Drug Infusion Pumps to the Intertubes!
Nuff sed .. been totally Open Source for the past year .. no thanks to MICROS~1
"We've been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them."
This document from 2005 sets out why relying on detecting malware doesn't work. 'The Six Dumbest Ideas in Computer Security'
"Do you imagine an internet, 20 years from now, where we don't have to worry about what links we click or what attachments we open? Or is it the other way around, with threats so hard to block and DDoS attacks so rampant that the internet of the future is not as useful as it is now?"
I don't have to imagine, I'm doing so right now on this Ubuntu desktop, and DDoS attacks are only viable because of all those compromised Windows desktops out there on the Internet. Meanwhile, for those still afflicted, how about getting the security vendors to design a 'computer' that doesn't run malware when you click on a URL or open an email attachment?
Don't connect computers to the Internet that can so easily be compromised by clicking on a URL or opening an email attachment. I would suspect that the reason current security is so easily compromised is that the manufacturers were compelled to dilute security so that state security services could better keep an eye on us - in order to protect us from the terrorists.
So basically Baidu's search results are being hijacked to run a JS script on the client computers. Unlike a normal DDoS, the client computer hasn't yet been compromised.
Baidu’s traffic hijacked to DDoS GitHub.com
@sjbe: "There is a reason why I generally use LTE. I don't have nearly as many security or connectivity problems 99% of the time."
You have got to be shitting me? Folks, you would think the designers of these 'secure' base stations would have wondered how to protect against cell site spoofing. Besides which, it is currently illegal in the EU to sell mobile phones that cannot be intercepted regardless of the level of 'security'
'Stingrays Go Mainstream: 2014 in Review'
I wonder if this is part of the lawful intercept they mention in the manual? I mean, what are the odds of accidentally leaving unauthorized rsync active in the device? Who did ANTlabs get to do the work?
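The check a tester would run for the failure mode described above (an rsync daemon on the device that answers anyone who can reach it), as an added example that is not from the original post and not ANTlabs' code. The @RSYNCD banner exchange, the '#list' request and the OK/AUTHREQD replies are rsync's real daemon protocol; the target host, the function names and the sample reply are assumptions made for illustration.

```python
"""Check a device for an rsync daemon that answers without credentials.

Added example; not code from the original post and not ANTlabs' code.  The
@RSYNCD handshake, the '#list' request and the OK/AUTHREQD replies are
rsync's daemon protocol (see rsyncd.conf(5)); the function names, the
target host and the constructed sample reply are assumptions.
"""
import socket

RSYNC_PORT = 873
CLIENT_VERSION = b"@RSYNCD: 31.0\n"      # protocol version we announce


def _open_daemon(host: str, port: int, timeout: float):
    """Connect and complete the banner exchange; returns (socket, file)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rwb", buffering=0)
    banner = f.readline()                 # daemon speaks first: b"@RSYNCD: 31.0\n"
    if not banner.startswith(b"@RSYNCD:"):
        sock.close()
        raise RuntimeError(f"{host}:{port} is not an rsync daemon: {banner!r}")
    f.write(CLIENT_VERSION)
    return sock, f


def parse_module_list(payload: bytes) -> list:
    """Turn the reply to '#list' into (module, comment) pairs.

    rsync prints one module per line as 'name<TAB>comment' (just 'name' when
    the module has no comment) and ends with '@RSYNCD: EXIT'.  A configured
    MOTD precedes the list as untagged text, so review the names by eye.
    """
    modules = []
    for raw in payload.decode("utf-8", "replace").splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("@RSYNCD: EXIT"):
            break
        if line.startswith("@RSYNCD:"):
            continue                      # banner or other control line
        name, _, comment = line.partition("\t")
        modules.append((name.strip(), comment.strip()))
    return modules


def list_modules(host: str, port: int = RSYNC_PORT, timeout: float = 5.0) -> list:
    """Ask the daemon for its module list; no credentials are involved."""
    sock, f = _open_daemon(host, port, timeout)
    with sock:
        f.write(b"#list\n")
        data = bytearray()
        for line in iter(f.readline, b""):   # until EXIT or the daemon hangs up
            data += line
            if line.startswith(b"@RSYNCD: EXIT"):
                break
    return parse_module_list(bytes(data))


def classify_module_reply(reply: bytes) -> bool:
    """True if the daemon demanded a login for the requested module.

    '@RSYNCD: OK' means no 'auth users' is set: anyone reaching port 873 can
    pull (and, if 'read only = no', push) files.  '@RSYNCD: AUTHREQD <challenge>'
    means a username/password is required.
    """
    if reply.startswith(b"@RSYNCD: AUTHREQD"):
        return True
    if reply.startswith(b"@RSYNCD: OK"):
        return False
    raise RuntimeError(f"unexpected reply: {reply!r}")


def module_needs_auth(host: str, module: str, port: int = RSYNC_PORT,
                      timeout: float = 5.0) -> bool:
    """Request one module by name and classify the daemon's answer."""
    sock, f = _open_daemon(host, port, timeout)
    with sock:
        f.write(module.encode() + b"\n")
        reply = f.readline()
    return classify_module_reply(reply)


# Constructed sample of an open daemon's answer to '#list' (not a real capture).
SAMPLE_LIST_REPLY = (
    b"@RSYNCD: 30.0\n"
    b"config         \tgateway configuration\n"
    b"logs           \tsyslog and access logs\n"
    b"firmware\n"
    b"@RSYNCD: EXIT\n"
)

if __name__ == "__main__":
    HOST = "192.0.2.10"                   # assumed address of the gateway under test
    for name, comment in list_modules(HOST):
        state = "auth required" if module_needs_auth(HOST, name) else "OPEN, no auth"
        print(f"{name:15s} {state:14s} {comment}")
```

The module list alone is not the finding; a module that answers '@RSYNCD: OK' is, and the same two-step probe is what `rsync rsync://HOST/` followed by `rsync rsync://HOST/MODULE/` does from the command line.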
Lawful Intercept
- Monitoring of Networks
- Comply with legislative requirements
- Local storage of logs
"Gaining access to a guest room through a compromised key lock system wouldn’t just be of interest to thieves. One of the most famous cases involving the subversion of a hotel’s electronic key system.. It’s not known exactly how the attackers compromised that key system."
Again, the locks were compromised by plugging an Arduino microcontroller into the DC socket on the lock. The lock then disgorged the 32-bit passcode to the device, in the clear, with no encryption. A curious design decision on the part of the lock's manufacturer, to say the least.
"Fortunately the Superintendent told CBS 3’s Walt Hunter the hackers, using a program called Ransomware, did not access any personal information about students, families or teachers"
So we can be pretty sure the 'program called ransomware' isn't a Unix/Apple or Android hack :) While I do take the assurances of the Superintendent in good faith, it did occur to me to ponder why CBS 3’s Walt Hunter didn't ask how this 'program called ransomware' got onto the 'computers' in the first place.
"Dan Bernstein presented a method for breaking TLS and SSL web encryption when it's combined with the popular stream cipher RC4 invented by Ron Rivest in 1987", Thursday March 14, 2013
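The bias behind that attack, as an added illustration that is not from the original post or from Bernstein's slides: the second RC4 keystream byte is 0 about twice as often as it should be (Mantin and Shamir, 2001), and the attack Bernstein presented with AlFardan, Paterson, Poettering and Schuldt combines this and the other single-byte biases in the first 256 keystream bytes with two facts about TLS: RC4 is keyed afresh for every connection, and a cookie sits at a fixed offset in each one. The RC4 routine below is the standard algorithm; the 16-byte random keys, the trial count, the PRNG seed and all function names are choices made for this demo.

```python
"""Measure RC4's single-byte keystream bias and use it to recover a byte.

Added example; not code from the original post or from Bernstein's talk.
The RC4 routine is the standard KSA/PRGA.  The 16-byte random keys, the
trial count, the PRNG seed and all function names are choices for this demo.
"""
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes RC4 produces under `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def collect_keystream_prefixes(n_keys: int = 20000, n_positions: int = 2,
                               seed: int = 1) -> list:
    """One keystream prefix per fresh random key.

    This mirrors TLS, which derives a new RC4 key for every connection and
    starts encrypting from keystream byte 1 with nothing discarded.
    """
    rng = random.Random(seed)                   # seeded so runs are repeatable
    prefixes = []
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        prefixes.append(rc4_keystream(key, n_positions))
    return prefixes


def zero_byte_ratios(prefixes: list) -> list:
    """Per keystream position, how often the byte is 0, as a multiple of the
    uniform expectation 1/256 (1.0 would be unbiased).

    Mantin and Shamir showed the second byte is 0 with probability ~2/256,
    so the second entry comes out near 2.0.
    """
    n_positions = len(prefixes[0])
    zeros = [0] * n_positions
    for ks in prefixes:
        for pos, b in enumerate(ks):
            if b == 0:
                zeros[pos] += 1
    return [z / len(prefixes) * 256 for z in zeros]


def recover_plaintext_byte(prefixes: list, plaintext_byte: int,
                           position: int = 2) -> int:
    """The attack setting in miniature: the same plaintext byte (one byte of
    a session cookie, say) is encrypted at `position` in many connections.

    C = P xor Z.  Because Z is 0 twice as often as any other value at
    position 2, the most frequent ciphertext value is P itself.
    """
    counts = [0] * 256
    for ks in prefixes:
        counts[plaintext_byte ^ ks[position - 1]] += 1
    return max(range(256), key=counts.__getitem__)


if __name__ == "__main__":
    ks = collect_keystream_prefixes()
    print("P[Z=0] / (1/256) per position:", [round(r, 2) for r in zero_byte_ratios(ks)])
    print("recovered byte:", hex(recover_plaintext_byte(ks, 0x41)))
```

With 20,000 keys the second ratio lands near 2.0 and the cookie byte is recovered from ciphertext alone; no key material is learned, only the plaintext that repeats across connections. A real cookie sits well past position 2, where the biases are far weaker, which is why the published attack needs billions of encryptions of the same value rather than twenty thousand.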
Under the pretext of protecting us from the Islamo-Fascist bogeyman and other such phantasms, the Aussie gov legalized warrantless spying on its own citizens. And this will be totally ineffective against organized crime, arms dealers, drug smugglers and state sponsored versions of all three.
"A watched population is a compliant one"
sectokia: "I like bias... they don't mention that the Labor Party all voted it through as well. Greens only opposed it after they learned Labor wouldn't, so they would get to claim the moral high ground, while it sailed through with bipartisan support. The two year data retention has been in place since the first ISPs started as an industry code of practice decades ago. This law is just formalising and making it clearly mandatory. The metadata has been available and used for decades."
Do you have any verifiable citations for that? What part of timothy's synopsis do you deem biased? Please provide specifics.
"Despite hearing months of evidence that the mandatory data retention proposal is dangerous, expensive and open-ended, the Labor Party appears to have caved", Scott Ludlam
Just who in their right minds connects critical infrastructure to the cybertubes? I call BS on this whole story ..
@Anonymous Coward: "How do you have a fraction of a bit?"
I dunno, I do know my brain hurts :)
"Here we describe a proof-of-principle experiment that indicates the feasibility of high-dimensional QKD based on the transverse structure of the light field allowing for the transfer of more than 1 bit per photon."
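The entropy arithmetic behind both remarks, as an added note that is not part of the thread: the information a symbol carries is its Shannon entropy, which need not be a whole number of bits, and a photon prepared in one of $d$ equally likely transverse modes carries $\log_2 d$ bits.

$$H(X) = -\sum_{i} p_i \log_2 p_i$$

A biased coin with $p = 0.9$ gives a fraction of a bit per toss:

$$H = -0.9 \log_2 0.9 - 0.1 \log_2 0.1 \approx 0.137 + 0.332 = 0.469 \text{ bits}$$

A photon that can be in any of $d = 4$ equally likely modes gives more than one:

$$H = \log_2 4 = 2 \text{ bits per photon}$$

with $d = 2$ recovering the 1 bit per photon of ordinary qubit-based QKD.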
A possible bug in Foxconn boards' BIOS affects Linux ACPI
Windows Update drivers bricking USB serial chips
One thing I find myself wondering about is whether we shouldn’t try and make the "ACPI" extensions somehow Windows specific.
'For example, “COM supports an undocumented feature called channel hooks. Well, they are semidocumented in the Win32 header files and in Don Box's ActiveX/COM column (MSJ, January 1998). Microsoft does not officially support channel hooks on either Windows NT 4.0 or Windows 2000 If you're still reading, then you've acknowledged that disclaimer and I can get into the details”' ref
"It really doesn't matter. Stop asking this question on every article you comment on, Doug. You hate Windows; we get it. Also, stop putting quotation marks around quote blocks. It looks wrong."
It beats trolling Slashdot under Anonymous Troll.
What Operating System did these successful browser hacks work on?