With open-source software, a monoculture isn't that bad a thing, as the Heartbleed exploit has shown. ... How fast was a fix available for Heartbleed?
Heartbleed showed that a monoculture, particularly one relying on poorly written and barely reviewed code, is a bad thing. OSS or not. That the source code was fixed so easily just highlights to me how the heartbeat feature was never properly reviewed or tested, and how people using openssl or incorporating it into their products never questioned it. The many eyes argument fails when you realize how few qualified programmers looked at the code. Given how widespread openssl is, getting that fix rolled out to all the s/w and h/w that have it embedded is a nightmare. Just think of the billions being spent to audit and test across enterprise networks, and update all that software.
Sure openssl will get more scrutiny for a while, but it doesn't fix the underlying fallacy that OSS automatically means quality code regardless of whether it's commercial, free, or otherwise licensed. Or that OSS projects quite often have a shoestring budget, lower quality programmers, and far less review than closed, proprietary software.
You seriously think that black hats bother with reading millions of lines of code in the hope of finding an exploit when all they have to do is play with the data sent to services/applications and see if it misbehaves? Which is why exploits are equally found among closed and open software.
This is true, and exactly how this was found by Codenomicon. Having access to the source code actually makes it far easier to turn the bad behavior into a working exploit, particularly for something like buffer overflows. Although in this case, there wasn't much work needed as the bad behavior was returning the contents of memory in response to a bad parameter.
I think this says more about the prevailing view of security. Every programmer is told "NEVER roll your own encryption". The default result is that most programmers never even look at the code and instead assume it MUST be safe since the infallible "experts" wrote it. What we are seeing here is not the fault of open source vs closed source; it is about voodoo programming being considered good security practice.
I'm not saying that everyone should be rolling their own encryption, but people should be looking over the experts' implementations instead of assuming they are perfect (this bug could have been caught by any number of "normal" programmers had they simply taken the time to look).
The irony is that the openssl authors chose to roll their own malloc implementation instead of using the default, trusted one which would have likely crashed instead of facilitating the leakage of memory. (I still blame the fundamentally flawed nature of C for even allowing this)
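The comments above describe the defect as a handler echoing memory back in response to a bad length parameter. As an added example (not code from this thread or from OpenSSL), here is a simplified model of that handler: the record layout, the arena standing in for process memory, and the fake secret are all constructed for the demonstration, and the over-read is kept inside that arena so the program stays well-defined C.

```c
// Added example, not from the original thread or OpenSSL: a simplified model of
// the Heartbleed defect. A heartbeat record carries a 1-byte type, a 2-byte
// declared payload length, then the payload. The vulnerable handler trusts the
// declared length; the fixed handler checks it against the bytes actually
// received. "Process memory" here is one constructed arena, so the over-read
// stays inside that array rather than reading past a real allocation.
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 64
#define HB_HDR_LEN 3  /* type (1) + length (2) */

/* Constructed arena: the received record, then unrelated data that happens
 * to sit after it in memory (a labelled fake key, constructed for the demo). */
static uint8_t arena[ARENA_SIZE];

static void build_arena(uint16_t claimed_len, const char *payload) {
    memset(arena, 0, sizeof arena);
    size_t n = strlen(payload);
    arena[0] = 1;                      /* heartbeat request type byte */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HDR_LEN, payload, n);
    /* Adjacent "secret" that should never be echoed back. */
    memcpy(arena + HB_HDR_LEN + n, "SECRET-KEY-MATERIAL", 19);
}

/* Vulnerable: copies `claimed` bytes starting at the payload without ever
 * asking whether the record actually contained that many. Returns bytes copied. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap) {
    (void)rec_len;  /* the real length is ignored: that is the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (claimed > out_cap) claimed = (uint16_t)out_cap;  /* keep the demo in bounds */
    memcpy(out, rec + HB_HDR_LEN, claimed);
    return claimed;
}

/* Fixed: the declared length must fit inside the bytes received
 * (header plus payload); otherwise the record is silently dropped. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR_LEN + claimed > rec_len) return 0;  /* the missing check */
    if (claimed > out_cap) return 0;
    memcpy(out, rec + HB_HDR_LEN, claimed);
    return claimed;
}

/* Does the echoed buffer contain the adjacent secret? */
static int leaks_secret(const uint8_t *out, size_t n) {
    const char *needle = "SECRET-KEY";
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= n; i++)
        if (memcmp(out + i, needle, nl) == 0) return 1;
    return 0;
}

/* Demo case: a 5-byte payload "hello" with a claimed length of 40, delivered
 * in a record that is really only 8 bytes long. Returns 1 if the secret leaks. */
static int demo(int use_fixed) {
    uint8_t out[ARENA_SIZE - HB_HDR_LEN];
    build_arena(40, "hello");
    size_t rec_len = HB_HDR_LEN + 5;
    size_t n = use_fixed ? heartbeat_fixed(arena, rec_len, out, sizeof out)
                         : heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return leaks_secret(out, n);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo(0));  /* prints 1 */
    printf("fixed handler leaks secret:      %d\n", demo(1));  /* prints 0 */
    return 0;
}
```

The point of the second function is the single comparison of the declared length against the received length; everything else is scaffolding so the leak can be observed without undefined behaviour.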
http://www-nrd.nhtsa.dot.gov/P...
An NHTSA sponsored study says at any given moment during the day, 5% of Americans are driving while using a cell phone. The study has some caveats - it relied on phone surveys, visual road-side observations, and only goes up to 2011, so may be significantly under-reporting cell phone usage. I estimate that number is closer to 10% based on casual observation while driving. So in a two-car accident that gives a 10% chance of a cell phone used in one of the cars. If the real cell-phone usage number is closer to 15%, then the 26% number is meaningless as it's typical of the overall population regardless of cell phone use.
When I see a stupid driving move, the person is invariably holding a cell phone to their face, talking and gesticulating wildly while they're the only person in the vehicle (hands-free), looking down at something (texting or dialing), or it's a woman putting on makeup while driving.
Fortunately, our equipment is not internet-connected (though it is networked), so security isn't really a principal concern.
Didn't the power industry say the same thing? Never, ever, assume the network is safe and not internet accessible if you don't own the network.
And then, how many people are keeping the bitcoins themselves without adequate off-site backup?
In the general population maybe 5% of people have off-site backups. Do they suddenly become wiser when they have bitcoins? Maybe a bit. But I'll bet it's still far less than half that have a proper backup system.
How exactly do you "backup" a bitcoin to protect it from theft? Backing up the coin info does zero good if someone already managed to effect a transfer of that coin. It's no more helpful than having a copy of your last bank statement after someone cleaned out your account (except perhaps that FDIC insurance might pay out on the loss).
Certainly, you're an idiot if you only keep the information in one place and risk losing it due to a simple HD crash. Safety of the coins from accidental loss was the allure of these exchanges. No-one really considered the theft aspect hard enough.
So has anyone tracked those coins to see where they went? The good (or bad) aspect of bitcoins is their traceability. Did they eventually end up buying goods or getting cashed out somewhere?
PCI compliance.
Citing PCI compliance doesn't do much. After all, look at how badly the credit card companies are doing with intrusions and compromises.
Sixteen years after Jon Postel attempted to bring DNS root zone control authority under IANA, finally, the dream of internationalization of the root DNS/internet infrastructure is becoming a reality. A moment of silence please, for Jon Postel, IANA.
This carries big implications in NSA's spying/QUANTUM program, which uses U.S. control of the DNS system to exploit systems.
Really? Tampering with the DNS root servers is something that everyone would notice. It's not something NSA would be likely to start tampering with. Manipulating DNS at local levels perhaps, but certainly not at the root.
I'm more concerned about US Govt manipulation of DNS at the behest of corporations for copyright enforcement by killing websites. We've already seen that happen.
LIGO is enormously more sensitive (~12 orders of magnitude) than this seismic measurement but in a different frequency band (~100Hz), so both are valuable measurements sensitive to different types of GW sources.
LIGO itself is a phenomenally difficult project, but with big payoffs. There is the basic physics of understanding how gravity works, but there are also technology spinoffs. The extremely low loss mirror technology developed for LIGO is not being used for other applications, including telecom. The high Q optical cavities are used in commercial measurement devices for measuring tiny concentrations of materials in gasses. There are likely many other spin-offs from the project.
Near as I can tell, most of the technology flow (at least recently) is in the other direction, i.e. now that extremely low loss mirrors, etc. are available they are upgrading LIGO to use them. Obviously they have a special use case and deserve kudos for developing their own fabrication techniques and applications of the technology.
The "big payoff" hasn't happened yet and isn't clearly defined. What exactly would the payoff be? I can see how correlating an observed perturbance as measured by this large scale interferometer with x-ray telescope data from an observed cosmic event could lend credence to theories about gravity waves.
They've sunk over a billion into the Hanford and Livingston observatories. The LIGO observatories from 2002 to 2010 were only operational for a very small fraction of the time, plagued by equipment problems, never achieved the design sensitivity, and NEVER detected anything useful. Most of their data was contaminated by local noise, including the highway a few miles away. They blindly collected terabytes of raw data that has never been fully analyzed and they have minimal local data analysis capability.
Now NSF is pouring even more money into it in the hopes they can improve the sensitivity and actually detect something? At best they might record a perturbance that is correlated between multiple sites (they also partner with an Australian site I believe), of which the value of that data is still debatable.
I wish the NSF would pull the plug on this waste of resources and invest in something more useful like cleaner nuclear power.
You do realize that performing https proxying and packet inspection to protect against malware is not the same thing as actively recording the sessions, right? Regardless of whether they are proxying via MITM, they can still record the URLs visited.
Also, the exact situation that the OP was attempting (a VPN that could expose the internal network) is one reason for using https proxying and filtering.
"Open Source Software is more secure because the code can be reviewed."
That's why this bug has existed since 2005. gg, guys. Thumbs up.
What do you mean? The many eyes found said bug; that is why we are reading about it. If they had not, it would still be sitting there undiscovered. Ever wonder how many bugs go completely unnoticed in proprietary software because no one actually reads said code? Like for example a Windows bug affecting all 32 bit Windows OS's for 17 years: http://www.computerworld.com/s....
Um no, code review didn't find this - at least not the people that are supposed to. The bad guys apparently found and have been using this bug for quite some time. So obviously the black hats are more motivated to review the code than the white hats.
It won't happen if you use a couple of switches and some relays for the wipers instead, and mechanics for the wheel/accel/brake etc. ... a lot cheaper too.
But then you can't have a smart car with a moisture sensor and rain detector to automagically turn the wipers on for you. Although, I have gotten spoiled by not having to remember to turn on/off the headlights. Same deal for interior lights: you could go with the old school mechanical switches but it is nice to have them turn on at the appropriate times and turn themselves off if your toddler left the light on and you didn't notice.
Brakes and steering are still mechanical, btw.
The only thing AFDX has in common with Ethernet is the MAC layer. It's incompatible with and looks nothing like the standard TCP/UDP you normally see running around on Ethernet nowadays.
There are multiple busses in vehicles already, separated by function. Engine controls are usually on a higher speed CAN bus, stuff like the speedo and body (lights, doors, etc.) on a low speed CAN bus. I can see adding a third bus for entertainment type stuff such as the radio, sat nav, wireless hotspot etc.
We had an email go out saying that people were using Bittorrent from home over the VPN and to please stop since it's illegal and taking up bandwidth.
You guys need better network admins. Proper firewalling and proxying should block traffic like that.
Also, I shudder to think of the potential mess caused by allowing personal laptops to VPN in the first place.
There are finally affordable real Windows (8.1) tablets out. I just got a Dell Venue 8 Pro for $300 at Walmart.
Meh, it's a low end netbook without a keyboard. I'm still waiting for anyone besides Apple to produce something with decent resolution. 1280x800 is a bit low in an 8" tablet for trying to do MS Office (which also sucks if you don't have a mouse and keyboard). But still it's an affordable option if you don't want the limitations of Android, can't afford an iPad mini, and don't mind crappy Windows 8.
Because a full meltdown would resemble Chernobyl?
Also although the article does a decent job of showing that a stack overflow is possible and might result in unexpected behavior, what's needed is a simulated failure scenario to see if that's what actually happens.
That's what he did. He showed several methods where a key task could get corrupted and killed, why it wouldn't be detected, and the results of that death. He also deliberately killed the tasks and demonstrated that it results in a loss of control of throttle.
So you're going to blame jQuery for trying to standardize the non-consistent implementations of a standardized API? Sounds like you're the kludge. Get over yourself.
Certainly this extra layer isn't needed when the API is going to be consistent across all of the Viera Connect devices, right? Perhaps there is already an existing Panasonic written API that should be used?
Net deficit spending is a net savings to the private sector.
Why do you keep repeating this bullcrap? The US deficit spending is funded by uncontrolled borrowing from foreign countries. It's sending US dollars out of the country, not into our private sector. In layman's terms, you're basically saying that going on a spending spree and running up your credit cards is an acceptable way to preserve your savings account.
Also, it is a fallacy to think that taxes fund expenditures at the Federal level, since the federal government has a fiat currency. It can always pay its debts (notwithstanding the limits of inflation).
True, but doing so will drive down the value of the dollar to the point of collapsing its economy. US citizens will enjoy discovering their dollar is worth half of what it was? Of course, it's already worth 1/3 of its previous value in the world economy. Devalue the dollar much more in the world economy and it will stop being the prevailing currency used to trade important things like oil.
With all of the organized cheating that happens in American schools too (and to move up the ranks in our businesses), I'm not surprised. Cheating is as American as apple pie.
That's probably the best comparison so far. With No-Child-Left-Behind (aka no kid gets ahead), the schools had financial incentive to pass kids who would not have otherwise passed and teachers were directly penalized for failing kids. The predictable result was teachers helping kids cheat on the tests and fudging scores. In this case, the wing commander knew cheating was rampant but didn't intervene because they didn't want the wing to look bad.
What's next, the fact that the answers to the Postal exam are available on the internet?
Last time I checked, Russia's continual asylum was conditional on not releasing more information.
Easy for him to live up to since he gave the entire trove to Greenwald, et al. Snowden hasn't released anything since, because he doesn't have anything left. Same reason all the talk about the FSB getting access to the files is also baseless speculation.
I would be naive to assume that Greenwald has the only electronic copy of these documents. The speculation is Snowden could have stashed them in other safe places, to which he would have access. I almost guarantee the govt has done an automated search of the popular cloud sharing sites for keywords. The recent rumors that he planned this ahead of time with Russia are most likely wild speculation by an irresponsible congress critter. If the US knew that as fact, they wouldn't have told us.
I think an underrated component of libraries is the librarians. I think I'm imagining a modern library as more than just a place for the public to connect to information. It's a place where the public can go to learn about something and get help in finding the information. Sometimes having access to the internet just isn't enough. You need to find a *person* who has specific expertise.
Librarians are becoming irrelevant just as hard copy books are. If you have internet access, Google is a far more valuable resource than a Librarian even if they are the master of their domain and know every single book in the building.