KevLar's Space

my little space on the interwebs

Bug Bounties Don’t Help If Bugs Never Run Out

Bennett Haselton writes: “I was an early advocate of companies offering cash prizes to researchers who found security holes in their products, so that the vulnerabilities can be fixed before the bad guys exploited them. I still believe that prize programs can make a product safer under certain conditions. But I had naively overlooked that under an alternate set of assumptions, you might find that not only do cash prizes not make the product any safer, but that nothing makes the product any safer — you might as well not bother fixing certain security holes at all, whether they were found through a prize program or not.” Read on for the rest of Bennett’s thoughts.

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1le95Th

Heartbleed Sparks ‘Responsible’ Disclosure Debate

bennyboy64 writes: “IT security industry experts are beginning to turn on Google and OpenSSL, questioning whether the Heartbleed bug was disclosed ‘responsibly.’ A number of selective leaks to Facebook, Akamai, and CloudFlare occurred prior to disclosure on April 7. A separate, informal pre-notification program run by Red Hat on behalf OpenSSL to Linux and Unix operating system distributions also occurred. But router manufacturers and VPN appliance makers Cisco and Juniper had no heads up. Nor did large web entities such as Amazon Web Services, Twitter, Yahoo, Tumblr and GoDaddy, just to name a few. The Sydney Morning Herald has spoken to many people who think Google should’ve told OpenSSL as soon as it uncovered the critical OpenSSL bug in March, and not as late as it did on April 1. The National Cyber Security Centre Finland (NCSC-FI), which reported the bug to OpenSSL after Google, on April 7, which spurred the rushed public disclosure by OpenSSL, also thinks it was handled incorrectly. Jussi Eronen, of NCSC-FI, said Heartbleed should have continued to remain a secret and be shared only in security circles when OpenSSL received a second bug report from the Finnish cyber security center that it was passing on from security testing firm Codenomicon. ‘This would have minimized the exposure to the vulnerability for end users,’ Mr. Eronen said, adding that ‘many websites would already have patched’ by the time it was made public if this procedure was followed.”

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1hTpavk

RCMP Arrest Canadian Teen For Heartbleed Exploit

According to PC Mag, a “19-year-old Canadian was arrested on Tuesday for his alleged role in the breach of the Canada Revenue Agency (CRA) website, the first known arrest for exploiting the Heartbleed bug. Stephen Arthuro Solis-Reyes (pictured) of London, Ontario faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data.” That exploit led to a deadline extension for some Canadian taxpayers in getting in their returns this year. The Register has the story as well. The Montreal Gazette has some pointed questions about how much the Canadian tax authorities knew about the breach, and when.

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1isZQLj

Cleaning up a departed MCITP mess

One thing MS doesn’t teach you is how to adapt what you learned in their eccentric training is to the environment you are working in. Especially if you are using something other than MS Hyper-V. In most cases, minimum requirements are bogus only because the flexibility of virtualization. A reduction in vCPU count in our environment greatly increased performance because of so much gross over allocation. I mere one additional vCPU on a machine can send it tipping over the edge of CPU ready and CPU waiting on I/O.

Can you smell what I am cooking, do you want to drink the koolaid? Want to be the cool kid on the block? Then just take time and research and evaluate your environment and plan around what you have. Minimum requirements are for those in the physical world with unlimited resources. We all sometimes forget that even in the virtual world physical practices lead to a quick demise of your infrastructure.

Switching From Sitting To Standing At Your Desk

Hugh Pickens DOT Com (2995471) writes “Chris Bowlby reports at BBC that medical research has been building up for a while now, suggesting constant sitting is harming our health — potentially causing cardiovascular problems or vulnerability to diabetes. Advocates of sit-stand desks say more standing would benefit not only health, but also workers’ energy and creativity. Some big organizations and companies are beginning to look seriously at reducing ‘prolonged sitting’ among office workers. ‘It’s becoming more well known that long periods of sedentary behavior has an adverse effect on health,’ says GE engineer Jonathan McGregor, ‘so we’re looking at bringing in standing desks.’ The whole concept of sitting as the norm in workplaces is a recent innovation, points out Jeremy Myerson, professor of design at the Royal College of Art. ‘If you look at the late 19th Century,’ he says, Victorian clerks could stand at their desks and ‘moved around a lot more’. ‘It’s possible to look back at the industrial office of the past 100 years or so as some kind of weird aberration in a 1,000-year continuum of work where we’ve always moved around.’ What changed things in the 20th Century was ‘Taylorism’ — time and motion studies applied to office work. ‘It’s much easier to supervise and control people when they’re sitting down,’ says Myerson. What might finally change things is if the evidence becomes overwhelming, the health costs rise, and stopping employees from sitting too much becomes part of an employer’s legal duty of care ‘If what we are creating are environments where people are not going to be terribly healthy and are suffering from diseases like cardiovascular disease and diabetes,’ says Prof Alexi Marmot, a specialist on workplace design, ‘it’s highly unlikely the organization benefits in any way.’”

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1l7aRWb

Ubuntu Linux 14.04 LTS Trusty Tahr Released

An anonymous reader writes with this announcement: “Ubuntu Linux version 14.04 LTS (code named “Trusty Tahr”) has been released and available for download. This updated version includes the Linux kernel v3.13.0-24.46, Python 3.4, Xen 4.4, Libreoffice 4.2.3, MySQL 5.6/MariaDB 5.5, Apache 2.4, PHP 5.5, improvements to AppArmor allow more fine-grained control over application, and more. The latest release of Ubuntu Server is heavily focused on supporting cloud and scale-out computing platforms such as OpenStack, Docker, and more. As part of the wider Ubuntu 14.04 release efforts the Ubuntu Touch team is proud to make the latest and greatest touch experience available to our enthusiast users and developers. You can install Ubuntu on Nexus 4 Phone (mako), Nexus 7 (2013) Tablet (flo), and Nexus 10 Tablet (manta) by following these instructions. On a hardware front, ARM multiplatform support has been added, enabling you to build a single ARM kernel image that can boot across multiple hardware platforms. Additionally, the ARM64 and Power architectures are now fully supported. See detailed release note for more information here and a quick upgrade to a newer version of Ubuntu is possible over the network.”

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1j8axzG

Tor Blacklisting Exit Nodes Vulnerable To Heartbleed

msm1267 (2804139) writes “The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 vulnerable to Heartbleed where he was able to retrieve plaintext user traffic. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear.”

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1j7SWsG

The Dismal State of SATCOM Security

An anonymous reader writes “Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired. The list of security weaknesses IOActive foundwhile analyzing and reverse-engineering firmware used on the most widely deployed Inmarsat and Iridium SATCOM terminals does not include only design flaws but also features in the devices themselves that could be of use to attackers. The uncovered vulnerabilities include multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems.”

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1hPUv20

Ask Slashdot: System Administrator Vs Change Advisory Board

thundergeek (808819) writes “I am the sole sysadmin for nearly 50 servers (win/linux) across several contracts. Now a Change Advisory Board (CAB) is wanting to manage every patch that will be installed on the OS and approve/disapprove for testing on the development network. Once tested and verified, all changes will then need to be approved for production. Windows servers aren’t always the best for informing admin exactly what is being ‘patched’ on the OS, and the frequency of updates will make my efficiency take a nose dive. Now I’ll have to track each KB, RHSA, directives and any other 3rd party updates, submit a lengthy report outlining each patch being applied, and then sit back and wait for approval. What should I use/do to track what I will be installing? Is there already a product out there that will make my life a little less stressful on the admin side? Does anyone else have to go toe-to-toe with a CAB? How do you handle your patch approval process?”

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1pcyNt2

How ‘DevOps’ Is Killing the Developer

An anonymous reader writes “Python guru Jeff Knupp writes about his frustration with the so-called ‘DevOps’ movement, an effort to blend development jobs with operations positions. It’s an artifact of startup culture, and while it might make sense when you only have a few employees and a focus on simply getting it running rather than getting it running right, Knupp feels it has no place in bigger, more established companies. He says, ‘Somewhere along the way, however, we tricked ourselves into thinking that because, at any one time, a start-up developer had to take on different roles he or she should actually be all those things at once. If such people even existed, “full-stack” developers still wouldn’t be used as they should. Rather than temporarily taking on a single role for a short period of time, then transitioning into the next role, they are meant to be performing all the roles, all the time. And here’s what really sucks: most good developers can almost pull this off.’ Knupp adds, ‘The effect of all of this is to destroy the role of “developer” and replace it with a sort of “technology utility-player”. Every developer I know got into programming because they actually enjoyed doing it (at one point). You do a disservice to everyone involved when you force your brightest people to take on additional roles.’”

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1iX1MrW

Follow

Get every new post delivered to your Inbox.