
Comments

How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

FormOfActionBanana Re:Original premise is false (582 comments)

Yes, exactly. (My day job is static analysis)

"Many Eyes" are great for identifying and fixing the broken build... but have no good track record for monitoring security design and implementation flaws.

For security infrastructure critical code, the available tools should be coming up spot clean. This is absolutely not the case with OpenSSL.

about 5 months ago
Weak Apple PRNG Threatens iOS Exploit Mitigations

FormOfActionBanana Re:well, almost (143 comments)

And I am not even a crypto expert! Well, this is a very long-winded way of saying that the GP "DigitAl56K" was probably right; that we do need a clearing-house of good software cryptographic random number generators.

about 6 months ago
Weak Apple PRNG Threatens iOS Exploit Mitigations

FormOfActionBanana Re:well, almost (143 comments)

repeatedly hashing a counter that is set with a random seed

But I think that's exactly why you don't roll your own. That would be a predictable sequence. I could make a rainbow table of sha1('1'), sha1('2') etc. up to 4 trillion, and then by sampling a few numbers from your stream I could very quickly identify the current counter value and the next sequences forever. Total fail, and if the seed is the system time this is only a level of abstraction more difficult. (Chess & West, p. 398)

about 6 months ago
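The predictability the comment describes, as an added Python example (it is not from the post and models no real PRNG): a toy hash-the-counter generator, a precomputed lookup table, and recovery of the counter from a few sampled outputs, after which every later output is determined. The seed range and table size are constructed for the demonstration.

```python
import hashlib
from typing import Dict, List, Optional


def sha1_hex(counter: int) -> str:
    """SHA-1 of the decimal counter, the 'sha1('1'), sha1('2')' of the comment."""
    return hashlib.sha1(str(counter).encode()).hexdigest()


def weak_stream(seed: int, count: int) -> List[str]:
    """The rolled-your-own construction: hash a counter that starts at a seed.
    Toy code for this example only; use os.urandom / secrets for real randomness."""
    return [sha1_hex(seed + i) for i in range(count)]


def build_table(limit: int) -> Dict[str, int]:
    """Precompute hash -> counter for every counter below `limit`.
    The comment's 'rainbow table'; the bound is small here so the example runs quickly."""
    return {sha1_hex(c): c for c in range(limit)}


def recover_state(table: Dict[str, int], observed: List[str]) -> Optional[int]:
    """Given a few consecutive outputs sampled from the stream, return the counter
    value that produced the first of them, or None if no sample is in the table."""
    for offset, value in enumerate(observed):
        hit = table.get(value)
        if hit is not None:
            return hit - offset
    return None


def predict(state: int, skip: int, count: int) -> List[str]:
    """Once the counter is known, outputs `skip` positions past it follow with
    no further observation: the stream has no entropy beyond its seed."""
    return [sha1_hex(state + skip + i) for i in range(count)]


if __name__ == "__main__":
    stream = weak_stream(98765, 10)          # constructed seed, 10 outputs
    table = build_table(200_000)             # covers every seed below 200,000
    state = recover_state(table, stream[3:6])  # attacker sees three outputs
    print("recovered counter:", state)
    print("prediction matches:", predict(state, 3, 4) == stream[6:10])
```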
Weak Apple PRNG Threatens iOS Exploit Mitigations

FormOfActionBanana well, almost (143 comments)

That was for fast secure hashes, and not for pseudorandom numbers. They aren't really the exact same thing, are they?

about 6 months ago
Ask Slashdot: Reviewing 3rd Party Libraries?

FormOfActionBanana Re:Many Eyes (88 comments)

That's utterly crap advice, since a lot of software in popular, active use has critical vulnerabilities.

The example quoted just above (http://ask.slashdot.org/comments.pl?sid=4862577&cid=46414687) in which nobody got the sarcasm... says:

You know there won't be any bugs in those, or if there are they'll be very quickly fixed and not sit there unnoticed for years.

He was referring to https://www.gitorious.org/gnut... and https://www.imperialviolet.org..., not to mention http://bsd.slashdot.org/story/... which also sat unnoticed for years.

about 6 months ago
Interview: Ask Theo de Raadt What You Will

FormOfActionBanana OpenBSD and the 1000M limit (290 comments)

The last time I tried to run OpenBSD, it was so I could test our static analyzer Fortify SCA on the kernel.

One thing that really held me back in my research is that processes were limited to about 1 Gigabyte of RAM each. What exactly is the reasoning behind this hard limit?

Note: I never finished my work, but it would be totally cool to complete this someday.

about 6 months ago
Companies Getting Rid of Reply-all

FormOfActionBanana Re:actions become automatic (248 comments)

It's a design error, plain and simple. I don't know what the real solution is however.

about 2 years ago
This Is What Happens When You Deep Fry a Frozen Turkey

FormOfActionBanana Re:Don't use ice to cool the oil (164 comments)

If you dump enough ice that it actually cools the oil, then it's fine.

Obviously, risky behavior if you don't know the equipment you're working with.

about 2 years ago
Airlines Face Acute Pilot Shortage

FormOfActionBanana Re:ups and down in the industry (421 comments)

All of this already exists. Type rated Captains, First Officers, ATPLs, CPLs

about 2 years ago
Ask Slashdot: Best Practices For Collecting and Storing User Information?

FormOfActionBanana OWASP (120 comments)

OWASP has guidance; for instance, here: https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet#Insecure_Data_Storage_.28M1.29

From https://www.owasp.org/images/5/5e/Mobile_Security_-_Android_and_iOS_-_OWASP_NY_-_Final.pdf
2. Insecure data storage
Solution
  Avoid local storage inside the device for sensitive information
  If local storage is "required", encrypt data securely and then store
  Use the Crypto APIs provided by Apple and Google
  Avoid writing custom crypto code; it is prone to vulnerability

about 2 years ago
Assange Makes Statement Calling For an End To the "Witch Hunt"

FormOfActionBanana Re:Go to China (915 comments)

Chinese need an exit visa to leave China.

about 2 years ago
Breakthrough In Drawing Complex Venn Diagrams: Goes to 11

FormOfActionBanana Re:Misses the point... (83 comments)

Looks like it's going to be the University of Illinois!

more than 2 years ago

Submissions

Gary McGraw interviews Ross Anderson, who debunks Trusted Computing

FormOfActionBanana writes | more than 2 years ago

FormOfActionBanana writes "Security expert Dr. Gary McGraw interviews security expert Dr. Ross Anderson of Cambridge University in a great podcast. Dr. Anderson opens with a debunking of UEFI and Trusted Boot; he makes multiple references to the balance of power in the Middle Ages and compares that to the modern struggle of power inherent in the establishment of Certification Authority infrastructures."
Security expert Gary McGraw interviews security expert Ross Anderson

FormOfActionBanana writes | more than 2 years ago

FormOfActionBanana writes "Dr. Gary McGraw interviews Dr. Ross Anderson of Cambridge University in a great podcast. They cover a variety of current topics in computer security.
Among other choice quotes, Dr. Anderson warns the preliminary output of some recent world wide web research is "Don't click on ads.""

OpenBSD IPSEC implementation compromised by FBI

FormOfActionBanana writes | more than 3 years ago

FormOfActionBanana writes "From the email received by Theo de Raadt: "My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms...[into OpenBSD's IPSEC implementation]""
Security review summary of NIST SHA-3 round 1

FormOfActionBanana writes | more than 5 years ago

FormOfActionBanana writes "The security firm Fortify Software has undertaken an automated code review of the NIST SHA-3 round 1 contestants' (previously Slashdotted) reference implementations. After a followup audit, the team is now reporting summary results.

According to the blog entry, "This just emphasizes what we already knew about C, even the most careful, security conscious developer messes up memory management."

Of particular interest, Professor Ron Rivest's (the "R" in RSA) MD6 team has already corrected a buffer overflow pointed out by the Fortify review. Bruce Schneier's Skein, also previously slashdotted, came through defect-free."

Journals

FormOfActionBanana has no journal entries.
