top Google Pressure Cookers and Backpacks: Get a Visit From the Feds
The NSA could also be getting duplicate copies of customer certs issued by CAs in order to play MITM.
Presumably you mean certificates using NSA-generated key pairs, but that are otherwise identical to the "customer certs".
about a year and a half ago
top Trade Group: US Software Developer Wages Fell 2% Last Year
winning the day. Didn't work our so well for Corel did it? Or Novel? Or Sun?
I assume you meant Novel
Yeah, you're few good programmers will make better code, but my 100 code monkeys will make more of it.
Novell isn't really a good example. Starting in the late 90's, they began laying off employees in the states and replacing them with cheap labor in Bangalore. That didn't work out so well.
Especially telling was a blog post by then-CTO Jeff Jaffe sometime around 2008, where he talked about the superior quality of Novell's software. Only problem was that quality had been steadily declining for the past ten or so years. The comments section was full of Novell customers telling the CTO that he was full of shit.
Jaffe was fired (er, resigned) a year or so later, so that blog post is long-gone. Fortunately, the wayback machine has a copy. about a year and a half ago
top Azure Failure Was a Leap Year Glitch
The story yesterday said that they were having a problem with certificate validation. The routine they were using to validate certificate expiration must not have been able to handle the leap year. I wonder what non-standard API they were using to process the expiration date. That reminds me of another
article that I read yesterday.
top RSA Admits SecurID Tokens Have Been Compromised
With RSA doing the keyfill at point of manufacture, the customer just needs to load the seed file for the entire batch onto their authentication server and then hand out the token
Don't forget that the tokens also expire every couple of years. If it customers were able to load a new seed themselves, then they wouldn't need to purchase new ones as often.
top How Facebook Ships Code
Interesting article, especially this little snippet:
re: surprise at lack of QA or automated unit tests — “
most engineers are capable of writing bug-free code. it’s just that they don’t have an incentive to do so at most companies. when there’s a QA department, it’s easy to just throw it over to them to find the errors.” [EDIT: please note that this was subjective opinion, I chose to include it in this post because of the stark contrast that this draws with standard development practice at other companies]
This guy's obviously fresh out of college. It would be interesting to hear from someone with a little more real-world experience.
top Security Lessons Learned From the Diaspora Launch
If it were, say, a private company producing this product, wouldn't they have subjected it to the normal quality control processes in software companies...
But what exactly is that process? The QA process can vary widely from company to company and product to product.
There are several factors that can influence the quality of QA:
How important is the product to the team/company/manager and middle-managers involved?
Is the QA team responsible for more than one product? If so, which product is given the most priority?
Is the QA team staffed to adequately test each product assigned to them?
What is the individual skill and experience level of each team member? Does anyone on the team have experience finding and testing for security vulnerabilities?
Does the company actually have a qualified "in house security specialist"? How involved is he/she in the product design and QA process? Such a specialist should review and approve both the initial product design and the test plan.
How much testing goes into each release? IE: Does the team perform a full regression (re-executing the entire test plan, which can take weeks or months), or do they focus their efforts only around the new features that were added, potentially missing bugs that may arise due to an unanticipated affects that new features might have on other components in the system?
Commercial software companies often ship products with serious security flaws, in spite of the reasons you listed. Some products receive through testing and others don't. It doesn't matter much whether or not the product is a commercial offering.
top Calculating Password Policy Strength Vs. Cracking
Most systems have a "three strikes and you're out for 5 minutes". So that kind of makes 65 guesses a minute impossible. You'd have 3 every 5 minutes.
You're missing the point. This isn't so much about guessing the password in network logon attempts as it is about guessing passwords on already-compromised machines. Since users frequently use the same password on multiple systems, a password file from a compromised workstation will sometimes yield valid passwords for other not-yet-compromised systems. Local passwords can also be useful in decrypting hard drive contents in cases where the encryption key is stored locally, wrapped with the user's password.
The faster an attacker is able to crack passwords in the password file, the more time he has to further compromise the network without being noticed.
top Town Fights Cricket Plague With Led Zeppelin
Rock music blaring from boomboxes has proved one of the best defenses against an annual invasion of Mormon crickets.
Yeah, but you get one alone and he'll drink all your beer.
Unfortunately, it probably went over the head of anyone who hasn't lived in Utah.
Always take at least two Mormons fishing with you or the damned Jack Mormon will drink all your beer.
top Sandals and Ponytails Behind Slow Linux Adoption
I could not have said it better. I experienced this first-hand just after finishing college. I had long hair reaching about half way down my back through most of my twenties. I noticed a significant difference in the way I was treated after cutting my hair. Having been on both sides of the issue now, I think there's a lot to be said to matching your dress and other aspects of your personal image (hair, accessories, etc.) to the impression you want to create.
The most notable difference was when I would go out with my wife. When I had long hair, about half the time the waiter would give her the check. Now that I'm clean-cut this almost never happens.
I was already a couple of years into my career before I cut my hair. I'm a software developer with a large company (not Microsoft), and managed to land this job and two previous jobs in this industry before cutting my hair. I'm happy with my job, but I wish I had cut my hair earlier. If I had, I belive that I would have had more opportunities after college, and as a result could probably have negotiated an ever higher salary.
Everyone judges you on your apperance whether they are aware of it or not.