Heartbleed Used To Bypass 2-Factor Authentication, Hijack User Sessions
It doesn't matter how clever you are... at some point, some session will have to run with more privileges than the user in order to be able to do something.
Or, as here, the session gets taken over as "just a user" and steals all their data / credentials anyway and tries to move deeper by finding more.
The problem of privilege separation can be fixed today, the tools are there. The problems described here aren't helped or hindered by privilege separation.
To be honest, what you have to have is an enormously fine-grained permission system no matter what, and that - in itself - is a recipe for disaster. Eventually you get to the point where you need to deploy tools to find out what permissions are given as certain users because it gets so complex.
Or you could just patch when a problem is noted, especially when it involves your SSL library.
Steam's Most Popular Games
With a laptop in idle? Pence.
10 hours with a 100W idle, even (nowhere close to screen-off usage, but let's over-estimate) - 1 kWh. Unit price for that doesn't compare to even one trading card sold for penny-cheaper-than-every-other-similar-card for me.
Plus, I normally just have the game on in the background while I'm doing other things on the machine, so the actual "real" usage of electricity etc. is basically zero.
Steam's Most Popular Games
I'm not a $1-kind-of-guy. But, yes, I have made profit on the bundles. Especially if you buy quick, get the discount, and get the cards into the market before it gets flooded by all the other sellers.
But I don't buy bundles that don't have at least something worth the money in them, and don't beat-the-average unless there's a game I really want on that side either.
Steam's Most Popular Games
Especially since the trading cards.
I often buy a humble bundle, load up the games, leave them running to "earn" the badges, shut them down, uninstall them. (Then sell the cards, get Steam Wallet cash, buy more games, get more badges, etc....)
The Best Parking Apps You've Never Heard Of and Why You Haven't
Private Keys Stolen Within Hours From Heartbleed OpenSSL Site
When I looked into my server, I found out:
The OpenSSL library I'm using wasn't vulnerable.
Thus, my keys are as "safe" as they were before.
Also, to enable PFS, I would have to upgrade - to one of those OpenSSL versions that is vulnerable (but obviously there are "fixed" ones now).
I would also only be able to use EC cryptography with PFS with OpenSSL. I don't trust EC personally, yet. It's just not been around long enough for me. And I find it suspicious that every time something happens, the answer is "Let's go to EC!". If anything, I suspect it might well be something that people we don't want deciding algorithms are driving us towards.
Sorry, but until I trust EC, I can't trust PFS. And I can't use either until I upgrade to a version of OpenSSL that was vulnerable to this attack for a long time without anyone noticing (whereas my current version wasn't).
Ironically I "score" more on certain SSL test sites with old OpenSSL than with the newer one... and I get artificially capped because I don't support EC.
Until someone shows me that PKE is broken, then EC is not necessary for my usage. PFS is something I'd like but, as OpenSSL only supported it when using EC algorithms last I looked, I don't see it as any more secure.
Ask Slashdot: Are You Apocalypse-Useful?
I'm sorry? Why would "decades without computers ... render computer science and related professions useless"?
I don't think you get that "science" bit on the end of it. Nor that much of computer science goes back to extreme basics. Morse Code? That's coding theory. It's only if you take a narrow-minded view that it doesn't appear as computer science.
You can build a computer from the simplest of building blocks - it just so happens we prefer semiconductors - but as has been historically proven you can build a mechanical computer capable of just about anything (and that was proven how? Turing machines? Oops, that's computer science!). Maybe not fast, but accurate and useful when it comes to larger calculations. We had a need for such things several hundred years ago and, even big projects aside, we made them and used them (Abacus for thousands of years? Calculating machines were rife for centuries from the 1600s).
The fact is that computer science is, like any other science, not only useful as a nurturer of people with a logical mind, but also directly useful in any size society once it's settled a bit. Mostly because much of it is maths. And the rest of it is directly applicable to real-world calculations.
Sure, you can live without it. But you can live without an awful lot of things. But with it, you gain an advantage. Where best to site my defence towers against the pillaging hordes? How best to send a message asking for allies to appear without the enemy knowing what is in it? How to ensure we don't waste time dividing food equally with various random weights and measures?
It's the old fallacy - but it's wrong. You do not need a computer to perform computer science. And you do not need a computer to get useful data out of your computer science. It just helps, and speeds along the process.
Fact is, in any kind of apocalyptic event like this, you'll be glad of any academic, especially one that can provably solve practical problems like this. Hell, simple ballistics is a nightmare to solve by hand.
And, if it comes to it, you can build a computer out of blocks of wood (there are several examples of this), water-filled tubes (the Russians did concrete calculations on one), or pieces of paper. We're all taught how to do at least the last one of those in computer science courses, too.
A computer scientist may not be the immediate asset who scavenges food or heals the sick or welds defences. But you'll want one on your team before long, and they'll give you an advantage over any group that doesn't have one.
The New 'One Microsoft' Is Finally Poised For the Future
I don't think you have much of an idea of what a kernel is.
Just because you have the same kernel does not mean that you can run the same applications.
Future Airline Safety Instructions Will Be Given By Game Apps
More importantly, please tell me what's in the pre-flight safety check.
Chances are that you've heard it so many times that you could give it.
Your belt clips around your waist. You undo by lifting the buckle. Your oxygen mask will drop down from the overhead compartment. Your exits are here, here and here, etc. etc. etc.
The danger of the pre-flight "safety" check is that it's nonsensical to do it. Emergency measures should not be designed so that people have to learn to use them. They should be clearly marked, with - at most - one simple diagrammatic instruction. If you can't make them that simple, redesign them.
Same goes for nautical safety but there's a lot more to go wrong by your own hands on a ship. In a plane, well, you're just holding onto your own backside and hoping it all goes okay no matter what.
Honestly, I think it's about time we scrapped them. They tell us nothing we'll remember in an emergency, even though we've memorised every step. They talk about extreme situations that happen in extraordinarily rare circumstances. They scare passengers who are nervous. And yet, pretty much, studies show that in an emergency it's every man for himself and we'll all forget the briefing anyway.
Take the briefing away. Take the flight safety card away. Put simplified instructions everywhere (oxygen mask is here, pull to start flow, with a little diagram). Let people relax on their flight without being FORCED to sit through a briefing they are desperate to shut the hell up so they can sleep.
If you want to have the briefing, do this - hand out a little app that lets you do it on a personal basis.
Most importantly - SHUT THE HELL UP on flights. Let people relax, sleep and journey and then - when an emergency happens - they won't be so stressed that they do quite so stupid things.
Theo De Raadt's Small Rant On OpenSSL
Can't say I'm surprised. OpenSSL is a pile of dung. It's nothing to do with being written in any language, it's just horrible.
There's not even any documentation. I mean, literally, none. Nothing vaguely useful. How do I programmatically load a certificate into the store, along with a chain of related trusted certificates, and then set my requirements (must be in-date, must be validly signed, etc.) and get out a "It's fine" / "Something's not right" response? The only answers I could ever find were to follow published examples and tweak.
And when it comes to working out where in the published examples structure X comes from, or how to convert it to structure Y, you're on your own unless you happen to have picked a comprehensive (and almost certainly not OpenSSL-supplied) example.
It's just that bad. I was writing a pseudo-DRM for a game / Steam-like distribution platform as a hobbyist project. It was literally horrible to even try to self-sign some certificate and then see if it all panned out later from another computer to guarantee integrity. In the end, I had to "imagine" every possible case and find a way to counter it (i.e. client cert expired, client cert invalid, server cert not signed client cert, server cert has bad chain of trust, client cert not signable for that purpose, etc.) - and almost always there was NOTHING to indicate what the recommended way to do it was.
There is no decent OpenSSL documentation at all. Not even a decent overview of the process of checking certificates. It scared me at the time, knowing how important the library is, and it can only lead to bad code.
In the end, I'm quite glad I don't have to program against it for a living. If I did, I'd be seriously looking for something else.
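The verification flow the comment is asking about (load a trust anchor, supply the intermediate chain, require in-date, validly signed, right host, right purpose, and get a yes/no back), written out as an added example. It is not code from the original post and it does not use the OpenSSL API the commenter was fighting; it uses Go's standard-library crypto/x509 instead, and builds a constructed three-tier PKI in memory so it runs offline. The type and function names (testPKI, buildPKI, verifyLeaf) and the host name game.example are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed chain: self-signed root -> intermediate -> leaf.
type testPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// mustCert issues tmpl under parent, signing with the parent's key.
func mustCert(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate is a CA certificate valid from an hour ago until tomorrow.
func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildPKI generates fresh RSA keys and issues the three certificates; with
// leafExpired the leaf's validity window already closed a day before now.
func buildPKI(now time.Time, leafExpired bool) testPKI {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	intKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)

	rootTmpl := caTemplate(1, "Constructed Root CA", now)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := mustCert(caTemplate(2, "Constructed Intermediate CA", now), root, &intKey.PublicKey, rootKey)

	notBefore, notAfter := now.Add(-time.Hour), now.Add(24*time.Hour)
	if leafExpired {
		notBefore, notAfter = now.Add(-48*time.Hour), now.Add(-24*time.Hour)
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "game.example"},
		DNSNames:  []string{"game.example"}, // assumed host name for the example
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return testPKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// verifyLeaf is the "it's fine" / "something's not right" call: the leaf
// must chain through the given intermediate to the given root, every
// signature must check, every certificate must be valid at now, the leaf
// must name host, and it must be issued for server authentication.
func verifyLeaf(leaf, intermediate, root *x509.Certificate, now time.Time, host string) (bool, string) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: now, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return false, err.Error()
	}
	return true, "ok"
}

func main() {
	now := time.Now()
	good, expired := buildPKI(now, false), buildPKI(now, true)
	fmt.Println(verifyLeaf(good.Leaf, good.Intermediate, good.Root, now, "game.example"))
	fmt.Println(verifyLeaf(good.Leaf, good.Intermediate, good.Root, now, "other.example"))
	fmt.Println(verifyLeaf(expired.Leaf, expired.Intermediate, expired.Root, now, "game.example"))
	fmt.Println(verifyLeaf(good.Leaf, good.Intermediate, expired.Root, now, "game.example"))
}
```

Every failure case the comment lists (expired cert, bad chain of trust, cert not issued for the purpose, wrong name) comes back from the one Verify call with a distinct error, which is the part the commenter could not find spelled out: setting the trust anchors explicitly, rather than leaving the root pool empty, is what stops the check from silently falling back to the system store.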
Ask Slashdot: Which NoSQL Database For New Project?
Welcome to English.
The language you copied, fucked with, and then claimed to have the definitive version of.
Pretty much if we end a word with -our (colour, flavour, honour) or -ise (optimise, etc.) then we're right.
Ask Slashdot: Which NoSQL Database For New Project?
Dyn.com Ends Free Dynamic DNS
1) Why only bind (it's not the only nameserver)?
2) Why is there not an "install and go" version of it?
Every tutorial I see starts with some huge parenthesised section of a bind zone and several scripts to manually update other bind files (like the comment a few below this one).
Surely, if you're not caring about anything else on the domain you give it, there must be a zero-config version of it that saves someone having to cock up a bind installation.
A Bid To Take 3D Printing Mainstream
Combine with Kinect-like scanning to make a 3D photocopier.
Then Games Workshop would go bust in a year...
Dyn.com Ends Free Dynamic DNS
I'm a Dyn.com customer of old so I got an email to tell me that the promise to be "always free" back then holds for me, even if not for newer customers.
But when I was looking for a more modern replacement, I was expecting to be able to set up a Dyn-compatible service for my old domains using an external Linux server. There doesn't seem to be anything easy for that.
What I'd like is a Linux package which you can install on a server, and have it provide Dyn-like updating, without me having to play with BIND and all sorts (I don't do nameserving, so it's no particular fuss to install a nameserver JUST for this purpose). I thought DNSMasq might do it, as it's so powerful it tends to do everything, but that doesn't seem to offer it.
And if it's Dyn.com compatible in the protocol it uses to accept reports from clients, it's just a matter of hacking in your IP instead of Dyn.com's. But I couldn't find anything that wasn't a case of "install this series of Perl scripts in such a way that they play with the internals of your existing, perfectly working BIND setup, and basically get called from web-requests with permissions enough to do just that".
Anyone know of some software that works like the server-side of Dyn.com so I could host my own DynDNS service for my home accounts using a static, external server?
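The server side the comment is asking for, sketched as an added example rather than any existing package: a small Go handler speaking the update protocol that Dyn.com's clients use (a GET to /nic/update with HTTP Basic auth, hostname and myip query parameters, and one status line per hostname in reply: good, nochg, badauth or nohost). The account table, hostnames and password are constructed, the type and function names (DynServer, newDemoServer, Update) are this example's own, and the "911" reply for an unparseable address is a choice made here. It records addresses in memory only; pushing them into whatever nameserver you actually run is left out.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// DynServer answers GET /nic/update?hostname=<host>[,<host>...]&myip=<ip>
// sent with HTTP Basic auth, replying with one status line per hostname.
// The account table and hostnames are constructed for the example.
type DynServer struct {
	mu    sync.Mutex
	users map[string]string // username -> password
	owner map[string]string // hostname -> username allowed to update it
	addr  map[string]string // hostname -> address last reported
}

func newDemoServer() *DynServer {
	return &DynServer{
		users: map[string]string{"alice": "correct-horse-battery"},
		owner: map[string]string{"home.example.net": "alice", "nas.example.net": "alice"},
		addr:  map[string]string{},
	}
}

// authenticate compares in constant time so a wrong password does not
// leak how many leading bytes matched through response timing.
func (s *DynServer) authenticate(user, pass string) bool {
	want, ok := s.users[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1
}

// Update applies one request and returns the response body. A bad password
// yields a single "badauth" whatever hostnames were sent, and a hostname the
// caller does not own is "nohost", so replies cannot enumerate other records.
func (s *DynServer) Update(user, pass, hostnames, myip string) string {
	if !s.authenticate(user, pass) {
		return "badauth"
	}
	ip := net.ParseIP(myip)
	if ip == nil {
		return "911" // this example's choice for an address that does not parse
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	var lines []string
	for _, h := range strings.Split(hostnames, ",") {
		h = strings.ToLower(strings.TrimSpace(h))
		switch {
		case s.owner[h] != user:
			lines = append(lines, "nohost")
		case s.addr[h] == ip.String():
			lines = append(lines, "nochg "+ip.String())
		default:
			s.addr[h] = ip.String()
			lines = append(lines, "good "+ip.String())
		}
	}
	return strings.Join(lines, "\n")
}

// ServeHTTP is the transport layer: Basic auth, query parsing, and falling
// back to the connection's source address when myip is omitted.
func (s *DynServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path != "/nic/update" {
		http.NotFound(w, r)
		return
	}
	user, pass, ok := r.BasicAuth()
	if !ok {
		w.Header().Set("WWW-Authenticate", `Basic realm="dyndns"`)
		http.Error(w, "badauth", http.StatusUnauthorized)
		return
	}
	q := r.URL.Query()
	ip := q.Get("myip")
	if ip == "" {
		if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
			ip = host
		}
	}
	fmt.Fprint(w, s.Update(user, pass, q.Get("hostname"), ip))
}

func main() {
	srv := httptest.NewServer(newDemoServer()) // constructed local endpoint
	defer srv.Close()
	req, _ := http.NewRequest("GET", srv.URL+"/nic/update?hostname=home.example.net&myip=203.0.113.7", nil)
	req.SetBasicAuth("alice", "correct-horse-battery")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	fmt.Println(string(body)) // good 203.0.113.7
}
```

Because the client's password travels in the Authorization header, this only belongs behind TLS. Since Update touches nothing but its own table, the process can run as an unprivileged user with no write access to a live nameserver configuration, which is the separation the web-callable BIND-editing scripts in the comment lack.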
How the Internet Is Taking Away America's Religion
Your friend tells you about this thing which he believes in and tries to convince you. But you're not sure.
a) Go along with them, get absorbed, spend hours listening to their arguments, ask around a circle of friends that you share with him about their opinion? (i.e. imagine pre-Internet generations where if you didn't know someone personally, or were a part of a group, you didn't even get to meet them, let alone communicate extensively)
b) Go to your social network online, look up vast resources, have the arguments for and against in front of you, find out all the dirty secrets, cliques, etc. hear tell from friends-of-friends-of-friends about things they do and believe in?
It's just a product of information availability. And it works both for and against us now. It's now harder to quash rumours started by a random person with no basis from spreading but it's much easier for such rumours to reach the ears of the interested - even if subject to court order in some cases!
And it's not just religion. It's products, services, celebrities, charities, you name it. Before, you didn't have a source of information likely to know both sides and the ins and outs of everything that you could consult confidentially and extensively and get THOUSANDS of people's opinions in a matter of minutes. Now it's a click away and you're taught to use it for school research before you're able to write.
On a personal note, I'm agnostic, so it's no great surprise to me that the more facts people have available to consult, the less seriously religion is taken. "Faith" is something I see as laziness - "I don't want to check this fact, I'll just trust it's true" isn't the best principle to live by. In fact, it's that exact principle that is being eroded by the simplicity of fact-checking nowadays (even if not perfect, there are still good sources of actual fact rather than common belief out there).
Religion has been on a bit of a death-spiral for years. My country is pretty much turning churches into nothing more than pretty historical buildings that you visit and feel obliged to drop a coin in the box to pay for your nice photos of the stained-glass. My father-in-law is religious and bemoans the complete lack of religion in his local area - he visited dozens of churches before he found one with any kind of active services, and they didn't suit his preference.
By contrast, he says that the US is a much more faithful country and you can still draw crowds of tens of thousands at certain churches.
But I think that's more about celebrity, and the older generation, than anything to do with religion itself.
Religion is dying a little, but to be honest we were in a kind of renaissance of religion the last couple of hundred years anyway.
Linux Developers Consider On-Screen QR Codes For Kernel Panics
Just over a kilobyte, I think.
But that can be compressed as it doesn't NEED to be human-readable any more. So you can easily fit in a few KB of useful data, I should think.
And as data density rises, so does the error correction but if the QR code reads (you have a device that reads them directly, why bother to snap a shot then process the image separately?) then it was a success. Hover and hold until you get the beep, on almost any smartphone made this decade.
But, no, you won't get CORRUPT data. The QR code either works or doesn't, like barcodes either scan or don't. You don't scan a book and get sold a DVD. Same principle.
What you might have is trouble getting a decent QR read on a crappy low-res camera but that's - again - no worse than the prior situation where I've seen kernel-panic screenshots you can't even read, let alone decode.
Linux Developers Consider On-Screen QR Codes For Kernel Panics
You lose nothing.
Anything that could have been logged to disk will have been.
Anything that couldn't is probably FAR TOO LONG to even start taking down any other way and almost certainly will cut through the screen buffer limit anyway (every kernel panic I've had - which is about a dozen I think - was like that).
Let's compare and contrast to, say, Windows. Bluescreen with minidump and error code that has 7 million potential causes.
At least with a QR code, for those totally undumpable errors, you stand half a chance of snapping it and providing several kilobytes of useful information for someone to work from - that they know hasn't been transcribed wrongly. And can be taken from even a completely hung machine.
It's a good idea. Someone needs to make a patch for it. The biggest problem - as always - will be making sure you can get to the point that you can write to the video memory and do so with enough processing / storage to be able to write something useful into the QR code.
British Domain Registrar Offers 'No Transfer Fees,' Charges Transfer Fee
The problem is the overlap between basic consumer rights ("statutory rights"? Heard the phrase anywhere? Like every contract ever "not affecting them"? Actually, they can't be affected by contracts whether the contract says or not!) and contract law.
Yes, you can sign away an awful lot. But you cannot be expected to be held to a contract held as "unfair" (which this one almost certainly would be). The problem is proving that can be expensive.
Never forget that what you sign is only one part of what you've got on your side. You can sign, for example, that you would become a slave that your employer can whip. Your employer CANNOT enforce that though. Some rights, including your consumer rights, cannot be signed away and automatically make such things null and void.
If you took this to even small claims court, it would be found to be unfair, it would be made void, and you would not pay anything.
If, however, they took reasonable steps to inform you of the change, and got consent (even implied, but that's tricky), and gave you time to disagree (usually by termination of said contract), then it would be binding on you. Then it would be considered "fair" as it's not asking you to do anything illegal or drastic.
For future reference, this applies to ALL KINDS of contracts. The law is in place to override your ability to do this to your customers in an unfair way and take priority over ANYTHING they've signed. It just might take a customer taking it through small claims (or larger) courts in order to prove that. And, chances are, unless a lot of them do, they will not retract the policy in the company unless the court orders them to. So you might win, but no other customer (who probably won't bother to take it to court) would, and things like that.
I've used 123-Reg in the past. They were atrocious. But you can be sure that if I were a customer, there'd be a letter winging its way to head office to state the above. Given the track record I have (and I'm no lawyer), they might tie up any domain I had for a few weeks but in the end they've been transferring my domains for free. I don't care enough to make them do it for other customers, that's those customers' problem.
And the problem is that 99% of consumers think, like you, that this is "legal" just because it's on paper. And when you get the first letter in reply saying that they don't agree with your interpretation, etc. etc. etc. and basically saying "Fuck off" in legalese, you'll accept it grudgingly and just pay the £12. It's only the pedantic fuckers like me who actually enjoy being proven right that will go through the system and bug the shit out of them until they admit it.
It's not legal.
Your consumer rights ride straight over it.
But that doesn't mean it'll be easy to "convince" them (they know, their lawyers know, but they'll fight you all the way until you cause them more hassle than you're worth).
But take it to court and it'll be laughed out, if you even get that far. But it will cost you money (which you *can* get back from them) but most importantly an awful lot of time to sort out. And that's exactly what they rely on.
UK Government Pays Microsoft £5.5M For Extended Support of Windows XP
You have a lab microscope that costs £100,000. It's been working for 10 years and does exactly what you need. Attached to it is a PC to do image processing. That PC is supplied as part of the machine and includes one-off software to operate the microscope.
Now you say, of course, just ask how much it costs to get the equivalent software for 7, eh? Simple. But the microscope manufacturer hasn't sold anything to you in ten years. So they'll sell you a Windows 7 version. They'll charge you £90,000 for it. Or for £95,000 they'll sell you it attached to a new microscope worth £90,000 on its own.
What do you do?
Well, actually you work for the NHS. Which had fuck-all money as it pisses it away on management consultants. So instead of either option, you get fuck-all. Now when the attached PC dies, you need to hope your IT guys have an image. When your IT guys move to Windows 7 for the central system, you better hope it can connect to it to store the images. You can't virtualise it because the DRM on the interface cost the manufacturer at least £10,000 to implement to stop you doing precisely that.
Now you're screwed. You can't put your lab slides into the national health system without a lot of manual pissing about. You can't justify buying just the Windows 7 version of the software / drivers (because you might as well just buy a new microscope, and that would come under buildings budget or medical equipment, not IT upgrades). You can't negotiate them down anywhere near sense. You can't replace the machine and - eventually - it's going to die.
And every year the microscope manufacturer puts up their prices by £10,000.
Now multiply by every hospital in the country.
Now multiply by every piece of large equipment (genetics machines, blood samplers, X-Ray machines, ECGs, MRIs, etc.).
Soon, it just becomes better to leave it the fuck alone and wait until you NEED to do something. Then you can justify it, now that it's broken and you need it. And then you can get the government to step in and negotiate a deal. That's what's happened. And the government have said "For fuck's sake!" and gone to MICROSOFT rather than the multitude of equipment manufacturers.
Think I'm exaggerating? My girlfriend is a geneticist in an NHS hospital. The machine she works on is 15 years old, dog-slow compared to the state of the art, and runs off Windows XP embedded. When it dies, the IT team has to track down an old IDE hard drive to fit into it and image it back. And she has to manually transfer images to the "real" integrated system to put them on patient records.
And the NHS haven't even BEGUN to get off Windows XP on the desktop where she works. Precisely because of, and a contributing factor to, this shit.