Submission + - Bob Beck gives a 30-day status update on LibreSSL at BSDCan in Ottawa

ConstantineM writes: Bob Beck — OpenBSD, OpenSSH and LibreSSL developer and the director of Alberta-based non-profit OpenBSD Foundation — gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing for a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.

Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that no one at OpenSSL is actually interested in maintaining OpenSSL, but merely adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior). Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers in finding and fixing even more OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL. It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers already saw their addition to LibreSSL — RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for a funding commitment — the Linux Foundation is turning a blind eye to LibreSSL, and instead is only committed to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the OpenSSL project upstream. Funding can be directed to the OpenBSD Foundation.

Submission + - LibreSSL Update (openbsd.org)

the_B0fh writes: Bob Beck reports on the progress the OpenBSD team has made on LibreSSL. Some highlights:

Code was horrible. Nobody wanted to touch it. OpenSSL Foundation appears to be a million dollar a year for-profit company doing FIPS consulting. Bugs rot for years in bug tracker. ROP coding function — allows you to jump to any arbitrary address — ROP coder's wet dream! Current third party ports are all insecure. Need funding. Linux Foundation has not committed to support LibreSSL.

Submission + - Robbery Suspect Tracked by GPS and Killed (nytimes.com)

Lew Lorton writes: Relying on a GPS device placed in a decoy pill bottle, police officers tracked an armed man suspected of robbing a pharmacy on Friday afternoon and fatally shot him during a confrontation on the Upper East Side. When the man was confronted while his car was in a traffic jam, according to police he raised a gun to shoot and an officer shot and killed him.
The pill bottles sit on the pharmacy shelf in a special base; when the bottles are lifted from the base, they begin to emit a signal.
The decoy bottles were developed by Purdue Pharma, which makes OxyContin, a brand of oxycodone,

Submission + - Waterloo WeBike Project (uwaterloo.ca)

An anonymous reader writes: A research group at University of Waterloo — ISS4E is planning to use electric bikes to study many different problems facing today's Electric Vehicles (EVs).

Academic studies of EVs are limited by the fact that they are expensive. The idea is to deploy a fleet of sensor-equipped electric bicycles or e-bikes to UW faculty, staff, and students, analyze data collected from them to study the problems of EV range, battery performance, battery life, and battery temperatures (given the recent Tesla fire mishaps)! Given that both EVs and e-bikes use very similar battery technology.

Not only does it go a long way in benefitting EV research, but it also may present in the future, a cost-effective completely off-grid transportation solution.

Submission + - George R R Martin Reveals His Secret Weapon for Writing GOT- Wordstar

Hugh Pickens DOT Com writes: Ryan Reed writes that when most Game of Thrones fans imagine George R.R. Martin writing his epic fantasy novels, they probably picture the author working on a futuristic desktop (or possibly carving his words onto massive stones like the Ten Commandments). But the truth is that Martin works on an outdated DOS machine using Eighties word processor WordStar 4.0, as he revealed during an interview on Conan. "I actually like it," says Martin. "It does everything I want a word processing program to do, and it doesn't do anything else. I don't want any help. I hate some of these modern systems where you type a lower case letter and it becomes a capital letter. I don't want a capital. If I wanted a capital, I would have typed a capital. I know how to work the shift key." "I actually have two computers," Martin continued. "I have a computer I browse the Internet with and I get my email on, and I do my taxes on. And then I have my writing computer, which is a DOS machine, not connected to the Internet."

Submission + - OpenBSD 5.5 Released (openbsd.org)

ConstantineM writes: Just as per the schedule, OpenBSD 5.5 was released today, May 1, 2014. The theme of the 5.5 release is Wrap in Time, which represents a significant achievement of changing time_t to int64_t on all platforms, as well as ensuring that all of the 8k+ OpenBSD ports still continue to build and work properly, thus doing all the heavy lifting and paving the way for all other operating systems to make the transition to 64-bit time an easier task down the line. Signed releases and packages and the new signify utility are another big selling point of 5.5, as well as OpenSSH 6.6, which includes lots of DJB crypto like chacha20-poly1305, plus lots of other goodies.

Comment OPENSSL_NO_HEARTBEATS (Score 1) 144

You're referring to the exploit-mitigation-mitigation in OpenSSL, which indeed couldn't be disabled, as per tedu@openbsd, but OPENSSL_NO_HEARTBEATS was a separate option that no one has volunteered to claim does not work.

OPENSSL_NO_HEARTBEATS has since been made the default and only option in LibreSSL, and the heartbeats were removed.

Comment Didn't Target have Chip and Pin back in 2005? (Score 1) 210

Didn't Target already have Chip and Pin back in 2005 or 2004? What happened to all of those?

I remember I got a Chip and Pin card from Fleet around that time (just on the edge of them being acquired by B of A); Fleet even sent me a free card reader, which I've never used, actually.
