Security

Submission + - Google security engineer issues Sophos warning (cso.com.au)

angry tapir writes: "Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster. Ormandy has released a scathing 30-page analysis (PDF) “Sophail: Applied attacks against Sophos Antivirus”, in which he details several flaws “caused by poor development practices and coding standards”, topped off by the company’s sluggish response to the warning he had working exploits for those flaws. One of the exploits Ormandy details is for a flaw in Sophos’ on-access scanner, which could be used to unleash a worm on a network simply by targeting a company receiving an attack email via Outlook. Although the example he provided was on a Mac, the “wormable, pre-authentication, zero-interaction, remote root” affected all platforms running Sophos. (Ormandy released the paper as an independent researcher, not in his role as a Google employee.)"

Submission + - Validating SSL Certs Completely Broken Outside the Browser (acm.org)

deeqkah writes: SSL Certificate Validation, in a nutshell, attempts to confirm to the user that the identity of the website that he or she is connecting to is indeed that website, because a "Trusted Authority" said so. While it can be said that Certificate Validation is a bit sketchy in the browser, it can be said with certainty that outside of the browser, the majority of SSL implementations are completely broken.

In a paper submitted to the ACM Conference on Computer & Communications Security [PDF], six researchers from the University of Texas at Austin and Stanford University demonstrate the great lengths to which this SSL implementation is broken. Most concerning is the fact that the vulnerable applications & libraries are widely used — Amazon's EC2 Java library and all cloud clients based on it, Amazon's and PayPal's merchant SDKs, integrated shopping carts (ZenCart, Ubercart, and PrestaShop), Chase mobile banking and several other Android apps and libraries... the list is of course expansive.

The researchers state: "The root causes of these vulnerabilities are badly designed APIs of SSL implementations (such as JSSE, OpenSSL, and GnuTLS) and data-transport libraries (such as cURL) which present developers with a confusing array of settings and options."

Science

Submission + - Carbon clock gets reset (nature.com)

ananyo writes: "Climate records from a Japanese lake are set to improve the accuracy of carbon dating, which could help to shed light on archaeological mysteries such as why Neanderthals became extinct.
Carbon dating is used to work out the age of organic material. But the technique assumes that the amount of carbon-14 in the atmosphere was constant — any variation would speed up or slow down the clock. Since the 1960s, scientists have started accounting for the variations by calibrating the clock against the known ages of tree rings. The problem is that tree rings provide a direct record that only goes as far back as about 14,000 years.
Now, using sediment from the bed of Lake Suigetsu, west of Tokyo, researchers have pushed the calibration limit back much further. Two distinct sediment layers have formed in the lake every summer and winter over tens of thousands of years. The researchers collected roughly 70-metre core samples from the lake and painstakingly counted the layers to come up with a direct record stretching back 52,000 years.
The recalibrated clock could help to narrow the window of key events in human history. Take the extinction of Neanderthals, which occurred in western Europe less than 30,000 years ago. Archaeologists disagree over the effects changing climate and competition from recently arriving humans had on the Neanderthals' demise. The more accurate carbon clock should yield better dates for any overlap of humans and Neanderthals, as well as for determining how climate changes influenced the extinction of Neanderthals."
