Please create an account to participate in the Slashdot moderation system


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Comment: Re:Original premise is false (Score 1) 582

Yes, exactly. (My day job is static analysis)

"Many Eyes" are great for identifying and fixing the broken build... but have no good track record for monitoring security design and implementation flaws.

For security infrastructure critical code, the available tools should be coming up spot clean. This is absolutely not the case with Openssl.

Comment: Re:well, almost (Score 1) 143

by FormOfActionBanana (#46486893) Attached to: Weak Apple PRNG Threatens iOS Exploit Mitigations

repeatedly hashing a counter that is set with a random seed

But I think that's exactly why you don't roll your own. That would be a predictable sequence. I could make a rainbow table of sha1('1'), sha1('2') etc. up to 4 trillion, and then by sampling a few numbers from your stream I could very quickly identify the current counter value and the next sequences for ever. Total fail, and if the seed is the system time this is only a level of abstraction more difficult. (Chess & West, p. 398)

Comment: Re:Many Eyes (Score 1) 88

by FormOfActionBanana (#46415951) Attached to: Ask Slashdot: Reviewing 3rd Party Libraries?

That's utterly crap advice. Since a lot of softwares in popular, active use have critical vulnerabilities.

The example quoted just above ( in which nobody got the sarcasm... says:

You know there won't be any bugs in those, or if there are they'll be very quickly fixed and not sit there unnoticed for years.

He was referring to and, not to mention which also sat unnoticed for years.

Comment: OpenBSD and the 1000M limit (Score 1) 290

by FormOfActionBanana (#46413543) Attached to: Interview: Ask Theo de Raadt What You Will

The last time I tried to run OpenBSD, it was so I could test our static analyzer Fortify SCA on the kernel.

One thing that really held me back in my research is that processes were limited to about 1 Gigabyte of RAM each. What exactly is the reasoning behind this hard limit?

Note: I never finished my work, but it would be totally cool to compete this someday.

You know you've landed gear-up when it takes full power to taxi.