
Comment: Re:Helping the poor (Score 1) 311

You're wrong.

Once they're comfortable in their current state they can work on improving it. You can't focus on learning new skills or searching for a job if you have to find a blanket for tonight or you'll freeze to death. Almost everyone isn't going to hire a homeless bum, so they need enough stuff to make themselves not look homeless. They get those things as handouts on the street, from picking through the trash, or from robbing people.

The problem is that when we give them money for begging, they go use that money for a little bit of food and a whole lot of whatever it is they are self-medicating with. Change is uncomfortable and doubly so for someone who is a substance abuser. There are charities who help people who want to get off the street, and your money is much better spent there since they can help more effectively by providing food, clean clothing, a place to stay and help for whatever emotional problems or mental illness made them end up on the streets to begin with.

Comment: Ted Unangst's article (Score 4, Informative) 285

by grub (#46758065) Attached to: OpenBSD Team Cleaning Up OpenSSL

Ted Unangst wrote a good article called "analysis of openssl freelist reuse".

His analysis:

This bug would have been utterly trivial to detect when introduced had the OpenSSL developers bothered testing with a normal malloc (not even a security focused malloc, just one that frees memory every now and again). Instead, it lay dormant for years until I went looking for a way to disable their Heartbleed accelerating custom allocator.

It's a very good read.
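As an added illustration of the freelist-reuse point in the quoted analysis (a constructed toy allocator, not OpenSSL's code or Ted Unangst's): a LIFO freelist hands a just-freed block straight back with its old contents intact, so stale data survives the free/alloc round trip, whereas scrubbing on free (or using a normal malloc that actually returns memory) removes it.

```c
#include <stddef.h>
#include <string.h>

/* Toy arena of fixed-size blocks carved from a static buffer. Constructed
 * example for illustration only; it does not model OpenSSL's real allocator. */
#define BLOCK_SIZE 64
#define NBLOCKS 8

static unsigned char arena[NBLOCKS * BLOCK_SIZE];
static size_t next_fresh = 0;     /* index of the next never-used block */
static int freelist[NBLOCKS];     /* LIFO stack of freed block indices */
static int nfree = 0;

/* Hand out the most recently freed block first, as a freelist allocator does. */
static unsigned char *pool_alloc(void) {
    if (nfree > 0)
        return arena + (size_t)freelist[--nfree] * BLOCK_SIZE;
    if (next_fresh < NBLOCKS)
        return arena + (next_fresh++) * BLOCK_SIZE;
    return NULL;
}

/* Free without touching the contents: whatever was stored stays in the block. */
static void pool_free(unsigned char *p) {
    freelist[nfree++] = (int)((p - arena) / BLOCK_SIZE);
}

/* Free with scrubbing: the behaviour a hardened allocator adds. */
static void pool_free_scrub(unsigned char *p) {
    memset(p, 0, BLOCK_SIZE);
    pool_free(p);
}

/* Returns 1 if a block allocated right after a free still holds the old data,
 * 0 otherwise. The "secret" is a constructed sample value. */
int stale_data_survives(int scrub) {
    next_fresh = 0;
    nfree = 0;
    unsigned char *a = pool_alloc();
    memcpy(a, "session-secret", 15);
    if (scrub)
        pool_free_scrub(a);
    else
        pool_free(a);
    unsigned char *b = pool_alloc();  /* the same block comes straight back */
    return memcmp(b, "session-secret", 15) == 0;
}
```

With the plain freelist the recycled block still reads back the old contents; with scrub-on-free it reads back zeros.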

NSA said to have used Heartbleed bug for years

Submitted by grub
grub (11606) writes "The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts."


Comment: Re:Whatever you may think ... (Score 5, Informative) 444

by grub (#46721719) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

From the proof-of-concept page I mentioned above.

It is quite obvious in light of the recent revelations from Snowden that this weakness was introduced on purpose by the NSA. It is very elegant and leaks its complete internal state in only 32 bytes of output, which is very impressive knowing it takes 32 bytes of input as a seed.

Here is the GitHub repo for the PoC code.

This PRNG is not the NSA making a crypto system stronger à la DES; it's a backdoor.

Comment: Re:Whatever you may think ... (Score 4, Informative) 444

by grub (#46721219) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

RSA has denied having knowledge of the backdoor, says NSA tricked them, and has never denied the $10M payout. Some of Snowden's leaks mention it.
Reuters has a summary.

There is also a proof-of-concept backdoor with a link to the GitHub repo.

None of that is a smoking gun, but there is enough smoke to tell me there is a fire.

Comment: Re:Whatever you may think ... (Score 5, Insightful) 444

by grub (#46721009) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

Boy, if there's one thing that could ever kill Open Source it would be being held legally liable for a commit with a bug in it.

It burns me that RSA is not held liable for their $10M NSA backdoor in Dual_EC_DRBG PRNG. Customers should be flocking in droves but RSA gives enough swag at conferences that the suits don't care.

Your privacy sold off for $10M and some mouse pads.
