
Comment Re:2 factor authentication would have. (Score 1) 142

Don't get cocky, kid. In the RSA breach the hackers went after material used in SecurID (RSA's 2FA product). They're going after phones with the 2FA apps on them too.

Yeah, 2FA is good security practice and its use will make it significantly harder to breach a system using legitimate credentials, but the notion that it's full proof (or fool proof) is a myth.

Comment It's Better and Worse Than This... (Score 1) 130

It's better in that just because a component has a vuln doesn't mean that vuln is exploitable in all situations. Unfortunately, people are TERRIBLE at determining if a vulnerability is potentially exploitable or not.

It's worse in that the data in the NVD is often wrong and has lots of missing versions. For example, CVE-2013-5960 says "The ... in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.1" and it lists the affected versions only as 2.0.1. The description is wrong (the issue was fixed in 2.1.0) and the list of versions is incomplete, as there are more versions that are affected. Another example: CVE-2014-3604 says "Certificates.java in Not Yet Commons SSL before 0.3.15 ..." and then lists the affected versions as 0.3.15, which is the version it was fixed in, and it doesn't list the versions that were actually affected.
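
An added example, not part of the comment above: a cross-check of a CVE description's "before X" bound against the versions listed as affected, run on the two records as the comment quotes them. The record layout, function names and finding codes are assumptions made for this sketch, and nothing is fetched from the NVD.

```python
import re

# Constructed sample records: text and version lists copied from the
# comment's quotations, not retrieved from the NVD.
RECORDS = {
    "CVE-2013-5960": {
        "description": "The ... in the OWASP Enterprise Security API "
                       "(ESAPI) for Java 2.x before 2.1.1",
        "listed": ["2.0.1"],
    },
    "CVE-2014-3604": {
        "description": "Certificates.java in Not Yet Commons SSL before 0.3.15 ...",
        "listed": ["0.3.15"],
    },
}

# Matches the first-fixed bound in phrases such as "before 0.3.15".
BOUND_RE = re.compile(r"\bbefore\s+(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn a dotted numeric version such as '0.3.15' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def cross_check(description, listed):
    """Return finding codes (hypothetical names) for one record."""
    match = BOUND_RE.search(description)
    if match is None:
        return ["NO_BOUND"]  # nothing to compare against
    bound = parse_version(match.group(1))
    findings = []
    # A listed version at or above the bound contradicts "before X".
    if any(parse_version(v) >= bound for v in listed):
        findings.append("LISTED_NOT_AFFECTED")
    # A range is described but only one version is listed: likely incomplete.
    if len(listed) == 1:
        findings.append("SINGLE_VERSION_FOR_RANGE")
    return findings


def audit(records):
    """Cross-check every record and return {cve_id: [finding codes]}."""
    return {cve: cross_check(r["description"], r["listed"])
            for cve, r in records.items()}


if __name__ == "__main__":
    for cve, findings in audit(RECORDS).items():
        print(cve, findings or ["OK"])
```

A check like this only catches a record that disagrees with itself; it cannot tell that the bound in a description is itself wrong.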

Comment Re:The root cause : poor unit testing (Score 1) 130

Sorry, but no, it's not that simple. Lots of vulnerabilities come into a project because of dependencies that are poorly managed. Project A depends upon project B which in turn depends upon project C and C has the vuln. All the unit testing of A in the world will not turn up that vuln. That requires system testing and that's a lot more involved.

Comment Re:The two things that have led me to oppose the D (Score 0) 649

There is disagreement over that.

"The new deterrence research has been discussed favorably and uncritically by national news outlets and has been declared persuasive in leading academic journals and by prominent scholars and jurists. Legal academics, such as Professors Cass Sunstein and Adrian Vermeule, both of the University of Chicago, find the new deterrence evidence "powerful" and "impressive." They couple it with "many decades of reliable data about [capital punishment's] deterrent effects" as the "foundation" of their argument, which holds that since "capital punishment powerfully deters killings," there is a moral imperative to aggressively prosecute capital crimes. Prof. Becker concurs, finding the evidence "persuasive," while Judge Richard Posner brushes aside worries about the possible execution of the innocent as we ramp up executions to achieve even greater deterrent effects. Twice, authors of some of the articles have appeared before the U.S. Congress, stating the case for deterrence."
