Forgot your password?

Comment: Testing and validation is what's needed (Score 1) 374

by putaro (#46798725) Attached to: OpenSSL Cleanup: Hundreds of Commits In a Week

Code fixes are all fine and well but where the real thought needs to be going is how to verify these protocols. The basic problem with security is that "working" doesn't mean "secure". Most people focus on testing for "working" and given the bugs that have shown up in OpenSSL and its cousin in the last month or so, the problem is not that they don't work (that is, interoperate and transmit data) but that they have corner cases and API holes that are major security concerns. Some real thought needs to be put into the testing of secure systems and how to verify that they not only "work" but are actually secure.

Comment: Just because you can doesn't mean you should (Score 5, Insightful) 226

by putaro (#46763475) Attached to: How 'DevOps' Is Killing the Developer

There's definitely truth to what he's saying but it cuts the other direction as well. Having your lead guru developer swapping disk drives on a machine isn't the best use of his time. However, I've also seen environments where the developers can't/won't/aren't allow to do the system admin tasks and wind up waiting around or being frustrated when their development systems have a problem. Likewise, with QA - I've seen developers that will just toss any old crap over the wall and expect QA to catch all of their bugs. And, developing tests is often software engineering, often complex software engineering that needs an experienced developer to establish at least the outline of how everything works.

Personally, I expect any developers I'm working with to have at least basic sys admin abilities and know how to setup/fix any other part of the stack they might touch. Those skills should be used when working with the dev systems and in establishing the base line for production. I would then expect that someone who is more specialized in those other roles to actually setup and run production and also be available when the developers get in over their heads on system admin, hardware troubleshooting, etc. In the same way I would expect a systems admin to at least be able to write a script to automate something and not go running to the developers for everything.

For test development, I always like to set groups against each other and develop the test suite for each other's code. Most people are a lot more comfortable and eager to break someone else's code than they are their own.

Comment: Focusing on the wrong hand (Score 2) 146

by putaro (#46757607) Attached to: How Amazon Keeps Cutting AWS Prices: Cheapskate Culture

The article focused on how Amazon cuts hardware costs. The first step there is a big one - once you let go of buying name brand hardware, especially for storage, the price drop dramatically. So dramatically, in fact, that hosting (largely electricity, cooling and network connectivity) becomes the major cost in the equation. Amazon is pushing for extremely high density, however, that has a ripple effect throughout your whole datacenter design. If you're not in a high cost area, you might ask why focus on density because floor space is relatively cheap.

Comment: Re:"It's Not a Tumor" - Oh Wait, It Is (Score 1) 301

by putaro (#46733277) Attached to: Theo De Raadt's Small Rant On OpenSSL

How about this

I haven't tried setting up a large PKI infrastructure so I'm curious if you know more. Technically it's possible but I could see why a CA wouldn't do it. The info for this GlobalSign "Trusted Root" seems to imply that you get to sign keys with your own existing root CA but that GlobalSign will sign it as well so you don't need to distribute your own root cert. Am I reading it wrong?

Comment: Re:"It's Not a Tumor" - Oh Wait, It Is (Score 1) 301

by putaro (#46721123) Attached to: Theo De Raadt's Small Rant On OpenSSL

It depends on where you are in the chain.

If you're a CA, then yes, the intermediate key would be used for automated signing. It STILL shouldn't be on hosts that are directly connected to the Internet.

If you're a company that is not a CA, then the intermediate key signed by the CA is pretty much your root key. It shouldn't be on your web servers, you should keep it offline if possible and you should be generating another layer of keys that are used to sign actual server certificates.

Comment: Re:It's really annoying (Score 1) 303

by putaro (#46691333) Attached to: OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

Yah, like all that oh-so-secure code that used to float around back in the 70's and 80's? I remember when systems used to get hacked by dial-up modem on a regular basis. There were and have been security holes in things forever. It just used to be harder to exploit most of them remotely and there were fewer people trying to exploit them.

Numeric stability is probably not all that important when you're guessing.