Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror

Submission + - LibreSSL Update (openbsd.org)

the_B0fh writes: Bob Beck reports on the progress the OpenBSD team has made on LibreSSL. Some highlights:

Code was horrible. Nobody wanted to touch it. OpenSSL Foundation appears to be a million dollar a year for-profit company doing FIPS consulting. Bugs rot for years in bug tracker. ROP coding function — allows you to jump to any arbitrary address — ROP coder's wet dream! Current third party ports are all insecure. Need funding. Linux Foundation has not committed to support LibreSSL.

Comment Re:Fuzz Testing. Next! (Score 1) 116

They are all tools that can be applied to improve the quality of the code. No one thing is "The Solution".

* Test Driven Development (TDD) is a good approach to ensure that the code you write is testable. This will not work for things like UI code, but other code will benefit.

* Unit Tests can either be developed via a TDD-like approach (easier to do), or after the code is written (harder to do).

* Automated Regression Tests (a superset of Unit Tests) provide good coverage for ensuring code works as expected without involving a large manual testing team. These will only detect the things covered by the automated tests.

* Static Code Analysis tools can pick up a lot of problem areas, but will not detect every problem. These results can be used to identify what tests need to be created to prevent future regression.

* Fuzz testing is good at providing strange data to e.g. a protocol or file format parser. These are intended to be soak tests -- e.g. "does my regular expression parser handle all these strange and possibly invalid constructs". Fuzz testing would have most likely found the heartbleed bug (because it would have permutated the length of data to request). Any failures here should be converted to Unit/Regression tests to ensure that the problem is (a) fixed by any code changes made and (b) does not occur in the future. Fuzz testing will typically find hard to identify bugs (e.g. data races) that are not easy to identify from manually constructed tests or static analysis.

* Manual/ad hoc testing is important as it can uncover bugs that the developers are not aware of.

* Code and Security Reviews help identify potential issues (e.g. if you have someone knowledgeable about SQL injection, they can assess whether some code is vulnerable to that attack).

None of these is a silver bullet, but the more you have the better the code will be.

Submission + - British government willing to block EU net neutrality deal (buzzfeed.com)

An anonymous reader writes: The British government has said it will block the EU's recently signed net neutrality deal if it stops it censoring the internet. The European Parliament passed net neutrality legislation last month, but member state governments have to sign off the plan before it can become law.

Submission + - Australian government devastates game industry (digitallydownloaded.net)

angry tapir writes: Australia's new conservative government has just handed down its first budget, which includes stripping all funding from the Interactive Games Fund which helps fund the development of video games in the country. The games industry in Australia has had a rough time, with some big names, such as Team Bondi shutting down over the last half decade (that last link is from 2011 and notes that even then the industry was in dire straits).

Submission + - Columbus ship "Santa Maria" has been found near Haiti after 500 Years

rtoz writes: The British Newspaper The Independent has reported that a team led by underwater archaeological explorer Barry Clifford found the wreck of the Christopher Columbus' flagship, the Santa Maria which sank in 1492.

"All the geographical, underwater topography and archaeological evidence strongly suggests that this wreck is Columbus’ famous flagship, the Santa Maria," said Barry Clifford.

Santa María was the largest of the three ships used by Christopher Columbus in his first voyage.

The Santa Maria was built at some stage in the second half of the 15 century in northern Spain’s Basque Country. In 1492, Columbus hired the ship and sailed in it from southern Spain’s Atlantic. After 37 days, Columbus reached the Bahamas. But after few weeks Santa Maria drifted at night onto a reef off the northern coast of Haiti and had to be abandoned.

Submission + - UK ISPs to send non-threatening letters to pirates (bbc.co.uk)

echo-e writes: A deal has been made between groups representing content creators and ISPs in the UK concerning how the ISPs should respond to suspected illegal file sharers. In short, the ISPs will send letters or emails with an "educational" rather than threatening tone, alerting users to legal alternatives. The rights holders will be notified of the number of such alerts that have been sent out, but only the ISPs will know the identity of the offenders. Only four of the UKs ISPs have agreed to the "Voluntary Copyright Alert Programme" so far, but the remaining ISPs are expected to join the programme at a later stage. The debate between rights holders and ISPs has raged on for years. This agreement falls short of the of the proposals put forward by the rights holders groups, but the ISPs have argued that it is not their responsibility to police users and that a legal process already exists for going after individuals.

Submission + - McAfee accused of McSlurping Open Source Vulnerability Database (theregister.co.uk)

mask.of.sanity writes: Intel security subsidiary McAfee may be in hot water after it allegedly scraped thousands of records from the Open Source Vulnerability Database instead of paying for them. The slurp was said to be conducted using fast scripts that rapidly changed the user agent, and was launched after McAfee formally inquired about purchasing a license to the data. Law experts say site's copyright could be breached by individuals merely downloading the information in contravention to the site's policies, and did not require the data to be subsequently disseminated.

Submission + - The upcoming Windows 8.1 apocalypse 2

arglebargle_xiv writes: As most people will have heard, Microsoft will end support for anyone who hasn't upgraded to Win8.1 Update 1 on May 8. What fewer people have heard is that large numbers of users can't install the 8.1 Update, with over a thousand messages in this one thread alone, and that's for tech geeks rather than home users who won't find out about this until their PC becomes orphaned on May 8. Check your Windows Update log, if you've got a "Failed" entry next to KB2919355 then your PC will also become orphaned after May 8.

Submission + - Oklahoma Moves To Discourage Solar and Wind Power

Hugh Pickens DOT Com writes: Paul Monies reports at NewsOK that Oklahoma's legislature has passed a bill that allows regulated utilities to apply to the Oklahoma Corporation Commission to charge a higher base rate to customers who generate solar and wind energy and send their excess power back into the grid reversing a 1977 law that forbade utilities to charge extra to solar users. "Renewable energy fed back into the grid is ultimately doing utility companies a service," says John Aziz. "Solar generates in the daytime, when demand for electricity is highest, thereby alleviating pressure during peak demand."

The state’s major electric utilities backed the bill but couldn’t provide figures on how much customers already using distributed generation are getting subsidized by other customers. Oklahoma Gas and Electric Co. and Public Service Co. of Oklahoma have about 1.3 million electric customers in the state. They have about 500 customers using distributed generation. Kathleen O’Shea, OG&E spokeswoman, said few distributed generation customers want to sever their ties to the grid. “If there’s something wrong with their panel or it’s really cloudy, they need our electricity, and it’s going to be there for them,” O’Shea said. “We just want to make sure they’re paying their fair amount of that maintenance cost.” The prospect of widespread adoption of rooftop solar worries many utilities. A report last year by the industry’s research group, the Edison Electric Institute, warns of the risks posed by rooftop solar (PDF). “When customers have the opportunity to reduce their use of a product or find another provider of such service, utility earnings growth is threatened,” the report said. “As this threat to growth becomes more evident, investors will become less attracted to investments in the utility sector.”

Submission + - Koch brothers get efficient bus system banned in Tennessee

Andy R writes: Just as the city of Nashville was prepared to invest in Bus Rapid Transit, an efficient bus system that has been found effective in other countries both in reducing cars on the road and stimulating economies, the state of Tennessee bans them. Why? Because the Koch brothers opposed it and twisted the arms of politicians they control. For a while I thought they were another left-wing bogie man, but this is downright corrupt.

Submission + - Taking humor to a Heartbleed'ing new level!

fries writes: It is not news that OpenBSD is ripping OpenSSL a new one, and with good cause. The code has torn the industry a new one in a multiple platform debut of the heartbleed saga. When you are having so much pain from the server updates and password resets, it is time to laugh. Head over to http://opensslrampage.org/ for your dose of humor as related to the latest OpenBSD efforts.

Submission + - Quality: Open Source vs. Proprietary (ciol.com)

just_another_sean writes: Coverity Inc., a Synopsys company, released the 2013Coverity Scan Open Source Report.
The report details the analysis of 750 million lines of open source software code through the Coverity Scan service and commercial usage of the Coverity Development Testing Platform, the largest sample size that the report has studied to date.

A few key points:

* Open source code quality surpasses proprietary code quality in C/C++ projects.

* Linux continues to be a benchmark for open source quality.

* C/C++ developers fixed more high-impact defects. Analysis found that developers contributing to open source Java projects are not fixing as many high-impact defects as developers contributing to open source C/C++ projects.

Submission + - Study Finds U.S. is an Oligarchy, Not a Democracy

An anonymous reader writes: Researchers from Princeton University and Northwestern University have concluded, after extensive analysis of 1,779 policy issues, that the U.S. is in fact an oligarchy and not a democracy. What this means is that, although 'Americans do enjoy many features central to democratic governance', 'majorities of the American public actually have little influence over the policies our government adopts.' Their study (PDF), to be published in Perspectives on Politics, found that 'When the preferences of economic elites and the stands of organized interest groups are controlled for, the preferences of the average American appear to have only a minuscule, near-zero, statistically non-significant impact upon public policy.'

Submission + - PayPal Giving Nonsense Answers about OpenSSL/Heartbleed Vulnerability

Jammerwoch writes: In the process of verifying that my critical accounts had patched their OpenSSL implementation and re-issued their SSL certificate before changing my password, I noticed that PayPal had not addressed issue: not on their blog, in their support pages, or anywhere on my account page. I also noticed that their SSL certificate was issued in February of 2014, before the vulnerability was discovered. So I contacted support to ask if they had addressed the vulnerability. The first response I got was this:

"Your PayPal account details were not exposed at any time in the past and remain secure. You do not need to take any additional action to safeguard your information."

Undaunted, I replied, asking specifically if they were (or had ever) used one of the vulnerable versions of OpenSSL (1.0.1 through 1.0.1f). The response I received was amusing, to say the least:

"I assure you that your password is not compromised. We do not use an Open SSL in our servers. The SSL certificate that we are using is hyper encrypted and beyond the versions of the usual SSL certificate. It is not affected by the ongoing HeartBleed issue."

Well! Now I'm completely reassured, knowign that they don't use "the Open SSL", and that their certificate is "hyper encrypted".

Unimpressed.

Slashdot Top Deals

They are called computers simply because computation is the only significant job that has so far been given to them.

Working...