Become a fan of Slashdot on Facebook


Forgot your password?

Comment Re:Worse than that (Score 2, Interesting) 225

Did you bother even reading the article? The code is in httpd.c, which obviously handled both types of connections. I almost hate SSL sometimes because people equate it with security -- but not encryption or integrity, but that somehow it's a magical fix-all for whatever the security flaw is. I see this kind of thinking in IT people in charge of the enterprise and it scares me. Security is not about having a setting enabled, and it certainly requires much more analysis than a simple dismissive suggestion.

Comment Re:Why do we trust Javascript all of a sudden (Score 2, Insightful) 156

But there have been many browser exploits recently, and they've been in virtually every component of the browser. This flaw has nothing to do with JavaScript itself, just the implementation. Flaws have been found in XML and HTML rendering engines, third-party components, URL handlers and many other pieces of the browser. If we're going to disable every feature that's potentially vulnerable, we might as well stay off the Web.

Comment Postini works (Score 1) 176

In my humble and largely anecdotal experience, Postini works well. We send out e-mail that can often be flagged as SPAM when we perform penetration testing, and Postini seems to be the toughest to get around. We see in-house devices such as IronMain, and outsourced services such as MXLogic and FrontBridge/hosted Exchange, but Postini seems to do the best at stopping illegitimate messages. The company I work for uses this it as well, and logging into my Postini inbox I see a lot of spam but no false positives. I think it's a pretty good solution if you don't want to handle SPAM in-house.

Comment Re:ATM != desktop computer (Score 3, Interesting) 257

They run XP embedded, which allow you to customize which components are used much more so than regular XP. That is not to say I don't see your point -- we've broken into plenty of Diebold XP ATMs during authorized penetration tests using regular Windows exploits. After that, it's game over with the software this product mentions. Then again, regular OS's have been running on ATMs for a long time, and many still run OS/2.

Comment Flash security often overlooked (Score 2, Insightful) 82

Though I haven't had a chance to evaluate it just yet, I think this is a step in the right direction. Flash security is often overlooked, while Flash itself is often overused by designers who think that pretty effects make the web page. It gets especially bad when Flash is used for activities that require some sort of security, such as a login form. 99% of the time, instead of POST'ing that information to a server side script, it's handled inside the SWF file. Since these can be easily decompiled (grab a copy of Flare or any other decompiler), the password is easily revealed. I recently found a network product which went through the trouble of XOR'ing a password and storing in a text file. Two problems: the text file was in the web root, and the XOR key was inside the SWF. Tools like this can only raise awareness of these types of issues.

Comment Nearly crashed the Internet? (Score 3, Interesting) 196

I don't know about it nearly crashing the Internet. How many people actually noticed a difference that day, for that matter?

A lot of admins, especially after the alert went out over the NANOG list, set their routers to reject long ASPATHs (or I assume, from what I saw on those list, I am not a BGP admin myself.) Many routers simply rejected these ASPATHs as well; correct me if I'm wrong, but weren't old versions of IOS the only ones affected? It was a serious issue, but I'm not sure if it came anywhere near a disaster scenario.

Comment Backwards thinkings (Score 1) 674

Closed source applications have to be audited with fuzz testing and other techniques, and this means that bugs can hide from the "white hats" (or the company) for a long time. Look at the bug fixed by MS08-067; it was discovered in the wild as part of a trojan and is now at the center of one of the biggest worm breakouts in history. Open source software can be fully audited by third-parties, including through techniques such as static analysis. I am not anti-closed source per se, but calling it somehow more secure because it "can't be verified" is the opposite of the truth. Tell your customers to talk to a security professional, not a salesman.

Comment Other TV hacks (Score 5, Informative) 526

I love when stuff like this happens. In the past, there have been incidents such as when someone switched over a feed of Jeopardy to the Playboy Channel. Other notable incidents:

Max Headroom Incident:
HBO "Captain Midnight" incident:

Slashdot Top Deals

Vax Vobiscum