Comment Re:duplicated effort? (Score 2) 101

10. The companies listed do large amounts of business with the U.S. government, which requires FIPS certification of crypto software.

20. OpenBSD has explicitly stated that FIPS certification is off the table for OpenSSH. NOT one of their goals.

30. Taking that off the table leaves a large pile of money ON the table.

40. GOTO 10

Comment Re:Get it FIPS certified (Score 2) 360

The core encryption functions of an older version (0.9.8, I think) were spun off into a separate module and certified for FIPS. The certification process is that the code is provably correct and the implementation is flawless, which is why it takes so damn long. It is also why only the core crypto transforms are certified.

You CAN, and vendors DO update the wrapper module around the core functions and update things without having to go back under certification.

Case in point: the Red Hat version of FIPS-OpenSSL was susceptible to Heartbleed, even though the core FIPS module was based off of an older version that was produced before the code error was introduced! Why? Because the error wasn't in the core crypto but rather in the wrapper, non-crypto code. The actual cryptographic transforms (AES, HMAC-SHA, etc.) functioned perfectly, but information was leaked by the non-crypto code.

LOTS of people -- like almost everyone in the U.S. Gov't or contractors that work on their systems -- use the FIPS certified module for OpenSSL. Or, at least, Red Hat's version of it.
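To make the "wrapper, not the crypto" point concrete, here is an added illustration that is not code from the page, from OpenSSL or from Red Hat. It models the Heartbleed record handling in simplified form: an RFC 6520 heartbeat request carries a two-byte payload length that the attacker controls, and the vulnerable handler copies that many bytes back without checking that the record actually contained them. No AES or HMAC is involved anywhere, which is why a FIPS boundary around the ciphers says nothing about it. The `conn_t` struct, the `SECRET` bytes placed after the record, and the 256-byte "memory" region are all constructed so the over-read stays inside one array and the program runs deterministically; in the real bug the read ran off the end of the record buffer into whatever the heap held next.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16     /* RFC 6520 minimum padding after the payload */

/* Constructed stand-in for whatever happens to sit in memory after the record. */
static const char SECRET[] = "SECRET-KEY-BYTES";   /* 16 bytes, no NUL copied */

/* Simplified connection: the received record occupies mem[0..rec_len);
   bytes after that are unrelated process memory (here, SECRET). */
typedef struct {
    uint8_t mem[256];
    size_t  rec_len;    /* bytes actually received on the wire */
} conn_t;

static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, uint8_t *p) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Vulnerable handler: trusts the peer-supplied payload length.
   Only the output buffer is bounded; the input record never is. */
size_t heartbeat_vulnerable(const conn_t *c, uint8_t *out, size_t out_cap) {
    const uint8_t *p = c->mem;
    if (p[0] != HB_REQUEST) return 0;
    uint16_t payload = n2s(p + 1);                       /* attacker-controlled */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, p + 3, payload);   /* reads past rec_len when payload is inflated */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: the claimed payload (plus header and padding) must fit
   inside the record that was actually received, otherwise discard silently. */
size_t heartbeat_fixed(const conn_t *c, uint8_t *out, size_t out_cap) {
    const uint8_t *p = c->mem;
    if (c->rec_len < 1 + 2 + HB_PADDING) return 0;       /* too short to be valid */
    if (p[0] != HB_REQUEST) return 0;
    uint16_t payload = n2s(p + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > c->rec_len) return 0;   /* the missing check */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, p + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Constructed request: 4-byte payload "ping", 16 bytes padding, 23 bytes on the wire,
   with SECRET placed in the "memory" immediately after the record. */
static void fill_conn(conn_t *c, uint16_t claimed_len) {
    memset(c, 0, sizeof *c);
    c->mem[0] = HB_REQUEST;
    s2n(claimed_len, c->mem + 1);
    memcpy(c->mem + 3, "ping", 4);
    c->rec_len = 1 + 2 + 4 + HB_PADDING;                 /* 23 */
    memcpy(c->mem + c->rec_len, SECRET, sizeof SECRET - 1);
}
void honest_conn(conn_t *c)    { fill_conn(c, 4); }      /* claims 4, sends 4 */
void malicious_conn(conn_t *c) { fill_conn(c, 64); }     /* claims 64, sends 4 */

/* Does the response echo any copy of SECRET? */
int response_leaks_secret(const uint8_t *out, size_t n) {
    size_t s = sizeof SECRET - 1;
    for (size_t i = 0; i + s <= n; i++)
        if (memcmp(out + i, SECRET, s) == 0) return 1;
    return 0;
}

int main(void) {
    conn_t c;
    uint8_t out[128];
    malicious_conn(&c);
    size_t n = heartbeat_vulnerable(&c, out, sizeof out);
    printf("vulnerable: %zu-byte response, secret leaked: %d\n", n, response_leaks_secret(out, n));
    n = heartbeat_fixed(&c, out, sizeof out);
    printf("fixed: %zu-byte response (0 = request discarded)\n", n);
    return 0;
}
```

The fix is a length comparison on the record, exactly the kind of check a cipher certification never looks at; the ciphers inside the FIPS boundary are untouched by both the bug and the patch.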

Comment Re:Okay, Go! (Score 3, Interesting) 304

Not necessarily. It looks like they're removing what they can't support, such as VMS, Netware and OS/2. The few people that care can still use the original OpenSSL code.

I'd expect them to ensure it support the hardware platforms OpenBSD supports at the very least. Then, if they go the "portable" route like they did for OpenSSH, support for the other Unix and Unix-like systems.

http://www.openssh.com/portable.html

More power to them.

Submission + - Theo De Raadt's Small Rant on OpenSSL (gmane.org) 1

raides writes: Theo De Raadt has been on a better roll as of late. Since his rant about FreeBSD playing catch-up (here), he has something to say about OpenSSL. It is worth the 5 second read because it is how a few thousand of us feel about the whole thing and the stupidity that caused this panic. Enjoy

Comment Re:No Wireless? (Score 3, Insightful) 97

Uh, no thanks.

I much prefer the wireless to be on a mini-PCIe card so I can upgrade it if necessary.

Damn near everything that comes with Wifi/BT ends up being single-band b/g/n and BT 2.0. For $35 I can get a dual-band, a/b/g/n/ac card w/BT 4.0.

Slapping it on the board greatly reduces options.

Comment Re:If BITC are property.. (Score 1) 273

No, you're supposed to pay your taxes in the form the government with the military SAYS you're supposed to pay your taxes regardless of what you personally use for a medium of exchange.

See: Split Tally Sticks, especially their use in England, for an example. It is still the longest in-use form of currency in history. Started by King Henry I around 1100, they persisted until 1826.

Comment Maybe... (Score 1) 8

Given my experience with Best Try, it might be "Betta" testing. They dunk the tablets in fishbowls and see how the fish handle it. Honestly, I'd probably trust the technical opinions of a Siamese Fighting Fish over that of a Geek Squad member.

Comment Re:Voice messages? (Score 1) 166

Those are for when you are driving and it is so much easier to just leave a VM. Also, when the background noise in the car makes a dictated e-mail look like it was written by a drunk, illiterate wombat.

Comment Re:Maybe the company's not actually doing it? (Score 1, Insightful) 572

It isn't an attack, it is a proxy. The company's node (computer) is configured to use the company's proxy to get out to the Internet. The connection to the end system is between the company's proxy and the end system. The user has no equipment in play.

Where I work (a U.S. Gov't agency), they do this, though they exempt links to known online banking addresses.

Employees are trained annually and sign papers acknowledging they understand what is going on. Don't like it? Don't work here. Or, as most people do, use your own device on a cellular connection and don't use the company's equipment or network.
