It's funny.  Laugh.

Submission + - Music Video Revenge: United Breaks Guitars (youtube.com)

Philip K Dickhead writes: "I almost don't hate country music, after seeing this!
"The Sons of Maxwell" were traveling to Nebraska for a one-week tour and my Taylor guitar was witnessed being thrown by United Airlines baggage handlers in Chicago. I discovered later that the $3500 guitar was severely damaged. They didn't deny the experience occurred but for nine months the various people I communicated with put the responsibility for dealing with the damage on everyone other than themselves and finally said they would do nothing to compensate me for my loss. So I promised the last person to finally say no to compensation (Ms. Irlweg) that I would write and produce three songs about my experience with United Airlines and make videos for each to be viewed online by anyone in the world." Spot the Sarah Palin lookalike, for extra credit."

Medicine

Submission + - Only 7 swine flu deaths, not 152, says WHO (smh.com.au)

Philip K Dickhead writes: "A member of the World Health Organisation (WHO) has dismissed claims that more than 150 people have died from swine flu, saying it has officially recorded only seven deaths around the world. Vivienne Allan said in an interview with Australian Broadcasting that the body had confirmed worldwide there had been just seven deaths — all in Mexico — and 79 confirmed cases of the disease. Ms. Allan, of WHO's patient safety program, stated "Unfortunately that [150-plus deaths] is incorrect information and it does happen, but that's not information that's come from the World Health Organisation. That figure is not a figure that's come from the World Health Organisation and, I repeat, the death toll is seven and they are all from Mexico." Ms Allan said WHO had confirmed 40 cases of swine flu in the Americas, 26 in Mexico, six in Canada, two in Spain, two in Britain and three in New Zealand."

Privacy

Journal SPAM: AT&T Throws Lavish Party for "Blue Dog" Dems: Press Barred 10

Glenn Greenwald from Salon.com tried to cover an event in Denver by AT&T, held to thank Blue Dog Democrats in Congress for their support. "we were told... that the press was barred from the event... inside was a meeting between one of the nation's largest corporations and the numerous members of the most influential elected faction in

Security

Submission + - Flaws in the OpenSSL FIPS Object Module v1.1.1 (blogspot.com)

jmwci1 writes: "A significant flaw in the PRNG implementation for the OpenSSL FIPS Object Module v1.1.1 (certificate #733, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733) has been reported by Geoff Lowe of Secure Computing Corporation. Due to a coding error in the FIPS self-test the auto-seeding never takes place.

That means that the PRNG key and seed used correspond to the last self-test. The FIPS PRNG gets additional seed data only from date-time information, so the generated random data is far more predictable than it should be, especially for the first few calls (CVE-2007-5502).

Note that this PRNG bug is only present in the v1.1.1 implementation and not in the regular OpenSSL product or in the OpenSSL FIPS Object Module v1.2 now undergoing validation testing. Only those applications using v1.1.1 of the OpenSSL FIPS Object Module which enter FIPS mode are affected. Applications which do not enter FIPS mode or which use any other version of OpenSSL are not affected.

Bugs like this in open source software are routinely found and corrected with a patch and/or updated source distribution. In this case two separate patches have been developed by Dr Stephen Henson (steve@openssl.org):

http://www.openssl.org/news/patch-CVE-2007-5502-1.txt

(the simplest direct fix) and:

http://www.openssl.org/news/patch-CVE-2007-5502-2.txt

(a workaround which avoids touching the PRNG code directly). However, for FIPS 140-2 validated software no changes are permitted without prior CMVP approval so neither of these patches can be applied to the v1.1.1 distribution for the purposes of producing a validated module.

We have supplied the information needed for a "letter change" update request based on the latter of these two patches to the CMT Laboratory for their submission to the CMVP. Once (and if) approved the new distribution containing this patch will be posted as

http://openssl.org/source/openssl-fips-1.1.2.tar.gz to replace the current distribution at http://openssl.org/source/openssl-fips-1.1.1.tar.gz.

Note that in addition to this real-world vulnerability there is a separate problem in this same PRNG implementation concerning the FIPS 140-2 continuous self-test, about which we have received multiple reports. The resolution of that problem hinges on interpretation of FIPS 140-2 scripture and we're still working on crafting a fix consistent with the conflicting opinions we've received.

At this point I have no estimate as to when the change letter(s), for either or both fixes, will be approved. From the perspective of those who must deal with events on "Internet time" the CMVP process is glacially slow. In the absence of any realistic expectation of quick results in that regard OSSI has chosen to make this announcement now in the hope of minimizing the disruption for the many products and "private label" validations known to use or be derived from the v1.1.1 validation and currently undergoing FIPS 140-2 validation.

-Steve M.

Steve Marquess
Open Source Software Institute
marquess@oss-institute.org"
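
The failure mode described in the submission above is that the generator keeps running on the fixed key and seed left over from the power-up self-test, with only date-time data mixed in per call. The following is an added illustration, not OpenSSL code and not the X9.31 PRNG the post refers to: a deliberately simple HMAC-based toy generator (assumed names `ToyPrng`, `fips_mode_prng`, `distinct_instantiation_check`) that models "state = key + seed, each call mixes in a timestamp", a switch that reproduces the missing auto-seed, and the kind of startup sanity check a deployer could run to catch it: two independently instantiated generators must never agree on their first outputs. The clock is frozen during the check so timestamp jitter cannot hide a missing reseed.

```python
import hashlib
import hmac
import os
import time

# Constructed constants standing in for the fixed known-answer-test vectors a
# power-up self-test uses by design. The defect in the post is that the module
# kept generating from these instead of re-seeding once the self-test finished.
SELF_TEST_KEY = bytes(16)
SELF_TEST_SEED = bytes(16)


class ToyPrng:
    """Toy HMAC-SHA256 generator (assumed, illustrative design; not the FIPS PRNG).

    State is a key plus a seed; each output mixes in the current date-time and
    a counter, then chains the output back into the seed.
    """

    def __init__(self, key: bytes, seed: bytes, clock=time.time):
        self.key = key
        self.seed = seed
        self.clock = clock
        self.counter = 0

    def generate(self, n: int = 16) -> bytes:
        # Date-time information is the only per-call entropy, as in the post.
        dt = int(self.clock() * 1000).to_bytes(8, "big")
        msg = self.seed + dt + self.counter.to_bytes(4, "big")
        block = hmac.new(self.key, msg, hashlib.sha256).digest()[:n]
        self.counter += 1
        # Feed the output back so successive outputs depend on each other.
        self.seed = hashlib.sha256(self.seed + block).digest()[:16]
        return block


def fips_mode_prng(auto_seed: bool, clock=time.time) -> ToyPrng:
    """Model of entering FIPS mode (assumed, illustrative).

    After the self-test the generator holds the test vectors. With
    auto_seed=True it is then re-keyed from the OS; with auto_seed=False it
    keeps the self-test state, which is the v1.1.1 behaviour described above.
    """
    prng = ToyPrng(SELF_TEST_KEY, SELF_TEST_SEED, clock)  # state after the KAT
    if auto_seed:
        prng.key = os.urandom(16)
        prng.seed = os.urandom(16)
    return prng


def distinct_instantiation_check(factory, clock=time.time, calls: int = 4) -> bool:
    """Startup sanity check: two independent generator instances must not agree.

    `factory(clock)` returns a fresh generator. The clock is frozen at one
    instant so that a generator whose only fresh input is the timestamp cannot
    pass the check by accident. Returns True when all `calls` outputs differ.
    """
    t0 = clock()

    def frozen():
        return t0

    a = factory(frozen)
    b = factory(frozen)
    return all(a.generate() != b.generate() for _ in range(calls))


if __name__ == "__main__":
    ok = distinct_instantiation_check(lambda c: fips_mode_prng(True, c))
    bad = distinct_instantiation_check(lambda c: fips_mode_prng(False, c))
    print("re-seeded generator passes:", ok)        # expected True
    print("self-test-state generator passes:", bad)  # expected False
```

The check is deliberately independent of how the generator is built: it only asks whether two instantiations made under identical external conditions diverge, which is exactly what fails when seeding never happens and the only varying input is the clock.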
