
Comment Re:A shot at Ernst & Young also (Score 2) 71

It's actually "Ernst & Young (Hong Kong)" - i.e. "China" - specifically, rather than Ernst and Young in general, but that caught my eye as well. In fact, there's a lot of things about the write up that imply that Mozilla at least suspects some high level corruption on behalf of multiple actors in this but is just being politic about it, and especially so if you keep in mind what some of WoSign's "errors" might enable in terms of censorship and surveillance.

Comment Re:Are they big enough? (Score 1) 71

Firefox alone, possibly not. However, Mozilla's certificate store is also the one commonly used by NSS on Linux which might not be so big on the web browser front, but that's going to cause a lot of problems for people trying to use any post-revocation WoSign/Startcom certificates to send email through Linux gateways using TLS. Also, while I didn't mention it in the submission since it's far from certain, there's a reason the response is on GoogleDocs; one of the authors (Ryan Sleevi) is a Google employee heavily involved in CA management for Chromium, so it's possibly just a matter of time before Google Chrome drops them as well. Historically on CA trust violations Mozilla, Google and Microsoft have generally all done the same thing in roughly the same timeframe, so if both Mozilla and Google are going to revoke...

Comment Re:It's not that bad. (Score 1) 71

You've read the list of hoops that they'll have to jump through to get re-listed, right? Assuming they survive the suspension to even try and get re-listed that is. The real kicker is that they have to be audited by an agency appointed by Mozilla before that happens, which doesn't seem like something they'd be too keen on at the best of times. If you look at some of the issues Mozilla has with them in the light of the normal modus operandi of the Chinese government, it would seem the chances of them actually requesting to have someone outside their control come along and subject them to an audit is pretty close to zero.

Comment Re:Draconian? (Score 3, Interesting) 71

As the submitter, I pitched it as possibly draconian because they're basically proposing to kill the business of both WoSign and, more critically perhaps, Startcom. It might be presented as a one year timeout but, realistically, what business can survive for an entire year without actually being able to generate any revenue, and even if they survive that long have to jump through some pretty big hoops before they can start operations again - including having Mozilla appoint someone to audit them and their code? There's also the issue of Startcom - until around a year ago they were their own (Israeli) business and a lot of people took advantage of Startcom's free certificates - they were in many ways the forerunner of Let's Encrypt in bringing SSL/TLS to the masses - and those users are going to get at least slightly singed as well.

Anyway, since the story isn't really the place for the writer's opinion and the comments are, for the record I think that WoSign really screwed up, they deserve what they get, and this is a good solution for this and future CA incidents that minimises the fallout on those customers who already have one of their certs. Also, once they finalise this, I think Mozilla's next step should be to write this up as policy and then try and get Google, Microsoft and Apple on board with it as an agreed template for multilaterally handling the inevitable future incidents. The whole root CA system is only as strong as its weakest link, and if it's going to survive as a viable means of establishing trust then when weak links are identified they need to be removed with prejudice as soon as possible - it's not just great power that requires great responsibility; it's trust too.

Submission + - Game over for WoSign and Startcom?

Zocalo writes: Over the last several months Mozilla has been investigating a large number of breaches of what Mozilla deems to be acceptable CA protocols by the Chinese root CA WoSign and their perhaps better known subsidiary StartCom, whose acquisition by WoSign is one of the issues in question. Mozilla has now published their proposed solution (GoogleDocs link), and it's not looking good for WoSign and Startcom. Mozilla's position is that they have lost trust in WoSign and, by association StartCom, with a proposed action to give WoSign and StartCom a "timeout" by distrusting any certificates issued after a date to be determined in the near future for a period of one year, essentially preventing them issuing any certificates that will be trusted by Mozilla. Attempts to circumvent this by back-dating the valid-from date will result in an immediate and permanent revocation of trust, and there are some major actions required to re-establish that trust at the end of the time out as well.

This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe — and potentially business ending — penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period they cannot do so and they will need to go elsewhere — hardly good PR!

What does Slashdot think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?

Submission + - OpenSSL Patches Bug Created by Patch From Last Week

Trailrunner7 writes: Four days after releasing a new version that fixed several security problems, the OpenSSL maintainers have rushed out another version that patches a vulnerability introduced in version 1.1.0a on Sept. 22.

Last week, OpenSSL patched 14 security flaws in various versions of the software, which is the most widely used toolkit for implementing TLS. One of the vulnerabilities fixed in that release was a low-risk bug related to memory allocation in tls_get_message_header.

The problem is, the patch for that vulnerability actually introduced a separate critical bug. The new vulnerability, which is fixed in version 1.1.0b, only affected version 1.1.0a, but it can lead to arbitrary code execution.

Comment Re:Control and management (Score 2) 267

In the specific context of whether the IoT devices under discussion have been rooted or not, abnormal traffic actually does tend to stick out a bit. Legit traffic will generally be restricted to your internal network, plus a selection drawn from the vendor (and possibly a few "partners"), a cloud service operator or two, and a small pool of ISPs/MNOs that are used to access the device remotely, depending on the device type and usage patterns - a finite set of IP ranges that will come up continually. Botnet activity is going to consist of periods of extra high activity to either one fixed address that probably isn't in that pool (e.g. a DDoS of Brian Krebs' website) or periods of extra high activity to lots of IP addresses not in that pool (e.g. co-opted to send spam). You can also draw a pretty firm conclusion that you've been hacked from things like time of day when activity occurs (why is it streaming data all night?), protocols being used (why is my DVR sending lots of email?), and so on.

Not something that a typical user is likely to be able to do, of course, but if you've got a basic grasp of networking fundamentals and can put that together with your knowledge of how you are using the device, then getting a yes/no on whether a device has been compromised from logs isn't that hard to do, even without some baseline data of what's "normal".
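The checks described in this comment can be run over outbound connection logs; the following is an added example, not part of the original comment. The expected-destination pool, ports, quiet hours, thresholds and flow records are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed baseline: the finite pool of networks the devices normally talk to
# (documentation ranges stand in for the vendor cloud) and the ports they use.
EXPECTED_NETS = [ipaddress.ip_network(n)
                 for n in ("192.168.1.0/24", "198.51.100.0/24")]
EXPECTED_PORTS = {53, 123, 443}
QUIET_HOURS = range(1, 6)   # assumed: nobody uses the devices 01:00-05:59
FANOUT_LIMIT = 3            # distinct unknown destinations per device-hour
VOLUME_LIMIT = 1_000_000    # bytes to one unknown destination per hour

# Constructed sample records: (hour, device, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (20, "dvr", "192.168.1.5", 443, 900_000),    # local viewing
    (21, "dvr", "198.51.100.10", 443, 40_000),   # vendor update check
    (3, "dvr", "203.0.113.7", 25, 12_000),       # a DVR sending mail at night
    (3, "dvr", "203.0.113.8", 25, 11_000),
    (3, "dvr", "203.0.113.9", 25, 13_000),
    (3, "dvr", "203.0.113.10", 25, 12_500),
    (14, "cam", "192.0.2.80", 443, 5_000_000),   # burst to one outside host
    (19, "tv", "198.51.100.20", 443, 2_000_000), # heavy but inside the pool
]

def in_pool(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETS)

def analyse(flows):
    findings = defaultdict(set)
    peers = defaultdict(set)    # (device, hour) -> unknown destinations
    volume = defaultdict(int)   # (device, hour, dst) -> bytes sent
    for hour, dev, dst, port, nbytes in flows:
        if port not in EXPECTED_PORTS:
            findings[dev].add(f"unexpected port {port}")
        if in_pool(dst):
            continue            # volume alone is not suspicious inside the pool
        peers[(dev, hour)].add(dst)
        volume[(dev, hour, dst)] += nbytes
        if hour in QUIET_HOURS:
            findings[dev].add("outside traffic in quiet hours")
    for (dev, _), dsts in peers.items():
        if len(dsts) > FANOUT_LIMIT:
            findings[dev].add("many unknown destinations")
    for (dev, _, dst), total in volume.items():
        if total > VOLUME_LIMIT:
            findings[dev].add(f"high volume to {dst}")
    return {dev: sorted(f) for dev, f in findings.items()}

if __name__ == "__main__":
    for dev, f in analyse(SAMPLE_FLOWS).items():
        print(dev, f)
```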

Submission + - Should we bring extinct species back from the dead?

sciencehabit writes: For decades the notion of “de-extinction” hovered on the scientific fringes, but new advances in genetic engineering, especially the CRISPR-Cas9 revolution, have researchers believing that it’s time to start thinking seriously about which animals we might be able to bring back, and which ones would do the most good for the ecosystems they left behind. Science Magazine explores why and how we might do this, which animals might be first, and the big risks involved.

Comment Re:How do you know? (Score 3) 267

these days a lot of equipment ships with unique random passwords

True, but more often than not it's derived from the MAC address (probably programmatically on boot with a defaulted config so they don't have to program each device in the factory) which is an absolutely horrible idea for WiFi enabled devices. If a (l)user sees an apparently random string of hex, conveniently also printed onto a sticker on the box so they don't have to remember it, it's a pretty safe bet that they are going to think it's secure and, quite possibly, not something they should change because that sticker looks important. Not a major problem for someone connecting over the Internet (although if they can ID the device make/model, they've got the OID and hugely reduced the brute force effort), but a serious issue if someone happens to be coming in over your WiFi and can connect directly.

ALWAYS change your default password, and the username too, if it'll let you.

Submission + - Switzerland Votes For Legal State Surveillance In Referendum

Mickeycaskill writes: Secret service agents are able to legally hack computers in Switzerland after the country voted for a law that allowed them to do so in order to prevent terrorist attacks.

Switzerland practices ‘direct democracy’, a model which allows citizens to propose a referendum to be held on any law.

Two thirds of voters came out in favour of the law despite critics' warnings that it could lead to arbitrary surveillance. It is likely this was galvanized by the spate of terrorist attacks that have occurred in Europe this year.

“It gives Switzerland modern tools to respond to current threats,” Defence Minister Guy Parmelin said.

Comment Re:Control and management (Score 4, Informative) 267

Pretty much this, and given how bad many IoT devices are, even if you do change the passwords, etc., it's safer to just assume that they already have been compromised, or that they will be. Since we're talking retrospectively here, set up some connection logging on your outbound router. See if there's anything in the logs that's not what you were expecting, bearing in mind that they'll almost certainly be phoning home to "check for updates" and "backup your data to the cloud" (AKA "monetize your data"). Done. A better approach would have been to be more proactive (because the typical SoHo router vendor sure as hell won't be); as a minimum lock down anything you don't need, put all the IoT type devices on a dedicated network away from the stuff that matters, and configure the router to send an alert when anything anomalous happens. Bonus points for things like implementing BCP38 locally so even when you are compromised you've at least tried to minimise the damage, enabling syslog and actually monitoring the output, and other basic security principles.

Submission + - Ask Slashdot: How to determine if your IOT device is part of a botnet?

galgon writes: There have been a number of stories of IoT devices becoming part of Botnets and being used in DDOS Attacks. If these devices are seemingly working correctly to the user how would they ever know the device was compromised? Is there anything the average user can do to detect when they have a misbehaving device on their network?

Submission + - New formula massively reduces prime number memory requirements.

grcumb writes: Peruvian mathematician Harald Helfgott made his mark on the history of mathematics by solving Goldbach's Weak Conjecture, which states that every odd number greater than 5 can be expressed as the sum of three prime numbers. Now, according to Scientific American, he's found a better solution to the Sieve of Eratosthenes:

In order to determine with this sieve all primes between 1 and 100, for example, one has to write down the list of numbers in numerical order and start crossing them out in a certain order: first, the multiples of 2 (except the 2); then, the multiples of 3, except the 3; and so on, starting by the next number that had not been crossed out. The numbers that survive this procedure will be the primes. The method can be formulated as an algorithm.

But now, Helfgott has found a method to drastically reduce the amount of RAM required to run the algorithm:

Helfgott was able to modify the sieve of Eratosthenes to work with less physical memory space. In mathematical terms: instead of needing a space N, now it is enough to have the cube root of N.

So what will be the impact of this? Will we see cheaper, lower-power encryption devices? Or maybe quicker cracking times in brute force attacks?

Comment Re:Slime-balls (Score 0) 289

Excellent point and well made. People who are coming out saying the drone operators are perfectly fine obviously haven't thought more than six inches in front of their face. Short-sighted idiots, they can't envision a situation because they refuse to think about it from the "how could a bad guy misuse this" perspective.

Comment Re: Rule of thumb (Score 2) 289

It is just kids having fun.

I wonder how you'd feel if someone parked a drone over your back yard with a camera watching your comings and goings, what time you went to bed and woke up, what kind of property you leave out, who visits your house and when, how many kids you have and what ages they are, and so forth. That's just the tip of the iceberg. Someone WILL eventually do that, most likely a LOT of someones, because there are some fucked up people in this world. A law that says it's perfectly alright for someone to fly a drone in close proximity to your home would enable this exact behavior.

And please don't go with the "so what, I have nothing to hide" defense. Even if you didn't mind a private citizen doing it, I'm willing to bet you'd be out of your mind upset if the government did it. If it's not good for one to be doing it, it's not good for either to be doing it.
