Become a fan of Slashdot on Facebook


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Re:News: Not just webservers use OpenSSL! (Score 2) 59

The key thing to note is that the main vulnerability here is through the use of OpenVPN with an affected SSL library. IIRC OpenVPN is only affected when used in "pre shared key" mode instead of using client certificates (which is the recommended way of running things anyway), so there is further mitigation there (but anyone using OpenVPN needs to check they config and confirm that the server end (if using another party for that) has done so too.

There are other parts of DD-WRT that could potentially be a problem too (tor particularly as it runs a listening service) if you have them turned on. See their own advisory for more details:

Comment Re:NSA is so annoyed right now (Score 2) 59

Somebody would have caught the unusual requests.

Not if they were careful about it. Someone with access to credit cards details in mind would get it discovered pretty quickly as they would be poking everywhere as quickly as they could in order to try get information so they could get as much out of the flaw as quickly as they could. This is more likely to be seen as there would be unusual amounts of traffic. But a security agency trying to find a VPN's private key? Where the VPN isn't employing FPS techniques the time you have to perform the attack it pretty long so they could easily have managed some useful penetration with much more subtle traffic, that would just look like background noise. OK so they wouldn't get something nearly as quickly that way, but a good security service plays the long game instead of looking for quick wins. Heck, even a burst of traffic would be written off by many as a random DoS attempt or some fool with a misconfigured client, so someone could have used this maliciously in bulk a few times without raising significant suspicions that would lead people to dig in and find the flaw they were trying to exploit..

This doesn't mean that the NSA did, or that they even knew about the flaw, but it means if they did know about it they certainly could have (and most probably would have) made good use of it without anyone suspecting.

Comment Re:https is dead (Score 2) 151

Your bank can send you their public key.

That is the key problem with schemes that don't involve a CA. A bank will be sending me bits of paper anyway when I open a new account, the better ones will be sending me a fob for two-factor auth too in fact, so sending an extra bit of paper with "this is the fingerprint of our signing key, when your browser asks you to confirm a certificate make sure the signer finger-print matches this one" is no hardship. But what about sites that don't have any other comms channel with their users? How do they prove that they are who they say they are?

There is also the problem of people simply clicking "OK" instead of checking the fingerprint which is what usually happens with SSH. If this is the case all you have assurance of is that the keys have not changed, not that the keys indicate you are definitely talking to the right server directly.

Comment Re:Create a fake Facebook account (Score 1) 384

That's a criminal offense in some jurisdictions.

So is spouting hate or other language people find offensive. Making something illegal does not automatically stop people from doing it, especially without enforcement. What are facebook gonig to do? Ban the acconut? Too late, the posts have already been made. Call the authorities? They likely don't have sufficient evidence and even if they did I doubt any enforcement personage is going to consider it really worth their time. Sue? Certainly not worth the cost of their lawyer's time.

Comment Re:Yes, because moderation is oh so hard to do (Score 3, Interesting) 384

/. is a for-profit business.

Not in the same sense as the examples given by the posts above, from the point of view of the man on the street. /. manages to maintain a certain amount of its "community spirit" so people are willing to put that little bit of effort in, but having navigated through the LA Times paywal people are not going to want to give even that much extra ("I'm paying for this, someone else should be making sure it is worth me paying for" would be a common thought on the matter).

Then again epopel spend time making reviews on Amazon and the like (the good reviews that is: the bad ones are peope with an axe to grind so that isn't quite the same) so perhaps it could work, though they'd still have the problem of the moderation being "off message" and to avoid that they'd be back to paying someone (thsi time paying them to moderate the moderators).

Comment Re:Newsworthy? (Score 1) 102

That works for many thing, but not games with online interaction or access to other online resource. While some will ignore Steam once lanuched and implement their own communication to the outside worlds, some will expect you to reconnect your Steam account before enabling online features (or running at all).

Comment Re:I hope there's an easy social integration disab (Score 2) 365

I don't see a problem here?

If the company has a policy of not permitting social media sites like facebook to be used on-site (because they have geniune security concerns that mean they want strong control on communication from withing the company, or they are just grumpy old fuddy duddies that don't want anyone else to have a good time) then this appearing will be a red flag - it may be decided that the update can not go in until the change has been reviewed by a security team to make sure it does not circumvent their blocks in any way (intentionally or otherwise), that review could be delayed behind a pile of higher priorities, and older versions of firefox pulled from desktops due to not being the latest and therefore possibly not contained all the latest security updates.

Do you know how hard it is, to this very day, to get some companies to take of the blinkers long enough to take half a look at considering anything other than Internet Explorer onto their machines? This could change their minds back.

(yes, I know IE10 is actually said to be pretty decent, many people have already told me, but I'm so bitter about the years of stagnation caused by "classic" IE that I'll not be using it by choice any time soon)

Comment Re:Eh? (Score 1) 193

I grok this to mean that a backdoor exists for customer service ...

If the backdoor existed for customer service reasons, the customer would be told about it rather than HP having to admit it exists only after someone spotted it and went public.

This could mean we can't consider purchasing HP equipment and have to get rid of any we already have - our contracts with some of our clients (banks, a police force or two, and so forth) demand that every one working for our company and any third party that has access to our equipment in any way is fully background checked. If there are accounts on there for which we don't control the credentials then we can not give them assurances that such due diligence clauses are satisfied. While needing network access is a mitigating factor limiting opportunities to abuse this hole, may not satisfy such contract clauses as we need to account for breaks in security elsewhere in our provisions (theft of equipment, unexpectedly clueless or gruntle-less individuals in the DC, ...).

... which can be activated by a customer

TFS doesn't say the user has to activate it, just they they intend to gain permission before using it. This might be by means of it being disabled until the user takes action to allow access, but the wording does not explicitly say that and if it is open aside from proper firewalling and other provisions it might be exploitable by a bad actor with your DC.

Indeed, whatever the case: Please post a not-purposefully-scary summary of the actual problem below, because right now it sounds a whole lot like the not-backdoor that Remote Assistance is under Windows.

The key concern from my PoV is more that it exists but was "hidden", rather than what it actually does. It causes the appropriately paranoid to ask "what else is in there that we do not know about?". While there is an assurance that it does not allow access to data they confirm it allows enough access to be used for DoS purposes and as the feature was not previously documented at all (hidden, to take a more negative spin on "not documented") I would prefer some 3rd party confirmation before taking that statement as any sort of assurance.

Comment Probably a non-issue (Score 1) 251

There are a few reasons more likely than the simply no longer supporting XP at all:

* Perhaps this release changes nothing that is relevant to XP. Perhaps all the changes are in codepaths only touched under DX10 or later which is irrelevant to XP.

* Perhaps the early testing was done on limited systems. OK so it is odd for a platform to be ignored in beta tests, but I perhaps if the expected impact on XP is low or zero (see above) they didn't publically release the alpha for XP and someone forgot to update the release details for the beta.

... to state two.

While XP's market share is dropping rapidly now, there are still plenty of home installs out there - plenty enough that ATI/AMD aren't going to risk creating uproar by not supporting them until the official death date from MS (April next year).

Slashdot Top Deals

"There is no statute of limitations on stupidity." -- Randomly produced by a computer program called Markov3.