
Submission + - Heartbleed Sparks 'Responsible' Disclosure Debate

bennyboy64 writes: IT security industry experts are beginning to turn on Google and OpenSSL, questioning whether the Heartbleed bug was disclosed "responsibly". A number of selective leaks to Facebook, Akamai and CloudFlare occurred prior to disclosure on April 7. A separate, informal pre-notification program run by Red Hat on behalf of OpenSSL to Linux and Unix operating system distributions also occurred. But router manufacturers and VPN appliance makers Cisco and Juniper had no heads up. Nor did large web entities such as Amazon Web Services, Twitter, Yahoo, Tumblr and GoDaddy, just to name a few. The Sydney Morning Herald has spoken to many people who think Google should've told OpenSSL as soon as it uncovered the critical OpenSSL bug in March, and not as late as it did on April 1. The National Cyber Security Centre Finland (NCSC-FI), which reported the bug to OpenSSL after Google, on April 7, spurring the rushed public disclosure by OpenSSL, also thinks it was handled incorrectly. Jussi Eronen, of NCSC-FI, said Heartbleed should have continued to remain a secret and be shared only in security circles when OpenSSL received a second bug report from the Finnish cyber security centre that it was passing on from security testing firm Codenomicon. "This would have minimised the exposure to the vulnerability for end users," Mr Eronen said, adding that "many websites would already have patched" by the time it was made public if this procedure was followed.

Submission + - Heartbleed Disclosure Timeline Revealed

bennyboy64 writes: Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get to the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 2. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7, a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't get a heads up, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL and they freaked out and decided to tell the world about it.

Submission + - How Aussie Uni Creates World's Best Hackers (smh.com.au)

bennyboy64 writes: An Australian university appears to be excelling at cultivating some of Australia's best computer hackers. Following the University of NSW's students recently placing first, second and third in a hacking war game (the first place winners also won first place last year), The Sydney Morning Herald reports on what exactly about the NSW institution is breeding some of Australia's best hackers. It finds that a lecturer and mentor to the students with controversial views on responsible disclosure appears to be the reason for their success.

Submission + - Aussie Student Responsible For Twitter Exploit

bennyboy64 writes: An Australian teen has caused havoc on Twitter by discovering an exploit that hit thousands of users, including Barack Obama's press secretary, and resulted in the tweets of a former British PM's wife linking to hardcore porn, The Sydney Morning Herald reports. Pearce Delphin, who is studying his last year at high school, said that he was surprised that "so many famous people got infected".

Submission + - Aussie Lasers Stop Satellite Collisions, Death (zdnet.com.au)

bennyboy64 writes: An Australian company is developing a laser tracking system that will help prevent collisions between satellites and space debris, ZDNet reports. "The trouble is it's [debris] in orbit and travelling at orbital speeds, which means that it is travelling at about 30,000 kilometres an hour," said the CEO of the Australian company. "If even a tiny little piece runs into a satellite it'll destroy it or punch a hole through a person if they're out there space walking."

Submission + - US Shows Interest In Zombie Quarantine Code (zdnet.com.au)

bennyboy64 writes: Barack Obama's cyber-security coordinator has shown interest in an e-security code of practice developed in Australia that aims to quarantine internet users infected by malware, also known as zombie computers. He reportedly said it would be a useful role model for the US to adopt. One suggestion within the code is to put infected users into a 'walled garden', which limits internet access to prevent further security problems until quarantined. Another is to throttle the speed of an infected user's internet connection until their computer is fixed. The code is also being considered by other Asia-Pacific countries, ZDNet reports.

Submission + - Inside Australia's Data Retention Proposal (zdnet.com.au)

bennyboy64 writes: New details have emerged on Australia's attempt at getting a data retention regime into place, with meeting notes taken by industry showing exactly what has been proposed. In a nutshell, the Australian Government wants internet service providers to keep anything and everything they have the ability to log and retain for two years 'at this stage'.

Submission + - IBM Security Conference USB Infected With Malware

bennyboy64 writes: IBM has sent out an email to all attendees to the Australian Computer Emergency Response Team (AusCERT) 2010 conference this afternoon, warning them that some of the USB drives handed out to delegates contained malware. Telecommunications company Telstra distributed malware-infected USB drives at the conference in 2008. It appears history has repeated itself.

Submission + - Women in Oz Fight Over 'Geekgirl' Trademark (zdnet.com.au)

bennyboy64 writes: Two prominent women in the Australian IT industry are in a bitter dispute over the ownership of the trademark 'geekgirl'. A woman attempting to use 'geekgirl' on Twitter told ZDNet women had been advised by the trademark owner to stop doing so since she owned the trademark for the word. 'She noted her trademark and asked me to stop calling myself a 'geekgirl' in general conversation and to cease using the hashtag '#geekgirl' on Twitter,' IT consultant Kate Carruthers said.

Submission + - Mobile 'Remote Wipe' Thwarts Secret Service (zdnet.com.au)

bennyboy64 writes: Smartphones that offer the ability to 'remote wipe' are great for when your device goes missing and you want to delete your data so that someone else can't look at it, but not so great for the United States Secret Service, ZDNet reports. The ability to 'remote wipe' some smartphones such as BlackBerry and iPhone was causing havoc for law enforcement agencies, according to USSS special agent Andy Kearns, speaking on mobile phone forensics at a security conference in Australia.

Submission + - In AU, Court Rules Downloaded Software Not "goods" (zdnet.com.au)

bennyboy64 writes: A court decision ruling that the supply of software through a digital download mechanism is not a supply of 'goods' has been upheld in the Supreme Court of New South Wales (NSW) in Australia, setting a precedent that software downloaded via the internet is not protected by the Sale of Goods Act, reports ZDNet. It's a court decision that lawyer Patrick Gunning said attorneys had been waiting to have clarified for some time. What this meant was that "people who purchase software will have more legal rights if they buy over the counter rather than downloading", Gunning said.

Submission + - McAfee Retracts Bug Damage Estimate (zdnet.com.au)

bennyboy64 writes: McAfee has changed its official response on how many enterprise customers were affected by a bug that caused havoc on computers globally. It originally stated it affected 'less than half of 1 per cent' of enterprise customers. Today McAfee's blog states it was a 'small percentage' of enterprise customers. ZDNet is running a poll and opinion piece on whether McAfee should compensate customers. ZDNet notes a supermarket giant in Australia that had to close down its stores as they were affected by the bug, causing thousands of dollars to be lost.

Submission + - Serious Apache exploit discovered (zdnet.com.au)

bennyboy64 writes: An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit.

Submission + - AU Govt Wants ISPs To Sort Out Illegal Downloads (zdnet.com.au)

bennyboy64 writes: Australia's Minister for Communications wants internet providers and the film industry to sit down and work out a solution to stop illegal movie downloads, despite a judge ruling in favor of an internet provider not being responsible for policing illegal downloads. The film studios first dragged internet provider iiNet into the Federal Court back in November 2008, arguing that the ISP infringed copyright by failing to take reasonable steps, including enforcing its own terms and conditions, to prevent customers from copying films and TV shows over its network.
