
Comment It's called a DeWitt clause (Score 2) 373

Contract clauses that forbid benchmark publication (unless the vendor likes them) are called DeWitt clauses. The clause was originally created to squelch database research being performed by Dr. David DeWitt. These should be illegal, but Oracle certainly rigorously enforces them. There was a law passed in 2016 that prevented similar problems for Yelp, but DeWitt clauses haven't been struck down yet (and should be). See my post, "The DeWitt clause’s censorship should be illegal" by David A. Wheeler (2017-06-25): https://www.dwheeler.com/essay...

Comment No, that amendment died in conference (Score 5, Informative) 99

Won't happen, that amendment died in the conference reconciliation. The merged version does have an open source software pilot, but that's it: Section 875: (a) DoD shall “initiate the open source software pilot program” (b) NLT 60 days enactment of this Act, the SECDEF shall “provide a report to Congress with details of the plan of the Department of Defense to implement the pilot program required by subsection (a).”

Comment #1 problem: Lack of education (Score 1) 335

The #1 problem is lack of education. A large number of software developers have had no formal training in software development. Almost all who HAVE had formal education don't receive any education or training in how to develop SECURE software.

I teach a graduate course at George Mason University (GMU) on how to design and implement secure software. So there are people who are learning, but there are many more to go.

For the most part, countering the OWASP top 10 doesn't cost more, so cost has nothing to do with it. At the high end of security requirements it definitely costs more, but stuff like parameterized statements (countering SQL injection) and using web frameworks that automatically counter XSS injection don't cost any more.
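The two "free" countermeasures named above, parameterized statements and output escaping, side by side in an added example (this is illustrative code written for this page, not the author's course material). It builds a constructed in-memory SQLite table, runs the same lookup once with string concatenation and once with a bound parameter, and shows the output-escaping step that a template engine performs automatically; the sample users and the crafted input are made up.

```python
"""Parameterized statements and output escaping, as an added example."""
import html
import sqlite3

# Constructed sample data; not from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The defect: caller-supplied text is spliced into the SQL grammar."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a placeholder makes the driver bind `name` as a value only."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name: str) -> str:
    """What an auto-escaping web framework does on output: HTML-encode
    untrusted text so it is shown as text rather than parsed as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    """Run both lookups on a benign name and on a quote-closing input."""
    conn = make_db()
    benign = "alice"
    crafted = "' OR '1'='1"  # constructed input that closes the quote
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),   # 1 row
        "unsafe_crafted": len(lookup_unsafe(conn, crafted)), # every row
        "safe_benign": len(lookup_safe(conn, benign)),       # 1 row
        "safe_crafted": len(lookup_safe(conn, crafted)),     # 0 rows
        "escaped": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version costs nothing extra: the SQL text is a constant, the placeholder count is fixed, and the driver never has to re-parse user data as code. The same reasoning applies to templating: escaping on output is the default in mainstream web frameworks, so the "secure" form is also the shorter one.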

Comment This is about third party software, not esp. OSS (Score 1) 132

This isn't about open source software, or "compliance" regarding open source software. This is about failing to do timely security updates of reused third-party software. It doesn't matter if it's open source software or not. If you use third-party software, you need to update that software when a security update happens, and you have to do it BEFORE an attacker exploits it. This has been necessary for decades. Haven't you ever updated an operating system because a vulnerability was found in it? Of course you have. If you reuse software, and you embed it in something you use or deploy, then you need to update when the reused software has a security vulnerability. One advantage of open source software today is that there are tools that make it easier to monitor and update. But you still have to be prepared for security updates. You can do this by monitoring updates, using package managers to let you easily update, having automated tests so you can verify that the update is okay, and by having a deployment system so you can send out your update. All of this is available. Check out this video for an example: https://www.youtube.com/watch?... . If you don't keep your software patched in a timely way, you get p0wned. That's how it works. That's ALWAYS been how it works.

Comment E-mail is not that hard to define (Score 1) 127

"E-mail" is not a hard term to define. It's just "electronic mail". You can split email into "local on one computer" and "distributed across a network", since those were created separately, but it really isn't that complicated. There really is something called "truth", it'd be nice to acknowledge that sometimes.

Comment Re:Malignant narcissist upset, news at 11. (Score 1) 760

Nazi Germany was not a "Christian nation". Nazi leaders like Joseph Goebbels, Martin Bormann, and Heinrich Himmler saw the Kirchenkampf campaign against the Churches as high priority, and anti-church and anticlerical sentiments were strong among the grassroots party activists. The Nazi propaganda minister, Joseph Goebbels, said that there was "an insoluble opposition between the Christian and a heroic-German world view". Hitler's chosen deputy, Martin Bormann, advised Nazi officials in 1941 that "National Socialism and Christianity are irreconcilable."
Earth

Scientists Finally Turn Hydrogen Into a Metal, Ending an 80-Year Quest (arstechnica.com) 334

An anonymous reader quotes a report from Ars Technica: In 1935, scientists predicted that the simplest element, hydrogen, could also become metallic under pressure, and they calculated that it would take 25 GigaPascals to force this transition (each Gigapascal is about 10,000 atmospheres of pressure). That estimate, in the words of the people who have finally made metallic hydrogen, "was way off." It took until last year for us to reach pressures where the normal form of hydrogen started breaking down into individual atoms -- at 380 GigaPascals. Now, a pair of Harvard researchers has upped the pressure quite a bit more, and they have finally made hydrogen into a metal. All of these high-pressure studies rely on what are called diamond anvils. This hardware places small samples between two diamonds, which are hard enough to stand up to extreme pressure. As the diamonds are forced together, the pressure keeps going up. Current calculations suggested that metallic hydrogen might require just a slight boost in pressure from the earlier work, at pressures as low as 400 GigaPascals. But the researchers behind the new work, Ranga Dias and Isaac Silvera, discovered it needed quite a bit more than that. In making that discovery, they also came to a separate realization: normal diamonds weren't up to the task. "Diamond failure," they note, "is the principal limitation for achieving the required pressures to observe SMH," where SMH means "solid metallic hydrogen" rather than "shaking my head." The team came up with some ideas about what might be causing the diamonds to fail and corrected them. One possibility was surface defects, so they etched all diamonds down by five microns to eliminate these. Another problem may be that hydrogen under pressure could be forced into the diamond itself, weakening it. So they cooled the hydrogen to slow diffusion and added material to the anvil that absorbed free hydrogen. 
Shining lasers through the diamond seemed to trigger failures, so they switched to other sources of light to probe the sample. After loading the sample and cranking up the pressure (literally -- they turned a handcrank), they witnessed hydrogen's breakdown at high pressure, which converted it from a clear sample to a black substance, as had been described previously. But then, somewhere between 465 and 495 GigaPascals, the sample turned reflective, a key feature of metals. The study has been published in the journal Science.

Comment Huh? Most are software exploits (Score 1) 57

Their argument mostly disproves their claim. I agree that security is much more than eliminating software exploits, but at least 3 of their "top" 5 examples ARE software exploits (because of either a fault in the implementation or in its spec).

1. abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks. The software should prevent bad passwords by default, but for the sake of argument I'll grant them that one.
2. broadcast name resolution poisoning (like WPAD) -- 64%. That's a software exploit. If your protocol is vulnerable to poisoning, your protocol has a problem.
3. local admin password attacks (pass-the-hash attacks) -- 61%. Software exploit. Hashes are supposed to *not* be equivalent to the password they were derived from. This is a well-known software exploit.
4. attacks on cleartext passwords in memory (like those using Mimikatz) -- 59%. If an untrusted program can see cleartext passwords in memory, there's a software exploit; they're not supposed to do that.
5. insufficient network segmentation -- 52%. Okay, that's not a software exploit.

So #5 is not a software exploit, #1 is arguably not a software exploit (though it suggests a software problem), and the rest (#2, #3, #4) are software exploits (there's a software vulnerability in the protocol or its implementation). I would agree with them that security is much more than software, but software has an important role to play. The *REASON* that #2, #3, and #4 are problems is because people weren't paying enough attention to security.

Comment Re: This is not Open Source.. (Score 1) 61

You mean "unlimited rights" not "unlimited use rights". Once the government has unlimited rights it can release the software as open source software. For more details, see my paper "Publicly Releasing Open Source Software Developed for the U.S. Government" by David A. Wheeler, Software Tech News, Volume: 14 Number: 1 - DoD and Open Source Software. https://www.csiac.org/journal-...

Comment 'Open Source Software' has reasonable definition (Score 1) 61

I don't think that "open source software" has been significantly redefined. Here's the definition of Open Source Software in this memo: "Software that can be accessed, used, modified, and shared by anyone. OSS is often distributed under licenses that comply with the definition of "Open Source" provided by the Open Source Initiative (https://opensource.org/osd) and/or that meet the definition of "Free Software" provided by the Free Software Foundation (https://www.gnu.org/philosophy/free-sw.html)." That's a little laxer than I'd prefer, but it seems reasonable enough.
