Posts by Tomato42

460 posts • joined 31 May 2011


Batten down the hatches! OpenSSL preps fix for high impact vuln

Tomato42
Bronze badge
Stop

All software has bugs. Software that is highly scrutinized will turn up a lot of bugs.

It would be far more worrying if, after Heartbleed, we weren't getting a semi-constant stream of security fixes for the library.

14
1

Microsoft's Windows 10 nagware storms live TV weather forecast

Tomato42
Bronze badge
Facepalm

Re: That's why you should always avoid complexity

Here, have a rock, it has all your computing needs covered.

2
6
Tomato42
Bronze badge
Linux

Re: GWX Control Panel might help here

> There are reasons not to?

you may need Win 7 for the occasional application that doesn't have a Linux native version or doesn't work in Wine

17
1
Tomato42
Bronze badge
Stop

Re: Do what I've done

at least Linux problems don't require an army of people hunting all the updates that normal people do not want, and even with that the little buggers get through

while if you install Gnome Classic desktop, you won't see TIKFAM forced on you next restart after update

26
5

Mozilla slings Firefox patches at flaw found by GCHQ's infosec arm

Tomato42
Bronze badge
Angel

what? GCHQ donating patches to open source projects used by millions of people. US Congress unanimously voting in a bill requiring warrants for accessing email, photos and all other documents stored in cloud.

Did I wake up in an opposite world today?

6
1

MoD contractor hacked, 831 members of defence community exposed

Tomato42
Bronze badge
Trollface

"Cyber"

No wonder they were hacked to death. They are experts in "cyber hacking", while they were brought down by garden-variety "computer security" shortcomings.

0
0

Ten years in the clink, file-sharing monsters! (If UK govt gets its way)

Tomato42
Bronze badge
Facepalm

> then _also_ proving who knew what.

ah, right, because the ignorance of the law does not protect proles, but does protect the inner party

Manslaughter and paedophilia, crimes that cause real, long lasting harm to very specific people have less severe penalties than this new law.

Piracy hurts only big fish in distribution, don't even try to give me the shit that it hurts artists. Artists get peanuts from MAFIAA for their work. (not to mention that there are hundreds of artists that release their work for free - ever heard of The Martian? the ebook was released for free)

so, please, have some effing perspective

3
3

Not OK, Google! FTC urged to thrust antitrust probe into Android

Tomato42
Bronze badge

Re: Consumer Watchdog...

@Michael Habel: well, they could rule that it's illegal for Google to require an "all or nothing" approach to the Play store. And rule that Google can't revoke a phone manufacturer's access to the Play store just because they released a device with CyanogenMod preinstalled.

2
1

FBI's PRISM slurping is 'unconstitutional' – and America's secret spy court is OK with that

Tomato42
Bronze badge
Big Brother

Re: WHAT Constitution?

well Oceania, pardon, USA, has always been "at war". Just look at the homicide rates, it's a literal war zone.

3
1

NYPD anti-crypto Twitter campaign goes about as well as you'd expect

Tomato42
Bronze badge
Thumb Down

@Dan 55: yes, and it's a better place than we would be otherwise.

Even though we dropped it, there still are multiple exploits related to this broken "crypto" getting, well, broken. Look up: FREAK attack, DROWN attack, in part also LOGJAM attack. All because software had support for export crypto.

5
0

Intel literally decimates workforce: 12,000 will be axed, CFO shifts to sales

Tomato42
Bronze badge

Re: Wonder what this kind of news means for AMD

Remember that AMD is selling both processors and GPUs for all the consoles.

12
0

Belgian boffins breed 'digital canaries' to test your random numbers

Tomato42
Bronze badge
Boffin

Re: Uh ... harmonic discordance here ...

I don't think the idea was to expose these numbers anywhere near end user code, and rather to have two modules - one HWRNG and one verifier. This way you can have an independently designed RNG and the thing that performs the runtime checking.

This is a rather good idea, as we know how to design whitening functions that pass all statistical checks on the output while being fed no entropy at all. In other words, an RNG passing statistical tests doesn't mean it's a good RNG, it just means it's not horribly broken.

9
0

Linux command line mistake 'nukes web boss's biz'

Tomato42
Bronze badge
Facepalm

Re: It's Friday

can't believe that anyone is stupid enough to make servers _push_ data to backup servers instead of the backup server pulling the data from the server.

Not only a troll but a stupid one at that.

1
0

You won't believe this, but… nothing useful found on Farook iPhone

Tomato42
Bronze badge
Facepalm

what? no latent cyber pathogens?! inconceivable!

this whole ordeal was pathetic on USGov part...

17
1

Flying Spaghetti Monster is not God, rules mortal judge

Tomato42
Bronze badge
Angel

Re: Theological Canons

example? The whole "666" thing referred to the contemporary Caesar Nero, with many scribes knowing the "joke" better than being able to read, and transcribing it as "616" instead.

1
3
Tomato42
Bronze badge
Facepalm

Re: HERESY!!!!

Exactly! What next?! That the religious texts weren't written by human hands with the guidance (inspiration) of His Noodly Appendage?

Seriously, all religions were created by humans; if "being created" is the disqualifying property, I want to see Christianity and Judaism next on the table.

58
5

Look who's here to solve the Internet of Things' security nightmare – hey, it's Uncle Sam

Tomato42
Bronze badge
Unhappy

Re: Strict liability would help

the problem is that "reasonable lifetime" for them is a year tops, after all the PHB responsible would have changed department at least twice by that time

also, the vulnerabilities should be fixed no later than 6 months after they get to know about them, not after the public does

0
0

Read America's insane draft crypto-borking law that no one's willing to admit they wrote

Tomato42
Bronze badge

Re: You learn something new every day

To be honest, Bush wasn't so bad. He was stupid, but it was the stupid we knew. It was predictable.

Trump is a complete wild card.

1
0
Tomato42
Bronze badge
FAIL

or if you have any text written in Linear A

2
0
Tomato42
Bronze badge
Facepalm

Re: If Stupidity Were a Crime

don't worry, a bill legislating that pi is equal to exactly 3 is in the pipeline, no one has the time for all this .1415... rubbish!

2
0

Euro Patent Office board to hold emergency meeting

Tomato42
Bronze badge
Facepalm

Re: Must have filled in the wrong form

EPO is not legally bound to the EU in any way

oh, and the "straight bananas law"? also untrue

0
0

How do you build a cheap iPhone? Use a lot of old parts

Tomato42
Bronze badge

Re: Media Praise

Given that all flagships (bar Sony Xperia Compacts) are phablets now, the SE form factor indeed makes it a "small" phone. Not Nokia 2330 classic small, but "smartphone small" still.

5
0

Ever wondered what the worst TV show in the world would be? Apple just commissioned it

Tomato42
Bronze badge
Unhappy

Re: yep

@Destroy All Monsters: That's some industrial-grade optimism right there. With the way things are going, surviving till the second half of the century will be a serious achievement.

1
2

How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

Tomato42
Bronze badge
FAIL

Re: Thames

Red Hat does this little thing called "review" and "Quality Assurance" before the code goes anywhere near the release process, let alone signing and publishing in the repository.

As does any other half-decent Linux distribution. Hell, even Apple and Google do at least a cursory review of the fart apps they ship through their package managers.

While anyone can publish anything on sites like PyPI, NPM, RubyGems... Admins/Moderators/Owners of those simply Don't Care™

5
0

Labour: We want the Snoopers' Charter because of Snowden

Tomato42
Bronze badge
Big Brother

Re: You can see what they're aiming at

@ Voland's right hand: if that ever stopped politicos

they just need to look at Hungary and Poland for "inspiration"

2
0

Docker may be the dumbest thing you do today

Tomato42
Bronze badge
Coffee/keyboard

Re: have a CoW man

"Linux decline"

you, sir, owe me a keyboard, but a good laugh is what I needed this Friday

2
0

Hardcoded god-mode code found in RSA 2016 badge-scanning app

Tomato42
Bronze badge
Boffin

Re: More likely to be found out

this problem was solved years ago: don't store passwords in plaintext, store them after hashing; preferably with something standard like scrypt or PBKDF2 with a large number of rounds

1
0

Bruce Schneier: We're sleepwalking towards digital disaster and are too dumb to stop

Tomato42
Bronze badge
Boffin

Re: UL

because if you extend accounting auditors' jobs to checking if IT procedures are followed, you get the DigiNotar breach

electronics and software are sufficiently far apart that they shouldn't be under the same certification program

0
1

'Boss, I've got a bug fix: Nuke the whole thing from orbit, rewrite it all'

Tomato42
Bronze badge
Trollface

Re: Beastly, Just Beastly

yeah, you go rewrite the kernel in C++, just don't be surprised when you have two problems on your hands then

1
0

ICO fined cold-call firm £350k – so directors put it into liquidation

Tomato42
Bronze badge
Devil

Re: "lay down a marker"

yeah, liquefying him would show a nice precedent

no, not a typo

2
0

Awoogah – brown alert: OpenSSL preps 'high severity' security fixes

Tomato42
Bronze badge
Boffin

Re: Oops!

*cough*CVE-2014-6321*cough*

all software is buggy; because OpenSSL is used by huge numbers of servers and is at the centre of many security systems, it is in the spotlight of all the researchers - for good reason, as it is also in the spotlight of the crooks

1
0

Metel malware pops bank, triggers 15 percent swing in Russian Ruble

Tomato42
Bronze badge
Boffin

Re: Seems like banks are going to have to beef up at last

And Windows machines suffered from something even more catastrophic in TLS: CVE-2014-6321 (by some branded "Winshock")

Linux may or may not have fewer security-critical bugs than Windows.

But applications on Linux definitely have access (and more often than not, actually use) many more technologies for limiting the damage from those bugs; SELinux, ASLR, FORTIFY_SOURCE, stack protector, and so on.

5
2

OpenSSL patch quashes rare HTTPS nasty, shores up crypto chops

Tomato42
Bronze badge
Stop

Re: I'll ask the question...

notepad.exe is also not vulnerable to the OpenSSL bugs, that doesn't make it a particularly useful crypto library

(LibreSSL guys aim to not support even a tenth of the features that OpenSSL supports - anything outside very simple web hosting is "out of scope" for them)

0
1

Safe Harbor 2.0: US-Europe talks on privacy go down to the wire

Tomato42
Bronze badge
Unhappy

Re: @skelband

thing is, no other government spends even a tenth as much money on spies as the US does

also, very few governments are as jingoistic as the US one (it's a single developed country like that) and as such are more interested in spying on their own citizens and foreign diplomats, not the whole world and the dog

I can at least pretend that I can do something about it in my own country, I can do jack shit about what the US does

finally, a defence of the form "but he's also been hitting me" is applicable in a sandbox, when you're 6 years old, not for a nation aspiring to the label of "superpower"

7
0

Terrible infections, bad practices, unclean kit – welcome to hospital IT

Tomato42
Bronze badge
Stop

Re: This does not compute

if you had a severe latex allergy you'd be singing a different tune

3
0

Bigger than Safe Harbor: Microsoft prez vows to take down US gov in data protection lawsuit

Tomato42
Bronze badge
Big Brother

Methinks that this Citizen will have to move a bit more taxable income back to the Republic before his case will be heard...

well, at least they have a chance, unlike us, little folk

2
0

Devs complain GitHub's become slow to fix bugs, is easily gamed

Tomato42
Bronze badge

People pay for hosting their private repos on github because their open source repos are already on github. If the OSS moves elsewhere, the paying customers will too.

1
0

Evil OpenSSH servers can steal your private login keys to other systems – patch now

Tomato42
Bronze badge
Happy

Re: Password [algorithim] strength

PuTTY is almost certainly not vulnerable - the bug is in a feature that was implemented just on the client side and never implemented on the server side - dead code essentially. There was no reason for PuTTY to ever implement it.

1
0
Tomato42
Bronze badge
Flame

Re: W.T.F.?

Remember, those are the guys who say how much better OpenSSL will be, in the form of LibreSSL, when they are done with it...

0
3

What's going on with X.org? Desktop software body could lose domain

Tomato42
Bronze badge
Flame

Re: No big deal, just add it to the long list of X.org fck ups

> Furthermore, it would appear that the concerns about X are not so much about its basic design

They are about its basic design. For one, there is no way to version X11 extensions, so if you want XInput 1.0 and XInput 2.0 applications side by side, one of them (at random) simply won't work.

The API is synchronous where it doesn't need to be. The X server includes its own ELF and a.out executable interpreters, independent of the kernel and libc. The whole window model is close to the braindeadness reached only by the likes of ASN.1, etc.

And don't get me started on the X11 security model...

It's a train wreck that was put on rails again with a lot of chewing gum, duct tape and chicken wire. It works only because everybody that interacts with it directly is tiptoeing around any hairy stuff.

2
0
Tomato42
Bronze badge
Boffin

Re: No big deal, just add it to the long list of X.org fck ups

  • displays with differing DPI
  • Combined display horizontal (or vertical) size above 32768 pixels
  • Sane multitouch support
  • vsync that works, consistently

just a few things that are in Wayland but are physically impossible to do in X11 without breaking backwards compatibility completely (you know, writing something like Wayland)

4
0
Tomato42
Bronze badge
Joke

Re: Is everyone braced?

[as they say... it's hip to be square]

4
0

How long is your password? HTTPS Bicycle attack reveals that and more

Tomato42
Bronze badge
FAIL

It is also mentioned in RFC 2246, but who cares!

TLS is pixie dust that you just sprinkle over your servers and magically everything becomes secure. /s

2
0
Tomato42
Bronze badge
Facepalm

Re: Not exactly a new idea surely

quote from the TLS v1.0 definition, published in 1999:

> Any protocol designed for use over TLS must be carefully designed to deal with all possible attacks against it. Note that because the type and length of a record are not protected by encryption, care should be take to minimize the value of traffic analysis of these values.

I think we can expect analysis of ROT13 from them, and their "shocking" conclusion that it is not secure.

1
0

Trend Micro: Internet scum grab Let's Encrypt certs to shield malware

Tomato42
Bronze badge
Facepalm

What....?

Certificates don't certify that the site you're connecting to is legitimate. They don't certify that the people using it are who they are claiming to be. And they definitely don't certify that the server you're connecting to is secure (unless by that you mean it supports TLS/HTTPS, period).

Certificates only certify that the people that were in control of the domain when the CA performed the check are the same people that are running the server you're connecting to now.

But if you don't read T&C of CAs that may come to you as a surprise...

so, please, tell me, where exactly is the failure on Let's Encrypt's part?

27
1

Did North Korea really just detonate a hydrogen bomb? Probably not

Tomato42
Bronze badge
Trollface

let's assume for a second that what they say is true, wouldn't that make it the world's smallest thermonuclear detonation?

6
1

The sloth is coming! Quick, get MD5 out of our internet protocols

Tomato42
Bronze badge
Black Helicopters

since when is informing about new exploits in widely used cryptographic protocols advertising?

if anything, it looks more like you are paid by some TLA to spread FUD

9
0

Firefox-on-Windows users, rejoice: Game of Thrones now in HTML5

Tomato42
Bronze badge
FAIL

Sad, really...

All this effort just so that videos would show up with a 24h delay instead of a 2h delay on Pirate Bay.

Just to make a few suits in Hollywood think they have "achieved" something.

2
1

Facebook wants a kinder, gentler end for SHA-1

Tomato42
Bronze badge
FAIL

@BinkyTheMagicPaperclip: not to mention that the deprecation of SHA-1 impacts only Windows XP SP2 and older. Windows XP SP3 is just fine. So that's not a problem for people that run old software. It's a problem for people that run old software and never updated it.

Kill SHA-1, let's show that the industry can learn from its mistakes.

4
0

Linux Foundation wants open source projects to show you their steenking badges

Tomato42
Bronze badge
Trollface

"If you don't want features and use CVS in 21st century, just run OpenBSD and have done with it."

TFTFY

0
0
