Forgot your password?

Please create an account to participate in the Slashdot moderation system

Open Source

How Does Heartbleed Alter the 'Open Source Is Safer' Discussion? 409

Posted by Soulskill
from the or-at-least-marginally-less-unsafe dept.
jammag writes: "Heartbleed has dealt a blow to the image of free and open source software. In the self-mythology of FOSS, bugs like Heartbleed aren't supposed to happen when the source code is freely available and being worked with daily. As Eric Raymond famously said, 'given enough eyeballs, all bugs are shallow.' Many users of proprietary software, tired of FOSS's continual claims of superior security, welcome the idea that Heartbleed has punctured FOSS's pretensions. But is that what has happened?"

Heartbleed Disclosure Timeline Revealed 62

Posted by samzenpus
from the when-did-you-know dept.
bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."

Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty 55

Posted by samzenpus
from the try-it-again dept.
SpacemanukBEJY.53u (3309653) writes "It took security researcher Willem Pinckaers all of 15 minutes to spot a flaw in code created by Akamai that the company thought shielded most of its users from one of the pernicious aspects of the Heartbleed flaw in OpenSSL. More than a decade ago, Akamai modified parts of OpenSSL it felt were weak related to key storage. Akamai CTO Andy Ellis wrote last week that the modification protected most customers from having their private SSL stolen despite the Heartbleed bug. But on Sunday Ellis wrote Akamai was wrong after Pinckaers found several flaws in the code. Akamai is now reissuing all SSL certificates and keys to its customers."

Private Keys Stolen Within Hours From Heartbleed OpenSSL Site 151

Posted by samzenpus
from the that-didn't-take-long dept.
Billly Gates (198444) writes "It was reported when heartbleed was discovered that only passwords would be at risk and private keys were still safe. Not anymore. Cloudfare launched the heartbleed challenge on a new server with the openSSL vulnerability and offered a prize to whoever could gain the private keys. Within hours several researchers and a hacker got in and got the private signing keys. Expect many forged certificates and other login attempts to banks and other popular websites in the coming weeks unless the browser makers and CA's revoke all the old keys and certificates."
The Courts

Wi-Fi Problems Dog Apple-Samsung Trial 80

Posted by timothy
from the it's-the-little-things dept.
alphadogg (971356) writes "There's a new sign on the door to Courtroom 5 at the federal courthouse in San Jose, the home to the Apple v. Samsung battle that's playing out this month: 'Please turn off all cell phones.' For a trial that centers on smartphones and the technology they use, it's more than a little ironic. The entire case might not even be taking place if the market wasn't so big and important, but the constant need for connectivity of everyone is causing problems in the court, hence the new sign. The problems have centered on the system that displays the court reporter's real-time transcription onto monitors on the desks of Judge Lucy Koh, the presiding judge in the case, and the lawyers of Apple and Samsung. The system, it seems, is connected via Wi-Fi and that connection keeps failing."

GM Names Names, Suspends Two Engineers Over Ignition-Switch Safety 236

Posted by timothy
from the laying-blame dept.
cartechboy (2660665) writes "GM said it has placed two engineers on paid leave in connection with its massive recall probe of 2 million vehicles. Now, GM is asking NASA to advise on whether those cars are safe to drive even with the ignition key alone. Significantly, individual engineers now have their names in print and face a raft of inquiries what they did or didn't know, did or didn't do, and when. A vulnerability for GM: One engineer may have tried to re-engineer the faulty ignition switch without changing the part number—an unheard-of practice in the industry. Is it a good thing that people who engineer for a living can now get their names on national news for parts designed 10 years ago? The next time your mail goes down, should we know the name of the guy whose code flaw may have caused that?"

NSA Allegedly Exploited Heartbleed 149

Posted by Soulskill
from the according-to-somebody-who-may-or-may-not-be-a-person dept.
squiggleslash writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'" The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.

Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake 444

Posted by samzenpus
from the only-human dept.
nk497 (1345219) writes "The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011. 'I was working on improving OpenSSL and submitted numerous bug fixes and added new features,' Seggelmann told the Sydney Morning Herald. 'In one of the new features, unfortunately, I missed validating a variable containing a length.' His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."

Google Chrome Flaw Sets Your PC's Mic Live 152

Posted by timothy
from the lives-of-others dept.
First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."

Canada Halts Online Tax Returns In Wake of Heartbleed 49

Posted by timothy
from the worse-than-a-syrup-heist dept.
alphadogg (971356) writes "Canada Revenue Agency has halted online filing of tax returns by the country's citizens following the disclosure of the Heartbleed security vulnerability that rocked the Internet this week. The country's Minister of National Revenue wrote in a Twitter message on Wednesday that interest and penalties will not be applied to those filing 2013 tax returns after April 30, the last date for filing the returns, for a period equal to the length of the service disruption. The agency has suspended public access to its online services as a preventive measure to protect the information it holds, while it investigates the potential impact on tax payer information, it said."

Heartbleed OpenSSL Vulnerability: A Technical Remediation 239

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "Since the announcement malicious actors have been leaking software library data and using one of the several provided PoC codes to attack the massive amount of services available on the internet. One of the more complicated issues is that the OpenSSL patches were not in-line with the upstream of large Linux flavors. We have had a opportunity to review the behavior of the exploit and have come up with the following IDS signatures to be deployed for detection."

MtGox's "Transaction Malleability" Claim Dismissed By Researchers 92

Posted by Unknown Lamer
from the did-you-check-the-couch-cushions? dept.
Martin S. (98249) writes "The Register reports on a paper at the arXiv (abstract below) by Christian Decker and Roger Wattenhofer analyzing a year's worth of Bitcoin activity to reach the conclusion that MtGox's claims of losing their bitcoins because of the transaction malleability bug are untrue. The Abstract claims: 'In Bitcoin, transaction malleability describes the fact that the signatures that prove the ownership of bitcoins being transferred in a transaction do not provide any integrity guarantee for the signatures themselves. ... In this work we use traces of the Bitcoin network for over a year preceding the filing to show that, while the problem is real, there was no widespread use of malleability attacks before the closure of MtGox.'" Quoting El Reg: "By extracting transaction keys from the transaction set, the researchers say, they were able to identify more than 35,000 transaction conflicts and more than 29,000 “confirmed attacks” covering more than 300,000 Bitcoins." And less than 6000 were actually successful.

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks 303

Posted by Unknown Lamer
from the check-your-bounds dept.
Bismillah (993337) writes "A potentially very serious bug in OpenSSL 1.0.1 and 1.0.2 beta has been discovered that can leak just about any information, from keys to content. Better yet, it appears to have been introduced in 2011, and known since March 2012." Quoting the security advisory: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon, Fedora is having some trouble applying their patches, but a workaround patch to the package .spec (disabling heartbeats) is available for immediate application.

Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros 144

Posted by timothy
from the holes-to-plug dept.
According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article:"The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

Linux Developers Consider On-Screen QR Codes For Kernel Panics 175

Posted by timothy
from the take-a-picture-it'll-last-longer dept.
An anonymous reader writes "Linux kernel developers are currently evaluating the possibility of using QR codes to display kernel oops/panic messages. Right now a lot of text is dumped to the screen when a kernel oops occurs, most of which isn't easily archivable by normal Linux end-users. With QR codes as Linux oops messages, a smart-phone could capture the display and either report the error string or redirect them to an error page on The idea of using QR codes within the Linux kernel is still being discussed by upstream developers."

Bugs In SCADA Software Leave 7,600 Factories Vulnerable 70

Posted by timothy
from the about-that-skeleton-key dept.
mspohr (589790) writes with this news from the BBC: "The discovery of bugs in software used to run oil rigs, refineries and power plants has prompted a global push to patch the widely used control system. The bugs were found by security researchers and, if exploited, could give attackers remote access to control systems for the installations. The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs. About 7,600 plants around the world are using the vulnerable software. 'We went from zero to total compromise,' said Juan Vazquez, a researcher at security firm Rapid7 who, with colleague Julian Diaz, found several holes in Yokogawa's Centum CS 3000 software which was first released to run on Windows 98 to monitor and control machinery in many large industrial installations. The researchers also explored other SCADA software: 'We ended up finding over 1,000 bugs in 100 days.'" The vulnerabilities reported are in Yokogawa's Centum CS 300 industrial control software.

Nest Halts Sales of Smart Fire Alarm After Discovering Dangerous Flaw 128

Posted by Soulskill
from the out-of-the-frying-pan dept.
fructose writes: "The Nest Protect has a flaw in its software that, under the right circumstances, could disable the alarm and not notify the owners of a fire. To remedy this flaw, they are disabling the Nest Wave feature through automatic updates. Owners who don't have their Nest Protects connected to their WiFi net or don't have a Nest account are suggested to either update the device manually or return it to Nest for a full refund. While they work out the problem, all sales are being halted to prevent unsafe units from being sold. There have been no reported incidents resulting from this flaw, but they aren't taking any chances."

Microsoft To Allow Code Contributions To F# 100

Posted by Soulskill
from the also-debating-renaming-it-to-hashtag-F dept.
An anonymous reader writes "The F# programming language team has been providing source code releases for years, but all contributions to the core implementation were internal. Microsoft is now changing that. They've announced that they'll be accepting code contributions from the community for the core F# language, the compiler, library, and Visual F# tools. They praised the quality of work currently being done by the F# community: 'The F# community is already doing high-quality, cross-platform open engineering using modern tools, testing methodology and build processes. Some particularly active projects include the Visual F# Power Tools, FSharp.Data, F# Editing Support for Open Editors, the Deedle DataFrame library and a host of testing tools, web tools, templates, type providers and other tools.' Microsoft is actively solicited bug fixes, optimizations, and library improvements."

Russian GLONASS Down For 12 Hours 148

Posted by timothy
from the high-level-intrigue dept.
An anonymous reader writes "In an unprecedented total disruption of a fully operational GNSS constellation, all satellites in the Russian GLONASS broadcast corrupt information for 11 hours, from just past midnight until noon Russian time (UTC+4), on April 2 (or 5 p.m. on April 1 to 4 a.m. April 2, U.S. Eastern time). This rendered the system completely unusable to all worldwide GLONASS receivers."

Scientists Solve the Mystery of Why Zebras Have Stripes 190

Posted by samzenpus
from the leopards-took-the-spots dept.
Hugh Pickens DOT Com (2995471) writes "There have been many explanations for the zebra's impressive stripes including Darwin who thought that the stripes help males and females make sensible choices about whom they mate with. Now Henry Nicholls reports at The Guardian that Tim Caro at the University of California, Davis, has taken a completely original approach, stepping back from one species of zebra and attempting to account for the differences in patterning across different species and subspecies of zebras, horses and asses to see if there is anything about the habitat or ecology of these different equids that hints at the function of stripes. To answer that question, Caro and his colleagues created a detailed map charting the ranges of striped vs. non-striped species and subspecies. Then they worked on a map for the bloodsuckers that targeted those species — specifically, abanid biting flies (horse flies) and tsetse flies.

'I was amazed by our results,' says Caro. 'Again and again, there was greater striping on areas of the body in those parts of the world where there was more annoyance from biting flies.' Where there are tsetse flies, for instance, the equids tend to come in stripes. Where there aren't, they don't. Biologists who buy into the bug-repellent hypothesis say that, all other things being equal, striped animals would have an evolutionary advantage because they wouldn't suffer from the loss of blood, reduced weight gain and lowered milk production that's associated with bug bites. Tsetse flies are also associated with the transmission of diseases. 'There are a lot of them, such as sleeping sickness, equine anemia and equine influenza,' Caro says. Why would zebras evolve to have stripes whereas other hooved mammals did not? The study found that, unlike other African hooved mammals living in the same areas as zebras, zebra hair is shorter than the mouthpart length of biting flies, so zebras may be particularly susceptible to annoyance by biting flies. 'It's clear that the flies can get through that hair and get to the skin.'"

FORTRAN is for pipe stress freaks and crystallography weenies.