Computer security is shit

Speaking infosec, when do you think the bubble will pop? Two weeks before my startup gets acquired and everything falls to shit?

1 Like

Not a security dude here, but how many items can be reordered?

Why couldn’t the installer recompile in a random order? Source is open, so there should be no issue in distribution.

(<— installer dude)

1 Like

Ya can, but no one does. As an installer dude, to reorder any of that crypto shit would probably make you commit seppuku.

Plus I think they are in a preferred order, but I haven’t looked at openssl code in, oh, long enough :slight_smile:

When the government quits paying people stupid money?

3 Likes

So I’m in a protected industry like Lockheed, Boeing, and General Dynamics? Sha-weet!!

If you saw consistent trends across most platforms and then a mixed ordering of cipher suites coming from OpenSSL but the same cipher suites, it’d probably be safe to guess it was the one Linux distro that did that. Also they are sent in the order of preference (strongest to weakest), so you could mix it up and get undesired results.

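To make the two points in the post above concrete (a scrambled list still exposes the same set of suites, and a scrambled list can change what gets negotiated), here is an added example that is not from this thread or from OpenSSL. It simulates the selection step only: the suite names and both preference lists are constructed for illustration, and `negotiate` stands in for what a server does with the ClientHello list, either honouring the client's order or its own (OpenSSL's server-preference option).

```python
import hashlib
from typing import Dict, List, Optional

# Constructed example: a client's list, sent strongest first, as the post describes.
CLIENT_PREFERRED = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]

# Constructed example: the same four suites after the "recompile in a random order" idea.
CLIENT_SCRAMBLED = [
    "AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]

# Constructed example: a server that supports a subset, also strongest first.
SERVER_PREFERRED = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]


def negotiate(client_list: List[str], server_list: List[str],
              honor_server_order: bool = False) -> Optional[str]:
    """Return the suite the server picks, or None when the lists do not overlap.

    honor_server_order=False: walk the client's list and take the first suite the
    server also supports, so the client's ordering decides.
    honor_server_order=True: walk the server's list instead, so the server's
    ordering decides and a scrambled client list no longer matters.
    """
    if honor_server_order:
        ordered, supported = server_list, set(client_list)
    else:
        ordered, supported = client_list, set(server_list)
    for suite in ordered:
        if suite in supported:
            return suite
    return None


def order_fingerprint(suites: List[str]) -> str:
    """Digest of the list as sent: changes whenever the order changes."""
    return hashlib.sha256(",".join(suites).encode()).hexdigest()[:16]


def set_fingerprint(suites: List[str]) -> str:
    """Digest of the sorted list: the same for every ordering of the same suites."""
    return order_fingerprint(sorted(suites))


def compare(client_list: List[str]) -> Dict[str, Optional[str]]:
    """Summarise what an observer sees and what gets negotiated for one client list."""
    return {
        "order_fingerprint": order_fingerprint(client_list),
        "set_fingerprint": set_fingerprint(client_list),
        "client_order_wins": negotiate(client_list, SERVER_PREFERRED),
        "server_order_wins": negotiate(client_list, SERVER_PREFERRED, honor_server_order=True),
    }


if __name__ == "__main__":
    for label, lst in (("preferred", CLIENT_PREFERRED), ("scrambled", CLIENT_SCRAMBLED)):
        print(label, compare(lst))
```

Running it shows the trade-off the post hints at: the scrambled client still negotiates the strongest common suite only if the server enforces its own order; against a server that defers to the client it ends up on `AES128-SHA`. The sorted-list fingerprint is identical for both clients, so the scrambling hides the distro-specific ordering but not which suites are offered.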
I usually reserve my infosec ramblings for other blogs, but since there are quite a few others on the Boings in the industry, and this thread is here…

Does anyone have any impressions of the Software Assurance Marketplace? I’m not too enamored with a lot of what DHS has done, but it seems like an example of them throwing money behind a worthwhile project.

enh have you read the current news about Boeing?

1 Like

Ha-ha!! /nelson

3 Likes

Speaking of security, I wrote an internet facing api method that’s basically:

$param =~ s/[^a-zA-Z0-9]//g;

That’s totes secure, right guys? …guys?

4 Likes

I have never looked at the source, but getting ridiculous with things like preprocessor defines is why we pay C programmers well, no?

But of course non-trivial, and requires consideration in the source to begin with.

Preferential order is quite a bit more problematic.

Shipping a completely isolated compiler that exists for the duration of the install is another, but probably doable.

You stole that code from Bobby Tables, didn’t you?

2 Likes

Why do data sanitization when you can pound your inputs with half-assed regexes? I mean, who cares (I’ll actually fix that one tomorrow :D)

2 Likes
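The one-liner a few posts up strips everything outside `[a-zA-Z0-9]` and carries on. The practical problem is not just that it is a blunt regex; it is that a sanitizer that rewrites its input silently turns distinct inputs into the same value, whereas validation rejects anything that does not fit and leaves accepted values untouched. Here is an added example of both, written in Python rather than the Perl of the original one-liner and not part of the thread: the parameter names, username rule and sample inputs are all constructed for illustration.

```python
import re
from typing import Dict, Iterable, List

# The thread's approach: delete every character outside [a-zA-Z0-9] and keep going.
STRIP_RE = re.compile(r"[^a-zA-Z0-9]")


def strip_sanitize(value: str) -> str:
    """Mutating 'sanitizer': silently rewrites the input instead of rejecting it."""
    return STRIP_RE.sub("", value)


def find_collisions(values: Iterable[str]) -> Dict[str, List[str]]:
    """Group distinct inputs that the stripping regex maps onto one string.

    Every bucket with more than one entry is a case where two different callers
    (or two different records) would be treated as the same thing.
    """
    buckets: Dict[str, List[str]] = {}
    for v in values:
        buckets.setdefault(strip_sanitize(v), []).append(v)
    return {k: vs for k, vs in buckets.items() if len(vs) > 1}


# Validation: say what a valid value looks like for *this* parameter and reject the rest.
# Constructed rule: a username is 3..32 chars, lowercase letter first, then [a-z0-9_].
# \A and \Z (not ^ and $) so a trailing newline cannot sneak past the check.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


class InvalidParameter(ValueError):
    pass


def validate_username(value: str) -> str:
    """Return the value unchanged if it matches the rule, otherwise raise."""
    if not USERNAME_RE.fullmatch(value):
        raise InvalidParameter(f"username rejected: {value!r}")
    return value


def is_valid_username(value: str) -> bool:
    try:
        validate_username(value)
        return True
    except InvalidParameter:
        return False


def validate_page(value: str) -> int:
    """Numeric parameters: convert and range-check instead of pattern-matching text."""
    try:
        page = int(value, 10)
    except ValueError as exc:
        raise InvalidParameter(f"page rejected: {value!r}") from exc
    if not 1 <= page <= 10_000:
        raise InvalidParameter(f"page out of range: {page}")
    return page


# Constructed sample inputs: pairs that the stripping regex cannot tell apart.
SAMPLE_INPUTS = ["obrien", "O'Brien", "OBrien", "alice", "alice\n", "bob smith", "bobsmith"]

if __name__ == "__main__":
    for key, originals in find_collisions(SAMPLE_INPUTS).items():
        print(f"stripping maps {originals!r} -> {key!r}")
    for candidate in SAMPLE_INPUTS:
        print(f"{candidate!r}: {'accepted' if is_valid_username(candidate) else 'rejected'}")
```

Rejecting keeps a one-to-one relation between what the caller sent and what the handler uses, which is what makes later logging and auditing trustworthy; a stripped value tells you nothing about what actually arrived. The `\A ... \Z` plus `fullmatch` detail matters in Perl too, where a bare `$` also matches before a trailing newline.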

True, the attacks of the early/mid-90s were so easy, and things were so badly locked down, that there wasn’t as much digging needed. Back then there were still a lot of servers running fingerd and telnet was still running on everything (and not running an open SMTP relay was sort of impolite). It’s way hairier today in part because of the sophistication of attacks/attackers, and just due to the sheer volume of attackers. I’m glad I am only very peripherally involved.

I miss getting fingerd…

3 Likes

You should have a .plan for that

7 Likes

Someone types faster than me.

3 Likes

It’s PHP, so there’s no point in worrying.

1 Like

Oh, no, it’s muuuuuch worse.

1 Like

Assuming that’s PHP/not Perl, I hurt inside remembering it, but there are some filter_* builtins in PHP5 that are nice. I had to walk a hideously insecure PHP3 badly ported to PHP4 web tool I’d just inherited through a code audit with an InfoSec team. So, so fun. At least they paid me for it.

I still get calls from recruiters for PHP things; I now tell them I am emotionally unable to code PHP.

2 Likes