Computer security is shit

ha ha ha ha

/me cries

Oracle really has announced they are killing the Java browser plugin though.

So y’all ready for DROWN hysteria?

I honestly like the custom of assigning cutesy names to exploits. So much easier than trying to remember a CVE number or something! Still, it seems like it’s just a matter of time before we get one named OMIGODWEREALLGONNADIE.

I haven’t finished reading the paper yet, but so far it looks like if you’ve already got SSLv2 turned off on your systems (like you obviously should have) this drown vulnerability is a non-event.

Most browsers, for example, don’t even support SSLv2 or only support if you explicitly go turn it on (like a dumbass).

The problem seems to have resulted from people saying “I don’t have to bother turning off SSLv2 in the server, it’s already turned off in the browser”.

But I’ve been turning it off in the servers for a coon’s age. You’d think FIPS would be a stock item on the server security checklist at this point… but… well… see the title of this thread…

It’s weird that there are still are servers out there running SSLv2 (or at least the DROWN people make that claim). It’s had known weaknesses for a decade or so, and is among of the first things to turn off when you’re setting up https.

In other computer security is shit fun… we are updating to Rational 8 right now. IT STILL REQUIRES AN ACCOUNT WITH LOCAL ADMIN ACCESS (and this is a domain account so it can talk to the license server and of course we can’t have one for each user) to run the license broker so you can get license tokens. WTFF? (I just had to walk over to a desk and type in the password on a users machine as they were installing a non standard component that wanted that typed in again) Also it isn’t smart card aware (well technically the fat client is cause it uses your cached login credentials). I have been using chip+pin log in for 10+ fucking years and IBM can’t figure out how to integrate that with the windows clients already? It is still ‘in the next version’ but also the next version is where they are pushing everyone to the Eclipse/Web Client which even if you have stored windows credentialss on your machine you have to enter a userid/password and no way to insert a smart badge if you need a separate login.

Head>Desk.

Well who thought this was a good idea?

http://krebsonsecurity.com/2016/03/spammers-abusing-trust-in-us-gov-domains/

The kind of people willing to work for government pay?

This topic was automatically closed after 373 days. New replies are no longer allowed.