Speaking infosec, when do you think the bubble will pop? Two weeks before my startup gets acquired and everything falls to shit?
Not a security dude here, but how many items can be reordered?
Why couldn’t the installer recompile in a random order? Source is open, so there should be no issue in distribution.
(<— installer dude)
Ya can, but no one does. As an installer dude, to reorder any of that crypto shit would probably make you commit seppuku.
Plus I think they are in a preferred order, but I haven’t looked at openssl code in, oh, long enough
When the government quits paying people stupid money?
So I’m in a protected industry like Lockheed, Boeing, and General Dynamics? Sha-weet!!
If you saw consistent trends across most platforms and then a mixed ordering of cipher suites coming from OpenSSL but the same cipher suites, it’d probably be safe to guess it was the one Linux distro that did that. Also they are sent in the order of preference (strongest to weakest), so you could mix it up and get undesired results.
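An added illustration of the two points in the post above (not code from anyone in this thread): cipher suites in a ClientHello are an ordered preference list, so a distro that shuffles the list is both fingerprintable (same set, different order) and liable to end up on a weaker suite whenever the server honors client order. The suite names are OpenSSL-style names, but the preference rankings and the server's supported set are constructed for the example; `negotiate` is a simplified model of selection, not OpenSSL's actual code.

```python
# Constructed client preference list, strongest first (illustrative ranking,
# not a recommendation). OpenSSL-style suite names.
CLIENT_PREFERENCE = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
]

# Constructed server: supports a subset, listed in the server's own order
# of preference (strongest first).
SERVER_PREFERENCE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]


def negotiate(client_order, server_order, honor_client_order=True):
    """Simplified model of suite selection.

    honor_client_order=True: first suite in the client's list the server
    also supports (the default behaviour on many servers).
    honor_client_order=False: first suite in the server's list the client
    offered (what 'prefer server ciphers' settings do).
    Returns None if there is no overlap.
    """
    first, second = (client_order, server_order) if honor_client_order \
        else (server_order, client_order)
    supported = set(second)
    for suite in first:
        if suite in supported:
            return suite
    return None


def same_suites_reordered(hello_a, hello_b):
    """Fingerprint check: two hellos offer exactly the same suites but in a
    different order. A sane client sends a stable order, so this pattern
    points at a build that reshuffles its list."""
    return set(hello_a) == set(hello_b) and list(hello_a) != list(hello_b)


if __name__ == "__main__":
    shuffled = list(reversed(CLIENT_PREFERENCE))  # worst-case reordering
    print("stable client, server honors client order:",
          negotiate(CLIENT_PREFERENCE, SERVER_PREFERENCE))
    print("shuffled client, server honors client order:",
          negotiate(shuffled, SERVER_PREFERENCE))
    print("shuffled client, server enforces own order:",
          negotiate(shuffled, SERVER_PREFERENCE, honor_client_order=False))
    print("looks like a reshuffling build:",
          same_suites_reordered(CLIENT_PREFERENCE, shuffled))
```

The defensive takeaway is the third case: enforcing the server's own order (Apache's `SSLHonorCipherOrder on`, nginx's `ssl_prefer_server_ciphers on`) keeps a reshuffled client from dragging the connection down to the weakest mutually supported suite.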
I usually reserve my infosec ramblings for other blogs, but since there are quite a few others on the Boings in the industry, and this thread is here…
Does anyone have any impressions of the Software Assurance Marketplace? I’m not too enamored with a lot of what DHS has done, but it seems like an example of them throwing money behind a worthwhile project.
enh have you read the current news about Boeing?
Ha-ha!! /nelson
Speaking of security, I wrote an internet facing api method that’s basically:
$param =~ s/[^a-zA-Z0-9]//g;
That’s totes secure, right guys? …guys?
I have never looked at the source, but getting ridiculous with things like preprocessor defines is why we pay C programmers well, no?
But of course non-trivial, and requires consideration in the source to begin with.
Preferential order is quite a bit more problematic.
Shipping a completely isolated compiler that exists for the duration of the install is another, but probably doable.
You stole that code from Bobby Tables, didn’t you?
Why do data sanitization when you can pound your inputs with half-assed regexes? I mean, who cares (I’ll actually fix that one tomorrow :D)
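An added example, not code from anyone in this thread, for the `s/[^a-zA-Z0-9]//g` method above and the "half-assed regexes" jab: stripping unexpected characters is lossy. It silently maps distinct inputs onto the same value and changes meaning ("10.5" becomes "105"), so the API can end up acting on data the caller never sent. The alternatives shown are to validate and reject, and to stop relying on character stripping for query safety by passing values as parameters. The user table, names and e-mail addresses are constructed for the example.

```python
import re
import sqlite3

# Python equivalent of the Perl substitution from the post:
# delete every character that is not [a-zA-Z0-9].
_NOT_ALNUM = re.compile(r"[^a-zA-Z0-9]")


def strip_sanitize(value: str) -> str:
    """Delete-what-we-don't-like. Lossy: different inputs can collapse
    to the same output, and numbers/paths/names change meaning."""
    return _NOT_ALNUM.sub("", value)


# Validate-and-reject: the input either matches the expected shape exactly
# or the request fails. Nothing is silently rewritten.
_TOKEN = re.compile(r"[a-zA-Z0-9]{1,32}")


def validate_token(value: str) -> str:
    if not _TOKEN.fullmatch(value):
        raise ValueError(f"invalid token: {value!r}")
    return value


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; two users whose names differ only
    by an apostrophe, which strip_sanitize would merge."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("obrien", "obrien@example.invalid"),
         ("o'brien", "o.brien@example.invalid")],
    )
    return conn


def lookup_email(conn: sqlite3.Connection, username: str):
    """Parameterized query: the value travels as data, not as SQL text, so
    no character in it has to be removed for the query to be safe."""
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def lookup_email_after_strip(conn: sqlite3.Connection, username: str):
    """What the stripping approach does to the same lookup."""
    return lookup_email(conn, strip_sanitize(username))


if __name__ == "__main__":
    conn = make_db()
    print(strip_sanitize("10.5"), strip_sanitize("O'Brien"))
    print(lookup_email(conn, "o'brien"))              # correct user
    print(lookup_email_after_strip(conn, "o'brien"))  # wrong user
    try:
        validate_token("o'brien")
    except ValueError as exc:
        print("rejected:", exc)
```

The point is not that the regex lets an attack through; it is that the stripped value no longer means what the caller meant, and that the query layer is the place to make injection a non-issue.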
True, the attacks of the early/mid-90s were so easy, and things were so badly locked down, that there wasn’t as much digging needed. Back then there were still a lot of servers running fingerd and telnet was still running on everything (and not running an open SMTP relay was sort of impolite). It’s way hairier today in part because of the sophistication of attacks/attackers, and just due to the sheer volume of attackers. I’m glad I am only very peripherally involved.
I miss getting fingerd…
You should have a .plan for that
Someone types faster than me.
It’s PHP, so there’s no point in worrying.
Oh, no, it’s muuuuuch worse.
Assuming that’s PHP/not Perl, I hurt inside remembering it, but there are some filter_* builtins in PHP5 that are nice. I had to walk a hideously insecure PHP3 badly ported to PHP4 web tool I’d just inherited through a code audit with an InfoSec team. So, so fun. At least they paid me for it.
I still get calls from recruiters for PHP things, I now tell them I am emotionally unable to code PHP.