The phrase “free, as in beer” is often used in connection with Open Source software, to indicate that the software is being given to users without any expectation of payment. This distinguishes it from “free, as in speech” which might erroneously suggest that the software could do whatever it liked.
Actually, were it not for Andres Freund’s recent discovery, a certain piece of software called xz utils might have actually become free to do whatever it liked (or more correctly, whatever its evil master desired). NIST gives it a criticality of 10/10. Freund announced his discovery a month after the tainted xz had been released, though thankfully before it had worked its way into production systems.
The xz utilities provide [click title to read more…]
How come all the talk about IPv6 comes with illustrations like 2001:db8:1234:abcd::321? When we eventually adopt IPv6, is some person or company going to find all the students, hackers and IT novices hitting the same network addresses just because they were mentioned in the IPv6 text books and cheat sheets? Will the eventual owners of these addresses be like current SlashDot victims, overloaded with unexpected traffic?
No. In fact, you are encouraged to use the 2001:db8 block of IPv6 addresses in your documentation (and possibly some illustrative code) precisely because it is reserved for that purpose. RFC 3849 explains that “the Asia Pacific Network Information Centre (APNIC) allocated a unicast address prefix for documentation purposes”, so we can safely use [click title to read more…]
It is a little disturbing to think that a reputable company like Sony could operate a network that allowed the private records of 77,000,000 (seventy seven million) customers be siphoned out. These records include passwords and answers to security challenges, according to an official statement from Sony. What I can’t understand is why, as this statement seems to imply, the passwords and answers were stored in plain text. Surely every good security geek knows that you don’t store access data in plain text.
I wrote about this issue a few years ago. It doesn’t take much to protect this sensitive data. Did Sony assume that because the data was within their private network that it was safe? If they did, [click title to read more…]
It would seem that someone in the browser community had the “brilliant” idea of disabling JavaScript Alert() boxes on pages that have a “lot” of these (i.e. more than a handful). Crazy. The Alert() mechanism is there for a very good reason, to alert the user to something of importance.
Like “Please confirm that you have read the terms and conditions before proceeding”
Or “Warning: this combination of medication is not advised for pregnant women”
So, the Web-based service keeps popping up these alerts and suddenly there’s a “helpful” checkbox on the alert that says “prevent this page from creating additional dialogs”. Tempting, isn’t it? You click it, and bye-bye alerts.
And possibly bye-bye your safety, your security, your failsafe, [click title to read more…]
They say you should never store or transmit passwords in plain text. Instead, encrypt them first, preferably “one-way” so that you can only compare the encrypted signatures and can’t actually retrieve the original passwords. MD5 produces a one-way signature. But what if the original password is some well-known word or phrase? For example, the MD5 of “password” is 5F4DCC3B5AA765D61D8327DEB882CF99, so if you find that code stored in a password file then you know the original password was “password”. A dictionary of MD5 signatures will easily break any MD5-based password store unless you take the precaution of adding a few extras to the password before you hash it. Add some secret constants to the beginning, middle and/or end. Add other bits of [click title to read more…]