Posted by timothy on Tuesday May 13, @12:01PM
from the security-is-a-process dept.
SecurityBob writes "Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of OpenSSL random number generator, which in turn makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu." Reader RichiH also points to Debian's announcement and Ubuntu's announcement.
Posted by timothy on Tuesday May 13, @09:31AM
from the how-large-is-your-facade dept.
SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes "When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."
Posted by ScuttleMonkey on Monday May 12, @03:34PM
from the after-they-are-already-in-passports dept.
coondoggie writes to tell us that the Federal Trade Commission (FTC) will be taking a look at contactless payment systems and the consumer protection issue surrounding them. "RFID technology provides obvious benefits, the FTC said. For example, the ability of producers using RFID to track exactly where in the supply chain their products are and by which retailer they were ultimately sold to a consumer has the potential to make product recalls more effective. However, there also may be costs regarding consumers' individual privacy rights associated with it."
Posted by CmdrTaco on Monday May 12, @08:48AM
from the oh-the-humanity dept.
stevegee58 writes "Tom Ricks' Inbox in the Sunday Washington Post reported that bootleg DVDs purchased in Iraqi markets ('souks') are frequently infected with viruses. Iraqi soldiers were affected as well; electronic interaction between Iraqi and US soldiers frequently resulted in a corresponding exchange of viruses from these infected DVDs."
Posted by kdawson on Sunday May 11, @10:49PM
from the workarounds-emerge dept.
Stony Stevenson alerts us to new information on the XP SP3-induced crashes that we discussed a few days back. Jesper Johansson, a former program manager for security policy at Microsoft, is maintaining an ongoing log and support site for users affected by any of several problems triggered by XP3. Machines using AMD hardware, particularly HP desktops, seem to have several modes of failure; others affect Intel machines.
Posted by kdawson on Sunday May 11, @08:54PM
from the where-is-everybody dept.
thermian writes "I've been developing my open source project for several years now, and I've never found a solution to one fairly important issue. How can a small-scale project attract new members? My project is pretty specialist, (no URL, sorry, I can't afford to get my server nuked) and I find that while it gets a fair bit of use, most users come to my software out of a need to solve their problem, or use my tutorials to learn about the subject, and none seem inclined to stick around and help make the product better. This is a fairly serious problem for me now, because my software has recently been adopted by a university, and I'm just not in a position to manage the entire set of applications and update everything on my own. Just preparing a version for release to students has been especially hard. The open source maxim 'Many eyes make all bugs shallow' only works if those 'many eyes' are available. So do you have any suggestions as to how, and where, to find people who fancy joining open source projects?"
Posted by kdawson on Sunday May 11, @06:57PM
from the can-you-see-me-now dept.
Sniper223 notes a PC World article on a new kind of rootkit recently developed by researchers, which will be demoed at Black Hat in August. The rootkit runs in System Management Mode, a longtime feature of x86 architecture that allows for code to run in a locked part of memory. It is said to be harder to detect, potentially, than VM-based rootkits. The article notes that the technique is unlikely to lead to widespread exploitation: "Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking."
Posted by kdawson on Sunday May 11, @05:47PM
from the ready-or-not dept.
An anonymous reader sends in an IBM DeveloperWorks article detailing the changes coming in PHP V6 — from namespaces, to Web 2.0 built-ins, to a few features that are being removed.
Posted by kdawson on Sunday May 11, @03:30PM
from the when-dinosaurs-ruled-the-datacenter dept.
Consul writes "What is the oldest piece of code that is still in use today, that has not actually been retyped or reimplemented in some way? By 'piece of code,' I'm of course referring to a complete algorithm, and not just a single line." The question would have a different answer if emulation, in multiple layers, is allowed.
Posted by kdawson on Sunday May 11, @02:23PM
from the faster-and-then-some dept.
Das Capitolin sends us to Benchmark Reviews for an in-depth feature on DDR3 memory that begins: "These are uncertain financial times we live in today, and the rise and fall of our economy has had [a] direct [effect] on consumer spending. It has already been one full year now that DDR3 has been patiently waiting for the enthusiast community to give it proper consideration, yet [its] success is still undermined by misconceptions and high price. Benchmark Reviews has been testing DDR3 more actively than anyone. ... Sadly, it might take an article like this to open the eyes of my fellow hardware enthusiast[s] and overclocker[s], because it seems like DDR3 is the technology nobody wants [badly] enough to learn about. Pity, because overclocking is what it's all about."