Encryption

First Phase of TrueCrypt Audit Turns Up No Backdoors 171

msm1267 (2804139) writes "An initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released today (PDF) by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly."
Security

Heartbleed Disclosure Timeline Revealed 62

bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get to the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."
Education

Bachelor's Degree: An Unnecessary Path To a Tech Job 287

dcblogs (1096431) writes "A study of New York City's tech workforce found that 44% of jobs in the city's 'tech ecosystem,' or 128,000 jobs, 'are accessible' to people without a Bachelor's degree. This eco-system includes both tech specific jobs and those jobs supported by tech. For instance, a technology specific job that doesn't require a Bachelor's degree might be a computer user support specialist, earning $28.80 an hour, according to this study. Tech industry jobs that do not require a four-year degree and may only need on-the-job training include customer services representatives, at $18.50 an hour, telecom line installer, $37.60 an hour, and sales representatives, $33.60 an hour. The study did not look at 'who is actually sitting in those jobs and whether people are under-employed,' said Kate Wittels, a director at HR&A Advisors, a real-estate and economic-development consulting firm, and report author. Many people in the 'accessible' non-degree jobs may indeed have degrees. For instance, about 75% of the 25 employees who work at New York Computer Help in Manhattan have a Bachelor's degree. Of those with Bachelor's degrees, about half have IT-related degrees."
Security

Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty 56

SpacemanukBEJY.53u (3309653) writes "It took security researcher Willem Pinckaers all of 15 minutes to spot a flaw in code created by Akamai that the company thought shielded most of its users from one of the pernicious aspects of the Heartbleed flaw in OpenSSL. More than a decade ago, Akamai modified parts of OpenSSL it felt were weak related to key storage. Akamai CTO Andy Ellis wrote last week that the modification protected most customers from having their private SSL stolen despite the Heartbleed bug. But on Sunday Ellis wrote Akamai was wrong after Pinckaers found several flaws in the code. Akamai is now reissuing all SSL certificates and keys to its customers."
