Security

Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake 447

nk497 (1345219) writes "The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011. 'I was working on improving OpenSSL and submitted numerous bug fixes and added new features,' Seggelmann told the Sydney Morning Herald. 'In one of the new features, unfortunately, I missed validating a variable containing a length.' His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."
Chrome

Google Chrome Flaw Sets Your PC's Mic Live 152

First time accepted submitter AllTheTinfoilHats (3612007) writes "A security flaw in Google Chrome allows any website you visit with the browser to listen in on nearby conversations. It doesn't allow sites to access your microphone's audio, but provides them with a transcript of the browser's speech-to-text transcriptions of anything in range. It was found by a programmer in Israel, who says Google issued a low-priority label to the bug when he reported it, until he wrote about it on his blog and the post started picking up steam on social media. The website has to keep you clicking for eight seconds to keep the microphone on, and Google says it has no timeline for a fix." However, as discoverer Guy Aharonovsky is quoted, "It seems like they started to look for a way to quickly mitigate this flaw."
Businesses

Ask Slashdot: How To Start With Linux In the Workplace? 452

An anonymous reader writes "Recently my boss has asked me about the advantages of Linux as a desktop operating system and if it would be a good idea to install it instead of upgrading to Windows 7 or 8. About ten boxes here are still running Windows XP and would be too old to upgrade to any newer version of Windows. He knows that I am using Linux at work on quite outdated hardware (would have gotten a new PC but never requested new hardware — Linux Mint x64 runs quite well on it) and I always managed to get my stuff done with it. I explained to him that there are no licensing issues with Linux, there is no anti-virus software to deal with and that Linux is generally a bit more efficient on old hardware than operating systems from Microsoft. The boss seems interested." But that's not quite the end; read on for this reader's question.
Crime

Stung By File-Encrypting Malware, Researchers Fight Back 85

itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."
Encryption

Theo De Raadt's Small Rant On OpenSSL 301

New submitter raides (881987) writes "Theo De Raadt has been on a better roll as of late. Since his rant about FreeBSD playing catch up, he has something to say about OpenSSL. It is worth the 5 second read because it is how a few thousand of us feel about the whole thing and the stupidity that caused this panic." Update: 04/10 15:20 GMT by U L : Reader badger.foo pointed out Ted Unangst (the Ted in the mailing list post) wrote two posts on the issue: "heartbleed vs malloc.conf" and "analysis of openssl freelist reuse" for those seeking more detail.
Canada

Canada Halts Online Tax Returns In Wake of Heartbleed 50

alphadogg (971356) writes "Canada Revenue Agency has halted online filing of tax returns by the country's citizens following the disclosure of the Heartbleed security vulnerability that rocked the Internet this week. The country's Minister of National Revenue wrote in a Twitter message on Wednesday that interest and penalties will not be applied to those filing 2013 tax returns after April 30, the last date for filing the returns, for a period equal to the length of the service disruption. The agency has suspended public access to its online services as a preventive measure to protect the information it holds, while it investigates the potential impact on tax payer information, it said."
United States

Cuba: US Using New Weapon Against Us -- Spam 139

mpicpp (3454017) writes in with news about accusations from Cuban officials about a spamming campaign against the country by the U.S. "Cuban officials have accused the U.S. government of bizarre plots over the years, such as trying to kill Fidel Castro with exploding cigars. On Wednesday, they said Washington is using a new weapon against the island: spam. 'It's overloading the networks, which creates bad service and affects our customers,' said Daniel Ramos Fernandez, chief of security operations at the Cuban government-run telecommunications company ETECSA. At a news conference Wednesday, Cuban officials said text messaging platforms run by the U.S. government threatened to overwhelm Cuba's creaky communications system and violated international conventions against junk messages. The spam, officials claim, comes in the form of a barrage of unwanted text messages, some political in nature. Ramos said that during a 2009 concert in Havana performed by the Colombian pop-star Juanes, a U.S. government program blanketed Cuban cell phone networks with around 300,000 text messages over about five hours."
Intel

Intel and SGI Test Full-Immersion Cooling For Servers 102

itwbennett (1594911) writes "Intel and SGI have built a proof-of-concept supercomputer that's kept cool using a fluid developed by 3M called Novec that is already used in fire suppression systems. The technology, which could replace fans and eliminate the need to use tons of municipal water to cool data centers, has the potential to slash data-center energy bills by more than 90 percent, said Michael Patterson, senior power and thermal architect at Intel. But there are several challenges, including the need to design new motherboards and servers."
