OpenBSD bugs, Microsoft's bad update, a new Nork hacking crew, and more

Welcome to yet another El Reg security roundup. Off we go. OpenBSD a little too true to its name The freely available OpenBSD operating system is the host of some annoying security holes. Researchers at Qualys found and reported authentication bypass flaws that can be exploited locally, and potentially remotely, to log into …

  1. Version 1.0 Silver badge
    Facepalm

    Weinberg’s Law applies

    "If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization." although, living close to New Orleans and watching the Hard Rock hotel collapse (as they added floors to the building they thought that each floor only needed to support the one above it, not every one above it), it seems that the end of the world is neigh.

    These days software updates just move the bugs around - the sales department loves it - updates keep you close to the company. Has anyone ever seen an update that fixed problems and didn't introduce new ones?

    1. This post has been deleted by its author

    2. Cardinal

      Re: Weinberg’s Law applies

      "it seems that the end of the world is neigh."

      So THAT'S why all the long faces eh?

  2. Pascal Monett Silver badge

    "the reason why some companies are behind on their patching"

    There's a twofold reason for that: one is that companies, contrary to Microsoft, like it when their databases are accessible 24/7, thus any change is viewed with suspicion because, yes, Microsoft and others have a track record of patches breaking things. The other reason is that there aren't all that many companies that have a dev environment that mirrors the production environment exactly, thus patching the dev environment and testing is not always representative of what will happen when the production environment is patched - meaning more suspicion and delays.

    Because Microsoft still hasn't understood that patching your production database and then not being able to use it is something companies don't like. At all. And I just can't understand how Microsoft can write code that breaks its own effing tools. It's not like Microsoft doesn't have the ability to actually test its own stuff, but here we all are.

    1. Anonymous Coward

      Re: "the reason why some companies are behind on their patching"

      "It's not like Microsoft doesn't have the ability to actually test its own stuff"

      They don't; Satya, to save money, got rid of the QA department.

      More modern approach, rely on your users to test and solely automated tests created by the developer writing the code (so will not be very extensive).

    2. herman Silver badge

      Re: "the reason why some companies are behind on their patching"

      Bill Gates ran QA - he left a long time ago and he wasn't particularly good at QA either.

      1. Claptrap314 Silver badge

        Re: "the reason why some companies are behind on their patching"

        If Bill Gates ran QA, then he was a royal ****-up. M$ software has been shot through with bugs & security fails at least since DOS 1.0.

    3. chivo243 Silver badge

      Re: "the reason why some companies are behind on their patching"

      I like to err on the side of caution regarding any Windows related update. WSUS lets us roll out updates after the fallout... not approving any malcontents foisted by MS. Before WSUS I picked Monday at 23:55 to check, and download only WU.

      As far as other shops, not knowing you have something running that was installed by a vendor can happen quite often.

  3. mark l 2 Silver badge

    "Bogdan Nicolescu and Radu Miclaus, the Romanian duo behind the Bayrob fraud operation, have been sentenced to 20 and 18 years in prison, respectively."

    US justice is very harsh on financial crime compared to the UK. To be getting sentences of 18+ years here in the UK you would be expecting the victims to have suffered physical injury or even death from the criminals' actions.

    I am not saying that they should not be punished for their crimes but surely locking up criminals who are not a danger to the public for such long periods is counter productive as it costs a lot of money per year to have criminals in prisons. I personally think it would be better to give them a shorter sentence and make them pay off their debt to society with unpaid community service work on release. And seize any assets or money to repay the money they stole.

    1. Gene Cash Silver badge

      They won't serve more than 4 years, I'll bet, with time off for good behavior and other things.

      That's why US sentences are longer. Crims rarely spend half their sentence in jail.

      1. Kabukiwookie

        Unless you happen to be incarcerated in a California for-profit prison and there's a large bush fire where you can risk your life for $1 a day.

      2. mrobaer

        Prisoners must serve at least 85% of their federal prison sentences here in the USA.

      3. Michael Wojcik Silver badge

        "That's why US sentences are longer. Crims rarely spend half their sentence in jail."

        That's two. Care to try for a third strike?

        US sentences are longer because of the "tough on crime" push that started with Reagan, as a sop to the scared-of-its-shadow white middle class, and the contemporaneous transformation of senior prosecutorial jobs into stepping-stones to higher political office. This trend has been extensively documented and analyzed. For example, a 2017 study by Urban Institute showed on average a 5-year increase in time served over the interval 2000-2014.

        Historically, time served in US prisons has been much longer for similar crimes than in the UK. See this study from the BJS, for example.

        Over half the states now conform to the Federal Truth-In-Sentencing guidelines which require 85% of the sentence to be served for violent offenses.

        In 1996, the average percentage of sentence served for all offenders was 44%, which makes it highly unlikely that "[offenders] rarely spend half their sentence in [prison]". Since 1996, the trend appears to be toward longer incarceration periods, thanks to TIS, "victims' rights" lobbying, and - as someone else pointed out - for-profit prisons and the Prison-Industrial Complex.

  4. arctic_haze

    Today is December 8

    An update for the database tool, released on November 12 borks the database. Now, you tell me???

    Seriously, I would never use a Microsoft database for anything important.

    1. jake Silver badge

      Re: Today is December 8

      "Seriously, I would never use a Microsoft product for anything important."

      FTFY

  5. Anonymous Coward

    OpenBSD a little too true to its name?

    “We thank Theo de Raadt and the OpenBSD developers for their incredibly quick response: they published patches for these vulnerabilities less than 40 hours after our initial contact.”

    https://seclists.org/bugtraq/2019/Dec/8

    1. elip

      Re: OpenBSD a little too true to its name?

      ...well, yes, but apparently only under a specific contrived configuration. :-)
