* Posts by ascasc

8 publicly visible posts • joined 4 May 2010

CVE bug system has bugs – quick, use this alternative, say hackers

ascasc

Re: Distributed Weakness Filing, enough volunteer labour

So I (Kurt Seifried) have some experience with this: I've assigned almost 5,000 CVEs myself (4,760 as of October 18, 2015, when I last counted) and I've been involved with vulnerability management/analysis for almost 2 decades.

The problem is that you, and I suspect Mitre, are caught in the trap of thinking about this problem as a single issue when in fact (as Art Manion of CERT pointed out) it's actually two problems:

1. Assigning IDs

2. Analysis, deconfliction, write-up

https://cve.mitre.org/data/board/archives/2016-03/msg00004.html

DWF aims to address problem #1 by making it much simpler to get a DWF, and to push DWF assignment as close to the vulnerability as possible, e.g. by getting major researchers on board and assigning, and also getting vendors and vulnerability coordinating bodies on board. A perfect example of this is the first official DWF assigned, DWF-2016-89000:

https://bugzilla.redhat.com/show_bug.cgi?id=DWF-2016-89000

https://patrick.uiterwijk.org/DWF-2016-89000/

https://www.google.ca/search?q=DWF-2016-89000

The second problem is also largely already solved by the community, but there are no good feedback mechanisms with CVE (I should know, I've been reporting errors to them as I find them for over a decade). DWF solves this problem by being fully transparent and open and by using the GitHub platform to make feedback (in the form of pulls/issues) really easy, and more importantly to make correcting things easy (multiple DWF project people will have commit access). So if you do find an error or conflict you can easily report it, and if you want to add information to an issue, you can also do so easily through the Artifact Database. As for write-ups, the community already does this; witness security researcher reports and advisories, or vendor advisories. There is no need to rewrite these things constantly.

So in conclusion: this is pretty much classic Cathedral vs. the Bazaar. The DWF Open Source model is a lot easier to participate in, and we've specifically picked a platform (GitHub) that makes it trivial for people to interact with DWF and help the community help itself.

https://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar

Patch Bash NOW: 'Shellshock' bug blasts OS X, Linux systems wide open

ascasc

Re: Can you hear that sound?

I'm guessing it'll be the same vendors that never upgraded for the heartbleed vulnerability.

50,000 sites backdoored through shoddy WordPress plugin

ascasc

Old news - WordPress plugins are a disaster

WordPress plugins are a huge pile of fail/mess.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress+plugin

423 results.

Thanks for nothing, OpenSSL, grumbles stonewalled De Raadt

ascasc

As usual the press is wrong and there's a lot more to this story

Except I invited Theo to join distros@ publicly:

http://seclists.org/oss-sec/2014/q2/232

and he turned it down:

http://seclists.org/oss-sec/2014/q2/233

I then privately emailed beck@ and invited him to join on June 1st, and he also turned it down.

So not for lack of trying.

And then Theo sent a large number of abusive emails privately and publicly:

http://marc.info/?l=openbsd-tech&m=140202939732165&w=2

And he has now decided he wants to join the list.

So ... the only story here is that he chose not to participate, and then when he wasn't told he threw a tantrum. Classic Theo. And like most press you took the easy story and did no research. Shame on you.

I'm so very tired of this.

Running OpenSSL? Patch now to fix CRITICAL bug

ascasc

RHEL updates are available:

https://rhn.redhat.com/errata/RHSA-2014-0376.html

CentOS updates are available:

http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

Fedora updates are available, hitting the mirrors, but you can get it earlier, instructions here:

https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html

https://lists.fedoraproject.org/pipermail/announce/2014-April/003206.html

NSA to world+dog: We're only watching 1.6% of internet, honest

ascasc

But most Internet traffic by volume can be eliminated easily...

E.g. in Canada 1/3 of all evening Internet traffic is Netflix, which the NSA wouldn't care about. Ditto for most video streaming (oh, user pulled a Justin Bieber video, who cares). So that 1.6% of all traffic is probably a significant chunk of the actual Internet traffic that is interesting (email, VoIP, instant messaging, etc.).

Schmidt: Erase your identity to escape Google shame

ascasc

Name change won't help due to facial recognition

Changing your name/etc. won't matter. Facial recognition is here, to quote Apple: "iPhoto introduces Faces: a new feature that automatically detects and even recognizes faces in your photos. iPhoto uses face detection to identify faces of people in your photos and face recognition to match faces that look like the same person."

So once Facebook/etc. start providing facial recognition (or third party vendors like credit bureaus/etc.) a company will simply submit a photo and your name and get back a nice report a few minutes later with your posts, online photos, etc. of all the embarrassing things you have done.

Your shame/embarrassment will truly be forever, since the data is already out there, and new ways to manipulate and interact with it can't be stopped.

Opera betas 10.5 for Linux and FreeBSD

ascasc

I'd drop Solaris too

Looks like OpenSolaris is withering on the vine and Solaris proper is no longer free to download and use (90-day eval/trial only). Unless you're making money selling it, I can't imagine why anyone would go out of their way to support Solaris (case in point: beanstalkd, it's supported but not well, and nobody seems to complain, so I guess that's your answer).