
kme : vulnerability   65

The Shame of Pair Programming | Diary of a ScrumMaster |
To pair requires vulnerability. It means sharing all that you know and all that you don’t know. This is hard for us. Programmers are supposed to be smart, really-crazy-smart. Most people look at what we do and say “I could never do that.” It makes us feel a bit special, gives us a sense of pride and pride creates invulnerability. I often hear stories that infer “I’ll just go and do some magic and if it takes a long time you can bet I made miracles happen”.

When done well, the shame of pairing quickly evaporates. As you start to realise that, between the stuff you know and the stuff they know, you can be twice as good, pairing becomes joyous. Together we find solutions that would be out of reach if we were alone.

Also, a shout-out to Brené Brown:
It’s hard. Pairing well takes empathy, empathy evaporates shame, allowing courage. As Brené Brown says “Vulnerability is the birthplace of Innovation, Creativity and Change”
pairing  pride  collaboration  devel  programming  pairprogramming  vulnerability 
december 2018 by kme
SecurityTeam/KnowledgeBase/SpectreAndMeltdown - Ubuntu Wiki
The one for CVE-2017-5753 is listed as "pending" as of 19 January 2018.
ubuntu  spectre  meltdown  vulnerability  kpti  patch  sysadmin  reference 
january 2018 by kme
kernel - How to check that KPTI is enabled on my Ubuntu? - Ask Ubuntu
grep -q "cpu_insecure\|cpu_meltdown\|kaiser" /proc/cpuinfo && \
echo "patched :)" || echo "unpatched :("

Not super-reliable, since there are several separate vulnerabilities (and several mitigations); try
linux  kernel  kpti  meltdown  spectre  security  vulnerability  howto 
january 2018 by kme
Falling through the KRACKs – A Few Thoughts on Cryptographic Engineering |
The IEEE has been making a few small steps to ease this problem, but they’re hyper-timid incrementalist bullshit. There’s an IEEE program called GET that allows researchers to access certain standards (including 802.11) for free, but only after they’ve been public for six months — coincidentally, about the same time it takes for vendors to bake them irrevocably into their hardware and software.

This whole process is dumb and — in this specific case — probably just cost industry tens of millions of dollars. It should stop.

In the end we all know that the answer is for humans to stop doing this work. We need machine-assisted verification of protocols, preferably tied to the actual source code that implements them. This would ensure that the protocol actually does what it says, and that implementers don’t further screw it up, thus invalidating the security proof.
formalverification  security  crypto  wifi  wpa2  vulnerability  humanerror 
november 2017 by kme
Getting "Can't connect to server" error message on Windows app - Evernote - Evernote User Forum
I had the same problem with the sync not working (unable to connect to server).

On the tech blog they noted that Evernote no longer supports SSL 3.0 and it will be disabled. I went to Internet Options on my computer and unchecked the option for SSL 3 and enabled the TLS option.

I am now able to access Evernote on my PC.

Hopefully this was the only issue.
evernote  bug  ssl3.0  poodle  vulnerability  windows  solution 
january 2015 by kme
existential type crisis : Diagnosis of the OpenSSL Heartbleed Bug
What can we learn from this?

I'm a fan of C. It was my first programming language and it was the first language I felt comfortable using professionally. But I see its limitations more clearly now than I have ever before.

Between this and the GnuTLS bug, I think that we need to do three things:

1. Pay money for security audits of critical security infrastructure like OpenSSL
2. Write lots of unit and integration tests for these libraries
3. Start writing alternatives in safer languages

Given how difficult it is to write safe C, I don't see any other options. I would donate to this effort. Would you?
openssl  blog  vulnerability  ssl  programming  security  clanguage 
april 2014 by kme
'[Full-disclosure] Administrivia: The End' - MARC

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.
fulldisclosure  disclosure  vulnerability  announcement  thisistheend 
march 2014 by kme
Twitter / Jeffrey903: I have confirmed that the SSL ...
I have confirmed that the SSL vulnerability was introduced in iOS 6.0. It is not present in 5.1.1 and is in 6.0 /cc @markgurman
ios  apple  vulnerability  ssl 
february 2014 by kme
Should You Worry About the Mac OS X Sudo Password Bypass Vulnerability | Low End Mac
Wow, that’s a lot of hoops to jump through just to be vulnerable to the attack. Seriously, when is the last time you used sudo on your Lion or Mountain Lion Mac?

Shyeah, like every day.
mac  osx  sudo  vulnerability  bug  solution 
october 2013 by kme
What The Rails Security Issue Means For Your Startup | Kalzumeus Software
"Have a plan for responding to security incidents. I call mine the Big Red Button. Thomas, a security consultant friend of mine, accurately observed that these probably caused the first Big Red Button events that many folks in the Rails community have ever had to deal with. We should learn from our experiences here.

For example: I pushed the Big Red Button at 3 AM in the morning, twice this month, to apply critical security patches and work-arounds."
rails  vulnerability  ruby  security  apocalypse  sysadmin  webmaster  securityresponse  cya 
february 2013 by kme
