SoylentNews is people

posted by cmn32480 on Sunday August 30 2015, @05:13PM
from the security-is-overrated dept.

I thought this humorous essay [PDF] on modern computer security would be an interesting read for SN; here's an excerpt.

Security research is the continual process of discovering that your spaceship is a deathtrap. However, as John F. Kennedy once said, "SCREW IT WE'RE GOING TO THE MOON." I cannot live my life in fear because someone named PhreakusMaximus at DefConHat 2014 showed that you can induce peanut allergies at a distance using an SMS message and a lock of your victim's hair. If that's how it is, I accept it and move on. Thinking about security is like thinking about where to ride your motorcycle: the safe places are no fun, and the fun places are not safe. I shall ride wherever my spirit takes me, and I shall find my Gigantic Martian Insect Party, and I will, uh, probably be rent asunder by huge cryptozoological mandibles, but I will die like Thomas Jefferson: free, defiant, and without a security label.

[Also Covered By]: Schneier on Security

  • (Score: 4, Insightful) by Gravis (4596) on Sunday August 30 2015, @07:23PM (#229940)

    I feel it might just be bad timing, but I think it's worth noting that James Mickens is an employee of Microsoft and Microsoft just dropped one hell of a security threat on the world. So he may be just putting out a paper as expected, or maybe his employer asked him to turn up the hyperbole to make light of a serious problem. Either way, we are left with a serious security breach that is only getting wider.

  • (Score: 0) by Anonymous Coward on Sunday August 30 2015, @07:42PM (#229943)

    ... or it goes to show that even the great Satan has some fun employees.

    • (Score: 5, Interesting) by fritsd (4586) on Sunday August 30 2015, @08:36PM (#229952) Journal

      Yeah, the article was fun to read, but I can't tell if it makes a lot of sense. Is he trying to tell us: "ignore SELinux, give up on security, and just keep paying for Microsoft products"?

      The thing with computer programs is that *one programmer or small team* can write software that can then be verified by *even more programmers* and used by *a lot more people*, so his premise "security is difficult, YOU can't do it, so give up" is wrong: he may be correct about the "security is difficult, you can't do it" part, but then there's always the option of choosing to trust people that you believe to be reliable experts, or that you believe your distro-makers believe to be reliable experts.

      I use OpenSSL (post-Heartbleed patched) because I have some (possibly misjudged) faith in its code; I don't decide to just use telnet or HTTP because "some people say HTTPS is not secure either, so let's just give in".

      I once studied a bit of bitcoin code, out of curiosity; and there was a *VERY SUSPICIOUS* function to discard keys based on certain patterns. So, I wrote a little test program, generated a million keys, and what do you know... about 10 (don't recall the exact number) of those 1000000 test keys were rejected by this function. So I trust it (I wouldn't have if it had rejected a substantial number of keys, because that sounds like it tried to make brute-forcing a lot easier for the authors of that bitcoin code). But reject 10 in a million keys for a reason I don't understand? Go ahead. Later I made a guess that those rejected keys might have had really small RSA mantissas or something (if that big number is called the mantissa). My point is, you'd have to be a really clever security-oriented programmer to think of this, if you were asked to implement RSA. You'd have to understand the underlying integer maths.

      About the previous paragraph: try doing that if the code had been Microsoft proprietary closed-source code. So there!
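The check fritsd describes above, generating many keys and counting how many a filter throws away, as an added worked example that is not the commenter's program and not any Bitcoin code. It uses the real secp256k1 group order for the range check, an assumed "small key" rule (keys whose top 16 bits are all zero) standing in for whatever pattern the original function tested, and then compares the measured rejection rate against the rate the rule itself predicts. That comparison is the number an auditor needs: a filter rejecting far more keys than its stated rule explains is shrinking the effective key space, which is exactly the suspicion raised in the comment.

```python
import random
from typing import Dict, Optional

# Order of the secp256k1 group (the real constant). A private key is valid only
# if 1 <= k < N; anything else is "out of range".
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
KEY_BITS = 256

# Assumed policy for this example, not Bitcoin's code: additionally reject
# "small" keys whose top SMALL_KEY_BITS bits are all zero, i.e.
# k < 2**(256 - SMALL_KEY_BITS). Such keys sit in a tiny sub-range that a
# brute-force search starting from the bottom would cover first.
SMALL_KEY_BITS = 16


def reject_key(k: int, small_key_bits: int = SMALL_KEY_BITS) -> Optional[str]:
    """Return the rejection reason for key k, or None if the key is accepted."""
    if k < 1 or k >= SECP256K1_N:
        return "out of range"
    if k < (1 << (KEY_BITS - small_key_bits)):
        return "small key"
    return None


def expected_rejection_rate(small_key_bits: int = SMALL_KEY_BITS) -> float:
    """Rejection probability for a uniformly random 256-bit integer, derived
    from the rule itself rather than measured.

    P(out of range) = (2**256 - N + 1) / 2**256, about 2**-128, i.e. negligible.
    P(small key)    = 2**-small_key_bits.
    """
    p_out_of_range = (2 ** KEY_BITS - SECP256K1_N + 1) / 2 ** KEY_BITS
    return p_out_of_range + 2.0 ** -small_key_bits


def measure_rejection_rate(trials: int, seed: int = 1,
                           small_key_bits: int = SMALL_KEY_BITS) -> Dict[str, object]:
    """Run the filter over `trials` random candidate keys and tally rejections.

    A seeded PRNG keeps the audit reproducible; real key generation would use
    the `secrets` module instead.
    """
    rng = random.Random(seed)
    by_reason: Dict[str, int] = {}
    for _ in range(trials):
        k = rng.getrandbits(KEY_BITS)
        reason = reject_key(k, small_key_bits)
        if reason is not None:
            by_reason[reason] = by_reason.get(reason, 0) + 1
    rejected = sum(by_reason.values())
    return {
        "trials": trials,
        "rejected": rejected,
        "rate": rejected / trials,
        "expected_rate": expected_rejection_rate(small_key_bits),
        "by_reason": by_reason,
    }


def audit_verdict(result: Dict[str, object], tolerance: float = 5.0) -> str:
    """Compare the measured rejection count with the count the rule predicts.

    Sampling noise alone must never trip the check, so a generous margin over
    the predicted count is allowed; only a filter that discards far more keys
    than its rule explains is flagged as suspicious.
    """
    trials = int(result["trials"])
    rejected = int(result["rejected"])
    expected_count = float(result["expected_rate"]) * trials
    if rejected > tolerance * expected_count + 10:
        return "suspicious"
    return "consistent"


if __name__ == "__main__":
    # One million trials, as in the comment; with the assumed 16-bit rule the
    # rule predicts roughly 15 rejections.
    result = measure_rejection_rate(1_000_000)
    print(f"rejected {result['rejected']} of {result['trials']} keys "
          f"(rate {result['rate']:.2e}, rule predicts {result['expected_rate']:.2e}) "
          f"by reason {result['by_reason']} -> {audit_verdict(result)}")
```

The verdict deliberately compares against a rate derived from the filter's own rule rather than against an arbitrary "small number": a filter that rejects one key in a million for a documented reason and a filter that rejects one in a million for an undocumented one look identical empirically, so the empirical count only settles the question once the rule is known and its predicted rate written down next to the measurement.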

      • (Score: 3, Insightful) by frojack (1554) on Sunday August 30 2015, @09:04PM (#229960) Journal

        > My point is, you'd have to be a really clever security-oriented programmer to think of this, if you were asked to implement RSA. You'd have to understand the underlying integer maths.

        But also a really bad programmer to not include even a single comment as to why that code existed.

        Non-trivial, obscure, and unexplained code is always suspect.

        I've sent even senior programmers back to their desk with red marked listings for that kind of stuff.

        --
        No, you are mistaken. I've always had this sig.