NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your piece.

DATE 2014-06-01

HANGOUT

MESSAGE
DATE 2014-06-16
FROM "Michael L. Richardson"
SUBJECT Re: [NYLXS - HANGOUT] Stupidity of the highest order ...
From owner-hangout-outgoing-at-mrbrklyn.com Mon Jun 16 10:20:44 2014
Return-Path:
X-Original-To: archive-at-mrbrklyn.com
Delivered-To: archive-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix)
id 50D0E161139; Mon, 16 Jun 2014 10:20:44 -0400 (EDT)
Delivered-To: hangout-outgoing-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix, from userid 28)
id 3E99316113E; Mon, 16 Jun 2014 10:20:44 -0400 (EDT)
Delivered-To: hangout-at-mrbrklyn.com
Received: from gateway14.websitewelcome.com (gateway14.websitewelcome.com [69.93.179.25])
by mrbrklyn.com (Postfix) with ESMTP id 6E793161139
for ; Mon, 16 Jun 2014 10:20:42 -0400 (EDT)
Received: by gateway14.websitewelcome.com (Postfix, from userid 5007)
id 259C75D481666; Mon, 16 Jun 2014 09:20:41 -0500 (CDT)
Received: from gator3169.hostgator.com (gator3169.hostgator.com [198.57.247.133])
by gateway14.websitewelcome.com (Postfix) with ESMTP id 6B4195D45EDC3
for ; Mon, 16 Jun 2014 09:17:41 -0500 (CDT)
Received: from [50.14.250.110] (port=45080 helo=[192.168.0.173])
by gator3169.hostgator.com with esmtpa (Exim 4.82)
(envelope-from )
id 1WwXiZ-0005mE-2R
for hangout-at-mrbrklyn.com; Mon, 16 Jun 2014 09:17:03 -0500
Message-ID: <539EFC5D.5050108-at-mycouponmagic.com>
Date: Mon, 16 Jun 2014 10:17:01 -0400
From: "Michael L. Richardson"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20130119 Firefox/10.0.11esrpre Iceape/2.7.12
MIME-Version: 1.0
To: hangout-at-mrbrklyn.com
Subject: Re: [NYLXS - HANGOUT] Stupidity of the highest order ...
References:
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3169.hostgator.com
X-AntiAbuse: Original Domain - mrbrklyn.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - mycouponmagic.com
X-BWhitelist: no
X-Source-IP: 50.14.250.110
X-Exim-ID: 1WwXiZ-0005mE-2R
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([192.168.0.173]) [50.14.250.110]:45080
X-Source-Auth: mlr52-at-michaellrichardson.com
X-Email-Count: 1
X-Source-Cap: bWxyNTI7bWxyNTI7Z2F0b3IzMTY5Lmhvc3RnYXRvci5jb20=
Sender: owner-hangout-at-mrbrklyn.com
Precedence: bulk
Reply-To: hangout-at-mrbrklyn.com

Last I heard you can get taken to court for pointing out security flaws
in non-open source products (if none are reported, they must not be there).

einker wrote:
> Articles like this truly PISS ME OFF! Now, only Open Source Projects
> by their sheer adherence to open source philosophy are hampered by
> security flaws? BULLSHIT.
> I guess all Microsoft and Apple products never had any security issues
> (You wish!) and were pristine because commercial vendors tested them to
> a greater degree than open source projects.
> Give me a break! Commercial products are riddled with security and
> basic programming issues. Best of all, you will never know since you
> can't see the source/test until it's way too late and you've been
> screwed.
> One of my favorites, OpenBSD (Calm down Ruben! Nothing personal and
> Theo does love you...) has had only two remote holes in its base OS
> install in the last 10 or more years.
>
> It's amazing that Paul Rubens calls out open source / free software
> yet has the audacity to reference free and open source security
> programs on his website (rubens.org linking to
> http://www.clippings.me/paulrubens).
> Isn't it amazing how you use the products but then bash their security
> status and have the nerve to say that security reviews were never done.
> For what it's worth, if you have doubts/concerns about open source /
> free software, do the rest of the planet a real service, don't use it.
> More importantly, dig your head from out of your ass and check out the
> plethora of open source / free source projects that have been
> responsible for running and maintaining the internet for years. I
> would strongly suggest looking at netcraft surveys and then asking why
> everyone is using free OSes / servers to host on as opposed
> to commercial offerings. Could it be SECURITY, VIABILITY or even,
> should I say it..... Best software going for the job!
>
> For the Rubens of the World, please all turn off your computers,
> whatever you are using, and please go live in a cave with the other
> Neanderthals!
>
>
> Why open source software isn't as secure as you think
>
> A failure to spot a necessary validation in OpenSSL code before an
> update caused the Heartbleed bug
>
> Paul Rubens (CIO (US)), 13 June, 2014 08:56
>
> The OpenSSL Heartbleed fiasco proves beyond any doubt what many people
> have suspected for a long time: Just because open source code is
> available for inspection doesn't mean it's actually being inspected and
> is secure.
>
> It's an important point, as the security of open source software
> relies on large numbers of sufficiently knowledgeable programmers
> scrutinising the code to root out and fix bugs promptly. This is
> summed up in Linus's Law: "Given enough eyeballs, all bugs are shallow."
>
> But look at what happened with OpenSSL. Robin Seggelemann, a German
> programmer from Munster University, updated the OpenSSL code by adding
> a new Heartbeat keep-alive function. Unfortunately, he missed a
> necessary validation in his code to check that one particular variable
> had a realistic value.
>
> The member of the OpenSSL development team who checked the code before
> the update was released also missed it. This caused the Heartbleed bug.
>
> One reviewer, even a handful of reviewers, can easily miss a trivial
> error such as this if they don't know there's a bug to be found.
> What's worrying is that, for two years, the Heartbleed bug existed in
> OpenSSL, in browsers and in Web servers, yet no one in the open source
> community spotted it. Not enough eyeballs scrutinised the code.
>
> *Commercial vendors don't review open source code*
>
> Also alarming is that OpenSSL was used as a component in hardware
> products offered by commercial vendors such as F5 Networks, Citrix
> Systems, Riverbed Technology and Barracuda Networks - all of whom
> failed to scrutinise the code adequately before using it, according to
> Mamoon Yunus, CEO of Forum Systems, a secure cloud gateway vendor.
>
> "You would think that it would be my responsibility as a vendor, if I
> commercialise OpenSSL, to put my eyeballs on it," he says. "You have
> to take a level of ownership of the code if you build a company based
> on an open source component."
>
> Instead, Yunus believes vendors just regarded OpenSSL as a useful
> bolt-on to their hardware products - and, since it was open source,
> assumed other people were examining the code.
>
> "Everyone assumed other eyeballs were looking at it. They took the
> attitude that it was a million other people's responsibility to look
> at it, so it wasn't their responsibility," he says. "That's where the
> negligence comes in from an open source angle."
>
> Yunus suggests that commercial vendors should run effective peer
> review programs for any open source code that they use, run static and
> dynamic analysis tools over it and "fuzz" the code to ensure it's as
> bug-free as possible. "What have these companies been doing for the
> last 10 or 15 years? If I were them, I would be taking a long, hard
> look at QA processes."
>
> In fact, Yunus questions whether OpenSSL should ever have been written
> in a relatively low-level language such as C, echoing security expert
> Bruce Schneier by suggesting it could be seen as "criminal negligence"
> to use a language that lacks memory management for such a security
> sensitive application.
>
> Jeffrey Hammond, a security analyst at Forrester Research, contradicts
> this view. He points out that performance is a key attribute of
> OpenSSL as it has to deal with huge volumes of packets.
>
> "If you have access to memory you are going to be open to some types
> of attacks, but you get the performance," Hammond points out. "I
> wouldn't say they should never have developed OpenSSL in C, but it's
> true that with performance comes responsibility."
>
> *OpenSSL, Truecrypt show limits of open source code review*
>
> One problem facing many open source projects - and the reason it's
> hard to blame Seggelemann or the rest of the OpenSSL team - is that
> carrying out a rigorous code security review is immensely time
> consuming and requires a high level of skill. That means it's very
> expensive.
>
> This is illustrated by another open source project: The TrueCrypt
> encryption program. The code has been open to anyone who cares to look
> at it since the project started 10 years ago - but it's only very
> recently, following fundraising campaigns on Indiegogo and Fundfill
> that yielded US$60,000, that the code has undergone a proper security
> audit.
>
> An initial report into just the bootloader and Windows kernel driver of
> the program identified 11 vulnerabilities, said that the quality of the
> source code was bad and pointed out that compiling TrueCrypt from source
> required using outdated (in one case, 21-year-old) and unsigned build
> tools that could be modified maliciously and that are hard to access
> from trustworthy sources.
>
> The code auditors said, "Overall, the source code for both the
> bootloader and the Windows kernel driver did not meet expected
> standards for secure code."
>
> What's worrying is that this only came to light after funds were
> raised to hire the resources to carry out a code review. The open
> source community had plenty of opportunities to do this over the last
> 10 years - but the truth is that the community doesn't have the time,
> skills or resources (including money) to do the job properly.
>
> A new problem will affect the security of OpenSSL going forward, too:
> The code is being forked, thanks to an initiative called LibreSSL led
> by the OpenBSD team. LibreSSL is intended to be a stripped-down version
> of OpenSSL; in the first week of the LibreSSL project, more than 90,000
> lines of code were removed, including those supporting operating
> systems such as VMS and OS/2.
>
> The problem, simply stated: Since it's easy to see what's being
> removed from LibreSSL, and which bits are being replaced as they're
> deemed insecure, OpenSSL users are left exposed to malicious hackers
> who may exploit the weaknesses that LibreSSL discovers and removes -
> that is, unless the OpenSSL project can keep up with LibreSSL's progress.
>
> Security by obscurity is never a good idea, but once vulnerabilities
> are made public, they need to be fixed right away. It's not clear that
> the OpenSSL team is in a position to do that - it's said that the
> project only had one full-time maintainer - or that software and
> hardware products that use OpenSSL will necessarily be updated
> promptly even if the OpenSSL software itself is.
>
> *Taking open source security seriously after Heartbleed*
>
> The good news for those concerned about the security of open source
> projects like OpenSSL is that help could be on its way in the shape of
> the Core Infrastructure Initiative (CII), a new project founded by the
> Linux Foundation in response to Heartbleed. Its purpose is to funnel
> needed money into software projects such as OpenSSL that are critical
> to the functioning of the Internet.
>
> "Our global economy is built on top of many open source projects,"
> says Jim Zemlin, the Linux Foundation's executive director. "We will
> now be able to support additional developers and maintainers to work
> full-time supporting other essential open source projects."
>
> Support from the CII may also include funding for security audits,
> computing and test infrastructure. So far, about US$4 million has been
> pledged over the next three years by companies including Google,
> Microsoft and Facebook.
>
> Paul Rubens is a technology journalist based in England. Contact him
> at paul-at-rubens.org.
>
> --
> Regards,
>
> Evan M. Inker
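The "necessary validation" the quoted article says was missing, as an added example in C that is not code from the thread, the article or OpenSSL: a heartbeat request parser (record layout from RFC 6520) that checks the claimed payload length against the bytes that actually arrived, beside a helper that only computes how far an unchecked copy would have read. The function names and the two sample records are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST 1      /* heartbeat_request message type */
#define HB_PADDING 16     /* RFC 6520 requires at least 16 bytes of padding */

/* Parse one heartbeat request: type(1) | payload_length(2) | payload | padding.
 * Copies the payload into out and returns its length, or -1 if the record is
 * malformed. The comparison of the claimed length against rec_len is the
 * bounds check the article says was missing; without it the copy runs off
 * the end of the record into whatever memory follows it. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                                  /* no room for header + padding */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* big-endian 16-bit length */
    if (1 + 2 + claimed + HB_PADDING > rec_len)        /* the missing validation */
        return -1;                                  /* peer lied about its payload */
    if (claimed > out_cap)
        return -1;
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}

/* Bytes past the end of the received record that an unchecked copy of the
 * claimed length would read; 0 means the length field is honest. Pure
 * arithmetic, so it is safe to call on a malformed record. */
size_t unchecked_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;
    size_t needed = 1 + 2 + (((size_t)rec[1] << 8) | rec[2]) + HB_PADDING;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Constructed sample records, not captured traffic. Both carry the 5-byte
 * payload "hello" plus 16 bytes of zero padding; the second one claims
 * a 65535-byte payload in its length field. */
static const uint8_t HONEST_REQ[24] = {HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o'};
static const uint8_t LYING_REQ[24]  = {HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o'};

int demo_honest(void) { uint8_t out[64]; return parse_heartbeat(HONEST_REQ, sizeof HONEST_REQ, out, sizeof out); }
int demo_lying(void)  { uint8_t out[64]; return parse_heartbeat(LYING_REQ, sizeof LYING_REQ, out, sizeof out); }

int main(void)
{
    printf("honest request: %d bytes of payload accepted\n", demo_honest());
    printf("lying request: %d (an unchecked copy would over-read %zu bytes)\n",
           demo_lying(), unchecked_overread(LYING_REQ, sizeof LYING_REQ));
    return 0;
}
```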
