hanno

Let's cut the bullshit and spell out a few things. The IT security industry is about as trustworthy as the food supplement and vitamin industry, but somehow they escaped the same reputation. Their products are overwhelmingly based on flawed ideas, and the quality of their software is exceptionally bad. And while not everyone will agree with the harshness of my words, I'll say this: Essentially everyone in IT security who knows anything in principle knows this.

Daniel Marks

@hanno It's sort of the health care industry approach. You can't sell more medications if you cure diseases, right? So why would anyone work on a pill that you take once and that cures something?

Simon Cozens

@hanno Also, the people. At some point in the early 2000s we collectively decided that foxes were *exactly* the people we wanted to guard the henhouse.

hanno

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few tens of thousands of keys. The vulnerability affected Debian and Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? 16years.secvuln.info/

Leif Davisson

@hanno Possible you could check the DNS records for entries that haven't been modified since 2008.

Would you rather have an email from someone that has no DKIM or a DKIM from 2007?

StrawberryPuding

@hanno@mastodon.social I'm using one of the email providers mentioned - oh no :neocat_googly_shocked:

hanno

Given that I see calls for better support for those random open-source devs who happen to maintain some of the most important pieces of software on the planet: a good friend of mine is maintaining expat - possibly the most important and popular XML library out there - and he has a message in his latest changelog that you may want to read: github.com/libexpat/libexpat/b
