Interview: Post-Heartbleed, is it time to consider an alternative to OpenSSL?

The Heartbleed Bug (and it's definitely a bug - not a virus) has ignited a debate around the security and reliability of open source software in recent months.

Discovered by researchers at Google and Codenomicon, the vulnerability was found in the open source OpenSSL cryptographic software library that provides Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protection for anything from emails and web browsing to internet banking.

The programming mistake that led to Heartbleed - which was accidentally introduced by German programmer Dr. Robin Seggelmann, a frequent contributor of OpenSSL code - allows attackers to download 64k chunks of data stored in the supposedly secure main memory of servers.

It was an honest mistake, but one with far-reaching consequences. According to Errata Security, around 320,000 of 600,000 detected vulnerable servers are still vulnerable to Heartbleed. Post-Heartbleed, every private key on servers running OpenSSL is now suspect and could potentially be used by attackers to impersonate secure websites so long as those servers remain unpatched.

Is it time to switch from OpenSSL to a commercial solution (or another alternative) when it comes to web security? We spoke to industry experts at Infosec 2014 to find out more.

James Sherlow, SE Manager WEUR at Palo Alto Networks, thinks that ditching OpenSSL in the wake of Heartbleed would be something of a knee-jerk reaction:

"OpenSSL is still highly relevant and has scalability. It has a community of highly skilled developers, which is extremely valuable and still valid. Every software at a certain point in time will have some sort of vulnerability associated with it, but it doesn't mean we switch it off; it means we learn from our lessons."

"I think that the open source community needs to start putting mechanisms in different areas that could cross-check others. That's better than finger pointing and blame which doesn't get anyone anywhere. It would mitigate the risk, reduce the chance of attack and raise the bar. To get to zero errors is difficult, but let's aim for it. That's the bar."

The question of whether we should get rid of OpenSSL isn't so black-and-white, according to JD Sherry, VP of Technology & Solutions for Trend Micro. He believes that instead of turning down the services of dedicated and talented open source contributors, rewards should be offered to others who seek out errors in their work:

"Open source is always going to be an innate part of what we do, primarily because there's lots of great engineering involved with it - a lot of people pour their passion into these projects and a lot of excellent work comes out of them."


Physicists Turn 8MP Smartphone Camera Into a Quantum Random Number Generator

Posted by Soulskill on Friday May 09, 2014 @03:10PM from the more-than-one-way-to-skin-schrodinger's-cat dept.

KentuckyFC writes: "Random numbers are the lifeblood of many cryptographic systems and demand for them will only increase in the coming years as techniques such as quantum cryptography become mainstream. But generating genuinely random numbers is a tricky business, not least because it cannot be done with a deterministic process such as a computer program. Now physicists have worked out how to use a smartphone camera to generate random numbers using quantum uncertainties. The approach is based on the fact that the emission of a photon is a quantum process that is always random. So in a given unit of time, a light emitter will produce a number of photons that varies by a random amount. Counting the number of photons gives a straightforward way of generating random numbers. The team points out that the pixels in smartphone cameras are now so sensitive that they can pick up this kind of quantum variation. And since a camera has many pixels working in parallel, a single image can generate large quantities of random digits. The team demonstrates the technique in a proof-of-principle experiment using the 8-megapixel camera on a Nokia N9 smartphone while taking images of a green LED. The result is a quantum random number generator capable of producing digits at the rate of 1 megabit per second. That's more than enough for most applications and raises the prospect of credit card transactions and encrypted voice calls from an ordinary smartphone that are secured by the laws of quantum physics."
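A toy model of the photon-counting idea in the story above, added here as an illustration and not code from the Slashdot submission or the physicists' paper. It assumes each pixel exposed to a steady LED collects a Poisson-distributed number of photons per frame (shot noise), stands a seeded pseudo-random generator in for the real camera, takes the parity of each count as a raw bit, and debiases with a von Neumann extractor; the extractor the real experiment used is not described on the page, and the low mean photon count is chosen only to make the raw bias visible.

```python
import math
import random


def poisson(rng, lam):
    # Knuth's multiplication method; adequate for the small means in this toy.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_frame(width, height, mean_photons, seed=0):
    # Constructed stand-in for one raw image: photon counts, one per pixel.
    rng = random.Random(seed)
    return [poisson(rng, mean_photons) for _ in range(width * height)]


def shot_noise_stats(frame):
    # For Poisson shot noise the variance equals the mean; a quick sanity check
    # that the counts really do fluctuate the way the story describes.
    n = len(frame)
    mean = sum(frame) / n
    var = sum((c - mean) ** 2 for c in frame) / (n - 1)
    return mean, var


def raw_bits(frame):
    # Parity of each pixel's count as a raw bit. For a Poisson count with mean
    # lam, P(even) = (1 + exp(-2*lam)) / 2, so raw parity bits are biased
    # toward 0 unless the mean is large; they are not usable as-is.
    return [c & 1 for c in frame]


def von_neumann(bits):
    # Pair consecutive bits, keep the first of each 01/10 pair, drop 00/11.
    # Removes bias from independent, identically distributed bits at ~75% cost.
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def bias(bits):
    # Distance of P(1) from 0.5; a good output stream sits near 0.
    return abs(sum(bits) / len(bits) - 0.5)


def generate(width=640, height=480, mean_photons=1.0, seed=0):
    frame = simulate_frame(width, height, mean_photons, seed)
    raw = raw_bits(frame)
    return raw, von_neumann(raw)
```

With a mean of 1 photon per pixel the raw parity bias is about 0.068, and the debiased stream is within sampling error of zero at roughly a quarter of the raw length.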


Bitcoin wins US election panel’s approval for political donations

Federal regulator finds the cryptocurrency qualifies as "money or something of value" but imposes restriction on its use.


Bitcoins may soon be helping fund an election campaign near you.

The US Federal Election Committee on Thursday unanimously approved a proposal for political action committees to accept donations in the form of Bitcoin, finding that the cryptocurrency qualified as "money or anything of value" as defined by the Federal Election Campaign Act of 1971. However, with its 6-0 vote, the commission that enforces US campaign finance laws imposed several conditions on its acceptance.

PACs must sell the bitcoins they receive and convert them into US dollars before depositing the proceeds into a campaign account. The commission did not approve the use of Bitcoin to acquire goods and services.

The decision came in response to a proposal by the Make Your Law committee to accept individual Bitcoin donations up to $100. To address the anonymous nature of Bitcoin use, the MYL promised that all Bitcoin contributors would be required to provide their name, physical address, and employer.

While the decision was issued as guidance and not as new regulations, the commission's vote suggests that other PACs will be allowed to operate under similar conditions.

In its decision, the commission acknowledged that "government agencies, courts and others are grappling," but said it "expresses no opinion regarding the application of federal securities law, tax law, or other law outside the Commission's jurisdiction to MYL's proposed activities."

Bitcoin's acceptance has grown dramatically in the past couple of months. Cryptocurrency ATMs have begun to pop up, some casinos have said they would accept digital currency payments, and even eBay has begun allowing for limited sales of Bitcoins on its US and UK sites.

The FEC's decision comes a day after the US Securities and Exchange Commission issued an advisory warning investors to be wary of Bitcoin and other virtual-currency related investments. Noting that the cryptocurrency is uninsured, unregulated, and volatile, the SEC said its chief concern was the risk of fraud.
