No, this isn’t good code

I saw this tweet go by. No, I don't think it's good code:




What this code is trying to solve is the "integer overflow" vulnerability. I don't think it solves the problem well.

The first problem is that the result is undefined. Some programmers will call safemulti_size_t() without checking the result. When they do, the code will behave differently depending on the previous value of *res. Instead, the code should return a defined value in this case, such as zero or SIZE_MAX. Knowing that this sort of thing will usually be used for memory allocations, which you want to have fail, then a good choice would be SIZE_MAX.

The worse problem is integer division. On today's Intel processors, integer multiplication takes a single clock cycle, but integer division takes between 40 and 100 clock cycles. Since you'll be usually dividing by small numbers, it's likely to be closer to 40 clock cycles rather than 100, but that's still really bad. If your solution to security problems is by imposing unacceptable tradeoffs, then you are doing security wrong. If you introduced this level of performance Continue reading

Yet Another new BGP NLRI: BGP-LS

Yes, that’s right, we have another new BGP NLRI: BGP-LS. In this post we will be looking at BGP with Link State (LS) extension which is an integral part of the Carrier SDN strategy. We will look at why we need BGP-LS, its internals and its applications. What I won’t cover is things like do we need SDN?, […]

The post Yet Another new BGP NLRI: BGP-LS appeared first on Packet Pushers.

Microsoft may offer some Windows 10 patch notes to enterprises

IT administrators may get more information than originally planned about Windows 10 patches, as Microsoft ponders how much to tell business customers about modifications to the new OS."We've heard that feedback from enterprise customers so we're actively working on how we provide them with information about what's changing and what new capabilities and new value they're getting," Jim Alkove, a vice president in the Windows group, said during a press briefing. It's a change in tone for the company, which previously said that it wouldn't provide detailed information about most Windows 10 patches. That original plan was bad news for IT managers and users who want to know what an update does before they install it. This is more of an issue now that Microsoft is supposed to release more frequent updates over the lifetime of Windows 10, as part of its "Windows as a service" plans, than it did for previous editions of Windows.To read this article in full or to leave a comment, please click here

On science literacy…

In this WIRED article, a scientifically illiterate writer explains "science literacy". It's as horrid as you'd expect. He preaches the Aristotelian version of science that Galileo proved wrong centuries ago. His thesis is that science isn't about knowing scientific facts, but being able to think scientifically. He then claims that thinking scientifically is all about building models of how the world works.

This is profoundly wrong. Science is about observation and experimental testing of theories.

For example, consider the following question. If you had two balls of the same size, one made of lead and the other made of wood, and you dropped them at the same time, which would hit the ground first (ignoring air resistance)? For thousands of years Aristotelian scientists claimed that heavier objects fell faster, purely by reasoning about the problem. It wasn't until the time of Galileo that scientists conducted the experiment and observed that these balls hit the ground at the same time. In other words, all objects fall at the same speed, regardless or size or weight (ignoring air resistance). Feathers fall as fast as lead on the moon. If you don't believe me, drop different objects from a building and observe for yourself.

The point here is Continue reading

US agency to seek consensus on divisive, volatile topic of security vulnerability disclosures

A U.S. agency hopes to gather security researchers, software vendors and other interested people to reach consensus on the sticky topic of how to disclose cybersecurity vulnerabilities.Beginning in September, the U.S. National Telecommunications and Information Administration (NTIA) will host a series of meetings intended to improve collaboration among security researchers, software vendors and IT system operators on the disclosure of, and response to, vulnerabilities.The first NTIA-hosted meeting will be Sept. 29 at the University of California, Berkeley, School of Law. Registration is open to all who want to participate, and the meeting will also be webcast, NTIA said.To read this article in full or to leave a comment, please click here

IDG Contributor Network: Anatomy of an IoT hack

With Internet of Things penetration set for a trillion devices by 2025, according to recent McKinsey numbers, our thoughts are, or should be, turning to security.One question that could be posed is: Just how could a future IoT attack play out? What route could it take?A security company reckons it has an answer.'Terror in the kitchen' One World Labs, a security outfit that specializes in penetration testing, forensics, and security code review, presented a session at San Francisco's RSA Conference in April, where it attempted to address the question.To read this article in full or to leave a comment, please click here

Grsecurity will stop issuing patches citing trademark abuse

A major corporation is misusing grsecurity’s trademarks and tarnishing its brand – and as a consequence, the leader of the project said Wednesday, grsecurity will stop making its stable patches available to the general public.In an official announcement, grsecurity project leader Brad Spengler said that it was unfair to the project’s sponsors to allow the companies in the embedded Linux industry – which he declined to name, citing legal advice – to dilute grsecurity’s trademarks.+ALSO ON NETWORK WORLD: Massachusetts boarding school sued over Wi-Fi sickness + Access points with 802.11ac are taking over enterprise WLANsTo read this article in full or to leave a comment, please click here

iPexpert’s Newest “CCIE Wall of Fame” Additions 8/28/2015

Please join us in congratulating the following iPexpert students who have passed their CCIE lab!

This Week’s CCIE Success Stories

  • Mohan Mayilraj, CCIE #49942 (Data Center)
  • Zahari Georgiev, CCIE #49996 (Wireless)
  • Mohamed Enassiri, CCIE #46237 (Collaboration)

This Week’s Testimonial

Mohan Mayilraj CCIE #49942 (Data Center)
Thank you very much for help reach my goal. Your video and training and Boot camp helped lot and your proctor lab is gem and very much useful and I used your lab most of time and workbook.This is my first attempt on CCIE. I got through it .

We Want to Hear From You!

Have you passed your CCIE lab exam and used any of iPexpert’s self-study products, or attended a CCIE Bootcamp? If so, we’d like to add you to our CCIE Wall of Fame!

Apple rewards CEO Tim Cook with $58M for bang-up job on Wall Street

Apple CEO Tim Cook earlier this week was awarded 560,000 shares, worth approximately $57.7 million, receiving the full amount of a grant due him because of Apple's performance on Wall Street over the last two years. As it did in 2014, Apple withheld just over half of the total shares -- 290,836, worth about $30 million on Monday -- for tax purposes. The half-million shares were this year's allotment under a revised schedule designed at Cook's request in 2013. Then, Apple's board modified the executive's vesting plan, which had set two large stock handouts for a massive 1 million-share grant -- after last year's stock split, equal to 7 million -- when Cook assumed the lead role at the Cupertino, Calif. company just weeks before co-founder Steve Jobs' death.To read this article in full or to leave a comment, please click here

PlexxiPulse—What are your VMworld Predictions?

If you caught our webinar on Thursday, you know that we believe the success of future networks will be a combination of hardware and software to form a dynamic, application aware, converged network fabric. We covered the evolution of the network as well as a few of our predictions for the future. If you missed it, don’t worry—there will be more to come. In the meantime, I will be at VMworld in San Francisco next week from August 30—September 3. I’m always open to chat about networking at large and how we’re disrupting the networking norm here at Plexxi. Let me know if you’ll be there! Do you have any predictions for VMworld this year?

Below please find a few of our top picks for our favorite news articles of the week. Enjoy!

No Jitter: Network Change: Evolutions and Revolutions
By Tom Noelle
Networking, and its transformation, is more than just technology. Broadband Internet came along during an unfortunate shift in the politics of networking. In the ’80s and ’90s we were moving from a global vision of communications as a regulated monopoly or even a government agency to one of a free market. The Internet exploded on the scene Continue reading

Attention whitehats, The FTC wants you to lead new privacy, security push

FTC The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues lead by all manner of whitehat security researchers and academics, industry representatives, consumer advocates.The FTC’s PrivacyCon will include brief privacy and security research presentations, along with expert panel discussions on the latest privacy and security challenges facing consumers. Whitehat researchers and academics will discuss the latest security vulnerabilities, explain how they can be exploited to harm consumers, and highlight research affecting consumer privacy and data security. During panel discussions, participants will discuss the research presentations and the latest policy initiatives to address consumer privacy and security, develop suggestions for further collaboration between researchers and policymakers, and highlight steps that companies and consumers can and should take to protect themselves and their data, the FTC stated.To read this article in full or to leave a comment, please click here

Stuff The Internet Says On Scalability For August 28th, 2015x

Hey, it's HighScalability time:


The oldest known fossil of a flowering plant. 130 million years old. What digital will last so long?
  • 32.6: Ashley Madison password cracks per hour; 1 million: cores in the Human Brain Project's silicon brain; 54,000: tennis balls used at Wimbledon; 4 kB: size of first web page; 1.2 million: million messages per second Apache Samza performance on a single node; 27%: higher conversion for sites loading one second faster; 

  • Quotable Quotes:
    • @adrianco: Apple first read about Mesos on http://highscalability.com  and for a year have run Siri on the worlds biggest cluster 
    • @Besvinick: Interesting recurring sentiment from recent grads: We lived most of our college lives on Snapchat—now we don't have any "tangible" memories.
    • Robin Hobb: For most moments of our lives, we have forgotten almost all of the world around us, except for what currently claims our interest.
    • @Carnage4Life: I'd like to thank all the Amazon employees who cried at their desks to make this possible ?? ????? 
    • Jim Handy: The single most interesting thing I learned at the 2015 Flash Memory Summit was that 3D NAND doesn’t have a natural limit, after Continue reading

Wi-Fi blocking debate far from over

Following the FCC’s warning in January that it would no longer tolerate the Marriotts of the world blocking visitors’ WiFi hotspots, I set a reminder on my calendar to revisit the topic six months later. After all, the issue of WiFi blocking sparked strong reactions from IT pros, end users and vendors of wireless LAN products early in the year, and I figured it wasn’t over yet. So I started by making an inquiry directly to Marriott Global CIO Bruce Hoffmeister, who foisted me on to a company spokesman, who “respectfully declined” to connect me with anyone for an update on how Marriott is now dealing with perceived threats to its network. He simply directed me back to Marriott’s statement from January that it would behave itself, no doubt hoping the hotel chain could further distance itself from the $600K fine that the FCC hit it with, as well as the rest of the bad publicity. I also inquired at the FCC, which in Marriott-like fashion, referred me back to the agency’s last statement on the matter from January, and in a follow up, said it can’t comment on whether any new investigations are underway. Continue reading

Researchers find many more modules of Regin spying tool

Security researchers from Symantec have identified 49 more modules of the sophisticated Regin cyberespionage platform that many believe is used by the U.S. National Security Agency and its close allies.This brings the total number of modules known so far to 75, each of them responsible for implementing specific functionality and giving attackers a lot of flexibility in how they exploit individual targets.Regin came to light in November last year, but it has been in use since at least 2008 and antivirus companies have known about it since 2013.To read this article in full or to leave a comment, please click here

1 3,341 3,342 3,343 3,344 3,345 3,841