Recent Comments

So they're at "T" with Trusty Tahr. That leaves six more versions before they either have to think of a new naming scheme or restart at "A." Any insight into what they're thinking they'll do?

That's kind of the issue: the author points out you can use the xtest application to essentially record keystrokes as they happen, even from someone typing into a root terminal. Her preference is for apps to be unable to communicate with each other, as I understand it, and she claims Windows Vista and up do a better job of addressing this weakness.

X is from a time when flexibility was considered more important than security. So I'm not surprised it is weak in this respect.

If you create a second login session at the display manager, I think that would be shielded from the first: they would be talking to the same X server, but to different displays. If I understand X correctly, snooping is possible between applications connected to the same display (X display, not a physical monitor).

I add, not because I think it's a great solution for you but because I can't resist: Bodhi Linux is Ubuntu-based but with E17 (Enlightenment) as a desktop, and it's really lovely. It's just different enough that your teachers wouldn't be comfortable with it, but try it on your own equipment and see what a great distro it really is.

I hear almost nothing about Edubuntu these days and wonder how active its community is. Mint on the other hand, is all over the news. I thought one of the advantages of Edubuntu was the fact that you could turn machines into thin clients. Doesn't seem like that's advantageous to you so maybe Mint is a good choice?

These days I would think the "ditch XP" movement on hardware that's basically still good should lead to a lot of Linux installs. One can only hope!

Now I'm really confused - will BIND9 and BUNDY then be "competing" products in the open source sense? Will they address different issues or usage scenarios? Also, even if the name has the magic combination of letters, 'Bundy' is an awful name that only evokes Al Bundy of Married with Children fame. How about BooNDoggle? BorNDangerous? BerkeleyNextgenDaemon? Just a starting point.

I think ISC is actually only ending development of BIND 10, and it is this tree that is being renamed to Bundy and transferred to GitHub. As ISC notes in the article, BIND 9 is a separate project for which there is no mention of development ending, so I assume this to mean they will continue to develop BIND 9.

If you are looking for familiarity, I'd suggest avoiding Unity or Gnome Shell (including Edubuntu) based versions. XFCE, KDE, and LXDE are far more friendly toward new converts. XFCE and LXDE have significantly "lighter" computer requirements. Since your computers have XP they are likely over 10 years old and may have limited resources. Also, all flavors of Ubuntu share the same base package libraries. You will still be able to easily download the same educational programs from the package manager.

I have to replace about 40 Windows XP desktops in a charter school with almost no technology budget. I updated two of the desktops to different versions of Linux Mint to see if they were similar enough to Windows that the teachers and students could use them.

Would Edubuntu be a better option, or is there another flavor of Ubuntu that would be an easy transition from Windows?

This is an almost luddite approach to technology. Yes, most (if not all) of it can be used for nefarious purposes. But you can't limit technology because it *may* be used for evil. Let's consider something simple, like a cell phone charger. You can swing it around and hurt people. You can use it to strangle people. You can use it to tie up people. You can make a trip wire with it. With enough dedication, you could wrap it around a pipe and make a coil gun out of it. The list of evil things that can be done with a cell phone charger is very long. Does that mean we should outlaw cell phone chargers? The answer is obviously no. The same goes for all other technology.

Thanks for letting me know. This link is now fixed. I will try to fix the others in the next week.
How far have you got with the distributed network? Is it just an idea at the moment or have you written some code?

Good point. The sites for which I did create new passwords had issued new certs within the last week or so, but I hadn't really given adequate consideration to the possible ramifications of what might occur were I to create a new password on a site that did not yet have all its ducks in a row.

"... expected standards for secure code. This includes issues such as lack of comments ..."

I've worked in some security-related areas, and I hate 99% of comments. Make the code intrinsically readable and obvious. If you have to explain your code, then it's not written clearly enough. And heaven forfend that the comment says something nice and reassuring, yet the code itself actually has a flaw - that comment would be worse than useless, it's downright dangerous.

I can imagine this revolutionizing manufacturing, but I think history shows most revolutions were unforeseen. So this team will invent a cool, swarming micro-robot technology, and then some other team will find some extraordinary use for it, like heart surgery or something. Then the mafia and drug lords will find some new use for it that will be unethical and vaguely horrifying. This has potential way beyond just circuit boards. Stick a microphone on one of these things and send it into your competitor's HVAC system? That's just the start!

Always thought I'd be looking up when the robot wars begin. Might actually be looking down, as they pool around my feet.

And I use Bodhi, which is an Ubuntu derivative, so also a Debian beneficiary. Debian is hugely important. I wish they'd do a bit of marketing and outreach though. I'm pretty handy with Linux and even I am apprehensive about installing Debian because I think/believe/suspect it's hard to install. That's almost certainly not the case, but that rumor has stuck in my mind.

But, what an awesome distro. And apt-get is one of the best things ever invented. I also use openSUSE and I much prefer apt-get as a package manager. Ian, you kick ass!

I think it goes a step further: it shows a need for extremely stringent code analysis to be done by *qualified* people. We need more Theo de Raadts looking at code that affects internet security. These people exist, but most of them are either looking at software that powers your car or airplane, or they are in the military, reviewing code that's used in weapons. These are places that don't have much leeway when it comes to errors. I don't understand why encryption protocols should be any different.

And frankly I don't mind if stories are run by All Three Sites -- each has its own personality and one gets a different perspective from the comments on each. Because I saw it one place doesn't prevent me from looking again at another site.

Most sites have no new certificates issued (and even if, it would be of little use), so I consider password changes or any login at the moment rather dangerous. It is highly possible that if you change your passwords now, the NSA will get a full set as well.

But must be thankful for the great debian project that provides its foundation.

Could gravity resist or regulate the growth rate? So that in the lower gravity environment the growth is less resisted and therefore faster. I did not rtfa.

Probably ought not to mean free or volunteer only. I definitely feel that government agencies globally should be pushing for adoption of open source software with free licenses, but where public money is paid to drive forward the development and auditing and such.

My coworker has stated a few times that he once encountered a corruption with an encrypted volume he created using TrueCrypt. I've never experienced this myself. From an outsider perspective, I thought the application was fairly stable myself. It has worked quite well. I welcome this analysis. Could they do the same for Keepass? http://www.keepass.info

Debian? *ducks*

I'd rather take the approach of ownCloud . Offer a usable example with reasonable limits on pipedot.org - then point advanced users to the GPL package. That way, if you want to upload gigs of family pictures to your pipecode blog, you will be using your own server and won't take away resources from the main site. News articles, friends lists, and karma tracking are still all linked in the network, but the burden of allocating hard drive space and bandwidth are distributed.

Ditto. I went through the list on Mashable ( http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ ) and changed what needed changing. I've not yet checked other sites for which I have logins that were not in Mashable's list, though I could/should be doing so at either LastPass ( https://lastpass.com/heartbleed/ ) or 1Password ( https://heartbleed.agilebits.com/ ). This is mainly because I'm super lazy, but also because, like you, I've got a unique password for each site. I feel less urgently inclined to change those passwords on sites that are largely unimportant to me. That's possibly the equivalent of "Put my fingers in my ears and chanted La-La-La-La" and, if so, I'll just have my own laziness to blame.

Btw, if anyone's got a good list of sites whose passwords need changing, a la Mashable's but more complete/updated, I'd be much obliged if you posted the link.

Perhaps Truecrypt can be considered mature software, but I highly doubt (with all that it does), that there aren't bugs requiring fixes. The last release was early 2012, and about one per year before that. With all that it does, I'd expect a far more frequent update releases. Truecrypt has always worked well for me, but I wonder how much the project is stagnating.

It's long overdue for an independant audit, IMHO, but the OpenSSL code is now getting a review and code clean up by the OpenBSD team and they certainly know their stuff. Whether the results and reporting on their findings will be as in-depth as the TrueCrypt audit remains to be seen, but it's still infinitely better than nothing. Really this ought to be the kind of the thing that the various FL/OSS projects should be pushing for from their commercial users as well as contributions to the code base itself. No in-house devs to help with contributions to the code, fine, then how about contributing some funds for an independant code audit instead? Help us make your systems more secure!

Thanks Bryan! Please don't take my comment as any kind of derision or pro-soylent/anti-pipe kind of trolling comment. I have particular interest in seeing slash rewritten using newer tech, a rewrite that stays true to the original discussion forum, which is why I am interested in pipedot (along with the fact that I have lower uid here :p). But I will ask one question: as I understand you are funding the website from your own. But as the website grows pipedot is bound to run into monetization. This way or the other we will have to have large (enough) audience for that to be possible. What are your thoughts about that?

Well, I am still visiting pipedot regularly so, I don't know about what sour grapes. I am a C++ guy so it is not like I will be contributing a lot of the project. But again, there will be a need to fund the website and for that a critical mass needs to be achieved. That is what I was worrying about.

That is a good point.

Pastebin I found with some more info:

http://pastebin.com/XaTZJdW9

burst into blossom on April 1, possibly a full six years ahead of Mother Nature's normal schedule.

Pffffft....Those crazy cherry trees and their jokes :D

Not sure where I saw it yesterday, but someone else made a similar statement in that the changes they are making over at openBSD might never end up merged back into openSSL proper. If they do merge the changes into openSSL proper, excellent. If they don't merge the changes from openBSD, then I don't really mind a fork in the name of security. If that were the case, hopefully other *nix OSs would switch.

Hehehehe, I managed to put that much time into it due to a back injury that has had me grounded for a little over a year now. I don't watch very much television.

I built a space station, mainly to practice orbital rendezvous, in preparation for launching an orbital built 'grand tour' ship.

The main propulsion and living quarters (acting as a makeshift station) are in orbit, but I need more testing on my atmospheric lander,(designed to be used on airless worlds afterward as it drops it heat shielding) and need to build a satellite (the ship carries four, so I'll just duplicate it).

Using LLL, NP, FAR, DR, TAC, KAS, Spherical tanks, and visual enhancements...
Hope you get notified of this reply as well, I just came back to lift the XKCD link above to the ADD panel.

Contributing would had been much easier.

In fact the article is much more specific "..suddenly produced nine flowers, each with the normal five petals, compared with about 30 flowers on the parent tree."

So, does the cherry blossom normally have 30 petals, or does the cherry tree normally have 30 blooms instead of 9?

Pedantic minds want to know.

The links in the article are to OpenBSD's version of OpenSSL, OpenSSL proper is NOT an OpenBSD project (can be found here: http://www.openssl.org/source/repos.html). The naming is unfortunate. Just to straighten this out, OpenSSH is by OpenBSD.

Now if I was going to pick one group that I would trust to do a proper OpenSSL it would be the OpenBSD group, hoping they do a full on fork and provide a cross-platform version like OpenSSH.

>1 eSATA/USB 2.0 (somehow sharing the same port)

"Somehow"? It's not magic. It's a port that fits both plugs.

http://en.wikipedia.org/wiki/ESATAp

When you resize the width of the browser to a very narrow window, the story icons float over the story title, and eventually over the links on the left, blocking them. I realize this is not something commonly done, so feel free to not consider it a bug. Tested on Windows 7 and 8.1 with the latest version of Firefox and Internet Explorer.

Yes. I read your 3 part series. However, some of the links are broken. For example, is there a way to get a cached version of http://squte.com/whats-wrong-with-blogs ?

On the other hand: the site looks good and continues to look better, works well, and I haven't seen any posts here airing dirty laundry, nor is there a constant stream of "what should we do?" posts.

Basically, this site comes across as solid. Once the Bryan in charge feels code base and site are ready for it, he'll tell us.

(As an aside: feel free to comment more and feel free to submit more news stories)

Thirded! Thanks Bryan, great work.

But how do space cherries taste? I could see a lucrative specialty ice cream opportunity here: Our cherry tastes out of this world!

About time there is a distributed news network

Are you suggesting that many instances of the pipedot code will be able to share comments and stories?
It's good news if you are.
I have proposed a network based on email to distribute comments and stories around websites. And as you may know, Usenet is mostly accessed through the web now, so is already a kind of distributed web news network. But if someone is prepared to do the work for a more modern system that would be even better.

Whilst it doesn't apply to heartbleed, large number of problems can be detected with static analysis.

OK, Coverity doesn't (yet) spot heartbleed, but it soon will:
: http://security.coverity.com/blog/2014/Apr/on-detecting-heartbleed-with-static-analysis.html

OpenSSL have a history of deliberately ignoring the results of such scans:
: http://openssl.6102.n7.nabble.com/Coverity-coverage-of-OpenSSL-td42651.html

I agree that the false positives are annoying, but you can mark them as false positives, and you won't be warned about them again.

I smell sour grapes. Maybe I'm biased because I've volunteered to help edit, but I think in the long run Pipedot is going to be more sustainable. Soylent might currently be bigger but I'm not impressed with the quality of the comments, and the never ending trying to sort out who is the boss and what the site's mantra will be is tiring, to say the least. I think your comment about "most people" is somewhat premature, as it's not a zero-sum game.

There's room for more than one news site out there - they will differentiate themselves, behave differently, and attract different or overlapping crowds. That's a good thing!

I think lots of open source projects could stand to be fuzz-tested just to see if they have any soft spots. Just because people can get access to the source code doesn't mean they do. Some bits of software are higher vulnerability than others. It's the equivalent of peer review in the scientific world.

I've seen my 3 year old crash my Linux distro by banging on the keyboard - I have no idea how he does it. Maybe hire mylittle dude to fuzz-test your software by inputting crazy strings into your text fields to see what it takes to crash it.

[resisting the urge to compare average users to a 3 year old.]

Selective password changes here too, made much easier by having unique passwords per site already, and increased the password length on a few of them too. Those that use OpenSSL and have data I care about got reset, the rest I just let be for now but will change them if anything unusual happens.

Given the breaches we've seen lately, and after going through a few sites on https://lastpass.com/heartbleed/ I'd be wary of believing what they tell you. How can you verify the person you communicated with was indeed educated enough, and had accurate knowledge of the infrastructure to make that statement?