Do Proof-of-Concept Exploits Do More Harm Than Good? Slashdot, by EditorDavid on security (cached at January 26, 2020, 11:35 pm)

secwatcher writes: When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll. In fact, almost 60 percent of 230 security pundits thought it was a "good idea" to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn't a good idea. Dr. Richard Gold, head of security engineering at Digital Shadows, told Threatpost that PoC code makes it easier for security teams to do penetration testing: "Rather than having to rely on vendor notifications or software version number comparisons, a PoC allows the direct verification of whether a particular system is exploitable," Gold told Threatpost. "This ability to independently verify an issue allows organizations to better understand their exposure and make more informed decisions about remediation." In fact, up to 85 percent of respondents said that the release of PoC code acts as an "effective motivator" to push companies to patch. Seventy-nine percent say that the disclosure of a PoC exploit has been "instrumental" in preventing an attack. And 85 percent of respondents said that a PoC code release is acceptable if a vendor won't fix a bug in a timely manner... On the flip side of the argument, many argue that the release of the Citrix PoC exploits was a bad idea. They say attacks attempting to exploit the vulnerability skyrocketed as bad actors rushed to exploit the vulnerabilities before they were patched... Matt Thaxton, senior consultant at Crypsis Group, thinks that the "ultimate function of a PoC is to lower the bar for others to begin making use of the exploit... In many cases, PoC's are put out largely for the notoriety/fame of the publisher and for the developer to 'flex' their abilities...." This issue of a PoC exploit timeline also brings up important questions around patch management for companies dealing with the fallout of publicly released code.
Some, like Thaxton, say that PoC exploit advocates fail to recognize the complexity of patching large environments: "I believe the release of PoC code functions more like an implied threat to anyone that doesn't patch: 'You'd better patch . . . or else,'" he said. "This kind of threat would likely be unacceptable outside of the infosec world. This is even more obvious when PoCs are released before or alongside a patch for the vulnerability." And Joseph Carson, chief security scientist at Thycotic, tells them: "Let's be realistic, once a zero-day is known, it is only a matter of time before nation states and cybercriminals are abusing them."

Read more of this story at Slashdot.

Cisco Warns: Patch This Critical Firewall Bug in Firepower Management Center. Slashdot, by EditorDavid on networking (cached at January 26, 2020, 10:35 pm)

"Cisco is urging customers to update its Firepower Management Center software," ZDNet reported Thursday, "after users informed it of a critical bug that attackers could exploit over the internet." Like many Cisco bugs, the flaw was found in the web-based management interface of its software. The bug has a severity rating of 9.8 out of a possible 10 and means admins should patch sooner rather than later. The vulnerability is caused by a glitch in the way Cisco's software handles Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. Remote attackers could exploit the flaw by sending specially crafted HTTP requests to the device. Devices are vulnerable if they've been configured to authenticate users of the web interface through an external LDAP server... How customers should remediate the issue will depend on which release of Firepower Management Center (FMC) they're running. There is no workaround, but hotfix patches are available for several new releases of FMC, and maintenance releases that address the flaw are scheduled for later this year. "Customers may install a fix either by upgrading to a fixed release or by installing a hotfix patch," Cisco notes... Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues. This FMC critical flaw follows updates made available earlier this month for three critical flaws affecting Cisco's Data Center Network Manager software. The researcher who reported the flaw has released proof-of-concept exploit code, but Cisco says it is not aware of any malicious use of the flaws.

Is PHP Still a Worthwhile Language To Learn? Slashdot, by EditorDavid on php (cached at January 26, 2020, 9:06 pm)

mbadolato (Slashdot reader #105,588) shares this post from Belgium-based programmer Brent Roose: It's no secret among web developers and programmers in general: PHP doesn't have the best reputation. Despite still being one of the most used languages to build web applications, over the years PHP has managed to get itself a reputation of messy codebases, inexperienced developers, insecure code, an inconsistent core library, and whatnot. While many of the arguments against PHP still stand today, there's also a bright side: you can write clean and maintainable, fast and reliable applications in PHP. In this post, I want to look at this bright side of PHP development. I want to show you that, despite its many shortcomings, PHP is a worthwhile language to learn. I want you to know that the PHP 5 era is coming to an end. That, if you want to, you can write modern and clean PHP code, and leave behind much of the mess it was 10 years ago. The article notes PHP's opt-in type system and performance-enhancing rewrites (including the ability to store compiled chunks of PHP code in memory). And it argues that PHP "is still evolving today," with a package repository averaging over 25 million downloads a day. There are also PHP web application frameworks (as well as asynchronous frameworks), so "PHP isn't just WordPress anymore." And in keeping with the core team's yearly release cycle, PHP 8 is expected at the end of 2020, which will include a JIT compiler, "allowing PHP to enter new areas besides web development..."

[no title] Scripting News (cached at January 26, 2020, 8:33 pm)

Continue to be impressed with Brian Lehrer's Impeachment podcast. Highly recommend this episode with Susan Hennessey and Benjamin Wittes of Lawfare. I was going to ask Lehrer to do a show on what the US will be like after a Trump acquittal. This episode is a good start. Before watching another hour of CNN or MSNBC, listen to this. You'll learn a lot more.
Waze Mistakenly Directed Hundreds of Drivers to a Remote Wildlife Preserve. Slashdot, by EditorDavid on transportation (cached at January 26, 2020, 8:05 pm)

"No, the luxurious Borgata Hotel, Casino and Spa isn't located in a central New Jersey wildlife preserve," reports a local news team in New York. But an ad for the casino in Waze was apparently tagged with the wrong geographical coordinates, CNN reports, and.... The Jackson Township Police Department's public information officer Lt. Christopher Parise said the police department found out about the error when one of his officers was out assisting a stranded car. The driver told the officer they were headed for the Borgata but wound up at the 12,000-acre wildlife area via unpaved roads after using Waze for directions... "My department towed 10 cars in 5 days that were stuck," Parise said. "A Waze response to the error report stated 249 others reported the same location error in the past couple days, so hundreds have been misled back there." Police complained of a "tremendous increase" in disabled motor vehicles -- one driver found themselves at least 10 minutes away from any paved roads. Long-time Slashdot reader Newer Guy tipped us off to the story, though Waze told CNN that after being made aware of it, they'd fixed the issue "within hours". But the casino is still urging future visitors "to check the route before they begin driving" to make sure they're actually being routed to Atlantic City. And the folks in Jackson Township (population 54,856) had a real good laugh, posting over 100 comments on the police department's Facebook page. "You can take the people out of the city but you can't take the city out of the people..." "Who the hell is going on unpaved roads thinking it'll lead them to a casino?" "You would think when they go down a dirt road common sense would kick in..." "This must be a short cut to Atlantic City, just keep going. Ha ha ha..." "This is why you need to learn how to read a map!" "I keep picturing in my head these people driving into the woods thinking it's Atlantic City..."
"We could just put a couple of slot machines and poker tables out there.... " "I knew people were stupid but this is ridiculous." "Don't blame the app, blame the morons driving." "How stupid do you have to be to not realize that you are nowhere near the ocean??!!" "So natural selection is going high tech?" "I was wondering how this lovely couple ended up way back by the lake when I was hunting there last week. They flagged me down and pleaded with me to show them the way out. They must've thought they were in the middle of Deliverance."

Help NASA Choose the Name For Its Next Mars Rover. Slashdot, by EditorDavid on space (cached at January 26, 2020, 7:05 pm)

Slashdot reader DevNull127 writes: NASA will launch a new rover to Mars this July — and 28,000 American schoolchildren wrote essays with suggestions for what NASA should name it. NASA has now selected the top nine finalists, which they'll let the public vote on through Monday on a special web page where they're also displaying the schoolchildren's essays. "Scientists are tenacious," wrote one student who suggested the name Tenacity. "It is what keeps them thinking and experimenting... When scientists make mistakes they see what they did wrong and then try again. "If they didn't have tenacity, Mars rovers wouldn't be a thing." The new rover will also be carrying the names of 10,932,295 earthlings, etched onto a microchip. Bloomberg points out that because Mars and Earth are unusually close in July and August -- a mere 39 million miles -- another rover will also be launched by the international ExoMars programme (led by the European Space Agency and the Russian Roscosmos State Corporation), while the United Arab Emirates will also try sending an orbiter to Mars, and China will deploy "an orbiter to circle the planet and a rover to land on it."

[no title] Scripting News (cached at January 26, 2020, 6:33 pm)

Amy Klobuchar is like a homemade chicken pot pie on a cold winter's day. I think after all the rock and roll the flyover folk would like a little peace and quiet. That's what I want. Not to have to worry about the US govt blowing the world up.
Former US Regulator and Accenture Exploring Digital Currency for US Central Banks. Slashdot, by EditorDavid on money (cached at January 26, 2020, 5:35 pm)

A former chair of America's Commodity Futures Trading Commission is working with Accenture to explore what Computerworld calls "a U.S. Central Bank Digital Currency" -- a cash-backed stablecoin, issued and controlled by America's central bank, where one token represents one dollar. Long-time Slashdot reader Lucas123 writes: A cryptocurrency based on a blockchain ledger would be a cheaper, faster and more inclusive global financial system than today's analog-based reserve currency that can take two or more days to clear, according to their Digital Dollar Project. The race to integrate cryptocurrency into global banking is speeding up as public sector projects are already driving interest in fiat-backed digital tokens by central and regional banks around the globe but primarily in Europe and Asia. Accenture already has "experience working with central banks on digital currency and related initiatives," Computerworld points out, and quotes the former CFTC chair as saying that "The digital 21st century is underserved by an analogue reserve currency. "A digital dollar would help future-proof the greenback and allow individuals and global enterprises to make payments in dollars irrespective of space and time."

[no title] Scripting News (cached at January 26, 2020, 5:33 pm)

Video demo of a new LO2 feature Doc asked for. Put the cursor in the middle of a paragraph. Press cmd-return to split the paragraph at the cursor position, creating two headlines. Simple, but I do this all the time, with copy-paste which is more tedious and error-prone. Also going to do the inverse, cmd-backspace to merge two headlines.
[no title] Scripting News (cached at January 26, 2020, 5:33 pm)

When SNL said the devil invented podcasting.
[no title] Scripting News (cached at January 26, 2020, 5:03 pm)

I never saw this SNL parody of a 2016 HRC commercial.
Some Vendors Are Already Releasing Chipsets That Support 6 GHz Wifi. Slashdot, by EditorDavid on wireless (cached at January 26, 2020, 4:35 pm)

Long-time Slashdot reader gabebear writes: The FCC hasn't officially cleared 6 GHz for WiFi, but chipsets that support 6 GHz are starting to be released. 6 GHz opens up several times more bandwidth than what is currently available with WiFi, although it doesn't penetrate walls as well as 2.4 GHz. Celeno has their press release and Broadcom has their press release. Still no news from Intel or Qualcomm on chipsets that support 6 GHz.

2018 mattered. Scripting News (cached at January 26, 2020, 4:03 pm)

A debating point I wish the Dems would use.

  1. Repubs say Dems have been trying to impeach Trump since the beginning to overturn the 2016 election.
  2. Not quite. Trump lost the 2018 election. The voters wanted Trump impeached.
[no title] Scripting News (cached at January 26, 2020, 4:03 pm)

The credulous boomer rube demo that backs Donald Trump: "Donald Trump's the smart one, y'all elitists are dummmmb." There's more. This is the new mode for CNN. Laugh at the credulous boomer snowflakes that are wrecking the world.