
ironshield antivirus


Tinman57:
  Basically it just comes down to who codes the best and without shortcuts.  I've owned a lot of commercial programs that were very poorly coded and have some awesome open source programs....

40hz:
  Basically it just comes down to who codes the best and without shortcuts.  I've owned a lot of commercial programs that were very poorly coded and have some awesome open source programs....
-Tinman57 (March 20, 2013, 05:33 PM)
--- End quote ---

+1. That's been my experience too.

40hz:
Linux does have the advantage of getting bugs patched faster once they're found - but there's also been reeeeal oopsies like Debian getting rid of proper SSH randomization because a developer didn't understand Valgrind properly (why does a person like that deal with security-crucial code?)
-f0dder (March 19, 2013, 04:12 AM)
--- End quote ---

@f0dder - maybe you should ask the guys over at Cisco that question?

This from The Register

Cisco slip puts hardware at risk
Borg announces weak password feature

By Richard Chirgwin
Posted in Security, 20th March 2013 22:46 GMT

Cisco has issued a security advisory revealing that it mis-coded the implementation of a new password hashing algorithm.

Its “Type 4” password implementation was supposed to salt passwords and then run them through 1,000 iterations of SHA-256 for storage, following the Password-Based Key Derivation Function (PBKDF) version 2 described in RFC 2898.

In what Cisco calls an “implementation issue”, its engineers forgot to salt passwords, and set the SHA-256 iteration count to 1. As its advisory states: “This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.”

The problem was discovered by Philipp Schmidt and Jens Steube from the Hashcat project. Because of the weak protection, they were able to decode a hash that had been posted to inetpro.org, and as noted by Ars, enough information has leaked to permit “millions” of hashes to be cracked in hours, if anyone gets their hands on the stored hashes.

The vulnerability affects kit running Cisco IOS and Cisco IOS XE releases based on the Cisco IOS 15 code base, the advisory says, along with instructions for determining whether a user is running vulnerable code.

Adding insult to injury, the implementation of the broken Type 4 password also disabled the Type 5 hashing it replaced...
--- End quote ---
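To make the defect in the quoted article concrete, here is an added example (not code from this thread, from The Register, or from Cisco) that puts the intended design beside the broken one: PBKDF2-HMAC-SHA256 with a per-user salt and 1,000 iterations, versus one unsalted round of SHA-256. The 16-byte salt length and the function names are assumptions for illustration; the Cisco storage format itself is not reproduced.

```python
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional, Tuple

# Iteration count the article gives for the intended Type 4 design
# (1,000 rounds of SHA-256 under PBKDF2, RFC 2898).
ITERATIONS = 1000
# Salt length is an assumption for this example, not a Cisco value.
SALT_LEN = 16


def weak_hash(password: bytes) -> str:
    """Mirror of the implementation issue the article describes:
    no salt and an iteration count of 1.  Every user with the same
    password gets the same digest, and checking one guess against a
    stored digest costs a single SHA-256 computation."""
    return hashlib.sha256(password).hexdigest()


def strong_hash(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Intended design: PBKDF2-HMAC-SHA256, random per-user salt,
    1,000 rounds.  Returns (salt, derived_key) so both can be stored;
    the salt is public, the derived key is what gets compared."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=32)
    return salt, dk


def verify_strong(password: bytes, salt: bytes, stored_dk: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, dk = strong_hash(password, salt)
    return hmac.compare_digest(dk, stored_dk)


def distinct_digests(passwords: Iterable[bytes], hasher: Callable[[bytes], object]) -> int:
    """Count the distinct stored values a list of user passwords yields
    under a scheme.  Without a salt, duplicate passwords collapse to one
    digest, so a single guess or precomputed table covers many accounts."""
    return len({hasher(p) for p in passwords})


if __name__ == "__main__":
    # Constructed sample: three accounts, two sharing a password.
    users = [b"secret", b"secret", b"other"]
    print("unsalted SHA-256, distinct digests:",
          distinct_digests(users, weak_hash))                       # 2
    print("PBKDF2 with per-user salt, distinct digests:",
          distinct_digests(users, lambda p: strong_hash(p)[1]))     # 3

    salt, dk = strong_hash(b"secret")
    print("verify correct password:", verify_strong(b"secret", salt, dk))  # True
    print("verify wrong password:  ", verify_strong(b"wrong", salt, dk))   # False
```

The two properties the article calls out map onto the two knobs here: the salt is what makes identical passwords store differently across users, and the iteration count is what multiplies the attacker's cost per guess. Dropping both, as the advisory describes, leaves a plain SHA-256 of the password.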


f0dder:
@f0dder - maybe you should ask the guys over at Cisco that question?
-40hz (March 20, 2013, 10:19 PM)
--- End quote ---
Yeah, saw that yesterday - efiin' insane.

Oh, and nice pic you chose to go along with the story :Thmbsup:

40hz:
@f0dder - maybe you should ask the guys over at Cisco that question?
-40hz (March 20, 2013, 10:19 PM)
--- End quote ---
Yeah, saw that yesterday - efiin' insane.

Oh, and nice pic you chose to go along with the story :Thmbsup:
-f0dder (March 21, 2013, 07:46 AM)
--- End quote ---

Did the wording myself. Glad you liked it! ;D

(Also spent a while yesterday checking HW inventory lists to see which of my clients might be affected by it so I could put an advisory out.  :-\)
