1 in 10 Americans think HTML is an STD, study finds

If you’re talking tech with Americans, you may want to avoid using any jargon.

A recent study found that many Americans are lost when it comes to tech-related terms, with 11% saying that they thought HTML — a language that is used to create websites — was a sexually transmitted disease. The study was conducted by Vouchercloud.net, a coupons website, as a way to determine how knowledgeable users are when it comes to tech terms.

“Technology is a huge interest for our user base, and month after month we see thousands of people visiting our site to look for coupons and deals to use when purchasing their favorite tech products,” a company spokeswoman said in a statement. “It seems that quite a few of us need to brush up on our tech definitions.” Besides HTML, there were some other amusing findings:

  • 77% of respondents could not identify what SEO means. SEO stands for “Search-Engine Optimization.”
  • 27% identified “gigabyte” as an insect commonly found in South America. A gigabyte is a measurement unit for the storage capacity of an electronic device.
  • 42% said they believed a “motherboard” was “the deck of a cruise ship.” A motherboard is usually a circuit board that holds many of the key components of a computer.
  • 23% thought an “MP3” was a “Star Wars” robot. It is actually an audio file.
  • 18% identified “Blu-ray” as a marine animal. It is a disc format typically used to store high-definition videos.
  • 15% said they believed “software” is comfortable clothing. Software is a general term for computer programs.
  • 12% said “USB” is the acronym for a European country. In fact, USB is a type of connector.

Despite the incorrect answers, 61% of the respondents said it is important to have a good knowledge of technology in this day and age. The study involved 2,392 men and women 18 years of age or older. The participants were not told that the study was specifically looking into their knowledge of tech terms. They were presented with both tech and non-tech terms and were asked to choose from three possible definitions. “Hence why a mix of both normal and technology-related words were used,” the company said in a statement.

Source: L.A. Times

Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.

The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.

“It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” an advisory issued by Red Hat warned. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”

GnuTLS developers published this bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as “an important (and at the same time embarrassing) bug discovered during an audit for Red Hat.” Debian’s advisory is here.

Distant relative of “goto fail”

As was the case with last week’s critical encryption bug from Apple, the GnuTLS vulnerability is the result of someone making mistakes in source code that controls critical functions of the program. This time, instead of a single misplaced “goto fail” command, the mistakes involve errors with several “goto cleanup” calls. The GnuTLS program, in turn, prematurely terminates code sections that are supposed to establish secure TLS connections only after the other side presents a valid X509 certificate signed by a trusted source. Attackers can exploit the error by presenting vulnerable systems with a fraudulent certificate that is never rejected, despite its failure to pass routine security checks. The failure may allow attackers using a self-signed certificate to pose as the cryptographically authenticated operator of a vulnerable website and to decrypt protected communications. It’s significant that no one managed to notice such glaring errors, particularly since they were contained in code that anyone can review.
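To make the “goto cleanup” mistake concrete, here is an added C illustration (not GnuTLS’s own code): a verification helper whose contract is boolean, where an internal error path jumps to the cleanup label with a negative error code still in the result variable, next to the corrected shape. The names cert_t, get_ca_flag, check_if_ca_* and ERR_ASN1_FAILURE are assumptions; the sample certificates are constructed.

```c
#include <stdbool.h>
/* Constructed stand-ins, not GnuTLS code: a minimal certificate and a helper
 * that follows the common C convention of 0 on success, negative on error. */
#define ERR_ASN1_FAILURE (-1)
typedef struct { bool well_formed; bool has_ca_flag; } cert_t;
static int get_ca_flag(const cert_t *c, bool *is_ca) {
    if (!c->well_formed) return ERR_ASN1_FAILURE;   /* parse error */
    *is_ca = c->has_ca_flag;
    return 0;
}

/* Vulnerable shape: contract is boolean (1 = issuer is a CA, 0 = it is not),
 * but a parse error jumps straight to cleanup with the negative error code
 * still in result, which a caller testing "!= 0" reads as "yes, a CA". */
int check_if_ca_vulnerable(const cert_t *issuer) {
    int result;
    bool is_ca = false;
    result = get_ca_flag(issuer, &is_ca);
    if (result < 0) goto cleanup;       /* leaks the negative code to the caller */
    result = is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Hardened shape: every error path passes through fail:, which forces the
 * boolean result to 0 before falling into the shared cleanup label. */
int check_if_ca_fixed(const cert_t *issuer) {
    int result;
    bool is_ca = false;
    result = get_ca_flag(issuer, &is_ca);
    if (result < 0) goto fail;
    result = is_ca ? 1 : 0;
    goto cleanup;
fail:
    result = 0;
cleanup:
    return result;
}

/* Caller in the style the bug depended on: any non-zero answer accepts the issuer. */
int issuer_accepted(int (*check)(const cert_t *), const cert_t *issuer) {
    return check(issuer) != 0;
}

/* Constructed sample inputs: a malformed certificate and a well-formed CA. */
const cert_t malformed_cert = { false, false };
const cert_t real_ca_cert = { true, true };
```

The lesson for reviewers is the mismatch between a function’s boolean contract and the negative error codes flowing through its cleanup path; a caller that tests for non-zero cannot tell the two apart.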

Security researchers are still studying the vulnerability and assessing its effect on the wide array of OSes and applications that depend on GnuTLS. For the moment, readers should assume that the severity is critical given the dizzying amount of downstream code that may be affected. One example: the apt-get installer some distributions of Linux use to distribute and update applications relies on GnuTLS, although exploits against the package can probably be caught by cryptographic code-signing of the downloaded program (thanks to readers for pointing out this secondary level of protection). Version 3 of lib-curl, which is distributed in Debian and Ubuntu, also depends on GnuTLS. Some Debian- and Ubuntu-based virtual private networking applications that work with Cisco Systems hardware are also affected. This list goes on and on.

Matt Green, a Johns Hopkins University professor specializing in cryptography, characterized the vulnerability this way: “It looks pretty terrible.”

Kenneth White, a principal security engineer of Social & Scientific Systems, agreed, saying the vulnerability “has a lot of side effects.”

This article will be updated if important additional details become available.

Article updated to add details in fourth-to-last paragraph. Article updated to correct misstatements about Cisco virtual private networking software.

Source: Ars Technica