Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×

Comment Re: Only the beginning (Score 1) 236

by peppepz (#48001849) Attached to: First Shellshock Botnet Attacking Akamai, US DoD Networks

In terms of the ratio of Linux distributions which use Bash as the default shell versus those that do not, the vast majority still use Bash.

Even if this is true, and no I haven't checked it, it has no relevance over the reality of how many people are effectively using Bash together with the Linux kernel, which is a matter of which distributions people effectively use. I do aknowledge that RedHat-derived distributions are probably more common on servers, but I'm just guessing that out of prejudice.

Debian-based distributions use dash as the default system shell, but Bash remains the default interactive shell,

If you really had a server of any kind which spawned a *real user login shell* as a result of a remote client request of any kind, then you would already have a huge security problem. Moreover, I expect lots of people will use Bash as their persoanl shell even on BSDs as it's so much better than Tcsh.

and many scripts specify #!/bin/bash in their shebang line.

Then they are as broken on FreeBSD (or any other OS) as well as they are on Linux distributions that haven't Bash as the system shell.

That last bit is important, because we're living in times where an increasing number of developers are releasing code for network daemons which are designed to be easily run under unprivileged user accounts by those same users. Regardless of how secure the daemons themselves may be, the simple fact that they're executed with Bash as their parent process means they're vectors for system compromise from bugs like Shellshock.

How so? The bug is triggered when you start a buggy Bash shell having a malicious environment variable set up by the parent. Having Bash itself as a parent isn't a problem, because the bug is triggered when the environment is parsed at Bash's startup time (the shell might even crash afterwards).

The karma bonus posting option is enabled by default for a reason. When people who have an established track record of saying meaningful things (as determined by the up-modded metric) post comments, those comments are automatically ranked higher. Likewise, the moderation system provides for down-modding of any given comment, which has the side effect of karma reduction for the "offending" poster. The fact that you don't like what someone has to say is really of little consequence unless you have mod points; this is by design.

The karma bonus is there as a measure to let *you* moderate your own comments. If you consider 2,000 characters of condescendension as something that is worth promoting, good for you, but don't expect other readers to share your conviction.

Comment Re: Only the beginning (Score 2) 236

by peppepz (#48001215) Attached to: First Shellshock Botnet Attacking Akamai, US DoD Networks
Now you just have to find some server package which allows an unnprivileged remote client to trigger the execution of a Zimbra init script.

The funny thing is that, should you find it, such package would be vulnerable on FreeBSD in the exactly same way as it were on Linux, nullifying the argument that you are trying to make, about the Bash bug being a "Linux bug" that FreeBSD users shouldn't worry about.

Comment Re: Only the beginning (Score 1) 236

by peppepz (#48001187) Attached to: First Shellshock Botnet Attacking Akamai, US DoD Networks

I have never seen this even by the BSD folks. I think you are delusional.

Look at the comments of every slashdot story about some BSD, when the topic of market share comes out.

I won't post links to individual comments here, because I would find it both rude and pedantic.

For most users OSX will have no exposure even though it has the vulnerable Bash.

It depends on wether /bin/sh points to bash on OSX.

It does not use dhclient nor does it use a shell for processing DHCP, instead it uses the ipconfig agent.

Not to mention the fact that if people are connecting their machines to rogue DHCP servers, they're compromised anyway.

Sharing is disabled by default and this includes SSH. Only folks that explicitly run remote services or use the Server product will be exposed.

It's not that the typical Linux distribution opens telnet to the world by default, either.

Comment Re: Only the beginning (Score 1) 236

by peppepz (#48000837) Attached to: First Shellshock Botnet Attacking Akamai, US DoD Networks

Please tell us all how many Linux-based systems you operate that run only a bare kernel.

In the meantime I've told you how many Linux-based systems don't use bash as their default shell. The reality being opposite to your arbitrary statement that "the vast majority" of them do.

and the Karma Bonus

Who cares about that?

You should. Its purpose is to override other people's posts when you have something important to say.

Wrong. It's not personal, really.

[...]

You can always phone RMS up if want to have a nice "omg yes Linux is not GNU and GNU is not Linux" conversation.

Plonk.

That particular point has no value in this context, as the discussion here is on complete operating systems, not bare kernels.

Did he laugh about Debian/kFreeBSD? Did he laugh about OSX? Did he laugh about Cygwin or SUA? No, but he laughed about a minority subset of Linux distributions, and called them "Linux", having an uninformed reader believe that the bug is in Linux (it isn't) or that all Linux distributions are affected (many aren't). He was so aware of this fact, that he posted anonymously.

Which is not to say that this bug isn't serious, because it's huge. It's to say that this is not a "Linux bug", in any possible meaning of the phrase, strict or lax.

Comment Re: Only the beginning (Score -1, Flamebait) 236

by peppepz (#48000551) Attached to: First Shellshock Botnet Attacking Akamai, US DoD Networks
You fail to appreciate the difference between Linux and Bash (there's Linux with no Bash, there's Bash with no Linux). You fail to appreciate the fact that no, the most popular Linux distributions don't ship with Bash as the default shell. And yet you invest almost two thousand letters, and the Karma Bonus, doing the condescendent and attacking me personally. If you were trying to appear funny, in my opinion, you aren't. If you were trying to appear smart, then you had better get your facts right before attempting to.

Comment Re: Only the beginning (Score 3, Interesting) 236

by peppepz (#48000483) Attached to: First Shellshock Botnet Attacking Akamai, US DoD Networks
Debian doesn't. Ubuntu doesn't. Anything embedded doesn't. OSX does. There's nothing to "laugh at Linux" for, because even leaving aside the fact, as huge as a house, that this is not a bug of Linux, we must take into account that Bash isn't used on all Linux distributions, is used on many non-Linux unices, and can be installed on non-Unix systems where it'll see environment variables too. I also register with amusement the fact that OSX gets pulled by the coat into the BSD family when it's time to calculate market share, but is carefully set aside now that the distinction is convenient.
Science

Study: Chimpanzees Have Evolved To Kill Each Other 224

Posted by samzenpus from the battle-of-the-apes dept.
sciencehabit writes A major new study of warfare in chimpanzees finds that lethal aggression can be evolutionarily beneficial in that species, rewarding the winners with food, mates, and the opportunity to pass along their genes. The findings run contrary to recent claims that chimps fight only if they are stressed by the impact of nearby human activity—and could help explain the origins of human conflict as well.
Privacy

Apple's "Warrant Canary" Has Died 236

Posted by samzenpus from the get-out-of-the-mine dept.
HughPickens.com writes When Apple published its first Transparency Report on government activity in late 2013, the document contained an important footnote that stated: "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us." Now Jeff John Roberts writes at Gigaom that Apple's warrant canary has disappeared. A review of the company's last two Transparency Reports, covering the second half of 2013 and the first six months of 2014, shows that the "canary" language is no longer there suggesting that Apple is now part of FISA or PRISM proceedings.

Warrant canaries are a tool used by companies and publishers to signify to their users that, so far, they have not been subject to a given type of law enforcement request such as a secret subpoena. If the canary disappears, then it is likely the situation has changed — and the company has been subject to such request. This may also give some insight into Apple's recent decision to rework its latest encryption in a way that makes it almost impossible for the company to turn over data from most iPhones or iPads to police.
Cloud

Once Vehicles Are Connected To the Internet of Things, Who Guards Your Privacy? 130

Posted by timothy from the I-hope-it's-rob-ford dept.
Lucas123 (935744) writes Carmakers already remotely collect data from their vehicles, unbeknownst to most drivers, but once connected via in-car routers or mobile devices to the Internet, and to roadway infrastructure and other vehicles around them, that information would be accessible by the government or other undesired entities. Location data, which is routinely collected by GPS providers and makers of telematics systems, is among the most sensitive pieces of information that can be collected, according to Nate Cardozo, an attorney with the Electronic Frontier Foundation. "Not having knowledge that a third party is collecting that data on us and with whom they are sharing that data with is extremely troubling," Cardozo said. in-vehicle diagnostics data could also be used by government agencies to track driver behavior. Nightmare scenarios could include traffic violations being issued without law enforcement officers on the scene or federal agencies having the ability to track your every move in a car. That there could be useful data in all that personally identifiable bits made me think of Peter Wayner's "Translucent Databases."
Windows

What To Expect With Windows 9 545

Posted by Soulskill from the solid-color-rectangles dept.
snydeq writes: Two weeks before the its official unveiling, this article provides a roundup of what to expect and the open questions around Windows 9, given Build 9834 leaks and confirmations springing up all over the Web. The desktop's Start Menu, Metro apps running in resizable windows on the desktop, virtual desktops, Notification Center, and Storage Sense, are among the presumed features in store for Windows 9. Chief among the open questions are the fates of Internet Explorer, Cortana, and the Metro Start Screen. Changes to Windows 9 will provide an inkling of where Nadella will lead Microsoft in the years ahead. What's your litmus test on Windows 9?
Cellphones

Apple Edits iPhone 6's Protruding Camera Out of Official Photos 425

Posted by Soulskill from the truthiness-in-advertising dept.
Sockatume writes: If you've been browsing Apple's site leading up to the iPhone 6 launch, you might've noticed something a little odd. Apple has edited the handset's protruding camera out of every single side-on view of the phone. (The camera is, necessarily, retained for images showing the back of the device.) The absence is particularly conspicuous given the number of side views Apple uses to emphasize the device's thinness.

Slashdot Top Deals

No man is an island if he's on at least one mailing list.

Close