Comment Re: Hilarious (Score 1) 94

...since Bash can run on *anything*, that makes it an "anything running Bash" issue, including your precious Windows...

Well, yes, I stated the fact that anything running Bash is vulnerable; I never denied that. Where, dear sir, did I state that they were equally vulnerable? We're back to "you can't quote it because I never said it", despite what you claim.

Shellshock is a fixed issue on 'nix systems, for anyone keeping their system up to date. Well, except for OSX Yosemite beta testers, for whom an incomplete patch was released on 9-30; still vulnerable to one of seven known exploits. Windows systems that are vulnerable, no matter how few those might be (MinGW has over a half million weekly downloads, so I would still posit that the number is higher than you admit), remain vulnerable as MinGW hasn't seen an update in nearly a year and Cygwin in almost 5.

I'm not ragging on Windows here; like I said, it's a platform I make use of fairly consistently. I'm just saying, while Shellshock was a doozy of a bug, in the end it cost me maybe an hour of my life to patch well more than a handful of systems and it's done; were I running a POSIX layer on my Windows machines, however, that would not be the case; and, with over a half million weekly downloads of one of the most popular Windows POSIX layers, I'm thinking it's not safe to assume it's a non-issue for Windows servers.

Clearly, we're going to have to agree to disagree on this point, but the facts are as I've stated.

Regarding the CMD example, here's my source for that; fuck me for sharing it, right? Google "PowerShell command injection" and realize that every shell is vulnerable in one way or another; in fact, check out "PowerShell remote exploit" and realize that some of these flaws still exist in the wild.

Nothing's perfect, but I do have to stand by a system that gets patches out quickly; assuming your point about testing patches before deployment stands (and in most cases, it does; in this case, any application broken by the patch was broken to begin with), Bash users had a patch to test against within hours. Do you not test Microsoft's patches before you apply them? You know, weeks or months after the vulnerability is disclosed publicly.

Comment Re: Hilarious (Score 1) 94

You are correct, Cygwin hasn't seen an update since December 2009. However, I said MinGW, which has been updated a bit more recently. Please don't make assumptions about what I run and how I administer my systems based on my stated observations of the *rest* of the industry; you'll note that I said, and I quote:

I use Windows, OSX, and Linux in roughly equal proportions

Which probably means I use Windows where I need Windows and I use Linux where I need Linux; OSX is my desktop of choice at the moment, though that is subject to change, as it has changed a number of times over the past 20 years. That doesn't change the fact that I see a fair number of shared hosting providers (of which I am not one) running MinGW on Windows as a means to reduce the incidence of having to tell a customer who insists on using Windows they have to switch to Linux hosting to do what they want. I'm not saying this is the correct way that the user should be running their site, just that yes, less administratively-inclined users sometimes make ridiculous demands that you, as a business owner, must bend over and cater to if you want their money. If you simply tell them "You have to move to Linux hosting if you want to do that", they'll tell you when you can deactivate their account after they find a host who'll make it work on Windows. That's how the shared hosting market currently works; there are a million providers and, no matter how ridiculous one's requirements, at least thousands of those millions will cater to those needs without a second thought as long as the bill is getting paid.

My best friend got tired of it and sold his hosting company last year, after a very successful 13-year run. As a customer of his (who did not make such ridiculous demands; rather, I opted for Linux hosting, as that's what I needed) for several years, I volunteered my time in his support chat (a few hours a week, whenever I was bored, usually while BSing with him in the evenings) and fielded quite a number of these ridiculous requests (anything at that level of ridicule was beyond my power, as a volunteer, to handle and was forwarded to him), so I can tell you firsthand, the idiots who want to do something like this are not only out there, they're plentiful.

Comment Re: Hilarious (Score 1) 94

I'll repeat the question (and correct a typo; thanks, autocorrect):

Did I say both are equally vulnerable, or are you making shit up in an attempt to discredit me?

Of course, I'm repeating this in response to this bit of snark:

You're right; ShellShock really is as bad a ball-ache in Windows as *nix, no really!

It was originally said in response to this bullshit:

I love the fact you try to equate Windows and Linux for this epic bug as if they're both as vulnerable.

In case you missed the question the first two times, here it is again:

Did I say both are equally vulnerable, or are you making shit up in an attempt to discredit me?

And, in case you decide to say something along the lines of "Yes, you said both are equally vulnerable" I might ask that you quote me.

PROTIP: You won't be able to, because I never said it. If you want to win an argument with me, you have to attack what I'm actually saying; the minute you start attacking what you say I said, you've already lost. You're attacking your own words, not mine. Game. Set. Match.

Comment Re:For those who said "No need to panic" (Score 3, Interesting) 421

The CDC is now saying that the transmission in TX was caused by a "breach of protocol", which is not surprising given that the barrier protocols are exacting and onerous.

I don't want to misattribute something to the CDC, but what I read was glaringly clear on this point.

What the unnamed party said was, "there HAD to be a breach of protocol, because this person is infected. However, we haven't identified what the breach was yet."

Circular reference?

Comment Re:Robots? (Score 1) 421

Any protocol that results in you dying if you make a single mistake in a very long list of mundane tasks is a poor protocol.

Organizations with operational excellence have basic things like written checklists and safety tags and other stuff. The USAF for instance has methods of managing risk and mitigating risk that can be carried out by people who aren't anywhere near as well educated as most American medical professionals.

Comment Re:Sergey Brin needs a reminder (Score 2) 345

I have no idea what tree you are barking up, but I'm not in it.

Your mechanic doesn't advertise that he is providing a free service. It is entirely clear to both parties what is changing hands.

In the case of FB, Google, and most other online services that are free-to-use, you are absolutely the product, because the revenue model depends on selling data about you to third parties. These services also don't make it abundantly clear that this is their business model. In fact, Facebook in 2011 advertised that it would "always be free".

I actually raise bees, chickens, and sheep. I'm quite familiar with the sacrifices involved in keeping livestock. I also know why I'm putting my money and effort into keeping them alive.

They don't.

Comment Re:Shellshock is way worse (Score 2) 94

I'm not seeing another post from you in this thread... What claim did you make? I think we're in agreement, though; by necessity, shells give you all kinds of ways to hang yourself, most of which are in no way obvious to an unseasoned user. That's just the price of the added power and control, and it comes with a responsibility to learn your tools and learn and follow best practices when developing on or for an environment that makes use of a shell, whether you're using that shell directly or not. Best practices, like sanitizing your inputs, mitigate this on all platforms.

Comment Re: Hilarious (Score 1) 94

Am I attempting to divert negative PR, or am I simply stating facts? Did I say both are equally vulnerable, or are you making shit up in an attempt to discredit me?

I don't have a dog in this race; I use Windows, OSX, and Linux in roughly equal proportions. More people run POSIX layers on their Windows servers than you likely realize; in the hosting world, you give your users what they want, and users want to run that prewritten PHP script that relies on some UNIX userland element that Windows doesn't provide, and some subset want to run it on Windows. Hosts offering a Windows solution often install MSYS/MinGW by default to cut down on support calls for these scenarios, so the incidence of it being installed will naturally be higher than the incidence of it being necessary.

Also... give this a try on your Windows machine:
C:\Usersl>set foo=bar^&ping -n 1 google.com
C:\Usersl>echo %foo%

Seems as though you don't need Bash for Windows to be vulnerable, after all. C U Next (patch) Tuesday.
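The CMD session above and the earlier point about sanitizing inputs describe the same defect from two sides: a value that should be data gets spliced into a command string, so the shell reads its `&` as a command separator. The block below is an added example, not code from either poster. It takes the constructed value from the CMD example and shows the mitigation on any platform: pass untrusted values as their own argv element with no shell in the middle, and, where the value has a known shape, allow-list it. The function names (`unsafe_command_string`, `run_without_shell`, `validate_hostname`) are my own, and a child Python process stands in for `ping` so the example runs offline.

```python
import re
import subprocess
import sys

# Constructed sample input: the value from the CMD example above
# ("bar" followed by a command separator and a second command).
UNTRUSTED_VALUE = "bar&ping -n 1 google.com"

# Characters that cmd.exe or a POSIX shell would read as syntax rather than
# data when they appear inside a command string.
SHELL_METACHARS = re.compile(r"[&|;<>^%$`\"'\n\r()]")


def unsafe_command_string(value: str) -> str:
    """The pattern that goes wrong: splicing a value into a command string
    that a shell will parse (what os.system / shell=True end up doing).
    Returned rather than executed, so the hazard can be inspected."""
    return "echo " + value


def contains_shell_metachars(text: str) -> bool:
    """True if a shell would find syntax, not just data, in this string."""
    return SHELL_METACHARS.search(text) is not None


def validate_hostname(value: str) -> str:
    """Allow-list check for a value that is supposed to be a host name:
    letters, digits, '.' and '-' only, otherwise reject it outright."""
    if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", value):
        raise ValueError(f"not a valid host name: {value!r}")
    return value


def run_without_shell(value: str) -> str:
    """Hand the value to the child as a single argv element with no shell
    in between. The child (a Python one-liner standing in for 'ping') just
    reports the one argument it received, so a '&' arrives as data."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    cmd = unsafe_command_string(UNTRUSTED_VALUE)
    print("string a shell would parse :", cmd)
    print("contains shell syntax      :", contains_shell_metachars(cmd))
    print("argv element received intact:", run_without_shell(UNTRUSTED_VALUE))
    try:
        validate_hostname(UNTRUSTED_VALUE)
    except ValueError as err:
        print("rejected by allow-list     :", err)
```

The argv form is the fix that works everywhere; the allow-list is the extra check you add when the value's shape is known, since a host name never legitimately contains `&`, `|` or `^`.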

Comment Re:Sergey Brin needs a reminder (Score 4, Interesting) 345

Yes.

Another adage seems appropriate.

If a for-profit company is taking care of you for free, you aren't the customer... you're the product.

You should feel like a pig on a farm... well fed and happy right until the end.

Google's business model has always been about analyzing your data and selling "you" to others.
They need your data.

Each person needs to decide for themselves if what they're getting (free web email?) is worth what they're "selling" to Google and others...

btw, I started using facebook's ads manager earlier this week for a project. If you haven't looked at it before, you should. The amount of data facebook thinks it knows about people and that it is willing to let advertisers target is pretty interesting.

Comment Re:Shellshock is way worse (Score 1) 94

From the FreeBSD Wikipedia page:

Darwin, the core of Apple OS X, includes a virtual file system and network stack derived from the FreeBSD virtual file system and network stack

The network stack and VFS are kernel components. Other than that, though, you are correct, Darwin's kernel is XNU. But, wait a minute...

Originally developed by NeXT for the NeXTSTEP operating system, XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed at Carnegie Mellon University with components from 4.3BSD and an Objective-C API for writing drivers called Driver Kit.

It seems that XNU is derived from BSD, alongside components from two other kernels.

After Apple acquired NeXT, the Mach component was upgraded to 3.0, the BSD components were upgraded with code from the FreeBSD project and the Driver Kit was replaced with a C++ API for writing drivers called I/O Kit.

Specifically, FreeBSD, after Apple took it over.

Comment Re:Shellshock is way worse (Score 1) 94

You would have had to build a patched Bash from scratch on that system to secure it, as Apple only released patches for 10.7-10.9. Even if you were running a more recent version of OSX, you'd still have had to build it yourself to patch it *in time*. I'm really disappointed in Apple's response to this.

I never said no competently written code was affected, just that examples are exceedingly rare. More so, Toreo asesino's example was an application breaking as a result of patching this vulnerability, which would seem to indicate that said application was exploiting the vulnerability in the first place; zero competently written applications do that.
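Since the thread keeps coming back to whether a given system's Bash has actually been patched (the OSX case here, the MinGW/Cygwin question earlier), here is an added example of the local check a practitioner runs on their own hosts; it is not code from the thread. It relies on the behaviour the patches changed: a fixed Bash ignores a function definition that arrives through an ordinary environment variable, while an unpatched one runs the trailing command. The function names `check_shellshock` and `report_bash_status` are my own.

```shell
#!/bin/sh
# Local self-check for the Shellshock function-import bug in bash.
# Prints "patched" or "vulnerable" for the bash found on PATH; if no bash
# is installed at all, the child command fails and the verdict is "patched"
# (nothing to patch).
check_shellshock() {
    # The environment variable holds a function body plus a trailing
    # command. A fixed bash discards the whole thing (with a warning on
    # stderr, silenced here); a broken one executes the echo on import.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'true' 2>/dev/null)
    if [ "$out" = "vulnerable" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Report the bash version alongside the verdict, so the result can be
# recorded per host during a patch sweep.
report_bash_status() {
    ver=$(bash --version 2>/dev/null | head -n 1)
    printf '%s: %s\n' "${ver:-bash not found}" "$(check_shellshock)"
}

report_bash_status
```

Run it as an unprivileged user on each host after updating; a build-from-source Bash (the OSX route described above) is verified the same way, provided the rebuilt binary is the one first on PATH.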
