Which is the case on most Apache Web server configs: the client has full control over the HTTP_REFERER and HTTP_USER_AGENT variables... And the exploit in question works with any environment variable, including those 2.

Well, starting from here, you are vulnerable as soon as:

1. You have a CGI script written as a #!/bin/bash script on your system

1. You have /bin/sh symlinked to /bin/bash (used to be common in many Linux distribution), so as soon as a script calls system(), /bin/bash gets executed, along with the scripts full environment...

Nowadays, on most systems, /bin/sh is a proper Bourne Shell (either ash or dash), and no longer bash. So system() should no longer be an issue, but explicitly calling bash still would be...

Or, more easily: the exploit string could be packed into the TERM variable, which almost all ssh's and even telnet daemons pass on the the shell: env TERM='() { :;}; echo vulnerable ssh some_user@some_server'

Good. And now on to the next level:

env X='() { (a)=>\' bash -c "echo /usr/bin/id"; cat echo

Well, actually, there's plenty of sex shops around where you can buy custom-molded dildos, sold by the pound of plastic or latex... (saw some in Brussels, but most likely other large cities have those too).

Doesn't all this depend on the software? On a milling machine intended for the end user, the software could know about some of these constraints, and automatically reduce the speed to safe levels where needed. And also, this iModela machine works with soft materials (plastics, woods), not steel, which (probably) means it's not quite as likely to destroy its bits if mis-driven.

5) The official might think your bribe is too modest, and post the amount publicly on Facebook to shame you: A Restaurant Tried to Tip-Shame a Football Star

Good to know... if this indeed the case. I just wonder whether they will have to reply to messages from neighbouring countries as well, or only from Germans...

Indeed, google is notoriously hard to reach...

For not replying to an e-mail? I'd only wish :-)

The court, while certainly not stupid, is very probably lazy. And won't continue bothering google out of its own initiative once a "settlement" is reached.

It will take a continued action by the consumer watchdog organization to keep the court interested, but it's a very fine line to walk between "keeping the court interested" and "not annoy the court by pestering it too much"

More likely outcome is that they change the auto-reply text of the mail to "thank you for your valuable feedback", and then still continue to ignore it. The customer will be none-the-wiser, and unable to prove that feedback gets ignored.

And even Google Webmaster tools still works with the "old" browser user-agent string. However, in webmaster tools, it doesn't dump the javascripts yet, unfortunately :-(

Well said! I fullheartedly agree, and set the user agent of my firefox to version 0.10: the experience is a breeze! And yes, it even prevents google from inserting its own tracking into some of the links...

... however, the normal site (for "recent" browsers) does insert tracking cookies.

A test with google news shows that this is fortunately not the case, it shows news from within today. So if it is outdated, it's certainly outdated by less than one day.

I tried it (by setting the user-agent of my firefox to "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10"), and I'm delighted. Image search works again and it feels faster too.

I didn't notice the problem you're mentioning about link visited being broken. I searched twice for myself, the first time I clicked on one of my links. After the second search, that link was correctly colored purple, as it should. However, I did notice a small delay before it turned from blue to purple.

And there are no tracking cookies or similar inserted into the links, just the plain links. Overall a good experience :-)

I didn't check though whether the results were maybe outdated (newer pages not listed...), that would be nasty...