Comment Re:Briefing for management - reuse with attribution (Score 1) 318

Hey, I'm not saying the practices that make people vulnerable are wise - just that they exist and that unless positive steps are taken to test and, where necessary, fix, systems will be vulnerable. After all, we are seeing reports of the vulnerability being exploited in the wild, so we know there are affected systems out there. If we've done our jobs right, they won't be ours - but we cannot just hope that we've done our jobs right - and we do need to advise management that a) we're aware of the issue, b) we did our jobs right, and c) we're double checking, just to be safe.

Comment Briefing for management - reuse with attribution (Score 5, Interesting) 318

Folks, for what it's worth, here is a management briefing I wrote this morning. Please feel free to re-use, but please do give proper attribution. Please do comment and correct as appropriate.

Summary: Briefing for management on activities to minimize impacts of the "shellshock" computer vulnerability.

Status: Testing underway. Our initial scans and appraisals are that our public-facing systems are likely not subject to shellshock. NOTE: The situation is fluid, due to the nature of the vulnerability. Personnel are also reaching out to hosting providers to assess the status of intervening systems.

What is it? A vulnerability in a command interpreter found on the vast majority of Linux and UNIX systems, including web servers, development machines, routers, firewalls, etc. The vulnerability could allow an anonymous attacker to execute arbitrary commands remotely, and to obtain the results of these commands via their browser. The security community has nicknamed the vulnerability "shellshock" since it affects computer command interpreters known as shells.

How does it work? Command interpreters, or "shells", are the computer components that allow users to type and execute computer commands. Anytime a user works in a terminal window, they are using a command interpreter - think of the DOS command prompt. Some GUI applications, especially administrative applications, are in fact just graphical interfaces to command interpreters. The most common command interpreter on Linux and UNIX is known as the "bash shell". Within the last several days, security researchers discovered that a serious vulnerability has been present in the vast majority of instances of bash for the last twenty years. This vulnerability allows an attacker with access to a bash shell to execute arbitrary commands. Because many web servers use system command interpreters to fulfill user requests, attackers need not have physical access to a system: The ability to issue web requests, using their browser or commonly-available command line tools, may be enough.

How bad could it be? Very, very bad. The vulnerability may exist on the vast majority of Linux and UNIX systems shipped over the last 20 years, including web servers, development machines, routers, firewalls, other network appliances, printers, Mac OSX computers, Android phones, and possibly iPhones (note: It has yet to be established that smartphones are affected, but given that Android and iOS are variants of Linux and UNIX, respectively, it would be premature to exclude them). Furthermore, many such systems have web-based administrative interfaces: While many of these machines do not provide a "web server" in the sense of a server providing content of interest to the casual or "normal" user, many do provide web-based interfaces for diagnostics and administration. Any such system that provides dynamic content using system utilities may be vulnerable.

What is the primary risk? There are two, data loss and system modification. By allowing an attacker to execute arbitrary commands, the shellshock vulnerability may allow the attacker to both obtain data from a system and to make changes to system configuration. There is also a third risk, that of using affected systems to launch attacks against other systems, so-called "reflector" attacks: The arbitrary command specified by the attacker could be to direct a network utility against a third machine.

How easy is it to detect the vulnerability? Surprisingly easily: A single command executed using ubiquitous system tools will reveal whether any particular web device or web server is vulnerable.

What are we doing? Technical personnel are using these commands to test all web servers and other devices we manage and are working with hosting providers to ensure that all devices upon which we depend have been tested. When devices are determined to be vulnerable, a determination is made whether they should be left alone (e.g., if they are not public facing and patches are either not yet available or would be disruptive at this time, or if there are other mitigations or safeguards in place), patched (e.g., if patches are available and are low impact), or turned off (e.g., if patches are not available, risk is high, and the service is not mandate critical).

Updates to this briefing will be provided as the situation develops.
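As an added example (not part of the original comment), here is the kind of local self-test the briefing refers to, wrapped in a POSIX shell script for running on hosts you administer or for handing to a hosting provider. The marker string and function names are my own; the probe itself is the standard harmless one (a function definition in an environment variable followed by an echo).

```shell
#!/bin/sh
# Added example, not part of the original briefing: a local self-test for the
# Shellshock bug. A vulnerable bash executes the command that follows a
# function definition imported from the environment; a patched bash ignores it.

# Classify the probe's output. Returns 1 if the marker leaked through
# (vulnerable), 0 otherwise. Kept separate so it can be tested without bash.
classify_probe_output() {
    case "$1" in
        *SHELLSHOCK_MARKER*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Run the probe against a given bash binary (default: the first "bash" in PATH).
# Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = bash not found.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no bash found: $bash_bin"
        return 2
    fi
    # The variable value is a harmless function definition followed by an
    # extra command that only a vulnerable bash runs at startup.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    if classify_probe_output "$out"; then
        echo "not vulnerable: $("$bash_bin" --version 2>/dev/null | head -n 1)"
        return 0
    fi
    echo "VULNERABLE: $("$bash_bin" --version 2>/dev/null | head -n 1)"
    return 1
}

# Runs only when invoked directly: sh shellshock_check.sh [/path/to/bash]
case "${0##*/}" in shellshock_check.sh) shellshock_check "$@" ;; esac
```

Pass the path of each bash binary on the host (e.g. a vendor-bundled copy under an appliance's own prefix), since patching the system bash does not fix other copies.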

Comment An odd mild R-G - but only now do I know.... (Score 1) 267

I've known for 30 years that I was colour confused, it was diagnosed during my pre-hire medical at IBM. I've always described it symptomatically, as in "certain pinks and purples appear grey, my favourite brown shirt is green, but occasionally, I'll see a hint of green". And I've long thought that my CC was partly influenced by diet (the shirt would be greener after meals in certain restaurants, but I could never pin down the magic ingredient combo).

I have it on good authority that Mars is red, but I see it as a faint light of undetermined colour.

I had my eyes checked last week. I said all of the above to the examiner. He said something along the lines of "Huh, I've never heard of that before".

Then I described how I have a hard time scooping the yard: I have to work really hard to see the shit for the grass, but when I do, it becomes more obvious. There isn't enough contrast for me to pick it out without cognitive effort, but with said effort it becomes clear.

"Huh", he said, "It sounds like you have a very mild form of red-green colour blindness".

Interesting. I've never had a problem with traffic lights, red is one of my favourite colours, and I love the infinite variety of greens of spring. But picking a cardinal out in a dark green tree is tough - do-able, but tough. It's much easier in a light green tree.

So two weeks ago I would have answered "different form" but today I chose "mild R-G".

As my daughter would say, "That was a great old man story, thanks for sharing".

Comment Slightly misleading, fearmongery headline (Score 4, Informative) 114

This was on HN a few days ago; my comment there was the same: In the case of LastPass, the headline is misleading and a little fearmongery.

There were two issues with LastPass and NEITHER affected its storage of persistent passwords, that is, neither affected the feature the vast majority of us use passwords managers for!

One concerned a targeted attack against one-time passwords (OTP), the other concerned bookmarklets, which are used by less than 1% of the user base, according to LastPass. Personally I didn't know either feature existed until I read the LastPass blog entry about these two vulnerabilities.

A truer headline would have been "Vulnerabilities found in less-frequently used features of LastPass; persistent site password storage unaffected".

Comment I love my Viera and was hoping to upsize.... (Score 3, Interesting) 202

We have a c.2003 52" Viera and love it.

The brightness is not an issue: it's on the North wall of the living room, facing a large window, and if it is "too sunny", I close the drapes. Done.

The viewing angle is amazing. Sunday night suppers are often prepared standing at the counter "just this side" of the family room, watching football.

I've stayed away from L[CE]D TVs because plasma just seemed like a better solution.

And now they will go the way of Betamax.

Silly consumers, believing hype and myth, buying poorer tech, and not saving a whole lot doing it....

Comment It's free. Why does App Store need a credit card? (Score 0) 222

I don't use iTunes or iBooks or any other Apple media apps. I've only had my Air for a few months, and I do love it so, but.... If Mavericks is free, why does the App Store need a credit card in order for me to download it?

I do not plan on purchasing anything through iTunes. Never say never, sure, but I don't. Ever.

Guess I can't have Mavericks.

Even though it's free.

Kudos, Apple, you've given me my first reason to feel less than happy about a hardware purchase I reveled in.

(Originally posted in wrong discussion, mea culpa; since then, I've discovered one can bootstrap iTunes/AppStore integration without a CC, but it requires attempting to download a free app and entering tombstone info - still too much for a free OS update, IMHO, but better in a kludgey, hackish way.)

Comment It's free. Why does the App Store need a CC? (Score -1, Offtopic) 166

I don't use iTunes or iBooks or any other Apple media apps. I've only had my Air for a few months, and I do love it so, but....

If Mavericks is free, why does the App Store need a credit card in order for me to download it?

I do not plan on purchasing anything through iTunes. Never say never, sure, but I don't. Ever.

Guess I can't have Mavericks.

Even though it's free.

Kudos, Apple, you've given me my first reason to feel less than happy about a hardware purchase I reveled in.

Comment ...teleports the douchii to random places.... (Score 1) 443

Well, not quite random - to the polar opposite of current weather conditions.

It's winter (I live in Ottawa - think Minnesota with Chicago's wind and Houston's humidity).

Dude cuts me off.

I press the button

Dude finds himself in Kandahar.

It's summer (think Kandahar temperatures with Houston's humidity - detect a theme yet?).

Dude cuts me off.

I press the button

Dude finds himself in McMurdo.

I used to think I wanted photon torpedoes, but those would create debris, which might damage my vehicle. Or me.

Then I thought phasers. But that would still take life and teach nothing.

So semi-random, climate-coupled teleportation. That's the ticket.

And the car should fly. Of course. VTOL.

Comment Investigate Center for Open Science, framework (Score 1) 465

In addition to the excellent comments previously made, consider investigating the Center for Open Science, specifically their information for developers, and the associated Open Science Framework (note: will display only if cookies are enabled; I've no idea what value they provide in this context and will be contacting them about that).

They may not have anything that can help you. Or they might. Or you might be able to help them. Or not. YMMV, etc.

Worth taking a peek, anyway.

Comment Re:Community and OS declined, I switched to OSX. (Score 1) 631

main power-use for me would be occasional command line stuff to automate things... cron jobs... should work similar on OS-X

In general, yes, all the command line goodness is there. However! The OSX version of many utility functions has obviously suffered from lack of care and feeding. For example, grep under Linux will quite happily deal with pathnames with embedded dashes and spaces; OSX grep interprets these as additional, unrecognized switches. Sigh.
