Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
GNU is Not Unix

Serious Network Function Vulnerability Found In Glibc 197

Posted by Soulskill
from the audits-finding-gold dept.
An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.

Comment: Re:yeah... (Score 4, Interesting) 208

by POPE Mad Mitch (#48863671) Attached to: US Army Wants Weapon To Destroy Drone Swarms

Go look at the source code to one of the open source projects like OpenPilot,
they integrate accelerometers, gyros, magnetometers, barometric altimeter and GPS for their navigation system,
modern GPS chips also have anti-hijacking/jamming, eg SiRFstarIV GSD4t consumer device chipset,
and the off the shelf radio control kit can do encrypted spread-spectrum comms.

It is not trivial to stop one by jamming, a shotgun up close is way more effective

Comment: Line of sight? (Score 3, Interesting) 123

Will it have the same line of site limitations as current satellite Internet? I'm in Seattle, and with providers like HughsNet you need a very good line of sight to the south to get service. IIRC, where I used to work we had the dish pointed only 24 degrees above the horizon.

These sats are going into LEO, not GEO, so their position in the sky won't be fixed. I imagine you'll used a phased array antenna to track them. The good points being: lower latency, no requirement to see the southern horizon specifically. The bad point being that you'll need a view of a bigger chunk of the sky to avoid signal dropouts as the satellites move - how big a chunk depends on how many satellites they have up there (and therefore how many are above the horizon at the same time). If they have enough satellites, it may work out better for you.


Ask Slashdot: Migrating a Router From Linux To *BSD? 403

Posted by timothy
from the hiring-a-new-traffic-cop dept.
An anonymous reader writes I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs. Question one is: which BSD? Question two: where's some good documentation regarding setting up a home router/firewall on your favorite BSD?
It's fine if the documentation is highly technical, I've written linux kernel drivers before :)

SystemD Gains New Networking Features 553

Posted by samzenpus
from the making-things-better dept.
jones_supa writes A lot of development work is happening on systemd with just the recent couple of weeks seeing over 200 commits. With the most recent work that has landed, the networkd component has been improved with new features. Among the additions are IP forwarding and masquerading support (patch). This is the minimal support needed and these settings get turned on by default for container network interfaces. Also added was minimal firewall manipulation helpers for systemd's networkd. The firewall manipulation helpers (patch) are used for establishing NAT rules. This support in systemd is provided by libiptc, the library used for communicating with the Linux kernel's Netfilter and changing iptables firewall rulesets. Those wishing to follow systemd development on a daily basis and see what is actually happening under the hood, can keep tabs via the systemd Git viewer.

Comment: Re:Malware (Score 1) 181

by FireFury03 (#48755437) Attached to: Inside Cryptowall 2.0 Ransomware

If a program needs to look at stuff in other file structures then give it read access

Great! $malware got read access to your bank details.

You want it to be able to write to files in those other directories, fine, it reads in a file it isn't allowed to overwrite or change, and then saves it's own copy that it can molest in whatever way it wants.

So now instead of having a single copy of the file, you have a separate copy saved by each application that has been used to process it - creating a mountain of almost-identical files that the user has to keep track of is not a user friendly way of doing things.

Better is to have a versioned filesystem - each time a file is changed (by any application!) the delta is saved and the filesystem keeps the old data hidden away. Most of the time everything behaves as normal - you have one copy of a file, no matter how many times it is edited. If you need to roll back some changes then you just ask to see previous versions of that file, much like a source control system. And indeed, there are a number of file systems that do exactly this - if you care about such things there's nothing stopping you doing it.

It doesn't stop malware reading your files or modifying them, but it does mean you can recover the unmodified versions... but then doing backups (which everyone should be doing anyway) gives you similar protection.

Comment: Re:Malware (Score 1) 181

by FireFury03 (#48753745) Attached to: Inside Cryptowall 2.0 Ransomware

And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why?

Because anything else would require popping up numerous "would you like to allow this application to do $foo" boxes, and then you end up training the user to just hit "yes" on everything because it's too damned annoying to make a decision every time when the vast vast majority of access requests really are legitimate.

Sandboxing based on applications making their own decisions and being relatively trustworthy might not be a bad plan though - i.e. if your web browser has an immutable list of files it needs access to, and you trust your web browser, that provides some level of protection when some malware compromises the browser, so long as the immutable list really is immutable and the malware can't modify it.

I'm sorry, but the very concept of a virus scan happening "at scheduled intervals" or after you've already double-clicked on the file just tells you that it's too late before you start.

Well no, if you can roll back everything that happened between the "all clear" scan and the "you've been cracked" scan then that's certainly much better than nothing.

Fact is, I didn't install it and I have no idea what it ACTUALLY does.

You don't know what most software ACTUALLY does, even if you did install it - most software people use is closed source, but even the open source is a black box unless you actually audit it.

Comment: Re:As a former scientist: (Score 1) 287

by FireFury03 (#48744681) Attached to: Should We Be Content With Our Paltry Space Program?

True to a point, but the knowledge gained from the ISS is nothing to sneeze at either. I do agree that a manned mars mission is a bit silly at this point though, we don't really have the technology yet to make it feasible. More research into alternate energy sources should be where most of the money should be going.

I suspect a manned Mars mission will always be "a bit silly" at any point until people start actually doing it. And whilst I can't really point to much tangible return on the investment, "blue skies" project do have a habit of producing some quite unexpected returns.

To my mind, governments seem to be mostly concerned with themselves at the moment, with nothing to unify those in power towards some common (non-selfish) goal. With the few top-richest people being as rich as they are now I wouldn't be surprised if a few of them banded together to put together a manned Mars mission long before any government (so long as they do so before a revolution comes and redistributes the wealth a bit more fairly).

Comment: Re:ROI (Score 4, Insightful) 287

by FireFury03 (#48744635) Attached to: Should We Be Content With Our Paltry Space Program?

That's not really true. You can look at a research lab and measure the ROI retrospectively quite easily and use this to make forward looking decisions, and that's what a lot of companies do. They'll close research labs that haven't produced anything useful in the last 5-10 years, but they'll increase funding to ones that have.

And what about research that takes longer than 5-10 years to come to fruition (which actually isn't very long)?

Lets take fusion research as an example - that has spent decades sucking money out of governments and has produced very little return on that investment. It may never produce much return. But if we ever do crack fusion for commercial power generation, that would be a serious game changer - probably a big enough return to justify a couple of hundred years of otherwise fruitless investment.

Comment: Re:No we shouldnt (Score -1, Troll) 287

by FireFury03 (#48744591) Attached to: Should We Be Content With Our Paltry Space Program?

But that doesn't mean that the government should be paying for it, because not all of us agree we should be paying for it. Using Tax to pay for something should only happen for things we can only collectively purchase, like National Defense. We should be able to pay for it ourselves, and reap the rewards individually

Umm, I don't agree with my taxes being spent on "National Defence" (when I can sum up the current "defence" ideas as "go into foreign countries and blow up some brown people").

Guess what - you don't get to choose what your tax gets spent on. In theory, it should be apportioned democratically, but even that doesn't happen - a significant number of people objected to the Iraq war and were ignored.

Comment: Re:No we shouldnt (Score 5, Informative) 287

by FireFury03 (#48744539) Attached to: Should We Be Content With Our Paltry Space Program?

Compare NASA to, for example, Xerox PARC (Ethernet, the GUI, laser printers, etc.) or Bell Labs (the transistor, access control lists, UNIX, etc.) and see which produced more inventions that benefitted the economy as a whole per dollar spent.

Each shuttle launch cost, on average, $1.5bn. The cost of one launch would fund over ten thousand PhDs, or several hundred DARPA programs. Do you really think that NASA is the best ROI for taxpayers?

The problem with NASA is largely the senators dictating how the money will be spent, which leads to a huge amount of wastage. The shuttle is a good example - NASA could only get the funding if they made a space craft that fitted some fairly mutually exclusive specifications - the result was a space craft that could do none of those things especially well and almost certainly more expensively than building several separate craft tailored to specific jobs.

Look at the A-3 test stand as another example: it was designed for the Constallation programme, and when Obama cancelled the programme the partially constructed test stand was of no use. Congress demanded that NASA keep constructing this useless piece of hardware and they spent about $200M on it _after_ it was known that there was no use for it. How can you expect NASA to be value for money when it is treated as a jobs creation programme and forced to waste money like that?

SLS is probably another good example - insanely expensive, not least because congress are actually dictating the engineering requirements, and no doubt the government will order NASA to scrap it before completion, completely wasting all the money that was invested in it. Despite its huge cost, I kinda hope that SLS doesn't get scrapped, because then at least the money has gone into something that can be used instead of yet another useless cancelled project.

Far better would be to just give NASA a lump of money and tell them to do with it as they please - the money would still end up invested in paying people to do jobs (the jobs might not be in the various senator's chosen locations, but they would still happen), and we'd probably have a lot more science at the end of it instead of a huge pile of half-completed scrapped projects.

Comment: "Google Now" and "OK Google" are different (Score 1) 35

by Sits (#48654201) Attached to: Chromebook Gets "OK Google" and Intel's Easy Migration App

If you have an appropriate Android device Google Now will (apparently) display information based on your current context (e.g. if your phone learns where work and home are it might display information about traffic jams on the route home around the time it believes you will be traveling). You need a logged in Google account to use this feature.

OK Google is a way of using your voice to interact with your device (or Chrome web browser). So if I have the appropriate phone and it's been set to listen I can say "OK Google" and it will activate an app/mode where it will accept further voice input. On the Android phone I saw (and in my Chrome web browser on OS X) I can then ask it "What's the weather like?" and it pops up some weather related information and speaks back "It's ten degrees in ". Sometimes when you ask it questions just does a web search other times (on the device) it would start applications (e.g. mail) and so on. You do not need to be logged into Google to use this feature.

Comment: Re:Sly (Score 1) 396

by FireFury03 (#48634825) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

And whilst I use StartSSL, it's a pain that you can't get free wildcard certs for your domain...

And it fucking pisses me off that the grocery store won't just give me free food, too.

StartSSL is a business, and its business model is to give out free Class 1 certs with the hope of converting you into a paying customer.


The conversation was about it being so very cheap to roll out SSL because its trivial to get free SSL certificates. I'm not criticising StartSSL, I'm simply stating that it *isn't* trivial to get wildcard certificates. So the whole "you should use SSL everywhere coz it's free" premise kinda falls down there, since it isn't in fact free.

All theoretical chemistry is really physics; and all theoretical chemists know it. -- Richard P. Feynman