Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Comment use slashdotFS (Score 3, Funny) 217 217

I use slashdotFS which is a markovian random comment generator which effectively embeds data in a stegenographic comment. The FS handles the details of creating and saving these so it's all transparent and mounts on your desktop like a regular drive. It's slow but it's capacity seems unlimited and frequently gets modded insightful

Comment bUber (Score 5, Funny) 246 246

Perhaps that explains why my company bUber (pronounced Boob Urge) has bee so tied up in the courts. The concept is simple our company iPimp arranges meetings of escorts in hotel rooms. The contractors are all independent contractors, making a little money, but really they are their to give their single serving friends, we call them rides, a hand. This is completely different from normal prostitution, it's a different bussiness model even though it fills the same niche. In places where whore houses are well regulated, inspected and liscenced one can see that we don't need to meet such requirements since our service producers are independent contractors. Our rates are lower since were just making connections between people who might not be full time whores. They just notify us when they are available and we make use of what would otherwise would have been wasted time. We have surge pricing for conventions and with that can get more providers on the street when they are needed.

Recently Uber approached us because it fits well with there model. Our providers need delivery to addresses, and their drivers can act as sales agents for us as well. But they are reluctant to merge with us until we can shake these ridiculous legal problems. We certainly are not a traditional whore house.

Comment Re:I still don't understand (Score 1) 129 129

setuid is for executables. /etc/sudoers is root owned/readable but it's not executable, so there's no set UID on this file. I think the exploit you are describing is acutally another clever way to achieve a root priv escalation. using sudoers is more direct but also perhaps easier to detect.

Comment I still don't understand (Score 1) 129 129

That command is a riddle and, forgive me, but I think your explanation is wrong.
the final sudo -s is not there to create an error. it's a perfectly fine command and is that to just make you root on the spot.

I think a partial explanation of what goes on is this:

the first bin just creates the text you want to shove into the sudoers file. that's clear enough.

the pass to >&3 is saying send this text to file descriptor 3. This doesn't exist..yet...but it will shortly.

So how does the file open happen? Well if you put an environment variable definition in front of a command, what happens is the command runs with that environment variable temporarily set for the duration of the command. thus

DYLD_PRINT_TO_FILE=/etc/sudoers newgrp

says create the env DYLD_PRINT_TO_FILE temporarily and set it to /etc/sudoers and after setting that, then execute newgrp.

newgrp doesn't actually do anything at all here other than launch a new shell which promptly quits. However it does run with setuid root privilege.

guessing here: And while it's running but not doing anything the system goes, oh, I better open a stream to the DYLD_ file because there might be some output to log there. So it opens that file pre-emptively and duly assigns it to file descriptor 3 for input.

unfortunately DYLD has inherited the permission of newgrp to do that, so its doing a file open as root too.

  So we can now write to 3 and DYLD_ redirects that into the file.

at this point I'm not sure what happens exactly. One possibility is the obvious which is that what we write to file descitor 3 goes into the file represent file descriptor 3. that's simple if that's what bash would do. However the explanation of the exploit notes that DYLD_ also fails to close it's file descriptors. In which case what happens is that the newgrp command just exits but because the pipe made it a child, it's parent inherits the dangling filedesciptor. and then that's why we can write to that. I really don't know my bash well enough to say which of those might be the right mechanism here. if either.

anyone alse want to explain?

Another point I'm fuzzy on here is whether the writer needs to have the same setuid as the reader.

Comment Please explain more (Score 2) 129 129

Reading the explanation here: https://www.sektioneins.de/en/...
I don't fully understand how it works, but it seems to be more complex than what you just said. I suspect it depends on a parent process inheriting a child procesess setuid for accessing a file.

the bash script however is a riddle to me. I don't understand how the pipe to channel 3 ends up in the /etc/sudoers file. Where does channel 3 go. I suspect the newgrp statement is there to just be any process which does a setuid as root. Not sure. Again I don't understand how it's being called here.

What does the environment variable look like as this executes? which parts of it execute when? and how does the echo get to the file.

the final sudo -s I understand.

can someone break this down for me?

Comment Tetra Ethyl Lead (Score 4, Interesting) 108 108

Interestingly this isn't the first time this happened.. When they first started Isotopic dating there seemed to be no lab pure enough to get the lead out. Even water taken from the widdle of the ocean had the wrong lead isotope ratios. Eventually, years, they realized it was in the air from all the lead in gasoline. The gasoline companies had the guy's funding cut off to suppress this, and trotted out a bunch of "tobacco scientists" to ridicule the guy who discovered it. But eventually this too became fact. Now it's used in reverse, the isotopic ratio of lead is used to track gasoline spill origins.

https://en.wikipedia.org/wiki/...

http://pubs.acs.org/doi/abs/10...

Comment yes much more than 2Gbs (Score 1) 107 107

Do rabbit ears provide 2 gbps internet? Why are they even an option here?

Rabbit ears have way more than 2gbs/sec download but zero upload. You can easilyt watch 100 HD digital TV channels simultanously ig you have 100 rabbit ears, 100 Tv sets, and live in a city with 100 broadcast channels.

Comment the A in ADSL (Score 1) 107 107

After a two weeks of trying to get comcast to fix my lack of connection I switched to DSL. I'm getting the advertised DSL speeds. What I'm wondering is why the hell is the upload speed of ADSL pegged at such a crappy ratio to the download speed. Cable has about a 2:1 ratio but ADSL is about 30:1. My upload speed is 0.8Mbs on a 20Mbs download line. Why? what's the physical limit on DSL that cable doesn't have on the asymmetric division? It used to be that this wasn't a big deal since relatively few people upload much. But these days uploading for common people is ubiquitous: your phone by default wants to push every photo to the cloud, your backups go to the cloud, and it's not uncommon to want to e-mail a 20Mb word document. So upload speed has become an issue.

It becomes a major issue when a long duration upload (say a backup) chokes off even the modest handshaking upload that other download streams require and your Amazon prime fire TV stops working smoothly.

Are the DSL companies doomed by physics or their market price point if they can't increase this without raising prices dramatically? Why would this be costly? I'd gladly trade a megabit of download for another megabit of upload.

Comcast seems to have incentivized its india based outsourced customer service to optimally work against comcasts own interests. namely they first employ an incompetent first-line who cannot reason logically what the problem is and make you follow the script even after five previous calls (which apparently are not incentivized to make notes). thus they make their money from answering calls and getting you to just give up. then the next technique is to flat out lie("we will have technical call you in 30 minutes sir, this I promise to you. Now being such a good customer I have an upgrade deal to offer you"_) and finally even in the middle of the nightmare non-performing service they take the time to offer you additional costly upgrades. This only makes sense if you consider what the service center makes its profit on as opposed to comcast (retaining customers).

The DSL company also seems confused at well but at least they make as many errors in my favor as they do against it that it can't be a deliberate strategy.

Comment backdoor versus sidedoor. (Score 2) 102 102

Discussing this as a "backdoor" conflates this with the usual hidden backdoor which is a bad thing. Putting in a backdoor that is freely accessible and leaves no trace of its accession is ill advised. But I fail to see why there are no technological means to secure keys for multiple parties. you can even have crypto so multiple parties must agree so for example like my safe deposit box the bank and I both have to agree that I am me.

Now that's a different question of whether
1) I might encrypt the data on my own or use a thrird party client that uses googles services but keeps things encrypted in passage. That defeats the abililty to side door googles encryption.

2) I might off shore my data to someplace outside such laws (do I trust them is another matter).

3) the dent this might cause in googles popularity outside the US--I actually doubt this since de facto it has been the case in the past that the NSA had free range of google and no one cared deeply. But Will china also demand that google also let it have side door access as a condition of doing bussiness there? Still while a mess it's not technologically difficult.

4) an even stickier issue might be who all has to agree to unlock the data. Google+NSA. Google+China. those are doable. but Google+NSA+China is a problem. China might not want the NSA peeking at chinese national accounts without it's permission. Nor perhaps North Korean or any number of disputed places the NSA is interested in.

So there's a political mess here and some ways consumers can defeat it, but I fail to see why someone like Bruce Schneir would say there's no technical means to do this at the level of google or apple or major sites when there plainly is.

egrep -n '^[a-z].*\(' $ | sort -t':' +2.0

Working...