Comment: Re:Reading all the comments 'defending' Windows .. (Score 1) 389

by TechyImmigrant (#48044441) Attached to: Will Windows 10 Finally Address OS Decay?

>The last 50 years of research have no impact at all at current day computing, except for silicon and SOCs etc.
Doing new stuff in silicon is like shooting fish in a barrel. You just go find some research paper that has a good idea, then go and design it in hardware. A little hard math is enough to ensure that no one else is doing it.

Software seems stuck in a research time warp. Plan 9 was how long ago? Yet we don't have network transparent multi processing and per process name spaces in popular OSs.

Comment: Re:There's no W3C or IETF for healthcare (Score 1) 225

by TechyImmigrant (#48039453) Attached to: Back To Faxes: Doctors Can't Exchange Digital Medical Records

I've worked on-and-off in healthcare and the standards for transmitting *anything* are ancient and bad. Formats like HL7 and ASTM are ancient delimited-text formats with no UTF-8 support, no encryption, and even have RS232 ACK/NAK packets in the standard.

RS232 didn't have packets. It had wires. It didn't have ACK/NACK either. It had CTS/RTS and DCR/DTR. There were some secondary signals (STD, SRD etc) that were rarely implemented after 1980.

Comment: Re:I have an idea (Score 1) 163

by TechyImmigrant (#48038637) Attached to: Apple Fixes Shellshock In OS X

I just tried and successfully passed the variable "_BASH_FUNC_thingy" with the value "my_attack" through my apache web server to a CGI script using a url entered into a browser.

No, you get something like QUERY_STRING="_BASH_FUNC_thingy=my_attack", which is harmless because function definitions inside QUERY_STRING are not being evaluated after the last update.

No I didn't. I'll play with bash versions and see if there was a change. I don't think so though.

Comment: Re:Why isn't this auto-update? (Score 1) 163

by TechyImmigrant (#48031415) Attached to: Apple Fixes Shellshock In OS X

Fortunately for the evil doers, they don't have to be bound by past vulnerabilities.

Just give it a name that the script already uses.

If the script uses functions passed through the environment variables, it is now going to be written such that those variable names are prefixed with _BASH_FUNC_ because the new changes require it. So the attacker follows suit. The point being that the attacker can indeed modify the name and he or she or it can modify it to suit the script being attacked.

The underlying problem is using environment variables (i.e. data) that get executed by the interpreter. Don't do that. You can write CGI programs that are invulnerable, but you can't be sure every CGI program in every bit of system and web bloatware is invulnerable.

Better to fix CGI. Give it a new interface. E.g. it calls the program and hands it a pointer to a file that contains the variables. Or uses any other form of IPC. Just make sure it can't get executed unless intentionally by the idiot writing the receiving end.
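The two ideas in the comment above (environment data that an interpreter will parse as code is the root problem, and moving request variables into a file is one way to take that data out of the environment) are shown together in the added example below. This is editor-supplied code, not the commenter's or any project's own: it scans a CGI environment for values shaped like bash function exports, then builds a child environment that keeps only an allow-list of request metadata and writes everything else to a JSON file. The `ALLOWED_ENV` set, the `CGI_REQUEST_FILE` variable name and the sample environment are all constructed for the example; the `_BASH_FUNC_thingy` variable and the `QUERY_STRING` value mirror the exchange quoted in the comments.

```python
import json
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Shellshock-era bash treated any environment value beginning with "() {"
# as a function definition to be parsed. The later fix keyed exported
# functions on a BASH_FUNC_ marker in the variable name instead, so both
# shapes are checked: old-style payloads in the value, and names that
# imitate the new export naming a script may have come to expect.
FUNCTION_BODY = re.compile(r"^\s*\(\)\s*\{")
FUNCTION_NAME = re.compile(r"BASH_FUNC_", re.IGNORECASE)

# Request metadata the CGI program legitimately reads from the environment.
# Everything else is moved out of the environment and into a file.
# (Constructed allow-list for this example.)
ALLOWED_ENV = {"PATH", "GATEWAY_INTERFACE", "SERVER_PROTOCOL", "REQUEST_METHOD"}

# Constructed sample CGI environment, with one old-style function body in a
# header and the variable name from the comment thread. QUERY_STRING merely
# contains the text "_BASH_FUNC_thingy=my_attack" and is not flagged, which is
# the point made in the reply above: inside QUERY_STRING it is only data.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "_BASH_FUNC_thingy=my_attack",
    "_BASH_FUNC_thingy": "my_attack",
    "HTTP_USER_AGENT": "() { :; }; echo probe",
    "HTTP_COOKIE": "session=abc123",
}


def find_function_exports(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (variable name, reason) for each variable that looks like a bash function export."""
    hits = []
    for name, value in env.items():
        if FUNCTION_BODY.match(value):
            hits.append((name, "value starts with '() {'"))
        elif FUNCTION_NAME.search(name):
            hits.append((name, "name carries a function-export marker"))
    return hits


def stage_request(env: Dict[str, str], workdir: Optional[str] = None) -> Tuple[Dict[str, str], str]:
    """Split a CGI environment into (child_env, request_file_path).

    child_env holds only allow-listed variables, so a shell started from it
    has no attacker-controlled value to parse as code. All other variables
    (headers, query string, ...) are written as JSON to a mode-0600 file whose
    path is handed over in CGI_REQUEST_FILE (hypothetical name); the program
    reads it as data, and only when it chooses to.
    """
    child_env = {k: v for k, v in env.items() if k in ALLOWED_ENV}
    request_vars = {k: v for k, v in env.items() if k not in ALLOWED_ENV}
    fd, path = tempfile.mkstemp(prefix="cgi-request-", suffix=".json", dir=workdir)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(request_vars, fh)
    os.chmod(path, 0o600)
    child_env["CGI_REQUEST_FILE"] = path
    return child_env, path


def demo() -> Tuple[List[Tuple[str, str]], Dict[str, str], Dict[str, str]]:
    """Run both steps on the sample environment and read the staged file back."""
    hits = find_function_exports(SAMPLE_ENV)
    child_env, path = stage_request(SAMPLE_ENV)
    try:
        with open(path, encoding="utf-8") as fh:
            request_vars = json.load(fh)
    finally:
        os.unlink(path)
    return hits, child_env, request_vars


if __name__ == "__main__":
    found, env_for_child, staged = demo()
    for name, reason in found:
        print(f"flagged {name}: {reason}")
    print("child environment:", sorted(env_for_child))
    print("staged request variables:", sorted(staged))
```

The detection pass is a log-side check a web server or wrapper can run on incoming environments; the staging pass is the structural fix, since a child that never sees request data in its environment cannot be tricked into parsing it, whatever name the attacker chooses.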