
Comment: Re:Update to Godwin's law? (Score 4, Insightful) 477

by TheCarp (#48040537) Attached to: Obama Administration Argues For Backdoors In Personal Electronics

> I'm far more afraid of a terrorist/criminal organization getting access to these back doors, and reading all of the
> encrypted documents that companies (including government contractors) want to secure, than hidden
> communication allowing them to get away.

Well overall, terrorists are the least concern since there are really so few of them and they hardly need this sort of break. If anything, they are helped more by the encryption than hindered by it....but....who cares? They are a minor concern at best, regardless of what they want you to think.

Criminal orgs however, now we are talking. This sort of backdoor can be used for everything from extortion to corporate espionage. I am far more afraid that this will be used by someone with an agenda to find people in positions of power he can blackmail. I am FAR more worried about the influences of modern day J Edgars than a few organized criminals so despised that they need to hide from everyone at every turn already.

Thing is, we would never really even know the extent of the damage done because so much of it would be so quietly kept.

Comment: Re:How much money does Brown get from police union (Score 2) 111

by TheCarp (#48026823) Attached to: California Governor Vetoes Bill Requiring Warrants For Drone Surveillance

The thing is, search and rescue efforts, wildfire inspection, all make sense for this sort of exception; but you are right, a blanket "emergency situation" may as well be no requirement at all because anything can be viewed as an emergency and anyone claiming emergency is almost always given the benefit of the doubt for anything short of an outright hoax.

Comment: Re:What about recursion? (Score 1) 125

> Another technique would be leaking a fake script, claiming to have read a draft manuscript, etc.

Of course, the interesting thing about this technique is you can only tell when it fails to work, because the case where it works, and the case where it fails but the desired result was going to happen anyway, are indistinguishable unless the author actually pipes up and comments on it.

This reminds me of a friend of mine who used to flash his high beams erratically as he came up to red lights because he knew that's how the fire trucks signal to give them a green. I tried to tell him that there was no way this was going to work, but he was convinced it did because....of course.... fairly often he would flash his lights and the light would turn green for him....

I do the same thing with my hand pretending I have the "works" pretty well too. Which is to say....the light always changes.

Comment: Re: Hodor (Score 1) 125

I really have to say, deus ex machina endings are one of my personal pet peeves across literature, it's the hallmark of lazy uninteresting story telling. In fact, about the only place I was amused to see one was at the end of the one Deus Ex game I played to the end.... and not because I thought it was even particularly good, it wasn't, it's just.... it's the name of the game, so it's at least amusing in that one context.

Comment: Re:Ironically, blame HIPAA (Score 2) 78

by TheCarp (#48022149) Attached to: Medical Records Worth More To Hackers Than Credit Cards

Then please explain why the single most common reason for a person to be fired from the entire network of hospitals I worked for was inappropriate records access? Perhaps you would like to tell me why one of the major projects then was to move from offline records access auditing to real time auditing and flagging?

Perhaps you might have some insight into how it failed by causing us to start encrypting all of our laptops?

The problem with healthcare is momentum. It's huge, there is a lot of it, and it's highly federated and highly disorganized. In fact it's often less a case of "we don't care" and more a case that they tend to be in over their heads keeping up with the infrastructure they have and the way it's growing, and balk at allocating more resources to IT, since it already has eaten up more than they naively expected.

I have had to watch entire presentations that boil down to "we want to generate terabytes of data at an alarming rate and we don't see why it should cost very much based on just ignoring any other costs and looking at hard drive prices"

Seriously, the disconnect in healthcare is serious, and I agree the law is only somewhat helping but.... fact is the institutions really are scared of the penalties and those penalties really do trump their other considerations many times.

It's not perfect, but, on the security front, I have to say, I really think nearly all forward progress on security in healthcare can be directly attributed to it. I mean, I can think of a few minor exceptions like.... general concern about certain rare but frightening events like baby swaps or thefts that caused a good bit of increased security around birthing areas, but aside from that, I can't think of much that wasn't directly HIPAA requirement driven.

Comment: Re:Only CGI scripts affected? (Score 1) 399

by TheCarp (#48020507) Attached to: Remote Exploit Vulnerability Found In Bash

Why, yes it would, that is a good point. That was hardly the only real issue.

To add insult to injury, it would change the password by generating LDIF files, storing them in /tmp, then running command line ldap utils on them. So in addition to that, you could likely arbitrarily set someone else's password with a little finagling.

Which is pretty much why I just verified it could be exploited to touch a file in /tmp and immediately began re-writing it.

Comment: Re:Ironically, blame HIPAA (Score 2) 78

by TheCarp (#48020365) Attached to: Medical Records Worth More To Hackers Than Credit Cards

I don't disagree that it has problems but, lets not pretend that things were better without it. I worked for several years in healthcare IT. I was there when we started encrypting our laptops by policy.... it was because of HIPAA. Prior to that, there were no exceptions.

A good part of the problem is that hospitals grew up doing their own systems support for medical devices and tried to grow IT out of that, and they tend to be non-profits that budget their departments like universities do. It's a huge mess.

They just never cared about security because they built up their entire system for a single purpose of providing medical care, they were so focused on that the idea that they were exposing themselves was an afterthought, security has always been an afterthought in the industry that brought us the word "triage".

Comment: Re:Only CGI scripts affected? (Score 2) 399

by TheCarp (#47987003) Attached to: Remote Exploit Vulnerability Found In Bash

If you think that is bad, you should see the parts I didn't mention, the contents of that if statement was something like "$ERRORNO = 101"

The structure of the program was that it had 4 functions which were called in sequence, each one would set global variables, which would be read by the others. So, if ERRORNO was set, a whole other function with a whole different big if statement block would then print out the error message..... which is why I opened the code: one of the errors was wrong.

So basically, it was written in the era of perl 5, to a perl 4 standard, by someone who really liked BASIC.

Comment: Re:Test string here: (Score 1) 399

by TheCarp (#47985807) Attached to: Remote Exploit Vulnerability Found In Bash

> I too was suspicious of that fork-bomb potential. So the first time I ran it was on a test-vm.

lol well, as annoying as they can be, I have beaten a fork bomb before without rebooting so, I was confident enough after a quick perusal to not be afraid, especially since....come on, the function isn't even being called how can it possibly exec.....fuck

Comment: Re:Only CGI scripts affected? (Score 3, Interesting) 399

by TheCarp (#47985613) Attached to: Remote Exploit Vulnerability Found In Bash

Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.

That said, you know someone does this. Hell, I have had to deal with web applications written mostly in shell that did much of their processing in shell.... the only thing that really topped it for idiocy was when I dove into some perl4 code for a password change form and found this gem:

$password = $q->param('password');
if (`grep $password /usr/dict/words` ne "") {

No taint checking, nothing, just shell out with whatever someone put in the form. I loaded it up and added a "; touch /tmp/foo" on the end and verified there was no protection, then I found 4 more similar errors and figured that since security issues were not even why I opened the code to read it....I re-wrote it from scratch.
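As an added example (not the code from the post, and not that of any project it mentions), here is the pattern the comment describes, side by side with two hardened versions, under Perl taint mode. It assumes a CGI form field named "password" and a wordlist at /usr/dict/words, as in the post; the sub names are illustrative and CGI.pm must be installed. Submitting a value like `x; touch /tmp/foo` is the same check the comment ran: the vulnerable sub would execute the `touch`, the hardened subs treat the whole string as one password.

```perl
#!/usr/bin/perl -T
# Added example, not the code from the post. Assumes a CGI form field named
# "password" and a wordlist at /usr/dict/words (as in the post); the sub
# names below are illustrative.
use strict;
use warnings;
use CGI;

# Taint mode (-T) refuses to run external commands until %ENV is sanitised.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $WORDLIST = '/usr/dict/words';

# VULNERABLE: the pattern from the post. $pw is pasted into a shell command
# line, so a form value such as  x; touch /tmp/foo  runs "touch /tmp/foo" on
# the web server. Called with the raw request value under -T, this dies with
# "Insecure dependency in `` while running with -T switch", which is exactly
# the check the post says was missing.
sub in_dictionary_vulnerable {
    my ($pw) = @_;
    my $out = `grep $pw $WORDLIST`;
    return $out ne '';
}

# Untainting is done with a whitelist regex: the capture is the only way to
# clear the taint flag under -T. Printable ASCII, no whitespace, bounded
# length. It does not need to strip shell metacharacters, because the
# hardened subs below never start a shell.
sub untaint_password {
    my ($pw) = @_;
    return undef unless defined $pw && $pw =~ /\A([\x21-\x7e]{1,64})\z/;
    return $1;
}

# HARDENED 1: still uses grep, but through the list form of open(), which
# execs grep directly with $pw as a single argv element. -F treats $pw as a
# literal string, -x requires a whole-line match, -q makes the exit status
# the result, and "--" stops a password starting with "-" from being parsed
# as an option.
sub in_dictionary_no_shell {
    my ($pw) = @_;
    open(my $fh, '-|', 'grep', '-F', '-x', '-q', '--', $pw, $WORDLIST)
        or die "cannot run grep: $!";
    close($fh);            # close() on a pipe sets $? to grep's exit status
    my $rc = $? >> 8;      # 0 = match, 1 = no match, 2 = error
    die "grep failed" if $rc == 2;
    return $rc == 0;
}

# HARDENED 2: no external process at all; compare against the wordlist in Perl.
sub in_dictionary_pure_perl {
    my ($pw) = @_;
    open(my $fh, '<', $WORDLIST) or die "cannot open $WORDLIST: $!";
    while (my $word = <$fh>) {
        chomp $word;
        if ($word eq $pw) {
            close($fh);
            return 1;
        }
    }
    close($fh);
    return 0;
}

my $q  = CGI->new;
my $pw = untaint_password(scalar $q->param('password'));

print $q->header('text/plain');
if (!defined $pw) {
    print "password must be 1-64 printable characters with no whitespace\n";
} elsif (in_dictionary_pure_perl($pw)) {
    print "password is a dictionary word, choose another\n";
} else {
    print "password accepted\n";
}
```

Run it with `perl -T` (or the shebang above) behind a CGI-capable web server; from the command line, CGI.pm also accepts `password=x` as an argument for quick testing. The design point is that the fix is not escaping: both hardened subs remove the shell from the path between the form field and grep, and taint mode turns the original mistake from a silent remote command execution into a hard error at the backtick.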
