Security Vulnerability in GNU Bash through 4.3

Submitted by Wannabe Code Monkey
Wannabe Code Monkey (638617) writes "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution."
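The submission above describes environment values that begin with a bash function definition and carry trailing commands, reaching bash across a privilege boundary (CGI request headers being the classic path). The following is an added example, not code from the submission, from GNU Bash, or from Apache: it shows the two things a defender typically wanted at the time, a detector that flags the function-definition prefix in web server access log fields, and a filter that drops such values from a CGI environment before a subprocess is spawned. The log lines are constructed Apache combined-format samples, the regular expression is an approximation of the prefix bash recognised, and the environment filter assumes a CGI-style dispatcher written in Python.

```python
import re

# Constructed sample access log lines (Apache combined format) for this example only.
# Two carry the function-definition prefix in a header field; the middle one is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/true"
198.51.100.7 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:02:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; /bin/true" "curl/7.37"
"""

# Approximation of the prefix bash treated as an exported function definition: "() {"
# with optional whitespace. Used as a detection signature, not as a parser of bash syntax.
FUNCTION_PREFIX_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_function_injection_attempts(log_text):
    """Return one hit per log line whose request, referer or user-agent carries the prefix.

    Header fields are checked because a CGI server copies them into the
    environment of the handler it spawns (HTTP_USER_AGENT, HTTP_REFERER, ...).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these separately
        for field in ("referer", "ua", "req"):
            if FUNCTION_PREFIX_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "field": field, "request": rec["req"]})
                break  # one hit per line is enough for triage
    return hits


def sanitize_cgi_environment(env):
    """Drop environment values that start with a function-definition prefix.

    Mitigation for a dispatcher that builds the child environment itself: bash
    only imported a function when the value began with the prefix, so the check
    anchors at the start of the (left-stripped) value. Returns (cleaned, dropped).
    """
    cleaned, dropped = {}, []
    for key, value in env.items():
        if FUNCTION_PREFIX_RE.match(value.lstrip()):
            dropped.append(key)
        else:
            cleaned[key] = value
    return cleaned, dropped


if __name__ == "__main__":
    for hit in find_function_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} sent a function-definition prefix in {hit['field']}: {hit['request']}")
    env = {"HTTP_USER_AGENT": "() { :;}; /bin/true", "PATH": "/usr/bin"}
    print(sanitize_cgi_environment(env))
```

The detector searches anywhere in the field, since attackers could pad values, while the environment filter anchors at the start, matching the condition under which bash imported the function; the filter is a stop-gap for the window before the patched bash packages were installed, not a replacement for updating bash.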

Comment: Re:Slippery slope? (Score 1) 604

by Wannabe Code Monkey (#43512633) Attached to: Bruce Schneier On the Marathon Bomber Manhunt

I have to agree the Boston PD acted rationally and with the exception of not reading him his Miranda (somebody needs to be FIRED for screwing that up) they acted VERY professionally.

Hey, I haven't visited slashdot in years, but I thought I'd see what everyone's saying about the marathon bombings since I work and live in Boston. I just have to stop you right here. No, I don't have any specific information as to who first cuffed the suspect (Watertown PD, Boston PD, state police, FBI... etc) and I don't have any specific information as to his medical condition past what has been released about his non-communicative state. But I really don't think Boston PD had anything to do with deciding whether or not to read him his Miranda rights, nor do I think he was in any state to receive or understand those rights. He had been bleeding out since the shootout (for over 12 hours) and had just been in another shootout where some sort of flash-bang grenade was thrown at him. The first thing they did was bring him to a hospital, not a police station. If a suspect can't talk, you can't really interrogate them and the right to have a lawyer present and the right to remain silent aren't physically necessary. The time to read him his rights would be after he regained consciousness/ability to communicate. And by then I would expect that the feds would be the ones in charge of how he's handled. I really don't think that local cops were calling the shots at that point. I think it was a little less, "Hey Frank, what do you think, should I read him his rights or just give him a few punches?", and a little more, "US Attorney Ortiz, what is your legal opinion on whether we should interrogate the suspect as to possible on-going public safety risks prior to informing him of his Miranda rights?".

Comment: Re:Error My Ass (Score 1) 1005

by Wannabe Code Monkey (#39580965) Attached to: NBC Apologizes For Editing Zimmerman 911 Call

You might want to rethink your opposition to stand your ground laws while you're at it. If you're legally obligated to run away instead of defending yourself then you can be herded like a lamb to the slaughter.

You really think if the government is at the point of herding people like lambs to the slaughter that a state law about standing your ground is going to help you in any way? Here's a hint, if you need to revolt against your government, you're going to need to break all sorts of laws. No revolutionary has ever stayed a law-abiding citizen, and no stand-your-ground law has ever saved the life of an active rebel.

Comment: Re:Furor about the conservation... not the co-opt (Score 1) 265

No shit? Beloved character reduced to shill by Hollywood?? You don't say? That really would be news. NOT.

It's not just about a character being used to shill for a product. That's not news, that's been going on for decades (centuries?).

Tell me, if Mr. Lorax had been shanghaied into being a spokesman for toothpaste, toys, or floor wax, would this be a story? No. This story just fans the flames of the culture wars. Whoever started this meme knew that the word "Conservation" and the phrase "liberal propaganda" would propagate the meme with his target audience, who likes to get all a-quiver and indignant and victimized when mass media propagate memes they disagree with.

Dude, take a deep breath. Relax. The point of the article was that the Lorax stands staunchly against pollution and he's being used to sell something that pollutes quite a bit. Yes, it pollutes less than the competition, but still way more than walking, biking, public transportation, or just keeping your old car. It's the height of hypocrisy for a car company to claim that the Lorax would be on their side. It wouldn't have been news if he were a spokesman for toothpaste because the Lorax isn't fanatically anti-toothpaste.

This kind of greenwashing has been going on for years now. In commercials cars drive by and flowers and trees pop up in their wake, as if the flowers prefer the slightly (instead of very) polluted air that the new car generates rather than the completely clean air that was hanging around a second before the car drove through. These cars are in no way 'good for the environment'. They are less bad for the environment than their competition, but the marketing makes it seem like these cars suck CO2 and pollutants from the air and clean the environment as they drive by. That's bad enough, but what they did to the Lorax is just forehead-slappingly wrong. Imagine the furor if some company took the image and voice of John Wayne and made him say things completely antithetical to what he really believed, have him advocate for more welfare and entitlement programs, and say that he's glad the North Vietnamese won the Vietnam War.

Comment: Re:Master/slave (Score 1) 262

by Wannabe Code Monkey (#39016347) Attached to: Why Microsoft Developers Need a Style Guide

The offence stems from drawing attention to something that should be obvious and well-known to a person of his profession... and it's deeply disappointing that he took the chance to exploit it for a chance to rib Microsoft

I don't believe he was ribbing Microsoft at all. Here's some more context of the quote:

Especially treacherous are those words that have become part of the standard computing jargon but that may carry negative associations for some English speakers... Similarly, the relationship between USB peripherals could be described as "master/slave," but these terms could also be considered offensive.

The author's saying these words are treacherous and this guideline is a good point to think about. There was nothing negative towards Microsoft in any of this. Also that story coming out of LA caused a minor stir in the tech world for a limited amount of time. As it happens I do remember the controversy, but if you weren't paying attention to the news for a few weeks you may have completely missed it. And what of developers just graduating college right now? They would have been 12 in 2003 when this happened. I wouldn't expect them to be well versed in the story. Plus, I don't believe McAllister's audience is necessarily the type that would have heard about the original controversy.

Comment: Re:Master/slave (Score 1) 262

by Wannabe Code Monkey (#39015673) Attached to: Why Microsoft Developers Need a Style Guide

Similarly, the relationship between USB peripherals could be described as "master/slave," but these terms could also be considered offensive. (The "Microsoft Manual of Style" says such language is prohibited in "at least one U.S. municipality.")

Dear Neil McAllister,

That terminology originally comes from disk drive buses, and the municipality is Los Angeles. Are you really a tech writer?

Sincerely,

Suspicious

Dear Suspicious,

The first thing I'm going to do is dispense with this pseudo-formal fake letter writing style you've for some reason chosen for an internet message board.

I really don't understand your problem with this part of the article. The terminology can apply to disk drive buses, USB, and many other technologies. Does he have to mention every single technology where this terminology exists in order for you to take him seriously as a tech writer? And he was quoting directly from the manual of style when he said "at least one U.S. municipality." Why are you trying to take him down a peg for that?

Comment: Re:They're both delusional (Score 1) 94

by Wannabe Code Monkey (#38851557) Attached to: Deathmatch On Mars: an Interview With Warren Ellis

Some good points, but you're forgetting the beneficial technological offshoots of the space program. If Kennedy hadn't pushed us to the Moon in the 1960s, we wouldn't have gotten the offshoot technologies that we did as soon as we did

I totally agree, but the moon is way different than what they're talking about. I think striving for human space travel to Mars and back is possibly in the same realm. But permanent self-sufficient colonies on multiple planets that could survive after the destruction of the Earth is simply a delusion. They're talking like going to Mars will lead us onto the path of interstellar travel. That's beyond delusional. It's like saying, "Let's work really hard on our steam technology and maybe it'll turn into atomic energy."

Comment: They're both delusional (Score 2, Interesting) 94

by Wannabe Code Monkey (#38850161) Attached to: Deathmatch On Mars: an Interview With Warren Ellis

I'm sorry, I've had enough of this crap from science fiction writers about space flight. I don't want them (or crony politicians promising money for votes) to be guiding our government's decisions. Just because space flight is romantic and awe-inspiring doesn't mean we should do it. There's only one good reason for the kind of space travel they're advocating and it's the old don't-put-all-your-eggs-in-one-basket idea. But if the Earth were destroyed I don't have a lot of hope for people making it on the Moon or Mars. They'd still be completely dependent on resources from back home. Just try running a self-sufficient society in the middle of the Sahara and see how long it lasts. At least in the desert you still have oxygen to breathe and the temperatures are in the realm of habitable. Neither of which are true for the Moon or Mars.

They're also completely ignoring the fact that technology has become completely unpredictable for anything over 20 years from now. They have no idea what new things we'll discover in the next 100 years that could have profound impacts on space travel. Impacts that would make their current proposals completely meaningless. They sound like a salesman in the late 70s telling his company that they need to make their mainframes bigger and add more tape drives.

Our space-tech is either going to advance at a humdrum, linear pace, in which case we're never getting out of this solar system. Or it'll advance by leaps and bounds in which case just going back to the Moon, or building a rocket capable of going to Mars is pointless in the long run.

There's also no reason to have people on these flights other than to have a good old-fashioned feel-good PR story. You can have robots do anything you'd want a human to do and more. And you don't have to waste any money on food, oxygen, extra fuel, extra space, waste expulsion, and a return trip.

But what I love most about the interview is this quote:

I tentatively suspect that if President Obama gets his second term, and loosens up some cash...

You know, we must have already perfected space travel because I have no clue what planet Warren Ellis currently inhabits, but it's certainly not ours. Yeah, Obama has a whole bunch of cash lying around that he can just 'loosen up' at any given moment. It's not like we're running a huge deficit with programs and funding being cut left and right.

Comment: The Chart in the Article (Score 1) 275

by Wannabe Code Monkey (#38818041) Attached to: Google's SPDY Could Be Incorporated Into Next-Gen HTTP

Can anyone tell me what the chart in the article is actually measuring? The x-axis is labeled "Packet Loss Rate" and goes from 0% to 2.5% and the y-axis is labeled "AvgPLT" and goes from 500 to 3,500. I'm assuming the testers introduced artificial packet loss at the percentages on the x-axis and then measured how each protocol (HTTP and SPDY) responded to these conditions. But what the heck is "AvgPLT" and what exactly was their test? Was it requesting one page with 30 components each around 500KB, or 100 page requests with 20 components of 100KB, or 5,000 requests for 5MB files? Or what?

Comment: Re:Huh? [Re:Is that all?] (Score 1) 629

These bonds don't need to be honored and the behavior of Social Security doesn't change if they're done away with. The general fund would just be tapped to cover Social Security deficits.

Why wouldn't these bonds need to be honored? I understand what you're saying from an accounting perspective: we could wipe out these bonds, we no longer 'owe' social security this money, and we'll just pay out the yearly social security benefits from the general fund. I get that, I'm not saying I agree with that approach, but I see what you're saying. What I'm talking about though, is how you could legally not honor these bonds. What makes them any different than the bonds you or I could buy from the Treasury? Let's say I bought a Treasury bond that paid me interest, could the government just decide that my bond was now erased and that my former interest payments would now be paid via the general fund? No investor would trust the government if they tried to pull a stunt like that. Their credit rating would tank and no one would buy these bonds any more.

Furthermore, you don't address the one question in my post, which is "How do these bonds represent an accounting fiction?" Is my mortgage an accounting fiction? Do I really not owe Wells Fargo any money? Maybe I'll call them up and inform them that the debt they invested in was fictional and I'll just be paying them out of my 'general fund' now. But of course the disbursements from this fund are at the discretion of my house budget sub-committee (which consists of my cat and dog both of whom want to increase spending on treats instead).

Comment: Re:Huh? [Re:Is that all?] (Score 1) 629

There is no concept of "solvency" for Social Security. The bonds it supposedly holds are an accounting fiction (and wouldn't come close to covering its future obligations as you admit). It has no assets to speak of. And it is running a deficit now.

Can you explain how those bonds are an accounting fiction? As far as I know, the Social Security surpluses are invested in US Treasury securities (from wikipedia "Under the law, the government bonds held by Social Security are backed by the full faith and credit of the U.S. government."). So how are these Social Security investments an "accounting fiction"? Why isn't it an "accounting fiction" when any other bank, institution, or individual invests in treasury securities? The United States has never failed to pay back these securities.

If the US didn't pay back treasury bonds, it would be a huge deal. That's exactly what the debt ceiling crisis was all about over the summer. And it wouldn't just affect Social Security, it would affect every holder of US debt. So how are the Social Security bonds different from anyone else's? Either everyone's investment in US debt is a fiction, or Social Security is just as safe as everyone else's investment.

Comment: Re:Temporal Displacement of Comments (Score 1) 763

by Wannabe Code Monkey (#37638322) Attached to: Help Shape the Future of Slashdot

One of the things that I find disappointing is that probably the single largest factor in terms of whether a comment is promoted or demoted is the time after the post hits the main page. It is extremely common to see average posts (i.e. limited informational or insightful quantity/quality) rated very highly (probably too highly) simply because they are submitted shortly (within 1-2 hours, often much less) after the parent post hits the main page. Conversely, insanely high quality posts (i.e. those with tons of useful information or insight) that are submitted after the magic window either do not get voted up or are only voted up to a minor degree.

Absolutely, I've made some comments that I've meticulously researched, sourced, and massaged to get the wording just right. But because the post is old, it never gets modded up. On the other hand I've made some quick barely researched comments on a new post that get modded highly and get lots of replies. I wish there were some way to keep discussion going after an hour or two.

Comment: Re:Why would that dispel anything? (Score 1) 458

by Wannabe Code Monkey (#37572004) Attached to: Canadian Ice Shelves Halve In Six Years

Yes there is warming, but it appears our activities are unrelated.

The link you gave says this:

Salby analyzed the annual variations in atmospheric CO2 levels as measured at Mauna Loa with temperatures and found a strong correlation. The largest increases year-to-year occurred when the world warmed fastest due to El Nino conditions. The smallest increases correlated with volcanoes which pump dust up into the atmosphere and keep the world cooler for a while.

Let's first address the word 'correlation' in the first sentence. In any discussion of global warming, the anti-global warming crowd jumps all over any use of 'correlation', screaming up to the heavens 'correlation does not equal causation'. So much so that I now immediately discredit anyone who uses that phrase. I'd just like to point out the hypocrisy of relying on correlation when it suits your findings and attacking correlation when it does not.

Secondly, what he found, and I'm not saying I believe the findings, I haven't seen them/analyzed them/heard anyone else mention them, but the strongest conclusion you could come to from that summary is that year-to-year, humans don't push atmospheric CO2 as much as natural causes like El Nino. However these year-to-year natural causes are generally cyclic. El Nino doesn't keep causing CO2 to enter the atmosphere because it comes and goes. Over several years, El Nino is a net-zero contributor of CO2, it's like zooming out on a sine graph, whereas human CO2 additions are a monotonically increasing line.

Thirdly, "The smallest increases correlated with volcanoes which pump dust up into the atmosphere and keep the world cooler for a while." Okay, so even when natural causes are doing their best to keep the world cool, CO2 still increases. I think that goes to show that there is some more fundamental force pushing up CO2 year-over-year-over-year.
