
Comment: Re:Fristy Pawst! (Score 1) 449

by Bodhammer (#48031325) Attached to: Ebola Has Made It To the United States
Didn't you just describe the progressive, individual tax scheme in the US?

"Let's say you work really hard and do everything right. You keep a reasonable budget, work hard, behave sensibly, and generally just do a good job.

Then let's say your neighbor is a complete fucktard that spends more money than they have, slacks off doing nothing half the time, engages in dumb counterproductive activities, and generally makes every mistake possible one after the other...

Should I be punished for the incompetence of my neighbor?

Comment: Re:Now how about the third party ad networks (Score 1) 66

by squiggleslash (#48026031) Attached to: CloudFlare Announces Free SSL Support For All Customers

Looking at the Wikipedia page, the two EOL'd environments that stand out are:

- Android browser on Gingerbread (and older) - hopefully this'll be solved soon; Gingerbread is finally disappearing, but it's taken a while.
- Internet Explorer on Windows XP.

Everything else seems to be the kind of environment where if you're still using a browser that cannot support SNI then you're probably running into all kinds of problems anyway.

(I would like to think that Windows XP users are using Firefox these days, but...)

Question: aren't there privacy issues associated with SNI? shows no attempt to munge the server name. So even though a third party might not be able to determine what content you're trying to access, they probably can intercept - albeit with the victim experiencing an interruption in service - the hostname and determine whose content you're trying to view.

Comment: Re:Can someone explain how someone is exploited? (Score 3, Interesting) 326

by squiggleslash (#48019297) Attached to: Bash To Require Further Patching, As More Shellshock Holes Found

Kinda. With "Mark 2" it becomes considerably more difficult, as you have to find a way to set an environment variable to the same name as a command that'll be executed - at least, from the proof of concept exploits I'm seeing. So even if a badly configured webserver sets HTTP_HOST to "() { wget ; chmod +x; ./; }", unless your script actually tries to run a program called HTTP_HOST it shouldn't be called.

(If I'm wrong, expecting angry flames now ;-) Please though include details of why.)

Comment: Re:Issue with FSF statement... (Score 2) 208

by squiggleslash (#48009263) Attached to: Apple Yet To Push Patch For "Shellshock" Bug

I suspect large numbers of people saw the bug, but didn't realize the implications and took no action, knowing that the last thing you want to do with a programming language (which a shell like a Bourne implementation implements) is change what constitutes valid code.

What does this mean? Unsure. It's always been bad practice to use system() or similar calls to start other apps. What this issue has revealed is not so much that bash has a bug in it, but that rather too many applications rely upon bash and shouldn't. Bash is always a vector, and writing code that calls it already means working a great deal on input validation exercises that risk failure.

The scary part is that a significant amount of the *ix community doesn't care - they call system() anyway, or blindly allow the shell environment to be modified, without asking themselves whether this is a good idea.

Comment: Re:Full Disclosure can be found on oss-security... (Score 1) 399

by squiggleslash (#48008409) Attached to: Remote Exploit Vulnerability Found In Bash

One thing missing in all of this is how do I exploit it? In the example you give, that's not clear.

So far as I can determine, the only time this is going to be exploited is if you have some way of manipulating the environment of the shell. I can't think of a CGI variable that's directly set to the content of something the caller has enough control over; pretty much all of them are munged, have mandatory punctuation incompatible with use as a function placed at the beginning, or are impossible to put parentheses and punctuation in.

Perhaps I'm wrong. But I'm inclined to think the entire thing is overblown for two reasons. First, the difficulty of setting the environment in the first place, and secondly the fact that making system() calls, etc, is always a red flag for those checking for security holes (and is rare and usually unnecessary) because of the other potential issues with calling a program that literally has direct control over a substantial amount of your computer.

Which is not to say that, for example, the DHCP exploit that's been mentioned isn't terrifying, but even that... why the hell does the DHCPD client, by default, allow the environment to be changed via an insecure DHCP environment anyway?
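The three Shellshock comments above all come back to the same two controls: notice when an environment value has the `() {` shape that bash would import as a function, and never hand a user-influenced environment to a shell in the first place. The script below is an added example written for this page (not the poster's code and not anything from bash or a web server): it flags such values in a constructed CGI-style environment, and shows the alternative to system() that the later comment argues for, running the child program directly from an argument list with an allow-listed environment. The variable names in SAMPLE_CGI_ENV and the allow-list are constructed.

```python
import re
import subprocess
import sys

# A bash function export starts with "() {" (the shape quoted in the comments above).
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")

def looks_like_function_export(value):
    """True if an environment value has the shape bash would import as a function."""
    return bool(FUNCTION_EXPORT.match(value))

def suspicious_env_vars(env):
    """Names of variables whose values look like function exports, for logging or alerting."""
    return sorted(name for name, value in env.items() if looks_like_function_export(value))

def scrub_env(env, allow=("PATH", "LANG", "HOME")):
    """Minimal child environment: allow-listed names only, and never a function-shaped value.
    The allow-list is a constructed example; a real service would tailor it."""
    return {k: v for k, v in env.items()
            if k in allow and not looks_like_function_export(v)}

def run_without_shell(argv, env):
    """Run argv directly (no shell parses the command line) with a scrubbed environment.
    This is the replacement for system(): there is no shell to inject into."""
    return subprocess.run(argv, env=scrub_env(env), capture_output=True, text=True, check=False)

# Constructed sample of what a CGI environment might contain, with one hostile header value
# mirroring the "() { ... }" shape discussed above (harmless body here).
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_HOST": "() { :; }; echo constructed",
    "HTTP_USER_AGENT": "Mozilla/5.0",
    "QUERY_STRING": "id=42",
}

if __name__ == "__main__":
    print("flagged:", suspicious_env_vars(SAMPLE_CGI_ENV))
    result = run_without_shell(
        [sys.executable, "-c", "import os; print(sorted(os.environ))"], SAMPLE_CGI_ENV)
    print(result.stdout)   # the child sees only PATH; HTTP_HOST never reaches it
```

The detection half is only useful for alerting; the fix is the allow-list plus the shell-free call, which holds even for a bash that has not been patched, because no interpreter ever sees the hostile value.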
