
Serious Network Function Vulnerability Found In Glibc 113

Posted by Soulskill
from the audits-finding-gold dept.
An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in the __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.
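A defensive counterpart to the summary, added here as an example (not code from the story, Qualys or glibc): an application that receives hostnames from untrusted input can bound and validate them before resolving, and resolve through getaddrinfo() rather than the gethostbyname() entry points the summary names. The helper names valid_hostname, is_ip_literal and resolve_host are this example's own.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <ctype.h>
#include <netdb.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

/* Syntactic hostname check (hypothetical helper): at most 253 bytes, labels
 * of 1..63 letters/digits/hyphens, no label starting or ending with '-'. */
bool valid_hostname(const char *s) {
    size_t n = strlen(s), label_len = 0;
    if (n == 0 || n > 253) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {                          /* end of a label */
            if (label_len == 0 || s[i - 1] == '-') return false;
            label_len = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return false;
        if (label_len == 0 && c == '-') return false;
        if (++label_len > 63) return false;
    }
    return s[n - 1] != '-';                      /* a trailing '.' is allowed */
}

/* True only for well-formed IPv4/IPv6 literals; arbitrary digit strings fail. */
bool is_ip_literal(const char *s) {
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Resolve host via getaddrinfo() and write its first address as text into out.
 * Returns 0 on success. Malformed names are refused before any lookup; IP
 * literals use AI_NUMERICHOST so they never touch the network or NSS. */
int resolve_host(const char *host, char *out, size_t outlen) {
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (is_ip_literal(host)) hints.ai_flags = AI_NUMERICHOST;
    else if (!valid_hostname(host)) return -1;
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -1;
    int rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
                         NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc == 0 ? 0 : -1;
}
```

The length and label limits reject over-long or malformed input before any resolver code runs, which is the kind of check that keeps attacker-controlled strings away from the affected code path regardless of which glibc is installed.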

Comment: Re:So what will this accomplish? (Score 1) 124

by Rich0 (#48915767) Attached to: Uber Capping Prices During Snowmageddon 2015

Since the national guard wasn't around to give people a lift, maybe we should offer additional compensation to the folks who take the risk of getting into an accident so that you don't have to.

I'm sure your local police, fire department, national guard, and other emergency services accept donations. Those are your "folks who take risk so you don't have to".

Uber drivers are "folks who take risk so they might make a buck". They're a company. They're there to make a profit. Remember Adam Smith on how we get our bread.

I'm not suggesting that they're motivated by anything other than making a buck (though the reality is somewhere in-between - workers are motivated by more than money).

The thing is, I bet that even with the price caps Uber drove a whole lot more people home than the local police department did. I bet that if prices were higher they'd have driven more people home (after all, the goal of the algorithm is to charge the highest price possible while utilizing drivers 100%).

So, if you want to feel good then donate money to the police. If you want to get home, then offer to pay a driver whatever they feel the ride is worth.

Comment: Re:The system is corrupt ... (Score 1) 172

I won't argue that governments created the cable monopolies, but network effects tend to create many others. What government action prevented anybody from buying an alternative OS pre-installed on their home PC without paying a fee to Microsoft in the process?

If you want to believe that monopolies are harmless you can do so. It really doesn't matter - corruption like the one in this article will ensure we never get rid of the government-sponsored monopolies let alone get rid of the ones I'd want to see go away.

Comment: Re:Well... (Score 1) 193

by Rich0 (#48915601) Attached to: White House Drone Incident Exposes Key Security Gap

I suspect you could also use an unregulated trebuchet to launch something over a fence, or perhaps an unauthorized weather balloon with a payload to drop something on your neighbor's lawn from altitude. Or a slingshot (although those might be illegal within city limits). The notion of a serious "security gap" is farcical because any reasonably intelligent person could come up with a number of clever ways to outwit fences and exclusion zones.

Yup. If it is THAT important to protect the president's life, then he shouldn't be anywhere near a window or wall that isn't armored.

Comment: Re:low-tech countermeasures (Score 1) 193

by ColdWetDog (#48915297) Attached to: White House Drone Incident Exposes Key Security Gap

High-pressure, wide-spread water canons should take out low-flying drones pretty quickly. The only advanced tech bit would be the targeting system.

Cool! Let's turn the White House into a giant fountain. That should spruce up the neighborhood nicely.

Really, the problem isn't the drone. It's the White House. If it wasn't there, then all of this whining and wailing would never see the light of day.

We just need to move the White House away from everyone who could possibly want to hurt its inhabitants. Given our newfound relationship with Cuba, I'm going to suggest we move the complex down to Guantanamo Bay.

Comment: Re:So what will this accomplish? (Score 1) 124

by Rich0 (#48914509) Attached to: Uber Capping Prices During Snowmageddon 2015

If you are freezing to death and the only thing that can save your life would be using that check in your pocket for a million dollars, you would burn that check, in order to save your life.

If this were literally a matter of life and death then the national guard should be herding people onto trucks to get them out of danger, and shooting looters in the street.

Since the national guard wasn't around to give people a lift, maybe we should offer additional compensation to the folks who take the risk of getting into an accident so that you don't have to.

Comment: Re:So what will this accomplish? (Score 4, Insightful) 124

by Rich0 (#48914477) Attached to: Uber Capping Prices During Snowmageddon 2015

Correct me if I'm wrong, but in normal operation on a busy night you can see Uber prices surge up to 500% or more. If you want to see anti-gouging laws implemented like they have in New Jersey, where gas stations and service providers are not allowed to increase their prices during a disaster situation, go ahead and support Uber's right to surge pricing whenever they want it.

What a surprise that during Hurricane Sandy there were huge lines in NJ and it was impossible to buy gas there. Maybe if they allowed prices to float people would have reconsidered the importance of their trip, but anybody with a need to drive could pay the $20/gallon to drive, or at least easily obtain enough gas to drive to someplace where it was cheaper (you only need a few gallons to get to an area not impacted by the storm). Also, if prices were higher you'd see everybody with a tanker truck driving east to fill up and offering the gas for sale at a street stand, which would provide far more gas to the region.

Instead it worked a bit like the USSR. If you knew somebody you could go buy cheap gas from FEMA, and if not you either stood in line all day long, drove 150 miles yourself for gas, or went without.

Comment: Re:only trying to help? (Score 2) 124

by Rich0 (#48914425) Attached to: Uber Capping Prices During Snowmageddon 2015

Exactly my point. They are only trying to make money for themselves, and if exploiting a disaster makes them more money, they will do that. Yet here we have people (like the OP) trying to claim that they are 'ensuring there are enough drivers'. Bullshit.

Free market pricing is desirable BECAUSE it ensures that there aren't shortages. That doesn't mean that this is the primary motivation of the participants in a market.

When you buy a smartphone you're not doing it to reward some kid for studying hard to become an engineer, but that is the result of your actions all the same. The smart kid isn't building the phone so that you personally can have one, but that is the result of his actions all the same.

All the benefits of a free market tend to be side-effects, but they're benefits all the same.

What is the alternative, capping prices and watching everybody stay home, so that you're stuck freezing on the side of the street when nobody wants to go pick you up?

Comment: Re:The system is corrupt ... (Score 1) 172

Free market does not require people to play by the rules or anything like that because there cannot be government rules.

Even most conservatives don't believe that free markets can work unless there is government restraint on monopolies, which tend to form in any free market due to economies of scale. Ironic that I have to point this out in the middle of a discussion about a cable company merger.

Comment: Re:We Really Don't (Score 1) 151

by Rich0 (#48914261) Attached to: How Do We Know the Timeline of the Universe?

Being testable against observations is an essential characteristic of a hypothesis. If it isn't testable against observations, it isn't a "non-ideal" hypothesis, it is pseudoscience.

How adorable that you can simply throw away the observational sciences.

I said that a hypothesis has to be "testable against observations." Presumably the observational sciences have observations. If their theories aren't testable against observation, then they aren't science.

Comment: Re:Misdirected Rage (Score 1) 535

by Rich0 (#48914225) Attached to: Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

I don't really understand the rage being directed at Google here. They have fixed the issue in new versions of Android. If they back-ported the fix to 4.3 (assuming that's even possible) what would make carriers/manufacturers implement the fix when they already aren't updating the core version? Nothing. And they wouldn't. The carriers/manufacturers have financially abandoned these older models in favor of their new stuff.

They could deploy it to their own phones. Half of the Google-sold phone models are vulnerable to this bug.

People are used to a big brother company controlling everything about a software experience (Apple, Microsoft). The Google approach is open. Unfortunately this requires the user to do a little bit of thinking, make an informed choice, and support the right companies with their money.

Which company would you buy an Android phone from to ensure that it received updates for the life of the contract, assuming your contract started on the last day the phone was available for sale?

Comment: Re:To be fair... (Score 1) 535

by Rich0 (#48913911) Attached to: Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

What are the chances that a vendor that declines to update 4.3 to 4.4 would be willing to do an update for a 4.3.x if Google bothered to do it?

Considering that Google won't even do this for their pre-4.4 Nexus phones, I'd say that the chances are pretty low. The fact that Google still won't fix its own phones doesn't let it off the hook. They don't actually make ANY commitment to update Nexus devices at all, and have no documented end of life policy. They're basically not serious about security.

Comment: Re:Not to be an apologist for Google, but (Score 1) 535

by Rich0 (#48913877) Attached to: Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.

They control the updates on the GSM Galaxy Nexus phone. It isn't getting the security patch.

Comment: Re:The solution is obvious (Score 1) 535

by Rich0 (#48913781) Attached to: Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

My point was that it would not be Microsoft's fault in this scenario, not that this scenario happened often. So maybe in the same way that people are not dumb enough to buy computers from companies selling computers with Windows XP in 2014, they should become smart enough not to buy phones with locked bootloaders (making them dependent on hardware vendors to get Android updates).

So, people should be smart enough to not buy any phone that works on the Verizon network, any phone sold in an AT&T store as part of a contract, and any phone in a T-Mobile store sold under a purchase plan other than 1-2 models in the US?

You're basically saying that Android is great as long as you don't buy 99% of the devices on the market.

And even if you buy, e.g., a Galaxy Nexus with an unlocked bootloader, the company that sold it to you (Google) only provided support for 1.5 years from the date the device FIRST went on sale. MS supports Windows for 10 years after the NEXT version of Windows goes on sale. That is why 95% of the PCs in businesses are STILL running Windows despite all the talk about the death of the desktop. I don't really have a problem with the death of the desktop, but businesses aren't going to buy into an alternative that isn't supported for a long time. They're fine with BYOD, since they're not the ones paying for support.
