There's a bit more information available now:
An elevation of privilege affecting the entire domain is certainly critical, particularly when it's already being used in attacks.
This means that if the attacker has control of one machine in the domain, he or she can take control of every other machine, including the servers.
No, the security bulletin is very clear that the vulnerability doesn't affect client versions of Windows. The patch has been made available anyway only as a defense-in-depth precaution.
If you look at the "Affected Software" table, you will note that the "Maximum Security Impact" is "None" for client versions.
(OK, I guess it depends on what you mean by "affect". But the upshot is that you only need to patch servers - more specifically DCs - now, everything else can wait and be done with next month's updates.)
Hmmm. Good points. Well, I don't suppose it matters to me any more, it's been years since I wrote anything in Java. (It was a major pain at the time, though; I had a small but significant investment in Java code, and I pretty much had to abandon it. At the time, at least, Microsoft's Java was the only one that produced executables that would just run without needing something else installed first.)
(If Google wins, does that mean Microsoft can put Java back into Windows again?)
Very cool technically speaking, and good for system designers
It isn't clear to me that Google ever intended this to be a commercial product, or at least not in the short-to-medium term. Treated as a research project, it is impressive regardless of the practical limitations.
In reality, in nations like New Zealand (and Japan, I believe) criminals rarely use guns. A well-connected crook can get a gun if he wants one, but the risks generally outweigh the benefits. (For a start, using a gun to commit a crime guarantees much more police attention than you would otherwise get. And if you do get caught, you can expect a much harsher sentence.)
Doesn't surprise me at all, and hardly seems a fair criticism. I would expect most hosting services would prohibit sites that are likely to cause disproportionate load, unless they have a charging model that allows for it.
That's a slight misrepresentation. The surveillance was thought to be legal at the time it was carried out, and it *should* have been legal - that is, the original law was not intended to prohibit it but was merely badly drafted. In circumstances like that, prosecution would be grossly unjust.
The article says "Experts suggested that the FBI didn't see leakage from the site's login page but contacted the site's IP directly and got the PHPMyAdmin configuration page." That's the technical claim I'm talking about, and the only one that I've seen so far in support of the contention that the site was hacked.
If this claim is credible, then the site was in fact responding on its routable address, and might (at least in principle) have been found by scanning the internet.
If this claim is not credible, then I'd like to know what credible evidence *has* been presented.
(As an aside, a few days back I saw someone claim to have identified a specific mistake in the configuration file that caused the site to allow connections that didn't come through Tor, but I can no longer locate this claim and can't speak for its technical accuracy.)
Has the defense presented any actual evidence that the site was hacked?
The Ars Technica article says: "Experts suggested that the FBI didn't see leakage from the site's login page but contacted the site's IP directly and got the PHPMyAdmin configuration page. That raises the question of how the authorities obtained the IP address and located the servers."
You're quite right, I hadn't read the article you were referring to - assumed it was more of the same, to be honest - and so was reading your post out of context. Sorry about that and thanks for the clarification.
As far as I know, though, bash itself (the upstream version) hasn't accepted the comprehensive patch yet? I think that's what the writer meant, not that none of the individual distributions have applied it.