
Comment: What's the term for a prophylactic prediction? (Score 5, Insightful) 677

by myvirtualid (#49039595) Attached to: Empirical Study On How C Devs Use Goto In Practice Says "Not Harmful"

There is an implication that Dijkstra was wrong about the goto - the implication being based on how conservatively it is used.

Perhaps it is wiser to conclude that the goto is used so conservatively because Dijkstra was right and that programmers have, in general, taken his wisdom to heart and avoided the goto except for those instances where, properly documented, it is the best tool for the job.

(By prophylactic prediction I mean the sort of warning or planning that completely forestalls the danger predicted, through awareness, preparation, etc. Kind of like the Y2K non-event.)

Comment: Re:Briefing for management - reuse with attributio (Score 1) 318

by myvirtualid (#47997167) Attached to: Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Hey, I'm not saying the practices that make people vulnerable are wise - just that they exist and that unless positive steps are taken to test and, where necessary, fix, systems will be vulnerable. After all, we are seeing reports of the vulnerability being exploited in the wild, so we know there are affected systems out there. If we've done our jobs right, they won't be ours - but we cannot just hope that we've done our jobs right - and we do need to advise management that a) we're aware of the issue, b) we did our jobs right, and c) we're double checking, just to be safe.

Comment: Briefing for management - reuse with attribution (Score 5, Interesting) 318

by myvirtualid (#47996319) Attached to: Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Folks, for what it's worth, here is a management briefing I wrote this morning. Please feel free to re-use, but please do give proper attribution. Please do comment and correct as appropriate.

Summary: Briefing for management on activities to minimize impacts of the "shellshock" computer vulnerability.

Status: Testing underway. Our initial scans and appraisals are that our public-facing systems are likely not subject to shellshock. NOTE: The situation is fluid, due to the nature of the vulnerability. Personnel are also reaching out to hosting providers to assess the status of intervening systems.

What is it? A vulnerability in a command interpreter found on the vast majority of Linux and UNIX systems, including web servers, development machines, routers, firewalls, etc. The vulnerability could allow an anonymous attacker to execute arbitrary commands remotely, and to obtain the results of these commands via their browser. The security community has nicknamed the vulnerability "shellshock" since it affects computer command interpreters known as shells.

How does it work? Command interpreters, or "shells", are the computer components that allow users to type and execute computer commands. Anytime a user works in a terminal window, they are using a command interpreter - think of the DOS command prompt. Some GUI applications, especially administrative applications, are in fact just graphical interfaces to command interpreters. The most common command interpreter on Linux and UNIX is known as the "bash shell". Within the last several days, security researchers discovered that a serious vulnerability has been present in the vast majority of instances of bash for the last twenty years. This vulnerability allows an attacker with access to a bash shell to execute arbitrary commands. Because many web servers use system command interpreters to fulfill user requests, attackers need not have physical access to a system: The ability to issue web requests, using their browser or commonly-available command line tools, may be enough.

How bad could it be? Very, very bad. The vulnerability may exist on the vast majority of Linux and UNIX systems shipped over the last 20 years, including web servers, development machines, routers, firewalls, other network appliances, printers, Mac OSX computers, Android phones, and possibly iPhones (note: It has yet to be established that smartphones are affected, but given that Android and iOS are variants of Linux and UNIX, respectively, it would be premature to exclude them). Furthermore, many such systems have web-based administrative interfaces: While many of these machines do not provide a "web server" in the sense of a server providing content of interest to the casual or "normal" user, many do provide web-based interfaces for diagnostics and administration. Any such system that provides dynamic content using system utilities may be vulnerable.

What is the primary risk? There are two, data loss and system modification. By allowing an attacker to execute arbitrary commands, the shellshock vulnerability may allow the attacker to both obtain data from a system and to make changes to system configuration. There is also a third risk, that of using affected systems to launch attacks against other systems, so-called "reflector" attacks: The arbitrary command specified by the attacker could be to direct a network utility against a third machine.

How easy is it to detect the vulnerability? Surprisingly easily: A single command executed using ubiquitous system tools will reveal whether any particular web device or web server is vulnerable.

What are we doing? Technical personnel are using these commands to test all web servers and other devices we manage and are working with hosting providers to ensure that all devices upon which we depend have been tested. When devices are determined to be vulnerable, a determination is made whether they should be left alone (e.g., if they are not public facing and patches are either not yet available or would be disruptive at this time, or if there are other mitigations or safeguards in place), patched (e.g., if patches are available and are low impact), or turned off (e.g., if patches are not available, risk is high, and the service is not mandate critical).

Updates to this briefing will be provided as the situation develops.
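The "single command" the briefing refers to, as an added example that is not part of the original comment: the widely published local self-test for shellshock, run against a host's own bash. An exported-function-style environment variable with a trailing command is handed to bash; an unpatched bash executes the trailing command while importing the function, a patched bash ignores it. The function name shellshock_check, the marker string and the optional path argument are my own additions; it assumes a bash binary on PATH unless a path is given.

```shell
#!/bin/sh
# Added example (not the briefing author's): local shellshock self-test.
# Prints "vulnerable", "patched" or "absent" and always returns 0 so it can
# be used from scripts that run under set -e.

shellshock_check() {
    # $1: path to the bash binary to test (assumption: defaults to "bash" on PATH)
    bash_bin="${1:-bash}"

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "absent"
        return 0
    fi

    # The environment variable looks like an exported function definition
    # followed by an extra command. The marker is only printed if bash
    # executes that extra command while importing the function.
    result=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$result" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
    return 0
}

# Usage: test the bash on PATH, then a specific binary if one is given.
shellshock_check
[ -n "$1" ] && shellshock_check "$1"
```

Run it on each host you manage (or hand it a path such as /bin/bash on systems where several shells are installed); a patched bash will typically also print a warning about an ignored function definition attempt on stderr, which the function discards. The result of the trailing command is the whole test, so "patched" here means only that this particular bash does not run it.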

Comment: An odd mild R-G - but only now do I know.... (Score 1) 267

by myvirtualid (#47624921) Attached to: My degree of colorblindness:

I've known for 30 years that I was colour confused; it was diagnosed during my pre-hire medical at IBM. I've always described it symptomatically, as in "certain pinks and purples appear grey, my favourite brown shirt is green, but occasionally, I'll see a hint of green". And I've long thought that my CC was partly influenced by diet (the shirt would be greener after meals in certain restaurants, but I could never pin down the magic ingredient combo).

I have it on good authority that Mars is red, but I see it as a faint light of undetermined colour.

I had my eyes checked last week. I said all of the above to the examiner. He said something along the lines of "Huh, I've never heard of that before".

Then I described how I have a hard time scooping the yard: I have to work really hard to see the shit for the grass, but when I do, it becomes more obvious. There isn't enough contrast for me to pick it out without cognitive effort, but with said effort it becomes clear.

"Huh", he said, "It sounds like you have a very mild form of red-green colour blindness".

Interesting. I've never had a problem with traffic lights, red is one of my favourite colours, and I love the infinite variety of greens of spring. But picking a cardinal out in a dark green tree is tough - do-able, but tough. It's much easier in a light green tree.

So two weeks ago I would have answered "different form" but today I chose "mild R-G".

As my daughter would say, "That was a great old man story, thanks for sharing".

Comment: Slightly misleading, fearmongery headline (Score 4, Informative) 114

by myvirtualid (#47449851) Attached to: Critical Vulnerabilities In Web-Based Password Managers Found

This was on HN a few days ago; my comment there was the same: In the case of LastPass, the headline is misleading and a little fearmongery.

There were two issues with LastPass and NEITHER affected its storage of persistent passwords, that is, neither affected the feature the vast majority of us use password managers for!

One concerned a targeted attack against one-time passwords (OTP), the other concerned bookmarklets, which are used by less than 1% of the user base, according to LastPass. Personally I didn't know either feature existed until I read the LastPass blog entry about these two vulnerabilities.

A truer headline would have been "Vulnerabilities found in less-frequently used features of LastPass; persistent site password storage unaffected".

Comment: I love my Viera and was hoping to upsize.... (Score 3, Interesting) 202

by myvirtualid (#45293923) Attached to: Panasonic Announces an End To Plasma TVs In March

We have a c.2003 52" Viera and love it.

The brightness is not an issue: it's on the North wall of the living room, facing a large window, and if it is "too sunny", I close the drapes. Done.

The viewing angle is amazing. Sunday night suppers are often prepared standing at the counter "just this side" of the family room, watching football.

I've stayed away from L[CE]D TVs because plasma just seemed like a better solution.

And now they will go the way of Betamax.

Silly consumers, believing hype and myth, buying poorer tech, and not saving a whole lot doing it....

Comment: It's free. Why does App Store need a credit card? (Score 0) 222

by myvirtualid (#45209335) Attached to: OS X 10.9 Mavericks Review

I don't use iTunes or iBooks or any other Apple media apps. I've only had my Air for a few months, and I do love it so, but.... If Mavericks is free, why does the App Store need a credit card in order for me to download it?

I do not plan on purchasing anything through iTunes. Never say never, sure, but I don't. Ever.

Guess I can't have Mavericks.

Even though it's free.

Kudos, Apple, you've given me my first reason to feel less than happy about a hardware purchase I reveled in.

(Originally posted in wrong discussion, mea culpa; since then, I've discovered one can bootstrap iTunes/AppStore integration without a CC, but it requires attempting to download a free app and entering tombstone info - still too much for a free OS update, IMHO, but better in a kludgey, hackish way.)

Comment: It's free. Why does the App Store need a CC? (Score -1, Offtopic) 166

by myvirtualid (#45208115) Attached to: Wikipedia Actively Battling PR Sockpuppets

I don't use iTunes or iBooks or any other Apple media apps. I've only had my Air for a few months, and I do love it so, but....

If Mavericks is free, why does the App Store need a credit card in order for me to download it?

I do not plan on purchasing anything through iTunes. Never say never, sure, but I don't. Ever.

Guess I can't have Mavericks.

Even though it's free.

Kudos, Apple, you've given me my first reason to feel less than happy about a hardware purchase I reveled in.

Comment: ...teleports the douchii to random places.... (Score 1) 443

by myvirtualid (#45208079) Attached to: I wish my car could...

Well, not quite random - to the polar opposite of current weather conditions.

It's winter (I live in Ottawa - think Minnesota with Chicago's wind and Houston's humidity).

Dude cuts me off.

I press the button.

Dude finds himself in Kandahar.

It's summer (think Kandahar temperatures with Houston's humidity - detect a theme yet?).

Dude cuts me off.

I press the button.

Dude finds himself in McMurdo.

I used to think I wanted photon torpedoes, but those would create debris, which might damage my vehicle. Or me.

Then I thought phasers. But that would still take life and teach nothing.

So semi-random, climate-coupled teleportation. That's the ticket.

And the car should fly. Of course. VTOL.

Comment: Investigate Center for Open Science, framework (Score 1) 465

by myvirtualid (#45156401) Attached to: Ask Slashdot: Best Language To Learn For Scientific Computing?

In addition to the excellent comments previously made, consider investigating the Center for Open Science, specifically their information for developers, and the associated Open Science Framework (note: will display only if cookies are enabled; I've no idea what value they provide in this context and will be contacting them about that).

They may not have anything that can help you. Or they might. Or you might be able to help them. Or not. YMMV, etc.

Worth taking a peek, anyway.
