
Comment Re:Taxing consumption is archaic. (Score 1) 839

You could just as well say that wind energy is a relic from times before the steam engine was invented, or that the electric car is a relic from times before the internal combustion engine became mature. Sometimes old ideas regain their relevance in the face of new developments, deal with it.

As for consumption tax being regressive, that would have been a good point, except that TFA quite explicitly talked about progressive tax on consumption (i.e. don't tax basic goods but do tax luxury items).

Comment Re:Climate change is degrading the military (Score 1) 228

Let's get this straight: you're so rabidly anti-public-spending that you're willing to trample all over article 23 of the Universal Declaration of Human Rights for it? (And no, the USA is not exempt.) It makes me sad that a supposedly intelligent person can seriously suggest things like this, and makes me fear for the future of American democracy. What ever happened to "freedom"? Does that only count when it comes to guns?

Comment Re:symbols, caps, numbers (Score 1) 549

Yup, and that's exactly why they keep these in plain text.

I have always questioned the wisdom of using these kinds of security questions at all. If they are used as an extra factor in authentication, then there is some rationale to it, though there are far stronger multi-factor schemes. The really scary part is that a lot of places (fortunately not banks) allow users to reset their password with little more than a correct answer to a security question, which can often be found on Facebook etc...

Comment I came here to say just that (Score 1) 644

It would be a tribute to the much-beloved X Windows, which was obviously their inspiration for introducing workspaces aka. virtual desktops.(*)

(*) Yeah, yeah, I know that this is a feature that is implemented in (most FOSS) window managers, and that X has nothing to do with it. The joke works better like this, OK? Oh yeah, and the part about X Windows being beloved was sarcasm.

Comment Re:Arstechnica = fail (Score 1) 208

You might want to read my post again. Slowly. Note that in my last paragraph, I was not talking about CVE-2014-6271, but about the other thing Norihiro Tanaka tried. Also note the presence of the word "unlike" in my post. Either you missed that, or you misunderstood the information in your link. If so, to clarify: the old by-design behavior for passing a function to a subshell was by itself not remotely exploitable; it merely forced the shell to parse each and every env variable, making any bugs in the parser (we're counting 6 so far if I'm still keeping track) remotely exploitable. What Florian Weimer did is essentially limit the parsing of env variables to the ones that start with "BASH_FUNC_", which ordinarily cannot be set remotely (unless the daemon or client is criminally insecure). This is more a "defense in depth" style security enhancement than an actual bug fix, and it does have the potential of breaking bash scripts that are too tricky for their own good. It's also a must-have, long overdue, and has the beneficial side effect of eliminating potential namespace collisions between shell functions and other variables, so the "too tricky for their own good" script authors will have to suck it up.

Comment Re:The whole function exporting mechanism is a bug (Score 1) 208

Yes, that was Florian Weimer's suggestion as discussed in the arstechnica article (which is probably where you got the idea), and is exactly what they did in the last round of patches.
Old behavior:
$ x() { echo foo; }; export -f x; env | grep foo
x=() { echo foo

New behavior:
$ x() { echo foo; }; export -f x; env | grep foo
BASH_FUNC_x()=() { echo foo
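The two checks below, added here and not part of the thread, turn the old/new behaviour shown above and the explanation two posts up into something you can run against the bash on a given host: the first reports whether exported functions land in the environment under a BASH_FUNC_ name or under the bare function name, the second whether a child bash still turns an arbitrarily named variable whose value starts with "() {" into a function (the pre-hardening parsing of every env variable). The variable names x and probe and the result strings are constructed for the example; the script itself is POSIX sh and only calls bash as a subprocess.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread. Inspects the function
# export mechanism of the installed bash. Names x and probe are constructed.

# Prints "prefixed" if an exported function appears in the environment under a
# BASH_FUNC_ name (the post-2014 hardening), "legacy" if it appears under the
# bare function name, "nobash" if no bash binary is available.
export_format() {
    command -v bash >/dev/null 2>&1 || { echo nobash; return; }
    out=$(bash -c 'x() { echo foo; }; export -f x; env' 2>/dev/null)
    case "$out" in
        *"BASH_FUNC_x"*) echo prefixed ;;
        *"x=() {"*)      echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Prints "imports" if a child bash turns a plain variable whose value looks
# like a function body into a shell function even though its name carries no
# BASH_FUNC_ prefix, "ignores" if the variable stays a plain variable,
# "nobash" if bash is absent. A hardened bash only imports BASH_FUNC_* names.
arbitrary_import() {
    command -v bash >/dev/null 2>&1 || { echo nobash; return; }
    if env probe='() { echo imported; }' bash -c 'type probe' 2>/dev/null \
        | grep -q 'is a function'; then
        echo imports
    else
        echo ignores
    fi
}

printf 'export format: %s\n' "$(export_format)"
printf 'arbitrary import: %s\n' "$(arbitrary_import)"
```

A bash carrying the Florian Weimer change reports "prefixed" and "ignores"; a pre-patch bash reports "legacy" and "imports". The second check deliberately makes no use of anything after the function body, so it only observes whether the import happens, which is the property the post is about.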

Comment Re:Not to praise Apple, but... (Score 1) 208

It pains me to defend the Apple fanboi, but what you say is not entirely true. The DHCP client in question explicitly calls "/bin/bash"; bash is a dependency for it. Of course, there do presumably exist Linux distros that use a different DHCP client, but in my understanding, the vulnerable one is quite widespread. The only saving grace (for a short time) is that remotely exploiting the DHCP client flaw is substantially more complex than remotely exploiting the web server flaw, and that the major distros already released full patches by yesterday morning.

Comment Re:Shellshock a result of inappropriate use of bas (Score 1) 208

You have a lot of good and true points, but there are a couple of huge mistakes in your post that I cannot let stand uncorrected.

AFAIK, the original Bourne shell hasn't been maintained since 1989 or so; if you were to distribute it today as /bin/sh, your distro would doubtlessly be plagued by the most embarrassing buffer overflow and other vulnerabilities. What Debian and its derivatives do is link /bin/sh to dash, the Debian Almquist Shell, which is a modern and well-maintained project aimed at providing a lightweight shell that throws out all interactive features yet has a rich set of non-interactive scripting features that far surpasses the original Bourne shell - not as rich as bash, but good enough for present-day shell scripting. I remember when they took the jump (which required months of preparation consisting of purging bashisms from common shell scripts), boot times were suddenly slashed in half because repeatedly initializing dash processes is so much lighter on the system than doing the same with bash. And as you said, as a side effect, security also benefits.

Redhat aside many third party shell scripts are written in bash that use no bash features

This is factually incorrect; when was the last time you installed something that didn't come out of a Debian repository? Red Hat is incredibly popular in corporate environments, and almost all 3rd party "#!/bin/sh" scripts are actually chock full of bashisms because their customers ask them to target Red Hat and their programmers are Red Hat inbreds who wouldn't know a bashism if it hit them in the head. And remember that a lot of FOSS development is being done within corporations... The pervasive bashisms are why it took Debian so much effort to switch and why Red Hat never did.

Comment Arstechnica = fail (Score 1) 208

The Arstechnica journalist Sean Gallagher really dropped the ball on this one:
- His information was behind even when it was published. On the 25th of September around 22:00 EST (depending on the version you're running), Debian issued a patch that fixes the new vulnerabilities CVE-2014-7186 and CVE-2014-7187 AND implements the Florian Weimer suggestion, strongly mitigating the exploitability of any future parser bugs. Red Hat and Ubuntu took their sweet time validating this patch suite, but eventually followed suit the evening of the 26th and the morning of the 27th, respectively.
- The Norihiro Tanaka "bug" is documented and intended behavior, which Sean Gallagher could have known simply by clicking next in thread! Specifically, it's how bash passes shell functions to a subshell. Unlike shellshock, it could only be exploited remotely when allowing a remote attacker to set variables with arbitrary names, which is not the case for any widespread software package. If it was, you'd be lost regardless of which shell you're using and it would have been exploited ages ago. Even the Florian Weimer improvement doesn't change this.
