Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:How is everyone supposed to use Emacs? (Score 1) 524

ha ha ... a bluetooth keyboard with a single key labelled "ESC". Would probably cost around $50 and in a few months would be a security vector or something that corrupts all the data

No silly, the USB-C version is only $30. Except, you can't use that whilst charging..... ;-P

Comment Re:Why does everyone use such small TTLs now? (Score 1) 56

Why does everyone use such small DNS TTLs? Checking some of the domains (including twitter) that went down, their TTLs are all less than 200...are their networks so dynamic that 1800, 3600, 7200 wouldn't work? Would really minimize the effect of DNS outages...

Perhaps so they can better deal with DoS attacks on their services; if their web server is under DoS attack, they can simply switch to another IP, but with a high TTL, it would take longer for the new IP to take effect.

Comment Re:Random prefix workaround (Score 1) 56

Problem is the same system could be use to mount a.... [D]DoS attack on services that depend on sub-domains. E.g. if "example.com" has a business where each customer has their own sub-domain, then all a hacker needs to do to deny-service to example.com is make multiple failed DNS requests.

Not that your idea isn't a bad one though... it *may* help Dyn themselves mitigate the attack somewhat by given dodgy looking requests a lower priority. But it doesn't really solve it.

My best idea is actively hunting vulnerable devices and bricking them... but I'm guessing this might not be a popular option!

Comment Re:I'm not a company (Score 1) 208

This is a person who according to Ken Clarke, didn't really want to leave the EU any more than Boris did... basically, these type of people say one thing in order that the party will like them, they can get power, but then do something completely different.

The *only* reason website ratings and "think of the children" narratives are being mentioned now is simply to appeal to the people who may select her. And that's all.

It's entirely self-serving.

Comment Re:Less money but more creators? (Score 2) 288

The thing that struck me about their point that YouTube enabled people to carry virtually every song ever in their pocket... well I was just thinking, yep, that's fucking amazing. So, what exactly is it that these artists have done that's so worth hindering human advancement?

I think you're absolutely right, and I also agree with Gr8Apes comment about the relatively recent music industry basically being a blip.

Comment Re:Why don't web server scripts require exec bit? (Score 1) 50

They inject code right into the script that already has the execute bit set. It's not uncommon, I've seen it myself.

Looking at this specific example, WP Mobile Detector flaw, I can't see how that would be possible.

Just to recap (mostly for my own benefit to make sure I'm not going mad!), this flaw works by sending a URL to a vulnerable website. The vulnerable website then uses file_get_contents() to read the file... it is assuming the file is local, but actually it's a URL to somewhere else. If the server is configured with allow_url_fopen then file_get_contents() will perform the necessary HTTP GET to retrieve the contents of that file. The file still needs to be written to disk, which in this case is performed by file_put_contents().

None of the above is going to set the execute bit.

Comment Re:Why don't web server scripts require exec bit? (Score 1) 50

This doesn't help anything because the script they inject the code into already has the execute bit set.

Erm... no!

They're not uploading the script using SFTP or anything that might preserve file permissions; they're uploading using an existing, insecure, PHP script on the server. That will only allow for the file content and the file name to be preserved, so unless the PHP script explicitly set the file as executable, then it wouldn't be executable. The problem is, right now, it doesn't need to be executable in order to execute!

Comment Re:Why don't web server scripts require exec bit? (Score 1) 50

I don't think it would be a problem having PHP set it's own execute bit if it wants/needs to. A big problem seems to be with CMS-type sites where a user can upload content where (currently) miscreants can inject script. If the execute bit were required before script could be executed, then that would seem to avoid quite a lot of problems... unless a CMS were to set execute on user uploaded content, which would be dumb!

Slashdot Top Deals

To get back on your feet, miss two car payments.

Working...