2758 posts • joined 26 Jul 2008
Re: How to check?
>>"Don't Windows Servers use BASH? Not feeling so smug now, eh?"
Not sure if you're just really bad at over-elaborate sarcasm, or thick as a pig. I'm leaning toward the latter.
Re: A bad decision works out well
>>"It's the external company's problem now."
You're not by any chance a government employee in charge of hiring third party contractors, are you?
>>"Simple task: how can I test my apache server for vulnerability, how can I switch off CGI altogether?"
To test it, you'd have to write something that passed the exploit into an environment variable. Simple enough, but application specific so I can't answer. Maybe someone else can suggest something. To turn off SSI and CGI on Apache, use the following options:
Or if it were on a directory by directory basis:
Options -Includes -ExecCGI
Hope that helps. I'm not an Apache expert.
>>"Code on Unix like systems can not run with any more permissions than the program at the interface ie the web server"
This again? Same thing was posted in the last article on this and it was just as foolish then. The above is true and yet does not make such a compromise less of a disaster. If I can execute arbitrary scripts with the privileges of the web server I can scarf all the data from whatever database is running your site, read all the application code for your site and look for other vulnerabilities, subvert your site to distribute malware or capture your users' credentials... And a lot more. The above is a very big thing.
Well with a lot of sunshine your menstrual cycle can shorten (ovulate more) so maybe with the Midnight Sun phenomenon and reeeeaalllly long days, your "fecundity" could technically go up?
Best I can come up with.
Re: It's not about the ads
Until someone flags it as happened to hundreds of people recently who Facebook now insists they provide a real name and birth certificate:
Personally I'm fine with paying a little money for a service. The thing about ads is that it's all about volume (as they have a really low return rate) and it doesn't take much actual direct payment from your users to match or exceed what you get for shovelling ads in their face all day long.
I used to be a Premium Spotify subscriber way back - perfectly happy to pay the modest fees for the ad free service. I only left because these days they insist on Facebook integration and are all about tracking you.
Re: @beep54 So What?
>>"I wonder how many people would pay $175 a year for a social network"
I imagine it would weed out the trolls beautifully.
El Reg really have outdone themselves with this headline. Very nice!
Re: It's not about service to customers (dhuh) it's all about profits
>>"8K HiDef TV's are not, and will never be mainstream, so there's no need to worry about"
Indeed. 1080p should be enough for anyone.
Re: Linux novice question.
>>"Interesting you should say that. This suggests you are looking at design patterns rather than coding errors."
Actually, though I've never put it in those terms, the older I get the more that is my first approach to reviewing code. Reviewing other people's work is one of the things I do professionally these days (I consider myself very lucky, btw) and I do start with this if I'm beginning at a high enough level and it's not just "is this okay to push live?"
I would be very, very interested in any automated tools or approach to testing design patterns. I suspect like many problems, once we can formally define it, automating it will be straight-forward. And that would be a very big deal. (I got modded down furiously the other day, btw, for suggesting that within my lifetime computers would one day be better programmers than humans).
Re: That was quick! In comparison to Windows, for example...
Well technically speaking, it took 22 years to fix. So let's not use this bug as a reason to attack others... ;)
Re: I can connect to whatever database powers your site
>>"You might be able to connect but you cant scarf any data from it. Any sensible web admin will have configured it to not to allow random sql to be run over the connection between the web server and the DB."
The number of web applications that assemble their own SQL: very high. Even if they don't assemble it dynamically they read it from a file of SQL statements on...guess where: the web server.
Number of web-applications that retrieve data ONLY by pre-created stored statements in the database: far, far fewer.
Number of web-applications where even pre-created stored statements couldn't be abused to extract tonnes of confidential data: vanishingly small.
In short, being able to execute arbitrary code with the privileges of the web server is a massive security flaw and don't pretend otherwise.
Re: And they said I was crazy
>>"My impression is that it inherits the bad qualities of standard *NIX shells and adds a bunch of its own"
Your impression is very wrong. It's fundamentally different to Bash. They're very dissimilar. For example, Powershell is entirely object orientated. This isn't really the place for it, however. I'll link back to an old discussion on it if you're interested. Link. It started off just asking what was the best Powershell terminal but then some people turned up and started ranting about how inferior Powershell was to Bash and it became a very informative discussion (albeit some people got pretty upset). If the above is your genuine impression - that Powershell is Bash with worse bits grafted on, then seriously - read the above and see what you think.
Well, unless your Windows computer connects to a webserver running GNU/Linux which has been compromised using this exploit and serves you malware / steals your credit card info / exposes your real identity / etc. A security problem like this is a problem for everyone regardless of favoured OS. One reason I hate all the football team mentality - it's such an attitude of "I'm alright so that's all that matters". No islands on the Internet.
Re: oh yes?
>>"using whose login credentials? You don't think that a readonly access to limited data is the same as full access to everything and to get that password anyway"
No password, no login credentials. Post I replied to talked about "only" having privileges as the webserver. I'm quite right to point out that webserver privileges allow a huge amount of dangerous activity. If I can execute arbitrary scripts as the apache process I can do all of the things I described and more.
>>"and apache does not have access to the scripts necessarily."
You're creating your own scripts with this exploit over CGI.
Re: Wow that was quick.
Well it's not exactly an involved fix. Someone has basically just added a patch which scans environment variables for the beginning and end of a function definition and then spits out the text "error importing function definition for Foo'" if there's anything still trailing after the definition. The patch is probably about six lines long. ;)
It's not even what you could call a good long-term solution (though it will probably end up the long term solution due to lack of other easy options), it's just an "OMG!PATCHTHISNOW" bit of coding.
The real joy is tracking down and fixing all the vulnerable systems and worrying about whether you've been compromised by this exploit, not that it's been patched today.
Re: Wow, just wow
Yeah, I think you can spot the difference here between the professionals and those with a football team mentality. Someone further up was dismissive of the problem because it "only let you execute with the privileges of the web server". That's actually only talking about the HTTP vector but anyway, who thinks that's not a security disaster?
But six people have modded that post up so far I'm presuming because it sounds wise or supports their belief in an OS's invulnerability. It's a quite alarming degree of smugness.
Re: Linux novice question.
There isn't a completely solidly centralized process of testing with Linux but testing of it is done. You have things like the Linux Test Project and there's Autotest. There are a variety of tools for testing.
The problem with something like this is that it's a design error. The reason you can pass function definitions into environment variables is so that when a Bash process creates a child shell, it can inherit the parent's defined functions. So a child shell is created, environment variables are inherited and when that happens the child shell notices something has a () in it and executes it thinking it's a function definition.
It's almost stereotypically old school UNIX. Someone needed something to happen, saw a quick and simple way to achieve it, implemented it. It's what I call the 'Stallman Approach'. Need something - build something.
With a more modern design, more OO-based, this probably would never have happened. But UNIX/Linux is very big on passing around text (the basis of all its pipelining and things such as this). We didn't have all this new-fangled OO stuff back then. Seriously - I remember when OO was the new thing. We had Bash and Vi and we MADE THEM WORK!
Anyway, I've gone on a slight side-track. The point is, that yes there are automated test tools and some automated testing is done (though lots of room for improvement tbh). But that something like this is really hard to pick up with automated testing. There's NOTHING wrong with the implementation of the code. No out by one errors, no buffer overflows, it doesn't access memory it's not supposed to. It's just excellently written to do something it shouldn't.
TL;DR: Design problems are tricky.
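The two halves of the behaviour described in the post above (the intended feature of inheriting exported functions through the environment, and the post-patch self-check that a defender runs to confirm trailing text after a function body is no longer executed), as an added example that is not part of the original thread. It assumes `bash` is on PATH; the marker string is constructed and harmless.

```shell
#!/bin/sh
# Added example, not from the original forum thread.
# Part 1: the legitimate feature. A parent bash exports a function with
# `export -f`; the definition travels in the environment and the child
# bash imports it, which is why function bodies appear in env vars at all.
inherited_function_output() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    bash -c 'greet() { echo "hello from parent"; }; export -f greet; bash -c greet' 2>/dev/null
}

# Part 2: the patch-verification check. A constructed variable holds an
# empty function body followed by trailing text (a plain echo of a marker).
# A patched bash imports nothing past the closing brace (or, on current
# releases, does not treat a plain variable as a function at all), so the
# marker never appears. An unpatched bash would run the trailing text when
# the child starts, and the marker would show up in the output.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env probe='() { :;}; echo TRAILING_TEXT_RAN' bash -c 'echo body' 2>/dev/null)
    case "$out" in
        *TRAILING_TEXT_RAN*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Stand-alone run: report both results.
echo "inherited function says: $(inherited_function_output)"
echo "bash env-function import status: $(shellshock_status)"
```

On a patched host the second line reads `patched`; the status function is what you would drop into a fleet-wide audit script.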
Re: Linux = Making Windows look Great
You're an idiot troll looking for attention by attacking people far more talented than yourself. You couldn't do better and you've clearly never even tried or you'd know how hard developing ANY modern OS is. Hint: "beyond you."
Re: Always been there or new?
>>"No, the article says The vulnerability is present in Bash through version 4.3, which is somewhat ambiguous, but means basically up to 4.3. The article also says the bug is 22 years old."
Oh shit. Thank you for correcting me. That means we've had a major vulnerability for a really long time. I find it really unlikely there aren't people out there who haven't known about this.
Note, the vulnerability notice I've read says problem since 3.0 which would mean at least since 2005. I'm not sure where the 22 years comes from. But I'm not saying you're wrong.
>>"You can only do things within the privileges of the web server"
I don't think that word "only" means what you think it means. Give me arbitrary execution on a server with Apache's privileges and I can do quite a lot with that. At the very least I can connect to whatever database powers your site and scarf all your data, read all the code of your site (looking for other vulnerabilities) and we haven't even got to subverting your site to serve malware, yet.
Fortunately I don't think so many webservers these days run CGI, do they? But still, there is a reason experts have classed this as a '10 out of 10' for seriousness and it's not because they know less about it than you do.
Also note that you're only talking about the HTTP vector. There are others, though that is the most likely.
Re: Always been there or new?
>>"If the former it's scary to think just how many holes there must be out there"
Article says it's been present since 4.3. IF that is correct then that means since around February this year. Obviously distributions will vary according to precisely when they became vulnerable, but we're looking at that sort of time span of vulnerability where it wasn't known. Patching everything may take some time.
Re: No ugly feminists
>>"If there is a hint of truth to what you've said, think about it, a world in which men judge and treat women based on their looks, and the group that end up trying to fight that aren't as good looking as the group that accept it. Is that really too hard for you to work out?"
Possibly, but the real reason for the "ugly feminist" attack is pretty much always just an attempt to dismiss feminist arguments on the supposition that their only motivation is that of a bitter loser vengeful because a man doesn't want her. It's a peculiarly sexist attack which supposes a woman's beliefs are determined by male desire. And like all ad hominems, is a way of avoiding an argument in favour or discrediting its proponent.
I think that may be the best comment on the topic here. Thank you.
>>"really wonder what would happen if a local pool held a 'male only' swim session.... there would be uproar"
I highly doubt that. It would probably just raise the odd eyebrow because some would assume it was a Gay event. Fact of the matter is that there is little demand for a "male only" swimming session because few men feel sufficiently uncomfortable being stared at by women that they'd require it. But for some women of Muslim background, it's the only way they'll feel comfortable to swim. Most such women would probably be happy for there to be a male-only session because then people such as yourself would have less justification for criticising them for wanting a private female only session.
TL;DR: There wouldn't be a big "uproar" and there's no devastating double-standard for you to exploit here. If you think otherwise, feel free to try and organize a men only session and see if the response is outrage or apathy.
Re: "Positive" discrimination and feminist conditioned men are oppressing men.
>>"If you want equality of opportunity you are an MRA, not a feminist. Try for yourself and see what responses you get when you talk to feminists about equality rather than special privileges for women!"
I've been a feminist since I was at school - which is quite some time ago, and I'm fairly well-read in feminist theory. I've been an active feminist on many an occasion. What you say is not true. We, on the overwhelming whole, believe in equality, not female privilege. Nearly all popular feminist writers have this position and it matches the popular definitions of feminism (and I have linked to sources elsewhere showing this). I don't need to "talk to feminists", I am one and have been active in actions that can be legitimately called feminist (and those actions had plenty of men in them also). Quite simply, stop assuming authority and pronouncing on what feminism is. You won't find anything close to a majority of feminists agreeing with your description of us which, by definition, makes you wrong.
Re: No ugly feminists
>>"So why do women flaunt their beauty"
Quite right - women are to blame for men finding them attractive and must take responsibility for it. More veils are needed so that women can be more modest, clearly.
Re: Preserving modesty
Just because something doesn't bother you, doesn't mean it doesn't distress other people. And this is something that is shared by most of the human race. That you claim to be different to the majority of people (who would be distressed if private activity was shared and pawed over by the whole world), doesn't mean you should dismiss everyone else's feelings.
Re: "Positive" discrimination and feminist conditioned men are oppressing men.
I don't believe you have read what Emma Watson wrote at all. You write multiple paragraphs about what's wrong with doctrines of women being superior, of 'denying that men and women are different', etc. And yet her speech is all about men and women being treated with equal courtesy and respect and coming together. Find anything in her speech which supports your rant, please! You've just used this as an opportunity for your own axe-grinding.
As to "recognizing that men and women are different", you clearly haven't thought through what the meaning of "equal opportunity" actually is.
Even if there are different tendencies between men and women (and the fact that gender ratios in science differ markedly between nations and cultures despite the same genetics indicates there's a long way to go before we've eliminated cultural bias), those tendencies would have to be staggeringly high to make it more efficient to discriminate on gender than individual assessment. Like on the order of 50% average difference in ability level.
It takes only a basic grasp of statistics to realise that a slight difference in average ability in an area does not support discrimination on an individual level. That is why I know you are arguing from a political / personal viewpoint, rather than on a scientific basis. And that you suppose these "differences" are primarily inherent rather than cultural / sociological is shot down rather badly by the fact that, e.g., the sexes are far more equally represented in computer programming in say India, than they are in the USA. And many similar examples.
Re: But will it make a difference?
>>"and "feminism" which is the philosophy of promoting women, presumably over non-women"
That is not what 'feminism' means. You've just made up your own definition for the sake of argument. Nor has what you just wrote ever been the popular definition of feminism. It is, however, a recurrent misrepresentation by those who have read little of the writings of popular feminists or feminist theory.
Here's the opening definition from Wikipedia: "Feminism is a collection of movements and ideologies aimed at defining, establishing, and defending equal political, economic, cultural, and social rights for women. This includes seeking to establish equal opportunities for women in education and employment. A feminist advocates or supports the rights and equality of women"
Though I anticipate a No True Scots... ah, No True Feminist style of rebuttal that says there are some women who have this attitude and that they (despite being a small minority) are the real feminists and therefore you're correct. Presumably bolstered by some reasoning that the meaning of all words in the English language exactly adheres to your supposed etymological interpretation of them. Because as we all know, all words are exactly in line in meaning with a particular Latin root of themselves.
Read some actual feminist writing before pronouncing on what "feminism" actually is.
>>"The FBI has no business pursuing silly crap like someone exposing Emma Watson's personal photos,"
I trust you'll remember that reasoning next time you want the police or courts to spare some time for crimes committed against you. They shouldn't pursue it because there are other crimes elsewhere in the world.
Btw, high profile targetting like this sets an example to the whole society. One reason it was good to pursue all those expenses claims scandals with MPs wasn't because of the sums involved (as a percentage of the annual cost of Westminster it's next to nothing), but because it's important that justice is not only done, but seen to be done. When society is seen to tolerate such behaviour, you get more of it and if Emma Watson can't hope to get justice done for sexual harassment, what chance do the rest of us have?
>>"Celebs expect everyone to love them and when they don't they demand press censorship."
The endless stupid rationale of the troll - you're allowed to treat those who have achieved some fame as less than other people, because your callous actions are balanced by the fact that other people like them. Because as we all know, Karma isn't just a spiritual belief, it's a recognized scientific principle and you are its divinely appointed agent.
Or perhaps you're just rationalizing what you'd like to do anyway. I wonder which is most likely.
Re: Libertarians turn to civil authorities again for redress
I don't see anything in the article about "Libertarians", just customers who have been ripped off.
Re: Crap Battery
Batteries are funny things. One thing I do with a new device is charge it all day and then discharge it completely. Thereafter I use it normally. Not sure if that is still advisable with the current generation of battery but it used to be good practice.
Personally, I'd like to see a hydrogen fuel cell in my phone. Re-fill it like a lighter and run it all week. Icon for obvious reasons.
Re: How much?
>>"The lengths Apple went to to keep us away from the new iPhones was amusing."
Really? Care to share details? I'm sure quite a few El Reg readers would find a tell-all on Apple's press and marketing relationship quite an interesting one. How DO they keep you away from the phone or get you talking about it? Do they just say "no, you can't have a review sample" or do they bother to make up justifications? Do they ever hint you might be invited if you wrote a kinder review, etc?
Re: I'm trying very hard to give a shit
>>"and failing miserably"
I realize where I've been going wrong all this time now. I had thought this was a forum for people who were enthusiastic about technology, but it's actually a place for people to complain about it. Both sorts of forum discuss tech though, so it was easy to mistake one for the other.
Much becomes clear!
Re: I'm trying very hard to give a shit
>>"Laxatives. That's what you need. Laxatives and a copy of Autotrader."
It might be more expensive than Autotrader, but I would really personally recommend you spring for a roll of Andrex instead.
>>"They don't get your name, nor any sort of unique information at all that lets them know whether you're a first time customer or visit them daily."
Is that confirmed / reference? Not disagreeing, just this is very interesting if true and I would like to confirm.
Anonymity is too important.
I'm against piracy and they should certainly go after those that facilitate it. And there are ways they can do that other than measures such as this. Something like this is both too damaging in other areas and fights against the nature of the Internet.
Re: If you give a politician 1£ ...
>>"the problem is deciding which programs to write..."
No, the problem is specifying your use case in precise enough terms that automated tools can take over. And that not only will happen, but is happening. The nature of programming will increasingly shift from writing the software, to writing the tools to specify that software. And once that second part is done to a sufficient degree, it starts to turn on itself and reduce the total amount of programming that is done by people. Barring accident, I should be able to see out another forty years.
Forty years ago C had just been invented and people were arguing fiercely over whether programming without GoTo was wasteful. You honestly think now that we have the tools to automate much of code production we won't? From the point of view of someone forty years ago, we've already done that with all our compilers and high level languages and we're just specifying how the computer should write the code. From our point of view, the future will look the same and in the same terms.
Re: The Mission of Banks is to Cause Debt!
>>"Speaking from the UK, the US way is the way it *should* be done: when the bank lends me the money to purchase a house, it should be evaluating the risk of me failing to repay the loan. That risk (averaged over a number of purchasers), plus a bit of profit, should be the interest on the loan."
If someone asks me to borrow some money and then they can't or won't pay it back, why should I not be able to pursue the money they have taken from me? If I borrowed £50,000 from you and then said you couldn't have it back because the way I'd spent it hadn't worked out how I planned, would you be happy? If not, then why should banks live by a different principle?
Re: If you give a politician 1£ ...
Wow. That's a lot of downvotes in a short amount of time. I'm going to hope that's people objecting to the idea that automated code production will eventually supersede most cases of human code production, rather than objecting to the idea that women can write good software.
Re: Where's Worstall?
>>"Both energy and time are inherently finite."
But you must concede, both are on a rather different order of magnitude than things like aluminium or land. If you have to factor in the heat death of the Universe as your rebuttal to an economic argument, there may be a case to make that your rebuttal lacks practical relevance.
Re: If you give a politician 1£ ...
>>"even a computer program must be programmed by a man at some point)"
Actually, some very good ones have been written by women, thankyouverymuch. Perhaps you meant person. Though even that will change with time - I will certainly live to see computers become better programmers than people in the majority of scenarios, barring personal misfortune.
Re: The Mission of Banks is to Cause Debt!
>>"By the way, USA mortgage law is different to UK law. If the mortgaged house is handed over to the bank in the USA, that is the end of the debt. If the house sells for less than the debt, the bank gets to carry the loss."
SERIOUSLY?!?! How the Hell did that come about? And secondly, why the Hell do American banks not change their lending terms to be the same as in the UK?
Re: Why the engines on an airliner are set forward
If it reassures, I wouldn't call the author of this article an economist. At least I seriously hope he isn't given the rubbish I've just read. What is his actual background / qualification to write these articles? Give me a Tim Worstall article if El Reg is going to go paddling in Economic Theory. The author of this piece is just grinding their axe.
Re: One factor left out - The System
The Greens have one especial glaring fault - an obsession with wind power and a conditioned rejection of nuclear power. Energy is one of the few fundamentals in our society - if you have cheap and plentiful energy much of the rest follows.
But the Green Party keep turning their backs on the best source of it in favour of massive and detrimental subsidies for one of the least effective sources. If they'd make an evidence-based decision on it, they'd have removed the biggest reason not to vote for them as far as I'm concerned.
This is stupid.
Rationalizing the newly acquired Nokia components makes sense as there's inevitably going to be some overlap. Dismantling actual research units is a terrible mistake. MS need to be focusing on higher quality right now, not cutting costs.
Well it's nice to know that even though the only reason you honestly don't assault me is because it's illegal (your words and emphasis on actually meaning it)... and that you say you'd love to do so (more of your words)... Oh, and that you've elsewhere said you'll do your best to find out someone's real identity; that your post is "far from hostile". That's very good to know.
Another interesting contradiction is where you say I "lost my shit" in my initial response to your comment. My original response to your barrage of name calling was a one line suggestion not to make things personal: "That's it, let the hate flow. It's good to turn an argument personal, isn't it?"
"Lose your shit" is not one of my phrases but I don't see that my one line post above really counts! Whereas your fourteen line response to my one liner calling me further names and making up quotes from me, I think that better qualifies as "losing your shit" than mine. To say nothing of the latest thirty paragraph post (and that's excluding the quotes from me) and all the other personal insults and threats elsewhere.
Seriously, if you're now going to add the whole 'You mad?' style of personal attack to your other bits of rhetoric, I think you should realize that the one who is posting constant name calling, expressions of how they'd like to do violence to the other poster and made up quotes, is the one who appears to be "losing their shit", in all honesty.
My last post I suggested we drew a line under this. Apparently not good enough for you. You'd rather attack me further. I said right at the beginning of this that aggressive personalized attacks and name calling had no place here, that they make the forum a less welcoming place and are detrimental to good discourse. You responded that "This isn't debate club". Doesn't have to be. People can be polite in all sorts of situations. But really, you can take or leave that. The main thing is that you're taking a couple of lines of mine, putting your own vastly exaggerated spin on them with your own phrasing and going berserk over it. There's no point. It's just being silly and contributes nothing.
Re: Humble Pie
>>"Kate and Will's second sprog"
To be fair, I actually do find new mobile phone technology more interesting than some random couple's baby, functionally no different from any other baby. So I'm going to give them that one.