On the shoulders of giants
This sounds quite similar to the credit card industry's fraud detection systems. Ought to work about as well too.
756 posts • joined 4 Feb 2011
Meh. As double entendres go, this one's half-cocked and premature. Wait for a story where the double meaning is closer to the truth than the literal interpretation. The kind where you're halfway down the page before you realize "holy shit, that's fucking filthy - and hilarious!"
Hell yes - have you seen that series where she's investigating serial murders in Northern Ireland?
"Letting an argument die, or changing the subject, usually works much better than picking an argument and getting someone's back up (as new parents recognize fast)."
Therein lies the answer. If you see something, say something .... defensive, eh?
I assume the Reg staff use adblockers like the rest of us.
"Safe alignment"? That would be due North, or face-down. That would require far greater range of motion than normal operation...
> In 2016? It's been a few years since browsers were showing the site's icon in the same place as they would show the padlock icon.
Firefox and Chrome, yes. Palemoon still shows a favicon in the url bar - with red/green/blue colors for various levels of HTTPS. Not that the average hacking victim would notice.
Just to be clear: as far as your privacy/security is concerned, HTTPS is worthless.
SSLstrip substitutes a fake "padlock" icon for the site's favicon. Crude but effective.
"SSL Inspection" proxies the victim through an actual HTTPS connection, so it's less obvious, but the attacker must install their own root cert on the victim's computer (corporate PC, or via malware, or via dumb PC manufacturers) - unless they've obtained the private key for a "real" root cert...
Yep - why change your password when there are a so many reasons to delete your account?
Networking is everything, but only the old-fashioned kind, not 'social networking' facilitated by these spam factory websites.
Android ... Nicotine?
Anyone who's ever used an Oracle Java webapp knows what a mistake that was, and that's entirely Oracle's fault. By flooding the corporate world with that garbage, Oracle undermined Java's value. Maybe that was part of a plan to acquire Sun at fire-sale price, but that acquisition and subsequent lawsuit(s?) were the final nails in Java's coffin. What a greedy, boneheaded company.
I can only imagine that the Android devs chose Java in their formative years due to the popularity (among geeks) of JVM languages like Scala and Clojure at the time. LLVM would've been a better choice if its future had been more certain back then.
Lordy, but you people (Charlie Clark aside) do not understand code analysis.
I certainly do. Languages like JS, PHP, Python, Ruby, C/C++ are fairly opaque to static analysis. Fuzzing isn't the answer to everything either.
Auto-analysis tools are a machine gun approach to software defense; spray 'n' pray. Not a substitute for the (almost nonexistent) engineering that's so sorely needed.
I think I get why this is filed under
Hype DevOps... because it plays to the idea that you can just write a ton of bloated crap code, run it through a few tools like this, and get secure software. Nope. You get... ImageMagick.
That's not to say you shouldn't bother with automated tools like this. But if they find ANY real security flaws, I'd say it's not enough to plug those holes. The software in question needs a thorough going-over.
LOL, you want NoScript. It'll turn off 80% of HTML5 and break 99% of websites, and it's not exactly easy to selectively unblock scripts. Yep, it's 1999 all over again.
Youtube has been working impeccably well WITHOUT flash for years.
In your parallel universe, maybe. But you can use youtubedown without flash or a browser...
Hey - at least Microsoft gave the world a Flash replacement. It's called Silverlight. ;-)
Was. It's already gone...
Moving the repo is easy but what about Travis, Coveralls, etc?
I never use the bells & whistles. Most of the git repos I work on are private and self-hosted.
Issues and pull requests would seem to be more important for open-source projects. I don't know. In practice, I see thousands of them in a few popular repos I track, which just confirms that those projects are hopeless clusterfucks. Is Github making it too easy?
It's interesting that Böck and others have tried fuzzing ImageMagick before, and didn't find ImageTragick, which is a pretty trivial vuln.
Wild ass guess: since there are so few "instances" given the size of the company and the bloatyness of their SaaS, might they be using mainframes? I vaguely remember rumors that they were a poster-child for mainframes last decade; maybe they still are. And while mainframes would surely have dual-redundant PSUs, if one fails but the sysadmins don't notice or take their dear sweet time to replace it, then the other one fails... they're SOL. It's a proprietary replacement part. And it takes a courier about 12 hours to drive it down from upstate New York.
But what do I know? I use commodity 'cloud' hosting and I don't have to deal with problems like this... because they never happen.
If it knocked itself out, yes.
God I hope so. I haven't been cajoled into doing any Salesfarce integration in over a year but I still receive crap data exported from it on a regular basis. Please just die, Shitforce.
Like a lot of this decade's additions to Unicode, these don't belong in standard fonts. They're like hieroglyphics that no one has ever written by hand, with no common meaning or significance whatsoever.
Yesterday I was saying (not here) that UTF-8 text is a good archival format, in spite of some issues with bloat. I take that back. Unicode must die.
I haven't checked my spam folder today but wouldn't be surprised to see a signup for this site. But I think IPBoard actually does email verification, unlike Ashley Madison.
If you applied the 5-line policy.xml patch, patch again. It's 9 lines now, per https://imagetragick.com/
Or uninstall ImageMagick and install GraphicsMagick (but test if you care; it's not 100% compatible)
I knew this day would come. I'll stick with Mint 17.x until either Mint or someone else releases a no-bullshit distro that's not based on systemd. Or at least until systemd solves more problems than it creates for me.
And if every OS is utter crap by the time Mint 17.x reaches its effective EOL, it's time to get out of this business (again).
Wide open. Hackers have been waltzing through all the CC bureau databases since the 80s, and I don't see security getting any better in the web/mobile age.
What's with all the love for Firefox? I can understand hating it a bit less than Chrome, Safari, and IE/Edge... but only a wee little bit. Firefox ain't what it was 10 years ago.
Who needs Flash (or HTML5) when you can publish 80-column ASCII text files. The good old days... :D
Not affected in the least.
But how many commercial devs give a shit? They hide their GPL infringement behind their closed source.
Which makes GPL more of a burden on the "good guys" than on the "bad guys". BSD/MIT FTW.
Code reuse is a basic requirement of software development
Code reuse was last century's Holy Grail of software development. We pretty much found it, but there's a catch: it's poisonous.
It's a requirement for the Agile(TM) Rapid(TM) programming-lite "development" of Cheap and Bloated software.
Thing is, most useful software seems to fall into two classes, A) small throwaway scripts not shared with the world, and B) highly polished applications relying upon a conservative set of stable OS/library code (and high-quality specialized hardware in some instances).
That's some shitty propaganda: When you pay for commercial software, you're getting repackaged free software... and two thirds of it is old and unpatched. And I don't doubt it's true.
Yeah, this Fox story is all hand-waving, no substance.
Still, Hillary's own spin on this is enough to convince me. "I never emailed classified documents through that server" and so on (left unsaid: "I spilled the beans in my own words"). She's as bad at lying as she is at opsec. On the bright side, if she wins the election, move over Snowden - she'll be the greatest Leaker In Chief EVER.
Doctorow may be the world's foremost authority on Clickbaitineering.
I worked on a rebranding project that actually was necessary. The company's old name sounded like a commodity; I'd heard it in ads for years without realizing it was a brand. But they put a lot more thought into the new name than these "Healthineering" hacks :)
Me, a commenteer? No.
Them "imaginatards". Them "healthintards".
Sorry for the downvote, but text formats are anything but inherently safe. Text parsing is one of the trickiest things to get right. Even a simple format like PNM could conceivably be used for an exploit, especially if you're using dozens of obscure tools.
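The post above argues that even a "simple" text-based image format like PNM is not inherently safe to parse. As an added example (not code from the post or from any image library), here is a strict parser for the binary PGM ("P5") flavour of PNM that shows where the checks have to go: comment skipping, digit-only numeric fields, dimension caps before any size arithmetic, and an exact raster-length check. The limits and the sample inputs are constructed for the example.

```python
"""Strict parser for binary PGM ("P5"). Added example; not from the forum post
or any image library. Limits and sample inputs below are constructed."""
import re

MAX_DIMENSION = 1 << 14     # constructed policy: refuse images wider/taller than 16384
MAX_RASTER_BYTES = 1 << 28  # constructed policy: never accept a raster over 256 MiB

_WHITESPACE = b" \t\r\n\x0b\x0c"


class PNMError(ValueError):
    """Raised for any header or raster that does not match the format exactly."""


def _read_header_tokens(data: bytes, count: int):
    """Return (`count` header tokens, offset of the byte after the last token).

    Skips whitespace and '#' comments; comments are where naive parsers go
    wrong because they may contain anything, including digits.
    """
    pos, n, tokens = 0, len(data), []
    while len(tokens) < count:
        while pos < n and data[pos] in _WHITESPACE:
            pos += 1
        if pos >= n:
            raise PNMError("truncated header")
        if data[pos] == ord("#"):
            while pos < n and data[pos] not in b"\r\n":
                pos += 1
            continue
        start = pos
        while pos < n and data[pos] not in _WHITESPACE and data[pos] != ord("#"):
            pos += 1
        tokens.append(data[start:pos])
    return tokens, pos


def parse_pgm(data: bytes):
    """Parse a P5 image; return (width, height, maxval, raster) or raise PNMError."""
    (magic, w, h, mv), pos = _read_header_tokens(data, 4)
    if magic != b"P5":
        raise PNMError("not a binary PGM")
    # Accept only plain ASCII digits of bounded length. int() alone would also
    # accept b'+3' and digit strings of unbounded length.
    for field in (w, h, mv):
        if not re.fullmatch(rb"[0-9]{1,7}", field):
            raise PNMError("malformed numeric field")
    width, height, maxval = int(w), int(h), int(mv)
    if not (1 <= width <= MAX_DIMENSION and 1 <= height <= MAX_DIMENSION):
        raise PNMError("dimensions out of policy")
    if not 1 <= maxval <= 65535:
        raise PNMError("maxval out of range")
    # Exactly one whitespace byte separates the header from the raster.
    if pos >= len(data) or data[pos] not in _WHITESPACE:
        raise PNMError("missing header terminator")
    raster = data[pos + 1:]
    # The product is computed from validated, capped values, so it cannot wrap;
    # in a C parser this multiplication is where the overflow check belongs.
    expected = width * height * (1 if maxval < 256 else 2)
    if expected > MAX_RASTER_BYTES:
        raise PNMError("raster exceeds size policy")
    if len(raster) != expected:
        raise PNMError(f"raster length {len(raster)} != expected {expected}")
    return width, height, maxval, raster


def reject_reason(data: bytes):
    """Return None if `data` parses cleanly, else the reason it was rejected."""
    try:
        parse_pgm(data)
    except PNMError as exc:
        return str(exc)
    return None


# Constructed inputs (not real files).
GOOD_PGM = b"P5\n# comment with digits 99 99\n3 2\n255\n" + bytes(range(6))
OVERSIZED_PGM = b"P5 100000 100000 255 " + b"\x00" * 6
TRUNCATED_PGM = b"P5\n3 2\n255\n" + b"\x00" * 3
BAD_NUMBER_PGM = b"P5\n+3 2\n255\n" + b"\x00" * 6

if __name__ == "__main__":
    for name, sample in [("good", GOOD_PGM), ("oversized", OVERSIZED_PGM),
                         ("truncated", TRUNCATED_PGM), ("bad number", BAD_NUMBER_PGM)]:
        print(f"{name}: {reject_reason(sample) or 'accepted'}")
```

The ordering matters: dimensions are bounded before the size is computed, and the size is compared against the policy before the raster is examined, so no untrusted value ever drives an allocation or a loop bound.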
Last decade I switched from PIL to GD to ImageMagick because of image quality, in spite of their inferior APIs and code quality. A few clients/employers thought PIL in particular looked worse than other sites; I did some comparisons and they were absolutely right.
And, PIL and GD have not seen much improvement (or security patching?) since then. Although I just noticed there's a fork of PIL called Pillow... anyone using that?
ImageMagick is used on tons of Wordpress and Drupal sites. The alternative is libgd which has its own problems.
I've used ImageMagick on Python sites as well; functionally it's miles ahead of PIL.
Confirmed: GraphicsMagick is NOT vulnerable to the particular exploit in this article. It bails out if the file's extension doesn't match its 'magic number' header, and if you give it the proper extension (.mvg) it rejects the malicious 'fill color'.
This does not mean GraphicsMagick is 100% safe.
Meanwhile, turns out it's pretty easy to screw up the policy.xml patch for ImageMagick. Test the exploit code before and after patching, or just switch to GraphicsMagick.
I'm glad to see these forks. Debian has the insurmountable bureaucratic and architectural problems one should expect from a huge 2-decade-old FOSS project. OpenWRT (and DD-WRT) look pretty sketchy as OS distros go. I realize part of the problem is the profusion of more-or-less proprietary consumer router hardware, but I'm not at all surprised to hear about the political/bureaucratic issues.
If they want to do different things, they should just fork off and do different things. Competition is beautiful.
Ok, my assumption was wrong. At first glance, anyway, GraphicsMagick is NOT vulnerable to these attacks. GraphicsMagick FTW.
I assume GraphicsMagick is vulnerable, and may take longer to get fixed. It has a /etc/ImageMagick/policy.xml file... I'm patching it.
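Three of the posts above concern the ImageMagick policy.xml mitigation: the one noting the imagetragick.com patch grew from 5 to 9 lines, the one saying the patch is easy to get wrong, and the one applying it to /etc/ImageMagick/policy.xml. The following is an added example, not code from the posts or from the ImageMagick project: a checker that parses a policy.xml and reports which of the nine coder patterns listed at https://imagetragick.com/ are not set to rights="none". The sample documents are constructed; the default file path is the one the post names and varies by distribution.

```python
"""Verify that an ImageMagick policy.xml denies the coders listed in the
imagetragick.com mitigation. Added example; not code from the forum posts or
from the ImageMagick project. The sample documents below are constructed."""
import sys
import xml.etree.ElementTree as ET

# The nine coder patterns the imagetragick.com policy sets to rights="none".
RECOMMENDED_DENIED = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                      "TEXT", "SHOW", "WIN", "PLT")


def denied_coders(policy_xml: str) -> set:
    """Return the coder patterns that `policy_xml` sets to rights="none".

    Attribute values are stripped and compared case-insensitively, so 'none'
    and 'NONE' both count; a misspelled value such as 'non' does not.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if (policy.get("domain") or "").strip().lower() != "coder":
            continue
        if (policy.get("rights") or "").strip().lower() != "none":
            continue
        pattern = (policy.get("pattern") or "").strip().upper()
        if pattern:
            denied.add(pattern)
    return denied


def missing_coders(policy_xml: str) -> list:
    """Return the recommended coders that are still allowed, in list order."""
    denied = denied_coders(policy_xml)
    return [c for c in RECOMMENDED_DENIED if c not in denied]


# Constructed: a policymap carrying the full nine-entry mitigation.
FULL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
"""

# Constructed: the original five-entry version, never updated to nine.
OLD_FIVE_LINE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

# Constructed: a typo in one rights attribute leaves the MVG coder enabled.
TYPO_POLICY = FULL_POLICY.replace('rights="none" pattern="MVG"',
                                  'rights="non" pattern="MVG"')


def main(argv):
    # Path from the post; other distributions install the file elsewhere.
    path = argv[1] if len(argv) > 1 else "/etc/ImageMagick/policy.xml"
    with open(path, encoding="utf-8") as f:
        missing = missing_coders(f.read())
    if missing:
        print("still allowed:", ", ".join(missing))
        return 1
    print("all recommended coders denied")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_policy.py /path/to/policy.xml`; a non-zero exit means at least one recommended coder is still enabled. A check like this catches the two easy mistakes the posts describe, applying the old five-line version and a typo in an attribute, without needing to run any exploit against the installation.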
Point of Sale machine. Why, what did you think we meant?
That, and the other. Both meanings are correct in this case.
Verizon employees on the Eastern Seaboard shut down operations
Standard operating procedure, in other words.
They should pick on Netflix for not carrying their show (or anything else I actually think I might want to watch)
> but hopefully the BSDs won't include any of this poettering-soft (I haven't checked in on BSD for a few years by now)
Unfortunately some of the pollution is spreading. Not systemd or pulse, but I've seen some crap like Dbus even on fairly minimal FreeBSD servers.
2500+ years. We're the latest incarnation of the Roman Empire... in spirit, anyway ;)