Domain: pastie.org
Stories and comments across the archive that link to pastie.org.
Comments · 36
-
Re:What does "banned" mean?
I'm sorry, but how does this work? Is google somehow legally obligated to, despite, as far as I know, not operating in Australia? Or will google simply be censored if they don't comply?
-
Re:Encourage autodidactism
>A diploma is worthless if you can't think for yourself, but this isn't something that can be taught, apparently.
See: Philosophy
-
Re:Electricity is for Luddites.
Modern app appers power apps using other apps! Apps!
...I like you.
-
Re:Who the fuck would use something like that?
I sync via SFTP. You could also sync via dropbox, google drive, or one of the other million things keepass has extensions for.
-
Re:Grails
I would not recommend Grails at all. First, if for no other reason, it's a bit player, so good luck finding developers, tools, help, and all of the other benefits you get with using a language/framework with a large, thriving community. That alone should be enough to steer you away from using it for enterprise anything.
Aside from that, boolean truths are quirky, to put it kindly.
Null evaluates to false, which is ridiculous and doesn't eliminate the need to check for null, just hides the problem if you forget to do it. This is because groovy uses "null objects." Null objects mean yay! no null pointer exceptions, but the consequence is... no null pointer exceptions! So have fun tracking down bugs when things fail silently.
Variables defined in closures (which is most of them) are opaque, so you can't easily inspect them without printing them out or logging them. So now you have no NPEs and no easy way to check for null values versus empty values while debugging without adding debugging code into production code. Ugh! Don't forget to annotate the debug code so you can remove it when you're done.
You don't get compile-time errors for things like using undefined classes/methods (typos!) or sending the wrong argument types. Instead, you have to compile, run, and look at massive stack traces throwing up all over your console/log: http://pastie.org/583115 Then rinse and repeat until it actually runs. And that's before you even start testing actual functionality.
Method entry and class loading breakpoints aren't supported. (This is simply an inconvenience most of the time, but it's worth noting IMO.)
Conversely, since groovy uses convention over configuration, IDEs may flag things as errors which are not. IntelliJ IDEA probably does the best at handling Groovy/Grails, but it still has some issues. My experience was that Intellisense/autocomplete didn't work reliably for Groovy in any IDE, so if that's important to you, you may miss that.
It's not clear where business logic should go. http://bartling.blogspot.com/2...
It's buggy. https://jira.grails.org/browse...
To be fair, I'm heavily biased against dependency injection, dynamic typing, and coding by convention, which are the very concepts Grails is built around. I could go into all of the reasons, but any flamewar worth its salt will list them all for you.
-
It's not really 2500 Users.. but Usernames
It's full of spam names like @apple, @ladygaga, @wellsfargo, etc... here is a list from when it came up in another thread a week ago: http://pastie.org/private/rkuws8thrzdkl1wumoo2vw It has a few users generating lists of top twitter handles to squat on.
-
Re:Node.js
No, more like: http://pastie.org/private/ij3rdcgtkgteefgwj57mfg
I realize that's just an example of simple inheritance, but not bad for using nothing more than functions and prototypes. Yes, it's a little verbose. You can also do prototypal inheritance, etc. The point is that with just a couple of constructs, JavaScript can do things that most languages must separate into many more statements, expressions, etc. But to clarify, I am *not* saying JavaScript is awesome; it clearly has limitations. But it is pretty amazing what all can be done with such a simple language. It is misunderstood.
-
Re:This is where someone will say...
Been thinking about doing that myself as well...any chances you might be willing to share out what DNS configs you happen to use on http://pastie.org/ ?
-
C# code to get all the duplicates on windows 7
Read this, and prompted me to write a bit of code to do the de-dupe comparisons. Here is the code. You will have to mark the project to run unsafe code :) (in project properties) Compiled with Visual Studio 2010.
Program reads the first 4MB of each file and computes a hash. A thread is run for each drive you are looking for.
If you want all drives, comment out the section it says to do so, else just add the drives you want to the list of DrivesToSearch
I suggest if you use your C Drive, add some of the folders like I have below to the Ignore Directories. The "ToLower()" is there just to make sure that it is lower case, else the hash match won't work.
Please forgive the code, as this was very quick-n-dirty
Code runs *far* faster than a week....
C:\ = 185,000 files.
F:\ = 29,690 files
G:\ = 20,765 files
H:\ = 60,851 files
i:\ = 52,442 files
D:\ 196 files (DVD ROM)
Total: 348,944 files on 6 drives with 3.2TB of used space took about 50 minutes 52 seconds
Speed can be improved by lowering the 4 meg check to something lower. Many of the files on F,G are over 4MB in size and took the longest to complete, even though they had less total files.
Code Below. (mutters about slashdot and their inability to allow code)
http://pastie.org/4652387 -
Re:Bad article summary
Summary is making it look a LOT worse than it is.
- Bug's already been fixed, only what it did was revealed now.
- Bug does not affect binary distributions from mysql.com, Windows included.
- Bug only affects some distros.
Full description here: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
They claim ubuntu 10.04 64 bit is vulnerable. That's my laptop distro, and after 5,000 attempts I can't break in.
The linked memcmp program at http://pastie.org/4064638 indeed says I'm vulnerable, so why can't I break in?
-
Re:Intel makes for awesome Linux boxes.
I have a laptop, it has its built in screen and a VGA port on the side. Here is its xorg.conf file:
XRandR xorg.conf.
I did briefly use a Xinerama configuration, and here that is:
Xinerama xorg.conf.
I'm using Xfce 4.10, with the Xinerama config compiz worked fine. Later on someone told me it wasn't supposed to work with Xinerama. Huh, it did.. But, anyway I went with the XRandR config anyway because it is much shorter. However, on my login manager screen - SLiM - the XRandR config has both screens as clones of each other where with the Xinerama config they are independent displays. -
Think of it just like WinForms or Swing
I've been responsible for maintaining CAD software with client apps in C++ / C# / JS / Flash. Because I found commonality between all these languages, I was able to port the code quickly and easily. Some tips:
1. Keep all the state on the client side. This means put everything on one HTML page, then manipulate the DOM to add controls, etc
2. Create a set of HTML+JS controls (say datagrid.html for example), then use jQuery to load instances of these controls into the DOM
3. Aside from the initial page load and loading of your controls, the only other reason to call to the server is to save & load data via webservices
4. Classical inheritance is a subset of prototypical inheritance, therefore you can emulate it perfectly. See the below examples:
Base class: http://pastie.org/3341844
Subclass: http://pastie.org/3341846
Clone function: http://pastie.org/3341847
If you think of HTML+JS just like you would MXML+AS or XAML+C#, then your app works the exact same way! HTML5 doesn't have to be any different from the traditional model, you just have to tinker around with it more to achieve the similarity, since there isn't really a built-in concept of controls. Lastly, install Chrome. Since there is no compile-time, this is your new IDE. If you go into "developer tools" you have all the traditional stuff: call stack, break points, watch window etc. You still have to write your code in notepad without auto-complete, but everything else you do right in the browser. You can even use the watch window to inspect what methods are on an object, so you can use this as a sort of "manual" auto-complete!
PS, before I get modded down, please see that this was an honest attempt to directly answer the author's question. -
Server Execution is the Issue
Most quality web hosting provides customers with shell access to the web server, or in cases where they don't, usually something like PHP is installed that usually allows for arbitrary execution.
On a web server that hosts a few thousand sites, using the Bing IP Search, you can find a list of all the domains. Usually there will be a lowest hanging fruit that's easy enough to pluck. Or, if you can't get shell access through a front-facing attack, you can always just sign up for an account with the hosting company yourself.
So once you have shell, then it's a matter of being a few steps ahead of the web host's kernel patching cycle. Most shared web hosting services don't utilize expensive services like ksplice and don't want to reboot their systems too often due to downtime concerns. So usually it's possible to pwn the kernel and get root with some script-kiddie-friendly exploit off exploit-db. And if not, no doubt some hacker collectives have repositories of unpatched 0-day properly weaponized exploits for most kernels. And even if they do keep their kernel up to date and strip out unused modules and the like, maybe they've failed to keep some [custom] userland suid executables up to date. Or perhaps their suid executables are fine, but their dynamic linker suffers from a flaw like the one Tavis found in 2010. And the list goes on and on -- "local privilege escalation" is a fun and well-known art that hackers have been at for years.
So the rest of the story should be pretty obvious... you get root and defeat selinux or whatever protections they probably don't even have running, and then you have access to their nfs shares of mounted websites, and you run some idiotic defacing script while brute-forcing their /etc/shadow yada yada yada.
The moral of the story is -- if you let strangers execute code on your box, be it via a proper shell or just via php's system() or passthru() or whatever, sooner or later if you're not at the very tip top of your game, you're going to get pwn'd.
-
Re:HOW?
Solution?
*) Choose a master password.
*) Never forget it, never disclose it
*) Concatenate it with "MonthYYYY"
*) Calculate its SHA1 in base 64
*) Ensure that the 8 first chars contain upper, lower, number. If not, concatenate i+=1 to the master password and keep hashing
It looks like this in Ruby: http://www.pastie.org/2163871
An example with P4SSW0RD as master password gives : OWRhNGE5 -
Re:Sigh
Here's what's interesting to me, and please whoever, don't feel like you need to hack me for this, I'm just an observer that happens to be an Engineer in the field in which you may operate.
If you believe the command history then the ANON guy that logged in showed his own IP based in New Zealand:
bash-3.2# ssh hoglund@65.74.181.141 -p 47152
[unauthorized access prohibited]
hoglund@65.74.181.141's password:
[hoglund@www hoglund]$ unset
hoglund@www hoglund]$ w
11:23:50 up 30 days, 5:45, 4 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jussi pts/0 cs145060.pp.htv. Wed11pm 59.00s 0.38s 0.35s screen -r
jussi pts/1 - Thu 5am 1:13 0.38s 4.90s SCREEN
jussi pts/2 - Thu 5am 59.00s 0.68s 4.90s SCREEN
hoglund pts/3 132.181.74.65.st 11:23am 0.00s 0.03s 0.00s w
And as an aside, rootkit.com is running RHEL/CentOS 3 still???
[hoglund@www hoglund]$ uname -a;hostname
Linux www.rootkit.com 2.4.21-40.ELsmp #1 SMP Wed Mar 15 14:21:45 EST 2006 i686 i686 i386 GNU/Linux
www.rootkit.com -
Re:hack
If this is real, it was really social engineering.
Agreed. But, in case there's any question of it, the word 'engineering' here is used sarcastically. This is unlike, say, how software engineering uses the term. I, for one, don't also want human resources co-opting a perfectly meaningful word, ultimately serving to dilute the meaning of the word. Though I am not an engineer, I have a great respect for them, so I don't go around referring to myself as, say, an efficient mid-career operator in the ever-shrinking field of not-engineering.
-
Re:hack
If this is real, it was really social engineering.
-
Obligatory links to suppressed information...
early key list:
http://pastie.org/1427124
SCEkrit.c (v1.0): Compute Sony's Private Keys:
http://pastie.org/1425653
hex keys:
http://pastie.org/private/vcxltlm1m4mkgossbisww
Complete Key List:
https://spreadsheets.google.com/pub?key=0AmWh9I5NKgNddE5NcnlxdHk3Nm9IYVR3djItTE9FT3c&hl=en_GB&output=html -
Low lifes, eh? Ever heard about poor countries?
Where people earn like 200-400 bucks per month? Exactly how do those evil "would never buy it if I had to pay for it" "pirates" harm Sony please?
Oh, and by the way, try to find out how many of the hackers out there have actually paid for an IDA license. Someone on #ps3test already tried, quite fun to read: -
Re:Stupid fixed-position crap
Ok, I've been hacking on it for a while now. This is much, much better: http://pastie.org/1500543
Let me know if you try it. I think I'll have more cleanups to add once I've had a few days to "feel" around the new design. -
Re:Stupid fixed-position crap
That's a great start. This is what I came up with: http://pastie.org/1500543.
Much larger, but does a little more. -
Watch sparks fly over guidelines
But do Debian and FreeBSD repositories have anything like the Mac App Store guidelines? These can be read to reject entire categories of applications, as I pointed out in a comment to the Armageddon story. Watch the sparks fly over the precise interpretation of these guidelines.
-
Shameless Plug
Torrent and Info: http://pastie.org/706872 http://dl.dropbox.com/u/457451/ide.vmdk.torrent Because making an account on some shady website that's exploiting the situation seems wrong.
-
Re:Almost competing
It is true that Mark's tools and a lot of knowledge will let you dig quite more into Windows than you'd expect. However, you still hit the inevitable brick wall that is closed source. At some point, if there's a bug in the source, you're not going to be able to figure it out without digging into assembly language, which is undesirable.
I also get the impression -and this may very well be caused by my relative inexperience with Windows internals as opposed to Linux internals- that Windows is more complicated on several levels, or at least requires tools that are more engineered and advanced, to diagnose certain issues. Again, this may just be my unfamiliarity with the OS, but it feels like stuff on Linux is just based around simpler system primitives (UNIX filesystem, pipes, sockets, command line, environment variables) that are easier to grasp, as opposed to the more complex APIs available under Windows.
As an example, this is what a system call trace of "ls" looks like. Compare that to a procmon trace of "cmd /c dir" on a nearly vanilla Windows install (and this only includes certain system call categories). -
Re:It probably won't last another 4 years
The Zune was in effect sold with a predictable and correctable flaw
And if you look at the bug in the code (line 259) it's atrocious. Something a junior programmer would be embarrassed about.
When days is 366 it causes an infinite loop. And also note that simply changing line 263 to use 365 causes a different bug. So the whole approach is wrong. It ought to simply be
while (days > daysInYear(year))
{
days -= daysInYear(year);
year += 1;
} -
Re:Can anyone explain this bug?
Here's the actual buggy code. The error is infinite loop in ConvertDays(), starting at line 249. The first loop does not cope with "IsLeapYear() == true" when "days == 366"
Wow, that was pretty cool. Thank you.
-
Re:Can anyone explain this bug?
Here's the actual buggy code.
The error is infinite loop in ConvertDays(), starting at line 249. The first loop does not cope with "IsLeapYear() == true" when "days == 366"
The fix:
year = ORIGINYEAR;
daysInYear = IsLeapYear(year) ? 366 : 365;
while (days > daysInYear)
{
days -= daysInYear;
year += 1;
daysInYear = IsLeapYear(year) ? 366 : 365;
} -
The Source Code
Here is source of the trouble.
-
Re:Can anyone explain this bug?
Here's the actual buggy code.
The error is infinite loop in ConvertDays(), starting at line 249. The first loop does not cope with "IsLeapYear() == true" when "days == 366" -
Re:Rooted?
This is the internets, you don't need a source