Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

Here's how to protect yourself... apk

See subject: APK Hosts File Engine 3.0++ 64-bit for Linux/BSD h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploit!

* ONLY 1 of its kind in GUI 4 Linux/BSD & supports port filters!

APK

P.S.=> Protects vs. all speculative execution exploits + scripts/trackers (faster vs. NoScript @ kernelmode level)/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware/malcript/email malicious payloads... apk

Re:Here's how to protect yourself... apk

Hosts doesn't protect us from this kind of fucking SPAM.

ZIP

P.S. => Get a real job APK. What you've done is less than worthless. I contribute to real industry. My code has ran untouched in America's factories for two decades.

Re:Here's how to protect yourself... apk

ZIP gets called out for his blowhard bragging he can't backup! APK makes ZIP "Run, Forrest: RUN" again https://developers.slashdot.or...

Re:Here's how to protect yourself... apk

ZIP gets called out for his blowhard bragging he can't backup! APK makes ZIP "Run, Forrest: RUN" again https://developers.slashdot.or... and ZIP tried to down moderate "hide" that when it was posted before https://developers.slashdot.or...

Re:Here's how to protect yourself... apk

fucking kill yourself and never spam this again you piece of shit

Re:Here's how to protect yourself... apk

ZIP gets called out for his blowhard bragging he can't backup! APK makes ZIP "Run, Forrest: RUN" https://developers.slashdot.or... and ZIP tried to down moderate "hide" that when it was posted before 2 times out of his shame https://developers.slashdot.or... https://developers.slashdot.or...

Re:Here's how to protect yourself... apk

[Zontar+The+Mindless]

You are so INCREDIBLY predictable, Alex. You're like the hamster running inside the little wheel.

Mostly.

(The hamster eventually figures out how to get off.)

Happy Armistice Day from Stockholm!

Re:Here's how to protect yourself... apk

[BronsCon]

You say your hosts file engine can protect us from advertising. Can you provide assurance that, should I choose to install and use it, I will stop seeing ads such as the one I am currently replying to?

No virtualbox in FEDERAL PRISON

Sorry TRUMP TRAITORS!

Re:No virtualbox in FEDERAL PRISON

[ShanghaiBill]

There is no need for Virtualbox in Federal Prison.

They use FreeBSD Jails instead.

Re:No virtualbox in FEDERAL PRISON

Dems racking up the felonies trying to steal the election in Florida and Arizona.

Re:No virtualbox in FEDERAL PRISON

Don't let the prison door hit you in the butt, GET YOUR ASS IN THE CELL TRUMPTARD.

VirtualBox is open source

[mccalli]

So submit the patch instead of waiting for someone else to for 15 months.

Re:VirtualBox is open source

He's a security RESEARCHER not a security DEVELOPER!

Re:VirtualBox is open source

only oracle employees have write access to the repos, so you're dealing with the bureaucracy and ineptitude of oracle regardless. 15 months previously probably means about that same turnaround now from patch submission to distribution.

Re:VirtualBox is open source

[ShanghaiBill]

So submit the patch instead of waiting for someone else to for 15 months.

It is not that simple. Oracle controls which patches get applied. Sure, you can "fork it", but almost nobody has the time and resources to successfully fork a project.

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql. They have closed source commercial products that compete with both of these. A big motivation for Oracle to acquire Sun was to get their hands on these open source projects so they could slowly strangle them. Late and slow security patches are part of the strangulation process.

If you ever see Oracle doing something that appears to not be evil, then you misunderstand what is going on.

Re:VirtualBox is open source

[El+Cubano]

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql.

I would have to agree with this. Things like quarterly "CPU" releases (critical patch update) that mix security fixes with "feature updates" (and those being the only way to obtain security fixes, not annotating CVE IDs in the commit messages of related commits, and forbidding Oracle personnel from helping outside project personnel identify specific commits associated with specific security vulnerability fixes (very useful for backporting purposes) makes for Oracle having a well earned reputation for being obnoxious to the open source community in general.

Re:VirtualBox is open source

forbidding Oracle personnel from helping outside project personnel identify specific commits associated with specific security vulnerability fixes (very useful for backporting purposes)

Shit. We MUST organize a rescue party to get them out of there. Clearly they are held there as employees against their own will.

Re:VirtualBox is open source

[Tom]

Same with MySql. They have closed source commercial products that compete with both of these.

The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope. You have a reasonably smooth upgrade path to PostgreSQL, in fact if you are using database abstraction as you should, it's a config option.

Re:VirtualBox is open source

[Megol]

As you apparently don't know the definition of the word forbidding:
https://dictionary.cambridge.o...

Re:VirtualBox is open source

Hmm. I found a vulnerability in Firefox. I guess I'll just learn Rust, figure out how the Gecko layout engine works, download the IDE, SDK, and Acid regression test suite, and code up a quick patch for them!

Re:VirtualBox is open source

Do you think MySQL and VirtualBox have not vastly improved in the past 8 years?

Re:VirtualBox is open source

Exactly! We already moved all our MySQL servers to MariaDB. And for new projects we use PostgreSQL.

If we were ever going to pay for a database license, Oracle would be out of our price range, and would probably go with MS SQL Server (it even runs on Linux now).

Re:VirtualBox is open source

Too slow, I already did that and sent the patch in.

CAP === 'instruct'

Re:VirtualBox is open source

The fear is over the number that would migrate from Oracle to MySQL, if they had a chance.
Oracle used to have some good features that a business might want, AND couldn't get for free elsewhere. Now, they mostly can.

Re:VirtualBox is open source

[ShanghaiBill]

The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope.

You are missing the point. Oracle knows these people won't migrate to Oracle-DB. Their big concern is people migrating in the other direction. Many customers (recently including Amazon) have dumped Oracle's DB, and gone to MySQL or Postgres. They want to slow that hemorrhaging.

Oracle is playing defense, not offense.

Re:VirtualBox is open source

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql. They have closed source commercial products that compete with both of these. A big motivation for Oracle to acquire Sun was to get their hands on these open source projects so they could slowly strangle them.

*snort* Oracle do not want either of these products to die. Oracle make money from both products, and if there's anything that Oracle are proven to like, it's things that make them money.

Another useless conspiracy theory from useless Shanghai Bill.

Re:VirtualBox is open source

What's your point buddy?

Re:VirtualBox is open source

go with MS SQL Server (it even runs on Linux now).

You know, that's sort of like syphilis. You don't even know your fate is sealed until the tertiary phase.

Re:VirtualBox is open source

[Tom]

Why in all nine hells would you ever want to go with MS SQL for anything, at all, ever ?

I've been doing sysadmin stuff all my adult life, even now that I'm a security architect I keep in close contact with sysadmins. Not one of them has ever recommended MS SQL, everyone who used it was unhappy, in most discussions it doesn't even appear as an option.

I'm really curious which strange twisting of dimensions makes you the only person on the planet to seriously consider it who is not forced by external circumstances.

Re:VirtualBox is open source

[Dog-Cow]

Why would you expect a sysadmin to know anything about RDMS’s?

Re:VirtualBox is open source

[Zontar+The+Mindless]

Where's your sense of humour, buddy?

Re: VirtualBox is open source

This guy thinks he can code lol

Re:VirtualBox is open source

That doesn't make any sense. It perhaps would if mysql was the only exit open to people wanting to dump oracle, but as you noted, it's not. Those determined to leave might not leave for mysql, but they will still leave. Just through a different door. Trying to stop would be defectors by closing the exits is simply not a feasible strategy, even for Larry.

Re: VirtualBox is open source

MS SQL server is point and click and licenses are affordable. MS SQL server is becoming (has become?) the default selection where a product that requires an underlying DB is required. Oracle has a shitty reputation for support, licensing and just being total dicks in so many ways.

That's why.

Re:VirtualBox is open source

MySQL was always a PoS.I have never met a person who seemed competent to me who also had anything positive to say about MySQL. I never got to use MySQL, but every person that I ever held highly had great reasons and plenty of WTF(worse than failure) level anecdotes of MySQL violating the principle of least astonishment. All of the tutorials I ever found made it look easy enough, but with enough digging, I found piles of unintuitive "gotchas" that violate guarantees that MySQL claims to have or support. The only way to make it not have data loss was to enable a crap ton of off-by-default features that made it run uselessly slow. While every other DB engine seems to provide by default out of the box, without any performance penalty relative to MySQL stock performance.

I assume MySQL only ever became popular because of a combination of it being free, as in price, and the pervasive cargo cult lemming mentality of the typical person. Not to cast everyone who used it in this light. Some men are born mediocre, some men achieve mediocrity, and some men have mediocrity thrust upon them.

Re:VirtualBox is open source

[Tom]

Because they have to run them. Your DB-Admin is not a happy camper when he can't get his console because the stupid system hung itself, again.

Re:VirtualBox is open source

[Per+Wigren]

You have a reasonably smooth upgrade path to PostgreSQL, in fact if you are using database abstraction as you should, it's a config option.

Um, no, unless you use such an incredibly small subset of SQL that you are not using the database for more than storing and retrieving your application data as-is. Depending on your code, it may be just minor adjustments or it may require a full application architecture overhaul to support a second database. Realistically, no in-house application ever changes database engine without it being a part of a major rewrite and rearchitecturing anyway. If you develop for PostgreSQL, take full advantage of its fantastic feature set. Don't restrict yourself and your coworkers to the 5% of it that it shares with MySQL just to be able to switch with a config option.

Re: VirtualBox is open source

How is oracle making so much money from these two FREE open source products?

Re:VirtualBox is open source

[piojo]

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql.

Why have they been doing such a good job of developing it? I recently tried to use MariaDB in my project, and it fundamentally could not do a basic JSON manipulation I needed (recursive merge with overwrite). I looked into how to write custom functions and got nowhere. As far as I could tell, the API deals with rows and tables, not other datatypes.

After using MySQL for ten minutes, I found the function that did what I needed. It has been adapted to real-world usage it a way that MariaDB has not.

I can't give the strongest testimonial because I'm not an experienced database programmer, but it certainly seems to me that Oracle is actively developing MySQL. What makes you think they want it to die?

Virtualbox is crap compare to VMware player

You know, Virtualbox, being free and open source, is a case where it's better to spend money. In my experience, VMware player is much better. The networking between the host and the guest when using NAT is better, it's far easier to run a VMware machine in a firewalled/NAT network and access it from the host via SSH, and the networking in VMware doesn't crash the way it does in Virtualbox.

VMware player is free to download and use non-commercially; I have no problem using containers from nearly a decade ago (I have a 10-year-old container which I still use to make sure my website is still minimally functional in Internet Explorer 6).

Re:Virtualbox is crap compare to VMware player

What is it about VMware Player that makes you think it is immune to this kind of internal targeted leak of its security flaws? You're living in some kind of fantasy land if you think some freeware from a company is more secure no reason other than one costs money (but it's free, so it doesn't cost money)

ZIP

Re:Virtualbox is crap compare to VMware player

[bferrell]

I have to disagree... I've seen VMware products do a lot of nasty things, even in environments with high end paid support. The answers from VMW TAC were, to say the least, very unsatisfactory (destroy the VM and start over, it does that sometimes).

I use Virtualbox a lot. No, the polish of VMware isn't there, but ya know, there is NOTHING VMware/VSphere does that I can't do with Virtualbox... If I don't mind fiddling around with it for a while. Sometimes I mind. Other times, not so much.

Just my two scheckles worth

Re:Virtualbox is crap compare to VMware player

How good or poor is opengl support in vmware workstation?

I found it glitchy when I tried it a few years ago, but still far better than virtualbox. If workstation had bulletproof opengl support I'd license it.

Re:Virtualbox is crap compare to VMware player

[goose-incarnated]

How good or poor is opengl support in vmware workstation?

I found it glitchy when I tried it a few years ago, but still far better than virtualbox. If workstation had bulletproof opengl support I'd license it.

They're both crap. VMWare is slightly better than Virtualbox, but it's still crap.

Re:Virtualbox is crap compare to VMware player

What's the virtual box alternative to vCenter?

Re:Virtualbox is crap compare to VMware player

It is pretty obvious that virtuabox is basically on lifesupport and no real updates in years. VMWare at least has updates. I use virtualbox because I am cheap...

Re:Virtualbox is crap compare to VMware player

[bferrell]

well... There are PHPVirtualbox, remotebox and hyperbox, that I know of and have used or do use. There may be others now, but I stopped looking when I found some that I liked (why is it that my keys are always in the last place I look? because I stop looking!) .

As I said, they can take some fiddling but are well worth the time/effort.

Add OpenVswitch (NICs for which are supported by Virtualbox VM guests) to the mix for a distributed switch fabric and a VirtualBox based "Vcenter" becomes very doable. Yes, you DO have to roll it yourself, unlike VMware, but...

Just like Vcenter, shared storage is necessary for moving running VMs for host to host.

Other than VMware, Virtualbox has the most pre-rolled "stuff". KVM CAN XEN do all of this stuff, but there is a lot more that has to be done for integration.

All of that said, I've also found that when importing an OVA into Virtualbox, low level details of the guest DO get changed. Nothing huge, but some things DO check for those details and do various unpleasant things when they don't match. I haven't found any I can't change back, if I know what they are.

Like I said, it CAN be a wee tad fiddly.

Re: Virtualbox is crap compare to VMware player

i have no idea what you're talking about (you might not either) - Virtualbox devs release frequent updates, continually improving the thing (no useless gui updates) - they even fixed an issue I reported (it only took them a month to fix two issues related to the problem I reported) - it's good software being produced during a time when many other projects or companies are releasing messes

Re:Virtualbox is crap compare to VMware player

[ayesnymous]

Yup, VMware is some of the worst software I've ever seen. And they still require Flash for their fully-functional UI.

Re:Virtualbox is crap compare to VMware player

[rl117]

Poor. Intermittent random freezing of kde kwin input, window switching and compositing when hw accel is enabled, plus occasional hard lockups of the whole machine. It's also a really old gl version. Unusable. This is with a well supported radeon RX 580. Spent months of back and forth with their tech "support". They don't seem to care. Was a waste of money (not cheap) and hard to recommend. The quality tanked when they fired their US team and was offshored. It's a maintenance mode cash cow at this point. I would pay good money for a replacement which worked and was actually developed. Look at what was in Workstation 15, I couldn't justify paying to upgrade from 14 when there was nothing compelling and no real hope the showstopper bugs were fixed.

Re: Virtualbox is crap compare to VMware player

[Zontar+The+Mindless]

i have no idea what you're talking about (you might not either)

He doesn't.

Heck, they fixed a bug in 5.2.22 (released 2 days ago) that I reported in 5.2.18.

Re: Virtualbox is crap compare to VMware player

VMWare has switched to HTML5.

Hooray for this!

[pierceelevated]

If more bugs were called out like this, the programmers would spend more time testing their software instead of taking the "we'll fix it if we get caught" attitude.

Re:Hooray for this!

I guess that the NSA wouldn't like that attitude, neither would any other countries intelligence operatives placed in critical software development areas of interesting corporations ;)

You'll probably get stupid 'non-deliberate' bugs like this regardless, because, 'humans'. The main gripe here is as others pointed out is too many 'hoops' and corporate crap is in the way. A fire a bug report off (literally could be an email/webform) and 'leave for X time, probably being months' method would likely be more effective at getting that stuff changed, rather than simply releasing the exploit,... which is a tad irresponsible.

Re:Hooray for this!

A management consultant friend of mine once said to me his practice largely consisted of dealing with management teams that are fixated with the benefits of some course of action. As soon as people get emotionally invested in those benefits, they become blind to unintended consequences, even when dealing with those consequences would be easy to handle.

Here the benefit is lighting a fire under developers is the intended good consequence; creating security vulnerabilities for users is the unintended consequence. It's easy to have your cake and eat it too: just give the developer a deadline.

Re:Hooray for this!

Oracle should man up, and fix things in a timely professional manner.
As they dropped the ball, and failed to prioritize, I guess security is not their forte. Thefore if I was a customer of theirs - I would go. What else are they neglecting?
Its almost as bad as Cisco not explaing how backdoors got in, and fail to address the HOW question.

Piss poor communication. Well it blew up in heir faces. Dont blame the messenger.
Go watch some Monty Python, and address the issue faster than laden swallows.
https://www.youtube.com/watch?v=liIlW-ovx0Y

Full disclosure babe...It's the only way.

We must demand the same from the damn government!

Malware devs downmodded protection... apk

See subject: APK Hosts File Engine 3.0++ 64-bit for Linux/BSD h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploit!

* ONLY 1 of its kind in GUI 4 Linux/BSD & now supports port filters!

APK

P.S.=> Protects vs. all speculative execution exploits + scripts/trackers (faster vs. NoScript @ kernelmode level)/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware/malcript/email malicious payloads... apk

Is ANY Ruskie Not Frustrated?

How many? Did you tell any one how many are not? Did those you informated believe your attestation? Would you do your work again understanding same circumstances?

Re:Is ANY Ruskie Not Frustrated?

Is there another link to the article? I'm getting a 400 error from the page.

Not a zero-day ffs

Zero day means something. It doesn't mean what tech "reporters" think it means.

Re:Not a zero-day ffs

Yeah, that's what I was thinking. Isn't the fact that it's published in a public space therefore make it NOT a zero day?

virtualbog is crap, owned by a crap company.

vbox is seductively easy to use on windows, but shit it's rotten software. Even something simple like the "cli" is clearly "designed" by windows-only idiots who just don't get proper CLI at all. And mysql is the same kind of idiocy with a different face on it. Both of them dying would be a good thing. Take docker and php with it while at it, please.

Though realistically even should mysql die there's still mariadb, natch. For vbox, there's several alternatives you might use. Someone'll whip up a front-end on windows and off you go.

Anyhoo. I really don't understand what sun was thinking when they bought mysql, and I don't know what oracle was thinking when they bought sun. Both really don't "get" lots of things they bought (cobalt raq, anyone?), though they're far from the only ones to buy stuff and then strangle it from sheer incompetence with the stuff they bought. Or buying a company with a good product just for "the ip" and then abandoning the product alienating a loyer customer base. I bet you too can name a few.

As for this "security researcher", he's saying some of the same things others, including me, have been saying for years: The security industry is terribly immature and ineffective. The "responsible disclosure" folderol and all the bickering about what makes your disclosure responsible and the other guy's not, makes it only moreso.

(Though honestly, if you've found a hole in a FOSS project, kindly do email them first. Not even trying with a big fat bureaucracy I get, but FOSS projects do deserve a chance, or at least a heads-up in their security contact's inbox.)

And in closing, this is old news. I saw this announced on tuesday on a not particularly up-to-date website in a different language, translated from the original Security Industry Standard Hollibru Engrish. EditorDavid apparently was too busy reading drivel to notice actual news for nerds, stuff that matters. To me, more proof that these editors are entirely irrelevant and outdated. Maybe they ought to get jobs at oracle.

American companies do this often

Apple is another company that happily wait many months to fix critical security issues of the kind that can give an attacker control over the system. Do you think it's a coincidence? They won't do anything until the NSA court order says the can.

Just another occasion to be reminded of the lesson that if you use software from American vendors, there will always be a way into your system.

Re: American companies do this often

Citation needed.

repost

we saw this a few days ago

Overblown much?

[Bert64]

This vulnerability requires root level privileges inside a guest os, and for that guest os to be running with very specific configuration (must have e1000 nic and be configured in nat mode)...

Incidentally nat mode doesnt support ipv6, rendering it useless for me.

Re:Overblown much?

This vulnerability requires root level privileges inside a guest os, and for that guest os to be running with very specific configuration (must have e1000 nic and be configured in nat mode)...

It seems that starting with Vista the Intel Pro/1000 MT (e1000) NIC was the default for Windows but otherwise the default is the PCnet-Fast III. So, yea, people using Windows XP which likely are running as admin in a VM as an isolation technique (and for which ipv6 is likely not something they use) aren't likely to be effected. Still, this goes again to show what most people who look at people acting like VMs are some sort of magic panacea when they aren't. Running as root in a VM can be risky because clearly VM makers don't take security serious enough. I wouldn't be surprised if PCnet-Fast III has its own set of vulnerabilities.

Re: Overblown much?

Both of these things are the default settings. Most people are using them.

Re:Overblown much?

Intel PRO/1000 MT Desktop (NAT) is the default on Ubuntu. Does this mean we're not actually affected, or is e1000 a nickname for that adapter?

Re:Overblown much?

[mvdwege]

One of the reasons for running VMs is to isolate applications that require root privileges. And the e1000 is a very popular nic to virtualise. Almost everything I met had either VirtIO networking or an emulated e1000.

So this is actually a pretty common configuration. No, this is not overblown.

Re:Overblown much?

[mvdwege]

e1000 is the Linux device driver name for that NIC family.

Thank you, Russian security researcher!

One of my VMs did indeed use the Intel PRO/1000 MT Desktop (82540EM) driver (thankfully not set to NAT).

There are several links in the article summary, and it would be a shame if readers overlooked the particular link to the researcher's actual excellent work:

https://github.com/MorteNoir1/virtualbox_e1000_0day

And, as mentioned in the detailed report in the GitHub project, the rules in the "bug bounty" economy need to be clarified and made reliable so that researchers have the incentive and confidence to make the significant investment to do this kind of great work. Maybe bounty cash should be put in escrow, with independent arbiters of whether exploits meet requirements.

This kind of research is also being done by state actors and criminal organizations, of course, but their ambitions rely on breeding, nurturing, and exploiting bugs -- for wealth and power. Grossly unethical, and not a path to feeling loved.

Simple to work around, no?

There's a lot of bitching and moaning on this so far but nothing on what I believe a simple fix for this security problem. The emphasis I saw was that the default settings on the emulated network were vulnerable. So, if you are running VBox now go change the settings to something not vulnerable. The publishers of this software can change the defaults on the next release with a note that changing them to what was default before comes with the potential for some malware to exploit it.

My question is, what settings do I have to change to avoid this problem? Complaining about Oracle possibly being slow on a fix does not prevent people from fixing it themselves for now. I want to know what a secure setting might be.

My guess is that simply changing the emulated NIC is sufficient. Another fix that I expect would work is to use USB or PCI passthrough to a real hardware NIC. If the problem is in the NAT then change to a different kind of network. I don't recall all the options on VBox networking but something has to work.

I haven't used VBox in a while so I'm a bit fuzzy on the specifics but I do recall having network troubles with it. I learned that I could get better networking from my VMs with a USB Ethernet adapter for each machine that needed network access. I bought a couple for $30 each, and now there's certainly cheaper ones available that I'm sure work just as well. That's pretty cheap to get a good network connection for a desktop setup but is inconvenient on a laptop. Unless this security problem exists with this kind of setup, which seems doubtful given the description of the bug, then I'd recommend that. Make some coffee and toast for breakfast for a couple days instead of going to Starbucks and you can buy a USB Ethernet adapter, and you'll probably lose a pound or two in the process.

I'm an engineer by trade and training so I like to discuss solutions, not complain until someone else fixes it for me. I thought this website was for the do-it-yerself types. I guess not.

Re:Simple to work around, no?

Are you new here? Slashdot is dying.

Re:Simple to work around, no?

He's correct. Slashdot is dying. It used to be news but it's now just a technology slant a la Highlights magazine. There might be a phoenix effect but I doubt it. Internet dissemination doesn't work like that anymore.

Re: Simple to work around, no?

[Provocateur]

was being the operative word here.

Impersonating me AGAIN? apk

See subject: I pity c6gunner caught impersonating me (his name's the submitter signing "APK") https://linux.slashdot.org/com...

* Simply because he tried to INSULT me & I made him a COMPLETELY FAIR CHALLENGE he couldn't meet or beat by showing me he's done better work in the past prior to his impersonating me there.

APK

P.S.=> You shouldn't throw stones when you live in a glass house boys - especially vs. me... apk

Impersonating me AGAIN? apk

See subject: I pity c6gunner caught impersonating me (his name's the submitter signing "APK") https://linux.slashdot.org/com...

* All because he tried to INSULT me & I made him a COMPLETELY FAIR CHALLENGE he couldn't meet or beat by showing me he's done better work in the past prior to his impersonating me there.

APK

P.S.=> You shouldn't throw stones when you live in a glass house boys - especially vs. me... apk

lol "security researcher"

"Security researcher" sounds so much more serious, official and professional than "Nerd who can't get laid wasting his life with computers in his mother's basement".

Re: lol "security researcher"

Why do you assume that anybody whose main focus in life is not copulation is wasting their life?

VirtualBox 5.2.22 is already out

https://www.virtualbox.org/wiki/Changelog

I don't understand the details of the vulnerability, but the originator of the repo linked in TFS says VirtualBox 5.2.22 "looks like a solid fix".

See https://github.com/MorteNoir1/virtualbox_e1000_0day/issues/12

YMMV

IMPERSONATING me AGAIN? apk

See subject: I pity c6gunner caught impersonating me (his name's the submitter signing "APK") https://linux.slashdot.org/com...

* All because he tried to INSULT me & I made him a COMPLETELY FAIR CHALLENGE he couldn't meet or beat by showing me he's done better work in the past prior to his impersonating me there.

(You shouldn't throw stones when you live in a glass house boys - especially vs. me)

APK

P.S.=> Hosts stop portsmash https://it.slashdot.org/commen... not Spectre/Meltdown - so cut your crap lies as you IMPERSONATE me you pitiful loser... apk

Folks can't touch what doesn't exist, lol... apk

Folks can't touch what doesn't exist: You're a BETTER programmer than I, quoted saying so below? WHERE'S PROOF OF WORK YOU DO EVEN /.ers LIKE & USE?

It's NOT!

"I'm a much better programmer than APK, as has been proven." - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082)

FROM https://yro.slashdot.org/comme...

* I have DOZENS of /.ers saying they like & use my work - praising it & it's good effects on more speed, security, reliability & anonymity PLUS 100,000++ users of it worldwide - DO YOU??

HELL NO!

You also LIED trying to "take credit" for a SOLUTION to C++ string buffer overflow issues I SOLVED WAY BEFORE YOU https://tech.slashdot.org/comm... proof's right there scumbag punk you are.

I also shot you to pieces on your github LIE @ the root of all that too (yes that's you too scumbag) https://yro.slashdot.org/comme...

APK

P.S.=> CodeSigning you "praise" (I don't for GOOD REASONS & I use something better) can & HAS been STOLEN & ABUSED https://www.helpnetsecurity.co... MY METHOD CAN'T BE (upmodded +2 INTERESTING in CODING FOR DEFCON no less) https://it.slashdot.org/commen... ... apk

Folks can't touch what doesn't exist, lol... apk

Folks can't touch what doesn't exist: You're a BETTER programmer than I quoted saying it below? WHERE'S PROOF OF WORK YOU DO EVEN /.ers LIKE & USE?

It's NOT!

"I'm a much better programmer than APK, as has been proven." - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082)

FROM https://yro.slashdot.org/comme...

* I have DOZENS of /.ers saying they like & use my work - praising it & it's good effects on more speed, security, reliability & anonymity PLUS 100,000++ users of it worldwide - DO YOU??

HELL NO!

You also LIED trying to "take credit" for a SOLUTION to C++ string buffer overflow issues I SOLVED WAY BEFORE YOU https://tech.slashdot.org/comm... proof's right there scumbag punk you are.

I also shot you to pieces on your github LIE @ the root of all that too (yes that's you too scumbag) https://yro.slashdot.org/comme...

APK

P.S.=> CodeSigning you "praise" (I don't for GOOD REASONS & I use something better) can & HAS been STOLEN & ABUSED https://www.helpnetsecurity.co... MY METHOD CAN'T BE (upmodded +2 INTERESTING in CODING FOR DEFCON no less) https://it.slashdot.org/commen... ... apk

IMPERSONATING me AGAIN? apk

See subject: I pity c6gunner caught impersonating me (his name's the submitter signing "APK") https://linux.slashdot.org/com...

* He tried to INSULT me & so I made him a COMPLETELY FAIR CHALLENGE he couldn't meet or beat by showing me he's done better work in the past prior to his impersonating me there.

(You shouldn't throw stones when you live in a glass house boys - especially vs. me!)

APK

P.S.=> Hosts stop portsmash https://it.slashdot.org/commen... not Spectre/Meltdown - so cut your crap lies as you IMPERSONATE me you pitiful loser... apk

Folks can't touch what doesn't exist, lol... apk

Folks can't touch what doesn't exist: You're a BETTER programmer than I quoted saying it below? WHERE'S PROOF OF WORK YOU DO EVEN /.ers LIKE & USE?

It's NOT!

"I'm a much better programmer than APK, as has been proven." - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082)

FROM https://yro.slashdot.org/comme...

* I have DOZENS of /.ers saying they like & use my work - praising it & it's good effects on more speed, security, reliability & anonymity PLUS 100,000++ users of it worldwide - DO YOU??

HELL NO!

You also LIED trying to "take credit" for a SOLUTION to C++ string buffer overflow issues I SOLVED WAY BEFORE YOU https://tech.slashdot.org/comm... proof's right there scumbag punk you are.

I also shot you to pieces on your github LIE @ the root of all that too (yes that's you too scumbag) https://yro.slashdot.org/comme...

APK

P.S.=> CodeSigning you "praise" (I don't for GOOD REASONS & I use something better) can & HAS been STOLEN & ABUSED https://www.helpnetsecurity.co... MY METHOD CAN'T BE (upmodded +2 INTERESTING in CODING FOR DEFCON no less) https://it.slashdot.org/commen... ... apk

IMPERSONATING me AGAIN? apk

See subject: I pity c6gunner caught impersonating me (his name's the submitter signing "APK") https://linux.slashdot.org/com...

* He tried to INSULT me & so I made him a COMPLETELY FAIR CHALLENGE he couldn't meet or beat by showing me he's done better work in the past prior to his impersonating me there.

(You shouldn't throw stones when you live in a glass house boys - especially vs. me)

APK

P.S.=> Hosts stop portsmash https://it.slashdot.org/commen... not Spectre/Meltdown - so cut your lies as you IMPERSONATE me you pitiful loser... apk

ZIP you already committed public suicide... apk

ZIP you already committed public suicide everyone can read about here (lmao) https://developers.slashdot.or...

* RoTfLmAo!

(Have your "TaNtRuMz" elsewhere - try your mommy, she may respond to your crybaby bullshit orders - I don't - especially vs. WORMS like you!)

APK

P.S.=> I didn't write the post you replied to so you know, the morons who oppose me here & lose STUPIDLY (lol, see link above as an "example proof thereof") are IMPERSONATING me & then STALKING me by UNIDENTIFIABLE anonymous as you are now (so 'brave', lol - not)... apk

Re:ZIP you already committed public suicide... apk

[Zontar+The+Mindless]

Links are not some form of magic, Alex. Two rotten apples are not any more edible than one, and hyperlinking to repetitions of lies does not make them true, no matter how many times you do it.

Use KMS on Linux or Hyper-V on Win10

[Billly+Gates]

If you have to use WIndows upgrade to pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically. If you run linux KMS is there and qemu if you want a gui. Shoot even pfsense ran under Hyper-V natively without any hacks or packages out of the iso!

Both KMS and Hyper-V are type-1 hypervisors unlike the shitty VmWare Workstation and virtualbox. No guest tools and run bare metal near native speeds.

Re:Use KMS on Linux or Hyper-V on Win10

If you have to use WIndows upgrade to pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically.

Uh, no. Integration components is MS's term for guest tools and are automatically installed. Linux has its own tools which MS went out of its way to make sure were compatible with Hyper-V. Linux also has native support for its own para-virtualized devices, its term for guest tools, so it supports KVM "natively" since many, many years ago. For Windows, you install guest drivers. In short, you don't get out of using host to guest drivers.

Both KMS and Hyper-V are type-1 hypervisors unlike the shitty VmWare Workstation and virtualbox. No guest tools and run bare metal near native speeds.

Unless you want to be able to use a Windows VM on Windows, move it to Linux, then move it back again. The only reasonable way to get near native speed without guest tools is to do hardware pass-through, and that's generally not worth it for anything but graphics cards and possible network cards. Seriously, argue at least something sensible like standardizing on guest tools across KVM, Hyper-V, VMware, and Virtualbox to make it all pretty moot. Don't spout bullshit.

Re:Use KMS on Linux or Hyper-V on Win10

[Billly+Gates]

The integration tool,.s are default on modern linux distros as a kernel module. I do not have experience in ArchLinux but I have never needed to install them manually ever.

Re:Use KMS on Linux or Hyper-V on Win10

"Installed by default" != "without guest tools" || "run bare metal". And, again, while Linux guests are setup to automatically support guest drivers for Hyper-V and KVM, Windows guests are not setup to automatically support KVM (AFAIK, and that guide I pointed to was from Feb 2018). Beyond that, 3d graphical support is horrible without pass-through and pass-through is a PITA presuming it works.

You want to argue Virtualbox is more insecure or has more performance bottlenecks compared to KVM or Hyper-V, that might be the case. But virtually all virtualization solutions use guest drivers in some form because emulating most hardware is ass slow. It's the main reason DOS/Windows 9x is so shitty in all the various virtualization solutions I've seen as no one wants to support an OS that was all about direct hardware access and the mess that is constant root access and trying to defend against everything. That and I think most people think DOSBox is good enough*, think wanting to virtual Windows 9x is stupid (go figure on the logic on that one), and honestly I don't know if virtualization will ever get to the level of being as good as DOSBox with the difficulty of timing and such.

* PCEm is also pretty awesome. AFAIK, the next version is supposed to work a lot harder on performance which is pretty awesome. I have a lot respect for the developer trying to make things cycle accurate precisely because it's the only way to get a lot of DOS demos, games, etc working properly.

Re:Use KMS on Linux or Hyper-V on Win10

[thegarbz]

Since you look like you know a bit about this, are there any downsides to enabling Hyper-V in Windows? Being a Type-1 hypervisor does that mean that Windows 10 itself suddenly becomes a guest on the hardware? Will it affect gaming or other performance?

I've been considering playing with Hyper-V but haven't seen an answer to this question yet. I don't worry about it on my Linux box since it doesn't sit there gaming, rendering or otherwise heavily loading the hardware, and in that case I happy run Ubuntu on Xen (which was incredibly trivial to install).

Re: Use KMS on Linux or Hyper-V on Win10

[Billly+Gates]

You are correct. In a type 1 hypervisor there is a parent child relationship as the hypervisor runs in ring -1 underneath the kernel inside the CPU itself. So near native speeds for the parent and more restrictions for the children or so called guests as they call them in type 2. On my home PC I can game fine. World of Warcraft slowed down only 1 to 2 fps and I have an older i7 4770K. Guests would be slower with the GPU in pass through mode but much quicker than virtual box as no software layer is used.

So far my CPU runs much cooler and all my guests sleep when the parent OS sleeps as everything is integrated which is cool

I/O is much faster in hyper-V and KMs for all vms and GPU pass thru. Downside is latency dependent apps like audio mixing might have problems. Also your nic gets virtualized into a switch so if you use custom DNS stuff like cloudflare which I vuse then you need to configure this before enabling hyper-V as your Ethernet 1 doesn't move packets anymore as the hypervisor does this now

Re: Use KMS on Linux or Hyper-V on Win10

[thegarbz]

Thanks, I may have a play with this.

Bob

When you tell them that they suck and really doesn't understand IT, they called you "disgruntled"...may be he have to follow some gayish COC.

Virtualbox is NOT free if you add the add ons...

Be VERY careful with Virtualbox. Yes, VBox itself is licensed openly... but if you want stuff like working video, USB drivers, or other items, and you download and install the add-on pack, boom... you now are using licensed commercial software which does report back to Oracle, and they will want their cut.

Because of this, you might as well just use VMWare Workstation or Fusion, because they at least keep updating it.

Re:Folks can't touch what doesn't exist, lol... ap

[Zontar+The+Mindless]

You told people to block GitHub and GitLab—permanently, FFS.

I remember a couple of years ago when you were so proud of yourself because your string routines pegged the fucking CPU. You only changed your tune about this after about 200 people here on Slashdot mocked you for it, and rightly so.

And you continue to indulge in your classic "Pick on someone until you get a reaction, then claim they're picking on you" which is about what I'd expect of Donald Trump or someone else with the mentality of a 12-year-old bully.

So how'd it turn out for you with trying to run that Zontar character off the board, eh? Are you still living in your mother's basement? And how's the weather in Syracuse today?

Re:Virtualbox is NOT free if you add the add ons..

[Zontar+The+Mindless]

I count: one (new) unsubstantiated allegation and at least two lies (which you've repeated before). Why are you trolling this thread, anyhow?

Curious definition of reliability

[CustomSolvers2]

"The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

Can I reproduce that exploit? Yes. It will work or not. Funny. It seems the post-truth adaptation of "it works in my machine". Why even caring about saying something appearing to be true anymore, right?

Most of people seem completely incapable of understanding simple concepts. In fact, I am starting to think that well-reasoned-and-validatable-but-long statements are more likely to be assumed wrong or even untruthful by a big number of (usually noisy) individuals; unlikely not saying anything or using simple, short, ideally-repeated-many-times-&-cool-looking expressions with no real meaning.

Although I am not the kind of Schadenfreude guy, I do feel really good with myself and with all what I have (= dignity, honesty, not tolerating arbitrariness, etc.) when I see what the tyranny of the most profound stupidity and fanaticism can bring, mainly online. The saddest part is when those having nothing (from my perspective) aren't aware about that fact and seriously expect their nonsense to prevail when I am around. It is a bit pathetic. But as far as I know that helping/reasoning isn't an option (even if they could understand, they are too ignorant, empty, dishonest and invasive to ever do anything about which I could really care), I will simply focus on enjoying my privileged position.

Re:Curious definition of reliability

It's not a race or something like that, and he's telling you that he hasn't tested if it still works with mismatched binaries - which you normally shouldn't have.

Re: Curious definition of reliability

Wow, you are a pretentious prick.

Read the article you cuck.

Re:Curious definition of reliability

Folks, is what the Dunning Kruger effect looks like.

Re:Curious definition of reliability

[CustomSolvers2]

It's not a race or something like that, and he's telling you that he hasn't tested if it still works with mismatched binaries - which you normally shouldn't have.

My post was exclusively focused on the funny (indicative, not-too-honest, etc.) reference to 100% reliability. You have found an exploit working under very specific conditions and you list those specific conditions? Everything is fine with me. You could even go a bit further and get some reliable statistics (+ clearly refer to their source -> this is what you should always do when using generic values intended to have an intrinsic meaning, providing some context about their true reliability) about how probable is for certain group of people/software/computers to be in that situation and to estimate a percentage of success of your exploit. It would also be fine. Almost anything would have been fine. Saying that it is 100% reliable is tremendously far away from being fine, clear, honest and, for me, acceptable.

Re: Curious definition of reliability

[CustomSolvers2]

Wow, you are a pretentious prick.

Read the article you cuck.

?! I wasn't commenting the article, you anonymous piece of shit, but the express reference (direct quote from his author) "The exploit is 100% reliable" and the ridiculously dishonest meaning given to that expression. I took advantage from that to highlight my profound disdain towards the tremendous-ignorance-prone subculture of idiots which internet is creating. You have to be a special kind of idiot to read something like "100% reliable" together with the subsequent explanations and think that it makes any sense. You have to be the kind of credulous, coward/anonymous and pathetic idiot who isn't able to understand a simple post (my previous one), but dares to "participate" in the discussion and naively thinks that using two sentences with two insults saying pretty much nothing about his/her understanding/background makes him/her look intelligent.

Actually, you are so stupid that you aren't even understanding that your post is precisely representing a practical sample of what I was describing in my post. I quote myself:

In fact, I am starting to think that well-reasoned-and-validatable-but-long statements are more likely to be assumed wrong or even untruthful by a big number of (usually noisy) individuals; unlikely not saying anything or using simple, short, ideally-repeated-many-times-&-cool-looking expressions with no real meaning.

You are the kind of pathetic idiot that follows (-> this is what you are, a sheep) people saying short, simple, noisy (and/or arbitrarily insulting, attacking a common enemy, unreasonably appraising what you like, etc.) statements like these. In fact, you might even not be able to understand/write English too well. But you know that those two sentences are right, because you have read them many times from other idiots like you, knowing pretty much the same than you and meaning pretty much the same than your pathetic post means (= nothing). A (not necessarily too bright) parrot should be able to deliver pretty much the same than you have done right now without much effort. You are joke. You are a sample of what no one should ever be. You are the output of pure stupidity. You are so irrelevant and so pathetic that just getting this answer from me might be one of the most relevant things of which you have been part in a while.

Re:Curious definition of reliability

[CustomSolvers2]

Folks, is what the Dunning Kruger effect looks like.

Folks? Who do you think that is caring about your nonsense? Or do you have a multiple-personality disorder? Or is it perhaps your group-, social-media, bubble-based distortion of reality which is playing with you? You aren't able to have a conversation 1-to-1 with another person anymore? You already need to always be able to (anonymously) bash others, be part of a group, get some extra advantage? You think that you aren't alone anymore? That there will always be another pathetic idiot like you repeating, liking, upvoting whatever nonsense you say? Or you could always trick the system a bit, right? Creating different profiles, posting various times anonymously. Seems a bit pathetic, but it feels so good when you see the results! The media/internet supporting you! LOL. As said in my previous message (probably to you too), you are beyond pathetic and just the fact that you think that a piece of shit like you has anything to say to someone like me proves your tremendous disconnection with reality. Not with your reality, with the real reality, the one where all your (fake or not) friends, upvotes, stars have no value. You are a sad joke who should have some minimum survival resources and know with whom you can deal and with whom you cannot.

Even though you don't deserve it, I will share a curious anecdote with you. Some years back, I had a pretty weird interaction with a pretty weird person (or group of them, no idea) who did mention that "Dunning Kruger effect". That person(s) was weirdly obsessed with everyone wanting to use the same approach than them (it was about a methodology to build GUIs; bear in mind that this isn't precisely my strongest suit and that I was clearly transmitting that point, that I was fine with my approach for the limited problems with which I was dealing; but this wasn't enough for them who seem really interested in everyone liking the same that they do!!). Back then, I didn't look the meaning of that expression up, exactly the same that I am not doing it now. I mean... I am the kind of guy who is always learning, but cases like this sound to me similar to urban legends or things that insecure people repeat to impress others (something like saying that you know/saw something when it isn't true). Not saying that it isn't really a medical condition, but probably (because of the two times when I have heard about it) is used in a trendy/ignorant fashion. What do I mean with that? I mean for example how is being Aspergers/autism used within certain "collectives" (groups of idiots). It is the kind of easy understanding on which easy people (I mean idiots) rely to simplify the too-complex-for-them world. Something like a simple chant that they can repeat over and over; approaches that they feel that will always work (-> blindly trusting in the 100% reliability of something seems very important for idiots); ideas making them feel safe like thinking about an abstract enemy/problem/bad guys. You know? The kind of pathetic seeds that generate the worst version of ignorance, eventually converted into fanaticism and hate. I mean... I am not truly familiar with all these "urges" which tremendously insecure and ignorant people (usually violent and invasive too) feel. But I guess that this is a reasonably good estimate. Feel free to correct me if I am wrong, by assuming that you have been able to read until here because I am sure that so many words should be really difficult for someone like you. LOL.

No surprise here

[RuiFRibeiro]

I tried to use VirtualBox in my corporate Windows desktop earlier on this year.
Gave up on frustration of the multitude of bugs I encountered.
I cannot even phantom how people depend on VirtualBox to do some serious work, or how some misguided souls use it to run Linux servers.

Re: No surprise here

You must suck at puterZ LUL. Can't even configure a virtual machine. What a joke.

Virtualization Is NSA Backdoor'd To Hell

Enjoy!!

Re: Virtualization Is NSA Backdoor'd To Hell

I backdoored your mother to hell. I enjoyed it too. I'm not so sure she did, but thats her problem, not mine.

Hello Autismo

bazinga!!!

MySQL upgrade to PG

Not smooth at all for all those open source projects which don't support Postgres

Re:Virtualbox is NOT free if you add the add ons..

Read the PUEL. Again, not for commercial use unless you licensed it. I understand you want to ensure your Oracle stock does well, but the stock value isn't going to increase by spreading falsehoods or calling people liars.

I highly recommend not calling someone a liar unless you can show proof. Even with a four digit ID.

I find word of mouth the BEST advertisement

See subject & YOUR words BronsCon "I've never tried to belittle (APK's work), I've flat out said it's good - by BronsCon (927697) on Thursday February 11, 2016 @06:48PM (#51491263)

* Thanks for the GREAT review!

APK

P.S.=> I didn't post the post you replied to, so you know (impersonators did)... apk

Re:I find word of mouth the BEST advertisement

[BronsCon]

Still an ad, still a valid question, still no affirmative response from you, and still quoting me out off context as explained in my signature. Still just as toxic, underhanded, and dishonest as always; nobody should use or trust software written by someone with those traits. How's that for a review? Dick.

Re: Folks can't touch what doesn't exist, lol... a

I'm glad you posted this. APK been dragging your name thru the mud for months. Glad to hear your side.

It's a DIRECT QUOTE then... apk

"I'm a much better programmer than APK, as has been proven." - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082)

FROM https://yro.slashdot.org/comme...

When "ZIP" proves he has dozens of registered /.ers praising/liking/using HIS non-existent work & 100,000++ users of it I have then he can make THAT the truth but he never does, lol!

Instead all he does is STALK me by his "ZIP" ac posts WHEN HE HAS A REGISTERED ACCOUNT & HIDES from me by AC posts + DOWNMOD BOMB my posts

"P.S. => I down-modded a few of your post on other threads to save you some embarrassment. - by Anonymous Coward "ZIP" on Thursday October 11, 2018 @11:31AM (#57461058) FROM https://yro.slashdot.org/comme...

Like the "brave courageous guy" (not) he is, lol!

* ANYONE CAN TALK - very few (like me) actually DO & can back it up!

APK

P.S.=> Then again, like "ZIP"? NEITHER can YOU, lmao... apk

I'm like a hamster? You ARE one... apk

If you're not sending me postcards like the LOON you admittedly are that also makes FAKE ACCOUNTS to STALK me with too.

Going to make more sockpuppets to stalk & troll me with you loon https://slashdot.org/comments.... ?

Sending me postcards with threats too https://slashdot.org/comments.... ?? Your "watch your mailbox" THREAT & you "going postal" (pun intended) that way w/ MORE 'warnings' from you (wow).

See subject: I'm like a hamster? You ARE one-> https://developers.slashdot.or...

APK

P.S.=> Grow up lunatic &
Take your meds mentalcase - YOU NEED THEM https://slashdot.org/comments.... & You're a druggie too https://slashdot.org/comments.... ... apk

ESET/NOD32 proved Github hosts malware

See subject: I reported FACT on KODI from ESET that proved github hosts malware so into hosts it went https://www.welivesecurity.com... & there is NO DENYING IT!

* ESET/NOD32 = correct.

See for yourself right on their own page in that link there - you lose as always, false accusation LIES as always from you that you now have to EAT YOUR WORDS on loser...

APK

P.S.=> Funny I can show DOZENS of REGISTERED USERS like/use/praise my work (not your notware, lol) https://search.slashdot.org/co... vs. UNIDENTIFIABLE ANONYMOUS LOSERS who harass/STALK & IMPERSONATE me (like you do w/ sockpuppets you made to do it too PROOF - Going to make more sockpuppets to stalk & troll me with you loon https://slashdot.org/comments.... ? )... apk

How about truth/fact instead Zontar?

Going to make more sockpuppets to stalk & troll me with you loon https://slashdot.org/comments.... ?

Sending me postcards with threats too https://slashdot.org/comments.... ?? Your "watch your mailbox" THREAT & you "going postal" (pun intended) that way w/ MORE 'warnings' from you (wow).

Take your meds mentalcase https://slashdot.org/comments.... & You're a druggie too https://slashdot.org/comments....

* Zontar The Mindless (for sure OUT OF YOUR MIND, lol): You're a butthurt loon freak, plain & simple - you did it to yourself, loser...

APK

P.S.=> You're a lunatic mentalcase - period: How about YOU proving hosts & my program that builds them are useless (you FAIL there bigtime, lol) https://slashdot.org/comments.... ? I've plenty of evidence/fact to the CONTRARY right here alone as to hosts efficacy vs. threats AND that folks use/like MY WORK https://search.slashdot.org/co... ... apk

Re:How about truth/fact instead Zontar?

Your penis be tiny bro, deal

womp womp

Disgruntled? Focus on the exploit, not ad hominem!

Disgruntled? Focus on the exploit, not ad hominem!

Thanks for saying my work's good BronsCon!

Thanks for saying my work's good BronsCon! Nice to see you can't DENY you say my work ROCKS - & it does!

* I'm not here to win some "highschool popularity contest" - I'm here to WIN (& I clearly am thanks to praise like yours) so EVERYONE wins.

(I could care less if you don't like ME personally)

APK

P.S.=> You saying you didn't say what I quoted in you saying my work's good? apk

Re:Thanks for saying my work's good BronsCon!

[BronsCon]

I'm saying that, in the context in which I actually said it, it wasn't praise at all. You're too fucking dense to realize that, though... which, honestly, is not my problem.

Projecting YOUR issues again I see

Projecting YOUR issues again I see: You have no dick & certainly NO BALLS as you STALK me behind UNIDENTIFIABLE anonymous.

APK

P.S.=> Grow up psycho - accept it - vs. me? You will ALWAYS lose (it's all "your kind" KNOWS how to do in this life, lol)... apk

You don't deny you said my work's good then... apk

You don't deny you literally said my work's good then: I'm not here to win a personal popularity contest. I'm here to win & all do gaining by my work.

* Your "seal of approval" on me? I could care less - irrelevant. On my program I do & you spoke well of its quality: FACT!

(Many do worldwide)

APK

P.S.=> Sure seemed like a problem to you IF you had to reply to my irrefutable logic asking if you said my work IS good - you admit you did & it is - thanks... apk

Re:You don't deny you said my work's good then...

[BronsCon]

You're missing it, so I'll state it more plainly. I did literally write words similar to what you keep quoting (your edit changes the meaning a fair bit so, no, I did not write that), but it was not an endorsement of your work so much as a preface to an insult. Once again, my words were not an endorsement of your work and the fact that you had to edit them to make them appear to be such should be a dead giveaway of that.

I wouldn't bother replying to irrefutable logic, except to concede or agree, because I'm not an idiot. You, on the other hand, have just had your flawed logic refuted.