It doesn't work any more; Slashdot just deletes the word altogether if it contradicts the score. I think the highest score you can get on a "Troll" post is 2.
Actually, correction: this isn't session fixation, it's a replay attack (as earlzdotnet points out). Session fixation is where you make the user use the attacker's cookie, rather than the other way round. (Less useful but still potentially exploitable.)
https is used to prevent session fixation working without a secondary exploit. If you have a secondary exploit that allows access to the cookie (e.g. the XSS exploit you're describing), then a different fix is needed for the different exploit (for instance, fixing the XSS hole itself, or marking the cookies as http-only so that they can't be accessed via JavaScript). If you don't have https, then someone with access to the victim's network doesn't need another exploit at all; their network access is enough in its own right.
In this case, it seems that some of the services were using https to protect the cookie and had secondary exploits, and others weren't protecting the cookie and so the secondary exploits weren't needed.
(Also, your suggested fix doesn't work; what's causing the server to send the hidden form field? There's no obvious way to send it to the user-who-has-a-cookie unless you also send it to the attacker-who-has-a-cookie. Unless you make the user log in on every page view, which would be ridiculous (although at least Bugzilla can optionally fall back to that mechanism if the user isn't accepting cookies).)
This isn't exactly a new exploit (I remember the Firesheep event where someone made hijacking Facebook accounts like this user-friendly, but don't have a link handy). One problem with actually doing this is that you need access to the data as the victim's sending it (e.g. via sniffing unencrypted wi-fi, or physical access to the network that the victim is using); that still gives several possible targets (especially the wi-fi angle), but makes it much harder to use against arbitrary targets.
(The simplest fix, of course, is to use https for all cookie handling, which probably means https for every page access.)
So this is old news, although a reminder that this is still possible is definitely worthwhile.
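A defender-side check for the cookie handling discussed above, added here as an example that is not part of the original comments: it audits Set-Cookie headers for session cookies that could be captured and replayed (issued over plain http, or missing Secure/HttpOnly). The session cookie names and the sample responses are constructed for illustration.

```python
"""Audit Set-Cookie headers for replayable session cookies (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: cookie names that usually carry a session identifier. A real
# audit would use the names the application under review actually sets.
SESSION_NAMES = ("sessionid", "phpsessid", "jsessionid", "sid", "session")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into its name and attribute flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flag attrs map to ""
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def audit_cookie(header: str, served_over_https: bool) -> CookieAudit:
    """Flag the weaknesses the thread describes for a session cookie."""
    cookie = parse_set_cookie(header)
    if cookie.name.lower() not in SESSION_NAMES:
        return cookie  # non-session cookies are out of scope here
    if not served_over_https:
        cookie.problems.append(
            "issued over plain http: anyone who can sniff the network can replay it")
    if not cookie.secure:
        cookie.problems.append(
            "missing Secure: the browser will also send it over plain http")
    if not cookie.httponly:
        cookie.problems.append(
            "missing HttpOnly: readable by injected script, so XSS can steal it")
    return cookie


# Constructed sample responses: (scheme the response was served over, Set-Cookie value)
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("http", "SESSIONID=abc123; Path=/"),
    ("https", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("https", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https", "theme=dark; Path=/"),
]


def audit_all(responses: List[Tuple[str, str]]) -> List[CookieAudit]:
    return [audit_cookie(header, scheme == "https") for scheme, header in responses]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_RESPONSES):
        status = "ok" if not result.problems else "; ".join(result.problems)
        print(f"{result.name}: {status}")
```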
There are laws against what AT&T did in the UK (if you're storing information about a person that's sufficient to identify that person, you can't make it public without their permission, although you can obtain their permission when you obtain the information). Ones that are considered important enough to be taught in schools.
If you leave a pile of gold in the street, then legally, people shouldn't steal it. Although you'd be naive to expect it to still be there in the morning, if you found out who took it, you could legally get it back. (You'd also be liable somewhat for blocking the street, but that's a separate issue.)
It's an operating system, that descended from the original versions of UNIX (and thus is a true UNIX, rather than Linux which aims to be compatible with UNIX without actually being a UNIX), that's both free and open source; there were some licensing issues at one point but those have been cleaned up now. It's used in pretty much the same contexts as Linux is, and is pretty similar from a user's point of view, but is less popular. (The compatibility means that many programs only need a recompile to be ported from Linux to BSD or vice versa; and you can even get hybrid distributions, e.g. Debian/kFreeBSD is FreeBSD's kernel with the mostly-GNU userland that Debian uses, programs that are more frequently run on Linux. Or you can run BSD's traditional userland on Linux; many people do.)
The main reason it isn't so widely known is that it's pretty similar to Linux in terms of what it can do and why you would use it, so without a compelling reason to use BSD in particular, you'd typically use Linux by default because it's better known.
I think it's a response to most of their existing proprietary attempts to do things having been trainwrecks. I guess the reasoning is that at least this way, the trainwrecks will be less expensive on average.
Be careful. Part of the reason that this mess came about in the first place was that they'd given false names/addresses when filing a court case. And in general, the confusion is that nobody's sure who's meant to be in charge, if anyone. The judge has spent much of the court case so far trying to work it out; and is probably in a better position to enforce a punishment too.
If someone was very fast, and the people they were sending money to impatient, they might have been able to spend the same coins twice, one on the old version chain, one on the new version chain, and had both of the recipients believe that the transactions were confirmed. (Only one of them would actually get valid bitcoins as a result; in this case, the people on the older clients' chain).
I don't know if anyone actually did do that in this case, or (if they did) whether the recipients called them on it.
Most likely, I'd guess that some of them would be hitting cross-platform parts of the browser, and so the exploit would work in order to break out of the browser sandbox. Because Windows code doesn't run directly on Linux, the rest of the exploit would have to be changed to work correctly on Linux, but that would be a reasonably routine porting job.
If the exploit hits a platform-specific part of the browser, it wouldn't work on any other OS, because the part it was trying to attack wouldn't exist.
Think about something like iOS; there's no officially supported way to install arbitrary software (and doing so in practice requires jailbreaking). It is, however, possible to write an alternative browser for iOS; IIRC Apple allows them into the store at the moment, but they used not to, so you'd have a situation where the software existed but wasn't allowed to run.
It's not quite valid Perl. Typeglobs don't have a number of elements. (Apart from that, it parses: the word with the symbols in parses as "stringise the number of elements of the special variable @-, interpret that as a variable name, find the typeglob representing variables with that name, count the number of elements in it (this is the bit that doesn't work), interpret that as a package name, then call the static method 'd' in it with the argument 'sucking'.)
I'm subscribed to the mailing list at the moment; they're at least aware of the problem. The latest suggestion's been to put a really visible kill switch on the Dash that causes it to do no network traffic at all, even with a sandbox to make sure that none gets out by accident. Not as good as turning it on by default and letting the user turn it off, but it's at least an improvement.
The slowness in the Dash opening is, as far as I can tell, due to overuse of Zeitgeist (which is overengineered for what it does). So making the window manager faster isn't going to help there, and in general, it seems difficult to fix without a rethink of how that part of the desktop is implemented.
(FWIW, I use Unity as my primary desktop/window manager; I really like what it's trying to be, and it's quite a bit of the way there already, but there are a huge number of rough edges and it's still pretty slow and buggy.)
Regex search over the entire info document is something I use a lot, and HTML doesn't (natively) support. (Index search via typing the name of an index entry, and then jumping to other entries that match the same string, is another thing that HTML doesn't do well.) These are arguably deficiencies in HTML, and could be fixed with mindboggling amounts of JavaScript or by doing things server-side, but both seem to be missing the point to some extent.
I've been reading a lot of info pages recently, and learning the viewer was worth the effort (tip that helps a lot: 'l' undoes navigation commands, for when you've got completely lost due to pressing the wrong button). It'd be great if we had something that replaces Info without all its conveniences, but sadly nothing seems to have obsoleted it yet.
info shows the manpage by default if the info documentation isn't installed. So what you're seeing is probably a packaging problem, where the documentation exists but, for whatever reason (perhaps you're using a Debian-based distro and forgot to explicitly ask for it), wasn't installed on your computer.
It'd only be even potentially noticeable if the end user compiles their documentation from source. That's only likely to happen if they're also compiling their binaries from source, i.e. on source-based distros. (I doubt it'd be particularly noticeable even in such cases.) Most people would get the compiled version of the documentation, rather than compiling it themselves.
The way most stores sell Office nowadays is that they sell you a card with a code on it. In order to use it, you have to create an account with Microsoft (with a lot of personal information), enter the code on the card, and then Microsoft gives you your license key and a link to download the actual software from their website. This is true for even retail copies that have nothing to do with Office 365.
I agree, in that I've discovered LibreOffice isn't quite compatible enough with Microsoft Office to interoperate with it perfectly (although it does quite well on average).
However, Microsoft Office has the same problem. It often can't open files made with Microsoft Office accurately. (To the extent that my usual advice for people who want to make a Word document on one computer, and print it on another, is to save it to PDF on the original system and transport and print the PDF.)
Because being able to turn it off doesn't necessarily mean you know how to do so. (It's likely to be buried in a settings menu during the boot process.) Just putting a CD in the drive and choosing "install", like you used to be able to do, won't work unless you reconfigure the UEFI first. So it's adding a bunch of extra steps to try out a new OS.
This still worked 10 years ago. Admittedly, 6502-based computers were quite rare by then, but also very cheap because most people considered them junk. (And my machine code reference manual was a book, rather than photocopied.)
The putting hand-soldered circuitry into the printer ports came later for me, with Windows (back then I hadn't more than vaguely heard of Linux) and an RS232 port. That's still possible nowadays, although you probably need to get a USB to RS232 convertor (i.e. an RS232 port that's driven over USB) in order to get a computer with the appropriate ports.
Yes, but not by as much as you'd like, and it's been getting slowly worse over time for a while now.
The government - whichever party is in charge - has attempted to attribute the steady increase in grades to students being better-taught / cleverer, but is failing to hide the main causes of that, which are that the courses are being simplified and the grade boundaries adjusted so that you get higher grades for the same quality of work from the students. Most of this is subjective, but as an objective example, the year after I completed my Mathematics A-level (exam taken at approximately 18 years old, and the usual qualification used to obtain entrance to university), they pretty much directly removed 1/6 of the syllabus. (Precisely what happened: you had to take 6 exams, 3 of which were compulsory and 3 of which you could choose from a set. They changed the course to have 4 compulsory exams, which together covered the same material as the previous 3 compulsory exams, and required the choice of 2 of the optional exams. This lets you drop one of the optional exams, reducing the syllabus you have to cover, while still getting the same qualification.)
I may have undermined my own point, here.
One mibibyte = 1/1024 of a byte? I hadn't heard of that unit before, and for good reason :)
(I am happy with the use of kibibytes and mebibytes, though. It's nice to have unambiguous names for useful units.)
Presumably in the Microsoft Tax on the new computers that would otherwise be bought to replace them.