Let's get this straight: you're so rabidly anti-public-spending that you're willing to trample all over article 23 of the Universal Declaration of Human Rights for it? (And no, the USA is not exempt.) It makes me sad that a supposedly intelligent person can seriously suggest things like this, and makes me fear for the future of American democracy. What ever happened to "freedom"? Does that only count when it comes to guns?
Yup, and that's exactly why they keep these in plain text.
I have always questioned the wisdom of using this kind of security question at all. If they are used as an extra factor in authentication, then there is some rationale to it, though there are far stronger multi-factor schemes. The real scary part is that a lot of places (fortunately not banks) allow users to reset their password with little more than a correct answer to a security question, which can often be found on Facebook etc...
*facepalm* Wow, looks like you succeeded in submitting a 31-word post before your brain had the chance to spend a single cycle thinking about what you were writing. You must either be a very fast typer, or a very slow thinker.
Not to mention that the European Commission consists of more than 2 people and historically has been acting very pro-business as a whole (from a European perspective anyway), with the European Parliament providing a counterweight.
Whoosh.
It would be a tribute to the much-beloved X Windows, which was obviously their inspiration for introducing workspaces a.k.a. virtual desktops. (*)
(*) Yeah, yeah, I know that this is a feature that is implemented in (most FOSS) window managers, and that X has nothing to do with it. The joke works better like this, OK? Oh yeah, and the part about X Windows being beloved was sarcasm.
OSX is not as stable as Windows 7
That one's new to me, actually, though I haven't used either for appreciable periods of time so I cannot really know.
You might want to read my post again. Slowly. Note that in my last paragraph, I was not talking about CVE-2014-6271, but about the other thing Norihiro Tanaka tried. Also note the presence of the word "unlike" in my post. Either you missed that, or you misunderstood the information in your link. If so, to clarify: the old by-design behavior for passing a function to a subshell was by itself not remotely exploitable; it merely forced the shell to parse each and every env variable, making any bugs in the parser (we're counting 6 so far if I'm still keeping track) remotely exploitable. What Florian Weimer did is essentially limit the parsing of env variables to the ones that start with "BASH_FUNC_", which ordinarily cannot be set remotely (unless the daemon or client is criminally insecure). This is more a "defense in depth" style security enhancement than an actual bug fix, and it does have the potential of breaking bash scripts that are too tricky for their own good. It's also a must-have, long overdue, and has the beneficial side effect of eliminating potential namespace collisions between shell functions and other variables, so the "too tricky for their own good" script authors will have to suck it up.
Wait, wait, what? Surely you don't mean to suggest hamburgers are living organisms and not made synthetically in a factory?!
Yes, that was Florian Weimer's suggestion as discussed in the arstechnica article (which is probably where you got the idea), and is exactly what they did in the last round of patches.
Old behavior:
$ x() { echo foo; }; export -f x; env | grep foo
x=() { echo foo
New behavior:
$ x() { echo foo; }; export -f x; env | grep foo
BASH_FUNC_x()=() { echo foo
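An added check for the behavior the two transcripts above illustrate; this is example code written for this page, not anything from the thread, the bash project or the distro patches. It classifies `env`-style `NAME=VALUE` lines by which function-export scheme they use: the legacy form (`x=() { ...`, any variable name can carry a function body, so every variable reaches the parser), the prefixed form shown in the "new behavior" output (`BASH_FUNC_x()=`), and the `BASH_FUNC_x%%=` naming that upstream bash settled on later (that third form is my addition and is not shown in the thread). `audit_env` reads such lines on stdin and reports only the legacy-scheme entries, which is the case a defender cares about; `probe_bash` optionally runs the bash on PATH to see which scheme it actually uses. The sample lines in the test are constructed.

```shell
#!/bin/sh
# Example code, not from the original thread. Classify how a bash build
# exports shell functions into the environment.
#
#   legacy    x=() { ...              any variable name may hold a function
#   prefixed  BASH_FUNC_x()=() { ...  Weimer-style prefix (thread's "new behavior")
#   upstream  BASH_FUNC_x%%=() { ...  later upstream bash naming (added here)
#   none      an ordinary variable

# classify 'NAME=VALUE' -> prints one of: legacy prefixed upstream none
classify() {
    entry=$1
    name=${entry%%=*}      # everything before the first '='
    value=${entry#*=}      # everything after it
    case $value in
        "() {"*) ;;        # value looks like an exported function body
        *) echo none; return 0 ;;
    esac
    case $name in
        BASH_FUNC_*"()") echo prefixed ;;
        BASH_FUNC_*%%)   echo upstream ;;
        *)               echo legacy ;;
    esac
}

# audit_env: read env lines on stdin, print only legacy-scheme function
# exports (the ones that would be parsed whatever their variable name is).
audit_env() {
    while IFS= read -r line; do
        [ "$(classify "$line")" = legacy ] && printf '%s\n' "$line"
    done
    return 0
}

# probe_bash: export a throwaway function from a real bash (if one is on
# PATH) and classify the resulting env entry; prints "unavailable" otherwise.
probe_bash() {
    command -v bash >/dev/null 2>&1 || { echo unavailable; return 0; }
    bash -c 'probefn() { :; }; export -f probefn; env' 2>/dev/null \
        | grep probefn | while IFS= read -r line; do classify "$line"; done
    return 0
}
```

Feed it the output of `env` from a host to list any legacy-style function exports, or call `probe_bash` to see which scheme the local bash uses; a result of `legacy` means every environment variable is still handed to the function parser on startup.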
It pains me to defend the Apple fanboi, but what you say is not entirely true. The DHCP client in question explicitly calls "/bin/bash"; bash is a dependency for it. Of course, there do presumably exist Linux distros that use a different DHCP client, but in my understanding, the vulnerable one is quite widespread. The only saving grace (for a short time) is that remotely exploiting the DHCP client flaw is substantially more complex than remotely exploiting the web server flaw, and that the major distros already released full patches by yesterday morning.
You have a lot of good and true points, but there are a couple of huge mistakes in your post that I cannot let stand uncorrected.
AFAIK, the original Bourne shell hasn't been maintained since 1989 or so; if you were to distribute it today as /bin/sh, your distro would doubtlessly be plagued by the most embarrassing buffer overflow and other vulnerabilities. What Debian and its derivatives do is link /bin/sh to dash, the Debian Almquist Shell, which is a modern and well-maintained project aimed at providing a lightweight shell that throws out all interactive features yet has a rich set of non-interactive scripting features that far surpasses the original Bourne shell - not as rich as bash, but good enough for present-day shell scripting. I remember when they took the jump (which required months of preparation consisting of purging bashisms from common shell scripts), boot times were suddenly slashed in half because repeatedly initializing dash processes is so much lighter on the system than doing the same with bash. And as you said, as a side effect, security also benefits.
Redhat aside many third party shell scripts are written in bash that use no bash features
This is factually incorrect; when was the last time you installed something that didn't come out of a Debian repository? Red Hat is incredibly popular in corporate environments, and almost all 3rd party "#!/bin/sh" scripts are actually chock full of bashisms because their customers ask them to target Red Hat and their programmers are Red Hat inbreds who wouldn't know a bashism if it hit them in the head. And remember that a lot of FOSS development is being done within corporations... The pervasive bashisms are why it took Debian so much effort to switch and why Red Hat never did.
The Arstechnica journalist Sean Gallagher really dropped the ball on this one:
- His information was behind even when it was published. On the 25th of September around 22:00 EST (depending on the version you're running), Debian issued a patch that fixes the new vulnerabilities CVE-2014-7186 and CVE-2014-7187 AND implements the Florian Weimer suggestion, strongly mitigating the exploitability of any future parser bugs. Red Hat and Ubuntu took their sweet time validating this patch suite, but eventually followed suit the evening of the 26th and the morning of the 27th, respectively.
- The Norihiro Tanaka "bug" is documented and intended behavior, which Sean Gallagher could have known simply by clicking next in thread! Specifically, it's how bash passes shell functions to a subshell. Unlike shellshock, it could only be exploited remotely when allowing a remote attacker to set variables with arbitrary names, which is not the case for any widespread software package. If it was, you'd be lost regardless of which shell you're using and it would have been exploited ages ago. Even the Florian Weimer improvement doesn't change this.
Ooooh! It's the biggest conspiracy in human history! By the sheer scale of it, I wager it must have been perpetrated by the Illuminati, the Masons, the Elders of Zion and the New World Order all at once, because each of these organizations hates the fossil fuel industry as they're handsomely funded by the scary-powerful alternative energy lobby. Luckily, it has now been exposed by a handful of diligent bloggers, with no connection to any polluting industry at all. Because everyone knows blog posts have more weight than peer-reviewed scientific papers. </sarcasm>
Seriously, knock it off with regurgitating debunked climate myths. Yours is #9 on the list. Also related.
Hmmm, on second look, not a really good example of what I was saying. I can't quickly find a good source anywhere on modernist philosophy. There's of course this, but that's not the same; one could say modernist philosophy is a subset of modern philosophy. So I'm willing to concede the point by lack of time to dig up a good reference. Still, my assertion stands that TFA is one big strawman argument, and part of the problem.
http://en.wikipedia.org/wiki/M...
HTH
Wow, it's even on TV tropes. This Alva Noë guy is even more unoriginal than I initially thought.
Dear Alva Noë, the word you're looking for is "modernism", or rather, a caricature thereof. You're basically railing against a strawman on whom you put the label "Spock". I'm a scientist and I'm surrounded by scientists and atheists, yet I know few people who fit your description. Admittedly, some of the folks here on /. come close, but /. is a bit of a freak show in that respect. Either way, it sounds like you're trying very hard to paint modernists, atheists and adherents of science as sticks-in-the-mud, which would make you part of the problem.
Heh lol... looks like my autocorrect is the product of a right-wing conspiracy
Fortunately, the biosphere can separate elements far, far faster. Unfortunately, it's still far, far slower than the average historic lifetime of human civilizations.
The Heartland Institute published Watts' preliminary report on weather station data, titled Is the U.S. Surface Temperature Record Reliable?.[12] Watts has been featured as a speaker at Heartland Institute's International Conference on Climate Change, for which he acknowledges receiving payment.[55]
Documents obtained from the Heartland Institute and made public in February 2012 reveal that the Institute had agreed to help Watts raise $88,000 to set up a website,(...)
So, paid for by a fine organization that, apart from the climate change thing, is also known for denying the health effects of second-hand tobacco smoke, promoting fracking, and openly advocating free-market environmentalism? A likely story!
So, not invented here rarely makes sense with RedHat
NIH rarely makes sense anywhere, yet people are doing it everywhere. It's just that much more fun to create one's own code base and fix one's own bugs than to learn someone else's and do their homework for them. Own farts smell better...
On an American flight the passenger next to me went ballistic and very loudly demanded to be reseated, because I was wearing perfume.
This can actually be a pretty serious issue for people with asthma - just sayin'...
This puzzles me too. It would make some sense if the airlines were trying to push politicians to intervene in some way, or to sway public opinion, but all I can see them getting out of this is fingers pointing at them (aside from the direct financial loss, of course)...
Roughly a millennium later, in an alternative time line where Sauron won the war:
OMFG THAT'S'SSSS BOSSSSSS55S55555five555fifty-five