My rough guess here is something like valgrind would have helped. Yeah, even though you have the limits of true brk() allocation bundles, valgrind operates more at a byte level. Valgrind in this case would have been useless, because of the custom allocator code.
If you write code that requires a "caching" allocator so much that you break with normal malloc()/free(), you're doing something wrong. If you're doing it in high impact security code, you really should stop everything else and fix what you're doing wrong.
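The point about caching allocators hiding bugs from valgrind, as an added example that is not from the original comments or from any of the libraries mentioned: a toy LIFO freelist that recycles "freed" blocks without ever giving them back to libc, with a constructed "secret" string standing in for sensitive data. Because the tool only sees one malloc() and no free(), the next owner reading the previous owner's bytes looks like a perfectly valid access; scrubbing on free (or compiling the cache out so the real malloc()/free() boundaries are visible) is the fix shown.

```c
/* Added example (not from the original comments): a minimal "caching"
 * allocator of the kind the comment complains about, and why tools such
 * as valgrind cannot see a stale-data read through it. From the tool's
 * point of view each cached block was malloc()'d once and never freed,
 * so a later allocation that receives the same block and reads the
 * previous owner's bytes is an initialized, addressable access.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 64
#define CACHE_MAX  8

static void *cache[CACHE_MAX];   /* freed blocks kept for reuse */
static int   cache_len = 0;
static int   scrub_on_free = 0;  /* 0 = behave like a naive cache */

/* Hand out a cached block if one exists, otherwise go to libc. */
static void *fl_alloc(void)
{
    if (cache_len > 0)
        return cache[--cache_len];
    return malloc(BLOCK_SIZE);
}

/* Return a block to the cache instead of to libc. */
static void fl_free(void *p)
{
    if (scrub_on_free)
        memset(p, 0, BLOCK_SIZE);   /* defender fix: data must not outlive its owner */
    if (cache_len < CACHE_MAX)
        cache[cache_len++] = p;
    else
        free(p);
}

/* Returns 1 if a fresh allocation still contains the previous owner's
 * secret, 0 otherwise. Under valgrind the read is never reported,
 * because the block was never released to libc in between. */
int stale_data_visible(int scrub)
{
    static const char secret[] = "session-key-1234"; /* constructed sample */
    scrub_on_free = scrub;
    cache_len = 0;

    char *first = fl_alloc();
    memcpy(first, secret, sizeof secret);
    fl_free(first);                      /* "freed", but only into the cache */

    char *second = fl_alloc();           /* gets the very same block back */
    int leaked = memcmp(second, secret, sizeof secret) == 0;

    /* drain the cache so every block really goes back to libc */
    fl_free(second);
    while (cache_len > 0)
        free(cache[--cache_len]);
    return leaked;
}

int main(void)
{
    printf("naive cache leaks old data: %d\n", stale_data_visible(0));
    printf("scrub-on-free leaks old data: %d\n", stale_data_visible(1));
    return 0;
}
```

Run the binary under valgrind and it stays silent in both modes, which is exactly the blind spot the comment is describing.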
If I'm a malicious hacker, or the NSA, but I repeat myself...
I'd be now (if I wasn't before) checking the feeds for gnutls, nss, and openssl, hoping to catch the bug before anyone else, so I can exploit it.
That said, I'd also be checking out the best decompilers to see if that helps me find bugs in closed source code. I'm sure people have looked online for Windows source code to see if there are any ways to exploit it. In this case, a small group of hackers would have the code, and would necessarily want to limit the number of people aware of those exploits.
Don't most people who complain about mods get metamodded to smithereens? This guy is complaining about moderation (being in the form of popularity and talk) about something.
I'd get metamodded to shreds, he gets a front page post.
Is it any better than a billion geeks in Silicon Valley trying to create YetAnotherMobileLocationCheckin platform? Today Facebook, yesterday, Foursquare.
The market wants what it wants. Capitalism never claimed to fund the most useful thing.
If you have root on a webserver, why do you need javascript to do the redirect?
Let's say you had root, to get a redirect in apache you'd need to:
* edit the config file, bounce the server as root, leaving a change in the config and a bounce record in the server log
or
* create a .htaccess file, possibly edit the config to respect the .htaccess file and the subsequent bounce as root, leaving possibly a new file on the filesystem that can be detected
or
* edit a javascript file that's likely to be around and edited anyway.
The latter is most likely to evade detection. Besides, no one said they had root.
From the comments on the announce page, since (almost) nobody will go over there.
The first site on compromise_1.txt seems to be running “Apache/2.2.26 (FreeBSD) DAV/2 mod_ssl/2.2.26 OpenSSL/0.9.8y”, which does not quite sound like it’d be running Linux at all. As others have already pointed out, I would not blame this on a Linux kernel bug yet.
So, it looks like the "old 2.6.x kernel releases" was really just a signal for "old nonupdated code".
BTW: for those who bitch about "well the 2.6 line was patched and maintained all the way to 2011" they do have a line where they imply the 2.6 kernels are early kernels, not the latter 2.6.20 whatever ones, but it's not a well written article and is easy to miss.
I've been lucky enough to go to Dayton for a tournament. It was so loud they disrupted our cheerleaders. Even during off times they were still so loud our cheerleaders couldn't hear the beat to do their routines.
They're freaking nuts about basketball. I wouldn't have necessarily picked them to win over Ohio State, but I'm not too shocked that they did.
So you bet against Michigan State? Good luck with that...
What's the rule of thumb again? No directional schools (Northeastern Illinois?) or schools with hyphens in them - hyphens indicating the non-primary campus of a University system. Oh, you're University of North Carolina hyphen Charlotte.
Though that rule arguably would break down with UCLA which is more or less a hyphen school yet won a slew of championships and is usually somewhat competitive. Also, USC, which is a directional school, but has had a run or two. Hmm, UNLV? All right, a lot of exceptions...
As an aside, I kind of like the idea of the bookie as the more or less opposite of crowdsourcing.
Crowdsourcing - take a bunch of guesses, amalgamate them together, you got a final answer.
Bookie guesses what the crowd will do, and comes up with an answer to that he thinks will split the crowd in roughly 50-50 (with eventual adjustments to keep them closer to 50-50).
I never submitted a bracket, partially because I didn't follow the schools this year, partially because I didn't want to get spammed by Quicken - you give a cell number voluntarily to them, now you have a "relationship" where they can call you.
Two random rants as a starting point for discussion.
1) I hate the "bigger than the group of 64" games. You can't even call them play-in games if you have two 11 seeds going at it - they don't need to "play" into the tournament as much as they'd push someone else out. There used to be some poetry in "63 teams lose their last game, one team goes 6-0 and wins the championship". The current "67 teams lose their last game, one team goes 6-0 and wins the championship, well unless they were a play-in school and they need to go 7-0" is a bit more unwieldy.
2) There's so much money generated by the games now, and the players get nothing. I'm not a lawyer, but I'm sure a player filling out a bracket would run afoul of NCAA rules and would have their eligibility threatened. And now there's talk of forcing players to play yet another year at college before going to the pros, delaying by another year when a player can get compensated for the skills that so many are willing to pay for. A good part of this is pressure from the NBA to get more mature players of predictable NBA skill level. I'm not sure that having millionaire/billionaire owners offload their uncertainty onto 18/19 year old freshman/sophomores is all that fair.
My counter to this is how many people say Government Is The Problem. How many times did Obama say that we need to cut coal, and then everyone in Appalachia, rich and poor alike, say "get your regulatin' hands out of here". The issues will continue until people have other choices besides lying in bed with a corporation that has shown it doesn't care about health.
My bigger issue is with the corporation who decided that profits here are more important than lives there. For everyone who jumps up in arms any time there's a shooter and says "those 3 people died because of music/videogames/sunspots", do they jump up 1000x as hard when a toxic spill kills 3000? The CEO is just as much a sociopath, caring not about lives, but bottom line.
People who say "corporations are people" should allow them to be categorized as mass murderers in certain cases, and they should be allowed to be put on death row.
A lot of the comments about the issue hitting Charleston, W.VA's water are pretty much this - rich white folks in Charleston are getting affected, not just poor (mostly white) folks. Some of these rich white folks in Charleston are lawyers with connections.
One podcast I listen to (forgot which one, can't properly attribute) had a couple families rent an apartment just outside of the affected area. They'd go, shower, get a bunch of tapwater in bottles, and rotate the other family in after a few days. Obviously a poor family can't do this.
I'm not really deep on Bitcoin, so this probably needs to be proofread....
Think of bitcoin as a ledger. Any time you get bitcoins (mining, giving bitcoins) the transaction goes in the ledger. "5000 BitC => wallet 0x748a53cb56" or whatever. There's fairly good crypto making sure it's a valid ledger ("mining" is actually you proving the crypto work to make it valid - you get paid in coins for validating the blockchain). There's no "unique file" per se. There's no single bitcoin.com/blockchain that everyone supports. You have a copy of it, and the crypto makes sure it's the same as everyone else's. (Interesting issue if the blockchain gets so big that it's too big for mobile/embedded devices.) There are some edge cases as far as timing (including the "transaction malleability" flaw) that mostly seem to be worked out, if you pay attention to Best Practices.
So, the ledger says you have 5000 BitC. When you put them in MtGox, you in effect hand this to the 'Bank'. They now have your BitC. Now, they do their thing - they made money on processing. Think like PayPal transaction charges more than any bank loans.
Now, something happens that takes away those bitcoins. Can be fraud, can be "transaction malleability" (but in this case, was unlikely to be that). Either way, their BitC stash is gone, meaning yours are gone too. Can you track them? Theoretically, since everyone can see the ledger. In theory I can track numbers or BitC moving in and out, but not "your" BitC.
So... you went from having 5000 BitC to "having nothing but trust" once you gave it to MtGox. You truly lost it once MtGox had its wallet emptied, either internally by fraud or externally by attacks, because at that point there's zero value in that trust - the coins are gone. In some ways, I don't know how anyone gave their money to an exchange. There's no guarantee they'd ever pay you, either in BitC or cash. The fact it worked as well as it did is a shock to me.
I know regulations can't solve everything. We're all human. We're fragile, stupid, and too easily bought. Regulators and regulation writers are all those.
But through all of this, I think of "the sign on the bar that says no backpacks on the bar".
Whenever you see a sign at a place that says "no something_or_other", it's probably from experience. For a while everyone had their backpacks on the bar. They took up space, and then people started knocking food on everyone else. At some point, we realized this "liberty" to have backpacks there sucks for everyone, and there was a sign.
So.. a "bank" that has no internal controls? Those internal controls are there for a reason. Sarbanes-Oxley? Maybe poorly written, but there for a reason. Glass-Steagall was there for a reason. Regulations on who can open accounts are there (usually) for a reason. People who say "aww the rules suck, we'll be much better off with no rules" get burned easily.
A form of this I like is "I have nothing to hide from people I trust". The NSA is way past the trust range now.
And just because I'm not doing anything illegal, doesn't mean I don't have things I don't want private. Medical things, pr0n habits (which the NSA does use against you). I don't want them with leverage they're not entitled to.
I forgot if it was the NSA or the CIA that investigated ex-gfs for no reason.
They don't just make it easy... they make it near impossible to not have one on the phone. Check youtube once, and the entire phone is a Google device. How'd hangouts get there?
And it will become the year of the Linux desktop.... And the Hurd will ship...
These are not trivial issues, especially when Google's roadmap for Android is mostly about competing with iOS at the high end.
Wasn't KitKat designed for a lighter footprint on smaller devices? They're not abandoning the low end. Also, computing history is littered with corpses of companies that tried to optimize for current hardware, but spent so much time/money that the hardware caught up to "bloated" software, and they were beat. Check out how this happened with WordPerfect, where they were so happy they used assembler, but lost to nimbler Microsoft. Having a business plan that depends on hardware not progressing much hasn't been too lucrative.
The writer needs to remember that the market changes rapidly. The iPhone as first introduced would hit this current market with a thud. Webapps on a 2G mobile browser? Yeah, not gonna sell.
Palm WebOS tried this already. Came from a company with some weight in hardware. Landed with a huge thud.
What about developers? This might be the toughest nut to crack.
Ya think?
There's going to be a massive chicken/egg problem here. I don't pretend to know apps in developing countries, but Facebook dropped 19Billion to buy network effects in developing countries. It's still a big thing.
And let's not forget Tizen, and Sailfish. The OS waters they want to plunge into are not even empty. Good luck. I like Firefox, but they have huge headwinds.
We had a source code leakage through email, so first they did for google/yahoo/hotmail. Then they expanded it to any social network site. Now it's on every https site.
The latter "every" site sucks. Every site gets cert errors, and parts of the site work or fail oddly.
In a nutshell, we're all screwed.
Wasn't this on Colbert?
"Who knew that a bunch of college kids would put things off until the last minute" or something to that effect.
Becomes The Internet of unpatched easily pwned things.
But did they have a choice in asking? What industry is there besides coal? Obama takes that away, you've got nothing.
The Hunger Games needed a bleak locale with people with no hope... Appalachia was chosen for a reason.
Ha, that's sweet. I should try that sometime. Single user mode in emacs.
This story is a replicant...
Reminds me of my favorite UNIX joke:
Emacs would be great operating system if someone just wrote a decent text editor for it.
It's spelled Expresso... Right on the side of my Dodge Neon