There has been much FUD, but not really much technical detail in the most common sites. First, this news is inflammatory behind retardation, as it does not make clear that the 2nd patch was officially out by last Thursday or Friday for Debian at least. But then, let's not get the truth in the way of a "news" article, oh noes.
As for ways of getting "exploited" they are rather limited. You have to have CGI bash scripts installed on your apache, and CGI enabled, which in more modern distros are few and far between. So this will mostly affect old servers. The ways in which this works for other services are not clear. Also, it only allows exploitation as the same user running the service. I doubt a lot it will allow escalation with setuid scripts, because, as far as I remember, bash has not allowed for decades marking scripts as setuid due to security problems.
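The comment above describes the CGI path: a bash CGI script under Apache picks up request headers as environment variables, and a malformed function definition in those headers is what the bug acts on. An added example (my own code, not the commenter's) of the defensive side: scanning Apache combined-format access logs for the `() {` function-definition prefix in the request line, Referer or User-Agent, and noting whether the request targeted `/cgi-bin/`. The log lines are constructed for the example; the regexes and field names are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Union

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The bash function-definition prefix "() {" (optional whitespace) that the
# environment-variable parsing bug keys on. Any HTTP field carrying it is
# suspicious, whatever follows it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines (not real traffic): one hit in the User-Agent,
# one benign request, one hit in the Referer against a CGI path.
SAMPLE_LOG = (
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 512 "-" "() { :;}; echo probe"\n'
    '198.51.100.7 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"\n'
    '192.0.2.9 - - [25/Sep/2014:10:13:11 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" '
    '500 0 "() { :;}; echo probe" "curl/7.30"\n'
)


@dataclass
class Finding:
    ip: str
    ts: str
    field: str        # which HTTP field carried the pattern
    request: str
    status: str
    hits_cgi: bool    # did the request path start with /cgi-bin/ ?


def scan_log(log: Union[str, Iterable[str]]) -> List[Finding]:
    """Return one Finding per log line whose request, Referer or
    User-Agent contains the Shellshock function-definition prefix."""
    lines = log.splitlines() if isinstance(log, str) else log
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line; a real tool would count these
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                path = m.group("request").split(" ")[1] if " " in m.group("request") else ""
                findings.append(Finding(
                    ip=m.group("ip"), ts=m.group("ts"), field=field,
                    request=m.group("request"), status=m.group("status"),
                    hits_cgi=path.startswith("/cgi-bin/"),
                ))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "CGI" if f.hits_cgi else "   "
        print(f"{flag} {f.ip:15} {f.field:8} {f.status} {f.request}")
```

A 500 on a `/cgi-bin/` request that carries the pattern is worth a closer look, since a bash CGI that choked on the injected definition will often fail that way; a 200 on a static path with the same pattern is usually just a scanner probing every host it can find.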
Their rights end where ours start, and there have already been here 20 documented cases of "Ebola" scare, which fortunately weren't. But we are asking for it. P.S. I don't care whether the carriers are university educated or not.
I would be far more worried about this kind of industry cheating people/workers out of job security with fake consulting/(sub)contracting roles for years to circumvent labor laws than with backup systems. When you fuck with people and they have got nothing to lose, shit like this is bound to happen.
Corporate doublespeak and half truths. So it means they were cheating the poor sod out of security on the job, and probably means, I suppose, they have got "permanent"/consultant contractors, which is to say, quite smart for a job of this importance. We also have got this scam running here, and people hate it. Mostly used by the call centre, cleaning crew, IT people, and nurse industry to screw them over.
It got nothing of sad. I lived in Africa for almost a decade, and I do not enjoy political correctness ad nauseam. Donations, whether in the 1st or the 3rd world, are an entire industry of their own.
I have several approaches to this problem. I don't do Windows, and also try to get my extended family not to use it. My father used OS/X and now an iPad, my wife Linux, and me a mix of OS/X, Linux and FreeBSD. Also, my department, due mainly to my influence, is also using Mac. That helps. I also have adblock, disconnected 2, social fixer, Ghostery, clickToflash and some plug-in that blocks animated images. I also routinely inspect and delete plug-ins installed either by OS or software updates. I also use a hosts file with known advert addresses and some I put there that gave me problems (fake AV adverts, betting pages that open out of nowhere for instance). And I also block out google adverts with BIND response policy zones.
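The two blocking layers named above, a hosts file and a BIND response policy zone, can be fed from the same list. An added example (my own code, not the commenter's) that turns hosts-file entries pointing at `0.0.0.0` or `127.0.0.1` into an RPZ zone file, where a `CNAME .` record makes BIND answer NXDOMAIN for the name and a `*.name` wildcard covers its subdomains. The hosts entries and the zone name `rpz.local` are constructed for the example; the `named.conf` lines in the comment are the standard `response-policy` syntax.

```python
from typing import List, Set

# Names that appear in every hosts file and must never be turned into RPZ triggers.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
# Only entries that sink a name to a null address are treated as a blocklist.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}

# Constructed sample hosts file (not the commenter's list).
SAMPLE_HOSTS = """\
# blocklist maintained by hand
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example
0.0.0.0     fake-av.example   # fake antivirus popup
127.0.0.1   betting-popup.example tracker.example
10.0.0.5    intranet.example   # real host, must not be blocked
"""


def parse_hosts(text: str) -> Set[str]:
    """Return the set of names a hosts file sinks to a null address."""
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *hosts = line.split()
        if addr not in SINK_ADDRS:
            continue
        names.update(h.lower().rstrip(".") for h in hosts if h.lower() not in LOCAL_NAMES)
    return names


def hosts_to_rpz(text: str, zone: str = "rpz.local", serial: int = 1) -> str:
    """Render an RPZ zone file. Trigger names are relative to the zone
    origin, so 'ads.example' becomes ads.example.rpz.local. inside BIND."""
    lines: List[str] = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
        "",
    ]
    for name in sorted(parse_hosts(text)):
        lines.append(f"{name} CNAME .")      # NXDOMAIN for the name itself
        lines.append(f"*.{name} CNAME .")    # and for anything below it
    return "\n".join(lines) + "\n"


# To load the result, named.conf needs (paths are placeholders):
#   options { response-policy { zone "rpz.local"; }; };
#   zone "rpz.local" { type master; file "/etc/bind/db.rpz.local"; };

if __name__ == "__main__":
    print(hosts_to_rpz(SAMPLE_HOSTS), end="")
```

Bump the SOA serial whenever the list changes, otherwise BIND keeps serving the old zone after a reload; and keep a non-sinking entry such as the `10.0.0.5` line in the sample, since a converter that blindly copied every hostname would turn the resolver into a denial of service against your own hosts.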
Apple swears the iCloud fiasco was due to a long running phishing campaign and not the iCloud bug. Maybe it is true, I do remember last year receiving weeks in a row in my gmail account phishing stating my "Apple account was to be cancelled, and I need to...". The emails really appeared to be the real thing except for the headers. My own family called me to ask if such emails were legit; so I would not be surprised non-technical people and not that smart people have fallen for such schemes. This, coupled with the fact there is no need to access iCloud once you have got the password...you don't even need special software or "law enforcement" software, you just go to icloud.com, and watch the iCloud photo stream. Which comes activated by default with every iPhone, and is a pain in the ass, because once you are in whatever kind of wifi after taking photos, it starts to synchronise. In many parts of the world on holidays with limited wifi it will kill your ability to use the wifi until all the photos are in sync. And about deleted photos appearing, I bet many deleted them locally on the iPhone, but forgot to delete them in iCloud. So no hi-tech there, just people being dumb people, as usual.
I have an (already) legacy systemd Suse server here which I am not particularly fond of, and it is one of the last ones that I still have to convert to Debian. Also I never talked about having a graphical interface, do not put words where they are not, but about dependency hell, which goes completely against my way of working.
One would assume someone supposedly seasoned in Linux administration would be smart enough to not install a desktop configuration with all the corresponding shit, 20GB of it, on a server, I agree. And to know the difference between a kernel compiled for desktop or for server, I agree. And iptables rules for desktop or for server. And trimming down booted services. And doing periodical updates. Need I say more?
You are construing it as a political statement, not me; I do not care about politics, nor do they concern me at all, so the political part is your problem. I am concerned about the more practical side which is to administer the servers under my responsibility *without* using systemd altogether - I do not use graphical interfaces, but it appears that after Jessie, there won't be alternatives. I have already used most of the flavours of Unix you can think of in the past in other jobs, and OpenBSD and FreeBSD in the past, and if it comes to that I will be prepared to do whatever it takes to not be affected by braindead decisions. So in the meanwhile, I will be testing FreeBSD for the next year.
Excuse me for still keeping up the thread...In Debian I have paravirtualization support for the disk I/O, and with (open) vmware tools, for the network card and memory ballooning ( and I am not very fond of the vmware tools, open or not ). How is the paravirtualization support for FreeBSD in vmware? I have heard there is some news on that front, at least in 10.1, but I have still to investigate it more.
About Bhyve I have been looking at it, and it is not mature enough in 10.0. And then compared to a solution like VMware, you have the problem of I/O contention and memory ballooning; which is why I would go with jails in FreeBSD for the time being.
I second this. I already knew it, but recently had to set up some sharing at the last minute in a very controlled network. Went with FUSE, and man, saying FUSE is slow is an understatement. But then, it works in user land, and it does not help going back and forth between user land and kernel land.
No need to "sensitive" gnome developers. People mod mostly by their opinion and not by the merit or contribution for the discussion. However it does help not to write one-liners, those are the first to be modded down.
To elaborate more on this. I have known several experienced administrators and organisations that roll out their own distros. I am not feeling like going there, however one possibility is using my own local signed Debian repository to override the few packages that would force me to go with systemd. After all, my server setups are very light and I am not into graphical interfaces, so the effort should be light, and more cost-effective than rolling my own distro. Nevertheless, I am planning on setting up Slackware and FreeBSD servers for testing. I have been looking at very hot and new technologies in Linux that enable sysadmin at large scale, and I am not entirely comfortable with leaving it all behind.
An African country not having a problem with corruption, badly employed money and making out-of-proportion claims for foreign aid as an effective cashing-in industry? Must be the joke of the year.
Rather interesting accounting. As for our side, I have worked decades in Linux. We (I) have invested a lot at work, customising and optimizations for vmware/Cloud, automation/ansible, and already testing Docker. Nevertheless, I touched almost every Unix flavour under the sun in several places, and came from the BSD world. Also did some development for a cable operation. And I agree with you, it is frustrating.
Africa has far more resources than anybody else. The problem is there is no education, infrastructure, nor industry to speak of, nor willingness to work to profit from those resources. There is no wonder why bananas are their main staple or why papayas are so easily found in the market stalls, it is because they do not need to be cared for or tended.
Or so you say. Many researchers haven't to this day reached a conclusion on what really made the 2nd wave of Yersinia pestis so lethal, but there are theories it combined with some other disease that was airborne, like tuberculosis. Thinking that the already fragile infrastructures of those countries are already disintegrating and all sorts of diseases will have an easier foothold...
Thanks for saving me the time.
Mageia seems to be strong in the francophone world.
They might have a shot at it if they stay out of systemd. I am considering leaving Debian.
Nature copyrighted, such a vanguard concept. And do not talk about it, forest guards family have to eat. (note to idiots, this is sarcasm)
Yeah, you do have to configure VM by VM the paravirtualized disk controller, and vmxnet(3). Thank you a lot for the interesting discussion.
Problem is that systemd has become tied to too many things. It can be done, but it can become a lot of work.