Slashdot Mirror


User: Craig+Davison

Craig+Davison's activity in the archive.

Stories: 0
Comments: 676

Comments · 676

  1. Not setuid root on Red Hat Nullifies Differences Between Bash, Csh · · Score: 1

    Having a setuid root shell somewhere on the box that is executable by the user would be just insane.

    login already runs as root. It executes your shell by forking, dropping privs (seteuid) and exec'ing. The sensible thing for it to do would be fork and exec /bin/sh (not dropping privs, so it would run as root) if the user shell child process returned nonzero.

    Assuming that your story is true, that is...

  2. Re:Correction/addition to my above post on Windows Longhorn Screenshots Available Online · · Score: 2

    It all looks "real" to me except for that sidebar thing. It doesn't look like the rest of the UI at all. It doesn't even seem like something Microsoft would put in their UI. Look at the bizarre fonts that don't appear anywhere else on the screen. Note how the text doesn't line up in the 5th screenshot (caption: "Avalon is the codename for the Longhorn API...")

    Also, the version of Longhorn may well be 6.0, but why? I would expect 5.2 (win2k was 5.0, winxp was 5.1), unless they've made some huge changes.

  3. Re:OpenBSD is crap, heres why - vermillion on OpenBSD 3.2 Readies For Release, pf Matures · · Score: 1

    There were bugs in Apache, SSH, sendmail, BIND, etc. that you were vulnerable to regardless of what UNIX you were running. The apache chunked-encoding bug, in particular, had a working Free/OpenBSD exploit before any other OS.
    I think you "not being rooted" had more to do with you being a competent admin (whatever that means - keeping shit up-to-date and turning unneeded services off? configuring untrusted services to only run on trusted interfaces?) than FreeBSD being secure.

  4. Re:will be expensive on Intel Pushes Pentium 4 Past 3 GHz · · Score: 1
    For someone so pedantic lately, you sure do have a grammatically awkward sig:
    I have won the essay writing competition, of that there is NO doubt - Alan Gordon Partridge

    You mean: I have won the essay writing competition. Of that, there is NO doubt. - Alan Gordon Partridge. Your sig is a comma-splice.

    Plus, what kind of douchebag quotes himself?

  5. Re:Ease of use on The Very Verbose Debian 3.0 Installation Walkthrough · · Score: 1
    Security through obscurity? That's a bad idea considering that UNIXes released ten years ago:
    • Will have all the sendmail bugs
    • Will probably have a few telnetd bugs
    • Will be using a libc with bugs that have long since been fixed in more recent UNIXes

    Not to mention you'll probably want to be using OpenSSH to use the thing, and OpenSSH definitely needs to be kept bleeding-edge to be secure.

    Anyway, you have more than "script kiddies" to worry about nowadays. There are worms out there (on the UNIX side, these exploit Apache, OpenSSL, telnetd and OpenSSH to name a few). Also, don't underestimate the average hacker. One of them might be testing their newly-developed exploit on your box.

  6. Re:Ease of use on The Very Verbose Debian 3.0 Installation Walkthrough · · Score: 2
    The packages are seldom up-to-date. This is also a feature, since the stability is rock-solid. My system hasn't been hacked a single time since I switched from RedHat to Debian.

    I bet that has nothing to do with your packages not being up-to-date. Old "known good" packages tend to have less bugs and predictable functionality, but are saddled with security issues. In fact, as far as security is concerned, the bleeding edge is almost always better.

    A compromise between stability and security is of course releasing patched versions of older, reliable versions of software. This is why RedHat is still at OpenSSL 0.9.6b. They just keep increasing the patchlevel.

  7. Re:The "Dot" on Flash Version of Adventure · · Score: 2

    There appears to be another "microdot" in this flash version in the blue maze that's the same grey colour as the maze floor (so it's invisible). I don't think you can pick it up though. You can go "underneath" it from the top or the bottom, but it stops your character if you go from the left or the right.
    A modern easter egg added by the developer?

  8. Re:What? No newline? on XML 1.1 Spec Hits Some Snags · · Score: 0
    Before XHTML, the p tag had no closing tag. The end of a paragraph was defined by the beginning of the next one. So that wasn't necessarily a "bad habit" back then.

    </p> was still allowed, but all it did was start a new paragraph. Hence, <p>hello</p>there<p>slashdot</p>
    Would have displayed as 3 paragraphs. BTW I don't know what slashcode put that last ; in there.

  9. Re:The gist... on New RedHat Kernel Patch Illegal to Explain to U.S. Users · · Score: 2

    I think the problem is exploitable if you're logged in as a local user, which could be through some kind of remote access such as ssh, telnet, or your favourite httpd bug that yields local user access (but not root).
    This is not equivalent to the "three-finger salute". If you were physically at the box, you could just kick it or unplug it if you wanted.

  10. Re:Sound familiar? on New RedHat Kernel Patch Illegal to Explain to U.S. Users · · Score: 4, Insightful

    Actually, US soldiers have a fairly good reputation in this area. Most of the GIs behave more or less as they would at home
    So then we have nothing to fear from an international court.

    If the Army sends you overseas and you rape a local girl, you're going to wish you had brought her home and done it where the US civilian courts could punish you.
    There's something about a court run by the army trying the army itself that doesn't sit quite right. Think about it from an outsider perspective. Wars play out internationally, so an international body is required when someone commits a war crime.

  11. 2 quarters thick on 15" OLED Display Prototype · · Score: 2, Informative

    Somewhat OT, but are quarters really 0.7 mm thick, i.e. 36 to an inch? I don't think so. You'd be lucky to fit 15 if memory serves.
    (I don't have any American change other than pennies handy so I can't check)
    According to this, US quarters are pretty thick, at 1.75 mm:
    http://mathforum.org/elempow/solutions/solution.ehtml?puzzle=103
    Sloppy reporting.

  12. Re:Need? on Apple Is Buyer of New 64-Bit IBM Chips · · Score: 1

    Meanwhile Apple came out with the Mac+. Compaq's 386 came out in 1985. It really was a faster machine.

  13. Re:you're rather clueless on A Digital Certificate For Every Canadian · · Score: 1

    That was a problem in the small city of Windsor, Ontario. It really has nothing to do with the Canadian health care system.

  14. Re:You don't say.... on GameToo Much...... And Die! · · Score: 1

    You're mostly right, but most Americans don't get 4 weeks of vacation a year - more like 2.

  15. Re:wrong on Console Image Quality Guide · · Score: 1

    No, he had standard composite, monster composite, standard s-video, monster s-video. The only difference between the s-video and monster s-video seemed to be in the zoom-in, and that looked suspiciously like comb filtering to me, not noise as was claimed in the article.

  16. Re:So... on Mozilla Jumps on 'Lean Browser' Bandwagon · · Score: 1
    Here's my best guess at a map:
    (warning, long link)

    here

  17. Re:So... on Mozilla Jumps on 'Lean Browser' Bandwagon · · Score: 1

    The first section could be the Cabrillo Hwy (California 1). It's probably not one continuous road, but the path someone took from maybe Sunnyvale to Phoenix. Just a guess.

  18. Re:Question about the "64" on Interview With Atari Jaguar creator John Mathieson · · Score: 1

    How about the logic of the game itself? I'm pretty sure that would have been run on the 68k.
    Was it a 68000? That's a 16-bit chip. I'm sure even 68020s (32 bit) were cheap back then.

  19. Re:Wireless nodes.. on Toronto, The Naked City · · Score: 1

    At 5th Avenue Place (formerly Esso Plaza) in Calgary, there's two Second Cups. One's on the ground floor and the other on the second, and you can see both if you stand in a certain spot on the ground floor.

  20. Re:Ok ... How do you upload stuff onto it? on Old PowerBook + Hot Glue = Cheap Digital Picture Frame · · Score: 1

    Don't forget TokenTalk
    (lots of Talk)

  21. Lame Calgary Sun article on Worldwide WarDrive Aftermath · · Score: 1

    Slightly OT, but this made me laugh:

    http://www.calgarywireless.net/images/content/chalkwalk.jpg

    They act like it's a crime against humanity, perpetrated with a "secret" $150 device purchased over the internet (a wireless card, maybe?)

  22. Of course they are on Many Hackers Too Fat For The FBI · · Score: 1

    I'm sure they would want to stay where their interest is anyway, which is in security, not physically apprehending people.

    Anyway, that's what outside contractor jobs are for. Plus the money is sweet.

  23. Re:Algebra is taught wrong. on Algebra As A Gateway Subject · · Score: 1

    How can you be sure you only like cars or sports if you've never been exposed to anything else? I know people who are successful now that were only into smoking pot in high school. Never mind that they didn't enjoy what they were learning at that point, they weren't capable of deciding what they *did* enjoy.

  24. Re:Bad idea! on Sysadmin Day. Yay. · · Score: 1

    Obviously you're not a sysadmin then (unless you work for a tiny company). You're a desktop support person.
    And besides, statements like "That's because nearly everyone we deal with ARE clueless children" are 90% attitude and based 10% in reality. Ever seen "Nick Burns, your Computer Guy" on SNL?

  25. Re:Uh... on Linux Beer Hike Goes to Ireland · · Score: 1
    Remember kids, sarcasm is lame:
    http://www.seanbaby.com/stupid/sarcasm.htm

    It's been shown that sarcasm is not actually funny.