They aren't "possibly infected", they are "definitely vulnerable", as long as they use a kernel < 2.4.23, which are probably all of them. Mandrake has updated kernel packages, for others, you probably should build your own kernel or take your boxes offline until new packages are available (or make damn sure that no malicious user can get a local shell). I'd expect updates for most distros rather soon now, however. You decide.
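An added example, not part of the comment above: a small version check for the "kernel < 2.4.23" rule. The threshold comes from the post; the parser, the sample `uname -r` strings and the function names are my own. It treats `-preN`/`-rcN` kernels as older than the final release (2.4.23-pre5 predates 2.4.23) and ignores vendor suffixes such as `-10mdk`, which say nothing about the upstream base version.

```python
import platform
import re

# Added example (not the poster's code). The post says kernels older than
# 2.4.23 are affected; that release number is the only fact taken from it.
FIXED_IN = (2, 4, 23)

# major.minor.patch, optionally followed by -preN or -rcN; anything after
# that (vendor build tags like -10mdk or -1.2115.nptl) is ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(pre|rc)(\d+))?")


def parse_kernel_version(uname_r):
    """Turn a `uname -r` string into a tuple that compares correctly.

    Result is (major, minor, patch, stage, n): stage is 0 for a pre-release
    and 1 for a final release, so "2.4.23-pre5" sorts before "2.4.23".
    """
    m = _VER_RE.match(uname_r.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % uname_r)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):                      # -preN / -rcN
        return (major, minor, patch, 0, int(m.group(5)))
    return (major, minor, patch, 1, 0)


def is_vulnerable(uname_r, fixed_in=FIXED_IN):
    """True if the kernel predates the final release that carries the fix."""
    return parse_kernel_version(uname_r) < fixed_in + (1, 0)


if __name__ == "__main__":
    # Sample strings are constructed for illustration, not taken from real boxes.
    for v in ["2.4.22-10mdk", "2.4.23-pre5", "2.4.23", "2.4.24-rc1"]:
        print(v, "->", "vulnerable" if is_vulnerable(v) else "not by version")
    if platform.system() == "Linux":
        print("this box:", platform.release(), "->",
              "vulnerable" if is_vulnerable(platform.release()) else "not by version")
```

The obvious caveat: a version check only sees the upstream base. A distro kernel that backported the fix into 2.4.22-something will still be flagged, so treat the result as "needs a look", not as proof either way.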
And to the RedHat and SuSE security teams for helping them to track it down. In other words, hats off to the whole Free Software Community for collaborating when disaster strikes.
Most home users are running big SQL databases are they?
No, probably not. If we ignore all security problems that don't directly affect home users (why ever we would do that), web sites vulnerable to SQL injection attacks could only harm them by someone getting or manipulating personal data, ordering stuff in their name without being authorized...
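To make the "getting or manipulating personal data" point concrete, here is an added example (mine, not the poster's) of the two outcomes mentioned above against a constructed customer table in SQLite: a string-built query leaks every row, a string-built UPDATE rewrites every row, and the parameterized versions do neither. Table, rows and the attack string are all made up for the demonstration.

```python
import sqlite3

# Added example, not from the comment above. Schema and rows are constructed.
ATTACK = "nobody@example.com' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, address TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, address) VALUES (?, ?)",
        [("alice@example.com", "1 Main St"), ("bob@example.com", "2 Side Rd")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable: the user-supplied value becomes part of the SQL text, so a
    # quote in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT email, address FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Hardened: the value is bound as a parameter and can never be parsed as SQL.
    return conn.execute(
        "SELECT email, address FROM customers WHERE email = ?", (email,)
    ).fetchall()


def update_address_vulnerable(conn, email, new_address):
    # Same bug on the write path: an injected WHERE clause rewrites every customer.
    sql = ("UPDATE customers SET address = '" + new_address +
           "' WHERE email = '" + email + "'")
    conn.execute(sql)
    conn.commit()
    return conn.execute("SELECT count(*) FROM customers WHERE address = ?",
                        (new_address,)).fetchone()[0]


def update_address_safe(conn, email, new_address):
    conn.execute("UPDATE customers SET address = ? WHERE email = ?",
                 (new_address, email))
    conn.commit()
    return conn.execute("SELECT count(*) FROM customers WHERE address = ?",
                        (new_address,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("leaked:", lookup_vulnerable(db, ATTACK))        # both customers
    print("safe:  ", lookup_safe(db, ATTACK))              # nothing
    print("rows rewritten (vulnerable):", update_address_vulnerable(db, ATTACK, "attacker's drop"))
    print("rows rewritten (safe):      ", update_address_safe(make_db(), ATTACK, "attacker's drop"))
```

The same input is harmless through the parameterized functions because the driver sends it as data; nothing about the attack string is "filtered" and nothing needs to be.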
And if they're running SpamCop and using Mozilla, they're not going to have those scripting problems because they won't have pop-ups, now are they?
Right, because the most interesting thing you can do with XSS are pop-ups.
And they're not going to see that porn spam with the malware so they're not going to click it, now are they?
Spam and virus filters without false negatives are impossible. Not to mention that people who want to run something (that might later turn out to be a trojan horse) will find a way to. By turning off the security measures if needs be.
There is currently no system that would effectively prevent stupid user behaviour from causing harm to the user and to others. And even if there are ideas how to make systems better in that regard (which include saying bye-bye to the models employed by Windows and Unix), I really doubt that it will ever be possible.
If you think that a packet filter and some anti-spam tool will give you enough security, well, that's your problem. I guess that blackhats are a little more creative than you are, however.
(Simple example: Please explain how netfilter or spamcop would have prevented the recent Debian break-in. Oh, but that isn't only about home users, I guess.)
It's good to see something like this happening as ifconfig is not only used on FreeBSD but also on most (all?) Linux distros.
They all have an ifconfig (even windows has, but it's spelled ipconfig), but a different one. The GNU version takes different arguments anyway - like for example none at all, which the FreeBSD version doesn't allow - so this will most likely not affect any Linux user in any way.
To all those "BSD is dying" trolls, things like this show it's not. Without the work of the BSD projects you wouldn't have some of the many tools you use each day.
If the only sign of life of the BSDs were a refactoring of one little command-line utility that has been around for decades, I think calling it "dead" would be a good approximation. Fortunately it isn't. There are enough more interesting things going on in the BSD world.
In other words, this is really one of the most boring stories ever, even considering the "let's duplicate the daemonnews slashbox" policy /. recently adopted.
Yeah, IPTables and SpamCop work wonders against buffer overflows, SQL injections, people actively executing malware because they think it's porn, cryptographic weaknesses, cross-site scripting, weak passwords...
Especially for home-user boxes, packet filters are of pretty little use. Before you block services from being accessed via the big bad internet, why do they have to listen on a public interface in the first place?
Didn't somebody recently announce a new effort to port the Free version of Qt/X11 to Windows?
That might help even if the project won't get finished itself. Remember the Big Qt/KDE Licensing Flamewar? Seeing both Gnome and Project Harmony, a free Qt clone, being developed because many people considered the old QPL to be not acceptable for the base of a free desktop, Trolltech gave in and adopted the current dual licence scheme. With a free port to Windows, and other cross-platform toolkits being available (and getting more support, like Borland now using wxWindows after having used Qt for Kylix), they might reconsider not offering a free version for Windows themselves.
Or we can all just get along and use one of the other fine cross-platform toolkits.
A certification is no replacement for the problem solving skills that only experience can teach you
Obviously not, it is supposed to be an indication that you have these skills. Of course, a lot of existing certifications are not (but academic grades may be even worse in that regard), but you don't expect HR drones to test potential employees under real-world conditions, do you? They just cannot do that, they'd have to simulate things like your familiarity with the network, your frustration level after working there for a few months/years, the detailed nature of their systems, coping with office politics, recognizing problems if you don't know that there is something to fix (like there always is in an exam) etc.
At least the Novell thing seems to let you work on a real computer, like the RHCE exams and unlike many others. Could be worse, I say.
Most "real engineers" I work with and know personally seem to have spent more time learning about how they're better than everyone else than actually acquiring any skills.
When I think of the "real engineers" I work with and know personally, I know why it takes them that long.
Of course DNS data has a required format (the actual files used to configure it depend on the implementation, but not the data sent over the wire). And this format is extensible to transport arbitrary kinds of data, totally unthought of when the protocol was fixed. DNS already gets used for all kinds of funky things that haven't much to do with domain names.
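As an added illustration of the point that the wire format carries arbitrary data (my example, not the poster's): a minimal encoder and parser for a DNS response holding a TXT record, written from the wire format itself with no DNS library. TXT RDATA is just a sequence of length-prefixed byte strings, so anything fits, including bytes that are not text. The message, name and payload below are constructed; the parser also does the two checks a careless one tends to skip, a hop limit on compression pointers and a length check on each TXT string.

```python
import struct

# Added example; not from the comment above. Names, payloads and IDs are made up.
TYPE_TXT = 16
CLASS_IN = 1
MAX_POINTER_HOPS = 16


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, hops, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("pointer loop in name")
            if end is None:
                end = off + 2                    # resume here once done
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def encode_txt_rdata(strings):
    rdata = b""
    for s in strings:
        if len(s) > 255:
            raise ValueError("TXT string longer than 255 bytes")
        rdata += bytes([len(s)]) + s
    return rdata


def decode_txt_rdata(rdata):
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated TXT string")
        out.append(rdata[i:i + n])
        i += n
    return out


def build_txt_response(txid, name, strings, ttl=300):
    """One question, one TXT answer; the answer name is a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = encode_txt_rdata(strings)
    answer = (struct.pack("!H", 0xC00C) +
              struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + question + answer


def parse_txt_response(msg):
    """Return [(owner name, [txt strings])] for every TXT record in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDLENGTH runs past end of message")
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            records.append((name, decode_txt_rdata(rdata)))
    return records


if __name__ == "__main__":
    payload = [b"v=spf1 -all", b"\x00\x01\xff not text at all"]
    msg = build_txt_response(0x1234, "example.com", payload)
    print(msg.hex())
    print(parse_txt_response(msg))
```

The decoder never trusts a length field it has not checked against the remaining bytes; with real resolvers, exactly those two places (pointer handling and RDATA length) are where parsers have historically gone wrong.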
In addition to the mechanisms mentioned before like securelevels, jails and fs flags, FreeBSD 5 has the MAC framework from the TrustedBSD project that can do some funky stuff, similar to what LIDS or SELinux do (in fact, some MAC modules are derived from SELinux code). It's an extensible modular framework with default modules that implement the usual Mandatory Access Control policies, like being able to specify which processes may do what with which files etc. It is documented in the Handbook and on the TrustedBSD site. FBSD 5 also has extended filesystem ACLs (POSIX.1e style), like LIDS.
One thing still missing are full POSIX.1e capabilities, but they are being worked on.
Well, the manufacturers of palm/retina scanners generally do include a feature that detects if the body part being scanned has a pulse. So you can't fool these scanners just by cutting off someone's hand or ripping out their eyeball.
Tests regularly show that you can fool a lot of fingerprint scanners with an image of the fingerprint on translucent foil, and face recognition systems by holding a black-and-white photograph in front of the camera. Biometric access control is a cool idea with lots of geek appeal - just wait a few more decades until it actually works. Or at least make damn sure that the system you plan to buy isn't snake oil.
Doesn't sound like much of a problem to you? Could you possibly be any more self-centered? It doesn't matter one damn bit whether or not you think it's a problem or not, dammit! It matters that somewhere, somebody may think it's a genuine problem for them,
That somebody can always fix it, we are talking about open source after all. Oh, they can't? Too bad, then he will probably have to pay someone to do that work, like RedHat, Apple or Microsoft for example. Or politely tell the OS developers what he thinks could be improved, but he certainly cannot demand anything from them.
OS developers owe this somebody nothing, and they don't owe you anything and do not have to follow your "Microsoft must die" agenda. Have you ever considered that maybe some people really do not care about Linux overtaking Microsoft on the desktop? There are already plenty of OSes for Joe Sixpack, what's wrong with having some for hackers too? And perhaps, just perhaps, the requirements for an average-user-friendly OS and a hacker OS simply don't go well together - so what? Maybe Linux will never get "ready for the desktop", but most likely Windows will never get ready for the tinkerer's home LAN either.
You criticized your parent poster for being arrogant. Let me criticize you for wanting to force your political agenda on people who have better things to do with their life.
Given the zealotry of some OpenBSD users, I'm sure it wouldn't be hard to find someone claiming that a blowfish-encrypted passwd database prevents that, or something. Maybe even one who actually believes this. There have been more stupid claims made about OpenBSD's security.
Personally I don't care about SQL compliance (as long as it's not wildly different)
unfortunately, it isn't merely an academic issue: it means that applications and skills can't be easily ported.
You imply that the target you port to is SQL compliant as well;-)
But seriously, you are right of course. You shouldn't call something with such a weak support for SQL "MySQL", except when it is to be interpreted as "definitely not your SQL". Just as you shouldn't call it a database management system when the only justification is that most of the common features associated with this term are scheduled for experimental implementation in the next couple of years.
Off topic rant: It is not called "Postgre". If you really cannot afford to type its full name, it is "Postgres", as it was called before it got SQL support (with "Postgres95" as a short intermezzo, which proved to be a silly name around 1996), a name chosen because it is a successor of INGRES.
No, the problem is that it looks easy, but doesn't actually make the core problem any easier, namely designing database applications (which is much harder than implementing them). This leads to incompetent people using them without really having a clue about what they are doing, which in turn will at some point result in a huge mess. The same problem exists with many computer-related things, simply because there are usually more incompetent people for a given problem, so the market for oh-shiny tools is bigger.
In the case of people who think that, just because Windows and Outlook look really simple to use at first sight, they are qualified to operate a computer connected to public networks, this results in billions in damages every year.
Because size is not the only reason for the dynamic /bin. One big reason was better support for dynamically loadable PAM/nsswitch modules in the base utilities - so there is a good reason to have multiple versions of some binaries, one that always works and one that can do more fancy stuff.
But I don't understand this myself. /sbin means "static /bin" and it's that way for recovery purposes.
Wrong. man 7 hier:
/sbin/
system programs and administration utilities fundamental to both single-user and multi-user environments
Think "system administration", not "static". After all, /bin was static too, so the distinction doesn't make much sense (and I think /sbin has been part of Unix since earlier than dynamic linking anyway)
Even with having statically linked versions of the tools needed for system repair in /rescue, the whole stuff still takes up less space than before. So you really get the best of both worlds: The base system is smaller, more flexible and potentially even faster (has anybody measured it yet?), but static binaries are still around when you hosed your linker or libs.
I'm still somewhat surprised that this got committed now, shouldn't 5.2 be released Really Soon Now? This looks like something that ought to be tested in -CURRENT for a good while.
The plural of "radius" is "radii", for example. However, this hasn't much to do with "virus" (it would if it were "virius" and actually had a plural form at all). But the point is that Latin doesn't matter that much anyway, because we don't speak Latin here - we just borrow some words, rather liberally.
I'm not sure what your problem with Hexadecimal is, meaning a Base 16 number system, so I'm going to ignore that.
Pity. Given that the argument against "virii" usually is that it isn't correct Latin (which nobody claimed anyway), it's rather funny that people claiming that don't have any problem with a crude mixture of Greek and Latin like "hexadecimal" (or even "automobile", which should either be an "ipsomobile" or an "autokines"). This isn't a valid word in any language other than English (and the languages that adopted it from English) either.
Sure, "virii" is not the correct Latin plural of the Latin word "virus". In fact, the Latin "virus" is a mass noun anyway and simply has no plural form, so even "viruses" would be strange if you cared about the Latin roots that much. But we deal with an English word and an English plural form of it, no matter its etymological roots. Sure, "virii" is not that usual an English plural, but it's not the only word with a strange plural either (what kind of rule does "penny"-"pence" follow? Or "mouse"-"mice"?)
Note well, I fully agree that "virii" is a pretty stupid and needlessly unusual word, and certainly a slang word most often used at least half-jokingly, like "boxen". But it is still a word. Linguistics is an empirical science.
Of course it is a word, what else should it be? You just used it in a normal sentence. You may not like this one, but it is as much a word as "blog", "burger" or "hexadecimal", and not even that much more stupid than they are.
It doesn't seem any deader than usual to me.
I would, but it will cost you most-positive-fixnum dollars. But at least if you fail, you can still get a good job as a garbage collector.
Bloat and complete lack of usability? I thought we had viper-mode for that.
See also A Brief History of PostgreSQL