It's not as bad as I thought reading the banner - you need global administrator rights to perform the exploit. Most hosting servers will be pretty well protected - I certainly think I am.
But there is no point tempting fate, and it's a good excuse to update anyway. :)
Bugs fixed:
* Fixed buffer overflow in SET PASSWORD which could potentially be exploited by MySQL users with root privileges to execute random code or to gain shell access (thanks to Jedi/Sector One for spotting and reporting this one).
Unfortunately, it seems that release 3.23.58 is "to be released soon". So people with older installations will have to be extra careful until an update is released.
"The first meeting of the 'academic council' of the newly-launched World Nuclear University (WNU) was held in the UK last week. The mission of the WNU is to strengthen the international community of people and institutions to guide and further develop petroleum power and many other petroleum applications (in agriculture, medicine, environmental protection). As workers in the petroleum industry are aging, organisations have started Young Generation Networks such as the YGN of the British Petroleum Energy Society. The WNU is a further recognition that the petroleum industry needs to educate a new generation of workers, so that petroleum power can continue to provide electricity without the production of radioactive waste."
Yes it would (at least I think so, the wording was a bit vague).
Australia has a grand tradition of the big stick that is used with "discretion".
As an example - in the state of Queensland it is currently an offense to possess and/or distribute information pertaining to the production or consumption of drugs. This applies across the board - consider the following text.
Production:
Plant cannabis seed.
Add water, sun, and compost.
Harvest.
Consumption:
Eat, smoke, make a tea, rub it in your armpits, etc.
Technically, merely by having this in your internet cache, in Queensland, you could face fines up to AU$50k and/or 2 years in gaol (jail for our American friends).
The standard response from the government when asked to justify these seemingly draconian laws is: "Well, they would only be used in appropriate circumstances".
It makes you think... who decides what's appropriate??
"So practically speaking, we don't have to worry about ultra-sophisticated attacks. The vast majority of script kiddies lack the needed intelligence."
I remember feeling like this. Safe and secure behind my impenetrable shield of carefully tweaked and tuned software and hardware firewalls/NAT routers which was continually monitored and kept up to date. Sure in the knowledge that the only incidents I would have to deal with would be caused by office staff installing the "latest aquarium screensaver" and easily contained with judicious blocking of outbound ports (ie. SMTP).
Then one day you are trying out the latest tcpdump frontend and sniff a few packets off the wire at random...
You zoom in on a few ICMP replies you captured, check out the frontend's rendering of the packet header and data, and... hey! WTF?
Fscking command line fragments embedded in unused parts of the packets! Ping is disallowed mind, these are port unavailable, throttle back etc. style ICMP packets from seemingly valid hosts.
Cut a long story short, we eventually found a trojan on one of the windows machines that would request a series of web pages in order to open the firewall to the return ICMP packets. Whacky.
I assume any and all machines may be compromised at any time now. I keep my own disguised process reporting binaries on all important machines. I basically live paranoid, but that doesn't mean I'm wrong. :)
Scuse the waxing lyrical, and meandering from 2nd to 1st person with casual aplomb. It's late here...
And latex based molds superglued to the end of your thumb?
I think you will find it is rather difficult to detect without a knife... and customers get a bit grumpy over that...
Nonetheless, it was the principle of how easy it is for the invariant data used in biometrics to be compromised that was the point of that sentence.
An analogy in standard crypto would be the having to select a password that will be the password for the rest of your life. If it is ever compromised, then tough.
My overall points are: No money is saved. No security is gained.
I can't imagine being a CTO and trying to justify this "upgrade" to the bean-counters...
I don't profess to be a security expert, but I am fairly well versed on the subject.
I have long held the belief that biometrics (biological measures) are useless as an authentication method unless a challenge-response mechanism is integrated into the design.
"The teller takes the thumbprint scanner out of a locked drawer (where it's been stored precisely to limit the amount of access people can have to it, and thus, their opportunities for malfeasance with it) and sets it out in front of you."
The last research I read on thumb scanners, a group from an Israeli educational institute had gotten 95% success rates (on authentication, not identification) using casts made from wax prints of thumbs. In case that wasn't scary enough, they got the same results after using acetylene to enhance prints on a glass, then wax again to create the casts.
To put it another way: Anyone who can get a copy of your thumbprint can impersonate you at your bank (well, at least 19 out of 20 times).
If the bank was using a biometrics system that output a signal and received a related response from the actual user, it would be able to have a higher confidence in the authentication. It is this invariance in your thumbprint (as noted by the first poster) that is the weak link in this chain - this of course applies equally well to voice, retina, facial recognition, and in many ways especially DNA.
The example I gave in discussions on the UK "mouse signature" article was that the system could ask the user to sign/replicate a particular glyph or glyphs instead of an invariant "signature".
Of course research would be required to determine a time invariant, and repeatably measurable feedback mechanism that has the required properties - but that is what professional security geeks are for...
"If there's any lesson from this experience, it is not to use software developed in China or hire Chinese computer programmers, because you're running the risk of having the software you use implanted with the Trojan-horse program,"
Go on - don't be a wuss. You can take on more multi-billion dollar companies at once from flimsy legal ground can't you?
Speaking of which, have any SCO investors out there considered the consequences for their stock if SCO is thrown out of court? Does the US legal system allow recovery of legal expenses in this case? And of course there is the counter-suits. If it were my stock I would be dumping it now (let the single scamming backroom dealing investment company hold the risk).
"...EVERY computer-connected biometric ID system is potentially susceptable to interception/replay of the biometric key signal."
Well, a Challenge-Response mechanism that uses some sort of biometric feedback mechanism would seem to be the standard crypto authentication approach to this problem.
For example: use a subset of the bio-key to sign a packet, returned packet counter-signed by the authenticating service including a challenge mechanism (i.e. pseudo-random light fluctuations to the emitter in a retinal scanner, measure and return eye muscle contraction patterns). This concept could possibly be implemented in the current system of 'mouse signatures' by the authenticator specifying a glyph or pattern for the user to input, rather than a (relatively) invariant pattern.
This does not exclude the possibility of compromise (even a 'statistically perfect' crypto algorithm can be extremely poorly implemented) but it would raise the bar - both in terms of complexity and time dependency.
The only perfect cryptographic solution is to not record anything, anytime, anywhere, ever...
Hrm, so NASA is now focussing on designs that are "simple, flexible, durable, dependable and relatively cheap."
Perhaps they should have thought of that back in the 70's when the original Space Missile (er shuttle) was designed. (Designed top-down, but that is a whinge for another day).
Now I am a bit of a fan of the quicksave concept (as other readers have noted, kids change your gaming criteria) but I have to register my objections to the autosave design.
After playing 9/10 of the way through a particularly long and torturous Halo level, I ended up in a Warthog, sliding sideways off a cliff, exactly when the final monster was killed (triggering the autosave).
This gave me the joy, delight and reward of a hundred or so attempts leaping from the falling warthog and just failing to make it to the top of the cliff.
If developers insist upon disempowering the users, they should at least try to ensure the users are not completely sabotaged.
Personally I have always found that over-use of a quicksave function makes it relatively easy for game designers to create "gotchas" that force users to restart a level (used all ammo, didn't flick the switch, whatever) - so I don't believe it is the game destroying function that others propose.
Personally, running around in the scrub near where I grew up helped develop my hearing discrimination (this article seems to be related to auditory discrimination and not basic audio levels).
If you couldn't hear the dog disappearing into the bush ahead of you, the slithering of a snake on the left, and keep a bearing on the bellowing livestock you were fscked!
I feel this is more of a function of the cotton-wool swaddled worlds our children grow up in. We are overprotective by default, treated as social pariahs by other parents for not being over-protective, and you end up with a child who is ill-prepared for the modern world and the mental alertness and acuity required to survive in it.
That said - this does sound like an exemplary way to help "children with language problems". But let's not extrapolate too far, I don't believe this will substantially help an already active and alert child to rapidly develop their auditory acuity. Sure it will help, but so would learning an instrument (timbre, tone, timing, repetition, pattern recognition - try and write a program with the flexibility of a recorder).
I don't have a PlayStation but she has finished the Italian Job on PC (shame about the new movie - the shorts looked atrocious). Didn't know it was made by the same ppl as carma...
All fixed. Get your 4.0.15 here.
Now I just need to build an RPG frontend for stockmarket investment... I think I'm joking... :)
There has been a distinct lack of retro combat flight sims which, IMHO, are a lot more fun to play.
There is nothing more tedious than never seing anything more than blips on a radar, green boxes on a HUD, and the odd flyspeck...
Hehe... it'll happen...
Does anyone remember the PROMIS debacle?
Far from outrageous, I think this should be a basic principle for all national security/mission critical projects.
I am not opposed to out sourcing per se, but not to the exclusion of basic common sense and self preservation.
Oh that and personality clash...
Just my AU$0.04 (damn exchange rates).
Perhaps an adult entertainment award show (or is that already the "Stiffies"?).
Pretty... but is it pretty like a shark?
Mind you, water vapour is not the worst exhaust fume around.
Please don't have your daily lead/mercury tonic...