Slashdot Mirror


User: passionplay

passionplay's activity in the archive.

Stories
0
Comments
73

Comments · 73

  1. Re:So where's that smug Linux dude? on Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com) · · Score: 1

    And who runs Ubuntu? Canonical. Go report it to them.

  2. Re:Not really anything new on Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com) · · Score: 2

    He wanted his 15 minutes in the limelight. Reporting CVE would not get him that.

  3. Script Kiddie exploits game library - news at 11 on Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com) · · Score: 0

    So let me get this straight. Someone figures out how to exploit a game emulator that has nothing to do with the Linux Desktop (gaming on an emulator is not primary functionality of Linux on the DESKTOP - read that again - DESKTOP). And now we are reporting this as a distribution failure and calling the entire Linux ecosystem as bad. Meanwhile, the plugins in question are clearly labeled as "bad" as in "use at your own risk". So what is Linux on the Desktop supposed to do? Protect you from yourself? Be "just like windows"? I would suggest that we call a spade a spade and report this as a Game Emu failure. This library exists in multiple distributions but has nothing to do with the distro itself. And if you want to protect yourself - stop downloading and clicking on damn random files - "file " is far more effective than checking the extension. Someone causes a vulnerability on a file name extension in 2016 means that we haven't trained people enough that file name extensions are not linked to file format. Let's do less hype and more work. Just my two cents. (P.S. Is this even news-worthy?)

  4. Re: Star Trek Warp Reactors here we come on 'Star In a Jar' Fusion Reactor Works, Promises Infinite Energy (space.com) · · Score: 1

    Exactly, but magnetic containment is a requirement. Plasma drives for impulse engines pave the way for the next stage. The space warp requires enormous energy that can be contained and focused. Granted, this is the first step. And the road is very long.

  5. Star Trek Warp Reactors here we come on 'Star In a Jar' Fusion Reactor Works, Promises Infinite Energy (space.com) · · Score: 1

    This is just the first step in a long road. Art imitates life. Life imitates art.

  6. Re:If you want to write a book, just do it on Ask Slashdot: Have You Read 'The Art of Computer Programming'? (wikipedia.org) · · Score: 1

    I think you skipped the class on Finite State Automata and the resulting literature that came from that particular line of study such as the GOF. You probably use it all today but you just don't realize it. Computer programs done w/ the predicate calculus express truths. If those truths have the finite set of transformations that maintain those truths, the program is still true and correct. We often sacrifice this process in interest of speed. But it does not mean that the resulting code does not show evidence of that series of transformations. It does however show evidence of corners being cut and that someone manually crafted the organization. So the program instead of being itself a proof of correctness that always works, is rather an approximation (first order or better) that covers the majority of cases required and then there is some sort of error catcher (often incomplete) for the rest.

  7. I took CS. I was required to program algorithms and do proofs in a multitude of languages. And none of the languages used were taught. The basis was trial by fire. Computer scientists were supposed to be able to learn any language at any time in order to solve the problem at hand. We learned to be language agnostic and pick up the language required every 2 weeks. It worked.

  8. "Because " is not a complete thought. Could you please expound for those of us that don't think a noun covers the gamut of possibilities that you wish to cover? Since we are all geeks here, it stands to reason that the universe of the set covered by "details" is larger than your intent and indicating that your intent is universal assumes we have the same level of understanding as you.

    "Because <noun>" is catchy in journalism because "for news - it shows an all encompassing view to attract audiences." (See what I did there?)

    I for one would like to know what details you mean. Please and thank you.

  9. Every program written today is in way shape or form another program from an earlier age with one more level of indirection. There is a saying in the K&R world, that there is no problem that cannot be further simplified than with one more level of indirection. The difference today is that we no longer want to choose that level of indirection. We want to have it given to us. What was once syntactic sugar has become semantic necessity through reward for the deeper understanding of the subject. Being faster to market wins over being better.

  10. Re:Unfortunately no and I have a reason on Ask Slashdot: Have You Read 'The Art of Computer Programming'? (wikipedia.org) · · Score: 2

    presented .... without any boilerplate code, overhead, or worries about limitations, no need for tedious checks for array out of bounds, numeric overflow, or out of memory, or invalid input.

    Wait - did I read that correctly? "without any boilerplate code, overhead, or worries about limitations, no need for tedious checks for array out of bounds, numeric overflow, or out of memory, or invalid input" = improved textbook?

    Aren't these the attack vectors used by malware and viruses today?

    I think I'm lost. We use a newer shiny shiny that shows us to do something without showing it done safely and it's better because people will magically include the necessary safety checks and our new algorithms are better because they are clearly implemented without the safety checks.

    That's the premise of this statement and the assessment?

    Just making sure I'm on the same page.

  11. It is secure - everything you can do anything in initrd using this exploit was already available as a feature w/o the exploit. Initrd has no passwords and no content. Until you enter the password for cryptsetup, you get access to nothing. And sure you have root access to INITRD but not the actual filesystem other than boot - but that was unfettered to start with.

  12. Yup - the same security experts that gave the backdoor to the spy agencies. Yup!

  13. So what? Tested this on Fedora 25 on Cryptsetup Vulnerability Grants Root Shell Access On Some Linux Systems (threatpost.com) · · Score: 5, Interesting

    How is dropping to initrd "root" access?

    1. If you already have physical access to the console, all bets are off anyway. Security 101.

    2. If you have WDE enabled, dropping to root gets you initrd only - no passwords, no privileges, nada - all it lets you do is try to mount the file system which can't be because it's encrypted. Only /boot should be unencrypted.

    3. The only possible attack vector is to swap out the kernel image. But there are simpler ways to do that than run an exploit.

    Did these guys watch too many episodes of the new MacGyver and consider themselves hackers instead of script kiddies?

    Did they report the problem as only present if you encrypt specific volumes (which is stupid anyway because your passwords are visible now)?

    It takes a lot of effort to avoid WDE when installing linux these days. Only an idiot would misconfigure and render his system vulnerable like this. And only an idiot would give his keys to the castle to people he didn't trust.

    Social Engineering wins every time and there is nothing you can do about it.

  14. Re:Really? on Systemd Rolls Out Its Own Mount Tool (phoronix.com) · · Score: 1

    It's not broken. It's a choice. The auto-mount DOES work already. If there is a problem, the user can fix it now. In the future, the problem cannot be repaired BEFORE it is open for the OS to make it worse.

  15. Re:Really? on Systemd Rolls Out Its Own Mount Tool (phoronix.com) · · Score: 1

    Agreed - so we can recover data from files Microsoft Windows can't without paying extra for the service.

  16. Re:Really? on Systemd Rolls Out Its Own Mount Tool (phoronix.com) · · Score: 1

    I think your fascism is well-placed. You are the person that ensures I will always have a job. When a drive fails under Windows, Windows keeps trying to fix it and makes things worse. When you try to recover files from Windows (as most users have tried), Windows starts corrupting things all over the place. I tell my friends, when you have a problem with your drive, turn your computer off and bring it to me. I will recover all your files if you give me a drive of equal size. Why? Because Linux will never FSCK removable media unless I tell it. It will not even access files, FAT or any other content. I can clone the drive under Linux with removable media without danger of reading the contents more than once and making the drive seek only forwards as fast as it can go. 99% recovery rate. With the proposed SystemD update, I can no longer do this. Because of the hidden secret sauce that causes an FSCK on removable media. THIS is the problem. It's the automatic FSCK and MOUNTING. The POINT of a Linux system is that automount is at the user's discretion. Not the operating system. SystemD, like Windows, is removing the ability of the USER to choose to do something. And like the other areas where SystemD has run rampant, the first step is embrace - then extend, and then extinguish. Lesson learned from Microsoft.

  17. Re:Whatever you're used to seems simple on Is Modern Linux Becoming Too Complex? · · Score: 1

    It was all very simple.
    /home contained the home directories for users
    /sbin contained system special executables
    /lib contained system libraries
    /bin contained system executables
    /usr contained user space files
    /usr/sbin contained user space special executables
    /usr/bin contained user space executables
    /usr/lib contained user space libraries
    /usr/share contained shared user space files
    /usr/local contained add-on user space files (bin, sbin, lib)
    /var contained the most variable files (high data throughput) or most often changed (which leads to /var/www /var/lib/ /var/adm /var/tmp /var/run)
    /proc contained process pseudo file system
    /dev contained device pseudo file system
    /sys system pseudo file system - this one is new
    /tmp obvious
    /etc EVERYTHING ELSE that is not a library, user space file, or a binary in one of the other categories


    Just because you were never told and never bothered to learn does not pre-suppose a lack of design. Ignorance is no excuse for claiming to be knowledgeable. It's like saying you never read the bible because it was all in Greek. But you got the gist by looking at it long enough.

    If you cut your teeth on Dec UNIX, Solaris, AIX and HP-UX, it's very easy to understand because you learn the history through comparison. This "I don't get it so there must be no rhyme or reason" is just crazy.

    It's like the other old timer said - the new folks don't want to learn about how we got here - they just want to repeat our mistakes. I cut my teeth on Linux and then UNIX proper and then VAX since 1990 (TSR 80s and the like on 8086 processors and then 80386 systems before getting to real machines). It's a proven fact that we are all social learners by nature. Maybe it's time to exercise our social learning instead of our social media which is leading to our social ignorance.

  18. Re:Life on other planets != No God on Science Cannot Prove the Existence of God · · Score: 1

    Not cherry picking. There are many more examples in the same book. Right down to predicting the non-mixing of water in ocean currents at different layers. That was what convinced Jacques Cousteau. But anyway. It's just one example. There are lots of scientific FACTS in the same book. That we've only recently proven. Yes, if this was taken as proof a long time ago, I would agree - cherry picking. Too many other facts have borne out as true since then.

  19. Life on other planets != No God on Science Cannot Prove the Existence of God · · Score: 1

    How does the conclusion that there may be life on other planets disprove the existence of God?

    Just because we as humans hope that God made life only on one planet does not make it so.

    Just because we don't have accurate records in every religious book on possible life on other planets does not disprove God's ability to create life elsewhere.

    Even IF ONE religious book postulated possible life on other planets is possible is grounds for DISMISSING the "There is no God if there is life on other planets" theory.

    However, IF ONE religious book that DID mention possible life on other planets or even other planets from an illiterate goat herd that wouldn't know the first thing about science, the universe or planets or even that the world was round would be sufficient grounds to prove the existence of God.

    Occam's Razor: In the absence of all other explanations, the simplest explanation holds.

    Chapter 1, Verse 1 of "The Opening" from the Qur'an reads: Al hamdu lillaahi rabbil ‘alameen (Praise be to God, Lord of all the worlds)

    Science postulates NOW that there may be life on other planets. They did not have the technology to know that there were worlds back then. Therefore, God exists.

    Ok - let the religious wars commence. :)

  20. Re:Sensationalism? on Ask Slashdot: Linux-Friendly Desktop x86 Motherboard Manufacturers? · · Score: 1

    I think you missed something. You CAN force the system to ignore the BIOS and use the power management feature by setting a kernel flag. How does that qualify as a horror story? I used to build computers on "screaming new hardware" and newly purchased laptops. And I had to go through the pains of figuring out what the flags were by researching. Not once did I BOTHER with attempting to get the manufacturer to FIX the problem for me. Unless I'm a developer interested in updating the BIOS, I just care that the computer I want is doing what it should be. E.g. Figuring out how to install Bumblebee so I can run Optimus.

    Also, to use the newer hardware, I would simply go to a store and bring my live Linux CD with me. Either it ran or it didn't. If it ran, I bought it. If it didn't, I skipped it. Time is money. I have none to do a manufacturer's homework.

    You want to stick it to them. Don't buy the thing that doesn't run what you want.

    Apologies if I am oversimplifying, but I do not see "I bought hardware and the manufacturer won't let me run what I want on it" is a horror story. The real horror story to me is that you bought it without checking to see if it was a lemon. We don't have a lemon law for computers when it comes to Windows vs Linux. Caveat emptor.

    Personal opinion.

  21. Sensationalism? on Ask Slashdot: Linux-Friendly Desktop x86 Motherboard Manufacturers? · · Score: 4, Interesting

    Is setting a bunch of flags really a horror story? Really? How is this possible if you are BUILDING a computer?

  22. Typo:How is this possible: "It took me hours" on ICANN Offers Fix For Domain Name Collisions · · Score: 1

    Ugh - damn keyboard got stuck. In place of "I have not clue", please read as "I have no clue" :(

  23. How is this possible: "It took me hours" on ICANN Offers Fix For Domain Name Collisions · · Score: 1, Redundant

    I have not clue how it could take someone HOURS to figure out the name was resolving incorrectly. It takes SECONDS to run nslookup, with different nameservers on the TARGET MACHINE. How is this even newsworthy? A network administrator that doesn't know what he is doing, takes hours to figure out that the name is resolving differently and we write an article on that?

    How is this newsworthy?

    Secondly, these other TLD's are the right of ICANN to implement. If we didn't want it, we didn't scream loud enough. What is the point of all this chatter on this topic now?

    Just curious why we don't have better stories to talk about. ICANN is old news. They're a broken organization that is trying to maintain order in a system that was never designed for centralized control.

    Just my two cents.

  24. Re:Why do CS grads become lowly programmers? on Ask Slashdot: "Real" Computer Scientists vs. Modern Curriculum? · · Score: 5, Insightful

    You study ENGINEERING (a discipline) to become a LICENSED PROFESSIONAL ENGINEER.
    You study MEDICINE (a discipline) to become a LICENSED MEDICAL DOCTOR.
    You would have to agree an automotive engineer is not the same as a mechanic which is not the same as a scientist in combustible fuels.

    Software development is an art form. Software engineering is a discipline. Computer Science is a science.

    Studying computer science by itself enables you to become:
    1. A computer scientist
    2. A computer programmer
    3. A computer technician

    Even becoming a computer science teacher would require you to study EDUCATION as a discipline.

    There are no shortcuts. While life experience may teach you SOME things to become an engineer, there is no substitute for a Computer Science degree that focuses on software engineering. You could become an engineer after years of experience. Or you could simply learn the discipline and stand on the shoulders of giants and open yourself up to learning from and teaching others in the discipline for a lifetime.

    The next time you ask yourself, "Where on God's green earth would I use this knowledge", stop yourself. And think: "Why on earth would I want to work harder and solve problems already solved by others."

    An engineer solves problems a new way because the outcomes of all the known methods are not satisfactory. An engineer can predict reliably how long something should take from his body of knowledge.
    A developer solves problems a new way because it's fun, it's cool and it's artistic. A developer, like an artist, works until he's done.

    There is nothing wrong with being a developer or an artist. But just as we should never confuse industrial art with fine art, we should never confuse software development with software engineering.

    If you can only solve the problem at hand, you will not have fun doing engineering. If you are happier solving higher order problems of how things are put together and how to do things efficiently or discovering how to do things MORE efficiently by building on the knowledge of others or collaborating, you will have fun doing engineering.

  25. Re:We are now all ##AA-Stooges on Are DVDs Inconvenient On Purpose? · · Score: 1

    Torrents serve the same purpose as a DVD, so I would have to agree.