Slashdot Mirror


User: the+chao+goes+mu

the+chao+goes+mu's activity in the archive.

Stories: 0 · Comments: 359

Comments · 359

  1. Re:It's Not The Applications That Matter on Bunk Camp - Apple Gets It Wrong? · · Score: 1

    I bought an iPod because I'm different...just like everyone else. (For the Apple fanatics, that was sarcasm.)

  2. Re:"AJAX" alternative? on Is Your AJAX App Secure? · · Score: 1

    How about "JavaScript Kludge, Now With XML!"?

  3. Re:Maybe I'm stupid on Is Your AJAX App Secure? · · Score: 1

    If I had mod points I would mod you +5 interesting! Something about what you said just fascinates me!

  4. Re:Isn't that always a threat? on Is Your AJAX App Secure? · · Score: 1

    I know what you mean. At one job I found a web page with the argument (in a GET statement) "include=file.html". I decided to play with it a bit (it wasn't my code and I didn't have any read/write rights to that directory) and tried "include=../../../../../etc/passwd". Surprise! I could read it. And /etc/vfstab, and pretty much everything else I wanted short of /etc/shadow. I also discovered that our cgi executables contained hardcoded username/password pairs visible when this webpage tried to read them as text. My boss' reaction: "So, why is this a problem?"

  5. Re:Enough with "Enough already" on Is Your AJAX App Secure? · · Score: 1

    You forgot the late 90's trend of adding "virtual" to everything. Or adding "e" to the beginning of any word (which Apple morphed into adding "i" to everything).

  6. Re:How is this different on Is Your AJAX App Secure? · · Score: 1

    Actually, to fake a post most of the time you simply need to save a local copy of the relevant form and manually edit a field or two (or turn a hidden field into a text box, or something similar). It is much easier than you suggest in 90+% of the cases. (Yes, extensive use of javascript makes this harder, but most websites use pretty simple forms, and any JS is for input validation. You can usually ignore the JS, especially if you are mangling a hidden field -- as JS usually does no validation on hidden fields.)

  7. Re:How is this different on Is Your AJAX App Secure? · · Score: 1

    There are modules which can be used to record POST data, but for a default setup you are correct.

  8. Re:Tinfoil Response on Is Your AJAX App Secure? · · Score: 1

    I have a better solution. I live under those trees! Dressed only in my tinfoil jumpsuit, hiding in dense foliage, no google spyplane will ever find me!

  9. Re:But you never could... on Microsoft Says Recovery From Malware Becoming Impossible · · Score: 1

    Agreed, windows makes security much harder. (Though mounting ro is only effective if the hacker can't then remount as rw, just as chattr is only effective if the hacker can't run chattr as well.)
    My main point was that any system can be compromised, though some don't believe it. (If you want proof see the fanboys above insisting that only a bad admin can be compromised. That is a certain recipe for failure. Your first rule should always be to assume that you will be hacked, then plan on how to detect and deal with it.)

  10. Re:But you never could... on Microsoft Says Recovery From Malware Becoming Impossible · · Score: 1

    I called you a troll, because your first statement was "You're talking out fo your ass", which is not an invitation to civilized discussion.
    And I hate to tell you, but there are exploits in a lot of code, exploits which can be used to compromise a machine. No matter how good your admin skills, if your code has unknown holes in it, you can be compromised. Stop being so arrogant about your own abilities.

  11. Re:But you never could... on Microsoft Says Recovery From Malware Becoming Impossible · · Score: 1

    First, there is software that must run as root. Second, sometimes that software has exploits. Third, sometimes those exploits are not known at the time the software is installed. In this way, sometimes people manage to exploit a machine and get root. Why is that such a hard concept to grasp?
    This is not the case of "unknown software" it is the case of known software containing potential exploits. PHP had one such exploit. SSH had several over the years. There are a number of other cases.
    Why do I constantly get "You must be a lousy admin or a liar" when I say that people can get root access on linux boxes and install trojaned software? Or that Linux is vulnerable just like any OS? Are you that rabid a fanboy that you can't stand someone saying Linux has even a slight problem?

  12. Re:But you never could... on Microsoft Says Recovery From Malware Becoming Impossible · · Score: 1

    Did they hide files in some of the localization directories? (I think ours were in .SE, or something similar; it has been 3 years and I don't have a redhat machine in front of me.)

  13. Re:But you never could... on Microsoft Says Recovery From Malware Becoming Impossible · · Score: 1

    OK. To give a little credit to the AC troll who accused me of talking out of my ass, I did make a mistake in my original post. The line should read web-server related, not web browser.
    Nonetheless, the AC is still an ignorant troll.

  14. Re:But you never could... on Microsoft Says Recovery From Malware Becoming Impossible · · Score: 1

    Shouldn't type when I am annoyed, I make too many typos. Penultimate sentence should read:
    However, if you had reading skills and a modicum of logic, you would realize that "a number" and "all" are different concepts, and that the bin problem I described may have fallen outside the subset of exploits that were web related.

  15. Re:But you never could... on Microsoft Says Recovery From Malware Becoming Impossible · · Score: 1

    Good to hear we weren't the only ones hit by this. I never heard anyone else admit to a similar problem.
    We also had a number of "hacks" which were more annoying than damaging. People would substitute trojaned binaries, but for the wrong kernel or distro version. So, rather than being compromised, we would get machines where 'ls' or 'login' would just stop working.

  16. Re:But you never could... on Microsoft Says Recovery From Malware Becoming Impossible · · Score: 1

    I said a number were web related, not this particular one. Though, if you worked in IT in the past 3-4 years, you may recall a number of PHP exploits which provided root access on compromised machines.
    However, if you had reading skills and a modicum of logic, you would realize that "a number" and "all" are different concepts, and that the bin problem I described may have fallen outside the subset of exploits that were web related.
    Then again, you post AC which means you are an ignorant troll, so why bother explaining this?

  17. Re:But you never could... on Microsoft Says Recovery From Malware Becoming Impossible · · Score: 1

    Finally! Someone points out that linux/unix/macos is not immune to this problem. My last job was at an all linux shop, yet we still had to deal with exploits (though a number were web-browser related, so not relevant for personal desktops). The worst left the entire contents of bin replaced with trojaned versions which would not allow you to replace them. (Had to copy untrojaned versions from another machine to a local directory and use those copies of mv, cp, rm, etc. to get rid of the offending programs. There were other problems, such as a recurring at job which ran 'find' and replaced any copies of 'cp', 'mv' & co it found with trojaned versions, but that is more detail than we need for this discussion.) Linux is not a cure-all for malware. It is far more likely that windows dominance of the personal desktop market means most developers concentrate on windows. If Linux held 90+% of the market, I am sure we would see a lot more linux worms, trojans, viruses, etc. (And, yes, they are possible, even if a little harder to create than the windows version.)

  18. Re:Waste on New "Dark" Freenet Available for Testing · · Score: 1

    It is when Java claims to "compile once, run anywhere". If (1) the byte code is different for the same source code depending on compiler and (2) the same byte code will not run, or will behave differently, when run on differing OSes, this does give lie to the whole "platform independence" thing.
    So, yes, that is exactly my point. Java (unlike C, C++, etc.) claims the platform is irrelevant, so there should be no difference.

  19. Re:Waste on New "Dark" Freenet Available for Testing · · Score: 1

    Besides the JVM being platform dependent, the byte-code itself is also platform dependent despite Sun's claims (or so it was a few years ago). I have had Java byte-code compiled on a Windows box fail on Linux, FreeBSD, and Solaris. Similarly, Solaris code would not quite work on a BSD box.
    Besides that, I have also run into problems with source code not compiling the same way on two different platforms. For example, linux's kaffe compiler accepted:
    try{...initialize object...}catch{...exit...}...use object...
    while sun's compiler complained I was using an object that may not be initialized, and refused to compile. To get Sun to work I had to nest the entire rest of the code inside the try block.
    Note: This was a number of years ago, and Java may be all spiffy and wonderful now, but after all the hype about platform independence this experience soured me to java enough that I haven't gone back.

  20. CYA on Why Email Is Still The Most Adopted Collaboration Tool · · Score: 1

    Email has one advantage over any collaboration software: I continue to control the content (at least of a copy of what I sent). If the collaboration software doesn't maintain a record of changes made, or if it can be edited by someone I don't trust, the software leaves no "paper trail" when some middle manager insists later that I did or didn't do something. Email leaves a much better record for purposes of fending off corporate infighting. (Yes, I used to work at a mean and miserable .com, actually several. And when buyout and layoff time came, I was glad to have records of what I said and to whom I said it.)

  21. Re:Recursive Acronym! on The Data Accountability and Trust Act (DATA) · · Score: 1

    Actually, shouldn't that recurse in the opposite direction?
    DATA=DATA Accountability and Trust Act=DATA Accountability and Trust Act Accountability and Trust Act= DATA Accountability and Trust Act Accountability and Trust Act Accountability and Trust Act etc.

  22. Re:640K Should Be Enough for Anybody! on £52 Million Govt Funding for New UK Supercomputer · · Score: 1

    604K? Are you mad? Who could ever need all that space! If it can't fit in memory on a VIC20, then it is far too large! (And no fair using those expansion cartridges either.)

  23. Re:Why is it called web "2.0" on The State of Web 2.0, The Future of Web Software · · Score: 1

    Yes, this is all about my preferences. Not about people inventing needless words and forcing language to be even more ugly than necessary. "Architecting" is not a word, and it serves no purpose that is not better served by an existing word. I don't know why you are getting so worked up about this. I simply pointed out that in coining a new word one should avoid words that are unnecessary and especially ones that are ugly. Why is that such an objectionable position?

  24. Re:Lawsuits vs. Accidental or Intentional wrongdoi on Lawsuit Against Ubisoft for Starforce · · Score: 1

    For an alternate view see overlawyered.com's rebuttal of this "it's an urban legend" position. Don't have the URL handy, but search "mcdonald coffee" on overlawyered. (Turns out McD's coffee then was 10-20 degrees cooler than Starbuck's is served right now. And was well within the norm for coffee temperatures at the time.)
    Then again, the whole post above sounds a bit like a trial lawyer soundbite, so not sure how much good my statement will do.

  25. Re:Once again, why? on Plans For .xxx Domain For p0rn Scrapped · · Score: 1

    No, but they may buy it and leave it unused to prevent Microsoft opponents or anyone else from buying it and hoping to cash in on mistaken URLs or googlebombing or other tricks which the ms name would make much easier.