Those online games will still operate just fine, on an unmodified console. Just use the standard tool at http://www.xbox.com/en-US/support/systemuse/xbox360/licensemigration/ and move the licenses to a valid, connected console. They haven't taken anything away permanently here, you still own licenses to use the games you've paid for, you just can't use them on a modified device.
Inaccurate? yes. Baseless, given the discussions on bugtraq? Not so much. There was definitely a buffer-overflow issue in the URL bar, since you can trigger an access violation using it. I assumed it was exploitable. Perhaps it still is vulnerable, but perhaps it's just a crash-bug (in which case, it'll be an effective annoyance, but probably not critical)
If the bug's in webkit, that probably means it's in KHTML, and as you point out, anything else that uses PCRE. Of course, that post doesn't refer to a CVE or anything like that, so for all we know, webkit's PCRE may have been forked off months or years ago, and the bug could easily have been fixed by now. Or it could still be out there.
It's difficult to tell but there doesn't appear to be anything in the recent past in pcre's bugtracker that looks similar, I'd have to trawl their changelogs, and my job kinda precludes me from randomly browsing other people's source. I'm guessing that KHTML as built in most distros, relies on PCRE compiled from original source plus patches. As noted in the patch linked to in the post, Apple are using their own fork of the PCRE tree (for QA reasons, and it's not a BAD reason, it's just has gotchyas)
Thus, the problem with accepting third party code, unless you do your own homework for security, you may wind up screwed. Fortunately, most linux distros have teams to watch out for this kind of stuff, but you know, things slip through the cracks.
Notably, this problem is worse than my original guesstimate.
HDMI? sleek? sexy? Clearly you've never seen a HDMI cable made from this stuff.
The specs down the bottom proudly include: Overall diameter: 11mm (approx. 7/16 inch)
1.1cm!
That said, it's able to carry a HDMI signal, within spec, for well over 100 feet. Not that you need that when your xbox/blu-ray player/ps3/media centre/whatever is 5 feet away from your flatscreen, but yeah... thick cable. (It's crazy the hoops you have to jump through to get full HDMI 1.3a compliance, apparently. 1.2 was pathetically easy to work with, and could be done fairly cheaply. Most thinner cables won't pass 1.3a tho, it's much more strict about the degradation over 40 feet)
Particularly given that it doesn't require any special credentials to get bugtraq email.
That said, I don't doubt that the exploit had to chain-load it's way to higher privileges, that's entirely possible.
I imagine it went somethign like: Safari visits site, crashes, executes remotely supplied code. Remotely supplied code then exploits local vulnerability to gain super-user privileges. Game over.
Local vulnerabilities are a problem, and one that pretty much all OS's have, osX, linux or windows. My general point at the start of this thread is that these days, users are still the easiest vector in. I have no doubt that some external services by all three laptops could have been exposed. Since they're desktop systems, it's entirely possible that they're all firewalled quite heavily, however, or they're not running much.
But that said, for a while now, the simplest infection vector is through user action. They click on a link, open an email, or they accept junk from someone via instant messaging or facebook. That's not to say that that's the only class of vulnerability left, and ideally, the vulnerability still needs to gain extra privileges, but fortunately, most systems have gotten to the point where the user is less trusted than they used to be, windows included, although they're the odd one out in that it never really started out that way for them.
Because they make it more obvious, for simpler attempts, at any rate. IE as a whole runs in Low privileged mode now, and can't touch other parts of the system without permission from the system to even *send it a url*. Safari, it appears, was not, and so a compromise in safari was a big BIG foothold.
That's nto to say that IE's sandbox is perfect either, but it's a set of higher walls.
That's the thing. It wasn't unix that they broke, It was the relatively new code. OSX may look like a unix from the outside in, but it's not one from the desktop down. It may resemble it, but it's not complete. Unix may be convenient for Apple, but it's not a mantra.
That said, ubuntu (and linux in general) are heading that way too, just not quite with the same fevered pitch.
It's the same basic premise that windows was based on: The user is in control. OSX and linux both have fairly strong boundaries between admin and user, but things are slowly wearing down, in the name of convenience. The difference being that things started out far more secure, and there's a bit more separation at the display itself, whereas win9x was not designed with this security in mind, and while NT was, it also inherited parts from win9x's shell and there were compromises at the display, etc.
Microsoft gets this now though. SQL Server's a great example of that. Hundreds of thousands of man-hours have gone into making that thing far more secure than the slammer days, just compare critical vulnerability counts from SQL-server to Oracle. Microsoft's biggest curse is legacy code now, plus a fair amount of ongoing training, and they will only shrink with time. This is mainly shifting market pressure, of course, it costs money to have negative press regarding security nowadays. It didn't in the past, and it will only increasingly have negative press for the next couple of decades at least. It's surprising that Oracle is now doing what Microsoft used to do: treat security as a marketing buzz word (Unbreakable on linux took how long to break?)
But who knows how many holes were in the old X11R6. But you didn't run that on servers, for a good reason. Guess what, there are probably lots of applications that don't handle the Windows messaging system securely and buffer-over/underrun free either.
These days, things like IE operate in Limited user mode. This goes even further than ordinary users (far more than a "power" user, and lightyears away from Administrator or SYSTEM). It's restricted to \users\%USER%\AppData\LocalLow\ and one or two other locations, and that's it (Favorites spring to mind. It gets to be a pain if those accidentally wind up back with normal ACLs, as I mentioned here.) So you need to work harder to break out of internet explorer, and IIRC, it takes permission from a privileged application to do it. Outlook's probably a juicier target, but it's been subject to the fabled crucible for a long long time, so again, it's harder.
OSX hasn't been subject to it for long at all. Safari's new. *Really* new, and you know what, it wasn't even webkit that broke, but the url bar (if memory of the bugtraq post serves.) Where did webkit come from? Oooh. that's right. KDE.
We're all in for it if apple really do gain significant market share (we being administrators, not we being "the general populace"). It may or may not be as big a problem as windows has been, but I'm willing to bet that the effects will be as dire, and apple doesn't really have a fantastic track record here, as other articles have pointed out. The momentum of not having security as a primary goal is one that takes a *long* time to turn around.
Bigger hoops to jump through? Linux has fairly high levels of user/admin separation, and windows has been burned enough times that the sandbox that IE runs with is effective enough to slow people down, far more than it was back in the ie6 or ie5.5 days.
I doubt it'll take much longer for all three to get taken over. There'll be some office bug, or a local service vulnerability that hasn't been patched yet, and it'll be game over, sooner rather than later.
There's a lot to be said for being exposed, it does give you the benefit of a lot more hindsight.
You know, it's funny. I once did some work for Australia's monopoly Telco, Telstra.
As you may or may not know, Australia has had issues with having decent links out to the rest of the world for some time. (Partially due to us having to pay for traffic in both directions, where usually most international links will only pay for incoming on either side, and with the population disparity, that winds up being expensive for us.)
I was talking to one of the guys in their web services group, and I made a remark about there being poor links to the rest of the world. His reply was "If you can get to telstra.com, where else do you need to go?"
The sad fact is, that any ISP that's also in the game of delivering content is always going to have this view. IMHO, it should be illegal for an ISP to be it's own content provider, and give itself preferential treatment, even if it's not a monopoly.
Quibbling over language is a waste of time. Didn't "Photoshopped" "Hacker", "Xeroxed" or "Googled" teach you anything?
Also, I didn't say *anything* about it being "OK" for a mail server to lack an administrator. I said that IT HAPPENS. Not that it's okay. I'm pretty sure my language implied that i think that anyone who allows it to happen is a penny-pinching tool.
So, just to trip you out, i'm going to let you assume my opinion based on neutral language again. The nazi's murdered hundreds of thousands of jews.
OH NO, I JUST ENDORSED THE HOLOCAUST by your standards.
now stop yelling at me, and get a fricking life. This thread is old.
My understanding of their BT filtering is that they're sniffing the tracker traffic in order to determine which connections to cut. Since any internal use of BT would be to known trackers that they run themselves, I'd assume that it would be relatively easy to add exclusions to the filters to avoid blocking "legitimate" traffic.
It should be noted that one can bypass comcasts crappy seeding-only blocks by running tracker traffic through an external proxy. Encryption of the individual p2p connections doesn't cut it, you need an encrypted tracker stream as well.
This would point heavily to the tracker being the telltale
And it should be noted that there's also a corresponding advance on radio: HD Radio.
Of course, the benefits are questionable (ie, can you really tell the difference from HD radio vs a stereo FM radio with decent S/N ratio?) and it's highly proprietary (and fragmented between continents, oh joy!), but it is backwards compatible (Basically, it layers over the top of FM, so it doesn't require new spectrum) and it can degrade to lower quality if you can't afford the top of the range broadcasting equipment, etc.
Supposedly my favorite station is broadcasting in HD radio ATM. Except my car radio (the only place I really listen to it) doesn't support it, and since it's an in-dash model, not a removable one (I'd have to get one made to go in this specific range of cars or something), I can't easily replace it with HD capable stuff (And if I was going to spend money on the car, I'd do something useful. Like install central locking...:)
And he, I meant "you". Didn't realise you were the same.
So what, exactly, is your problem with openoffice? it's worked well enough for my purposes in the past. It edits documents, does spreadsheet stuff, and can be made to suck data out of a database or create presentations.
Sure, its memory usage is high, it's an older style interface, and sometimes it's a pain finding things, but for the most part, it's pretty capable. We sure don't have much else that's as complete. TeX is nice, but doesn't fill everyone's cup and only does documents, abiword is nice, but feature-poor, gnumeric is nice, but feature poor. The two don't embed well enough yet, and you'd have to go out to realbasic or equivalent to start building access-forms-alike apps at a similar skill level.
I didn't say such a server was going to be in a poor state of disrepair. That was implied in my comments about people too cheap to pay for decent maintenance. I've seen this happen far too regularly at some previous consulting jobs, however.
Uh. Because we actually do have a product like this?
OpenOffice.org has support for pulling data from a database. It also has support for a forms-like interface. It also has it's own vb-alike language. (Still in development perhaps, by the looks of it)
There are also plenty of other tools. RealBasic, etc.
Uh, so it's not configured to make the distinction between "OK" / "Not okay", and "i can't talk to it right now because it's returning a bogus result"?
127.0.0.1 is probably going to turn out a quick response consisting of "who are you, and why are you touching me in my private place"
While that's accurate to a point, Seems to me that doing this at the DNS level (deleting a DNS record, or pointing it to 127.0.0.1 and giving it a TTL of a few decades) would do the trick better than BLOCKING EMAIL.
My bet is this is going to really REALLY negatively affect all of those mailservers that have been setup, for which there is *no* administrator. You know. the ones setup for smaller companies who have no inhouse admin, who hired a consultant, but wouldn't pay for ongoing maintenance (either due to tightness or actual lack of funds, etc). The response time here, and time to resolution is likely to be high to non-existent.
All in all, this is a pathetic (understandable, mind you) move, and reeks of inconsideration.
Slashdot Mirror
I didn't know Jenny McCarthy had a slashdot account
Those online games will still operate just fine, on an unmodified console. Just use the standard tool at http://www.xbox.com/en-US/support/systemuse/xbox360/licensemigration/ and move the licenses to a valid, connected console. They haven't taken anything away permanently here, you still own licenses to use the games you've paid for, you just can't use them on a modified device.
Inaccurate? yes. Baseless, given the discussions on bugtraq? Not so much. There was definitely a buffer-overflow issue in the URL bar, since you can trigger an access violation using it. I assumed it was exploitable. Perhaps it still is vulnerable, but perhaps it's just a crash-bug (in which case, it'll be an effective annoyance, but probably not critical)
If the bug's in webkit, that probably means it's in KHTML, and as you point out, anything else that uses PCRE. Of course, that post doesn't refer to a CVE or anything like that, so for all we know, webkit's PCRE may have been forked off months or years ago, and the bug could easily have been fixed by now. Or it could still be out there.
It's difficult to tell but there doesn't appear to be anything in the recent past in pcre's bugtracker that looks similar, I'd have to trawl their changelogs, and my job kinda precludes me from randomly browsing other people's source. I'm guessing that KHTML as built in most distros, relies on PCRE compiled from original source plus patches. As noted in the patch linked to in the post, Apple are using their own fork of the PCRE tree (for QA reasons, and it's not a BAD reason, it's just has gotchyas)
Thus, the problem with accepting third party code, unless you do your own homework for security, you may wind up screwed. Fortunately, most linux distros have teams to watch out for this kind of stuff, but you know, things slip through the cracks.
Notably, this problem is worse than my original guesstimate.
HDMI? sleek? sexy? Clearly you've never seen a HDMI cable made from this stuff.
The specs down the bottom proudly include:
Overall diameter: 11mm (approx. 7/16 inch)
1.1cm!
That said, it's able to carry a HDMI signal, within spec, for well over 100 feet. Not that you need that when your xbox/blu-ray player/ps3/media centre/whatever is 5 feet away from your flatscreen, but yeah... thick cable. (It's crazy the hoops you have to jump through to get full HDMI 1.3a compliance, apparently. 1.2 was pathetically easy to work with, and could be done fairly cheaply. Most thinner cables won't pass 1.3a tho, it's much more strict about the degradation over 40 feet)
Can't whisk that I can see, but it CAN toast bread...
Particularly given that it doesn't require any special credentials to get bugtraq email.
That said, I don't doubt that the exploit had to chain-load it's way to higher privileges, that's entirely possible.
I imagine it went somethign like:
Safari visits site, crashes, executes remotely supplied code.
Remotely supplied code then exploits local vulnerability to gain super-user privileges.
Game over.
Local vulnerabilities are a problem, and one that pretty much all OS's have, osX, linux or windows.
My general point at the start of this thread is that these days, users are still the easiest vector in. I have no doubt that some external services by all three laptops could have been exposed. Since they're desktop systems, it's entirely possible that they're all firewalled quite heavily, however, or they're not running much.
But that said, for a while now, the simplest infection vector is through user action. They click on a link, open an email, or they accept junk from someone via instant messaging or facebook. That's not to say that that's the only class of vulnerability left, and ideally, the vulnerability still needs to gain extra privileges, but fortunately, most systems have gotten to the point where the user is less trusted than they used to be, windows included, although they're the odd one out in that it never really started out that way for them.
Because they make it more obvious, for simpler attempts, at any rate. IE as a whole runs in Low privileged mode now, and can't touch other parts of the system without permission from the system to even *send it a url*. Safari, it appears, was not, and so a compromise in safari was a big BIG foothold.
That's nto to say that IE's sandbox is perfect either, but it's a set of higher walls.
That's the thing. It wasn't unix that they broke, It was the relatively new code. OSX may look like a unix from the outside in, but it's not one from the desktop down. It may resemble it, but it's not complete. Unix may be convenient for Apple, but it's not a mantra.
That said, ubuntu (and linux in general) are heading that way too, just not quite with the same fevered pitch.
It's the same basic premise that windows was based on: The user is in control. OSX and linux both have fairly strong boundaries between admin and user, but things are slowly wearing down, in the name of convenience. The difference being that things started out far more secure, and there's a bit more separation at the display itself, whereas win9x was not designed with this security in mind, and while NT was, it also inherited parts from win9x's shell and there were compromises at the display, etc.
Microsoft gets this now though. SQL Server's a great example of that. Hundreds of thousands of man-hours have gone into making that thing far more secure than the slammer days, just compare critical vulnerability counts from SQL-server to Oracle. Microsoft's biggest curse is legacy code now, plus a fair amount of ongoing training, and they will only shrink with time. This is mainly shifting market pressure, of course, it costs money to have negative press regarding security nowadays. It didn't in the past, and it will only increasingly have negative press for the next couple of decades at least. It's surprising that Oracle is now doing what Microsoft used to do: treat security as a marketing buzz word (Unbreakable on linux took how long to break?)
But who knows how many holes were in the old X11R6. But you didn't run that on servers, for a good reason. Guess what, there are probably lots of applications that don't handle the Windows messaging system securely and buffer-over/underrun free either.
These days, things like IE operate in Limited user mode. This goes even further than ordinary users (far more than a "power" user, and lightyears away from Administrator or SYSTEM). It's restricted to \users\%USER%\AppData\LocalLow\ and one or two other locations, and that's it (Favorites spring to mind. It gets to be a pain if those accidentally wind up back with normal ACLs, as I mentioned here.)
So you need to work harder to break out of internet explorer, and IIRC, it takes permission from a privileged application to do it. Outlook's probably a juicier target, but it's been subject to the fabled crucible for a long long time, so again, it's harder.
OSX hasn't been subject to it for long at all. Safari's new. *Really* new, and you know what, it wasn't even webkit that broke, but the url bar (if memory of the bugtraq post serves.) Where did webkit come from? Oooh. that's right. KDE.
We're all in for it if apple really do gain significant market share (we being administrators, not we being "the general populace"). It may or may not be as big a problem as windows has been, but I'm willing to bet that the effects will be as dire, and apple doesn't really have a fantastic track record here, as other articles have pointed out. The momentum of not having security as a primary goal is one that takes a *long* time to turn around.
Bigger hoops to jump through? Linux has fairly high levels of user/admin separation, and windows has been burned enough times that the sandbox that IE runs with is effective enough to slow people down, far more than it was back in the ie6 or ie5.5 days.
I doubt it'll take much longer for all three to get taken over. There'll be some office bug, or a local service vulnerability that hasn't been patched yet, and it'll be game over, sooner rather than later.
There's a lot to be said for being exposed, it does give you the benefit of a lot more hindsight.
Well. Big shock there. These days, most vulnerabilities require the user to be at the helm.
Good to see that social engineering is still all it requires to compromise something.
No no no. The answer is
"Sure i do. Moe"
Do you even know what button you pressed?
You know, it's funny. I once did some work for Australia's monopoly Telco, Telstra.
As you may or may not know, Australia has had issues with having decent links out to the rest of the world for some time. (Partially due to us having to pay for traffic in both directions, where usually most international links will only pay for incoming on either side, and with the population disparity, that winds up being expensive for us.)
I was talking to one of the guys in their web services group, and I made a remark about there being poor links to the rest of the world. His reply was "If you can get to telstra.com, where else do you need to go?"
The sad fact is, that any ISP that's also in the game of delivering content is always going to have this view. IMHO, it should be illegal for an ISP to be it's own content provider, and give itself preferential treatment, even if it's not a monopoly.
Actually, given that china's been doing this for a lot longer.... Comcast is just like China, I'd say.
oh, for fucks sake. Get a grip.
Quibbling over language is a waste of time. Didn't "Photoshopped" "Hacker", "Xeroxed" or "Googled" teach you anything?
Also, I didn't say *anything* about it being "OK" for a mail server to lack an administrator. I said that IT HAPPENS. Not that it's okay. I'm pretty sure my language implied that i think that anyone who allows it to happen is a penny-pinching tool.
So, just to trip you out, i'm going to let you assume my opinion based on neutral language again.
The nazi's murdered hundreds of thousands of jews.
OH NO, I JUST ENDORSED THE HOLOCAUST by your standards.
now stop yelling at me, and get a fricking life. This thread is old.
My understanding of their BT filtering is that they're sniffing the tracker traffic in order to determine which connections to cut. Since any internal use of BT would be to known trackers that they run themselves, I'd assume that it would be relatively easy to add exclusions to the filters to avoid blocking "legitimate" traffic.
It should be noted that one can bypass comcasts crappy seeding-only blocks by running tracker traffic through an external proxy. Encryption of the individual p2p connections doesn't cut it, you need an encrypted tracker stream as well.
This would point heavily to the tracker being the telltale
And it should be noted that there's also a corresponding advance on radio: HD Radio.
:)
Of course, the benefits are questionable (ie, can you really tell the difference from HD radio vs a stereo FM radio with decent S/N ratio?) and it's highly proprietary (and fragmented between continents, oh joy!), but it is backwards compatible (Basically, it layers over the top of FM, so it doesn't require new spectrum) and it can degrade to lower quality if you can't afford the top of the range broadcasting equipment, etc.
Supposedly my favorite station is broadcasting in HD radio ATM. Except my car radio (the only place I really listen to it) doesn't support it, and since it's an in-dash model, not a removable one (I'd have to get one made to go in this specific range of cars or something), I can't easily replace it with HD capable stuff (And if I was going to spend money on the car, I'd do something useful. Like install central locking...
Ah, see, now that makes much more sense than "it sucks". With issues like that, I'm inclined to agree. :S
And he, I meant "you". Didn't realise you were the same.
So what, exactly, is your problem with openoffice? it's worked well enough for my purposes in the past. It edits documents, does spreadsheet stuff, and can be made to suck data out of a database or create presentations.
Sure, its memory usage is high, it's an older style interface, and sometimes it's a pain finding things, but for the most part, it's pretty capable. We sure don't have much else that's as complete. TeX is nice, but doesn't fill everyone's cup and only does documents, abiword is nice, but feature-poor, gnumeric is nice, but feature poor. The two don't embed well enough yet, and you'd have to go out to realbasic or equivalent to start building access-forms-alike apps at a similar skill level.
That's okay. He wanted a tool similar to access....
I didn't say such a server was going to be in a poor state of disrepair. That was implied in my comments about people too cheap to pay for decent maintenance. I've seen this happen far too regularly at some previous consulting jobs, however.
Uh. Because we actually do have a product like this?
OpenOffice.org has support for pulling data from a database.
It also has support for a forms-like interface.
It also has it's own vb-alike language. (Still in development perhaps, by the looks of it)
There are also plenty of other tools. RealBasic, etc.
Uh, so it's not configured to make the distinction between "OK" / "Not okay", and "i can't talk to it right now because it's returning a bogus result"?
127.0.0.1 is probably going to turn out a quick response consisting of "who are you, and why are you touching me in my private place"
While that's accurate to a point, Seems to me that doing this at the DNS level (deleting a DNS record, or pointing it to 127.0.0.1 and giving it a TTL of a few decades) would do the trick better than BLOCKING EMAIL.
My bet is this is going to really REALLY negatively affect all of those mailservers that have been setup, for which there is *no* administrator. You know. the ones setup for smaller companies who have no inhouse admin, who hired a consultant, but wouldn't pay for ongoing maintenance (either due to tightness or actual lack of funds, etc). The response time here, and time to resolution is likely to be high to non-existent.
All in all, this is a pathetic (understandable, mind you) move, and reeks of inconsideration.
Ah, yes, I'm getting the attribution and advertising clauses mixed up, my bad.