Slashdot Mirror


User: ArsenneLupin

ArsenneLupin's activity in the archive.

Stories
0
Comments
4,557

Comments · 4,557

  1. Re:Only CGI scripts affected? on Remote Exploit Vulnerability Found In Bash · · Score: 1

    Oh I had the same thought... I mean, by the time an "attacker" is modifying arbitrary environment variables in your process,

    Which is the case on most Apache Web server configs: the client has full control over the HTTP_REFERER and HTTP_USER_AGENT variables... And the exploit in question works with any environment variable, including those 2.

    Well, starting from here, you are vulnerable as soon as:

    1. You have a CGI script written as a #!/bin/bash script on your system
    2. You have /bin/sh symlinked to /bin/bash (used to be common in many Linux distributions), so as soon as a script calls system(), /bin/bash gets executed, along with the script's full environment...
  2. Re:Really? Using bash for CGI? on Remote Exploit Vulnerability Found In Bash · · Score: 2

    The problem affects any CGI that *calls* bash, which means any call to system() in any language is going to cause a problem.

    Nowadays, on most systems, /bin/sh is a proper Bourne Shell (either ash or dash), and no longer bash. So system() should no longer be an issue, but explicitly calling bash still would be...

  3. Re:Test string here: on Remote Exploit Vulnerability Found In Bash · · Score: 1

    Or, more easily: the exploit string could be packed into the TERM variable, which almost all ssh's and even telnet daemons pass on to the shell: env TERM='() { :;}; echo vulnerable' ssh some_user@some_server

  4. Re:Full Disclosure can be found on oss-security... on Remote Exploit Vulnerability Found In Bash · · Score: 1

    Just ran pacman -Syu

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

    Good. And now on to the next level:

    env X='() { (a)=>\' bash -c "echo /usr/bin/id"; cat echo
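    The check the comment above walks through, written up as an added example (not part of the original comments): it runs the same test string against a shell of your choice and reports whether the trailing command smuggled into the variable's value executed, and it shows what /bin/sh resolves to, since that is what system() runs. It assumes a POSIX sh with readlink available; the function names are this example's own.

```sh
# Added example, not from the original page: defender-side check for the
# bash environment-function import bug discussed in the comments above.

# What does /bin/sh actually point at? (readlink -f is assumed available;
# falls back to printing the path unchanged.)
sh_implementation() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# check_shell SHELL -> prints "vulnerable", "patched" or "absent".
# The value of x is a function definition followed by a trailing command;
# an unpatched bash runs that trailing command while importing the function,
# so "vulnerable" shows up in the output. A patched bash ignores it (and may
# warn on stderr, which is discarded here).
check_shell() {
    shell=$(command -v "$1" 2>/dev/null) || { echo absent; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Usage: report on bash and on whatever /bin/sh is on this machine.
main() {
    echo "/bin/sh -> $(sh_implementation)"
    echo "bash:    $(check_shell bash)"
    echo "/bin/sh: $(check_shell /bin/sh)"
}

main "$@"
```

    A "patched" result for bash alone is not the whole story: as the comments note, what matters for a CGI is which binary /bin/sh resolves to and whether any script explicitly invokes bash, so check both.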

  5. Re:So in the future ... on The UPS Store Will 3-D Print Stuff For You · · Score: 1

    Captcha: Pervert

    Well, actually, there's plenty of sex shops around where you can buy custom-molded dildos, sold by the pound of plastic or latex... (saw some in Brussels, but most likely other large cities have those too).

  6. Re:Wrong type of machine for Dremel on Dremel Releases 3D Printer · · Score: 1

    Doesn't all this depend on the software? On a milling machine intended for the end user, the software could know about some of these constraints, and automatically reduce the speed to safe levels where needed. And also, this iModela machine works with soft materials (plastics, woods), not steel, which (probably) means it's not quite as likely to destroy its bits if mis-driven.

  7. Re: best to do the time in Poland on Hewlett-Packard Pleads Guilty To Bribing Officials in Russia, Poland, and Mexico · · Score: 3, Informative

    5) The official might think your bribe is too modest, and post the amount publicly on Facebook to shame you: A Restaurant Tried to Tip-Shame a Football Star

  8. Re:What is a customer? on German Court: Google Must Stop Ignoring Customer E-mails · · Score: 1

    Good to know... if this is indeed the case. I just wonder whether they will have to reply to messages from neighbouring countries as well, or only from Germans...

    Indeed, google is notoriously hard to reach...

  9. Re:What is a customer? on German Court: Google Must Stop Ignoring Customer E-mails · · Score: 1

    ...when the police starts rounding up board members...

    For not replying to an e-mail? I'd only wish :-)

  10. Re:What is a customer? on German Court: Google Must Stop Ignoring Customer E-mails · · Score: 1

    The court, not being stupid, will probably send a few "canary" emails.

    The court, while certainly not stupid, is very probably lazy. And won't continue bothering google out of its own initiative once a "settlement" is reached.

    It will take continued action by the consumer watchdog organization to keep the court interested, but it's a very fine line to walk between "keeping the court interested" and "not annoying the court by pestering it too much".

  11. Re:What is a customer? on German Court: Google Must Stop Ignoring Customer E-mails · · Score: 1

    If Google decides to discontinue all Google services in Germany as a result, would that really be a "win" for the German consumer?

    The more likely outcome is that they change the auto-reply text of the mail to "thank you for your valuable feedback", and then still continue to ignore it. The customer will be none the wiser, and unable to prove that feedback gets ignored.

  12. Re:Yes on Google Serves Old Search Page To Old Browsers · · Score: 1

    And even Google Webmaster tools still works with the "old" browser user-agent string. However, in webmaster tools, it doesn't dump the javascripts yet, unfortunately :-(

  13. Re:Yes on Google Serves Old Search Page To Old Browsers · · Score: 1

    Please, Google, do continue to not "improve" the experience for "older" browsers. I've had all the UX "improvement" I can take.

    Well said! I wholeheartedly agree, and set the user agent of my firefox to version 0.10: the experience is a breeze! And yes, it even prevents google from inserting its own tracking into some of the links...

  14. Re:Yes on Google Serves Old Search Page To Old Browsers · · Score: 1

    And there are no tracking cookies or similar inserted into the links, just the plain links. Overall a good experience :-)

    ... however, the normal site (for "recent" browsers) does insert tracking cookies.

    I didn't check though whether the results were maybe outdated (newer pages not listed...), that would be nasty...

    A test with google news shows that this is fortunately not the case, it shows news from within today. So if it is outdated, it's certainly outdated by less than one day.

  15. Re:Yes on Google Serves Old Search Page To Old Browsers · · Score: 4, Informative

    I tried it (by setting the user-agent of my firefox to "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10"), and I'm delighted. Image search works again and it feels faster too.

    I didn't notice the problem you're mentioning about visited links being broken. I searched twice for myself, and the first time I clicked on one of my links. After the second search, that link was correctly colored purple, as it should be. However, I did notice a small delay before it turned from blue to purple.

    And there are no tracking cookies or similar inserted into the links, just the plain links. Overall a good experience :-)

    I didn't check though whether the results were maybe outdated (newer pages not listed...), that would be nasty...

  16. Re:The world we live in. on New Nail Polish Alerts Wearers To Date Rape Drugs · · Score: 1

    was it really the best idea to go out in a suit made of meat and barbeque sauce?

    tasty

  17. Belly Fat on Researchers Find Security Flaws In Backscatter X-ray Scanners · · Score: 1

    Indeed, the puppy is very well hidden... but not in belly folds but in buggy html or misguided deep link protection. Does anybody have a URL of this picture which accepts being viewed from Slashdot?

  18. Hacking the machine on Researchers Find Security Flaws In Backscatter X-ray Scanners · · Score: 1

    "Hacking the machine" was only one of many attack vectors. The more common attacks described were fixing stuff to the side of your body, rather than to the front or to the back (easily thwarted by making you turn sideways, or visually looking for the much more obvious bulges if you try to "hide" weapons that way), or hiding the weapons behind a piece of Teflon (which reflects the rays the same way as the body, hiding everything behind it... but there still might be tell-tale contours if not done right).

  19. Re:McDonallds should sue ... on Comcast Training Materials Leaked · · Score: 1

    do you want fries with that.

    The difference is they take "no thanks" for an answer.

  20. Re:Libertarians, discuss! on Hotel Charges Guests $500 For Bad Online Reviews · · Score: 1

    Liability for what? A bad instead of salty taste?

  21. Re:Libertarians, discuss! on Hotel Charges Guests $500 For Bad Online Reviews · · Score: 1

    This makes sense when you hold an event there that may involve urinating etc, but normally, once everybody has gone home the liability stops in the butt.

    As long as it doesn't happen in his mouth...

  22. It even gets worse... on Hotel Charges Guests $500 For Bad Online Reviews · · Score: 2

    We can only take people's word for what wedding they are attending, therefore we are not responsible for guests booking under different names or choosing to attend another event. We will not question guests about their intentions after a reservation is made.

    So, even if a person not in your wedding party leaves a bad review, you may get dinged for it if that person was mean enough to say he belonged to you when he checked in...

  23. Re:Next wave of phishing? on Gmail Recognizes Addresses Containing Non-Latin Characters · · Score: 2

    ... and they'll use a greek lower case omicron (ο), rather than an accented o. The ο looks exactly the same as an o (except on Slashdot, of course. Slashdot hates Unicode...)

  24. Re:Most of you have it... on Newly Discovered Virus Widespread in Human Gut · · Score: 3, Funny

    everyone seems to want to share it.

    ... and I just thought only monkeys behaved like this...

  25. Re:And? on The Improbable Story of the 184 MPH Jet Train · · Score: 1

    That's not even fast... some cyclists are that fast!