Which is of course not true if "own it" means "access data encrypted with a strong key and a non-trivial-to-brute-force password".
Not true. The kernel and initramfs itself need to be stored in cleartext (or else, how would the machine boot?). So, the exploiter would proceed as follows:
1. Use the vulnerability to get a root shell
2. Doctor a couple of scripts to log encryption password, or to inject a script into the root once encryption password has been entered.
3. Use cpio and bzip to build a new initramfs from the image in memory
4. Write that image to the appropriate part of the (cleartext) boot partition.
5. Log off, go away, and wait for a legitimate admin to log in, triggering the booby trap.
Blocking that/12 will unfortunately block hundreds of thousands of "perfectly legitimate" sites... essentially anyone deigning to use AWS. Kontera just happens to be one of the users.
Well, it's not as if this was any surprise. The WOT issue has been in the news for several days already, and apparently Amazon has not "deigned" to to do anything about it yet. Indeed both still reverse resolve to kontera.com... or did Amazon actually kick Kontera, but just forgot to update their name server?
When choosing a cloud provider, smart users also consider the provider's reactivity, and his willingness to protect his legitimate customers' reputation and Amazon indeed seems to be lacking in this area...
Just out of curiosity, I checked the web server logs for this user agent on 3 servers that I administer, and indeed I found a number of accesses using this user agent on all 3 of them (but in our case unfortunately none that are obviously not public knowledge). The most frequent IP (91 accesses) using this user agent was 52.71.155.178 and this is indeed nat-service.aws.kontera.com. This was followed ex aequo by 54.209.60.63 (also nat.aws.kontera.com) and 99.63.100.174 (99-63-100-174.lightspeed.bcvloh.sbcglobal.net)
All accesses were suspicious, as they are obvious bots (it only accesses isolated URLs, but never any pictures nor other dependent content such as CSS), yet they masquerade as a interactive user agent (Mozilla on Macintosh).
I promptly lodged a complaint at abuse@amazonaws.com.
I recommend other webmasters do the same (i.e. check your logs, and if you find any similar occurrences, complain loudly to Amazon)
Whois tells that the IP range is 52.64.0.0/12, in case anybody wants to firewall this.
Except that the email likely contains a cut-and-paste that may solve your problem
... or a cut and paste that answers a situation that is similar to yours, but not identical, and so doesn't help you at all, and might even mislead.
or at least a helpful web link
... if such existed, you'd probably already have found it by googling. So chances are, that the web link might be just as misleading.... or they might not actually respond to your mail in the first place.
The witnesses are credible. They give specific, verifiable details that others have confirmed.
If these stories were true, these same specific, verifiable details would also allow Appelbaum to find out which of his witnesses were singing. Completely defeating the goal of anonymity and professional backlash from the hands of Appelbaum.
So, that makes me think that their stated reason for wanting to stay anonymous is bullshit. And that maybe other "details" are bullshit too.
how long before they use the tactic of releasing false information about a company they dislike simply to crash their share price or worse abuse it to make a small fortune themselves
.
You know, they can make a small fortune even by telling the truth. Just sell it short (or have a straw-man sell it short) before releasing the (accurate) news. Actually, I'd be astonished if they didn't...
Being able to look at people you're talking to in real time at a distance is a common sense fantasy; it is quite another thing to figure out how to do it.
If the "how to do it" is important, then please explain why it is infringement if somebody figures out his own way of how to do it. You can't have it both ways. Typically those bogus patents don't event contain a description of the how to do part...
Someone having a general idea does not constitute prior art.
No problem with that. But then someone needs to explain those stupid judges that actually implementing something (using your own method) does not constitute infringement of somebody's general idea described in a patent.
It could very well make more sense economically to not have the resistors...
But what if they wouldn't find an electricity consumer on such short notice? Would then everything blow up?:-)
It certainly is more productive to have someone use the power for _something_, even if it is electric resistive heating or inductive melting rather than just pump it into the atmosphere.
Nice sentiment, but I somehow doubt that the grid company cares more about the environment or humanity's overall good than about their own wallet. By the same reasoning, it is certainly more productive to give unsellable fruit or vegetables to the homeless rather than throwing it into the trash. But supermarkets doing this are still quite rare, and none are actually pay the homeless to take the fruit or vegetables off their hands...
But if they have so much excess power that they have to actually pay people to take it off their hands, couldn't they just burn the excess in huge banks of resistors?
What, in your opinion should the upload receiving routines check? In the example, the website would resize profile photos that users upload. One image format would have the possibly to "include" contents that is to be downloaded from someplace else. Imagemagick performs such downloads by handing off that task to wget (or similar tool), which it calls via system(), completely forgetting to santize the URL (... so somebody might append "; rm -rf/ to it, or somesuch). How do you propose that the upload routine of the web site catch this, short of parsing the entire image itself? But if it did that, there'd be no point of using an image processing tool at all, because the wrapper would already half done two thirds of the job.
Slashdot Mirror
The trouble is that more and more sites are now not allowing you to access them without turning off your ad-blocker.
Indeed, there is the German tabloid "Bild Zeitung" which does this (no big loss...). Which other site does this?
And, if you are so inclined, Bild's block is easy to subvert: just do View->PageStyle->NoStyle. Yeah, "No Style", quite fitting for that rag.
Indeed. In that case, they are a "friend" rather than a friend...
I've got alien life in my bowl too...
Who's ass are you pulling this from? I Ctrl+F'ed the blogger's page and can't find shit.
hmmm, looks like the blogger knows what TP is for :-)
Which is of course not true if "own it" means "access data encrypted with a strong key and a non-trivial-to-brute-force password".
Not true. The kernel and initramfs itself need to be stored in cleartext (or else, how would the machine boot?). So, the exploiter would proceed as follows:
1. Use the vulnerability to get a root shell
2. Doctor a couple of scripts to log encryption password, or to inject a script into the root once encryption password has been entered.
3. Use cpio and bzip to build a new initramfs from the image in memory
4. Write that image to the appropriate part of the (cleartext) boot partition.
5. Log off, go away, and wait for a legitimate admin to log in, triggering the booby trap.
Blocking that /12 will unfortunately block hundreds of thousands of "perfectly legitimate" sites... essentially anyone deigning to use AWS. Kontera just happens to be one of the users.
Well, it's not as if this was any surprise. The WOT issue has been in the news for several days already, and apparently Amazon has not "deigned" to to do anything about it yet. Indeed both still reverse resolve to kontera.com... or did Amazon actually kick Kontera, but just forgot to update their name server?
When choosing a cloud provider, smart users also consider the provider's reactivity, and his willingness to protect his legitimate customers' reputation and Amazon indeed seems to be lacking in this area...
All accesses were suspicious, as they are obvious bots (it only accesses isolated URLs, but never any pictures nor other dependent content such as CSS), yet they masquerade as a interactive user agent (Mozilla on Macintosh).
I promptly lodged a complaint at abuse@amazonaws.com.
I recommend other webmasters do the same (i.e. check your logs, and if you find any similar occurrences, complain loudly to Amazon)
Whois tells that the IP range is 52.64.0.0/12, in case anybody wants to firewall this.
Yes, everyone outside of Microsoft realizes that use of a database is not necessary for email.
You forgot about Lotus Notes...
Will 4.8 work with KDE again? If not, is there a place where we still can download a debian package of 4.6?
Batteries have a higher energy density than explosives.
So does pizza.
... and the funny this is that according to Wikipedia it's actually true about pizza, but not about explosives...
Lithium batteries are just behind explosives (TNT, Gunpowder), but far behind foodstuffs (Carbohydrates, Protein, Fat). Look it up!
So you're basically saying that the government charges an arm and a leg for a finger? What a ripoff!
Except that the email likely contains a cut-and-paste that may solve your problem
... or a cut and paste that answers a situation that is similar to yours, but not identical, and so doesn't help you at all, and might even mislead.
or at least a helpful web link
... if such existed, you'd probably already have found it by googling. So chances are, that the web link might be just as misleading. ... or they might not actually respond to your mail in the first place.
Fortunately the trapped energy didn't come out from the other end...
It predicted the future like a calendar or an almanac predicted the future.
Too bad it wasn't a sports almanac then...
Philosopher. :-)
Philosopher.
Not hitchhiker
... unless he tries to get back at them in some completely unrelated way (badmouthing them for poor job performance, or whatever)
The witnesses are credible. They give specific, verifiable details that others have confirmed.
If these stories were true, these same specific, verifiable details would also allow Appelbaum to find out which of his witnesses were singing. Completely defeating the goal of anonymity and professional backlash from the hands of Appelbaum.
So, that makes me think that their stated reason for wanting to stay anonymous is bullshit. And that maybe other "details" are bullshit too.
Your argument is valid but "his 45 year old wife behind the wheel" gets priority .
Well that still doesn't rule out the "or indeed anything else like a dropped handbag" theory :-)
If you know the right auditors, things aren't quite so strict anywhere...
how long before they use the tactic of releasing false information about a company they dislike simply to crash their share price or worse abuse it to make a small fortune themselves
. You know, they can make a small fortune even by telling the truth. Just sell it short (or have a straw-man sell it short) before releasing the (accurate) news. Actually, I'd be astonished if they didn't...
Being able to look at people you're talking to in real time at a distance is a common sense fantasy; it is quite another thing to figure out how to do it.
If the "how to do it" is important, then please explain why it is infringement if somebody figures out his own way of how to do it. You can't have it both ways. Typically those bogus patents don't event contain a description of the how to do part...
Someone having a general idea does not constitute prior art.
No problem with that. But then someone needs to explain those stupid judges that actually implementing something (using your own method) does not constitute infringement of somebody's general idea described in a patent.
It could very well make more sense economically to not have the resistors...
But what if they wouldn't find an electricity consumer on such short notice? Would then everything blow up? :-)
It certainly is more productive to have someone use the power for _something_, even if it is electric resistive heating or inductive melting rather than just pump it into the atmosphere.
Nice sentiment, but I somehow doubt that the grid company cares more about the environment or humanity's overall good than about their own wallet. By the same reasoning, it is certainly more productive to give unsellable fruit or vegetables to the homeless rather than throwing it into the trash. But supermarkets doing this are still quite rare, and none are actually pay the homeless to take the fruit or vegetables off their hands...
But if they have so much excess power that they have to actually pay people to take it off their hands, couldn't they just burn the excess in huge banks of resistors?
What, in your opinion should the upload receiving routines check? In the example, the website would resize profile photos that users upload. One image format would have the possibly to "include" contents that is to be downloaded from someplace else. Imagemagick performs such downloads by handing off that task to wget (or similar tool), which it calls via system(), completely forgetting to santize the URL (... so somebody might append "; rm -rf / to it, or somesuch). How do you propose that the upload routine of the web site catch this, short of parsing the entire image itself? But if it did that, there'd be no point of using an image processing tool at all, because the wrapper would already half done two thirds of the job.