Slashdot Mirror


User: BrittanyGites

BrittanyGites's activity in the archive.

Stories: 0
Comments: 15

Comments · 15

  1. Re:Wow this is a day... on AOL Shuts Down CompuServe · · Score: 2, Interesting

    I wonder if Compuserve was running on DEC hardware with TOPS-10. I remember my University username was [201,108]. Never seen user id like that anywhere else.

    Anyone know?

  2. Summary of Vulnerabilities on Security Flaw Hits VAserv; Head of LxLabs Found Hanged · · Score: 3, Interesting

    Summary from http://www.milw0rm.com/exploits/8880. Seems pretty serious, but quite difficult to fix all of them in 2 weeks.

          Timeline :

          05/21/2009 - sent initial email to vendor with a link to a private
                       resource for viewing various kloxo hiab575
                       vulnerability info
          05/23/2009 - received the following: "Thanks for the info. I will
                       review this and let you know." (no signature)
          05/30/2009 - sent an email asking if there were any updates
          06/01/2009 - received the following: "Sorry for the delay. I am
                       currently looking into this, and will reply in a couple
                       of hours time." (no signature)
          06/04/2009 - nothing heard from vendor, and the private resource
                       containing the vulnerability info still does not
                       appear to have been accessed

          2 weeks have passed since the initial notification. Vendor appears
          uninterested.

          ISSUE 1 - uid/gid reuse
          ISSUE 2 - unprivileged port use
          ISSUE 3 - default passwords
          ISSUE 4 - useradd string in the process list
          ISSUE 5 - XSS
          ISSUE 6 - remotely create partially user controlled file names
                    and directories. Locally append uncontrolled data to
                    any file
          ISSUE 7 - local users can take control of any file or directory
          ISSUE 8 - local users can take control of any file or directory
          ISSUE 9 - local users can overwrite any file on the box
          ISSUE 10 - yet another symlink attack for local users
          ISSUE 11 - metachar injection, local command execution as root
          ISSUE 12 - web stats world readable password hashes
          ISSUE 13 - local users can overwrite any file on the box
          ISSUE 14 - metachar injection, local command execution as root
          ISSUE 15 - remotely block any - or every - IP addr in hosts.deny
          ISSUE 16 - remote CPU and mem usage DoS
          ISSUE 17 - local users can truncate and control any file
          ISSUE 18 - just 2 more symlinks to own any file on the box
          ISSUE 19 - file manager, view and edit any file
          ISSUE 20 - file manager PT II
          ISSUE 21 - file manager PT III
          ISSUE 22 - local user symlink attack
          ISSUE 23 - local user symlink attack (last one)
          ISSUE 24 - sql injection in the "Forgot Password" form

  3. Re:OMFG on Best Easter Eggs and Other Software Surprises · · Score: 1

    click on it

  4. Re:Quis custodiet ipsos custodes? on EFF Launches Surveillance Self-Defense Site · · Score: 3, Interesting

    In the section on encryption they note that your lawyer may get you your hardware/data back after seizure. If you do, DON'T use it without taking some precautions that it hasn't been tampered with. Quite what precautions, I'm not sure.

  5. Generate your own 'fake' logs on Bill Would Require ISPs, Wi-Fi Users To Keep Logs · · Score: 0

    Just knock up a utility to generate fake log files with random IP addresses when required.

  6. Re:rrdtool. on Suggestions For Cheap Metrics Eye Candy Software? · · Score: 3, Informative
  7. Re:Oh, that thing! on Suggestions For Cheap Metrics Eye Candy Software? · · Score: 1
  8. Re:re Hard to decide ... on Microsoft To Offer Free Anti-Virus Software · · Score: 1

    Users are more willing to upgrade the antivirus than patching (and possibly f*king the OS), 'cause most have been bitten by malware - attributed to the lack of AV.

    I think they are less willing now after millions of users got bitten by the last AVG debacle which trashed the OS.

  9. Re:Return of the terminal on Google Apps Premier Edition Launches, Widely Used · · Score: 2, Insightful

    It would be great if the terminal was just a browser, but to all intents and purposes you need a PC, running an OS to get a browser. That surely is a large part of the cost/management/security overhead. If we could have a 'hardware' browser only terminal then we are back to client/server. But wait a minute, didn't Sun and, to a lesser extent, DEC with the VT1000 try this before?

  10. Google free hosting already on Some Hope During Registerfly's Meltdown · · Score: 1

    See http://www.google.com/a/. It's got some restrictions, but essentially it's free web hosting.

  11. Re:I'm reminded of that song... on Yahoo Music Chief Comes Out Against DRM · · Score: 1

    Not sure Steve kick-started it, but I'm not complaining. According to the BBC report today, almost two-thirds of music industry executives think removing digital locks from downloadable music would make more people buy the tracks, finds a survey. The survey's author Mark Mulligan claims to have beaten Jobs to the anti-DRM stance.

  12. Even more adverts on Skype, Sony Working to Offer On-Demand iTunes Rivals · · Score: 1

    I'm all for 'free' Internet TV but at the moment with 'free' broadcast TV, the length and frequency of adverts within programmes is really beginning to grate. The broadcasters are at least limited by regulation on the amount of advertising. I doubt the Internet will be regulated the same and we will have more ads than programme before long. Time to invent an ad skipping streamer.

  13. Re:Not a great track record. on EU Trade Commissioner Enjoyed MS Hospitality · · Score: 1, Informative

    Peter Mandelson lost his job over a dodgy house sale and was reprimanded by Parliament over the affair, so it comes as no great surprise given his past history.

  14. Outsourcing starves local talent ? on 29th ACM Intl. Programming Contest Results · · Score: 0, Troll

    I'm surprised at the performance of India, Western Europe and America.

    Maybe the high costs of writing software in the U.S. and Europe have kept the Indian outsourced programmers so busy they did not have time to compete.

  15. Re:"extra addressing...." on Windows XP X64 Goes Gold · · Score: 1

    You may not see the gains expected by just recompiling. I remember very well the problems with DEC Alpha 64 alignment issues. Unaligned data caused software traps and slowed execution very seriously.

    If someone is diddling around moving bytes to save space they could suffer a performance penalty.