Slashdot Mirror


User: TheCarp

TheCarp's activity in the archive.

Stories: 0 · Comments: 6,321

Comments · 6,321

  1. Re:Only CGI scripts affected? on Remote Exploit Vulnerability Found In Bash · Score: 1

    Why, yes it would, that is a good point. That was hardly the only real issue.

    To add insult to injury, it would change the password by generating ldif files, storing them in /tmp, then running command line ldap utils on them. So in addition to that, you could likely arbitrarily set someone else's password with a little finagling.

    Which is pretty much why I just verified it could be exploited to touch a file in tmp and immediately began re-writing it.

  2. Re:Ironically, blame HIPAA on Medical Records Worth More To Hackers Than Credit Cards · Score: 2

    I don't disagree that it has problems but, let's not pretend that things were better without it. I worked for several years in healthcare IT. I was there when we started encrypting our laptops by policy.... it was because of HIPAA. Prior to that, there were no exceptions.

    A good part of the problem is that hospitals grew up doing their own systems support for medical devices and tried to grow IT out of that, and they tend to be non-profits that budget their departments like universities do. It's a huge mess.

    They just never cared about security because they built up their entire system for the single purpose of providing medical care. They were so focused on that, the idea that they were exposing themselves was an afterthought. Security has always been an afterthought in the industry that brought us the word "triage".

  3. Re:Test string here: on Remote Exploit Vulnerability Found In Bash · Score: 1

    Yes but the intent wasn't to exploit so much as to have a way to raise a flag when connecting to a vulnerable system, so as to know it still needs updating.

  4. Re:Only CGI scripts affected? on Remote Exploit Vulnerability Found In Bash · Score: 2

    If you think that is bad, you should see the parts I didn't mention, the contents of that if statement was something like "$ERRORNO = 101"

    The structure of the program was very simple....it had 4 functions which were called in sequence, each one would set global variables, which would be read by the others. So, if ERRORNO was set, a whole other function with a whole different big if statement block would then print out the error message..... which is why I opened the code up...one of the errors was wrong.

    So basically, it was written in the era of perl 5, to a perl 4 standard, by someone who really liked BASIC.

  5. Re:Test string here: on Remote Exploit Vulnerability Found In Bash · Score: 2

    I was actually just thinking another way to use this might be to have ssh pass x='() { :;}; echo vulnerable' as a variable to remote systems, that way whenever you login to a remote system, it just tells you whether it is vulnerable or not on login.

  6. Re:Test string here: on Remote Exploit Vulnerability Found In Bash · Score: 1

    > I too was suspicious of that fork-bomb potential. So the first time I ran it was on a test-vm.

    lol well, as annoying as they can be, I have beaten a fork bomb before without rebooting, so I was confident enough after a quick perusal to not be afraid, especially since....come on, the function isn't even being called, how can it possibly exec.....fuck

  7. Re:Test string here: on Remote Exploit Vulnerability Found In Bash · Score: 2

    I have to admit, my suspicious old self had to spend a minute making sure this wasn't a fork bomb. Which, I have to say, this would be the perfect thread for if you were into that sort of mischief. In any case, yah, that shouldn't work. That really shouldn't work at all.

  8. Re:Only CGI scripts affected? on Remote Exploit Vulnerability Found In Bash · Score: 3, Interesting

    Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.

    That said, you know someone does this. Hell, I have had to deal with web applications written mostly in shell and did much of their processing in shell.... the only thing that really topped it for idiocy was when I dove into some perl4 code for a password change form and found this gem:

    $password = $q->param('password');
    # form input goes straight into a shell command line: no taint check, no escaping
    if (`grep $password /usr/dict/words` ne "") {
    }

    No taint checking, nothing, just shell out with whatever someone put in the form. I loaded it up and added a "; touch /tmp/foo" on the end and verified there was no protection, then I found 4 more similar errors and figured that since security issues were not even why I opened the code to read it....I re-wrote it from scratch.
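Added example, not the commenter's code: the backtick shell-out from the snippet above written out as valid Perl, beside a dictionary check that never hands the password to a shell. The word-list path and the sub names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the commenter's original code. The word-list path and
# the sub names are assumptions.
use strict;
use warnings;

my $WORDLIST = '/usr/share/dict/words';   # assumed path

# VULNERABLE: $password is interpolated into a command line that /bin/sh
# parses, so a value like "x; touch /tmp/foo" becomes two commands.
# Under perl -T, a value that came from $q->param() is tainted and this
# line dies with an "Insecure dependency" error instead of running.
sub in_dictionary_unsafe {
    my ($password) = @_;
    my $out = `grep $password $WORDLIST`;
    return $out ne '';
}

# HARDENED: no shell, no command line. The password is compared as data
# against each line of the word list (exact match, unlike the substring
# grep above), so shell metacharacters in it are inert.
sub in_dictionary_safe {
    my ($password) = @_;
    return 0 unless defined $password && length $password;
    open my $fh, '<', $WORDLIST or die "cannot open $WORDLIST: $!";
    while (my $word = <$fh>) {
        chomp $word;
        if ($word eq $password) { close $fh; return 1; }
    }
    close $fh;
    return 0;
}

# Constructed inputs: a dictionary word and the injection attempt quoted in
# the comment. Only the hardened sub is exercised here.
for my $attempt ('password', 'x; touch /tmp/foo') {
    printf "%-22s %s\n", "'$attempt':",
        in_dictionary_safe($attempt) ? 'in dictionary, reject' : 'not in dictionary';
}
```

Run it with `perl -T` and feed the unsafe sub a CGI parameter to see taint checking refuse the backtick call outright.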

  9. Re:More reason for Requestpolicy on jQuery.com Compromised To Serve Malware · Score: 1

    well, I, because.... fucking great idea. I really just never considered it.

  10. More reason for Requestpolicy on jQuery.com Compromised To Serve Malware · Score: 2

    This is exactly the sort of reason I run requestpolicy, and jquery is always one of the ones I hate seeing, because I know what it means to allow so many sites to load code from the same one, so it only ever gets a temporary exception, same for googleapis.

  11. Re:However, it might have security holes. on CIA Tested Primitive Chatbots For Interrogation In the 1980s · Score: 1

    Actually, I think that difference is less than you imagine. The thing is, the information will either lead to nothing, and be assumed to be lies, or lead to something, which will be assumed to be the truth, regardless of whether it is coincidence or not. Let's not forget, these are the same people who defined all males old enough to carry a gun as "militants" so that every drone strike is, by definition, a success as long as it kills someone.

    It's kind of like the whole drug dog thing. Police ask to search a car, they get denied, so they call in a dog. If the dog hits, they consider it vindication they were right and search. The dog hits almost every time due to Clever Hans effects (which has been well demonstrated with search dogs). If nothing is found, the assumption is that the driver got lucky and what the dog smelled just happened to not be there.... so really....every case is positive confirmation for them, even if it doesn't lead to evidence....because they can explain away the lack of finding evidence...as everyone that walks free is now "one who got away".

    I suspect these "intelligence" operations suffer from exactly the same confirmation biases.

  12. Re:I'll just let my sig do the talking on US Strikes ISIL Targets In Syria · Score: 2

    This argument rings a bell for some reason, so should I take it from this we should plan to always be at war with Eurasia?

  13. Re:One's dreams may be superseded on Elon Musk Hints 1st Person To Mars May Go Via New Brownsville Spaceport · Score: 3, Funny

    Then he will spend his latter years telling people how he traveled to Mars before it was cool.

  14. Re:I'll just let my sig do the talking on US Strikes ISIL Targets In Syria · Score: 4, Interesting

    I watched that speech recently. If anyone in history could have his words called prophetic, it would be him, and those words would be that speech. For as radical and terrible as what he described was, the truth is he never dreamed the real extent of it. He had no way to see that the model he so rightly feared would be replicated and used again to create a permanent prison population..... do you think he had any idea that he was only a prophet of the tip of the iceberg?

  15. Re:However, it might have security holes. on CIA Tested Primitive Chatbots For Interrogation In the 1980s · Score: 2

    Except your captor is never actually a machine, it's humans, who are using the machine the same way they would use a car battery or waterboard. In the end, the purpose is to get confessions.

    In fact, at this, most torture techniques, and even many interrogation techniques that amount to little more than mental torture are quite effective. One of my favorites is this: http://en.wikipedia.org/wiki/R...

    Notice throughout how the technique approaches with the assumption of guilt and proceeds accordingly. It should be of no shock that many innocent people will make false confessions confronted with an officer using.

    In the end, no matter what, the computer is a prop, it's all props designed to help elicit confessions. That is what they do, confessions lead to convictions, and convictions are the numbers they need to report, so that is what they get. You get what you measure....so you have interrogators building props.

    I assure you, they cry at night that they can't just use their polygraph prop.

  16. Re:More common, and possibly unconstitutional... on Before Using StingRays, Police Must Sign NDA With FBI · Score: 2

    Perhaps "FCC Requires" in the way the police "require" that if you want to speed you not do it in front of them?

  17. Re:What if they break the NDA? on Before Using StingRays, Police Must Sign NDA With FBI · Score: 2

    All things being equal that sounds right to me, however, I don't think all things are equal here.

    Now IANAL but as I understand it an agreement to break the law cannot be a legal contract. Agreeing to not disclose something which the police have no right to actually refuse to disclose is an agreement to break the law; is it not?

    Also, as I understand it, an agreement to break the law, is itself a criminal act known as conspiracy.

    If the local police and FBI are entering into an agreement which would require them to break the law to conform to, and they then conform to the agreement, how is that not a criminal conspiracy?

    Seriously, I don't doubt they have some technical legal out but, if they do, it's a technical loophole and a serious weakness in the law as it stands, because all I see here is conspiracy to obstruct justice by withholding evidence.

  18. Re: More common, and possibly unconstitutional... on Before Using StingRays, Police Must Sign NDA With FBI · Score: 4, Interesting

    No, that would imply republicans when the reality is, this is really a bipartisan screwing. The Democrats typically move in lockstep with the republicans when it comes to their shared belief that us peons don't even deserve the truth about what they are doing, never mind any rights to redress of actual grievance.

  19. Re:Traffic is up? on The Raid-Proof Hosting Technology Behind 'The Pirate Bay' · Score: 1

    To be fair he didn't say it was a privacy concern. I have had to deal with similar processes for different reasons and only did so because there was something I wanted and couldn't get another way on the other side of that process. Any way you slice it, it's more work, frustration, and waiting around.

    Any barrier thrown up, even for the best of reasons, is going to dissuade some amount of people you were not intending to.

  20. Re:they will defeat themselves on ISIS Bans Math and Social Studies For Children · Score: 1

    Then they will never amount to anything and are of no actual concern.

  21. Re:Does HFCS count? on Study Finds Link Between Artificial Sweeteners and Glucose Intolerance · Score: 1

    Right because....when I said this video I meant to link it.... pretty sure the first commandment of slashdot should be "thou shalt not post before coffee" (or maybe that should be my rule):

    https://www.youtube.com/watch?...

    It is a bit long but, he breaks it down a few different ways and goes over the history of how we came to eat so much cheap sugar in everything.

  22. Re:There is no "almost impossible" on Apple's "Warrant Canary" Has Died · Score: 1

    However in practice it is trivial to use key sizes, and we do, which bump those time frames up into the utterly impractical to the point that even trying can't be justified. If it takes decades to crack one key, nobody is going to waste the resources on one key to find out if it was worth it. It's just silly. If it takes hundreds of years, it was already silly at decades.

    This is exactly why they go after service providers and end nodes....specifically because attacking the encryption by brute force or any method that doesn't start with the key or some other leak of information, is worthless.

  23. Re:Does HFCS count? on Study Finds Link Between Artificial Sweeteners and Glucose Intolerance · Score: 1

    That is true for glucose, but fructose, like alcohol, is also exclusively processed in the liver. Which is why it's so bad. Glucose is processed over the entire body in every cell, something like less than 8% of it gets processed in the liver. Fructose is over 90% (the other 10% is excreted as is), just like alcohol.

    I avoid sugar, hfcs or not. Not entirely of course, hell, I drink a little alcohol too, but, I try to keep them both in check.

    This video really explains the whole issue pretty well, it's by Dr Lustig, an endocrinologist who has looked into the issue and basically concluded that fructose is poison and the main thing that made it safe to eat for so long was that in nature it is almost always found with a lot of fiber.

    It's hard to ingest dangerous amounts of the stuff eating apples, you can only eat so many. However, refined sugars can easily be consumed in large quantities. It is estimated that 100 years ago the average person ate about 15 grams of sugar a day, that is up over 65 grams now and growing.

  24. Re:Does HFCS count? on Study Finds Link Between Artificial Sweeteners and Glucose Intolerance · Score: 1

    However HFCS is just a mixture of glucose and fructose. Your "Real sugar" is just the two bonded into a single molecule. First thing your body does with sugar is break it down into a mixture of glucose and fructose.

    Corn farmers and the problems with it aside.... the health effects of sugar vs HFCS are nearly identical, and both are pretty much poison to your liver in much the same way alcohol is, both increase appetite, and help you along your way to diabetes or heart disease.

  25. Re:Does HFCS count? on Study Finds Link Between Artificial Sweeteners and Glucose Intolerance · Score: 3, Insightful

    The main difference is it is cheaper because it can be produced from corn.