Beta

Comments

top

Remote Exploit Vulnerability Found In Bash

Ankh Re:Seems fundamentally broken (399 comments)

This is a complete misunderstanding of what is going on.

"The bigger problem to me seems to be that cgi scripts export user parameters to environment variables before calling bash"
No, this is not what it is about at all.

The CGI specification says that the Web server (not CGi scripts) makes HTTP headers and request data available in environment variables.

Programs called through this interface (often called "index.cgi") are vulnerable *regardless* of what language was used to write them, because a lot of programs end up calling bash indirectly. And no, shell functions themselves are not the problem, so redefining cp or ls isn't going to happen in this way, it just happens to be a part of shell syntax with a bug in the parser in bash that also executes commands when it shouldn't.

about 2 months ago
top

Remote Exploit Vulnerability Found In Bash

Ankh Re:Remote? Vulnerability? (399 comments)

That you don't understand it doesn't mean it's not real.

Some people run a program called a "Web server" which listens on a network and runs programs based on requests it receives :-)

It's not about using bash for CGI scripts, although that's an obvious example. Some people use languages like Perl or python or even php (in CGI mode), or C, or Pascal, and all of those programs can be affected too, because they might use something like systm() or `...` or run an external program that in turn calls the shell, directly or indirectly.

Other services are also affected - ssh, dhcp, remote git, potentially even ftp and email although that seems less likely.

about 2 months ago
top

Remote Exploit Vulnerability Found In Bash

Ankh Re:I am wrong but... (399 comments)

Any program that's called via the CGI interface, regardless of programming language, is potentially vulnerable to this attack, because the Web server puts the environment variables in the process' environment and they'll inherit to sub-processes.

The ssh exploit can be ued to escalate privileges e.g. when used in a limited account such as github or remote CVS or backup.

DHCP is also vulnerable (remotely).

I don't think calling people names is helpful. Anything called via the CGI API is potentially vulnerable, as is anything that passes on environment variables or HTTP headers to sub-processes, regardless of what language was used to write those programs.

about 2 months ago
top

Remote Exploit Vulnerability Found In Bash

Ankh Re:Linux is just a full of holes as Windows (399 comments)

It also affects bash scripts called from programs run by CGI, so e.g. Perl, python, C, C++ programs using system(). Since environment variables are inherited by all subprocesses, it affects grandchildren, greatgrandchildren, and all the other sub-processes that get created all the way down.

Some scripting and programming languages use the shell to expand "glob" patterns, e,g,
        $names = glob( "/tmp/[0-9]*" )
or in other places where it may not be obvious.

I'm not interested in comparing numbers of holes in different systems as it ony takes one hole for an intruder to get in.

about 2 months ago
top

Remote Exploit Vulnerability Found In Bash

Ankh Re:Full Disclosure can be found on oss-security... (399 comments)

The CGI spec tells the Web server to make the user data available as environment variables, so e.g. Apache will put them in the environment, and environment proceses are inherited to all sub-processes, so e.g. a Perl script called via CGI and using back-ticks, my $a = `pwd`; may result in code execution.

The vulnerability doesn't apply to all ways of running code on Web servers, e.g. Java servlet APIs shoud be fine, but CGI does automatically add the HTTP headers and request paramters to the environment.

about 2 months ago
top

Orphaned Works and the Requirement To Preserve Metadata

Ankh Re:as a photographer (129 comments)

Published works are automatically copyrighted in most countries, including the USA, because of ratification of international treaties such as the Berne Convention. The old US-specific requirement of marking something as copyright has long gone. (in other countries requirements varied, but e.g. in most Western countries items published anonymously, or published without explicit marking, get full copyright if the creator's identity becomes known. Just because a photograph is unmarked does not mean you can use it without permission!)

However, it's true that if you mark something as copyright you may do better in court, particularly in the USA, and that registering copyright, still available in many countries, can help.

about 2 years ago
top

17th Century Microscope Book Is Now Freely Readable

Ankh Re:It's the ink soaking through the paper. (116 comments)

It's harder than it sounds.

I do a lot of scanning from old books. The print-through can often be darker than parts of the printed page you're trying to scan; I have not found a good way to cure that beyond hand-editing.

In many case, of course, you can make huge improvements in a very short time. But Google Books is about commoditisation, it's about really large quantities of mediocre results, getting ad revenues from the keywords to pay for the work.

more than 2 years ago
top

17th Century Microscope Book Is Now Freely Readable

Ankh Re:17th Century? (116 comments)

The images are better than average for project gutenberg. On my own site I generally scan at 2400dpi, http://www.fromoldbooks.org/ - although people have to ask me for the high resolution images. For one thing, a 2 gigabyte image can crash people's Web browsers :-)

Project Gutenberg has always been really sloppy with metadata - identifying exactly which edition of a work was transcribed (and which impression), describing its physical characteristics and so forth. They seem to be improving a little, slowly.

Google Books on the other hand has always been really bad with images and with the OCR. For some books I've had some luck making a "majority edition" by taking the text when Google scanned the same book multiple times. It turns out to be almost impossible to do that with images, unfortunately.

As I understand it, Google's method of scanning books also means fold-out or large-size illustrations tend to get lost altogether.

more than 2 years ago
top

Rat Attack Causes Broadband Outage In Scotland

Ankh Re:best poison... and internet and rats (85 comments)

Hope you like the stink of dead rodents in your walls...

That's a problem with pretty much any of the poisons, yes.

Poison is just a band-aid, fix however they are getting into the house.

We live in an old wooden farmhouse; it's not really feasible to stop rodents from getting in altogether - just as we have a sump pump in the basement for the water that gets in, standard operating procedure here in rural Ontario. We have, however, added .2 inch steel wire mesh under the deck, to a depth of two feet, which helped.

I thought warfarin was still #1 for what it's worth... As far as I recall rodenticide has to be slow acting, else the neighbours will notice something is awry when the victim drops dead.

I didn't say the Vitamin D was fast, I said the rats eat a lethal dose at one sitting. When rats return to the nest the alpha male smells their breath, and when they start to die, the remaining rats will soon stop eating the bait. So any poison that takes more than one feeding to kill will tend not to kill all the rats, unless you only have a very few rats. But if it kills the rats too soon, they'll notice and avoid the bait. It's tricky to get right. Multiple-feed poison is OK in a city if they're coming up from the sewers or other underground tunnels, but if you have a nest in your walls, forget it.

Warfarin is #1 in sales, sure. You have to keep buying it, because it won't kill them all. In addition, a large proportion of rats are immune to warfarin these days. I didn't want to mention brand names in case it sounded like an advert, but Quintox and Terad3 are the leading Vitamin D poisons (both from Bell Labs, one newer than the other). Quintox is also the only rat poison that can be used on an organic farm here. You can also get it in liquid form, which is good if you're confident there are no other animals, children, etc ;-) - e.g. it's used at a local power station here. The rats have to drink a lot of liquid each day so they're particularly attracted to it.

Thanks for replying. And yes, you're right, we had a bad smell in the walls ;D

more than 3 years ago
top

Rat Attack Causes Broadband Outage In Scotland

Ankh best poison... and internet and rats (85 comments)

We had an Internet outage in our house when rats got into the walls and chewed through the cables. They just like eating plastic, and also will chew through walls (and cables) to get to the other side.

It's no surprise that the most effective rat poison (I discovered after extensive research!) was developed by a phone company - Bell Labs.

It was also interesting to me that the Wikipedia article on rat poison appears to recommend the most widely used *ineffective* rat poison, which also made by a large company..., and lists some stupid problems with the competition.

The most effective, if you are wondering, is based on Vitamin D, and has the advantages that (1) the rats eat a fatal dose on the first feeding, and hence do not get a chance to learn to avoid it; (2) pregnant rats eating the poison do not give birth to rats that are immune to it, (3) since vitamin D isn't really a poison as such, if another animal eats the rat, there's very little risk of secondary poisoning.

So we solved our own rat problem, but I had to do a lot of learning about rats and rat poison on the way!

more than 3 years ago
top

Release of 33GiB of Scientific Publications

Ankh Re:Biased summary (242 comments)

The summary is incorrect about the public domain part - for one thing, JSTOR holds a great many articles that are still in copyright. For another, "published before 1923" only applies to articles written and published in the US (smplifying slightly). An article written in Germany or France or the UK in 1923 may still be in copyright even in the US (because of copyright treaties that say countries respect one another's copyright laws, and although admittedly the US has not been an equal player in these, it's starting to honour them more often). JSTOR has journals published this year.

JSTOR is a non-profit organization that has saved university libraries huge amounts of money. In the 1980s a publisher would often charge $10,000 for a year's subscription to one journal or family of journals. Now, as others have said, the current business model for academic research and dissemination of results is pathetic and flawed. Physics and Mathematics have long had ways to try to work around it for practical research, sending pre-prints and publishing independently

A few gigabytes of text is actually a massive amount. The entire King James Bible is abut five megabytes. A single journal article is a few kilobytes, or low megabytes if it has figures. The complaint is not about the bandwidth use (as I understand it, I do not speak for MIT).

For me there's a bigger question here. If you are successful in challenging the model of careful selection and editing of articles, and of presenting them by subject, if you succeed in giving away the goods for free and making the publishers lose their shoes and socks and declare bankruptcy, have you lost anything? Is the selection process a valuable service, and, if so, can it be replicated? Crowdsourcing has for sure worked to make wikipedia voluminous, mediocre and untrustworthy. Is that a heresy here? Maybe. But you can never take an article there at face value. There have been whole fake conferences whose "conclusion" was that smoking was good for you, or that the global climate is not changing, or that the sun really does go round the earth. I don't want to see the end of traditional journal publishers unless there's a way to retain the benefits, or to have enough new benefits that the people most affected are willing to lose the old benefits.

more than 3 years ago
top

3D Hurts Your Eyes

Ankh It's 1760 all over again (244 comments)

When John Baskerville invented a process for making smoother paper, and printed books with the blackest ink and whitest smoothest paper ever seen, Benjamin Franklin said that people would go blind. Others took up this claim, although today almost all books are printed on paper every bit as white and often as smooth, and with inks every bit as black.

more than 3 years ago
top

Standards Make Rapid Software Releases Workable

Ankh Re:*correction* Re:IE 6 intentionally crippled (97 comments)

At the time I thought they started out with the code for browser and server. At any rate blink wasn't introduced by Microsoft. Mr. Andreeson bought me a drink by way of apology for hacking blink :D

more than 3 years ago
top

Standards Make Rapid Software Releases Workable

Ankh Re:*correction* Re:IE 6 intentionally crippled (97 comments)

There wasn't a published standard that night when Marc coded "blink" in Mosaic. We were working on a standard for HTML in the IETF Working Group but it was only a draft then.

Note that IE inherited "blink" from Mosaic, because the first version of IE was licensed from Spyglass and was a commercially-supported version of Mosaic.

I don't remember where "layer" came from I'm afraid.

more than 3 years ago
top

Are Flickr Images Abused By Foreign Businesses?

Ankh Foreign works both ways (227 comments)

When you say, foreign, remember that copyright violations are pretty common in the USA too, both by individuals and by organizations. From the perspective of most citizens of this planet, the USA is also a foreign country :-) (and GPL violations happen without regard for national borders, too)

Is is harder to take action against people in other countries. You may have to travel there to appear in a court, in extreme cases, and you may have to demonstrate financial losses as a result of the use of your image.

Many countries give a legal moral right to be identified as the author/creator of a work, and also give the creator ongoing rights to say how the work can be used. This may strengthen the poster's case here, although in the US, using creative commons may be seen as waiving some of those rights. Here in Canada, the rights are inalienable: you can't ever get rid of them, which in principle may not be compatible with some creative comments licenses (and GPL for that matter): there's no "public domain" in the same legal sense as in the USA.

Write a letter in general terms in the first instance - e.g., "I am writing because you are making commercial use of one of my images without permission; who would I contact in this matter?" Be firm but very polite at all times.

If you are prepared to settle for acknowledgment, and perhaps a small payment to compensate you for your time, then when you do get a reply, be polite and accept their offer if it's in the right ballpark, or negotiate for a little more. If the reply is unsatisfactory, immediately seek legal advice from a lawyer who specializes in cross-border/international copyright disputes. They are expensive, but you should get a free consultation that will get you started.

Do not be rude, arrogant, or demanding - not only is it likely to make people act defensively, rather than trying to cooperate with you in finding a friendly ("amicable') solution, but it can also actually weaken your case if you do end up with legal action. Similarly, be terse, don't volunteer information. Saying "I don't have much money, I'm a student" for example is also saying "I can't afford to sue you, you can do what you like!"

Do not attempt to base any sort of argument on the Wikipedia pages on copyright; every time I look at them I find errors (often with people fiercely defending them), and I'm not even a lawyer. Reading the actual copyright acts is difficult without legal training - e.g. knowing that a phrase like "time shall be of the essence" in US law might mean "if you don't make the deadline, all bets are off", or finding a footnote on page 50 that says, "hereafter, and everywhere in this document, the term "Ship" shall mean "Ship or hovercraft", or discovering some other law that amends the one you were reading... and even after reading the law, what matters is how individual judges ("courts") interpret it. Sort of like how different Web browsers react to the syntax errors that riddle most HTML pages - the specification says one thing, people do another, the Web browsers resolve it. Except that judges are human, of course, and consider each case as it happens. This isn't so much a criticism of Wikipedia as a note that, like any other resource, you have to know its strengths and weaknesses. For that matter I've seen official government web pages on copyrights that had serious errors in them (such as giving incorrect figures for duration, and then a while later silently changing them!) so it's all a bit of a minefield.

more than 3 years ago
top

Are Flickr Images Abused By Foreign Businesses?

Ankh Re:Yes, and "oh well". (227 comments)

Careful - there are multilateral agreements that are enacted in the individual countries who signed and ratified the treaties; there's no "international court" or body of "international law." (probably you know this, but many people reading the phrase "international copyright laws" get confused).

In the particular case here it's more than likely an error, and as others have said, contacting Elsevier, will probably result in a satisfactory conclusion. If contacting the people using the image doesn't work, I would urge anyone in this sort of situation to contact a copyright lawyer and make sure they have experience in the area of "conflict of laws" and cross-border copyright issues. In general, it's expensive to take someone to court in a foreign country, and you are likely to be limited in compensation to the amount of money you can demonstrate you have lost.

more than 3 years ago
top

Greg Bear, Others Cry Foul on Project Gutenberg Copyright Call

Ankh Re:These works were written between 40 - 60 years (721 comments)

Can you expand on this concept, please? I googled "dark archives" and nothing of use came up.

Well, they're hard to find because they're dark :D

Othe terms include hidden archives, or escrow archives, but see this google search for some pointers.

more than 3 years ago
top

Greg Bear, Others Cry Foul on Project Gutenberg Copyright Call

Ankh Re:Server location (721 comments)

Since the works in question were first published in the US, by American citizens, the US terms would still apply even if the servers were in New Zealand or Australia. Those countries have copyright agreements with the USA.

Works published jointly in more than one country (jointly usually means within 30 days) usually get the "shortest term" of any of the countries involved, but that's only for works published in multiple counties. Works published (even on the Web) without the permission of the copyright owner do not get a reduced copyright.

In practice, you can often get away with republishing woks because it's too expensive to take legal action, and because you get into an area of law called Conflict of Laws, which is one of the hardest and most expensive areas of law. However, simply moving the servers to another Berne Convention country wouldn't actually help PG very much.

In the past, the US has not tended to honour the copyright agreeents of other counties, but of late that has been changing.

Canada (where I live) also has life + 50 years instead of life + 70 years; it's not actuallyhalf of the US term, though. If you publish a work when you're 20 and you live to be 100, the work gets (100 -20 + 70) = 150 years of protection in the US, and 130 years in Canada.

Personally (and I'm speakingas a published author here too) I'd like a return to 20 or 30 years after publication, with no renewals, But Im not a film or music distribution company, of course!

more than 3 years ago
top

Greg Bear, Others Cry Foul on Project Gutenberg Copyright Call

Ankh Re:These works were written between 40 - 60 years (721 comments)

"should" - either take it up with your representative (congress if you're in the US) or be aware that civil disobedience carries penalties.

At least some of these works are in fact in circulation, by the way. See the original article; there are stories that were first published in magazines and then in books.

60 years isn't actually very long as copyright laws go (sadly) - when I'm researching images or my Web site, http://www.fromoldbooks.org/, I frequently find images over 100 years old that are still in copyright. Sometimes even older.

As for "lost to the world," well, I agree, but note that there are "dark archives" (e.g. at the Library of Congress in the USA) where items are held until such time as copyright expires.

A difficulty with copyright law is that it's the publishers who make the money, and hence have the most representation at governmental levels. I'd guess that with wider representatoin, copyright terms could be simplified and shortened. However, in the US, you also have to remember the Disney Laws. Protectionism and corruption.

more than 3 years ago
top

Greg Bear, Others Cry Foul on Project Gutenberg Copyright Call

Ankh Re:originally appeared in magazine form (721 comments)

| Copyright extends from the time it's written, not published, yes?

No. There are separate rules about unpublished works, and about works first published posthumously, but in general the clock used to start ticking on publication; these days it's usually 70 years after the author died. The Berne Convention mandates 50 years after death, in general, but like most counties the US went a little further.

more than 3 years ago

Submissions

Ankh hasn't submitted any stories.

Journals

Ankh has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?