
Comments

Lenovo Set To Close $2.1 Billion Server Deal With IBM

Junta Competition need not be apples to apples... (48 comments)

The 'topmost tiers' are threatened by other tiers, even when they are not direct replacements. Workload might not have another viable closed-source DB or Unix player or Mainframe platform to move to, but many of those workloads are moving out of those tiers entirely instead. On the flip side, you don't see a lot of workload living happily outside of IBM's wheelhouse eager to jump in. The signs all suggest that IBM's most believable favorable outcome is slowing the erosion rather than capturing a lot of new growth. This wouldn't be such a terrible thing, except that their business leaders and shareholders think that no growth == dead and act accordingly.

yesterday

Lenovo Set To Close $2.1 Billion Server Deal With IBM

Junta Re:Server Admins Everywhere are Saying... (48 comments)

at least not worry about Chinese spyware

Considering the reality of the manufacturing and supply chain of *all* the vendors, there isn't a scenario where you are justified in not worrying on that score. The nationality of the CEO doesn't really help or hurt the ability of intelligence agencies to infiltrate product development and manufacturing.

yesterday

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Junta Re:"could be worse than Heartbleed" (316 comments)

Well, perhaps some of my comment should be modded down, but I really want people to cringe if they find themselves ever typing backtick, popen, or system() when doing web development, exploit or no exploit. It's just a very bad thing to do only as a very last resort in a very controlled situation.

4 days ago

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Junta Re:"could be worse than Heartbleed" (316 comments)

any CGI program + any non-Debian Linux => vulnerable

No, only CGI programs that use system/popen/etc to call out to things that may be bash.

For once, the PHP programmers are ahead security wise due to the ubiquity of mod_php...)

Well, for one, in most languages the equivalent facility is available and usually used, since it is a requirement to scale. For another, even the silly 'fork and exec' perl or php or python isn't vulnerable if said script avoids system/popen/backticks/what have you.

I guess I was wrong to play down the severity of bash, but my hope was for people to just consider themselves to have made a mistake by ever potentially having bash in a cgi context, for reasons beyond this exploit.

4 days ago

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Junta Re:"could be worse than Heartbleed" (316 comments)

The DHCP case is truly a bad situation.

I still say that people shouldn't be using things like system() in cgi context except in very limited hacked up internal-only little web pages. It has the same problem as using bash directly; it's a massive waste of resources for an HTTP request to spawn a new process.

4 days ago

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Junta Re:"could be worse than Heartbleed" (316 comments)

This blog post mentions php, c++, python, et alia, as another attack vector.

And while that underscores the appropriate need for this to be fixed, it should also be an opportunity to educate people to be wary of popen or system. If you leverage those a lot in a cgi context, you have created a significant potential bottleneck to scaling, versus using language libraries to accomplish the same goal without fork/exec being mandatory.

4 days ago

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Junta Re:"could be worse than Heartbleed" (316 comments)

I guess the point is that if a significant application is either written in bourne script or even doing something like system() to do nearly anything and it isn't some internal low security thing, then there is something that is bad going on.

That's not to say the bash thing isn't bad, but it *should* also be a wake up call to people to be mindful of invoking external utilities willy nilly when it is not appropriate.

5 days ago

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Junta Re:"could be worse than Heartbleed" (316 comments)

Ok, perhaps I undermined the importance, but if you are using 'xzgrep' in cgi context in a serious situation, I would say that is still a mistake. Forking and execing in response to an http request is terrible performance wise before getting to the security dubiousness of it all.

The dhclient-script stuff is pretty significant and I think I would be in a weak position saying that those have no business execing system commands/scripts. However it does suggest it may be worthwhile to have a helper that is non-root with capabilities to allow it to do key stuff to limit its ability.

5 days ago

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Junta "could be worse than Heartbleed" (316 comments)

To be fair, anyone using bash as the cgi handler for anything remotely serious was already doing it wrong. Bash by its nature is a facility trying to let the presumably authenticated user of it do whatever they want, even if it looks somewhat weird. Yes this bug warrants fixing, but putting bash or similar in a path where untrusted environment variables and/or argv is present is a very dubious design decision. Besides, fork and exec for every request is a huge no-no, and that's the only way to fly with bash.

Outside of malicious HTTP headers landing in environment variables in CGI land, I'm hard pressed to think of another reasonable vector for this bug to be a problem...

5 days ago
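Added example, not from this thread or any of its posters, of the design point made in the last two comments: a CGI-style handler that searches a compressed log once by shelling out to xzgrep through /bin/sh, so every HTTP_* variable the client chose is handed to the shell and a fork/exec happens per request, and once in-process with the language's own lzma library. The sample log, the headers and the presence of xzgrep are constructed assumptions.

```python
import io
import lzma
import os
import re
import shlex
import subprocess

# Constructed sample data: a small compressed access log a CGI handler might search.
SAMPLE_LOG = b"GET /index.html 200\nGET /admin 403\nPOST /login 200\nGET /admin 403\n"
SAMPLE_XZ = lzma.compress(SAMPLE_LOG)

# Constructed request headers; a CGI server exports each one as HTTP_<NAME> in the environment.
SAMPLE_HEADERS = {"User-Agent": "example-client/1.0", "X-Forwarded-For": "203.0.113.5"}


def cgi_environ(headers, base_env=None):
    """Model the environment a CGI server hands to the handler (and thus to any child it spawns)."""
    env = dict(os.environ if base_env is None else base_env)
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def untrusted_env_keys(env):
    """Variables whose values were chosen by the remote client; every child process inherits them."""
    return sorted(k for k in env if k.startswith("HTTP_"))


def count_matches_shell(xz_path, pattern, env):
    """The pattern the thread warns against: a fork/exec per request, through /bin/sh,
    with the client-controlled environment passed straight on to the shell and to xzgrep.
    Assumes xzgrep is installed; not exercised by the checks below."""
    cmd = "xzgrep -c %s %s" % (shlex.quote(pattern), shlex.quote(xz_path))
    proc = subprocess.run(cmd, shell=True, env=env, capture_output=True, text=True)
    return int(proc.stdout.strip() or 0)


def count_matches_inprocess(xz_bytes, pattern):
    """Same job with the language library: no shell, no child process, no environment handed out."""
    rx = re.compile(pattern)
    with lzma.open(io.BytesIO(xz_bytes), "rt") as fh:
        return sum(1 for line in fh if rx.search(line))
```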

Amazon Forced To Reboot EC2 To Patch Bug In Xen

Junta Netflix is not perfect... (94 comments)

Netflix still cocks up randomly on a stream and forces retries. I suspect it's not as rosy as they like to say and that the random death of services is more disruptive than they notice or acknowledge.

Meanwhile, even with their 'kill stuff randomly' methodology, the wrong thing still dies every so often and brings the whole thing to a screeching halt.

5 days ago

Amazon Forced To Reboot EC2 To Patch Bug In Xen

Junta Re:migratable vms? (94 comments)

That seems like a very very big oversight.

It's the nature of the beast. Live migrations without shared storage are really not commonplace. Amazon does not bother with shared storage and thus cannot live migrate. Even if they did have the ability to live migrate with no shared storage, the time to live migrate such a workload would be impractical.

In short, EC2 strives for cheap and no migration is part of 'cheap'.

5 days ago

Amazon Forced To Reboot EC2 To Patch Bug In Xen

Junta Re:Compared to Azure (94 comments)

My personal favorite Azure feature is that SQL Azure randomly drops database connections by design.

I have seen that mentality in a few places beyond Azure, and I find it moderately annoying. I guess the theory is assuring that *some* failure will happen to you soon even if you don't properly test, so you don't go too long without failure and get surprised. However it tends to lead to stacks that occasionally spaz out for a particular user and accepting that as ok because the user can just retry.

You are actually required to program your application to expect failed database calls.

On the other hand, you should always design your application to expect failed database calls. There might be some regrettable performance or unavoidable awkwardness in some cases around a failed database call (making it rude to randomly drop needlessly), but such an occurrence is to be expected at least occasionally no matter the stack.

5 days ago

Torvalds: No Opinion On Systemd

Junta Re:Do it well (385 comments)

That is, support *functional* dependencies between processes,

Well, explicit stated dependencies are there. If you mean something beyond that, I get very concerned.

caching of input/output.

What I/O are you referring to? I/O generally is already cached as intelligently as the filesystem or block subsystem can manage. At filesystem or lower or inside the application are your opportunities to enhance things, not much room in between. If you mean cache data that is piped around or networked around, that is absolutely a horrible idea that is really infeasible unless it's in the application (it is impossible for an infrastructure to ascertain whether a cached result is good enough in a generic fashion, since it isn't in the middle of the transactions or understanding the flow).

automatic starting of processes when configurations change, etc.

This would be horrible. If it is a process that reads config only at startup, you have no way of knowing when the changed on-disk copy is 'ready'. You cannot graft magic onto such a daemon. On the fly reconfiguration is already available even in standard libraries if applications want to do that. This is another problem that cannot be reasonably added in a sensible way without cooperation of the managed applications.

Right now, my computer has to reboot whenever stuff changes

Something is very very very wrong in your case. Updates sometimes are more practical to reboot to just be sure that stale copies of vulnerable libraries are surely out (and certain platforms require a reboot to replace open files at all), but no reconfiguration necessitates a reboot short of reconfiguring very particular kernel/driver settings.

about two weeks ago

Torvalds: No Opinion On Systemd

Junta Re:This is why I no longer use Linux (385 comments)

Being paid to program doesn't make you a professional.

Being paid to do anything by definition makes you a professional. Professional does not mean 'better'; it just carries the connotation, since frequently someone who cannot get paid for their work where another can is due to things that lack. In coding, sometimes being 'professional' versus 'amateur' really boils down to being loud enough to get taken seriously.

about two weeks ago

Torvalds: No Opinion On Systemd

Junta The problem... (385 comments)

People have reported corrupt log files. The result is all the data is unrecoverable. The complaints have been answered 'as designed'.

When things are right, it works as intended. When things are bad, it can go far off the rails. Considering it is the system log used to debug what is wrong when things are off the rails, a full binary log is a dubious proposition.

There are benefits to a binary log, but they could have been done to varying degrees with structured text and/or external binary metadata, rather than a corruptible binary blob.

about two weeks ago

Ask Slashdot: What To Do After Digitizing VHS Tapes?

Junta Re:nas4free, raidz2, primary/secondary server, rsy (268 comments)

I would argue that the raid is useless. Better to use the excess drive capacity for rsnapshot external with off site backup.

If theft or fire takes out your place, then that data is safe. Such an event would still be traumatic, but at least the data would be intact.

about two weeks ago

Ask Slashdot: What To Do After Digitizing VHS Tapes?

Junta Re:always keep the analogs (268 comments)

flaky format changes, .. system obsolescence

No, VHS itself is getting harder to get a recorder for.

bit rot, one too many cycles of use on a flash drive,

No, VHS notoriously looks worse and worse over time. Digital tolerates bit rot losslessly up to a threshold, then starts getting artifacts. Those artifacts are frequently no worse than how terrible VHS looks by that point of degradation.

Sure, keep the analogs since there is no harm, but don't expect them to fare better than digital backups.

about two weeks ago

Ask Slashdot: What To Do After Digitizing VHS Tapes?

Junta snapshot to external disk (268 comments)

I have two external disks on alternating cadences of backup. At any given time, one or both of them are in a desk drawer at work (while I work, I keep both there, and take home the one that needs to be run that night).

Cloud for me is impractical as the price structure is pretty steep at these capacities. Even if it wasn't, my bandwidth is inadequate for the task. Offsite backup to my desk drawer is adequate.

You can encrypt the backups if you are concerned about the privacy of such a setup (the desk drawer locks, but the employer has keys).

about two weeks ago

Cuba Calculates Cost of 54yr US Embargo At $1.1 Trillion

Junta Re:RT.com? (540 comments)

I don't think Karl Marx would look at China and say 'yes, that's communism'. You have a pretty much capitalist economy in effect in China.

about three weeks ago

Cuba Calculates Cost of 54yr US Embargo At $1.1 Trillion

Junta Re:RT.com? (540 comments)

I'm pretty sure communism has manifested without tyranny. The issue is that human nature in practice doesn't let it scale to notable levels. Small communities being communist without tyranny happens every so often. When you have the human connection face to face and there is not really any practical opportunity for some subset of the community to be overwhelmingly better off than the rest even if they had capitalism or tried, communism can work. However once one man is far enough from others to be somewhat apathetic toward them and/or perceive a chance for an unreasonably better standard of living at the expense of others, the good facets of humanity that would enable communism go out the window.

Of course the risk for a benevolent 'commune' with nice principles to turn to 'cult' seems pretty high, so I guess even this assessment gives human nature too much credit...

about three weeks ago

Submissions

Junta hasn't submitted any stories.

Journals

Junta has no journal entries.