
Comments


Bash To Require Further Patching, As More Shellshock Holes Found

Sits ShellShock checker (329 comments)

From Eric Blake's bug-bash post

bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"

If you see anything like the following:

bash: g: line 1: syntax error: unexpected end of file
bash: error importing function definition for `g'
1
2
f=1
f=() { echo 2

you're still vulnerable. There may be other issues the above does not cover.

about three weeks ago

Project Zero Exploits 'Unexploitable' Glibc Bug

Sits Some C compilers already have bounds checking (98 comments)

You can already ask some compilers to do what you are asking - it's just often not on in shipped builds.

At compilation time warnings can be generated for out of bounds accesses that can be determined statically. Clang has -fsanitize=bounds, GCC has -Warray-bounds.

As an Anonymous Coward pointed out, it can be hard to detect runtime allocation overruns at compilation time. For these something like Clang's AddressSanitizer (GCC has added it too) will help but at a cost of both time (slow down factor of 2) and space, which is why you're unlikely to find it enabled on your precompiled SSH server binary. It's true there are cheaper checks (such as GCC's FORTIFY_SOURCE) that are less thorough/specialized that are often enabled by distros.

about 2 months ago

Python Bumps Off Java As Top Learning Language

Sits Theory says it is possible (415 comments)

Any Turing complete language can mimic any other Turing complete language (but at a price) so if your language supports condition driven loops you effectively have GOTO and IF. However if we see GOTO as syntactic sugar (and thus an efficiency optimisation/control flow obfuscator) wouldn't the combination of continuations and exceptions get you what GOTO can achieve?

about 3 months ago

Are the Hard-to-Exploit Bugs In LZO Compression Algorithm Just Hype?

Sits If a tree falls in a forest... (65 comments)

Whether you consider this issue hype depends on your answer to the "if a tree falls in a forest and there's no one to observe it..." thought experiment.

The author of LZ4 has a summary with regards to LZ4 (both LZO and LZ4 are based on the LZ77 compression and both contained the same flaw) - that the issue has not been demonstrated as being exploitable in currently deployed programs due to their configuration (a rather angrier redacted original reply was originally posted). So at present this issue is severe but of low importance. If a way is found to exploit this problem on currently deployed popular programs without changing their configuration then this issue will also be of high importance but since this issue has now been patched hopefully newly deployed systems wouldn't be vulnerable.

about 4 months ago

Netflix Shutters Its Public API

Sits What will happen to Moreflicks? (59 comments)

Moreflicks lets you see what's available on multiple streaming services based on various "best of" lists (e.g. it's unlikely Netflix will ever tie in to the IMDB top 250 but Moreflicks does) and even has support for countries like the UK. It's sad to see an ecosystem like this being removed without replacement...

about 4 months ago

Mesa 10.2 Improves Linux's Open-Source Graphics Drivers

Sits Relevant unless you are using binary drivers (58 comments)

Unless your graphics driver provides a full 3D stack (userspace GL libraries down to kernel drivers) you will be using Mesa on Linux. You are probably thinking of Mesa as purely a software renderer whereas it is also used as a frontend to open source 3D drivers and uses DRI to provide access to the hardware's acceleration.

I've yet to see any binary drivers use Mesa.

about 5 months ago

Ask Slashdot: What Should Every Programmer Read?

Sits Lists and links of top Programming Books (352 comments)

This is one of those questions that's going to keep being asked... Perhaps one day I'll be fast enough to get a first post on this that people actually read...

Link summary from last time:

General comments

  • A few people have volumes of Knuth's Art of Programming on their shelves (but it's harder to find people who have read all of them).
  • One of the consultants who taught at my University said that the Mythical Man Month and Peopleware were good. I've read these too and can also recommend them (although they are more about managing programmers rather than programming per se). The consultant also recommended Design Patterns (although he said not to read the book cover to cover but rather to just be aware of them so you could refer to them later).
  • I've heard the "Dragon Book" (Compilers: Principles, Techniques, and Tools I think is the 2nd edition) being talked of favourably.
  • Many people seem to recommend reading Godel, Escher, Bach (I'd say it's about mathematical thinking)...

I've noticed "which book" answers tend to fall into a bunch of categories:

  • Books that talk about software engineering/management/teams.
  • Books that talk about programming languages.
  • Books that talk about Computer Science.
  • Books that improve your mathematical thinking.
  • Books that programmers like but aren't programming/maths at all.

If you're going to ask someone "which book?" try to limit the categories they should give you an answer for...

about 5 months ago

The Truth About OpenGL Driver Quality

Sits OpenGL drivers on other platforms (158 comments)

There's a comment at the bottom of the article by David Poole that links to a post talking about OpenGL driver quality on desktop Linux and mobile Linux. The summary from that blog post is:

  • Vendor N closed source desktop Windows/Linux - Excellent. Near perfect.
  • Vendor X open source desktop Linux - Good. Highly responsive to bug reports but updates get to users slowly.
  • Vendor I closed source desktop Windows - Good but lacking useful features.
  • Vendor A1 closed source desktop Windows/Linux - Mediocre. Unresponsive to bug reports.
  • Vendor A2 closed source mobile - Bad. Buggy, vendor knows there are issues but doesn't fix them, driver limits performance forcing others to implement workarounds.
  • Vendor Q closed source mobile - Bad. Buggy, vendor is unresponsive to bug reports.
  • Vendor P closed source mobile - Unknown. Driver does not publicly support high enough version of OpenGL ES.

about 5 months ago

The Truth About OpenGL Driver Quality

Sits OSX GPU drivers probably not written by Apple (158 comments)

NVIDIA definitely write their own OSX drivers. I'm pretty sure AMD/ATI and Intel write their own OSX drivers too but these days GPU drivers are usually delivered with operating system updates (in a similar way that you can get driver updates through Windows update). Given how squeezing out GPU hardware documentation for Linux has been tough I don't think NVIDIA/AMD would be keen to help someone else write drivers that unlocked full functionality...

about 5 months ago

Ask Slashdot: Preparing For Windows XP EOL?

Sits There HAVE been XP privilege escalations recently (423 comments)

It's not entirely clear what you mean when you say "root exploit" but one interpretation is an exploit that when run as a regular user gives you administrator/root permissions. There have definitely been XP privilege escalation exploits recently (e.g. CVE-2013-5065 leverages a bug in NDProxy).

Perhaps you meant "remote exploit" but also last year there was CVE-2013-3175 malformed asynchronous RPC request so another machine can attack your XP machine over the network with no user intervention. See this table of 2013 Windows XP CVE entries for a list of what MS have been patching...

If you are no longer able to keep your OS regularly patched it's no longer safe and you are better off using something else for online activities. Save XP for those appliances that have to use it and can be stringently firewalled/quarantined.

about 7 months ago

Now On Video: GCHQ Destroying Laptop Full of Snowden Disclosures

Sits Electron microscopes not enough (237 comments)

The "Can you recover overwritten data?" question was answered a few years ago in the paper Overwriting Hard Drive Data: The Great Wiping Controversy. The conclusion was with an electron microscope you could get 1 bit back but the chance of recovering more than that is negligible (and that is in the new barely used drive scenario).

about 9 months ago

Google Ports Capsicum To Linux, and Other End-of-Year Capsicum News

Sits Re: Answered Capsicum questions (71 comments)

The last question was basically "Can I use Capsicum to create a program that in turn isolates other arbitrary programs in a meaningful way (e.g. in the style of sandboxie)"?

about 9 months ago

Google Ports Capsicum To Linux, and Other End-of-Year Capsicum News

Sits Re: Answered Capsicum questions (71 comments)

Hey TR, thanks for the comprehensive replies (to be honest I thought I'd asked so late no one would see them) - you elaborated on things that I did not glean from the presentation. Well done for splitting seccomp and seccomp-bpf up too. I have a few more questions:

  • Does Capsicum only work at the process level? I can't have a more privileged thread that is still uncontained (i.e. still able to perform a blocked syscall) while other threads are contained?
  • How do you envision codebases supporting Capsicum in a way that leaves them still portable to platforms where Capsicum is not available? Is it going to be a case of #ifdefs all the way down?
  • Would it be possible to make a sandbox program that uses Capsicum to in turn sandbox another (Capsicum-unaware) program that it goes on to run or is it likely going to be too restrictive for the second program?

about 9 months ago

Google Ports Capsicum To Linux, and Other End-of-Year Capsicum News

Sits Looks interesting - I have a few questions (71 comments)

  • How does this compare to existing (coarse grained) Linux capabilities?
  • How does this compare to SELinux?
  • Does this complement things like Linux's seccomp?
  • What's the overhead compared to the above?
  • Will FreeBSD ship a policy for a ssh/sshd?

about 9 months ago

Linux Distributions Storing Wi-Fi Passwords In Plain Text

Sits Windows and OS X system wifi passwords (341 comments)

To answer my own question here's what OS X and Windows do with system wide wifi passwords:

OS X stores the wifi password in the (encrypted) System keychain. The System keychain (System.keychain) is stored in a known location on disk and the material to decrypt it (SystemKey) is also stored in a known location on disk. The permissions on SystemKey file are set to be readable by only root.

What Windows does varies depending on version. For XP the wifi password is converted into a key and this key is stored directly in the registry unencrypted. For Vista and later the wifi password is encrypted (not turned into a key) with the System's Master Key and saved into an XML file inside a known path on disk. To reverse this process offline, you need the particular decrypted Master Key used to encrypt the wifi password. Due to the way that Windows' DPAPI works there may be multiple Master Keys, one of which was the one actually used to encrypt the wifi password. All System Master Keys live under a well known path on disk but are encrypted. To decrypt a System Master Key, data from the SYSTEM and SECURITY registry hives has to be used. Permissions on the aforementioned registry hives and Master Keys are tight so even a "regular" Administrator cannot directly access the underlying files while the system is running and some of the files are marked as hidden (but this is by the by for an offline attack).

about 10 months ago

Linux Distributions Storing Wi-Fi Passwords In Plain Text

Sits Passwords and automation (341 comments)

The issue of passwords being stored unencrypted on media has come up before with Android email passwords, Pidgin passwords and so on. If your attacker can bypass filesystem permissions you are already in a world of pain. One way to mitigate this would be to use a password protected keychain/keyring but this only works if you don't automatically unlock it...

Say that I want my Windows machine to automatically log in as a user when I turn it on. Because of the way Windows works it needs to be able to unlock my account (almost certainly to be able to unlock credential stores that would be otherwise locked), which means that when I enable Windows auto-login my password is going to be saved into the registry in plain text.

Perhaps Mac OS X can magically do better? Well not really - OS X XORs your password with a fixed key and saves it into /etc/kcpassword. For an attacker this is not a big hurdle over what Windows does. Unless your password is available OS X would be unable to unlock your keychain and all sorts of things would have to start prompting you if they wished to work.

If the keys to reverse the encryption are stored alongside the encrypted object you have not gained any more security but are just obfuscating your data - an attacker can simply steal both at the same time, run the decryption algorithm and use the object. To be secure you need to have something your attacker doesn't have access to which is at odds with unattended operation. If you want to have something happen in a completely unattended (i.e. from power on) fashion you are going to need ALL the information available in a directly usable form at some point and it's going to have to be "unprotected". While saving things like hashes is a bit better (as they don't reveal the underlying password which may have been reused elsewhere) someone can still steal the hash and use it as is for accessing that service and in many cases a hash is no good as challenge response is being used to prevent the whole secret from having to be passed.

I do have one question though - what do OS X and Windows do when you save things like WiFi/802.11x passwords that are accessible to every user? To what extent do they try and protect their system "keychains" and wouldn't such protection be obfuscation?

about 10 months ago
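
The trade-off argued in the comment above (a key stored beside the data only obfuscates it, while real protection needs something that is not on disk), as an added example that is not part of the original comment. The fixed key, function names and sample passwords are constructed for illustration, and the PBKDF2 pad plus HMAC is a standard-library stand-in for a proper authenticated cipher.

```python
import hashlib
import hmac
import os
from itertools import cycle
from typing import Optional

# Constructed sample key for this example; not any real product's key.
FIXED_KEY = bytes.fromhex("5a17c3e09b44")

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def obfuscate(password: str) -> bytes:
    """Works unattended, because the key ships with the system."""
    return xor_bytes(password.encode(), FIXED_KEY)

def recover(blob: bytes, key: bytes = FIXED_KEY) -> str:
    """Anyone who can read both the blob and the key gets the password."""
    return xor_bytes(blob, key).decode()

def _derive(passphrase: str, salt: bytes, length: int):
    """Stretch the passphrase into a MAC key plus a one-off XOR pad."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              200_000, 32 + length)
    return out[:32], out[32:]

def seal(secret: str, passphrase: str) -> bytes:
    """Protect the secret with something that is NOT stored on disk."""
    salt = os.urandom(16)
    data = secret.encode()
    mac_key, pad = _derive(passphrase, salt, len(data))
    body = xor_bytes(data, pad)
    tag = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    return salt + tag + body

def unseal(blob: bytes, passphrase: str) -> Optional[str]:
    """Return the secret, or None when the passphrase is wrong."""
    salt, tag, body = blob[:16], blob[16:48], blob[48:]
    mac_key, pad = _derive(passphrase, salt, len(body))
    expected = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(body, pad).decode()
```

`recover()` needs nothing beyond what already sits on disk, whereas `unseal()` needs a passphrase that someone has to supply at boot, which is exactly what unattended operation rules out.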

Google Makes It Harder For Marketers To Collect User Data

Sits Good and bad? (195 comments)

GMail will be fetching the images by default but only after the user opens the mail. So it's an improvement because the user's browser and IP address will be hidden (as it will be Google's servers doing the fetching) and it's a step back because tracking images will work by default. If you want the old behaviour of not showing images you will need to opt into it so only those who explicitly don't want to be tracked will remain anonymous.

Sources: Wired, Ars Technica

about 10 months ago

Submissions


UK banks push Rapport security software

Sits Sits writes  |  more than 4 years ago

Sits (117492) writes "UK banks have started urging their customers to install the Rapport security software but unlike previous efforts Rapport installs kernel hooks to encrypt key strokes, thwart screengrabbers and send off monitoring information for some Windows and OSX web browsers. Should banks be pushing such software and should OS/browser vendors be doing more to prevent another antivirus/anti-spyware market being required?"

Sits Sits writes  |  more than 7 years ago

Sits writes "While talking about the Red Hat summit Chris Blizzard mentions how an ATI marketing spokesman was on stage. The spokesman said ATI knows it has a problem with open source and is committed to fixing it. Does this mean ATI will finally resolve alleged agpgart misappropriation, fast track the release of open source 2D drivers on its latest cards while releasing specifications for its mid-range cards or is ATI only concerned with fixes to its binary driver to maintain feature parity with competitors?"

Journals


Sits Sits writes  |  more than 13 years ago

What happened to my first entry in my journal? It seems like /. has chomped it up...

Well today I continued work on trying to make updates to my site that bit easier. While it may not end up with the features and quality of something like Manilla it should hopefully make my life easier and encourage me to update my diary a bit more often.

Boy am I glad that I checked that Manilla link before posting this - Manilla.com was not the site I had in mind :)
