Comments

Bash To Require Further Patching, As More Shellshock Holes Found

Xylantiel Re:Call it what you will (326 comments)

While I tend to agree, I think there is some more subtlety. In its original conception, CGI probably did consider the web inputs as essentially session-level data, which would warrant what you refer to as "semi-persistent" storage in the environment. I would say that web programming has evolved some in modern usage, and a transient-data model as you suggest is probably more appropriate.

But there is plenty of blame to go around. Bash, or anything else for that matter, should not interpret otherwise completely unused environment data in such a way that it gets executed. There are plenty of other contexts outside CGI where that is a problem. Environment variables are a well-established way of communicating data from parent to child processes. One that is, sometimes conveniently, agnostic about whether that data is intended for a direct child or the child of a child. But if a program is performing some function based on the content of *any* environment variable rather than the content of a specific variable or variables, that is likely to cause trouble.

2 days ago
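The comment above argues that a front end should never hand arbitrary environment data to a child (or, through it, to a grandchild shell), and that a program should act only on specific, expected variables. The C below is an added example of that mitigation, written for this page; it is not code from bash, from any CGI server, or from the poster. `env_allowlist`, `env_value_is_function_export`, `env_count_function_exports`, the sample environment and the allow-list are all constructed here. It builds an `envp` that contains only named variables, and separately counts values carrying the `() {` function-export prefix so a front end can log them before spawning anything.

```c
/* Added example: allow-listing the environment handed to a child process,
 * plus a check for the function-export prefix bash recognised.
 * Not code from bash or from any CGI server; all names are invented here. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when an environment value starts with "() {", the prefix bash
 * used to recognise an exported shell function. Request-derived variables
 * (HTTP_*, QUERY_STRING, ...) have no legitimate reason to carry it. */
int env_value_is_function_export(const char *value)
{
    return value != NULL && strncmp(value, "() {", 4) == 0;
}

/* Counts entries of a NULL-terminated KEY=VALUE array (same layout as
 * environ) whose value looks like a function export: cheap detection a
 * front end can log before it spawns anything. */
size_t env_count_function_exports(char *const *env)
{
    size_t hits = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        const char *eq = strchr(env[i], '=');
        if (eq != NULL && env_value_is_function_export(eq + 1))
            hits++;
    }
    return hits;
}

/* Builds in `out` a NULL-terminated environment containing only those
 * entries of `in` whose name is listed in `allow`. This is the mitigation:
 * the child, and any grandchild it spawns, never sees request data through
 * the environment. Returns the number of entries kept, or (size_t)-1 when
 * `out` (capacity out_cap, including the final NULL) is too small. */
size_t env_allowlist(char *const *in, const char *const *allow,
                     char **out, size_t out_cap)
{
    if (out_cap == 0) return (size_t)-1;
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL) continue;                 /* malformed entry: drop */
        size_t name_len = (size_t)(eq - in[i]);
        for (size_t a = 0; allow[a] != NULL; a++) {
            if (strlen(allow[a]) == name_len &&
                strncmp(allow[a], in[i], name_len) == 0) {
                if (n + 1 >= out_cap) return (size_t)-1; /* no room for entry + NULL */
                out[n++] = in[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

/* Constructed sample environment, as a CGI front end might see it. */
static char *const SAMPLE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "LANG=C",
    "HTTP_USER_AGENT=() { :; }; <rest of constructed request header omitted>",
    "QUERY_STRING=q=hello",
    NULL
};
static const char *const ALLOW[] = { "PATH", "LANG", NULL };

int main(void)
{
    char *clean[8];
    size_t kept = env_allowlist(SAMPLE_ENV, ALLOW, clean, 8);
    printf("suspicious values: %zu, entries kept: %zu\n",
           env_count_function_exports(SAMPLE_ENV), kept);
    for (size_t i = 0; clean[i] != NULL; i++)
        printf("  %s\n", clean[i]);
    /* `clean` is now suitable as the envp argument to execve(). */
    return 0;
}
```

The allow-list is keyed on the variable name only, so a request header can never smuggle a variable into the child by choosing its value; the prefix check is purely for logging and does not replace the allow-list.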

Remote Exploit Vulnerability Found In Bash

Xylantiel Re:Already fixed in Debian... (399 comments)

The question would be which shell does the equivalent of system() in PHP, Perl, etc. call? If the PHP or Perl code in question only uses system() to execute binaries and not scripts (which might spawn bash as you say) then it would not be vulnerable because it would be done with dash. Does anybody know which would be used? Might it depend on the form of the system() call?

about a week ago

Remote Exploit Vulnerability Found In Bash

Xylantiel Re:I am wrong but... (399 comments)

I think the problem is that any large PHP application is likely to execute something with a shell at some point. Any point is enough. This may slow down exploits, since you have to hunt for the corner case that executes a shell, but not much.

about a week ago

The Documents From Google's First DMV Test In Nevada

Xylantiel Re:Who would have thought (194 comments)

Yep, at least in the US a roundabout is all about guessing, based on their approach, whether the other approaching driver has any clue how a roundabout is supposed to work. Just because you have the right of way doesn't mean it won't be a total mess if you hit somebody in the driver's door because they pulled out in front of you instead of yielding.

about three weeks ago

Reanalysis of Clinical Trials Finds Misleading Results

Xylantiel Re:Selection bias? (74 comments)

So does that mean a re-analysis of the article on re-analysis leads to different conclusions than the original article?! HA!

But I have the sneaking suspicion that this re-analysis won't be published, which is a whole nother kind of selection bias can of worms.

about three weeks ago

Netflix Reduces Physical-Disc Processing, Keeps Prices the Same

Xylantiel Re:You're still getting what you were promised (354 comments)

I find it odd that you don't even say whether the delay was in mailing or processing, though you could surely tell. They send a receipt notice and a ship notice. What was the delay from their ship to your receipt? I think in some situations Netflix is at the mercy of your local mail processing. You should have called up your postmaster and complained. And the US mail is not doing so hot recently, and often that is worse in big cities than in suburbs or cities near but separate from big ones. Netflix rarely misses a 2-day turnaround for me and I noticed the Saturday thing pretty quickly because of this.

about 2 months ago

The "Rickmote Controller" Can Hijack Any Google Chromecast

Xylantiel Re:Doesn't this require access to your network (131 comments)

Seems like this is trivial to fix by requiring a physical button press to return to the configuration mode after the Chromecast is successfully configured onto a wifi network.

about 2 months ago

People Who Claim To Worry About Climate Change Don't Cut Energy Use

Xylantiel Re:LED Lightbulbs Re:user error (710 comments)

Maybe the prices are different in different regions? When I was at Lowe's a couple of weeks ago, LEDs cost almost 10x as much and use more than half as much power as a CFL and last maybe twice as long. That just doesn't work out. I would like to switch to LED, but it's still too expensive. Maybe you are comparing to lower-light-output LEDs or ones that have bad light distribution, which is not a fair comparison. Also, as other posters point out, I don't think halogen means what you think it means.

about 3 months ago

Key Researcher Agrees To Retract Disputed Stem Cell Papers

Xylantiel Re:"Rigorous" peer-review ahahahahahaha (61 comments)

Um, you realize that Nature is a magazine, not a journal right? Yes they have peer review but they have a heavy vested interest in publishing exciting-but-possibly-wrong stuff, which they do all the time.

And if results were simply fabricated, peer review can't always catch that as others have said. Though sometimes it is obvious if someone is suddenly able to do something that others have been trying to do but failed, but they can't show WHY it worked for them and not for anyone else. Sometimes quality professional journals, especially in experimental sciences, will have higher peer review standards in that direction than a headline-oriented magazine like Nature.

about 4 months ago

Key Researcher Agrees To Retract Disputed Stem Cell Papers

Xylantiel Re:"Rigorous" peer-review ahahahahahaha (61 comments)

I'm unsure if you're serious or not... actually it's the copyeditor's job to catch typos unless they are scientifically relevant. And if you think Nature is a journal and not a journal-like magazine, you are mistaken. TONS of stuff published in Nature turns out to be wrong or overhyped.

about 4 months ago

Thousands of Europeans Petition For Their 'Right To Be Forgotten'

Xylantiel Re:All I'll say... (224 comments)

I think one of the troubles here is the difference between "YOUR record" and "THE record". I'm not a UK citizen, but I would be surprised if the relevant court records are somehow expunged. Are they? And with the database-driven information environment that we live in, how do we create a workable difference between "your record" and "the record" for private handling of public information?

about 4 months ago

Thousands of Europeans Petition For Their 'Right To Be Forgotten'

Xylantiel Re:All I'll say... (224 comments)

I'm sorry but if you can sue me for libel just for stating the fact that you have a "spent" conviction then the law is messed up. This is where we start to get into the fundamental nature of freedom of speech and how it relates even to freedom of thought. (Am I required to be lobotomized if I remember you have been convicted of a spent conviction? Maybe you should actually READ 1984.) I can understand laws that prohibit discrimination or harassment based on old convictions, but trying to legislate the availability of public record information is stupid. I would also argue that this kind of thing is entirely separate from "privacy". There are many things that are "private", but public records are by definition not among them.

about 4 months ago

US To Charge Chinese Military Employees With Hacking

Xylantiel Re:Very Bad Precedent (225 comments)

You realize that there is effectively no difference between a government-denied Chinese hacker and a "non official cover" spy, right?

And if they aren't government-employed then this is the completely appropriate action.

In either case, I'd say it's better to get this out in the open where the justice system can work it through rather than just finger pointing. If they're not government-sponsored (as the Chinese claim) then the Chinese should be willing to pony up and extradite them! (The fundamental issue here is really that the line between government and non-government is defined in a very different way in the US and China, both in law and in practice. China is still a single-party rule, which makes it often a matter of semantics what is government and what is not.)

about 4 months ago

Internet Transit Provider Claims ISPs Deliberately Allow Port Congestion

Xylantiel Re:L3, Cogent and Others Crying Wolf (210 comments)

Exactly. The ISPs are holding their subscribers hostage. i.e. abusing their monopoly power to get paid twice for the same service.

about 5 months ago

Lessig Launches a Super PAC To End All Super PACs

Xylantiel Re:Asking the wrong questions (465 comments)

Yes, it is a relatively simple culture change really: if someone else paid for you to see or hear it, assume it is a lie or distortion.

about 5 months ago

Oklahoma Botched an Execution With Untested Lethal Injection Drugs

Xylantiel Re:Failed injection. (1198 comments)

The root problem here is the companies that make the drugs that have known properties are refusing to sell them to the state for use in executions. How it is legal for the companies who sell the drugs to discriminate in this way I don't understand. I know WHY they are doing it... due to pressure from anti-death penalty activists. But how is it legal?

And just to be up-front, I'm actually anti-death-penalty. But forcing state officials to euthanize people in inhumane ways in order to make headlines does not seem... humane.

about 5 months ago

OpenSSL: the New Face of Technology Monoculture

Xylantiel Re:Is anyone surprised? (113 comments)

Well I would say that is just evidence of the problem. If an update adversely impacts stability that badly then updates are not being managed/tested properly, which is exactly the problem with OpenSSL. This also brings up another point -- a lot of the stability problems are due to interaction with various other (broken or oddly-functioning) SSL implementations. The correct way to handle that is with rigorous and extensive test cases, not just closing your eyes and not updating.

about 5 months ago

OpenSSL: the New Face of Technology Monoculture

Xylantiel Re:Is anyone surprised? (113 comments)

I would say it wasn't just OpenBSD either -- it appears that everyone was very reluctant to update from 0.9 to newer versions. This tells me that people knew the development practices weren't up to snuff. It's just too bad that it took such a major exploit to kick everyone in the head and get them to put proper development practices in place for OpenSSL. Many eyes don't work if everyone is intentionally holding their nose and looking the other way.

about 5 months ago

Administration Ordered To Divulge Legal Basis For Killing Americans With Drones

Xylantiel Re:I am confused on this issue (310 comments)

I think the basic problem is that we are not at war with country X.

I actually believe the basic bill of rights applies to the agents of government, not the people. i.e. it does not just protect these special people called "citizens", it restrains the government from certain actions, such as denial of due process of law, against any person. However, the general "rule of law" does not apply in a war zone. The problem is that we have become stupendously lax about exactly where the wars the US is currently fighting actually are. Are we at war with Pakistan? No, but we perform military strikes inside Pakistan without their consent. Are we a warlord or a modern country?

about 5 months ago

OpenBSD Team Cleaning Up OpenSSL

Xylantiel Re:de Raadt (304 comments)

I disagree that there was no way to catch this. From code I saw, at its core, it was a simple case of using memcpy with the size of the destination buffer rather than the source buffer. Any automated bounds checker would have caught this. But, in addition, there should have been a compliance test that a packet with a specified size bigger than its payload went unanswered since anything else is noncompliant with the RFC. Clearly the person who wrote the RFC understood that answering a heartbeat request with a size different than its payload was a potential problem since the behavior was specified. To me, both of these mean that OpenSSL is enough lacking in validation testing to make me pretty nervous. No wonder everybody has been sticking to 0.9 versions for years if the path forward is this fraught with uncertainty.

about 6 months ago
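The comment above makes two claims worth seeing in code: the copy must be bounded by what actually arrived rather than by the sender's length field, and a request whose declared size exceeds its payload must go unanswered. The C below is an added example written for this page; it is not OpenSSL's code or the poster's. It lays a heartbeat message out as in RFC 6520 (type, big-endian payload_length, payload, at least 16 bytes of padding); `hb_respond`, the constants and the two sample records are constructed here. The second sample is the compliance test the comment describes: a record declaring 65535 payload bytes when only 5 follow.

```c
/* Added example: the length check a heartbeat handler needs, written as a
 * stand-alone C function laid out after RFC 6520. Not OpenSSL code; the
 * function and constant names are invented here.
 *
 * HeartbeatMessage on the wire:
 *   uint8   type             (1 = request, 2 = response)
 *   uint16  payload_length   (big-endian, chosen by the sender)
 *   opaque  payload[payload_length]
 *   opaque  padding[>= 16]
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Answers the heartbeat request in rec[0..rec_len) by writing a response
 * into out. Returns the response length, or 0 when the request must be
 * silently discarded: too short, wrong type, or a payload_length larger
 * than the bytes that actually arrived (the Heartbleed case). The memcpy
 * is bounded by rec_len, which the receiver measured, never by the
 * sender's length field alone. */
size_t hb_respond(const unsigned char *rec, size_t rec_len,
                  unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;

    size_t declared  = ((size_t)rec[1] << 8) | rec[2];
    size_t available = rec_len - HB_HEADER_LEN - HB_MIN_PADDING;
    if (declared > available) return 0;          /* RFC: discard silently */

    size_t need = HB_HEADER_LEN + declared + HB_MIN_PADDING;
    if (need > out_cap) return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, declared);
    /* Zero padding keeps the example deterministic; real code uses random bytes. */
    memset(out + HB_HEADER_LEN + declared, 0, HB_MIN_PADDING);
    return need;
}

/* Constructed records: a compliant request carrying "hello", and one that
 * declares 65535 payload bytes while only 5 follow. */
static const unsigned char SAMPLE_OK[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const unsigned char SAMPLE_OVERSIZED[] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    unsigned char out[64];
    size_t n = hb_respond(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out);
    printf("compliant request: %zu-byte response, payload \"%.5s\"\n",
           n, (const char *)(out + HB_HEADER_LEN));
    n = hb_respond(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, out, sizeof out);
    printf("oversized length field: %zu bytes sent (0 = dropped)\n", n);
    return 0;
}
```

Treating `SAMPLE_OVERSIZED` as a regression test, and asserting that the handler returns 0 for it, is the validation test the comment says was missing: it fails on any implementation that trusts `payload_length` over the record length.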

Submissions

Xylantiel hasn't submitted any stories.

Journals

Xylantiel has no journal entries.
