Comments

More Eye Candy Coming To Windows 10

benjymouse Re:Wat? (209 comments)

Posting AC since I already moderated here.

After going to the Youtube page, I gotta say - Just what the fuck?

So now in order to salve the wounds of people butthurt by the monumental suckage of Windows 8, will be treated to the awesome best ever spectacle of rotating menu items, what they've always been waiting for?

Ahem. The youtube link (showing the flipping menus) shows a Linux desktop. It was intended by submitter jonas-supa to show how much more advanced Linux desktops are.

Can't wait until the fanbois come out and tell us how waiting for a menu to spin around a few times is based on extensive research done by Microsoft that proves once and for all that most users want the operating system to waste their fucking time, and that anyone who doesn't just love the steaming hot piece of shit is an idiot who doesn't know what they are doing.

Lol. We have to wait for the Linux fanbois to explain why the hell Linux needs compiz and all of the (agreed: Horrid!) animations from that youtube link.

Way to go there, buddy.

3 days ago

Microsoft Gearing Up To Release a Smartwatch of Its Own

benjymouse Behold (172 comments)

The new Microsoft Time Telling and Instant Notification Wrist Computer Ultimate Edition

5 days ago

BBC Takes a Stand For the Public's Right To Remember Redacted Links

benjymouse Re:Article or link (113 comments)

The whole article is de-indexed. That is the only way it can work

What? Google already uses a huge directory of "stop words" - words or phrases that should not be indexed. What is required is that they can create such stop words per link (article). Maybe they are not done with that yet, but it could certainly work that way.

The goal is not to suppress articles, the goal is to protect individuals' right to privacy. Google does not control the article, and they should not remove all links (associations) to articles. But they can and should respect individuals' right to privacy. So when an association is outdated, irrelevant or misleading they should - upon request - remove the association - not the article, not all the other links to the article.

And yes - that includes the right to delete associations between your name and a possible crime you committed 30 years ago. Most modern judicial systems (US the notable exception) recognize that when you've done your time you have "paid" your debt to society - and should have a chance to start over. If youthful stupidities will follow you your entire life you will *never* get a chance to prove that you have corrected yourself.

And this is NOT just for criminals. Controversies, your participation in demonstrations, debates, political parties, deliberate smear campaigns etc. all have the potential to seriously inhibit your chances with future employers.

about a week ago

BBC Takes a Stand For the Public's Right To Remember Redacted Links

benjymouse Article or link (113 comments)

Was the article removed in its entirety, or was the *association* between the name and the article removed?

Of course Google should not remove the entire article. That was never what the law said. If they did so, it was just another blatant attempt at manipulating opinions of journalists in the hope that journalists' reporting will start to sway public opinion.

If it was just the *link* between a commentator name and the article that was removed, i.e. you would still find the article through googling words from the content of the article, then what is BBC's problem?

Google is blatantly trying to manipulate public opinion through journalists. They are deliberately misinterpreting the law to create an impression of draconian consequences.

about a week ago

Drupal Fixes Highly Critical SQL Injection Flaw

benjymouse Re:It's not that hard to do it right (54 comments)

People can write equally vulnerable code in Python or Java or Ruby.

Nonsensical. Yes, given enough effort, one can certainly write equally vulnerable code in Python or Java or Ruby. That does not prove *anything*.

This particular vulnerability is directly triggered by an extremely poor PHP design decision: To conflate arrays and hashtables. The Drupal developers wrote some code that on the surface looks sorta ok. But it assumes that the passed array has numerical indexes.

But in their wisdom, PHP designers decided that separate data structures were too complex for programmers to understand. Alas, arrays and hashtables are the same, since one could view an array as "just" a hashtable that happens to use integers as keys.

The code in question assumed that it could retrieve the "position" of a value in the array and use that. Only, when the position was text with PHP or SQL attack code it led to a vulnerability.

There is NO way to compare that to vulnerabilities created by Python, Java or Ruby developers. Given the exact same lines of thought - which are not at all "out there" - the same way of thinking would NOT have led to a serious vulnerability in any of those languages.

PHP is just bad, bad design. And the bad design is dangerous.

about two weeks ago

Confidence Shaken In Open Source Security Idealism

benjymouse Re:Open Source in commercial products (265 comments)

It wasn't a bug in bash, it was working exactly as expected. What wasn't expected was web devs passing in data directly from the Internet into bash. Bash incorrectly assumed that environmental variables were assigned from a trusted source.

Nope. It was a bug. While it was the intention that bash would "import" function definitions from env vars, it was *never* the intention that it would directly and without confirmation execute any commands *following* the function definitions in the env vars.

So yes, a serious bug.

about two weeks ago

Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others

benjymouse Re:Sensationalize much? (97 comments)

1 - ISight claims this has been a five year campaign and then adds that "hackers began only in August to exploit a vulnerability found in most versions of Windows". So where did the "five year" timeline come from?

2 - "Russian hackers target NATO, Ukraine and others" the article screams and then we find this wishy washy explanation from ISight's John Hullquist on his claim about the hackers being Russian:

Sounds like a bunch of FUD to me

While I suspect that ISight (like all "security research" companies) deliberately stirs the pot (it helps generate awareness of their products), they do not actually claim that the specific vulnerability has been used for 5 years.

One could imagine that the "Sandworm" operation has been ongoing for 5 years. If they continually and persistently try to infiltrate NATO and other organizations they will probably use whatever opportunity presents itself. They actually also try to exploit vulnerabilities that have long been patched, hoping to hit an unpatched machine.

So while they do try to sensationalize, it is conceivable that the hacker group is older than just the most recently used vulnerability.

about two weeks ago

Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others

benjymouse Re:Hilarious (97 comments)

Why?

Microsoft is not a state-owned enterprise, and has no allegiance to any state. It has a responsibility only towards its shareholders, and apparently the business model of selling flawed software is very profitable.

As opposed to doling out flawed software for free?

about two weeks ago

How Poor Punctuation Can Break Windows

benjymouse Re:Shellshock is way worse (94 comments)

does IIS pass headers along to CGI scripts the same way Apache does?

Are you fucking kidding? You get them out of a collection that's a property on the request object. They aren't shat into arbitrary fucking shell environment variables, like someone's freshman year CompSci project. Grow up!

I believe that it is the CGI specification that requires parameters to be passed as environment variables. So if you use CGI on IIS it should work the same way.

That would not trigger this issue, however, as it requires some script to expand the environment variable and it is not an automatic braindead expansion like in bash. The most common environment variables to be expanded are %WINDIR%, %USERNAME% and the like. Not ever have I seen someone write %HTTP_USER_AGENT% or any other %HTTP_*% expansion. There's no systemic failure as with bash Shellshock.

But to be fair, it *does* look like an injection vector. Yes, GGP blatantly ignored that the claim I made was about PowerShell - not cmd.exe - but there seems to be an issue, and it just reinforces my point that shells (i.e. Windows shells included) that conflate text and instructions are error prone by default.

about two weeks ago

How Poor Punctuation Can Break Windows

benjymouse print0 (94 comments)

It is the exact same type of vulnerability that has existed in other weakly-typed shells since their inception. This is the reason why you should use -print0 with find before passing it to any other program: If you do not you risk that the filename is an injection attack.

The culprit is the idea that a shell is just some form of text interpreter that will interpret anything that is text. There is no semantic separation of "text" and "executable".

Unfortunately, this "code is just text" has become so entrenched in shell scripting that it is vulnerabilities waiting to happen. Process substitution, subshells etc all rely on this very property.

At least with PowerShell there is no such stupidity. In PowerShell you have to indicate specifically each time you want text interpreted and executed. PowerShell script block is a separate type (actually, a lambda) from text, integers, dates, decimals etc. The ease of how you pass executable content (script blocks) even over the network removes most reasons to interpret text as executable commands.

about two weeks ago
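
The -print0 advice in the comment above, shown as an added example that is not part of the original comment: the same directory is read once line by line and once NUL-terminated. The file names, the temporary directory and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Everything lives in a throwaway mktemp directory.

# Build a tree with three files; one file name contains a newline.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    nl='
'
    : > "$d/plain.txt"
    : > "$d/two words.txt"
    : > "$d/first${nl}zz-constructed-second.txt"   # ONE file, two "lines"
    printf '%s\n' "$d"
}

# Line-based parsing: every output line of find is taken as one path.
count_by_line() {
    find "$1" -type f | wc -l | tr -d ' '
}

# NUL-based parsing: NUL cannot occur in a path, so counting the
# terminators gives the real number of files.
count_by_nul() {
    find "$1" -type f -print0 | tr -cd '\000' | wc -c | tr -d ' '
}

# What a line-based consumer would act on that is NOT under the scanned
# root: text after the newline, chosen by whoever named the file.
outside_root_by_line() {
    find "$1" -type f | while IFS= read -r p; do
        case $p in
            "$1"/*) ;;                      # still inside the scanned tree
            *) printf '%s\n' "$p" ;;        # path fragment from the file name
        esac
    done
}

# Safe consumer: xargs -0 passes each NUL-terminated name as one argument,
# so every argument the child sees is a file that really exists.
existing_by_nul() {
    find "$1" -type f -print0 |
        xargs -0 sh -c 'n=0; for f in "$@"; do if [ -f "$f" ]; then n=$((n + 1)); fi; done; echo "$n"' sh
}

# Stand-alone demo run.
demo=$(make_demo_dir) || exit 1
echo "paths seen when splitting on newlines: $(count_by_line "$demo")"
echo "paths seen when splitting on NUL:      $(count_by_nul "$demo")"
echo "line-based path outside the root:      $(outside_root_by_line "$demo")"
echo "existing files handed over by xargs -0: $(existing_by_nul "$demo")"
rm -rf "$demo"
```

In bash, `while IFS= read -r -d '' f` reads the same NUL-terminated stream inside a loop.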

Systemd Adding Its Own Console To Linux Systems

benjymouse Re:UseLessD (774 comments)

Or you could use what we've been using for the past 20-30 years that has been debugged, proven to work and not completely different to the rest of the world.

Like.... bash?

about two weeks ago

Systemd Adding Its Own Console To Linux Systems

benjymouse Re:Or we learn from others mistakes (774 comments)

Does anyone really want "better localization" in terminals. My experience as a bilingual user from windows is that the less things are localized the better they work.

I have to agree that you usually experience fewer problems if you just run as English. I do the same. It should not be that way, however.

Making commands localized breaks script compatibility. (And that includes any output if that is parsed too.)

That is (one of) the problems actually solved (on Windows) by PowerShell: Typed parameters and strong typing eradicate such parsing bugs.

For processes more than 2 days old:

ps | ? starttime | ? starttime -lt (get-date).adddays(-2)

It has gone to the point where I get the English version of Windows rather than one adapted to my native language.

Me too, but not because of the CLI; rather the sooner availability of service packs and tech previews. Also, I cannot stand the mingling of languages in dialog boxes where some text is provided by the OS and some by the application.

The localization of some of the folder names makes things break and the translation of GUI elements obfuscates the function and makes it so that one has to translate everything to English and back to realize what the function is, especially when the original translator used every synonym for "device" he could possibly find.

Getting there. Slowly.

about two weeks ago

Hackers Compromised Yahoo Servers Using Shellshock Bug

benjymouse Re:Can someone explain... (69 comments)

This lets bash execute anything as the afflicted user.

Yeah and who exactly is this afflicted user? Right, normally apache or some other unprivileged user who has relatively little power though granted you don't even want unprivileged users logging in from the Internet

You are one setuid/SUID utility away from total system compromise. Even one such utility that invokes bash (or the default shell which is bash on Fedora and RH systems) and your box isn't yours any more.

Shellshock is *also* a privilege escalation vulnerability when exploited locally. Granted, you need to find such a setuid utility. But the utility does not need to be vulnerable by itself. It just needs to invoke the shell through system() or similar.

about three weeks ago

Test Version Windows 10 Includes Keylogger

benjymouse Re:I would not have a problem with this if... (367 comments)

I would have no qualms about this practice if it were completely up front in its entirety rather than have to read about it in a blog.

This is a quote from the page where you agree to the terms of the preview program (this is the top text - the first you read):

Accept the Terms of Use and Privacy Statement

This should be the most boring step. Accept the Terms of Use and Privacy Statement and we can finish up your registration.

By accepting the Terms of Use and Privacy Statement, you agree that:

* The experimental and early prerelease software and services might not be fully tested.

* You might experience crashes, security vulnerabilities, data loss, or damage to your device.

* Your detailed usage and device data will automatically go to Microsoft and our partners to improve our products and services. See the Privacy Statement for more information.

* You will receive communications about the program and related promotions. Once you’ve joined the program, to stop receiving such communications you must leave the program.

about three weeks ago

Test Version Windows 10 Includes Keylogger

benjymouse Re:Datamining (367 comments)

Some of this stuff will probably just concern the free Technical Preview, but there's still a clear trend of Microsoft turning Windows into a datamining platform. It started with Windows 8 where they try to get the user to log into their own computer with a Microsoft account. It seems to be only getting worse.

In Windows 10 you can choose not to use a Microsoft account - just like with Windows 8.

On top of that, Windows 10 will allow corporations to federate their own AD - which means that you will get the device-sync features *without* creating a Microsoft account.

about three weeks ago

Test Version Windows 10 Includes Keylogger

benjymouse Re:So no company is going to install it? (367 comments)

Tell me what larger corporation concerned about information control is going to accept anything close to that?

Don't install the preview version for production purposes then.

This is telemetry from the preview version. You explicitly accept the telemetry when you join the preview program.

If a larger corporation does not like that, even for testing purposes, then they can simply wait for the final (RTM) version.

about three weeks ago

Xen Cloud Fix Shows the Right Way To Patch Open-Source Flaws

benjymouse Re:Black hat (81 comments)

What if someone who privately knows about the vulnerability gets the idea to exploit various installations of competitors (or even common users!) during the embargo period? Do you trust large enterprises not to misuse their knowledge to their own advantage?

A patch cannot be prepared "privately" without a number of people knowing about it: Developers, testers, reviewers, server admins etc. At each of the organizations that are privy to the predisclosure.

There is money to be made from that. To gain access to an exploitable vulnerability before a patch can be distributed broadly is a massive opportunity.

What if someone starts to sell off their knowledge to blackhatters?

What if someone sets up what looks like a legitimate business (a fake antimalware) and uses it primarily to get inside info?

about three weeks ago

Will Windows 10 Finally Address OS Decay?

benjymouse Re:OS Decay is largely a myth. (577 comments)

I know it is a database, and slightly optimized. "A few records" would not affect query time, especially if they were not in the query path.

What about a lot of records? And how about a lot of records that are in the query path?

It's a database. IIRC it uses B* trees. Search time is proportional to the logarithm of total number of records. Even "a lot" of records may not cause the height of the tree to increase. You generally need to *square* the number of records to double the search time.

At the same time, the registry hives are really, really robust. Windows keeps two redundant copies and even protects writes through the kernel transaction manager as well as the journal of the file system. Corruption is virtually impossible until the hard drive decays to a state where even the redundancy cannot make up for it anymore. Unlike text files, both metadata *and* data are guaranteed to either succeed in an atomic transaction.

(compare to the Unix way, where config files can be corrupted if the system/power fails during a write: File systems do not guarantee *data* consistency for regular files, only *metadata* consistency, i.e. the fs guarantees that its internal structures will not cause it to go haywire on your files afterwards)

I suspect that this is actually the reason why there's a myth about corruption of the registry: With all of the redundancy, the registry is often the last component to fail when a drive succumbs. At the same time, Windows will refuse to start *if* the registry is corrupted. At that point the drive is in such a bad state, that even restoring/repairing the registry corruption will not save the drive.

about three weeks ago

Microsoft Announces Windows 10

benjymouse Re:Catching up with Fedora (644 comments)

Terseness??

PS C:\> Get-ChildItem

[INSERT LONG ASS LIST OF FILES HERE IN SIMILAR FORMAT TO ls -l THAT SLASHDOT REFUSES TO LET ME POST]

PS C:\> Set-Location dev
PS C:\dev> Get-Content _vimrc .....

How one might obtain a directory listing in a concise format is beyond me.

Ah! That is because in PowerShell, the cmdlets are more true to the Unix principle of doing one thing and do it well: The Get-ChildItem cmdlet is not in the business of formatting output; its purpose is to find child items. And that is what it does: It finds items and passes them along the pipeline.

If objects "fall off" at the end of the pipeline, they are displayed at the console. PowerShell has a number of built-in formats for displaying various item types. In the case of file system objects (fileinfo and directoryinfo objects) they are formatted very much like what the old dir command did.

But don't let that fool you: It is still objects being passed, and you can format them any way you like.

However, in PowerShell, formatting is the responsibility of a few general formatting commands. Try piping the output of Get-ChildItem through Format-Table, Format-List, Format-Wide. There is even a Format-Custom where you can specify your own formatting.

Format-Table formats the objects in table format, i.e. each item on a separate row, with the properties as columns. You can specify which properties of the objects go into the columns. You can group and even calculate sums.

Format-List formats items in multiple groups of lines, where each line is a property name and a value. Again, you can specify which properties go in the output.

BTW, Get-ChildItem has aliases ls, dir and gci. Format-Table, Format-Wide and Format-List have aliases ft, fw and fl, respectively. So if it is really such a problem that you cannot get the default format of ls, you can do

ls | fw

That is, get the child items of the current directory and format them "wide" - which is spread across multiple columns.

Now, see if you can guess what this one does:

ps | fw

If you guessed it, you are beginning to understand.

Now do a ls | ogv to be blown away.

about three weeks ago

Microsoft Announces Windows 10

benjymouse Re:Catching up with Fedora (644 comments)

... (besides the obvious many-small-binaries unix philosophy vs the one-giant-blob windows philosophy) is that *sh is both a CLI and a scripting language.

PowerShell is not a one-giant-blob. The commands of PowerShell are all of them defined in a module. The core commands come from a core module. The shell itself does not need "magic" commands like bash and other *sh shells do (for instance, cd could not have been implemented as a loadable command in bash - because it manipulates the environment that is not accessible from external commands).

Even the ability to navigate a file system hierarchy is loadable. PowerShell itself sets up infrastructure for navigating "hierarchies" - and a file system is just one such hierarchy. Other providers/hierarchies are certificate store (think advanced keyring), registry, active directory, IIS server virtual file system, SQL server (navigate tables etc).

... is that *sh is both a CLI and a scripting language. Powershell is useful just as a scripting language.

False. PowerShell has many features aimed squarely at the interactive user, and frankly there is no other shell that comes close:

* Automatic metadata inference: Tab completion, automatic suggestions, syntax help, (parts of) man pages are derived automatically from the command/function definitions. Number, names and types of parameters are declared for cmdlet parameters. Even declarative validators will be picked up. When you type "man somecommand", PowerShell looks up all that information and generates up-to-date call syntax instructions along with whatever man content has been written. It works for built-in commands and functions, user defined commands/functions and even script files. Script files use a param directive to declare parameter names and types.

* Tab completion *and* automatic suggestions (intellisense - in the ISE), again generated from the metadata. Even works for your own script files without having to write completion definitions.

* Risk management. If you invoke commands with -WhatIf or -Confirm, the command will inform you what it *would have* done and inform you what it is *going to do* and ask for your consent, respectively. This is shell infrastructure and it even works for entire script files and nested scripts (when you invoke a script file with -WhatIf it will execute as if all the command invocations had been invoked with -WhatIf).

* Custom actions for warnings, errors, verbose messages and debug messages. You can pass -WarningAction Inquire (or short form -ea Inquire) to have the shell ask you whether it should continue if a command (or script) writes a warning message.

* Progress indicator and input functions infrastructure that work even across job and machine boundaries.

* Get-Credential cmdlet to *securely* obtain credentials from the user - allowing the user to prove identity by not just password, but by any authentication mechanisms available at the workstation, such as card reader, biometric devices, onetime passwords etc. Passwords are guaranteed to *NEVER* be available in memory in clear text (as opposed to bash/Linux).

* Out-Gridview (with alias ogv) lets you present a collection of objects in a GUI list and have the user pick one or many of them. The picked objects will be passed on on the commandline.

* much more

Sure you could use powershell as the CLI, but it does seriously suck.

I suspect that you have never really tried it. And I'm quite sure that you have never used the ISE - which has a command(console) pane but which also has source-level debugging, snippets, multiple script windows, multiple sessions, remote sessions etc.

Granted with bash illustrating the problems of a dual-use CLI and shell, separating the two might not be such a bad idea, but it's so much easier transitioning from shell one-liners to full shell scripting than the same from dos commands to powershell scripting. But posix enables this, not any particular unix shell in and of itself.

PowerShell has a much more clean syntax than bash. Bash's syntax is seriously strange and antiquated. And the parser dangerously buggy.

PowerShell has strong typing with clear separation between what is text and what is executable commands. Bash and the entire *sh tradition seriously conflates the two. Strong typing helps security by declaring specifically what you can expect in a parameter/variable.

about three weeks ago

Submissions

VLC threatens Secunia with legal action in row over vulnerability report

benjymouse benjymouse writes  |  about a year ago

benjymouse (756774) writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled More lies from Secunia. It seems that Secunia and Jean-Baptiste Kempf have different views on whether a serious vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to "unpatched". Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)."

Pwn2Own 2009: Safari, IE8 and Firefox all pwned!

benjymouse benjymouse writes  |  more than 5 years ago

benjymouse (756774) writes "In a matter of seconds, Charlie Miller, last year's winner of the PWN2OWN contest did it again at CanSecWest and successfully exploited a fully patched Safari running on a Mac. He came prepared, directed the operator of the browser to browse to a rigged website and it was all over.

He took the $10.000 first prize and the macbook home with him.

Last year he was quoted as saying "Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime.".

As I wrote this submission news came in that all of IE8, Safari (again) and Firefox were pwned by a researcher going by the name "Nils". So far only Chrome remains standing.

These were all drive-by exploits against fully patched browsers, not 3rd party plugins. Be careful out there."

Vista Capable lawsuit loses class action status

benjymouse benjymouse writes  |  more than 5 years ago

benjymouse (756774) writes "In a big setback for plaintiffs, a federal judge has stripped the class-action status from the Vista Capable suit against Microsoft.

Computerworld writes

The consumers who brought the original lawsuit, and those who followed as members of the class action, will be free to continue their cases, but they will have to do it individually, not as a group, Pechman said. "Approximately one year ago, this Court certified a class in this matter and allowed Plaintiffs 'to further develop their price inflation theory'," Pechman said. "It is now apparent that class treatment is no longer appropriate."

"Dr. Leffler did not attempt any regression analysis, much less an econometric analysis of the impact of 'Vista Capable' on demand," Pechman said. "It is ... critical to Plaintiffs' theory of proof to isolate Microsoft's purportedly deceptive efforts to increase demand from promotions OEMs had in the run up to the holiday season."

Presumably the lawyers for plaintiffs were expecting a good chunk of the potential damages. This will make it much more costly and risky to retrieve such damages. Will this effectively spell the end of the suits, or will the lawyers press on? IANAL so I wouldn't know whether they can appeal this ruling or not."

Microsoft urges Windows users to shun Safari

benjymouse benjymouse writes  |  more than 6 years ago

benjymouse (756774) writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to "restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple". This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Basically, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem.

The MS bulletin speaks of a possible "blended" attack. This is obviously recognizing that having the desktop carpet bombed with executable files does not imply that they can be executed. However, once the files are on the desktop all an attacker needs to do is to find some social engineering attack vector or a way to launch one or more of the files through some other vulnerability. At the very least it does not take much imagination to come up with scenarios where this vulnerability can be used by spammers or skiddies out to annoy users.

It is unprecedented for Microsoft to recommend Windows users to abstain from using a mainstream software product, especially a competing product. Could it be that Microsoft's security response team have grown sensitive over Apple TV ads ridiculing Windows users over security while at the same time Apple software products, especially Quicktime, and now Safari threatening the security of those very same users? Surely the "Apple software updater" push of Safari hasn't exactly earned them points in Redmond. Surely MSRT realizes that this may be controversial. Is this a "stab" back at Apple and/or a way to shine light on Apple's own security problems?"

Netcraft: Microsoft IIS may soon overtake Apache

benjymouse benjymouse writes  |  more than 7 years ago

benjymouse (756774) writes "From the latest Netcraft web server survey:
In the August 2007 survey we received responses from 127,961,479 sites, an increase of 2.3 million sites from last month. Microsoft continues to increase its web server market share, adding 2.6 million sites this month as Apache loses 991K hostnames. As a result, Windows improves its market share by 1.4% to 34.2%, while Apache slips by 1.7% to 48.4%. Microsoft's recent gains raise the prospect that Windows may soon challenge Apache's leadership position."

Journals

benjymouse has no journal entries.
