Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Bash To Require Further Patching, As More Shellshock Holes Found

c Re:Call it what you will (317 comments)

The wrong mechanism (a semi-persistent environment) is being used to transfer what should have transient data. That is a vulnerability in the spec.

Hm. Okay, I'll buy that argument.

In practice, if the CGI developer follows best security practices it shouldn't be a more significant problem than any other "untrusted input" path, and whatever invokes the CGI does have the option of cleaning up the environment instead of accepting the default, but it's fair to say there's a flaw in the spec.

yesterday
top

Bash To Require Further Patching, As More Shellshock Holes Found

c Re:Call it what you will (317 comments)

The fact is that bash allows external entities to poison environment variables ahead of invocation, causing unintended behavior in bash when it is launched as a child process.

Well, it's not that it allows external entities to poison the environment, it's that it gives the finger to that basic secure programming practice where you should just assume that externally provided input is tainted data.

(you could say that there is a design vulnerability in CGI - and I would agree about that).

Debatable.

There's nothing in the CGI specification that requires or suggests that there needs to be any kind of intermediary in handling the reqests aside from the web server. The environment is a perfectly legitimate way of passing data, and if the web server calls the CGI safely (i.e. pipe()/fork()/exec()) there's no reason for a transient interpreter like bash to get involved. And, aside from security, the performance hit of invoking a shell just to launch another program makes it a bit silly to do it any other way.

And I'd point out that it's possible to explicitly control the environment of a subprocess (i.e. execle()), so anything calling a CGI program can at least sanitize things to minimize any damage. Not that the CGI should depend on the caller to sanitize things, of course.

On the other hand, the environment is a perfectly stupid way to pass code around.

yesterday
top

2015 Corvette Valet Mode Recorder Illegal In Some States

c Re:Keeping it safe (266 comments)

Valet mode also locks storage compartments, and disables the stereo.

Missed opportunity, there. It should turn the stereo on, and shuffle play Celine Dion's Greatest Hits at loud volume. Guaranteed to discourage joyriding, or any other kind of joy.

3 days ago
top

2015 Corvette Valet Mode Recorder Illegal In Some States

c What does the boss say? (266 comments)

Given the massive increase in CCTV installs in places like parking areas, can a valet make a convincing claim that they have an expectation of privacy on the job site?

3 days ago
top

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

c Re:"could be worse than Heartbleed" (316 comments)

The only communication mechanism for talking to the subshell is the environment.

Well, the easy communication mechanism is the environment. And, quite frankly, I don't have a particular problem with bash treating stuff that bash intends to be a chunk of code as code. It's just random other bits of the environment that aren't intended for bash that are the problem.

It's *nix, though, so there's many more ways to pass data around between processes than just the environment. Even if you've gotta use the environment, why not go with a env variable namespace, like "BASH_FUNCTION_FOO=()"?

4 days ago
top

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

c Re:"could be worse than Heartbleed" (316 comments)

Try to understand, this is not about executing bash scripts as cgi, and it's not about sanitizing input. Period. It is about httpd setting environment variables from unsanitized user input when calling ANY cgi.

Well... no. The root of the problem is bash treating something which really should only be considered data as code.

When I hear the words "Environment Variables", I don't think "well, some random bozo is going to look at those and just up and execute 'em". For bash to be treating the contents of the environment as anything other than dumb strings is, quite frankly, a Very, Very Bad Thing. For variables being set within a shell script, sure, they're intended for bash. But for data passed from program to program and not really even intended for interpretation by any specific script engine (which is fundamentally what environment variables are for), it's incredibly dumb.

4 days ago
top

Canadian Regulator Threatens To Impose New Netflix Regulation

c Re:why does the CRTC need this list? (324 comments)

Personally, I like the idea of that. It encourages and funds a lot of Canadian artists that might otherwise get swamped out of the market by monied American interests.

Personally, I would much, much, much rather the CRTC enforce rules for true network neutrality for Canadian internet users and find some other way to promote Canadian content.

Or, more accurately, for someone else to force the CRTC to go that way, because there's pretty much zero probability that they'll do it without coercion.

about two weeks ago
top

Scotland Votes No To Independence

c Re:Everyone loses (474 comments)

The problem with relying for support for separation from the younger generation...

Well, yes. It still takes at least a generation for them to work it out of their system. 40 years might do it, but seeing where we are now in Canada I think it's going to take another 20 or so before we can really feel comfortable that separation is truly dead.

The reality is that there's more people in the RoC (Rest of Canada) who would vote to kick Quebec out than there are Quebecers willing to pull the trigger on separation.

Oh, definitely. And to some degree, I think the growing understanding that Quebec wouldn't be able to unilaterally dictate the terms of a separation actually proceeded is one of the biggest factors in killing the movement.

about two weeks ago
top

U2 and Apple Collaborate On 'Non-Piratable, Interactive Format For Music'

c Re:confused (358 comments)

Apple also sells music in its lossless format, and there it's hard to get "robust" without annoying the listener.

No argument that it's hard.

But if Apple (I highly doubt U2 is directly involved in the research itself) did manage to develop a robust audio watermark that doesn't suck, it's understandable how someone would get the impression that it might result in an "unpiratable" format, at least within the bounds of the Apple walled garden.

about two weeks ago
top

Scotland Votes No To Independence

c Re:Everyone loses (474 comments)

The separatist movement here has burned itself out, the generation who were pushing for it being seen as burned-out old farts. Go back to the UK in 40 years and tell me that everyone lost.

From what I read of the demographics, it's mainly the younger generation of Scots that supported separation. They're pretty much at the stage of Quebec in the 70's.

about two weeks ago
top

Scotland Votes No To Independence

c Re:Canada & Quebec (474 comments)

I wonder if this will silence or encourage the separatists that want Quebec to leave Canada?

Encourage.

The margins are way too close. If it would've been more like 75% against, the Quebec separatists might have taken a bit of a morale hit, but 55% ? That's a "Please Play Again" for a separatist. The 1980 referendum was 59% against and it certainly didn't stop them.

The real question is whether the Scots are going to be smart enough to tar and feather the next bunch of politicians that decide they want to run a country? I'm not optimistic.

about two weeks ago
top

U2 and Apple Collaborate On 'Non-Piratable, Interactive Format For Music'

c Re:confused (358 comments)

Because it shows that neither know what they are talking about. If I can HEAR it, I can copy it. And the quality can get pretty damn good depending on how the sound is captured.

The only way I can see something like that working is a robust audio watermark containing the purchasers iTunes information. Won't stop copying directly, but would theoretically allow them to go after a "source" and possibly publish revocation lists that some devices could support to suppress "pirated" music.

Of course, that would only be applicable to online stores (I assume the record companies would force other stores to toe the line on the technology) and likely could only be enforced on iDevices. It obviously could be trivially defeated by ripping the music from a CD (for that short while we still have mass-pressed anonymous, physical media), pirates buying music using throwaway store accounts, or other peoples accounts being hacked.

But, let's face it, at this point the best they can hope for is deterrence rather than outright prevention.

about two weeks ago
top

iOS 8 Review

c Re:Keyboard (216 comments)

I think you're overselling it somewhat. I've tried the swype systems, and I always devolve to just tapping. Same with my friends that have access to it. Out of 4 of us, all of us hate swype based systems. That's not data, obviously, it's just an anecdote.

I think the GP is overselling it a bit too, but I've been using the standard Android keyboard for a bit now, which includes swype-like typing, and I'd have a tough time switching back to just tapping. It's substantially faster and generally as accurate as tapping and quite a bit better than any miniature hardware keyboard I've tried. I don't know that if it wasn't built if I'd have bothered downloading Swype or Swiftkey, but it's nice to have the option.

In some ways, it reminds me of the difference between Newton HWR and Palm Graffiti; you had to learn some new patterns to use Graffiti, but when you got used to it, it was light years ahead of the performance of the natural handwriting recognition of the Newton.

about two weeks ago
top

Google's Android One Initiative Launches In India With Three $100 Phones

c Re:$100 phones (50 comments)

Well... Yes. All technology corporations try their best to bring technology to more people than before.

I couldd swear that Microsoft has been trying hard at the exact opposite...

about two weeks ago
top

Microsoft Killing Off Windows Phone Brand Name In Favor of Just Windows

c Re:Abject brand mismanagement (352 comments)

People ***HATE*** "Windows". Windows is associated with work, pain, crazy difficulties, nerds and viruses. The brand name has negative value.

True. But it still gets more respect than "Windows Phone".

about three weeks ago
top

Text While Driving In Long Island and Have Your Phone Disabled

c Re:And if I am ridding in the car? (364 comments)

Well, that would explain why my language center pretty much seized up trying to make sense of that.

about three weeks ago
top

Report: Microsoft To Buy Minecraft Studio For $2bn+

c Re:No. (368 comments)

On the one hand, I can't blame notch, because if Microsoft offered me enough cash to retire, I'd sell out. But on the other hand, notch is already a millionaire, right? It's not like he needs the money.

He might be a millionaire, but there's a subtle qualitative difference between retiring comfortably versus buying a large Pacific island, having an army of minions carve it into something that looks like a Minecraft world, and retiring comfortably.

about three weeks ago
top

Text While Driving In Long Island and Have Your Phone Disabled

c Re:And if I am ridding in the car? (364 comments)

If my wife is driving and I am riding then what?

It's supposed to be applicable to people caught (and, presumably, convicted) of texting and driving. I'm sure being stuck as a passenger with no interesting distractions other than the company of the driver and other passengers might be considered a living hell by some people, but such is life.

about three weeks ago
top

Is It Time To Split Linux Distros In Two?

c Re:Huh? (282 comments)

Several years ago, a kernel developer submitted a patch that greatly increased Linux performance for desktop-oriented tasks

Well, sure. But that'd be a kernel fork.

Here's the problem... I'm not clicking on an infoworld link, so I can only go by the summary, which clearly talks about forking Linux distributions, not the kernel. And I assume the submitter is a professional infoworld writer, so the emphasis on distributions must've been intentional (since, it being slashdot, it's not like an editor would ever actually do any editing).

Now, someone could fork the Linux kernel according to workload, but any sane distro would just handle that scenario with a linux-image-server and linux-image-desktop packaging option and maybe a few meta-packages to sort out any other distinctions. Not unlike the -smp and -bigmem kernels that were typical until multi-core multi-GB desktops showed up.

In other words, even if the article-I-won't-read is talking about a kernel fork, the conclusion in the summary doesn't necessarily follow.

about three weeks ago
top

Is It Time To Split Linux Distros In Two?

c Huh? (282 comments)

I assume that this is yet another click-bait blog-spam article, because I can't imagine that anyone who knows jack about Linux distributions wouldn't be aware that server and desktop variants of various distributions have been and still are done.

More to the point, anyone who wanted it done that way would've or could've already done it. That the more popular distros don't generally make the distinction or don't emphasize it should be taken as a fairly solid answer to the question posed in the headline.

about three weeks ago

Submissions

c hasn't submitted any stories.

Journals

c has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?