Comments


Password Security: Why the Horse Battery Staple Is Not Correct

jpvlsmv Re:Many passwords just don't matter. (546 comments)

Print your password in Barcode3of9 font and tattoo that on your hand (or stick the printout in your wallet if there's a password change policy) When you want to "log in" to the scanner, just blip, and you're in.

about a week ago

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

jpvlsmv Re:"could be worse than Heartbleed" (318 comments)

Bash is still executed even with the multi-argument call to system.

The file /usr/bin/xzgrep is a shell script (note the #!/usr/bin/bash as the first line of the file). It inherits the CGI environment variables from its parent process, in this case the Perl interpreter. And since some of those CGI environment variables are controlled by the attacker (such as the Referrer: and Cookie: headers) the arbitrary code is executed.

And Bash is even executed when you open(INFILE, "/usr/bin/xzgrep error /var/log/my.log|","r") -- because the thing you're running isn't an ELF executable, it's a #!/usr/bin/bash text file.

Yes, there are other ways to do this (call xz directly without the xzgrep wrapper, use IO::Compress::xz, etc).

about three weeks ago

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

jpvlsmv Re:"could be worse than Heartbleed" (318 comments)

Ok, perhaps I undermined the importance, but if you are using 'xzgrep' in cgi context in a serious situation, I would say that is still a mistake. Forking and execing in response to an http request is terrible performance wise before getting to the security dubious of it all.

The dhclient-script stuff is pretty significant and I think I would be in a weak position saying that those have no business execing system commands/scripts. However it does suggest it may be worthwhile to have a helper that is non-root with capabilities to allow it to do key stuff to limit its ability.

# run under mod_perl
print "Content-Type: text/plain\n\n";
system("/usr/bin/xzgrep error /var/log/my.log");

Can you see how this perfectly secure quick CGI to find errors in your log file would result in a system compromise?

about a month ago

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

jpvlsmv Re:"could be worse than Heartbleed" (318 comments)

Except for the system "utilities" that are actually bash scripts, such as /usr/bin/xzgrep. These are vulnerable to inheriting malicious environment variables from the parent processes even if the overlying process is not a shell script.

The other reasonable vector is the use of environment variables set by your dhcp client before running /etc/sysconfig/if-up.d/* based on whatever is contained in the first DHCPOFFER packet it receives.

about a month ago

Remote Exploit Vulnerability Found In Bash

jpvlsmv Re:Full Disclosure can be found on oss-security... (399 comments)

In addition, ANY CGI that calls out to the system may call something that is actually a bash script even if it doesn't look like one.

For example, xzgrep on my Ubuntu system is a bash script, so this is vulnerable:

#!/usr/bin/perl
print("Content-type: text/plain\n\n");
system("xzgrep info /var/log/mylog.xz");

about a month ago
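As an added example (not the commenter's code, and not part of Slashdot or the xz project), the following POSIX shell script shows the audit step and the mitigation implied by the xzgrep comments above and the mod_perl snippet further up: read a command's "#!" line to learn whether the "utility" a CGI shells out to is really a shell script, and scrub the inherited environment with env -i before invoking it. The xzgrep stand-in script, the fake ELF file and the HTTP_COOKIE value are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the comments above. Two helpers for auditing a
# CGI that shells out, as the xzgrep comments describe:
#   interpreter_of FILE  - print the interpreter named on FILE's "#!" line,
#                          or "binary" when the file has no "#!" line
#   run_scrubbed CMD...  - run CMD with a minimal environment so that
#                          request-controlled variables (HTTP_COOKIE,
#                          HTTP_REFERER, ...) never reach a shell-script
#                          "utility" that the CGI happens to invoke

interpreter_of() {
    # Only the first line matters; "#!/usr/bin/env bash" names bash in $2.
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        '#!'*) set -- ${first#"#!"}
               case "$1" in */env) echo "$2" ;; *) echo "$1" ;; esac ;;
        *)     echo binary ;;
    esac
}

is_shell_script() {
    # True when the interpreter is bash or sh, with or without a directory prefix.
    case "$(interpreter_of "$1")" in
        bash|*/bash|sh|*/sh) return 0 ;;
        *)                   return 1 ;;
    esac
}

run_scrubbed() {
    # env -i starts from an empty environment; only PATH and a fixed locale
    # are passed on, so nothing the HTTP client sent is inherited by CMD.
    env -i PATH=/usr/bin:/bin LANG=C "$@"
}

# Constructed stand-in for /usr/bin/xzgrep: a shell script that reports whether
# it can see the request-controlled HTTP_COOKIE variable.  A fake ELF header
# stands in for a compiled binary such as xz.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/xzgrep" <<'EOF'
#!/bin/sh
if [ -n "${HTTP_COOKIE+set}" ]; then echo leaked; else echo clean; fi
EOF
chmod +x "$demo_dir/xzgrep"
printf '\177ELF' > "$demo_dir/xz"

HTTP_COOKIE='constructed-request-value'; export HTTP_COOKIE
"$demo_dir/xzgrep"                # the way the CGI above calls it: prints leaked
run_scrubbed "$demo_dir/xzgrep"   # same script, scrubbed environment: prints clean
```

The same shebang check applied to every command a CGI names in a system() call is a quick way to find the xzgrep-style cases before an attacker does.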

"Big Bang Signal" Could All Be Dust

jpvlsmv Re:Cue "All we are is dust in the wind" (133 comments)

- The universe did not come from nothing. Thermodynamics prevents this.

- The universe did not create itself. Thermodynamics prevents this.

- The universe was not created.

You left out the most important 4th point:

- Ergo, the universe does not exist.

about a month ago

Universal Big Bang Lithium Deficit Confirmed

jpvlsmv Re:!Big Bang (171 comments)

I guess that disproves the Big Bang Theory! Now what show am I going to watch?

Maybe try something with a little less scientific rigor... How about COSMOS: A Spacetime Odyssey

about a month ago

When Scientists Give Up

jpvlsmv Re:Tax patents/royalties to fund basic research (348 comments)

No, the tax is on engineering results. It would be laundered through the NIH for funding the basic research that NIH would fund now if congress would give it the money it has in the past.

about a month and a half ago

When Scientists Give Up

jpvlsmv Tax patents/royalties to fund basic research (348 comments)

I heard this piece on NPR yesterday, and the thing that kept running through my mind is how the pharmaceutical industry is extorting huge profits based on fundamental research-- with much of that happening under NIH grants. Why not set a tax rate on drug patent royalties and use that to fund the NIH?

You have a multi-billion-dollar-sales patented drug? Chip in 0.5% of the revenue to fund NIH grants. Or make your own equivalent grants to truly independent researchers.

Enter into a licensing deal on a drug patent? Chip in 0.5% of the revenue to fund grants.

about a month and a half ago

In France, a Second Patient Receives Permanent Artificial Heart

jpvlsmv Re:WIFI-Enabled Vital Organs?!?! (183 comments)

If the implanted device is running an IPv6-only stack, nobody will be able to talk to it for years and years. I don't expect to see broad rollout of pure IPv6 in my lifetime.

about a month and a half ago

Scientists Sequence Coffee Genome, Ponder Genetic Modification

jpvlsmv Re:The important thing (167 comments)

Isolate out the caffeine genes, and start adding it to other plants. There are times I'm eating breakfast, and I'm thinking "Why am I only getting caffeine from the coffee? Buzz up them hashbrowns! Perk up that toast!" If we can introduce it into animals, think about caffeinated eggs, or butter, or cheese. We can finally jitter up the world.

To heck with that, splice that gene into a retrovirus, and let me caffeinate every cell in my body!

about a month and a half ago

Selectable Ethics For Robotic Cars and the Possibility of a Robot Car Bomb

jpvlsmv Re:Blue Screen of Death... (239 comments)

You're right, officer, Clippy should not have been driving.

Now, what to do when my Explorer crashes...

Click on the Start button, go to "All Programs", then go to "Brakes", right-click on the "Apply Brakes" button, and choose "Run as Administrator". After the 15-second splash screen (now with Ads by Bing), choose "Decelerate Safely".

about 2 months ago

US Defense Contractors Still Waiting For Breach Notification Rules

jpvlsmv Re:The rules are already out (19 comments)

Please report to level D-10 for reassignment as reactor shielding. The computer is your friend.

about 2 months ago

Hints of Life's Start Found In a Giant Virus

jpvlsmv Re:Well (158 comments)

I, for one, welcome our new virii overl...oh forget it, this meme is no longer funny.

Virii? Nitpicking, I know, but that particular abuse of the language makes me cringe, it really does, because it is so bizarrely and emphatically wrong on far too many levels.

[...]

just like 'one bus, several buses' ('bus' from 'omnibus', but let's not go there). Apart from that, you would use a nominative singular here: '... our virus overlords ...'

Buses? Nitpicking, I know, but that particular abuse of the language makes me cringe, it really does, because it is so bizarrely and emphatically wrong on far too many levels.

The correct plural of bus is bi. (Unless you're talking about the London double-decker variety, in which case it's bii.)

about 3 months ago

Tor Project Sued Over a Revenge Porn Business That Used Its Service

jpvlsmv Re:"Don't be ridiculous." --Balki (311 comments)

Was "revenge porn" non-existent before Tor?

It was mostly limited to scratching "For a Good Time Call Jenny 867-5309" on the bathroom stall of every local truck stop/gas station.

And no more defamatory then, either.

about 3 months ago

How Japan Lost Track of 640kg of Plutonium

jpvlsmv Re:Come now. (104 comments)

Hint: a cleric sitting in his office somewhere filing lots of reports

Thank goodness we have the separation of church and state in the US. It's only our Patriotic Paladins who get to fill out reports over here.

about 3 months ago

Site of 1976 "Atomic Man" Accident To Be Cleaned

jpvlsmv Re:Faith in God (299 comments)

The reasons for the quotation marks would make for a very long rant about ionizing vs. non-ionizing radiation and their complete ignorance of what is actually going on.

If you really want to get the far right riled up about radiation, you could call something different than non-ionizing. Can you imagine if the public were exposed to unionizing radiation?

about 4 months ago

Mutant Registration vs. Vaccine Registration

jpvlsmv Registry checklist: (493 comments)

I'm trying to keep track of what kind of registries are acceptable for each (US) political party.

No Fly Registry: It's Our Patriotic Duty (D&R)
Gun Owner Registry: Acceptable for (D), Unacceptable for (R)
Legal-to-work-in-US Registry: Acceptable for (R), Unacceptable for (D)
National ID card: Acceptable for (D), Unacceptable for (R)
Vaccination Registry: Acceptable for (D), Unacceptable for (R)
Superhero Registry: It's Our Patriotic Duty
Mutant Registry: Ditto
Windows Registry: Can't run Windows without it, and what else would you run?

about 5 months ago

Botched Executions Put Lethal Injections Under New Scrutiny

jpvlsmv Use confiscated drugs (483 comments)

I still don't understand why the lethal injection isn't just a bunch of heroin that's been confiscated in the latest raid. People OD on heroin without being horribly uncomfortable.

about 5 months ago

"Smart" Gun Seller Gets the Wrong Kind of Online Attention

jpvlsmv Re:Gun nuts (1374 comments)

The 2nd Amendment of the US Constitution guarantees that each citizen has the right to keep and bear arms for self-defense. There are only a very few obvious prohibitions, namely against convicted felons and those declared mentally incompetent or ill.

I have yet to see any constitutional argument that supports these "obvious prohibitions". Either the 2nd amendment allows each citizen to keep and bear arms (including convicted felons and the insane) or there are obvious limits on the scope of the rights enumerated there.

And once you accept that there are obvious limits on the scope of gun rights, then you can't just say "the 2nd amendment allows me to carry whatever firearm I want wherever I want to"

about 6 months ago

Submissions

jpvlsmv hasn't submitted any stories.

Journals


My New Word of the day

jpvlsmv writes | more than 6 years ago

I've created a new word for today:

Home Cussprovement. It's when you take a simple home repair, start it and end up cussing the previous "handyman" for doing such a half-assed job at it the first time that it takes you 5x longer to unfix his crap and do it right.

For example:

Everything's perfect with the lightswitches in the room, except for the one that turns "up for off" (everything else is down for off). A simple turn of the switch body should fix that: a couple of screws, a twist, and everything's happy, right? Except that the previous bright spark of an electrician used six wire nut junctions feeding just-too-short bits of cable (in such an entertaining variety of colors) so that loosening any of the switches causes at least two wire ends to pop out of their former homes, with such an amusing brownout* that ensues. That's a Home Cussprovement.

Or today's discovery that the bathroom vent fan is not exactly installed correctly. It was making noise when the fan was on, so I think "motor bearing or vibration in the shaft". These are fairly simple systems: hole in ceiling, wired to switch, vent to outside... I should be able to knock this problem out quickly. Guess which of the three components our previous handyman had gotten wrong? I'll give you a hint: All of them. The hole in the ceiling is 2" too long in one direction and 3/4" too short in the other. The wire from the light is not marked as switched (blue rather than black, but I can forgive that one) and is made of the wrong metal for the fixtures at both ends (both are Cu-only, the cable isn't). And the "outside" to which this great installation is vented simply means "above the ceiling drywall". Of course, none of these features were visible without removing the vent cover, which is what was really causing the noise in the first place (the motor shaft was hitting one of the cover fins), but now that I know about them, I have to do something about them.

--Joe

* Since this is such an "easy" job, I don't mind doing it live, but when half the house goes dark after the first screw comes out, I get worried and pull the main breaker. DO NOT TRY THIS AT HOME. NEVER WORK ON MAINS VOLTAGE LIVE. KEEP ONE HAND IN YOUR POCKET. TAKE YOUR PHONE/PAGER OFF VIBRATE! THIS IS VERY DANGEROUS, IF NOT DEADLY. DO NOT TRY THIS AT HOME. EVER. NEVER WORK ON MAINS VOLTAGE LIVE. Seriously.
