
Comments


Vulnerabilities Found (and Sought) In More Command-Line Tools

s.petry Re:Silly (84 comments)

AFAIK what you are describing is surely possible, but I'm wondering if it's illegal. "Alquada_terrorist_network" may be offensive, but not assuming the ID of anyone. Yes, possible so I stand corrected.

1 hour ago

Vulnerabilities Found (and Sought) In More Command-Line Tools

s.petry Re:Silly (84 comments)

I think for the most part we agree, but I still disagree that you can't know if "Free_Hotel" WIFI is legit, since every Hotel I have been in has information in numerous places about their WIFI. Airports too, and shopping malls, etc... I could probably trap a whole mess of people in a Hotspot "Free_Airport_Porn", but anyone checking with the airport should know that this is not an Airport provided WIFI network. In fact they busted some guy just last week with a Hotspot because it had a name that included Al Qaeda somewhere (no charges filed), so some people do pay attention.

3 hours ago

Vulnerabilities Found (and Sought) In More Command-Line Tools

s.petry Re:Silly (84 comments)

You still have not demonstrated that a Client can hack a Server (and won't be able to), which as I stated means that Best Practices fixes issues for companies. If you are running DHCP, secure it! Both on the client and the server side.

People connecting to "any" Wifi they can find should have an expectation that they are going to be hacked. In fact if I own a DHCP server as a bad guy, you have more serious problems than me getting a shell on your laptop. I can MITM every connection you make so would not brute force in except as a last resort. I'd steal all your credentials and activities first.

4 hours ago

Debate Over Systemd Exposes the Two Factions Tugging At Modern-day Linux

s.petry Re:Non production Non Stable (851 comments)

"Debian" is a rather generic statement. Instead of presenting information that is false based on a generalization why not work on your own pathetic communication ability. Oh, I know.. it's much easier to troll. Asshole!

5 hours ago

Vulnerabilities Found (and Sought) In More Command-Line Tools

s.petry Re:Silly (84 comments)

So what you are telling me is that your wifi client automatically connects to any available network? Okay, but if you get hacked that is not a Bash problem. My WIFI does not connect to any random network, I have to take action to connect. Get a new WIFI client or secure what you have, problem solved.

5 hours ago

Ask Slashdot: Can You Say Something Nice About Systemd?

s.petry So much better than mine... (654 comments)

I was just going to quote Patches O'Hoolihan and say "You're about as useful as a poopy flavored lollipop."

Then I was going to ask if anyone else was concerned with this obvious brainwashing attempt for a pro systemd mindset? Between that, and all of the previous "You have to have it to be cool" and "all the cool guys are going to run it" arguments for systemd I'm going to start testing and auditing source code this weekend.

8 hours ago

Vulnerabilities Found (and Sought) In More Command-Line Tools

s.petry Re:Silly (84 comments)

Huh? First of all, DHCP has no authentication.

It may not have authentication, but it can surely be secured. Not to say your point is completely invalid, but it's not something that any business should really have to worry about because the DHCP Client does not hack the DHCP server.

Where your point has some validity is let's say a Laptop and a traveler. Going through the airport you could, if you wanted, connect to networks other than what the airport provides. So a bad guy can set up a rogue server and hotspot that you could connect to if you selected this network and told the application to connect. This should never be "automatic" and requires the user to change settings in everything I'm aware of. So let me go back and add user error to my list of reasons that shellshock was exploitable. Fair?

8 hours ago

Vulnerabilities Found (and Sought) In More Command-Line Tools

s.petry Silly (84 comments)

While surely there are serious bugs that are found, shellshock is not one on my list of "serious bugs". If you would have picked a different target, I may have taken less issue with your statement. Every exploit of "shellshock" requires either A) access to the system, or B) poor system administration/development (which in essence loops back to A).

Let's see how this is actually exploited from the same Wiki page.

CGI-based web server
If the request handler is a Bash script, or if it executes one for example using the system(3) call, Bash will receive the environment variables passed by the server and will process them as described above.

OpenSSH server
OpenSSH has a "ForceCommand" feature, where a fixed command is executed when the user logs in, instead of just running

DHCP servers
A malicious DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable workstation or laptop.

QMail server
Depending on the specific system configuration, a qmail mail server can pass external input through to Bash in a way that could exploit a vulnerable version

I added emphasis and snipped the quotes to the relevant portions, but you can read the whole Wiki if you have doubts.

As I stated in my opening, surely exploits exist but Shellshock was more noise than anything else. Yup it was a bug, but having it exposed to the Internet was not a Bash problem in and of itself. Shellshock was easy to avoid simply by using "Best Practices". If you are running your sites on a bunch of Bash CGI scripts, we knew that shell based CGI was a bad idea in the 90s. If you have a DHCP client attaching to unknown servers, shame on you. If you have arbitrary users with shell access to your hosts.. well, I guess it's possible that someone has this in their business model somewhere but it's surely not very common.

We manage many tens of thousands of websites, and even with "vulnerable bash" we could not exploit the bug unless we were logged in to a host. We tried really really hard to exploit it (at least 5 days of testing since they kept releasing patches), but we follow best practices.

yesterday
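As an added defender-side illustration (not part of s.petry's post or of the Wikipedia text it quotes): the CGI vector works because the web server copies request headers into Bash's environment, so a defender can sweep access logs for the function-definition prefix in those header fields. The log lines below are constructed with documentation-range IPs, not captured traffic.

```python
import re
from typing import Dict, List, Tuple

# A vulnerable Bash imports any environment variable whose value begins with a
# function definition, "() {". In the CGI scenario, request headers become
# environment variables (HTTP_USER_AGENT, HTTP_REFERER, ...), so that prefix in
# a header field is the signature to look for in web server logs.
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Apache "combined" log format:
# client ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic); the two probes are inert.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 512 "-" "() { :; }; echo probe"',
    '203.0.113.8 - - [25/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "() { :;}; echo probe" "curl/7.38.0"',
]


def parse_combined(line: str) -> Dict[str, str]:
    """Split one combined-format line into named fields; raise on malformed input."""
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def suspicious_fields(entry: Dict[str, str]) -> List[str]:
    """Return the header-derived fields carrying a Bash function-definition prefix."""
    return [k for k in ("request", "referer", "agent") if FUNC_DEF.search(entry[k])]


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Yield (client, request, flagged_fields) for each line with the signature.

    Malformed lines are skipped rather than aborting the sweep.
    """
    hits = []
    for line in lines:
        try:
            entry = parse_combined(line)
        except ValueError:
            continue
        fields = suspicious_fields(entry)
        if fields:
            hits.append((entry["client"], entry["request"], fields))
    return hits


if __name__ == "__main__":
    for client, request, fields in scan_log(SAMPLE_LOG):
        print(f"{client} {request} <- function prefix in {', '.join(fields)}")
```

Paths under /cgi-bin/ matter most, but the sweep flags any request carrying the prefix, since the same headers reach every handler the server launches.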

Vulnerabilities Found (and Sought) In More Command-Line Tools

s.petry Yup (84 comments)

I used to spend a ton of time doing nothing but scrutinizing source code. I used to not install things based on what I saw in the code, pretty commonly. I simply lack the time today, but wish I could make time for this. I have turned into a minimalist because I don't trust everything, which 15 years ago I thought was crazy.

That aside, at least with OpenSource I could try and make time. The source is there for scrutiny, we just need more eyes watching for problems. Compare this to closed source (as you stated) and you can't. What you may perceive as the OS looking to download a patch could easily be that OS uploading your passwords and credit card data. In fact go ahead and run one of those closed source OSes and dump all the traffic for a perfectly idle box.

yesterday

Debate Over Systemd Exposes the Two Factions Tugging At Modern-day Linux

s.petry Re:Non production Non Stable (851 comments)

You can read, puh leaze. I asked a question because the person wrote something that at best seemed misleading. If my interpretation of their statement was wrong, it would/could have been clarified. That did not happen.

yesterday

Debate Over Systemd Exposes the Two Factions Tugging At Modern-day Linux

s.petry Re:Non production Non Stable (851 comments)

Since you jump to this person's defense, I believe my assumption is fair that you are the same person. Numerous people here have personal sock puppet accounts, so this is not a novel or unexpected behavior.

If you didn't read the posts above mine and jumped in blind, that is _your_ fault. I responded to correct a false claim, your claim defended that post. That is how dialog works, and why there is post history so that you can determine context.

yesterday

Debate Over Systemd Exposes the Two Factions Tugging At Modern-day Linux

s.petry Re:Non production Non Stable (851 comments)

YOU DID!

Well good news, this is the default, at least on Debian. In fact Debian doesn't even store journalctl logs, it forwards them straight through to rsyslog. Of course, if you and literally every other Anon. Coward in this thread of posts knew what they were talking about, then it wouldn't exist. The "anti-systemd" brigade seems to consist of a lot of people who have absolutely no idea what they're doing, let alone any idea of how Linux actually works.

To which I asked what version you ran, and you claimed "current production" which is Deb 7, and the installed packages demonstrate that you are wrong.

In fact you claimed that I don't know what I'm talking about even though I proved you wrong numerous times. Continuing a lie will NOT make it the truth! A simple "Yup, I meant to claim that in beta/dev Debian it uses systemd, not in a production stable release" would have resolved the issue. Instead of doing this, you keep repeating a false claim that Debian 7 uses systemd as its default init system.

The existence of a package page does not make it a package installed by default. Looking at the default packages list (or what's installed) determines the default. You lose, good day!

yesterday

Debate Over Systemd Exposes the Two Factions Tugging At Modern-day Linux

s.petry Re:Non production Non Stable (851 comments)

Having a package available by backport is not the same as having a package installed by default, liar.

yesterday

Power and Free Broadband To the People

s.petry Re: Just like (257 comments)

He used to be able to hire more, but he got sued.

2 days ago

Power and Free Broadband To the People

s.petry Complete Horse SH$&! (257 comments)

Public housing resulted from economic disparity and poverty, not building standards. It was a cheaper and safer option to make new "cheap" buildings that are tenant controlled than hand out checks every month which may not have gone to rent anyway. Wealth disparity and poverty causes riots and has caused governments to be toppled. A lack of affordable housing is a side effect of poverty, not a stand alone condition (with the rare exception of temporary housing loss due to a natural disaster, which in reality loops back to poverty).

2 days ago

Power and Free Broadband To the People

s.petry Yup (257 comments)

The only part of your statement I disagree with is the use of the term "helping the needy", because these programs are never to help the needy. If they do help the needy, it's usually an unwanted side effect that receives no maintenance or scrutiny. There is always a new bureaucratic position to be created for the explicit purpose of consuming those funds.

Anyone doubting this just needs to look at the "Obama Phone" program, where taxpayers are getting shafted, just so people vote for a particular party. Americans are paying hundreds of millions in extra "fees" each year as tax on their services (close to 3.00/month report I read). I have no issue with giving 1 emergency phone to someone in need, but there are 2 huge problems with the current program. 1) No accountability so people are being found with dozen(s) of phones, and 2) The phones and services being handed out don't match up to the funds being taken in as a "Tax".

Oh, and there was a report in the last couple weeks that people with phones are still paying the tax, and people are still being found with dozens of phones from the program.

2 days ago

Security Companies Team Up, Take Down Chinese Hacking Group

s.petry Re:Chinese government complicity (63 comments)

Solution: Nuke em. Now where are my mod points and donuts? (You didn't claim it needed to be "good" solution.)

2 days ago

Apple Pay Competitor CurrentC Breached

s.petry Re:Minor correction (263 comments)

Not losing money is not the same thing as making money.

2 days ago

Apple Pay Competitor CurrentC Breached

s.petry Minor correction (263 comments)

Especially one designed to make more money for the retailers, and give them more access to consumer data.

Retailers are not making money from this service. In fairness, a retailer does not make more money from a credit card company either. The people making money from these services are in essence middlemen acting as the proverbial money changer and money lender.

That's not to claim retailers get nothing from the arrangement. They don't have to carry cash every day to deposit in the bank, and "skimming" is much less of an issue. For a retailer, it's probably worth the few percent on every transaction to be paid.

Retailers, for the most part don't care about the data aspects either. Sure, the mega stores do.. but.. they tend to creep people out already.

How this works with these secondary services is not the same arrangement, and as you claim "their benefit" is all that's considered. Making the issue more severe is the fact that these newer services lack the protections of the established services.

2 days ago

Submissions


Slashdot Beta Woes

s.petry writes | about 9 months ago

s.petry (762400) writes "What is a Slashdot and why the Beta might destroy it?

Slashdot has been around, well, a very long time. Longer than any of its competitors, but not as long as IIRC. Slashdot was very much one of the first true social media web sites.

On Slashdot, you could create a handle or ID. Something personal, but not too personal, unless you wanted it to be. But it was not required either. We know each other by our handles, we have watched each other grow as people. We may have even taken pot shots at each other in threads. Unless of course you are anonymous, but often we can guess who that really is.

One of Slashdot's first mottos was "News for Nerds" that Matters. I have no idea when that was removed. I have not always scoured the boards here daily, life can get too busy for that. That excuses my ignorance in a way. I guess someone thought it politically incorrect, but most of us "Nerds" enjoyed it. We are proud of who we are, and what we know. Often we use that pride and knowledge to make someone else look bad. That is how we get our digs in, and we enjoy that part of us too. We don't punch people, we belittle them. It's who we are!

What made Slashdot unique were a few things. What you will note here is "who" has been responsible for the success of Slashdot. Hint, it has never been just the company taking care of the servers and software.

— First, the user base submitted stories that "they" thought mattered. It was not a corporate feed. Sure, stories were submitted about companies. The latest breakthrough from AMD and Intel, various stories regarding the graphic card wars, my compiler is better than your compiler, and yes your scripting language stinks! Microsoft IIS has brought us all a few laughs and lots of flame wars to boot. Still, we not only read about the products but get to my second point.

— User comments. This is the primary reason why we have been coming here for as long as we have, many of us for decades. We provide alternative opinions or back what was given in the article. This aspect not only makes the "News" interesting, but often leads to other news and information sharing. It's not always positive, but this is the nature of allowing commentary. It also brings out the third point.

— Moderation. Moderation has been done by the community for a very long time. It took lots of trial and error to get a working system. As with any public system it's imperfect, but it's been successful. People can choose to view poorly modded comments, but don't have to. As with posting anonymous versus with our own handle it's an option that allows us to personalize the way we see and read what's on the site. And as a reward for submitting something worth reading, you might get a mod point of your own to use as a reward for someone else.

Why we dislike Beta and what is being pushed, and why this will result in the end of an era if it becomes forced on the community.

1. Bulky graphics. We get that Dice and Slashdot need revenue. I have Karma good enough to disable advertisements, but have never kept this setting on. I realize that Slashdot/Dice make money with this. That said, the ads sit away from my news and out of the way. I can get there if I want it (but nobody has ever gotten a penny from me clicking an ad... nobody!), but it's not forced into my face or news feed.

2. Low text area. I like having enough on my screen to keep me busy without constant scrolling. Slashdot currently has the correct ratio of text to screen. This ratio has never been complained about, yet Beta reduces the usable text area by at least 1/2 with no option for changing the behavior. I hate reading Slashdot on mobile devices because I can't stand scrolling constantly.

3. JavaScript. We all know the risks of JS, and many of us disable it. We also have an option of reading in Lynx or non-standard browsers that many of us toy with for both personal and professional reasons. This flexibility is gone in Beta, and we are forced to allow JS to run. If you don't know the risks of allowing JS to run, you probably don't read much on Slashdot. Those that allow JS do so accepting the risk (which is admittedly low on a well known site).

4. Ordering/Sorting/Referencing. Each entry currently gets tagged with a unique thread ID. This allows linking to the exact post in a thread, not just the top of the thread. In Beta this is gone. It could be that the site decided to simply hide the post ID or it was removed. Either way, going to specific posts is something that is used very commonly by the community.

5. Eye candy. Most of us are not here for "eye candy" and many have allergic reactions to eye candy. Slashdot has a good mix currently. It's not as simple as the site starting with a r-e-d-i-t, which is good. That site has a reputation that keeps many of us away, and their format matches my attitude of them (s-i-m-p-l-e-t-o-n). At the same time, it's not like watching some other "news" sites with so much scrolling crap I can't read an article without getting a headache. The wasted space in beta for big bulky borders, sure smells like eye candy. Nothing buzzes or scrolls yet, but we can sense what's coming in a patch later.

The thing is, the community cares about Slashdot. We come here because we care. We submit stories because of that, we vote because of that, we moderate because of that, and we comment because of that. At the same time we realize that without the community Slashdot loses most of its value. We respect that we don't host the servers, backup the databases, or patch the servers. Slashdot/Dice provide the services needed for Slashdot.

It's a give give relationship, and we each get something in return. Slashdot gets tons of Search hits and lots of web traffic. We get a place to learn, teach, and occasionally vent.

Look, if you want to change default color scheme or make pre-made palettes for us to choose from, we would probably be okay with that. If you want to take away our ability to block ads by Karma, or move the ads to the left side of my browser window, I would be okay with those things too.

If you want to make drastic changes to how the site works, this is a different story all together. The reason so many are against Beta is that it breaks some of the fundamental parts of what makes Slashdot work.

User input until recently has not been acknowledged. The acknowledgment we have received is not from the people that are making the decision to push Beta live. We told people Beta was broken, what it lacked, and we were rather surprised to get a warning that Beta would be live despite what we told people. People are already making plans to leave, which means that Slashdot could fade away very soon.

Whether this was the goal for Dice or not remains to be seen. If it is, it's been nice knowing you but I won't be back. A partnership only works when there is mutual respect between the parties. A word of caution, we Nerds have good memories and lots of knowledge. The loss of Slashdot impacts all of Dice holdings, not just Slashdot. I boycott everything a company holds, not just the product group that did me wrong.

If that was not the goal of Dice, you should quickly begin communicating with the user base. What are the plans to fix what Beta has broken? Why is Beta being pushed live with things broken? A "Sorry we have not been communicating!", and perhaps even a "Thank you" to the user base for helping make Slashdot a success for so many years."

Limiting debate in science, is it still science?

s.petry writes | about a year ago

s.petry (762400) writes "We knew that this was coming, but I'm sure many of us thought that science would be immune to censorship. Perhaps not. I was not surprised that it happened on Boing Boing, but on a "science" site I never expected it (at least not this quickly).

These decisions may smack some as subjective or even malicious. After all comments are arguably the digital age response to print's "letter to the editor" — and they often contain criticisms of the article ranging from grammatical errors to factual oversights. Some may view the decision to ban comments as a form of censorship, a means for writers to escape any sort of visible accountability among their audience.

While that statement does not get to the meaty subject of real trolling and sock puppets, it does beg a very important set of questions. Especially when the reason given by Popular Science claims:

And because comments sections tend to be a grotesque reflection of the media culture surrounding them, the cynical work of undermining bedrock scientific doctrine is now being done beneath our own stories, within a website devoted to championing science.

As the article points out, Science is not about doctrine. Science is about methods of proof. Science also requires collaboration and gets much better when numerous minds work on and debate the Science.

Is censorship the right direction, or is finding more intelligent ways of reducing sock puppets and trolls through moderation?"


Journals

s.petry has no journal entries.
