* Posts by Michael Wojcik

12132 publicly visible posts • joined 21 Dec 2007

Re-light my diode: Trio of boffins scoop physics Nobel for BLUE LEDs

Michael Wojcik Silver badge

Re: Curious - "simple, straight-forward and cheap filament bulbs"

His reply "BMW £28,000: this: £8,000. £20,000 buys a LOT of fuel..."

Because the BMW and the muscle car are equivalent, price aside.

Mind you, I wouldn't buy the BMW just because of their horrible infotainment control system. But it's false economics nonetheless.

(Why not buy no car at all, and walk everywhere? £28,000 buys a lot of food and shoes.)

How much is Microsoft earning from its Android taxes again?

Michael Wojcik Silver badge

Re: Microsoft scrapping WP royalties

"Cloudbile" - great term for their "strategy": feeling nauseous already ;)

It's a bit of a mouthful. "Clobile" would be more along the lines of the usual Reg portmanteaux.

Indeed, I find it simultaneously euphonious and obnoxious, and I urge the Reg editors to adopt it immediately.

Michael Wojcik Silver badge

Re: I do wonder

Because there's a discontinuity in the Space-Time Continuum.

Maybe Eddie can do something about it while he's there?

Official: Turing's Bombe better than a Concorde plane

Michael Wojcik Silver badge

Re: So somebody really did...

I'm guessing this might be a popular music reference?

GIYF. It's a meme from the idiosyncratic English translation of a Japanese video game. About 15 years old now (the meme, that is - the game in question came out in the early '90s). At one time it was bigger than Lolcats.

There is, somewhere, a Flash music video based on AYB, and it was quite popular back in the day, so I supposed you could call it a popular music reference - but it's a stretch.

Countless Belkin routers go TITSUP in massive mystery meltdown

Michael Wojcik Silver badge

"I felt a great disturbance in the Force, as if thousands of routers suddenly cried out in terror issued SNMP alerts, and were suddenly silenced"

FTFY.

"That's no moon! It's a MIB." "I have a very bad feeling about this."

Adobe spies on readers: 'EVERY page you turn, EVERY book you own' leaked back to base

Michael Wojcik Silver badge

Re: No, really, I read it and I have proof...

I know about zip bombs and xml bombs, anyone know anything about json bombs?

I don't know offhand of an easy way to create a JSON "bomb" of that sort - i.e., an amplification attack. Compression-format bombs are obvious (create a data stream that decompresses maximally), and XML bombs are based on reference compression using entities. JSON is a simple flattened data format; it doesn't incorporate references to its own contents.

I suppose you could do something with Unicode transformation formats, if you know that the recipient will transcode into UTF-8. Then you could pick UTF-16 as the source format and send JSON strings containing characters that transcode into more than two bytes. It's a pretty weak attack.

That said, if you know what the recipient is going to do with the JSON data, opportunities abound for misuse. Considerable care has to be taken in the parsing and handling of JSON data. The format tempts coders into simply eval'ing it (often as a "temporary" approach that becomes lingering technical debt), which means remote code execution; even when people try to parse it properly, they may not be sufficiently vigilant.

There are likely better amplification attacks. If you have a website, fill it with hidden img or iframe elements that have http://adelogs.adobe.com as their source attribute value. Then whenever someone visits your page, their browser will pummel Adobe's server. Hidden links would make spiders do the same. Add scripting for even more attacks. And so on. Of course you shouldn't do this, as it would be unethical and might be illegal in some jurisdictions.

What do teenagers love doing? That's right: Staying up all night ... debugging

Michael Wojcik Silver badge

Re: development costs

Some of the things in the package do normally cost money and may not have sufficiently-close equivalents for some projects. Unreal Engine, for example - if a student really wanted to develop a game using that engine, this would save the $19/year. Not a big deal, and there are other, free, open-source game engines, and clearly it's for a pretty specific purpose; but it's something. And the Namecheap bundle is a free domain and SSL certificate - again a small value ($18.99) but a teenager might try it out just because it's free.

I suspect the real value here is that the psychological attraction of getting some free stuff (that normally people have to pay for, as opposed to stuff that's free for everyone) might lure some students into checking the package out. It's your basic loss leader.

That said, I can't see a lot of teenagers getting wildly excited about, say, Travis CI. "Dude, check out my sweet continuous integration!" "Sick, man, that makes my free Jenkins system look like crap."

Trio share 2014 Nobel Prize for cracking internal GPS of the brain

Michael Wojcik Silver badge

Re: I am impressed,,, very impressed.

you generally can't use rocket scientists to study brains

Sure I can. Haven't you heard of functional MRI?

Holey? COWL! Boffins build boxes to hold sketchy JavaScript libs

Michael Wojcik Silver badge

jQuery

jQuery – the official site for which was just infiltrated by miscreants

To be fair, the official jQuery site was created by miscreants.

At the very least, they're guilty of supporting jQuery.

Chinese researchers develop fuzzy search algorithm for encrypted cloud data

Michael Wojcik Silver badge

Re: ?

What is the point of encrypting your stuff if people can still search to see what is in it.

Threat model. The point of information security is not to ensure that there is no possibility of your data being misused. There's a well-known protocol for that: discard the data in an irretrievable manner.1

Oh, you need that data for your own purposes? Then you have to decide what types of attack you're going to worry about, and what their cost factors should be for the attackers, and what costs you can bear to achieve those factors, and what remediation steps you'll implement to realize that model.

For a great many applications, a perfectly reasonable threat model is: "We'll encrypt the data, so it can't just be stolen in bulk. But we need it to be searchable, so we'll create an index first. We'll throttle access to the index so it's infeasible to use it as an oracle to reconstruct significant portions of the data, and we'll use an IDS to try to detect attempts to do so. Anyone who can get past all of that probably has resources to suborn or coerce a legitimate user, so there's little benefit to raising the cost factor beyond that."

Security is never about absolutes.

(Is it just me?)

No. Lots of people don't understand information security.

1Implementation is left as an exercise for the reader.

Michael Wojcik Silver badge

LSA

I doubt these researchers have "dubbed their system Latent Semantic Analysis", since LSA is a well-known algorithm invented1 at Bell Labs in the '80s and patented by Deerwester et al.

Indeed, it's pretty clear just from the abstract of their paper that they've combined LSA with k-Nearest Neighbor (kNN), another algorithm of ancient and widespread fame, to precompute a fuzzy index for data that is then encrypted. Incremental refinement of established tools, applied in a slightly different domain. Good work, but not revolutionary.

1"Discovered", for the Platonists.

One Windows? How does that work... and WTF is a Universal App?

Michael Wojcik Silver badge

Re: Both Windows and Linux are monolithic kernels

You either have a microkernel or a monolithic kernel

Rubbish. Modular kernels with dynamic loading are by no stretch of the imagination microkernels, but there's a wide range of kernel architectures between micro and monolithic. Modular kernels are a tremendous step forward from monolithic kernels like SVR3 and BSD 4. Less useful, but still not monolithic, are the older partitioned kernels with driver and services layers, like AIX 1 and 2 for the PC RT and the original HAL-based Windows NT. And then there are other variations, like the "library OS" design that builds a custom special-purpose kernel on the fly when a VM spins up.

There are microkernels and things that are not microkernels, but to label the latter category "monolithic" robs that term of all meaning.

Coming to a theater near you: the TETRIS MOVIE

Michael Wojcik Silver badge

Re: Still waiting for the Trilogy

It'd be released as Tic, Tac, Toe Part 1, and Toe Part 2.

Critics would agree that Toe Part 1 was unsatisfying, and Toe Part 2 contained too much padding before the big reveal.

Cable guy, Games of Thrones chap team up to make Reg 'best sci-fi film never made' reject

Michael Wojcik Silver badge

Re: Cancelled...

Hey! If it weren't for NCIS, we'd never have discovered that the silver bullet for computer security is Two Nerds, One Keyboard.

(Personally, I find the original NCIS moderately watchable, in that I can generally sit through an episode without wanting to murder the writers - when they stay away from the magical-computer crap. [I know, Murray Gell-mann Amnesia Effect.] That's more than I can say for most procedurals. But I agree that the world isn't suffering from a lack of NCIS episodes.)

The Geek Chorus: 'Give MARK ZUCKERBERG all the DATA he wants!'

Michael Wojcik Silver badge

Scoble. Ugh.

his complete absence of critical facility

I agree with the sentiment, but I'd suggest "critical faculty" would be the better phrase. Scoble is nothing if not facile.

That sounds alluring, a bit like the "upstairs" universe of Downton Abbey, powered by squadrons of "downstairs" servants who constantly monitor, observe, and respond to every whim of their masters. Scoble promises a perfectly pampered lifestyle - and who wouldn’t want that?

I wouldn't want that. It sounds dreadful, and not just because it obviously and immediately falls foul of the master/slave dialectic (which in essence is the argument this article is making), but as a mode of experience. Isn't life fucking mediated enough already by our opportunistic caretakers and cultural curators? Where's jake when I need some support from the curmudgeon contingent, damn it?

It's interesting to contrast Scoble's sophomoric, narcissistic vision with, say, the one Doctorow presents in Down and Out in the Magic Kingdom. That also posits a "post-scarcity" milieu (the major economic elements are free energy, the "cure for death", and a reputation economy), but the cultural response is for everyone to get their hands dirty as members of ad hoc teams working on projects they're passionate about, not to become a bunch of disaffected, idle super-consumers. I'm not sure I'd want to live in Doctorow's world either, but at least I'd be doing something productive.

That glass of water you just drank? It was OLDER than the SUN

Michael Wojcik Silver badge

Typical

What this implies is if the planetary disk didn't make the water, it inherited it

Damn lazy trust-fund planet. When I were a lad, planets made their own water. Built character.

Michael Wojcik Silver badge

Re: Panic!

We are literally awash with an alien substance. Tell the Daily Mail.

Do the Mail's readers wash?

(Awaiting downvotes from the three DM readers here...)

Michael Wojcik Silver badge

Re: "making it about one million years older than the solar system"

We await the appearance of your paper contradicting their results.

This is what I love about the Reg - the readers are so much smarter than everyone else in the world.

Mine Bitcoins with PENCIL and PAPER

Michael Wojcik Silver badge

Re: Proof of Concept

Interesting question. Has anyone demonstrated a nondeterministic algorithm for finding 2-SHA-256 preimages that outperforms brute force? And does it have reasonable characteristics (eg in space requirements)? I haven't heard of one.

Grover's algorithm doesn't look directly applicable to me - I think the necessary precalculation would take as long as brute force. Basically it's equivalent to creating a rainbow table. But I could be wrong; I haven't given it any real thought.

Michael Wojcik Silver badge

Re: Other fun tasks!

it's just that one group ("government") has the largest collection of paid enforcers and can thus exert influence over the general population under threat of violence. Note how another group ("criminals") refuses to subject themselves to the rules laid out by the first group and wilfully ignores them, even knowing the consequences will be violent.

Or put another way, the monopoly on violence is never total.

Ah, Max Weber, you silver-tongued devil.

(There's been a lot of thinking about the monopoly on violence since Weber introduced the concept in the early twentieth century. The Frankfurt School, Foucault, the poststructuralists... and a lot of novelists, of course. Contemporary thinking usually identifies a lot of exceptions beyond criminal activity per se, but it's the obvious example and nicely illustrates some of the complexities in the operation of political power.)

Michael Wojcik Silver badge

Re: "Here are some other fun challenges young Bitcoiners can do in their spare time!"

Bitcoin never ceases to amaze me. So much intelligence and ingenuity poured into being colossally stupid.

So ... it's like most other human activities, eh?

Michael Wojcik Silver badge

Finding a way to reverse the hash function would mean an earthquake in theoretical computer science. It would be a discovery on the order of cold fusion.

Finding a way to reverse a cryptographic digest would be an earthquake for causality, since by the Pigeonhole Principle it would in effect require time travel, or at least the ability to extract arbitrary information from the past, which in turn breaks thermodynamics.

Finding a way easier than brute force to discover a preimage (not the preimage) of a cryptographic digest has been done for a number of cryptographic digests already. The sky has not fallen.

If the strength of a cryptographic digest were based on some problem with interesting consequences - which probably boils down to something known to be NP-Complete - then a polynomial-effort deterministic algorithm for discovering a preimage would indeed be hugely important for theoretical computer science (and mathematics). As it is, when a crypto hash falls, it's of practical importance if the hash is in use, and of theoretical importance if the attack is new, but it's certainly not cold fusion.

Michael Wojcik Silver badge

Re: how long...

According to Algorithmic Information Theory, they've already proven a whole bunch of 'em. They're just not interesting theorems.

But yes, converting some interesting problem into a cryptocurrency mining problem is a nice idea.

Michael Wojcik Silver badge

"Forget Sudoku,"

Nothing to remember in the first place. It's a crossword puzzle, and trivial.

Sudoku isn't even vaguely related to a crossword puzzle. It's a Latin square with additional structure and some values masked. Calling Sudoku a crossword puzzle is like claiming TSO and sh are the same because they're both command-line interpreters.

As for whether it's trivial: the constraints are clear, and the problem can obviously be solved by exhaustive search with backtracking, and the search space is limited with a (small) constant maximum depth. So in a formal sense it's trivial. Whether a given puzzle is trivial in practice for a human to solve with pen & paper methods depends on the structure of that puzzle and the solver's capacity for backtracking; it's possible to construct well-formed (single solution) puzzles that require testing eight possible paths (three noncollinear cells each with two possible values that aren't locally constrained further), and that's beyond most people's ability to do mentally, without taking notes.

Solving by machine is simple (which is why I don't trust the statistics collected by websudoku.com, for example - I could easily write a solver in Javascript that solved their puzzles right on the page), but that doesn't mean Sudoku isn't a useful paideia.

I'd rather look out the window, or maintain the mahogany and teak on a boat, when I have a little down-time.

I've found lots of ways to spend my time, too, but I try not to sneer at everyone else's.

Ellison: Sparc M7 is Oracle's most important silicon EVER

Michael Wojcik Silver badge

Re: Memory Protection

What's different between the features a standard MMU has and Larry's new toy?

Details seem to be scarce online, but I ran across one quote that mentioned memory keys, so it does appear to be similar to IBM's POWER6 storage protection key mechanism.

It's basically a limited version of a capability architecture - you can assign page protections that are associated with a label, not just global ones, and then only (hardware) threads that hold the corresponding "key" get those permissions.

Conventional MMUs assign page permissions globally, and the kernel sets them on a per-process basis, so your protection granularity is the process. Storage keys let you change the protection granularity to threads and thread groups.

Of course a real capability architecture (AS/400, arguably Burroughs MCP, etc) is much fancier.

Ello, 'ello, what's all this then? We take a spin on the new social network driving everyone loopy

Michael Wojcik Silver badge

Re: noun too

I like Jon LeCarres comments about Americans violence with Verbs.

I like his comments about apostrophes and capitalization.

Turn OFF your phone or WE'LL ALL DI... live? Europe OKs mobes, tabs non-stop on flights

Michael Wojcik Silver badge

Someone has an car accident, can't call an ambulance, people die, person with jammer gets put in jail for manslaughter...

Yes, and what if that nice fellow from 24 is being jammed and can't call the President to tell him where the zombie terrorists have hidden the Ebola-spreading dirty nukes? THERE IS AN EXCELLENT CHANCE OF THIS HAPPENING.

How the FLAC do I tell MP3s from lossless audio?

Michael Wojcik Silver badge

I have found I can greatly increase the sound quality by using the green pens to color my cables.

Careful - that only works if you color in the direction of the signal flow.

Michael Wojcik Silver badge

I experience neither of those symptoms, so clearly the "bollox" is true.

But don't let me stand in the way of your ranting about your anecdotal and no doubt psychosomatic "evidence".

Michael Wojcik Silver badge

Re: One thing which hasn't been mentioned re MP3 encoding

how much grunge was audible, and more importantly how really irritating it was

That's how I feel about grunge too. Really ruined flannel shirts for me.

Michael Wojcik Silver badge

Why bother purchasing FLAC online?? Just rip a CD.

Maybe your time is free. Mine isn't. I don't give a rat's about FLAC, but when I buy music, I'm not going to spend the time to transfer it to a different medium or convert it to a different format. I have better things to do.

Michael Wojcik Silver badge

Re: @Dave Bell, MP3 compression

My impression is that MP3 leaves the sound intact, but compromises the emotional impact.

Fascinating. Let's file this next to the spirit theory of disease.

Possibly sampling the emotions at twice the affective frequency would help.

Michael Wojcik Silver badge

But if you can't tell the difference already, what "breakthrough" could possibly improve the experience?

And what if you don't care? I've been buying music (defined broadly) for three decades, and I consistently find myself unable to give a damn about fidelity. There are songs I enjoy listening to, and I enjoy them just as much from a bargain-basement MP3 player and earbuds as I do from a CD and fancy audio components (when I hear them played on someone else's system, since I don't own any player that cost more than $30).

Yes, I understand that many people do care; but some of the codec warriors don't seem to understand that not everyone shares their passion.

That said, when our phones all have terabytes of storage, we'll probably all use lossless.

I'll use whatever format it comes in when I buy it.

A Norsified Linux for Windows and OS X wobblers

Michael Wojcik Silver badge

Re: Strange habits

I always maximise as much as I can. It's a far more optimal way of working.

I always do X, because it's so prima facie optimal that I don't even need to present an argument in its favor, and anyone who doesn't do things my way is an idiot.

Sun of a beach! Java biz founder loses battle to keep his shore private

Michael Wojcik Silver badge

Re: Isn't this a federal issue?

Even the inland ones?

Certainly some of the inland ones, because some of them have a lot of coastline. Michigan has the 9th longest coast of the US states - only slightly less than California.

There are legal battles over beach access in Nevada.

It's not all about the oceans.

Hackers thrash Bash Shellshock bug: World races to cover hole

Michael Wojcik Silver badge

Re: I'm safe. I use a Microsoft Windows system.

Yeah. Microsoft shell bugs are usually just DoSes.

Michael Wojcik Silver badge

Re: I'm safe. I use a Microsoft Windows system.

As I posted earlier, I have multiple Windows systems with bash.

If I were running bash-interpreted CGI scripts, or scripts that invoked bash child processes, they'd be vulnerable to remote exploitation.

That's not so far-fetched. These machines are on the corporate network, behind firewall and NAT, so the threat model doesn't generally include direct attack.1 In the past I've had a number of quick & dirty CGI scripts on various development machines, for various development tasks. It would be easy for me to write an ad hoc bash-based CGI script to deal with some development process issue, host it under IIS or Apache or Tomcat (each of which I have running on various Windows dev boxes, for various reasons), and then forget about it.

And then there are all those "LAMP-on-Windows" kits that you can download to do Apache-MySQL-PHP development on Windows boxes. Some quite likely have CGI enabled for one reason or another. Probably they don't include bash, and probably they don't include vulnerable scripts if they do; but combine one with Cygwin and you're most of the way there.

In short,2 running Windows is not a guarantee of safety from this vulnerability. It makes it much less likely, but merely due to convention, not due to any difficulty in setting up a vulnerable system.

1Does that overlook insider attacks? Yes it does. Insiders have much juicier targets readily available to them.

2Too late.

Michael Wojcik Silver badge

Re: OpenBSD for the win @iEgoPad

AIX was derived from AT&T code

AIX was derived from all sorts of things. I was working at IBM in the early AIX years, and I've seen source code for a number of its incarnations.

AIX 1 for the RT PC was largely SVR1 / SVR2 based, but IBM and ISC also incorporated a fair bit of BSD userland code. And that version of AIX ran on top of the RT's VRM microkernel, so it was hardly stock System V.

AIX 1 for the PS/2 was a different codebase, written by Locus under contract to IBM. Also SysV based. Locus also did the initial AIX/370.

AIX 2 for the RT continued the mix of SysV and BSD code, but much of the kernel was written in PL/I. (I don't know if that was true of the AIX 1 RT kernel as well.) Obviously those parts had little to do with AT&T code.

AIX 3 was a major rewrite, incorporating parts of SVR4 and BSD 4.3, and dropping the VRM in favor of a new pageable, modular, dynamically extendable kernel. Features like the unified VMM, logical cross-volume partitioning, JFS, and XCOFF executable format made AIX quite different from SVR4 at the system level, while SMIT, the ODM, and the like gave it a unique userland for sysadmins.

Subsequent versions diverged further from SVR4 in some ways, but - largely under the auspices of POSIX, the Austin Group, and ultimately the Single UNIX Specification - AIX userland and APIs gradually converged with other UNIX implementations, so it eventually got things like dlopen, POSIX threading, etc.

Michael Wojcik Silver badge

Re: OpenBSD for the win

csh and its re-implementation are Sun-originated heresies

Bill Joy wrote csh at UCB. It didn't originate at Sun. If you're going to post pointless religious flames, you could at least get your facts straight.

Michael Wojcik Silver badge

Re: If you do not sanitize CGI input

"could pass function definitions TO a cgi-bin script FROM the web server in its runtime environment (as per RFC3875) ... e.g. crafting HTTP headers to include dodgy bash function definitions."

Really ? http servers now accept scripts execution in headers ? That's a novelty.

Perhaps you should withhold your sarcasm until you learn how the exploit works.

CGI/1.1 requires that the server set various environment variables before executing the target program. Those variables are set from data supplied in the request message, including request headers.

So those variables will be set in the environment of the target process, and of any of its children (modulo changes to the environment made by the parent process or any intermediary processes).

If the target process, or any of its descendants, is a vulnerable version of bash, and any of its environment variables have values that exercise the vulnerability, then those bash instances will execute the text in the value of the variable that follows what (appears to be) the function definition.

Nothing - not the HTTP server, not the bash instance - has to actually execute the function. Nothing has to refer to the variable. No "scripts execution in headers" is happening. The problem is that bash will execute arbitrary code from its environment, and HTTP servers that provide CGI access will put attacker-supplied data in the child process's environment. If the child process, or one of its descendants, is bash, then the system is vulnerable.

Michael Wojcik Silver badge

Re: CentOS 4

Or download the source RPM from the CentOS 5 updates repo, unpack using rpm, run rpmbuild, install the rpm binary package with yum, and voila, you have backported and installed a package to CentOS 4. It really is that simple.

Can I point out that really is not, in fact, very simple?

Don't get me wrong. It's not a terribly complex process - and downloading the source, then running "./configure && make install" is even simpler (though you don't get the benefit of package tracking). But I've been a UNIX developer since '87, and been using Linux since the mid-90s; I build and install OSS frequently (and modify it pretty often); I've used rpm quite a few times and yum several times; and I'd still have to review the man pages to see exactly what options I'd want for those steps.

And for someone who hasn't used the rpm and yum command-line clients? Who doesn't even know to use them in the first place?

For this sort of case, we really haven't progressed that far from "find a tarball with archie, FTP it, and see if you can build it".

Distributions that are still supported and pull updates automatically do make things pretty easy for non-technical users. Outside that envelope, though, even experienced developers who don't regularly mess with package maintenance will have to do some poking around to get things updated.

(And I'm not claiming any other OS is better, mind you. I've spent many an hour wrangling Windows updates - when Microsoft makes them available at all - and AIX PTFs and HP-UX depots and OS/400 APARs and you name it. The software industry is lousy at fixing its stuff across the board. And so are lots of other industries.)

Michael Wojcik Silver badge

Re: Eyes on the code? Not.

I haven't worked anywhere using CGI since about 2001.

Hurrah for you. How many zillions of cheap web-server providers out there are running cPanel? That's a big ol' bot army waiting to happen.

Michael Wojcik Silver badge

Re: Eyes on the code? Not.

>Well will somebody please tell me what the hell is secure?

I am sure somebody can give a formal Turing like definition

No one can provide a formal definition of "secure", because it's meaningless outside context. Specifically, it can only be defined as a sufficient (for some purpose) value of some metric (probability of compromise, attacker's work factor, average loss, etc) under a particular threat model."Secure" in the abstract means nothing.

Michael Wojcik Silver badge

Re: How to check?

Don't Windows Servers use BASH?

It's "bash", not "BASH". Yes, it's a partial acronym, but the "H" isn't an initial, and it's conventionally written in lower case.

And I've never seen a version of Windows that shipped with bash. There are bash ports for Windows, of course, such as the ones available with Cygwin and MKS. Microsoft used to have a collection of UNIX shells and utilities for Windows (Windows Services for UNIX - I don't remember offhand if it's still available), but it supplied the Bourne shell and ksh (and maybe csh), not bash.

My (development) Windows boxes have bash, because I have Cygwin installed. And it's vulnerable; you can even trivially demonstrate it by invoking bash from a Windows cmd shell session:

C:\>set x=() { :;}; echo Vulnerable

C:\>bash

Vulnerable

xxx@xxxxxx /cygdrive/c

$

Of course these machines don't have any listening processes that invoke bash, and they're behind a NATing firewall. But I'll be updating them shortly anyway.

(Dear Reg: Would you please fucking fix the formatting of preformatted text already? People have been asking for this for years now.)

Latest Firefox and Thunderbird updates plug CRITICAL SSL vuln

Michael Wojcik Silver badge

Re: Which other software is affected?

Wikipedia has a list, which I'm sure is not comprehensive.

This is a pretty bad vulnerability. It's due - once again - to poor ASN.1 handling. ASN.1 is a blight upon computing. Though in this case it looks like the problem could have been avoided by refusing to handle BER and insisting on DER, which makes ASN.1 a little better. (Is there ever a good reason to use BER? I can't think of one.)

One thing that's not clear in the descriptions I've read of the bug is whether it only applies to some RSA keys. It's a variation of the Bleichenbacher attack, which appends attacker-chosen data to the signed hash so it matches a bogus key supplied by the attacker. Bleichenbacher's attack only works on RSA keys that use 3 for the exponent. It'd be interesting to know if this new bug ("BERserk") also only applies to RSA keys with exponent 3, since that at least reduces the scope of the vulnerability.

And, of course, it doesn't affect certificates signed using other algorithms (DSS, ECDH, ECDSA).

Bash bug: Shellshocked yet? You will be ... when this goes WORM

Michael Wojcik Silver badge

Re: Oh $!#t.

Everybody who uses old-school CGI or anybody who hacked some stuff back in 2000 on the quick?

CGI is the obvious vector, but others include programs that invoke system(3) with insufficiently-vetted attacker-supplied data, if bash is the shell for the account that program runs under. Advisories have mentioned some dhcpd configurations, for example (though I haven't looked at the sources to confirm the vulnerability).

It's also possible to set environment variables with typical telnetd and sshd implementations. Again, I haven't personally tried to exploit Shellshocked through one of those, but I wouldn't rule it out without investigation.

Security protection for environment variables has typically been done by blacklisting (e.g. prohibiting setting PATH and LD_LIBRARY_PATH in sensitive environments) or whitelisting (programs will only set particular variables). It's rare to have programs that do support setting environment variables actually put much effort into vetting the supplied values.

iPhone 6: The final straw for Android makers eaten alive by the data parasite?

Michael Wojcik Silver badge

Re: lets look at this in another way..

I don't need a phone to be unsufferably smug.

I noticed...

Thanks! Would you be interested in blurbing my autobiography?

Are you a fat boy? Get to university now, you penniless slacker

Michael Wojcik Silver badge

20%, eh?

As someone who possess a trim - one1 might even say "svelte" - physique, presumably I should take this study to my manager and demand a 20% pay raise3 to cover my "thin employee" premium.

1Specifically, me. Or any of my legion of admirers2, really.

2Legion of Admirers #12 goes on sale next week. Reserve your copy today!

3Or "rise",4 if you prefer.

4Let me forestall the prescriptivist complaints over the etymological and grammatical justification for either of these idioms. Both are reasonable; "raise" is simply active voice (I induce my employer to raise my compensation) while "rise" is passive, suggesting compensation has been increased through the agency of some unnamed, mysterious force. I blame that elusive superhero the Invisible Hand, though only his faithful retainer Mr Smith knows for sure.

4chan outraged by Emma Watson nudie photo leak SCAM

Michael Wojcik Silver badge

Does Rantic really exist?

There's some evidence on the Wikipedia discussion page for the deletion of the (now deleted) FoxWeekly page to support the theory that Rantic / FoxWeekly is a single person. That seems entirely plausible.

Man, its smartphones are SQUARE. But will BlackBerry make a comeback with them?

Michael Wojcik Silver badge

Can you imagine the struggle to get that fucker out of a tight pair of jeans?

I admit the first thing I thought of when I saw the picture was how convenient, and safe, it'd be in a pant pocket. If I wore a suit jacket all the time (which I would, if I had a good excuse to, but alas I don't) it'd be fine. As it is, I'm not sure how I'd carry the damn thing around.

As it stands, I'll probably stick with cheap Android phones with sliding physical keyboards for the foreseeable future. Nothing else looks like a viable replacement for my use case.