Forgot your password?
typodupeerror

Catch up on stories from the past week (and beyond) at the Slashdot story archive

Security

Vulnerabilities Found (and Sought) In More Command-Line Tools 87

Posted by timothy
from the one-thing-at-a-time dept.
itwbennett writes The critical Shellshock vulnerabilities found last month in the Bash Unix shell have motivated security researchers to search for similar flaws in old, but widely used, command-line utilities. Two remote command execution vulnerabilities were patched this week in the popular wget download agent and tnftp client for Unix-like systems [also mentioned here]. This comes after a remote code execution vulnerability was found last week in a library used by strings, objdump, readelf and other command-line tools.
Unix

Dangerous Vulnerability Fixed In Wget 58

Posted by Soulskill
from the under-the-radar dept.
jones_supa writes: A critical flaw has been found and patched in the open source Wget file retrieval utility that is widely used on UNIX systems. The vulnerability is publicly identified as CVE-2014-4877. "It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov writes in Red Hat Bugzilla. A malicious FTP server can stomp over your entire filesystem, tweets HD Moore, chief research officer at Rapid 7, who is the original reporter of the bug.
Sony

How Sony, Intel, and Unix Made Apple's Mac a PC Competitor 296

Posted by samzenpus
from the back-in-the-day dept.
smaxp writes In 2007, Sony's supply chain lessons, the network effect from the shift to Intel architecture, and a better OS X for developers combined to renew the Mac's growth. The network effects of the Microsoft Wintel ecosystem that Rappaport explained 20 years ago in the Harvard Business Review are no longer a big advantage. By turning itself into a premium PC company with a proprietary OS, Apple has taken the best of PC ecosystem, but avoided taking on the disadvantages.
Debian

Debian's Systemd Adoption Inspires Threat of Fork 555

Posted by timothy
from the tine-to-weigh-priorities dept.
New submitter Tsolias writes It appears that systemd is still a hot topic in the Debian community. As seen earlier today, there is a new movement shaping up against the adoption of systemd for the upcoming stable release [of Debian], Jessie. They claim that "systemd betrays the UNIX philosophy"; it makes things more complex, thus breaking the "do one thing and do it well" principle. Note that the linked Debian Fork page specifically says that the anonymous developers behind it support a proposal to preserve options in init systems, rather than demanding the removal of systemd, and are not opposed to change per se. They just don't want other parts of the system to be wholly dependent on systemd. "We contemplate adopting more recent alternatives to sysvinit, but not those undermining the basic design principles of "do one thing and do it well" with a complex collection of dozens of tightly coupled binaries and opaque logs."
Software

Apple Releases CUPS 2.0 178

Posted by Soulskill
from the onward-and-upward dept.
kthreadd writes: 15 years after the release of CUPS 1.0, Apple has now released version 2.0 of the printing system for GNU/Linux and other Unix-style operating systems. One of the major new features in 2.0 is that the test program for ippserver now passes the IPP Everywhere self-certification tests. Also, they've made an interesting blog post looking at the past and future of printing. Since the first major release in 1999, printing has become much more personal. Printer drivers are going away, and mobile usage is now the norm."
Medicine

Professor Kevin Fu Answers Your Questions About Medical Device Security 21

Posted by samzenpus
from the listen-up dept.
Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions. Professor Fu has finally found respite from calamity, coincidentally at a time when the FDA has issued guidance on the security of medical devices. Below you'll find his answers to your old but not forgotten questions.
OS X

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild 318

Posted by timothy
from the oy-oy-oy dept.
The recently disclosed bug in bash was bad enough as a theoretical exploit; now, reports Ars Technica, it could already be being used to launch real attacks. In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion web pages that at least partially fit the profile for the Shellshock exploit. More bad news: "[T]he initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry." And CNET is not the only one to say that Shellshock, which can affect Macs running OS X as well as Linux and Unix systems, could be worse than Heartbleed.
Security

Remote Exploit Vulnerability Found In Bash 399

Posted by Soulskill
from the don't-bash-bash dept.
kdryer39 sends this news from CSO: A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.
Data Storage

Slashdot Asks: What's In Your Home Datacenter? 287

Posted by samzenpus
from the show-and-tell dept.
First time accepted submitter jvschwarz writes There was a time when I had rack-mount systems at home, preferring old Unix boxes, Sun-3 and early SPARC machines, but have moved to low-power machines, Raspberry Pi systems, small NAS boxes, etc. Looks like some are taking it to another level. What do other slashdotters have in their Home Datacenter?
Open Source

Torvalds: No Opinion On Systemd 385

Posted by Soulskill
from the linus-not-swearing-at-people dept.
An anonymous reader writes:Linux creator Linus Torvalds is well-known for his strong opinions on many technical things. But when it comes to systemd, the init system that has caused a fair degree of angst in the Linux world, Torvalds is neutral. "When it comes to systemd, you may expect me to have lots of colorful opinions, and I just don't," Torvalds says. "I don't personally mind systemd, and in fact my main desktop and laptop both run it." Torvalds added, "I think many of the 'original ideals' of UNIX are these days more of a mindset issue than necessarily reflecting reality of the situation. There's still value in understanding the traditional UNIX "do one thing and do it well" model where many workflows can be done as a pipeline of simple tools each adding their own value, but let's face it, it's not how complex systems really work, and it's not how major applications have been working or been designed for a long time. It's a useful simplification, and it's still true at some level, but I think it's also clear that it doesn't really describe most of reality."
Emulation (Games)

GSOC Project Works To Emulate Systemd For OpenBSD 314

Posted by timothy
from the everyone's-idea-of-a-good-time dept.
An anonymous reader writes Through a Google Summer of Code project this year was work to emulate systemd on OpenBSD. Upstream systemd remains uninterested in supporting non-Linux platforms so a student developer has taken to implementing the APIs of important systemd components so that they translate into native systemd calls. The work achieved this summer was developing replacements for the systemd-hostnamed, systemd-localed, systemd-timedated, and systemd-logind utilities. The hope is to allow for systemd-dependent components like more recent versions of GNOME to now run on OpenBSD.
Linux

Choose Your Side On the Linux Divide 826

Posted by samzenpus
from the picking-a-team dept.
snydeq writes The battle over systemd exposes a fundamental gap between the old Unix guard and a new guard of Linux developers and admins, writes Deep End's Paul Venezia. "Last week I posted about the schism brewing over systemd and the curiously fast adoption of this massive change to many Linux distributions. If there's one thing that systemd does extremely well, it is to spark heated discussions that devolve into wild, teeth-gnashing rants from both sides. Clearly, systemd is a polarizing subject. If nothing else, that very fact should give one pause. Fundamental changes in the structure of most Linux distributions should not be met with such fervent opposition. It indicates that no matter how reasonable a change may seem, if enough established and learned folks disagree with the change, then perhaps it bears further inspection before going to production. Clearly, that hasn't happened with systemd."
Security

New Mayhem Malware Targets Linux and UNIX-Like Servers 168

Posted by Soulskill
from the keep-calm-and-patch-on dept.
Bismillah writes: Russian security researchers have spotted a new malware named Mayhem that has spread to 1,400 or so Linux and FreeBSD servers around the world, and continues to look for new machines to infect. And, it doesn't need root to operate. "The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server. Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information. According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013."
Hardware Hacking

SRI/Cambridge Opens CHERI Secure Processor Design 59

Posted by Unknown Lamer
from the dreaming-of-hurd/coyotos dept.
An anonymous reader writes with some exciting news from the world of processor design: Robert Watson at Cambridge (author of Capsicum) has written a blog post on SRI/Cambridge's recent open sourcing of the hardware and software for the DARPA-sponsored CHERI processor — including laser cutting directions for an FPGA-based tablet! Described in their paper The CHERI Capability Model: Reducing Risk in an age of RISC, CHERI is a 64-bit RISC processor able to boot and run FreeBSD and open-source applications, but has a Clang/LLVM-managed fine-grained, capability-based memory protection model within each UNIX process. Drawing on ideas from Capsicum, they also support fine-grained in-process sandboxing using capabilities. The conference talk was presented on a CHERI tablet running CheriBSD, with a video of the talk by student Jonathan Woodruff (slides).

Although based on the 64-bit MIPS ISA, the authors suggest that it would also be usable with other RISC ISAs such as RISC-V and ARMv8. The paper compares the approach with several other research approaches and Intel's forthcoming Memory Protection eXtensions (MPX) with favorable performance and stronger protection properties.
The processor "source code" (written in Bluespec Verilog) is available under a variant of the Apache license (modified for application to hardware). Update: 07/16 20:53 GMT by U L : If you have any questions about the project, regular Slashdot contributor TheRaven64 is one of the authors of the paper, and is answering questions.
Education

Prof. Andy Tanenbaum Retires From Vrije University 136

Posted by timothy
from the congratulations-and-good-wishes dept.
When Linus Torvalds first announced his new operating system project ("just a hobby, won't be big and professional like gnu"), he aimed the announcement at users of Minix for a good reason: Minix (you can download the latest from the Minix home page) was the kind of OS that tinkerers could afford to look at, and it was intended as an educational tool. Minix's creator, Professor Andrew Stuart "Andy" Tanenbaum, described his academic-oriented microkernel OS as a hobby, too, in the now-famous online discussion with Linus and others. New submitter Thijssss (655388) writes with word that Tanenbaum, whose educational endeavors led indirectly to the birth of Linux, is finally retiring. "He has been at the Vrije Universiteit for 43 years, but everything must eventually end."
GUI

Meet Carla Shroder's New Favorite GUI-Textmode Hybrid Shell, Xiki 176

Posted by timothy
from the shades-of-some-others dept.
New submitter trogdoro (3716731) writes with an excerpt from Linux Cookbook author Carla Schroder's enthusiastic introduction to what looks like a tempting tool, combining elements of GUI and text-mode interfaces: Command-line lovers, allow me to introduce you to Xiki, the incredibly interactive, flexible, and revolutionary command shell. I do not use the word "revolutionary" lightly. The command shell has not advanced all that much since the ancient days of Unix. Xiki is a giant leap forward. If you're looking for the Next Big Thing in FOSS, Xiki is it. It's not the first tool meant to combine text and graphic interface, but from the screencast demo, Xiki looks like it gets a lot of things right.
Security

Exploiting Wildcards On Linux/Unix 215

Posted by Soulskill
from the teaching-a-new-dog-old-tricks dept.
An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.
Programming

Ask Slashdot: Best Rapid Development Language To Learn Today? 466

Posted by timothy
from the pronto-now-yesterday-or-else dept.
An anonymous reader writes "Many years ago, I was a coder—but I went through my computer science major when they were being taught in Lisp and C. These days I work in other areas, but often need to code up quick data processing solutions or interstitial applications. Doing this in C now feels archaic and overly difficult and text-based. Most of the time I now end up doing things in either Unix shell scripting (bash and grep/sed/awk/bc/etc.) or PHP. But these are showing significant age as well. I'm no longer the young hotshot that I once was—I don't think that I could pick up an entire language in a couple of hours with just a cursory reference work—yet I see lots of languages out there now that are much more popular and claim to offer various and sundry benefits I'm not looking to start a new career as a programmer—I already have a career—but I'd like to update my applied coding skills to take advantage of the best that software development now has to offer. (More, below.)
Unix

Terran Computational Calendar Introduces Minimonths, Year Bases, and Datemods 209

Posted by timothy
from the on-a-night-just-like-tonight dept.
First time accepted submitter TC+0 (3672227) writes "Inspired by comments regarding its first incarnation, the Terran Computational Calendar's recent redefinition now includes dynamic support for 'leap duration', 'year bases', and 'datemods'. Here's the new abstract from terrancalendar.com (wikia mirror) captured at 44.5.20,6.26.48 TC+7H:

Synchronized with the northern winter solstice, the terran computational calendar began roughly* 10 days before the UNIX Epoch. Each year is composed of 13 identical 28-day months, followed by a 'minimonth' that houses leap days (one most years and two every 4th but not 128th year) and leap seconds (issued by the IERS during that year). Each date is an unambiguous instant in time that exploits zero-based numbering and a handful of delimiters to represent the number of years and constant length months, days, hours, minutes, and seconds that have elapsed since 0TC (the calendar's starting point). An optional 'year base' may be applied to ignore erratic leap duration. Arithmetic date adjusting 'datemods' can be applied to define things like weeks, quarters, and regional times."

"The hottest places in Hell are reserved for those who, in times of moral crisis, preserved their neutrality." -- Dante

Working...