Hacker News | jcape's comments


> Regulators put the first circuit breakers in place following the market crash of October 19th 1987, when the Dow Jones Industrial Average (DJIA) shed 508 points (22.6%) in a single day. The crash, which began in Hong Kong and soon affected markets worldwide, came to be known as Black Monday.


Well something was put into place after 1929...


According to https://www.americanprogress.org/issues/immigration/reports/... it's 285bn USD over 5 years to deport them, and GDP would decrease by 1.45% over 10 years without undocumented/illegal immigrant participation (i.e. 0.145% drag every year---assuming this includes the relevant GDP multipliers).


If your ~/.bashrc is a SYMLINK to a bash or sh script, bash will AUTOMATICALLY EXECUTE that script on login.

If you give the rsync command a source or destination with an unescaped colon, it will read an ENVIRONMENT VARIABLE to figure out a command to run to AUTOMATICALLY CONNECT TO ARBITRARY NETWORK RESOURCES. If you have keys, it will even SKIP PASSWORD ENTRY, and with default Kerberos, it will not only skip the password, but make a network connection to a login server:port specified by a DNS ENTRY.

Seriously, who is this guy, and why is this trainwreck #1 on HN?


Did this article make you angry? Why do you call it a trainwreck?


The article is literally "If you tell these utilities to execute this script, they'll execute this script". NONE of these should be "unexpected".


Not the point. Of course it's not surprising that these utilities will execute scripts if you tell them to. The unexpected fact is that you can tell them to -- and that this is documented behavior which probably isn't going away.

If your argument was that no programmer should be surprised that you can tell an archive utility to execute an arbitrary script, then you and the author of the post are in complete agreement. The remaining difference is that the article actually does something to fix the problem while you merely hurl an implicit insult at anyone who hasn't seen this type of privilege escalation yet. One of these actions is more constructive than the other.


> you merely hurl an implicit insult at anyone who hasn't seen this type of privilege escalation yet

You and I have vastly different opinions on what constitutes privilege escalation.


I'm not a security researcher. Care to recommend a more appropriate term for the data -> execution stage as opposed to the user -> root stage which is more commonly associated with the term "privilege escalation"?


I don't disagree, but, as a relative novice with shell scripts, I definitely did not realize so many tools could execute arbitrary code.

The parent post's anger and disgust are misplaced, though. This article is informative at a novice level, and well-written to that level. Not a trainwreck.


Because it is treating all of these intended side-effects of using a shell as though they are security vulnerabilities.

The problem is that there is a way for untrusted user input to ever touch a shell in the first place.

Seriously, I challenge you to find a language reference that doesn't decry the use of their version of system(3)---because all that does is run the given command under the user's shell.
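The two threads above make one point from opposite sides: rsync reads `host:path` as "run the remote shell named by `-e` or `$RSYNC_RSH`", and system(3) hands a string to the user's shell, so the defensive job is to keep untrusted names from ever being parsed as either. This is an added example, not code from the article or from any commenter. It mirrors the host-spec rule documented in the rsync manual (a slash before the first colon makes an argument local, a double colon or `rsync://` selects the daemon protocol) and assumes the IPv6 `[addr]:` form never occurs; the sample names are constructed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// argKind is how rsync will interpret a SRC or DEST argument.
type argKind string

const (
	kindLocal  argKind = "local"
	kindRemote argKind = "remote-shell" // host:path, reached via -e / $RSYNC_RSH (ssh by default)
	kindDaemon argKind = "daemon"       // host::module or rsync://host/module
)

// classifyRsyncArg follows the host-spec rule from the rsync manual:
// an rsync:// URL or a double colon selects the daemon protocol, the
// first single colon names a remote host, and a slash before that colon
// makes the argument a local path. IPv6 "[addr]:" forms are not handled
// here (assumption: the names we pass never use them).
func classifyRsyncArg(arg string) argKind {
	if strings.HasPrefix(strings.ToLower(arg), "rsync://") {
		return kindDaemon
	}
	for i := 0; i < len(arg); i++ {
		switch arg[i] {
		case '/':
			return kindLocal
		case ':':
			if i+1 < len(arg) && arg[i+1] == ':' {
				return kindDaemon
			}
			return kindRemote
		}
	}
	return kindLocal
}

// forceLocal makes an argument that is meant to be a local path impossible
// to read as a host spec, using the escape the manual documents: prefix
// "./" so that a slash precedes any colon.
func forceLocal(arg string) string {
	if classifyRsyncArg(arg) == kindLocal {
		return arg
	}
	return "./" + arg
}

// buildRsyncCmd builds the argv directly (no system(3), no shell), so the
// untrusted names may contain quotes, semicolons or dollar signs without a
// shell ever seeing them. "--" ends option parsing so a name starting with
// "-" cannot become an rsync flag, and the environment is reduced to PATH so
// an inherited RSYNC_RSH cannot choose a remote-shell command.
func buildRsyncCmd(src, dst string) *exec.Cmd {
	cmd := exec.Command("rsync", "-a", "--", forceLocal(src), forceLocal(dst))
	cmd.Env = []string{"PATH=" + os.Getenv("PATH")}
	return cmd
}

func main() {
	// Constructed sample inputs, as a hostile user might name an upload.
	names := []string{"report.txt", "evil.example:pwned", "evil.example::module",
		"rsync://evil.example/m", "/var/tmp/a:b"}
	for _, name := range names {
		fmt.Printf("%-26s -> %-12s escaped as %q\n", name, classifyRsyncArg(name), forceLocal(name))
	}
	fmt.Println(buildRsyncCmd("evil.example:pwned", "/srv/archive/").Args)
}
```

The same pattern applies to any tool that treats part of a filename as an instruction: classify the argument the way the tool will, neutralise it with the tool's own documented escape, and pass an argv rather than a shell string.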


Sure, fine, but why the anger? Why the 'trainwreck'? that's not constructive at all. The article definitely didn't claim these were security vulnerabilities - only that they were surprising. Some of these were surprising to me too. Am I an idiot for not knowing these? (no, I'm not, I'm just a novice).

It's really aggravating to learn something from an article that is making someone more knowledgeable this angry without explanation.


So what is your opinion of this method of install? http://brew.sh/


I think anyone who follows that method has no idea how things work. I was actually personally offended when Ximian started handing that out as a way to install Mono a decade+ ago, because it is absolutely the worst practice you can imagine: go pull [expletive] from a URL, and throw it directly from the network into system(). I will "strong no" candidates who think it's a good idea, and I reject any PRs that do [expletive] like it.

All that said, between Gmail's spam filter, my avoidance of all things bitcoin, and common sense with passwords (don't ever re-use them), most of the damage caused by this doesn't affect me.

I will note, however, that this is why "when you hit return in the URL bar, what actually happens," is a valid interview question, in the same unfortunate sense that FizzBuzz is a valid interview question.


I think the point is that this is an entire class of vulnerability that most people may never have thought about, but could very easily result in some nasty remote code execution and/or privilege escalation via setuid.


Yes, that thing that is designed to execute commands could possibly result in commands being executed. Similarly, the intended use of a setuid binary is to escalate your privileges.

I'm asking you why you thought the knife would stop cutting things when it hit your hand instead of the loaf of bread.


By analogy, you could say that the Inquisition was inherently unchristian, in so far as Christianity has an ideological character beyond simply "Christ worship".

Similarly, if we do the obvious thing and conflate "left wing" and "socialist", and believe that socialism has an ideological character beyond simply hating the existing organization of society, then extermination, slavery, thuggery, coercion, and violence are inherently anti-socialist.

This view is also the conclusion Orwell was operating under---the utopian ideal of capital-S Socialism which he approved of was used as operating cover to assist in the seizing of power by technocratic middle classes.

This view was pretty much explicitly stated in the Goldstein treatises in 1984, which described "English Socialism" as actually a form of "oligarchical collectivism," and claimed that "The Party rejects and vilifies every principle for which the Socialist movement originally stood, and it does so in the name of Socialism."

Similarly, there's this bit from the supposedly ex-Trotskyist James Burnham (who Orwell rightly abuses for being a power-worshiping scumbag):

"Some apologists try to excuse Marxism by saying that it has ‘never had a chance’. This is far from the truth. Marxism and the Marxist parties have had dozens of chances. In Russia, a Marxist party took power. Within a short time it abandoned Socialism; if not in words, at any rate in the effect of its actions. In most European nations there were during the last months of the first world war and the years immediately thereafter, social crises which left a wide-open door for the Marxist parties: without exception they proved unable to take and hold power. In a large number of countries — Germany, Denmark, Norway, Sweden, Austria, England, Australia, New Zealand, Spain, France — the reformist Marxist parties have administered the governments, and have uniformly failed to introduce Socialism or make any genuine step towards Socialism... These parties have, in practice, at every historical test — and there have been many — either failed Socialism or abandoned it. This is the fact which neither the bitterest foe nor the most ardent friend of Socialism can erase. This fact does not, as some think, prove anything about the moral quality of the Socialist ideal. But it does constitute unblinkable evidence that, whatever its moral quality, Socialism is not going to come."

To be fair, it's easy to believe claims about Stalin not being a socialist are simply ego-bruised leftists invoking the No True Scotsman fallacy. I don't think this necessarily applies simply because socialism is inherently an ideology. If someone claims to be a pacifist while marauding through a public place with an assault rifle, massacring people as they go, we have no problem resolving this dissonance: the murderer's claims of pacifism are simply lies.

Of course, pacifism was never taken all that seriously to begin with, so it's safe for us to simply say "you're lying about being a pacifist." We feel a bit more constrained telling someone they're lying about their status as a Christian or a socialist.


tl;dr: Other environments are insecure out of the box, and require applications specifically opt-in to security. Java requires you opt-out of the security.

HTTPS is built on top of PKI, which involves a list of trusted root authorities who verify that the certificate for blahblah.com is actually for blahblah.com. A self-signed certificate won't have that, and any application that doesn't validate that the certificate is signed by a trusted authority and not expired, etc. has no security.

If an application doesn't validate its certificate, anybody sitting between you and the HTTPS server can step in between you and your traffic, give you a phony certificate, and then proxy all your "secure" traffic to the HTTPS server. And, of course, "sitting between you and the HTTPS server" means not only the NSA with their low-latency network specifically built to conduct these types of attacks, it also means the guy in the corner at Starbucks too (because WiFi is a radio).

Java only actually started checking if certificates were valid very recently (IIRC it was J7, r51). Prior to that, Java was just as lax as every other toolkit---probably specifically to address complaints like Bray's: "testing HTTPS is tough".
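The comment above contrasts "insecure until you opt in" with "secure until you opt out", and the thread's trigger was a self-signed certificate on a test server. This added Go example (not from the article, the thread or any project it mentions) shows the three client postures side by side against a loopback HTTPS server that `httptest` backs with a self-signed certificate: default verification rejects it as an unknown authority, `InsecureSkipVerify` is the opt-out that accepts anything, and adding exactly that certificate to the client's roots is the fix that keeps chain and hostname checks on. The server body text is constructed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// startSelfSignedServer brings up a loopback HTTPS server on the self-signed
// certificate httptest generates, standing in for the "apache with a
// self-signed cert" case in the thread. The returned pool holds that one
// certificate and plays the role of the trust store you import it into.
func startSelfSignedServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello over TLS") // constructed response
	}))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

// fetch performs one GET through a client using the given TLS settings.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// secureDefault: chain checked against the system roots, hostname checked.
// This is "secure out of the box"; there is nothing to opt in to.
func secureDefault() *tls.Config { return &tls.Config{} }

// insecureOptOut is the "testing HTTPS is tough" shortcut. Any certificate
// is accepted, so whoever sits on the path can present their own and read
// the traffic. This is the setting that must never reach production.
func insecureOptOut() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// trustThisCert is the right fix for a self-signed test server: add exactly
// that certificate to the roots and keep chain and hostname verification on.
func trustThisCert(pool *x509.CertPool) *tls.Config { return &tls.Config{RootCAs: pool} }

// isUnknownAuthority reports whether err is the verification failure a
// self-signed certificate produces under default settings.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv, pool := startSelfSignedServer()
	defer srv.Close()
	for name, cfg := range map[string]*tls.Config{
		"default verification": secureDefault(),
		"InsecureSkipVerify":   insecureOptOut(),
		"pinned test root":     trustThisCert(pool),
	} {
		body, err := fetch(srv.URL, cfg)
		fmt.Printf("%-22s body=%q err=%v unknownAuthority=%t\n", name, body, err, isUnknownAuthority(err))
	}
}
```

The third posture is what "import the cert into the trust store" means in code: the client still demands a chain to a root and a matching name, it just has one more root. `httptest.Server.Client()` does the same thing for you in Go tests, which is why a test suite never needs the opt-out.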


I never understood how trustworthy a cert that you could buy for $100 is. What does that certificate prove? That whoever signed the stuff had $100 at some point?

Besides ... why can't Java just pull the certs out of the system (like you did manually) or ship with them like every browser does (I presume)?


They typically ask that you perform some step of the transaction using an e-mail address tied to the domain, so it's not quite that terrible. The 700USD EV certs actually require corporate registration paperwork, tax IDs, etc. and are far closer to a credit check in terms of depth.

I agree that Java should use the certs the system provides, and that it is a PITA to wrestle with keytool, but I also know that the self-signed cert that apache is using is not trusted by your PC either (so you've got work to do regardless).


No. HTTPS should be secure out of the box. If you want to break HTTPS then you should have to do work.


...and here is Mr. Nichols explaining why even if Iraq did eliminate its (nonexistent) weapons of mass destruction in 2003, the U.S. would've been right to invade because Saddam had been lying (about WMDs) and willing to invade his neighbors for so long:

http://www.carnegiecouncil.org/publications/journal/17_1/rou...

Given that Iraq was a belligerent in both the Iran-Iraq war and the Kuwaiti invasion, that's reasonable on its face. Of course, that presumes you aren't aware the U.S. supported Iraq in the former (to the degree that we ignored the only successful missile attack on a U.S. ship in history), and said "we have no opinion" two months before the latter. I presume an "expert" on IR and national security would know both of those facts---so why make that claim? Regarding Iraqi deception about WMDs... well, we know how that one turned out, don't we?

There are conscientious members of every university's IR staff, but there are also plenty of cryptofascists and priests-for-hire giving the discipline a bad reputation. I certainly hope students challenge this kind of man's pronouncements, because they are better humans and better thinkers for doing so.


Excellent find, and part of why people can't always trust experts.


Andrew Wakefield owns a patent on a single-measles vaccine, which would be a competitor to the MMR vaccine, and most people who are aware of that suspect that's why he published that shoddy nonsense about autism in the first place.

In other words, he is very much an expert on (at least) the vaccinations in his study. His celebrity came later.


He's salted the earth though - antivax crowd would denounce his vaccine with as much pique and passion as they have dished on MMR. It just doesn't look like a good business plan...


The anti-vaccination groups didn't exist at the time, so it's quite likely that Wakefield was just as startled by the paranoiac monster he'd nurtured as anyone else. No member of the public (before or after Wakefield) actually knows anything about vaccines, other than the story about the Swine Flu vaccine killing more people than it saved... since any individual member of the public does not need to care about vaccines very often in their lives, and therefore has little direct personal advantage in knowing more, vaccine safety is a very fragile exercise in blind trust.

Ironically, those who have lived and breathed vaccines for years (i.e. experts) seem to know nothing about that enormous trust placed in the vaccination process by the public---the public assumes it works and assumes it's there to keep you safe, but knows so little about them that even simple questions of safety will be translated into "vaccines bad."


I'm disappointed that this comment was downvoted so severely. It's a perfect satire of the original article.


There is so much weapons grade arrogance in this essay, I wouldn't be surprised if Hans Blix bought a house nearby to cut time from his commute.

Seriously, it's a link of this:

"Oh my goodness, Google University means people are now increasingly questioning experts, like me! And doctors!"

"What are you an expert in?"

"History. I teach at the War College and write about nuclear weapons. For example, I just republished an essay I wrote 14 years ago on how responsible documentaries of the Cold War must necessarily exclude examinations of Soviet motivations, because Stalin was the bad guy."

"...Yes, it's truly a wonder why anyone could fail to trust your proclamations of genius."

