|
Soon, the entire Internet will be mining Bitcoins.

evol262 posted: CGI calls for metavariables. These are almost always done as environment variables. FastCGI and other app servers avoid this in different ways, but anything that's plain CGI which calls out to system() or a shell, ever, is vulnerable.
|
# ¿ Sep 26, 2014 01:36 |
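The mechanism evol262 describes, as an added example that is not from the thread or any of its posters: a CGI gateway exports each request header as an environment metavariable (RFC 3875), so a remote client writes directly into the environment of any process the script spawns; a system() call then hands that environment to /bin/sh, which on many distros of the time was an unpatched bash (CVE-2014-6271, the bug the thread is discussing). The request headers are constructed sample data, the handler names are hypothetical, and the final check only reports what the local bash does when offered the widely circulated probe string.

```python
"""Request headers -> CGI env -> shell: where the Shellshock exposure sits,
how to spot the payload shape, and how to keep request data out of children.
Added example; not code from the forum thread or from bash."""
import os
import re
import shutil
import subprocess
from typing import Dict, Mapping, Optional

# Constructed sample request (hypothetical). The User-Agent value has the
# shape of a bash function export followed by a trailing command.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "User-Agent": "() { :; }; echo pwned",
    "Accept": "*/*",
}


def cgi_metavariables(headers: Mapping[str, str]) -> Dict[str, str]:
    """RFC 3875 4.1.18: each request header becomes HTTP_<NAME>, upper-cased
    with '-' mapped to '_'. The client-supplied value is copied verbatim,
    which is how untrusted bytes end up in the script's environment."""
    return {
        "HTTP_" + name.upper().replace("-", "_"): value
        for name, value in headers.items()
    }


# Unpatched bash imported any env value starting with "() {" as a function
# definition and kept parsing past the closing brace, executing the rest.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")


def suspicious_vars(env: Mapping[str, str]) -> Dict[str, str]:
    """Detection hook for a gateway or WAF: entries shaped like a bash
    function export. Legitimate header values essentially never look so."""
    return {k: v for k, v in env.items() if FUNCTION_EXPORT.match(v)}


def vulnerable_handler(headers: Mapping[str, str], cmd: str = "echo hello") -> str:
    """Mimics a plain-CGI script calling system(): the command runs via
    /bin/sh with the full request-derived environment. Where /bin/sh is an
    unpatched bash, the payload in HTTP_USER_AGENT executes before `cmd`."""
    env = dict(os.environ)
    env.update(cgi_metavariables(headers))
    proc = subprocess.run(cmd, shell=True, env=env, capture_output=True, text=True)
    return proc.stdout


def hardened_handler(headers: Mapping[str, str], argv=("echo", "hello")) -> str:
    """Application-side mitigation that works regardless of the bash fix:
    no shell, and an allow-listed environment so nothing request-derived is
    exported. The script can still read `headers`; it just does not pass them."""
    clean_env = {"PATH": "/usr/bin:/bin"}
    proc = subprocess.run(list(argv), env=clean_env, capture_output=True, text=True)
    return proc.stdout


def bash_imports_trailing_commands() -> Optional[bool]:
    """Host check with the widely circulated probe. A fixed bash prints only
    'ok'; a vulnerable one also prints 'vulnerable'. None if bash is absent."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "x": "() { :;}; echo vulnerable",
    }
    proc = subprocess.run([bash, "-c", "echo ok"], env=env, capture_output=True, text=True)
    return "vulnerable" in proc.stdout


if __name__ == "__main__":
    env = cgi_metavariables(SAMPLE_HEADERS)
    print("exported:", env)
    print("flagged:", suspicious_vars(env))
    print("hardened output:", hardened_handler(SAMPLE_HEADERS).strip())
    print("local bash imports trailing commands:", bash_imports_trailing_commands())
```

The point of the split between `vulnerable_handler` and `hardened_handler` is that the bash fix and the application fix are independent: even with a patched bash, a CGI script that shells out with the inherited environment is trusting every header on the request, and the allow-listed environment plus argv execution removes that trust entirely.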
|
|
evol262 posted: setenv where?
|
# ¿ Sep 26, 2014 01:58 |
|
Random thought: Might this (and Heartbleed) be a counterpoint to the idea of security through obscurity being bad, since something like this happening on a closed platform would probably have been either quietly patched out during a maintenance update or patched out as a completely non-specific vulnerability instead of being announced to the whole world with instructions on day zero?
|
# ¿ Sep 26, 2014 06:10 |
|
Dr. Jackal posted: While the release for this might have been poorly managed, if this was a closed source bug we may have never found out about it.

I don't know how this could have been managed better though with an open-source program, which is the problem. It's not possible to release a source patch without revealing the problem, whereas a patch of a closed binary would probably get lost in a sea of other updates released at the same time, allow the embargo to extend for a much longer period while still distributing the fix, and reveal much less information about the specific vulnerability in the end. The only way I can think of to discreetly update something like Bash would be to, say, come up with an excuse to refactor the surrounding system to disguise the motive.

OneEightHundred fucked around with this message at 07:32 on Sep 26, 2014 |
# ¿ Sep 26, 2014 07:10 |
|
evol262 posted: Additionally, "refactoring the surrounding system" to avoid disclosing major security problems is unethical. You're either proposing suggesting an RFE or code rework which gets a ton of (suspicious) mailing list traffic about its implications or a closed list discussing what to do about problems, which is antithetical to open-source ideals, obvious, or both.
|
# ¿ Sep 26, 2014 09:59 |
|
evol262 posted: It's also unethical, but you clearly don't care about that.

quote: Again, ethics may not be a big deal in the games industry.

OneEightHundred fucked around with this message at 18:38 on Sep 26, 2014 |
# ¿ Sep 26, 2014 18:21 |
|
evol262 posted: Yet again, responsible disclosure was practised, but the scope of the vulnerability was larger than anticipated.

distros@ is disclosure only to '"responsible" parties'. http://broadcast.oreilly.com/2009/01/responsible-disclosure-is-irre.html

The core issue is that the overwhelming majority of attacks are not via zero-days, but via vulnerabilities unveiled by security researchers and deployed against users that haven't patched. The same article suggests that covert patching might be a good idea too, so I guess there's your answer to whether anyone would consider it to be ethical. It's probably better than vendors ignoring everything, sure, but the question is if it's possible to fix an issue without drawing attention to it.

evol262 posted: It would open you to lawsuits (when some large bank or govt agency was left in the dark about what the problem was and how it occurred, then owned because they didn't update)
|
# ¿ Sep 28, 2014 02:57 |
|
|
evol262 posted: Responsible disclosure is the context.

quote: Whether or not one person considers covert patching OK has no impact on whether it's ethical.

quote: misrepresentation (a la covert patching)
|
# ¿ Sep 28, 2014 07:29 |