MrPin Posted September 27, 2014

You should not take me too seriously, Mr Chonyx, because I am an arseh0le!!

Oliver Sutton Posted October 5, 2014

Seems to have gone quiet on this front. Was this just another scare?

davidg Posted October 6, 2014

> Seems to have gone quiet on this front. Was this just another scare?

Yahoo had a break-in. http://www.securityweek.com/hackers-compromised-yahoo-servers-using-shellshock-bug

stormymonday_2011 Posted October 6, 2014

> Yahoo had a break-in. http://www.securityweek.com/hackers-compromised-yahoo-servers-using-shellshock-bug

From the report it looks like WinZip and Lycos might have been compromised too. Needless to say, all the firms involved will want to keep mum about it for fear of frightening the horses.

MarkG Posted October 7, 2014

The interesting thing is that, in both cases, it wasn't so much a programming error as just a really dumb idea in the first place. No-one in their right mind would have sent a 'ping' message through SSL that contained an embedded length, because they would just be asking some idiot programmer to have a buffer overflow. Similarly, no-one in their right mind would put executable code in an environment variable, because that's ******ing stupid. Sadly, it's the kind of thing people do when they have no clue about secure programming.

Edit: the latest USB attack is a similar issue. Of course no bad guy would ever build a USB memory stick that also claims to be a keyboard, and sends commands to your computer when you plug it in.

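Added example (not part of MarkG's post and not taken from any real TLS library): the C sketch below shows why an echo message that carries its own length is risky, by putting a handler that trusts the claimed length beside one that checks it against the bytes actually received. The message layout, function names and memory contents are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption): byte 0 = type, bytes 1-2 = claimed
 * payload length (big-endian), bytes 3.. = payload. */
#define HDR_LEN 3

/* Naive echo: trusts the embedded length and never consults rec_len, so the
 * copy runs past the record into whatever sits next to it in memory. */
size_t echo_naive(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    (void)rec_len;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > cap) claimed = cap;   /* protects out, not the source */
    memcpy(out, rec + HDR_LEN, claimed);
    return claimed;
}

/* Checked echo: the claimed length must fit inside the bytes received;
 * otherwise the message is dropped (returns 0). */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HDR_LEN) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN || claimed > cap) return 0;
    memcpy(out, rec + HDR_LEN, claimed);
    return claimed;
}

/* Constructed process memory: a 5-byte record whose payload is "hi" but
 * whose header claims 18 bytes, followed by 16 bytes of unrelated data. */
#define REC_LEN 5
const uint8_t MEMORY[] = { 0x01, 0x00, 0x12, 'h', 'i',
    'S','E','C','R','E','T','-','K','E','Y','-','D','A','T','A','!' };

int main(void)
{
    uint8_t out[64];
    size_t n = echo_naive(MEMORY, REC_LEN, out, sizeof out);
    printf("naive echoed %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    n = echo_checked(MEMORY, REC_LEN, out, sizeof out);
    printf("checked echoed %zu bytes\n", n);
    return 0;
}
```

The naive handler returns the two payload bytes plus the 16 neighbouring bytes; the checked handler drops the same message because the claimed length exceeds what was received.
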
Bloo Loo Posted October 7, 2014

> The interesting thing is that, in both cases, it wasn't so much a programming error as just a really dumb idea in the first place. No-one in their right mind would have sent a 'ping' message through SSL that contained an embedded length, because they would just be asking some idiot programmer to have a buffer overflow. Similarly, no-one in their right mind would put executable code in an environment variable, because that's ******ing stupid. Sadly, it's the kind of thing people do when they have no clue about secure programming.
>
> Edit: the latest USB attack is a similar issue. Of course no bad guy would ever build a USB memory stick that also claims to be a keyboard, and sends commands to your computer when you plug it in.

Automation, specially automation designed to make a device very easy to use for the dimmest of users, is usually fallible.

Archived
This topic is now archived and is closed to further replies.