FreeBSD v1.0 announced 21 years ago today

by
in bsd on (#2TW4)
Wow, we're getting old. FreeBSD v1.0 was announced 21 years ago today; it was considered the first "production ready" version of the now popular operating system. The original announcement is here.
From: jkh@whisker.lotus.ie (Jordan K. Hubbard)
Newsgroups: comp.os.386bsd.announce
Subject: FreeBSD 1.0 RELEASE now available
Date: 1 Nov 1993 16:12:20 -0800

The first "official" release of FreeBSD 1.0 is now available, no more greek letters - this is the "production" release.

While a fair number of bugs were also whacked between EPSILON and RELEASE, the following additional features deserve special mention:

A dynamic buffer cache mechanism that automagically grows and shrinks as you use the memory for other things. This should speed up disk operations significantly.
The Linux sound driver for Gravis UltraSound, SoundBlaster, etc. cards.
Mitsumi CDROM interface and drive.
Updated install floppies.
More fail-safe probing of devices on the ISA bus. This makes it much harder for devices to conflict with each other.
Advance syscons support for XFree86 2.0.
Of course, Jordan Hubbard is still with us and still helping make FreeBSD awesome. But we've come a long way since XFree86 2.0 and the Intel 386 architecture. Where were you in 1993? What's changed in your computing lifestyle since then?

Recently discovered bug means most or all Drupal sites have been compromised

by
in internet on (#2TW2)
Drupal is an open source content management system and more that powers millions of websites worldwide. Liked for its configurability and endless extension through modules, Drupal is a huge part of Web 2.0. And it's been thoroughly rooted. The BBC is reporting:
In its "highly critical" announcement, Drupal's security team said anyone who did not take action within seven hours of the bug being discovered on 15 October should "proceed under the assumption" that their site was compromised. Anyone who had not yet updated should do so immediately, it warned. However, the team added, simply applying this update might not remove any back doors that attackers have managed to insert after they got access. Sites should begin investigations to see if attackers had got away with data, said the warning.

"Attackers may have copied all data out of your site and could use it maliciously," said the notice. "There may be no trace of the attack." It also provided a link to advice that would help sites recover from being compromised.
This one is nasty. Security researcher Graham Cluly reports:
According to the company, "automated attacks" started to hit websites running Drupal version 7 within a matter of hours of it disclosing a highly critical SQL injection vulnerability on October 15th.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

If a site using a vulnerable version of the Drupal CMS is attacked, hackers could steal information from the site or open backdoors to allow them continued remote access to the system.
If your site has been compromised, this Drupal help page gives you an answer to the question "Now what do I do?" But here's a tip from your friendly editor zafiro17: Step one is "pour yourself a nice glass of scotch and drink it. You're going to be wiping the site and starting over." No charge for that advice.

[Ed. note: This just in from Joomla: "Nyah nyah!"]

How one man found his private files on the Apple Cloud without his consent

by
Anonymous Coward
in security on (#2TVZ)
Last week Apple was being hailed as the white knight of user privacy; this week it is being called out for uploading files to iCloud without sufficient warning. Bad times for Apple, whose blunder was a big one and is generating a lot of buzz. The Washington Post reports:
[Security researcher Jeffrey Paul] was not alone in either his frustration or surprise. Johns Hopkins University cryptographer Matthew D. Green tweeted his dismay after realizing that some private notes had found their way to iCloud. Bruce Schneier, another prominent cryptography expert, wrote a blog post calling the automatic saving function "both dangerous and poorly documented" by Apple.

The criticism was all the more notable because its target, Apple, had just enjoyed weeks of applause within the computer security community for releasing a bold new form of smartphone encryption capable of thwarting government searches - even when police got warrants. Yet here was an awkward flip side: Police still can gain access to files stored on cloud services, and Apple seemed determined to migrate more and more data to them.

Virgin Galactic's SpaceShipTwo Crashes: 1 Dead, 1 Injured

by
in space on (#2TVB)
Virgin Galactic's SpaceShipTwo was destroyed during a powered test flight today in Mojave, CA. This was the fourth powered test flight of SpaceShipTwo. There were two pilots on board the craft. Local law enforcement agencies have confirmed that one of the pilots was killed during the accident and the other was able to parachute from the craft, but was injured and had to be flown to a nearby hospital.

This test flight was the first for a new kind of fuel: a plastic similar to nylon. Previously, SpaceShipTwo had used a synthetic rubber fuel, one that had been giving engineers trouble for years as they tried to scale up the successful 3-seat SpaceShipOne prototype, which won the X Prize in 2004, to a much bigger vehicle using the same hybrid rocket design and fuel, and meant to carry tourists to suborbital space.

We're left to wonder what impact the accident will have on the nascent commercial spaceflight industry, which Branson has been working hard to characterize as safe. Friday's crash is a stark reminder that spaceflight is an inherently risky endeavor.

Halloween Friday Distro: Ubuntu Satanic Edition

by
in linux on (#2TTH)
When I proposed a Linux Distro every Friday, I'd hoped to mostly avoid distros that are simply "Ubuntu plus a theme and/or windowmanager choice" but this week it's impossible. World, meet Ubuntu Linux Satanic Edition, the most appropriate distro for a Halloween Friday. Linux for the Damned is their subtitle, and if you're planning on going off to hell after this and listening to all sorts of awesome death metal in the afterlife, this is probably for you.

So what is it? It's Ubuntu, with a special selection of wallpapers, and a pre-configured Eternity Screensaver set to play the "Eternal Damnation" ray-traced screensaver when it kicks in. I looked around a bit to figure out if there's anything to Ubuntu Satanic other than the screensaver and wallpapers and found something unique: this distro also comes preconfigured with a ton of metal music! I think preloading a soundtrack on a distro might be unique; at least, I am not aware of any other distros that take this approach. Install U/S and you too can enjoy dozens of tunes by the likes of Severed Fifth, Blueprint for Disaster, Music for the Damned, Frontside, Taste of Hell, Holy Pain, and ScapeGoat. To my surprise, most of the artists are French and all of it is licensed freely via Jamendo.

All of this supports U/S's motto: "Ubuntu Satanic Edition is dedicated to combining the best software with the heaviest music." U/S connects you to Ubuntu's own repos, so no worries about the best software consisting of a reduced subset. To those of you who are offended by the presence of a Satanic distro, no worries: there are Ubuntu Muslim Editions and Christian editions as well, all using the same repos - just think about that for a second.

Happy Halloween, Pipedotters! Next time, we'll go back to distros that offer more than superficial skins (although hopefully we'll find some more distros with awesome soundtracks).

Australia poised to introduce controversial data retention laws

by
Anonymous Coward
in legal on (#2TTE)
The Australian government has introduced data retention laws that are highly controversial. Under the new provisions, all internet data would be retained for two years, leading to additional expenses related to capturing and storing data that would cost Australian internet users $100 to $200 per year each. The data will be used for copyright enforcement and to track the exact location of mobile phone users.

The Australian Pirate Party is incensed, naturally, and states that this policy destroys any semblance of a free society.
"There are far too many flaws in this legislation to enumerate," said Brendan Molloy, President of the Pirate Party. "There has been no discussion as to why the current retention order provisions are insufficient. This legislation is disproportionate and unnecessary. 'Metadata' is ill-defined in such a way as to contain so much information that it is effectively the content of the communication, insofar that it contains the context and location of all communications. This is a massive issue for journalists, whistleblowers, activists, and a whole host of other persons whose activities are in many cases legal but perhaps not in the interests of the state to let happen without some level of harassment.

"There are significant issues relating to cost and security of the data. Steve Dalby of iiNet said yesterday that iiNet would consider storing the data where it is the cheapest, which includes Chinese cloud providers. There will be a significant 'surveillance tax' introduced by retailers to cover the costs of storing this data that nobody wants stored.
The data retention laws have been delayed in the legal process, but not stopped. Pipedotter Tanuki64 points out "Sooner or later this bill will go through. It is just a matter of time. Same in Germany. A data retention law was rejected several times, but is reintroduced in almost regular intervals. The interests behind these laws are powerful and they have to succeed only once. Once such a law is enacted, it is almost impossible to repeal it again."

Apple Pay Rival CurrentC Has Been Hacked

by
in security on (#2TT4)
TechCrunch reports:
MCX (Merchant Customer Exchange), the coalition of retailers including Walmart, Best Buy, Gap and others, who are backing a mobile payments solution CurrentC meant to rival newcomer Apple Pay, has been hacked.
CurrentC is still in its pilot phase. Only the emails of the early app testers have been stolen; no payment data or other personal information. Furthermore, since the project is still in the pilot phase, many of those emails belonged to dummy accounts.

Since there might be a war coming between CurrentC, Apple Pay, Google Wallet, and perhaps the established credit card companies, it would be easy to construct a nice conspiracy theory. However: never ascribe to malice that which is adequately explained by incompetence. And even incompetence does not describe it correctly. The developers of each of those systems on the one side are probably vastly outmatched by the black hats who try to break it on the other side. The black hats need to find only one single implementation error, while the developers have to anticipate everything. In cases like this, where real money can be made, Linus's Law is definitely applicable.

What does it mean for the customers? They should be extra careful. Neither Apple, nor Google, nor MCX has much experience as a payment service provider. Their technologies are new and will most certainly have weaknesses, which is bad. But these systems will also be uncharted waters for the courts, which for a duped user might be even worse. So before using one of those shiny new and convenient payment options: read the fine print in the contracts. Check who carries the risk and the burden of proof in case of misuse.

ChromeOS and Android to remain separate for now

by
in mobile on (#2TS3)
CNET just interviewed Brian Rakowski, Google's vice president of product management for Android, who has confirmed that the two teams in charge of the Android mobile device software and the Chrome OS software for PCs [should] work together much more. But that won't mean sweeping changes, at least for now.

"There's no plans to change the way the products work," said Rakowski. That might be disappointing to fans of Android who were hoping to see convergence of the two product lines as a result of internal reorganization that sees both Android and Chrome being developed under the same division.
Android and Chrome, both headed by Google Senior Vice President Sundar Pichai, are important businesses to Google. The company's cash cow is still search and advertising -- now a $50 billion a year business -- but Google CEO and co-founder Larry Page has called Android "the future" of the company.
There's some more, related commentary at OSNews.

wget prior to 1.16 allows for a web server to write arbitrary files on the client side

by
Anonymous Coward
in security on (#2TS1)
Here's a concern for most of us. Be aware that the popular program wget, in versions prior to 1.16, allows an FTP server to write arbitrary files on the client side. Wget is commonly used in shell scripts to get files or web pages from servers for further processing locally. Wget has many other uses as well, and is an important part of much command line sorcery.

A Metasploit module is available for testing:

https://github.com/rapid7/metasploit-framework/pull/4088

The disclosure is here:

https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

Red Hat's bug is here:

https://bugzilla.redhat.com/show_bug.cgi?id=1139181
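The story above says only that a malicious FTP server could make an old wget write files outside the directory it was told to download into, and the disclosure title names symlinks as the mechanism. The following is an added illustration of the client-side defence and is not wget's code: every server-supplied file name is treated as untrusted, names that are absolute or contain `..` are refused, and the write refuses to pass through any symlink (checked beforehand and enforced again at open time with `O_NOFOLLOW`). The directory names, the fake listing and the function names are all constructed for this example.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


def is_safe_relative_name(name: str) -> bool:
    """True only if a server-supplied name stays inside the download directory.

    Rejects empty names, NUL bytes, absolute paths and '..' segments.
    ('.' and doubled slashes are normalised away by PurePosixPath.)
    """
    if not name or "\x00" in name:
        return False
    p = PurePosixPath(name)
    if p.is_absolute() or not p.parts:
        return False
    return all(part not in ("", ".", "..") for part in p.parts)


def write_fetched_file(base_dir: str, name: str, data: bytes) -> Path:
    """Write `data` to base_dir/name, refusing any path that escapes base_dir."""
    if not is_safe_relative_name(name):
        raise ValueError(f"unsafe remote file name rejected: {name!r}")
    base = Path(base_dir).resolve()
    target = base / name
    # Create intermediate directories, but never descend through a symlink:
    # a link planted earlier in the session is exactly how a listing can
    # redirect later writes out of the download tree.
    current = base
    for part in target.relative_to(base).parts[:-1]:
        current = current / part
        if current.is_symlink():
            raise ValueError(f"refusing to traverse symlink: {current}")
        current.mkdir(exist_ok=True)
    if target.is_symlink():
        raise ValueError(f"refusing to write through symlink: {target}")
    # O_NOFOLLOW closes the race between the check above and the open.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run a constructed hostile listing against a fresh download directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        download = Path(tmp) / "download"
        download.mkdir()
        outside = Path(tmp) / "outside"   # stands in for e.g. the user's home
        outside.mkdir()
        # Constructed scenario: a symlink already present in the download
        # tree that points outside it, the kind of escape the advisory refers to.
        (download / "escape").symlink_to(outside, target_is_directory=True)
        # Constructed listing of names a malicious server might hand out.
        listing = {
            "README.txt": b"harmless content",
            "../evil.sh": b"#!/bin/sh\n",
            "/etc/passwd": b"x",
            "escape/authorized_keys": b"ssh-rsa AAAA...",
        }
        for name, payload in listing.items():
            try:
                write_fetched_file(str(download), name, payload)
                results[name] = "written"
            except (ValueError, OSError) as exc:
                results[name] = f"rejected ({exc.__class__.__name__})"
        # Nothing may have landed outside the download directory.
        results["outside_empty"] = not any(outside.iterdir())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!s:28} {outcome}")
```

Only `README.txt` is written; the traversal, absolute and symlink cases are refused and the `outside` directory stays empty. The pre-check on each component plus `O_NOFOLLOW` at open is the same two-layer idea that fixed mirroring clients adopt: validate the name, then make the kernel enforce the decision.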

Orbital Sciences' Antares rocket and Cygnus cargo spacecraft explodes moments after launch

by
in space on (#2TRQ)
An unmanned NASA-contracted rocket exploded early Tuesday evening along the eastern Virginia coast, causing a huge fireball. Video shows the rocket rising into the air for a few seconds before an explosion. It then plummets back to Earth, causing more flames as it hits the ground. NASA tweeted that the failure occurred six seconds after launch. Afterward, the launch director said on NASA's feed that all personnel were accounted for and that no injuries were reported.

According to NASA, the Orbital Sciences Corp.'s Antares rocket and Cygnus cargo spacecraft were set to launch at 6:22 p.m. ET from the Wallops Flight Facility along the Atlantic Ocean. It was set to carry some 5,000 pounds of supplies and experiments to the International Space Station. Since the end of NASA's space shuttle program, it has relied on private companies -- specifically Orbital Sciences and SpaceX -- to bring materials to the space station, albeit using NASA facilities for launch. Tuesday's launch was supposed to be the fourth flight for Orbital until it ended, as the company acknowledged in a statement, in "catastrophic failure," marking the first accident since NASA turned to private operators to deliver cargo to the International Space Station.