Story 2014-11-02

FreeBSD v1.0 announced 21 years ago today

in bsd on (#2TW4)
Wow, we're getting old. FreeBSD v1.0 was announced 21 years ago today; it was considered the first "production ready" version of the now popular operating system. The original announcement is here.
From: jkh@whisker.lotus.ie (Jordan K. Hubbard)
Newsgroups: comp.os.386bsd.announce
Subject: FreeBSD 1.0 RELEASE now available
Date: 1 Nov 1993 16:12:20 -0800

The first "official" release of FreeBSD 1.0 is now available, no more Greek letters - this is the "production" release.

While a fair number of bugs were also whacked between EPSILON and RELEASE, the following additional features deserve special mention:

A dynamic buffer cache mechanism that automagically grows and shrinks as you use the memory for other things. This should speed up disk operations significantly.
The Linux sound driver for Gravis UltraSound, SoundBlaster, etc. cards.
Mitsumi CDROM interface and drive.
Updated install floppies.
More fail-safe probing of devices on the ISA bus. This makes it much harder for devices to conflict with each other.
Advance syscons support for XFree86 2.0.
Of course, Jordan Hubbard is still with us and still helping make FreeBSD awesome. But we've come a long way since XFree86 2.0 and the Intel 386 architecture. Where were you in 1993? What's changed in your computing lifestyle since then?

Recently discovered bug means most or all unpatched Drupal 7 sites have been compromised

in internet on (#2TW2)
Drupal is an open source content management system (and a good deal more) that powers millions of websites worldwide. Liked for its configurability and endless extension through modules, Drupal is a huge part of Web 2.0. And a large share of its installed base has just been thoroughly rooted. The BBC is reporting:
In its "highly critical" announcement, Drupal's security team said anyone who did not take action within seven hours of the bug being discovered on 15 October should "proceed under the assumption" that their site was compromised. Anyone who had not yet updated should do so immediately, it warned. However, the team added, simply applying this update might not remove any back doors that attackers have managed to insert after they got access. Sites should begin investigations to see if attackers had got away with data, said the warning.

"Attackers may have copied all data out of your site and could use it maliciously," said the notice. "There may be no trace of the attack." It also provided a link to advice that would help sites recover from being compromised.
This one is nasty. Security researcher Graham Cluley reports:
According to the company, "automated attacks" started to hit websites running Drupal version 7 within a matter of hours of it disclosing a highly critical SQL injection vulnerability on October 15th.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

If a site using a vulnerable version of the Drupal CMS is attacked, hackers could steal information from the site or open backdoors to allow them continued remote access to the system.
If your site has been compromised, this Drupal help page gives you an answer to the question "Now what do I do?" But here's a tip from your friendly editor zafiro17: step one is "pour yourself a nice glass of scotch and drink it. You're going to be wiping the site and starting over." No charge for that advice.
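The PSA quoted above gives a hard rule (updated or patched before 15 Oct 2014, 23:00 UTC, or assume compromise), but not a way to tell where a given code tree stands. The following is an added example, written for this page and not Drupal's own tooling or anything from the advisory: it inspects the two core files that matter. Drupal 7 keeps its version in includes/bootstrap.inc as define('VERSION', '7.xx'), and the 7.32 fix for SA-CORE-2014-005 is a one-line change in DatabaseConnection::expandArguments() in includes/database/database.inc, wrapping the expanded array in array_values() so that caller-controlled array keys no longer reach the SQL placeholder names. Because the security patch alone does not bump VERSION, the check looks for the fixed loop itself rather than trusting the version string; the sample file contents are constructed here, and the optional patched_at timestamp is whatever you can establish from your own deploy records, not something the script can discover reliably.

```python
"""Heuristic check of a Drupal 7 code tree against SA-CORE-2014-005.

Added example, not Drupal's code. Reads includes/bootstrap.inc for the
VERSION constant and includes/database/database.inc for the shape of the
expandArguments() loop that 7.32 changed from

    foreach ($data as $i => $value) {            # vulnerable
to
    foreach (array_values($data) as $i => $value) {   # fixed
"""
import re
from datetime import datetime, timezone

# Cutoff from Drupal's PSA: patched before this, do not assume compromise.
CUTOFF = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)
FIXED_VERSION = (7, 32)

VERSION_RE = re.compile(
    r"define\(\s*'VERSION'\s*,\s*'([0-9]+(?:\.[0-9]+)*)[^']*'\s*\)")
VULN_LOOP = re.compile(
    r"foreach\s*\(\s*\$data\s+as\s+\$i\s*=>\s*\$value\s*\)")
FIXED_LOOP = re.compile(
    r"foreach\s*\(\s*array_values\(\s*\$data\s*\)\s+as\s+\$i\s*=>\s*\$value\s*\)")


def utc(*parts):
    """Small helper so callers can build timezone-aware UTC timestamps."""
    return datetime(*parts, tzinfo=timezone.utc)


def parse_version(bootstrap_src):
    """Return the VERSION constant as a tuple, e.g. (7, 31), or None."""
    m = VERSION_RE.search(bootstrap_src)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def expand_arguments_fixed(database_src):
    """True if the array_values() fix is present, False if the vulnerable
    loop is present, None if neither pattern is found (tree patched some
    other way, or not a Drupal 7 database.inc at all)."""
    if FIXED_LOOP.search(database_src):
        return True
    if VULN_LOOP.search(database_src):
        return False
    return None


def assess(bootstrap_src, database_src, patched_at=None):
    """Combine both signals with the PSA's cutoff.

    patched_at: aware datetime from your own deploy records (file mtimes
    are forgeable and are reset by many deploy tools, so they are not used).
    """
    version = parse_version(bootstrap_src)
    fixed = expand_arguments_fixed(database_src)
    if fixed is False:
        status = "vulnerable"
    elif fixed is True or (version is not None and version >= FIXED_VERSION):
        status = "patched"
    else:
        status = "unknown"

    if status != "patched":
        assume_compromised = True          # still exposed: PSA says assume it
    elif patched_at is None:
        assume_compromised = None          # patched, but nobody knows when
    else:
        assume_compromised = patched_at >= CUTOFF
    return {"version": version, "status": status,
            "assume_compromised": assume_compromised}


# Constructed samples shaped like the relevant lines of the two core files.
SAMPLE_BOOTSTRAP_731 = "<?php\ndefine('VERSION', '7.31');\n"
SAMPLE_BOOTSTRAP_732 = "<?php\ndefine('VERSION', '7.32');\n"
SAMPLE_DATABASE_VULN = """
    foreach (array_filter($args, 'is_array') as $key => $data) {
      $new_keys = array();
      foreach ($data as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
      }
"""
SAMPLE_DATABASE_FIXED = SAMPLE_DATABASE_VULN.replace(
    "foreach ($data as", "foreach (array_values($data) as")

if __name__ == "__main__":
    print(assess(SAMPLE_BOOTSTRAP_731, SAMPLE_DATABASE_VULN))
    print(assess(SAMPLE_BOOTSTRAP_732, SAMPLE_DATABASE_FIXED,
                 patched_at=utc(2014, 10, 15, 20, 0)))
```

To run it against a real site, read the two files from the document root and pass their contents to assess(). A "patched" result only says the hole is closed now; whether the site was already visited is exactly the question the PSA tells you not to answer optimistically, which is why the verdict stays at None without a trustworthy patch time.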

[Ed. note: This just in from Joomla: "Nyah nyah!"]

How one man found his private files in Apple's iCloud without his consent

by
Anonymous Coward
in security on (#2TVZ)
Last week Apple was being hailed as the white knight of user privacy; this week it is being called out for uploading files to iCloud without sufficient warning. Bad times for Apple: the blunder is a big one and is generating a lot of buzz. The Washington Post reports:
[Security researcher Jeffrey Paul] was not alone in either his frustration or surprise. Johns Hopkins University cryptographer Matthew D. Green tweeted his dismay after realizing that some private notes had found their way to iCloud. Bruce Schneier, another prominent cryptography expert, wrote a blog post calling the automatic saving function "both dangerous and poorly documented" by Apple.

The criticism was all the more notable because its target, Apple, had just enjoyed weeks of applause within the computer security community for releasing a bold new form of smartphone encryption capable of thwarting government searches - even when police got warrants. Yet here was an awkward flip side: Police still can gain access to files stored on cloud services, and Apple seemed determined to migrate more and more data to them.