How not to handle a critical security vulnerability
-
For anyone who hasn't already seen this [url=http://www.reddit.com/r/programming/comments/1gfve8/how_not_to_handle_a_critical_security/]on reddit[/url]:
[url]http://www.webhostingtalk.com/showthread.php?t=1275572[/url]
-
I feel sick now.
On an unrelated note, today is my I-fell-out-of-a-vagina-day!
-
@Ben L. said:
..today is my I-fell-out-of-a-vagina-day!
Sorry to hear that, dude. Some guys continue to grow down there until their early 20s, so don't give up hope.
-
@immibis said:
http://www.webhostingtalk.com/showthread.php?t=1275572
And linked from that one, http://www.webhostingtalk.com/showthread.php?t=871428 (software sends your root password to support@zamfoo.com.)
-
@kevin@zamfoo said:
You publish a vulnerability your done forever. You threaten us again and your done forever.
*you're
-
@PJH said:
@immibis said:
http://www.webhostingtalk.com/showthread.php?t=1275572
And linked from that one, http://www.webhostingtalk.com/showthread.php?t=871428 (software sends your root password to support@zamfoo.com.)
Actually, that topic is about a different kind of WTF. Basically, the author of the Zamfoo software accidentally released some code which dumped all environment variables in a mail to the support. Not too bad, were it not that some other piece of s**tware found it a good idea to store an administrator password in an environment variable so that CGI components could use it.
EDIT: See http://www.webhostingtalk.com/showpost.php?p=6264754&postcount=19
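The two mistakes PJH describes (a support mailer that dumps the whole environment, and a panel that parks an administrator password in an environment variable) combine into a credential leak. The following is an added example, not Zamfoo's or cPanel's code: it redacts an environment dump before it goes into a support report, by variable name and also by value shape (so a password embedded in a DSN under an innocent name is caught too). All variable names and sample values are constructed.

```python
import re
from typing import Dict, List, Tuple

# Variable names that commonly carry credentials (case-insensitive).
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD|WD)?|PWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL|AUTH)",
    re.IGNORECASE,
)
# Values that embed a credential even under a harmless-looking name:
# a "scheme://user:password@host" DSN, or a "password=..." style pair.
SENSITIVE_VALUE = re.compile(
    r"://[^/\s:]+:[^@\s]+@|(?i:pass(word)?|secret|token)=\S+"
)
MASK = "<redacted>"

# Constructed sample environment, the kind a CGI plugin would see.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "REMOTE_ADDR": "192.0.2.10",
    "SCRIPT_NAME": "/cgi-bin/plugin.cgi",
    "WHM_ROOT_PASS": "hunter2",                          # constructed name/value
    "DB_DSN": "mysql://admin:s3cret@localhost/panel",   # credential hidden in a value
}


def redact_env(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return a copy of env safe to ship in a report, plus the names redacted."""
    cleaned: Dict[str, str] = {}
    redacted: List[str] = []
    for name, value in env.items():
        if SENSITIVE_NAME.search(name) or SENSITIVE_VALUE.search(value):
            cleaned[name] = MASK
            redacted.append(name)
        else:
            cleaned[name] = value
    return cleaned, redacted


def build_support_report(env: Dict[str, str]) -> str:
    """Render the redacted environment as key=value lines with an audit footer."""
    cleaned, redacted = redact_env(env)
    lines = [f"{k}={v}" for k, v in sorted(cleaned.items())]
    lines.append(f"# {len(redacted)} variable(s) redacted: {', '.join(sorted(redacted))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_support_report(SAMPLE_ENV))
```

The audit footer lists which names were masked, so an operator can tell the report was scrubbed rather than silently truncated.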
-
@immibis said:
For anyone who hasn't already seen this on reddit:
http://www.webhostingtalk.com/showthread.php?t=1275572
Wow! I just spent a joyful 40 minutes reading through the entire thread, with frequent departures to see Kevin's other masterful attempts at customer-communication. Eye-watering!
-
@JBert said:
http://www.webhostingtalk.com/showpost.php?p=6264754&postcount=19
Not the point. It's the root password (why it needs to be entered is another WTF in and of itself,) and it was being sent to a 3rd party.
-
@PJH said:
@JBert said:
http://www.webhostingtalk.com/showpost.php?p=6264754&postcount=19
Not the point. It's the root password (why it needs to be entered is another WTF in and of itself,) and it was being sent to a 3rd party.
I'll just leave this here: http://www.zamfoo.com/updatezamfoo
-
What the fuck is a Zamfoo? Isn't that the PBS show with the Kratt Brothers and a lemur puppet?
On a related note, TRWTF is how that site always scrolls down a few lines on loading in Chrome.
-
@SamC said:
I'll just leave this here: http://www.zamfoo.com/updatezamfoo
Well, yes - I seem to recall that was mentioned as well. The whole operation stinks of amateur hour.
-
@MiffTheFox said:
What the fuck is a Zamfoo?
3rd party tool to use with WHM/cPanel, which (if you're not aware) themselves are one of the 'professional' software suites (Parallels/Plesk is another) for those who have managed hosting, and typically used for resellers.
Basically they're web-based GUIs for those who don't know how to run/configure a server remotely from the command line, and this idiot - who could do with some lessons in customer relations - wrote a highly insecure/buggy plugin for the GUI.
-
@Ben L. said:
today is my I-fell-out-of-a-vagina-day!
And you'll spend the rest of your life trying to get into one.
-
@El_Heffe said:
@Ben L. said:
today is my I-fell-out-of-a-vagina-day!
And you'll spend the rest of your life trying to get into one.
That seems doubtful. Given the average poster around here, he'll probably spend the rest of his life trying to get into a small hole cut in a fox fursuit.
-
-
@SamC said:
@PJH said:
@JBert said:
http://www.webhostingtalk.com/showpost.php?p=6264754&postcount=19
Not the point. It's the root password (why it needs to be entered is another WTF in and of itself,) and it was being sent to a 3rd party.
I'll just leave this here: http://www.zamfoo.com/updatezamfoo
Fools! It's not working on Ubuntu!
Also the no-ssl part is important (our script did not trash your server, your root password was intercepted on your side of internet!).
-
@skotl said:
@immibis said:
For anyone who hasn't already seen this on reddit:
http://www.webhostingtalk.com/showthread.php?t=1275572
Wow! I just spent a joyful 40 minutes reading through the entire thread, with frequent departures to see Kevin's other masterful attempts at customer-communication. Eye-watering!
I got stuck reading that thread too, and when I saw that link I actually LOLed. That's the domain of the pissy dude who wrote the root script (kevin).
-
@SamC said:
@PJH said:
@JBert said:
http://www.webhostingtalk.com/showpost.php?p=6264754&postcount=19
Not the point. It's the root password (why it needs to be entered is another WTF in and of itself,) and it was being sent to a 3rd party.
I'll just leave this here: http://www.zamfoo.com/updatezamfoo
-
@Ronald said:
@skotl said:
@immibis said:
For anyone who hasn't already seen this on reddit:
http://www.webhostingtalk.com/showthread.php?t=1275572
Wow! I just spent a joyful 40 minutes reading through the entire thread, with frequent departures to see Kevin's other masterful attempts at customer-communication. Eye-watering!
I got stuck reading that thread too, and when I saw that link I actually LOLed. That's the domain of the pissy dude who wrote the root script (kevin).
Yeah - it's mentioned in the long thread that the twat let his domain lapse so someone jumped on it, registered it, and created that lovely little him page :-)
-
@morbiuswilters said:
Given the average poster around here, he'll probably spend the rest of his life trying to get into a small hole cut in a fox fursuit.
Never understood how people could prefer a fursuit instead of a real foxhole.
-
I spent way too much time reading through it, but it reminds me of Intel and the Pentium bug. They went through a number of missteps. If I remember, their communications to the public went something like this (in order):
- Not an issue
- Not a big issue, not doing anything
- Not a big issue, fixing it in a future update.
- Customers demand recalls/refunds
- Intel: Prove to us that you have encountered the bug in your normal course of work, and we will replace your processor.
- Silence for a few days
- Intel hires a PR Manager to handle future public communications
- Intel recalls and will replace defective processors.
Unfortunately, the dumb customers asking for the impossible, etc. etc. seem to wear on the tech people and they end up with the arrogant attitude. I have seen it too many times. Eventually, it either kills their business, they learn, or they get someone else to handle the communications.
-
@Liquid Egg Product said:
@morbiuswilters said:
Given the average poster around here, he'll probably spend the rest of his life trying to get into a small hole cut in a fox fursuit.
Never understood how people could prefer a fursuit instead of a real foxhole.
He's just expressing his own repressed desires.
-
@drurowin said:
@Liquid Egg Product said:
@morbiuswilters said:
Given the average poster around here, he'll probably spend the rest of his life trying to get into a small hole cut in a fox fursuit.
Never understood how people could prefer a fursuit instead of a real foxhole.
He's just expressing his own repressed desires.
Furophobe.
-
@morbiuswilters said:
@drurowin said:
@Liquid Egg Product said:
@morbiuswilters said:
Given the average poster around here, he'll probably spend the rest of his life trying to get into a small hole cut in a fox fursuit.
Never understood how people could prefer a fursuit instead of a real foxhole.
He's just expressing his own repressed desires.
Furophobe.
At least I don't suffer from [url="http://www.tandfonline.com/doi/abs/10.1080/00224490902747727#.UcDGwpyP2lg"]autoplushophilia[/url] and masturbate to the thought of not just being in a fursuit, but being a giant life-size stuffed animal like [url="http://forums.thedailywtf.com/members/dhromed.aspx"]certain[/url] [url="http://forums.thedailywtf.com/members/Ben-L_2E00_.aspx"]forum[/url] [url="http://forums.thedailywtf.com/members/El_5F00_Heffe.aspx"]regulars[/url].
-
@drurowin said:
but being a giant life-size stuffed animal like certain forum regulars.
I and The_Jeff have never implied any such desire, although Heffe is represented by a little doggy.
You're thinking of this guy.
-
-
@drurowin said:
@morbiuswilters said:
@drurowin said:
@Liquid Egg Product said:
@morbiuswilters said:
Given the average poster around here, he'll probably spend the rest of his life trying to get into a small hole cut in a fox fursuit.
Never understood how people could prefer a fursuit instead of a real foxhole.
He's just expressing his own repressed desires.
Furophobe.
At least I don't suffer from autoplushophilia and masturbate to the thought of not just being in a fursuit, but being a giant life-size stuffed animal like certain forum regulars.
I don't trust people who got 5F00s or E200s in their URL. Those URLs don't sound healthy.
-
@morbiuswilters said:
@dhromed said:
You're thinking of this guy.
HISSSSSSSSSS
All your anger simply comes from a troubled past.
But it's okay now. You're among friends. Be yourself. Be free.
Embrace your desire for Nepeta cosplay. Google it. Inspire yourself.
-
@dhromed said:
@morbiuswilters said:
@dhromed said:
You're thinking of this guy.
HISSSSSSSSSS
All your anger simply comes from a troubled past.
But it's okay now. You're among friends. Be yourself. Be free.
Among friends only? That's something the guys running PRISM would want us to think....oh crap...
-
@Liquid Egg Product said:
Among friends only? That's something the guys running PRISM would want us to think....oh crap...
I yearn for the day where internet denizens everywhere will be able to talk about something completely unrelated to the NSA/PRISM without somehow bringing up the NSA/PRISM.
-
@Liquid Egg Product said:
@dhromed said:
@morbiuswilters said:
@dhromed said:
You're thinking of this guy.
HISSSSSSSSSS
All your anger simply comes from a troubled past.
But it's okay now. You're among friends. Be yourself. Be free.
Among friends only? That's something the guys running PRISM would want us to think....oh crap...
You Americans have nothing to fear from the NSA. It's honest minding-our-own-business "dangerous" foreigners that have to watch our fucking backs on the Internet now.
-
@drurowin said:
You Americans have nothing to fear from the NSA.
Probably not.
@drurowin said:
It's honest minding-our-own-business "dangerous" foreigners that have to watch our fucking backs on the Internet now.
If you're honest and minding your own business, you'll probably be fine. If you have nothing to hide, you have nothing to worry about.
-
@morbiuswilters said:
@drurowin said:
It's honest minding-our-own-business "dangerous" foreigners that have to watch our fucking backs on the Internet now.
If you're honest and minding your own business, you'll probably be fine. If you have nothing to hide, you have nothing to worry about.
So then why does the government have to hide so much from us?
-
@MiffTheFox said:
@morbiuswilters said:
@drurowin said:
It's honest minding-our-own-business "dangerous" foreigners that have to watch our fucking backs on the Internet now.
If you're honest and minding your own business, you'll probably be fine. If you have nothing to hide, you have nothing to worry about.
So then why does the government have to hide so much from us?
Governments usually hide fuck-ups, so that's probably as safe a guess as any.
Also, the default posture for any defense-related agency is secrecy ("NSA cafeteria menu? Classified!"). That's because: see above.
-
@morbiuswilters said:
If you have nothing to hide, you have nothing to worry about.
Stop saying bullshit like this. I have lots to hide, which is everything I don't wish to share. Period.
-
@dhromed said:
@morbiuswilters said:
If you have nothing to hide, you have nothing to worry about.
Stop saying bullshit like this. I have lots to hide, which is everything I don't wish to share. Period.
Depends on how you look at it; assuming one way I agree with "everything I don't wish to share", but looking at it realistically anyone who is willing to expend even a little effort can find the info about you (yes they have to break a few laws that the gov doesn't with the plans, but it's not much) so it doesn't make that big a difference.
-
@dhromed said:
@morbiuswilters said:
If you have nothing to hide, you have nothing to worry about.
Stop saying bullshit like this. I have lots to hide, which is everything I don't wish to share. Period.
This from a man who doesn't bother hiding his purple dildo.
-
@dhromed said:
@morbiuswilters said:
If you have nothing to hide, you have nothing to worry about.
Stop saying bullshit like this. I have lots to hide, which is everything I don't wish to share. Period.
I believe that is the only time I've said that phrase. And I would never agree with it domestically, but part of the reason we have a Federal government is to spy on and kill foreigners. It's nice that our horrible bureaucracy is turned on someone outside the country, for once.
-
@lettucemode said:
I yearn for the day where internet denizens everywhere will be able to talk about something completely unrelated to the NSA/PRISM without somehow bringing up the NSA/PRISM.
If it weren't for that damn Isaac Newton, prisms would have been the furthest thing from my mind. Feel free to piss on his grave; it's well-established he was kind of a douche anyway.
-
@morbiuswilters said:
@dhromed said:
@morbiuswilters said:
If you have nothing to hide, you have nothing to worry about.
Stop saying bullshit like this. I have lots to hide, which is everything I don't wish to share. Period.
I believe that is the only time I've said that phrase. And I would never agree with it domestically, but part of the reason we have a Federal government is to spy on and kill foreigners. It's nice that our horrible bureaucracy is turned on someone outside the country, for once.
I wouldn't have expected you to have such great confidence that the government wouldn't, intentionally or not, end up spying on citizens.
-
@Liquid Egg Product said:
If it weren't for that damn Isaac Newton, prisms would have been the furthest thing from my mind. Feel free to piss on his grave; it's well-established he was kind of a douche anyway.
Color theorists curse Newton's name every time they have to deal with the color indigo, since it's just something he made up with no basis in reality so he can say that there's 7 colors in the rainbow (he had a big 7 motif since he believed in numerology).
-
@MiffTheFox said:
Color theorists curse Newton's name every time they have to deal with the color indigo, since it's just something he made up with no basis in reality so he can say that there's 7 colors in the rainbow (he had a big 7 motif since he believed in numerology).
Fuck color theorists.
-
@Liquid Egg Product said:
I wouldn't have expected you to have such great confidence that the government wouldn't, intentionally or not, end up spying on citizens.
Depends on the level of spying and depends on what they do with it. They legally can't use it against me in criminal proceedings, so I'm not too worried about that.
-
@MiffTheFox said:
@Liquid Egg Product said:
If it weren't for that damn Isaac Newton, prisms would have been the furthest thing from my mind. Feel free to piss on his grave; it's well-established he was kind of a douche anyway.
Color theorists curse Newton's name every time they have to deal with the color indigo, since it's just something he made up with no basis in reality so he can say that there's 7 colors in the rainbow (he had a big 7 motif since he believed in numerology).
Indigo's a real color. How is it any less legit than orange or yellow or violet?
-
@morbiuswilters said:
@Liquid Egg Product said:
I wouldn't have expected you to have such great confidence that the government wouldn't, intentionally or not, end up spying on citizens.
Depends on the level of spying and depends on what they do with it. They legally can't use it against me in criminal proceedings, so I'm not too worried about that.
That is exactly why we'll never get to listen to the FBI tapes where MLK can be heard beating prostitutes and having sex with underage boys.
-
@Ronald said:
That is exactly why we'll never get to listen to the FBI tapes where MLK can be heard beating prostitutes and having sex with underage boys.
I thought it was just sex with prostitutes. Citation on the beatings and the boys?
-
@morbiuswilters said:
@Ronald said:
That is exactly why we'll never get to listen to the FBI tapes where MLK can be heard beating prostitutes and having sex with underage boys.
I thought it was just sex with prostitutes. Citation on the beatings and the boys?
Check out this site.
-
@Ronald said:
@MiffTheFox said:
Color theorists curse Newton's name every time they have to deal with the color indigo, since it's just something he made up with no basis in reality so he can say that there's 7 colors in the rainbow (he had a big 7 motif since he believed in numerology).
Fuck color theorists.
Is that the new euphemism for racists?
-
@boomzilla said:
@Ronald said:
@MiffTheFox said:
Color theorists curse Newton's name every time they have to deal with the color indigo, since it's just something he made up with no basis in reality so he can say that there's 7 colors in the rainbow (he had a big 7 motif since he believed in numerology).
Fuck color theorists.
Is that the new euphemism for racists?
Black and white aren't colors. Black is the absence of any light (or soul). And white is the pure mingling of all colors.
-
@morbiuswilters said:
Black and white aren't colors.
Fuck you. I hate that bullshit you fucking color theorist.