Shellshock: ‘Larger scale attack’ on its way, warn securo-bods

Apple FINALLY patches the ‘don’t worry’ Bash Shellshock vuln

Apple Releases Patches for Shellshock Bug

Every Mac Is Vulnerable to the Shellshock Bash Exploit: Here’s How to Patch OS X
— i upgraded from v.3.2.51(1) to v.3.2.53(1) according to their directions for pre-mavericks computers, and, according to the test i posted last week the system is no longer “vulnerable”, but, because of the fact that it doesn’t actually give a response other than “this is a test”, i can’t tell for sure whether or not they’ve actually patched shellshock, or whether they have just turned off the error message… it would be really nice if i could just upgrade to the current GNU release, which is v.4.3… this is why i am no longer a mac-head… 😐

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7


Firms BASH Bash bug with new round of Shellshock patches

Cisco splats Bash bug in busy swatting season

i’ve run three rounds of security updates in the past three days, and bash was updated in every one of ’em… eventually they’re gonna fix it for real… maybe i’ll just revert to using csh… or zsh (which was written by paul falstad, my former manager and coworker at openwave) 😐



The ‘Shellshock’ Bash vulnerability and what it means for OS X

Apple: Most OS X users safe from ‘Shellshock’ exploit, patch coming quickly for advanced Unix users — which, of course, is a blatant falsehood… all macs are as much at risk as -x was, and -x had a patch yesterday… this is why i am no longer a mac-head… 😐

Apple working on “Shellshock” fix, says most users not at risk [Updated] — which includes the following information:

Mac OS X uses version 3.2.51.(1) of GNU bash, released in 2007; the current GNU release of the shell is bash 4.3. However, the current version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms, even dropping the open-source Windows networking service Samba from OS X server in 2011 because Samba had shifted to a GPLv3 license. Therefore, although patches for the vulnerability have now been pushed out for most open-source operating systems, Apple executives may feel they have to have their own developers make modifications to the bash code.

this is the explanation why i haven’t been able to get SAMBA to work on my mac… grumble, mutter… 😐

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole

shellshock update: linux has been patched, mac not so much…

‘Shellshock’ Bug Spells Trouble for Web Security
by Brian Krebs

The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems — particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.

The problem resides with a weakness in the GNU Bourne Again Shell (Bash), the text-based, command-line utility on multiple Linux and Unix operating systems. Researchers discovered that if Bash is set up to be the default command line utility on these systems, it opens those systems up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts, from telnet and secure shell (SSH) sessions to Web requests.

According to several security firms, attackers are already probing systems for the weakness, and that at least two computer worms are actively exploiting the flaw to install malware. Jamie Blasco, labs director at AlienVault, has been running a honeypot on the vulnerability since yesterday to emulate a vulnerable system.

“With the honeypot, we found several machines trying to exploit the Bash vulnerability,” Blasco said. “The majority of them are only probing to check if systems are vulnerable. On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks.”

The vulnerability does not impact Microsoft Windows users (ed. for a change), but there are patches available for Linux and Unix systems. In addition, Mac users are likely vulnerable, although there is no official patch for this flaw from Apple yet. I’ll update this post if we see any patches from Apple.

The U.S.-CERT’s advisory includes a simple command line script that Mac users can run to test for the vulnerability. To check your system from a command line, type or cut and paste this text:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

US-CERT has a list of operating systems that are vulnerable. Red Hat and several other Linux distributions have released fixes for the bug, but according to US-CERT the patch has an issue that prevents it from fully addressing the problem.

The Shellshock bug is being compared to Heartbleed because it affects so many systems; determining which are vulnerable and developing and deploying fixes to them is likely to take time. However, unlike Heartbleed, which only allows attackers to read sensitive information from vulnerable Web servers, Shellshock potentially lets attackers take control over exposed systems.

“This is going to be one that’s with us for a long time, because it’s going to be in a lot of embedded systems that won’t get updated for a long time,” said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley. “The target computer has to be accessible, but there are a lot of ways that this turns accessibility into full local code execution. For example, could easily write a scanner that would basically scan every Web site on the planet for vulnerable (Web) pages.”

Stay tuned. This one could get interesting very soon.

which reminds me…

according to the “universal chart of telling when things actually happened” that i made several years ago, in late 1995 i lived in a rooming house in west seattle with a couple of crazy people, one of whom was Regan Fraser, older brother of Brendan Fraser, actor in such movies as “George Of The Jungle” and the Mummy series. at the time (and, to a certain extent, still), i was more or less ignorant of the exploits of brendan, so i wasn’t as “wowed” by my brush with the sibling of a star as i might have been otherwise, but it was pretty memorable anyway.

at the time, i was working as a micro$lut, doing the evil bidding of the great Gates himself. i had lulled myself into a false sense of security, because, even though i was working at microsoft headquarters (i never actually had an office on campus in redmond, but i had several “off campus” offices), i was working in their mac division, and never actually worked with windoesn’t until several years later.

this was back in the dark ages, when you could actually telnet to different servers, and, for the most part, there was no email spam, in part because it was before the discovery of the Word Concept Virus, which was capable of being sent over email. prior to the word concept virus, you actually had to have physical access to the computer, and install viruses from a disk, for them to be able to propagate… in other words, computer security was light-years away from where we are now.

when regan heard that i was working with networked computers, he came to me with a bold plan to get both of us filthy rich — or something — a prominent part of which involved me gaining access to his “rich brother’s” bank accounts over internet.

fortunately for me, i was just at the beginning of my realisation that i was, deep down, a computer geek, and also i was a rank newbie when it came to internet — i had survived perfectly well up until that time using a sneaker-net when i had to share documents, and i was just beginning to imagine why i would ever want anything more than that…

so i “tactfully” told him that, while what he proposed was likely possible, he was talking to the wrong guy when it came to actually cracking a computer and stealing stuff.

later, after i had moved into my own apartment, i heard, third-hand, that he had actually been arrested when it was discovered that he had broken into his “rich brother’s” house, stolen some credit cards, and had actually gone to a bank with those cards, claiming to be his “rich brother”… i never actually confirmed any of this, but reading through the tale of master foo reminded me of my experience with regan fraser…

Master Foo and the Script Kiddie

Master Foo and the Script Kiddie

A stranger from the land of Woot came to Master Foo as he was eating the morning meal with his students.

“I hear y00 are very l33t,” he said. “Pl33z teach m3 all y00 know.”

Master Foo’s students looked at each other, confused by the stranger’s barbarous language. Master Foo just smiled and replied: “You wish to learn the Way of Unix?”

“I want to b3 a wizard hax0r,” the stranger replied, “and 0wn ever3one’s b0xen.”

“I do not teach that Way,” replied Master Foo.

The stranger grew agitated. “D00d, y00 r nothing but a p0ser,” he said. “If y00 n00 anything, y00 wud t33ch m3.”

“There is a path,” said Master Foo, “that might bring you to wisdom.” The master scribbled an IP address on a piece of paper. “Cracking this box should pose you little difficulty, as its guardians are incompetent. Return and tell me what you find.”

The stranger bowed and left. Master Foo finished his meal.

Days passed, then months. The stranger was forgotten.

Years later, the stranger from the land of Woot returned.

“Damn you!” he said, “I cracked that box, and it was easy like you said. But I got busted by the FBI and thrown in jail.”

“Good,” said Master Foo. “You are ready for the next lesson.” He scribbled an IP address on another piece of paper and handed it to the stranger.

“Are you crazy?” the stranger yelled. “After what I’ve been through, I’m never going to break into a computer again!”

Master Foo smiled. “Here,” he said, “is the beginning of wisdom.”

On hearing this, the stranger was enlightened.

gah… 8/

before i can do the window trim, i’ve got to re-do the gutters, which no longer have the option of having a downspout in the middle, now that there’s a deck there…

moe also wants to put trim around the windows that currently don’t have trim.

if it’s not one thing, it’s another… 😐

hey, bono… i’ve found what you’re looking for…

AUTOMATIC SONGS-OF-INNOCENCE REMOVAL TOOL — Apple finally sees the point of millions of disgruntled people like me. hopefully they’ll learn something from it, although i’m not going to hold my breath… 😐

also, Apple puts up support page to get U2 album out of your iTunes — Too many people don’t want U2 anywhere near their libraries



#b07af0 Color Information

In a RGB color space, hex #b07af0 is composed of 69% red, 47.8% green and 94.1% blue. Whereas in a CMYK color space, it is composed of 26.7% cyan, 49.2% magenta, 0% yellow and 5.9% black. It has a hue angle of 267.5 degrees, a saturation of 79.7% and a lightness of 71%. #b07af0 color hex could be obtained by blending #fff4ff with #6100e1. Closest websafe color is: #9966ff.

#b07af0 color description : Soft violet.

The hexadecimal color #b07af0 has RGB values of R:176, G:122, B:240 and CMYK values of C:0.27, M:0.49, Y:0, K:0.06. Its decimal value is 11565808.

Hex triplet b07af0 #b07af0
RGB Decimal 176, 122, 240 rgb(176,122,240)
RGB Percent 69, 47.8, 94.1 rgb(69%,47.8%,94.1%)
CMYK 27, 49, 0, 6
HSL 267.5°, 79.7, 71 hsl(267.5,79.7%,71%)
HSV (or HSB) 267.5°, 49.2, 94.1
Web Safe 9966ff #9966ff
CIE-LAB 61.169, 43.903, -51.809
XYZ 40.59, 29.441, 85.978
xyY 0.26, 0.189, 29.441
CIE-LCH 61.169, 67.909, 310.278
CIE-LUV 61.169, 17.116, -87.74
Hunter-Lab 54.259, 38.576, -55.967
Binary 10110000, 01111010, 11110000

and yet the people at home depot look at me as though i had a huge horn growing out of my forehead when i ask them to recreate this colour with exterior house paint… strange… 😐


Mighty Aphrodite… interesting…

The U in U2 stands for “Unwanted”!!


the U stands for "Unwanted"

Not pro Bono: Apple’s audio junk mail made spammers’ lives easier

Apple: take this fucking U2 album off my iPhone, NOW. I do not want it, I did not ask for it, it takes up space, it’s my device. Go to hell.

Just say BO-NO: Mark Hosler of Negativland on Apple’s ‘U2rusion’

Got iTunes? You got a U2 album. Here’s how to delete it.

unfortunately, it’s not how to delete it. because of the fact that it’s “in the cloud”, it doesn’t necessarily take up space on my device, but i can’t immediately delete it using any of the methods recommended — using iTunes on my computer doesn’t even show that i have a U2 album, so re-synching my device doesn’t do anything, and there’s nothing to un-check, and you can only delete something once you have downloaded it from the cloud…

i don’t use twitter, but i am outraged, and i reflect that guy’s twitter: Apple: take this fucking U2 album off my iPhone, NOW. I do not want it, I did not ask for it, it takes up space, it’s my device. Go to hell. 😡


in honour of the eleventh of september…

DON’T SAY THE PLEDGE! — "Under God" compromises the patriotic message of the Pledge

"Under God" wasn’t part of the original Pledge of Allegiance. Those two words were added to the Pledge in 1954, when the country was in the grip of McCarthyism and communist witch-hunt hysteria.

Before 1954, the Pledge affirmed that we were “one nation indivisible, with liberty and justice for all.” Indivisible means we can rise above our differences, religious or otherwise. Liberty means the right to act and speak freely no matter what one’s faith or philosophy may be. And Justice, of course, means equal rights for all, regardless of whether or not we believe in a deity. The Knights of Columbus — a Catholic men’s group — led the lobbying effort to add “under God.” Now the Pledge is twisted, with divisive religious language that implies true patriots must be believers.

With “under God” added, the Pledge is not a statement of patriotism. Instead, extremist preachers and politicians point to the language to validate their view that those who don’t believe in God don’t belong.

Religious or not, don’t say this altered Pledge
Until the Pledge is restored to its inclusive version, we can take it upon ourselves to refuse to participate in what’s become a discriminatory exercise. (Note: A Supreme Court case — West Virginia vs. Barnette — gives public school students the absolute right to sit out the Pledge, for any reason. Public schools might not tell you about this right, but if anyone questions you about sitting out the Pledge, contact the AHA’s Legal Center.)

Whether you are religious or not, you can make a statement for true inclusiveness. Support liberty and justice for all, and support indivisibility. Stand up for America by sitting down during the Pledge of Allegiance until the inclusive version is restored.


ॐ ༀ ૐ ੴ

the typewriter has been left in the capable hands of the guy who is either going to fix it and give it back to me, or take it and sell me another one at a discount… and, honestly, i hope he wants to take it and sell me another one at a discount, because he’s got an underwood manual typewriter that doesn’t require electricity, and that’s what i really want… if there’s no electricity, an electric typewriter is an expensive door stop, but a manual typewriter works anyway… 👿

glow-in-the-daylight house
almost finished, and it glows in the daylight as well…
140909 milestone 666666
666666 outside of bellevue, appropriately enough…

ॐ AUM ༀ OM

i manifested a typewriter that is mostly functional, but it doesn’t like to print on the envelopes, because of the ribbon, so i’m taking it to a guy, tomorrow, who thinks he may be able to get a fabric ribbon which will print on envelopes…

i’m surprised at how many people i have been meeting who seem to understand and/or relate with what i am doing, who have entirely mundane occupations… like the typewriter repair guy, or the artist who rendered my pixel graphic as vectors… i wouldn’t expect then to be anywhere close to understanding, and they not only understand, but are able to make suggestions as to how i can do things in a way that i hadn’t thought of immediately…

and the typewriter i manifested makes me chortle with evil glee… it’s a IBM correcting selectric II, the kind on which i learned to type, and i even have a “ball” for it, that is prestige pica 72… 👿