SoylentNews is people

Call for Security Experts: Auditing Slashcode ...

Posted by NCommander on Wednesday March 19 2014, @06:49PM (#204)
7 Comments
Soylent

We've recently had a credible threat made against the site w.r.t. a security exploit on slash. While details are somewhat vague, what little information was posted, combined with my knowledge of slash and reviewing old security posts on slashcode.com, suggests we're looking at a potential SQL injection technique.

While slash does considerable data sanitization, and escapes information coming in (so you can't just "; drop table users;"), there are values that require special sanitization on top of the normal. This has been the source of other XSS and SQL exploits against Slash historically (look at the articles on the main index).

I took a brief look at Environment.pm (where the supposed exploit is supposed to live) and said sanitization, and didn't see anything that immediately jumped out at me, but it is a *lot* of code to look through. A grep through the access logs suggests that no one has tried to execute raw SQL on the site, but it's impossible to know for sure.

If you or someone you know is interested in trying to help secure SoylentNews, grab the dev VM, the current git tree, and get auditing. If we're informed of any security exploits (which should be sent by mail, and not posted in the comments), we will patch it here, and inform all other slashcode sites that we are aware of about the exploit before releasing information about it publicly on the main index.

Do note that IP addresses and passwords are hashed in the database (although only with MD5; upgrading to stronger hashing is on the TODO list), so an information leak, while bad, is not catastrophic. We do take regular snapshots of the database and of the machines themselves as well, and we'll make sure to post immediately if we become aware of any specific exploit against the site.
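
The situation NCommander describes, a value that is escaped but still not safe, as an added example that is not Slash code. Slash itself is Perl on MySQL; this uses Python's standard sqlite3 module against an in-memory database constructed here, because the three contexts (quoted string, bare number, identifier such as an ORDER BY column) behave the same way in both. The table, its rows and the `blind_probe` helper are assumptions made for the demonstration.

```python
# Added example, not Slash code: the same escaping-versus-context problem the post
# describes, shown against an in-memory SQLite database constructed here. Slash is
# Perl on MySQL; the contexts (quoted string, bare number, identifier) are the same.
import sqlite3

def make_db():
    """Constructed sample data: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, nickname TEXT, pwhash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin');
        INSERT INTO users VALUES (2, 'alice', 'hash-of-alice');
    """)
    return conn

def sql_quote(value):
    """A generic string sanitizer: double embedded quotes and wrap in quotes.
    Sufficient for SQLite string literals; MySQL also needs backslashes handled,
    which is why its own quoting routine should be used there."""
    return "'" + str(value).replace("'", "''") + "'"

def lookup_by_nick_escaped(conn, nick):
    """Quoted-string context: escaping is enough here, the payload stays a literal."""
    sql = "SELECT uid FROM users WHERE nickname = " + sql_quote(nick)
    return conn.execute(sql).fetchall()

def lookup_by_uid_unsafe(conn, uid):
    """Numeric context: the value is interpolated bare, so quote-doubling is
    irrelevant and any expression the attacker supplies becomes part of the query."""
    escaped = str(uid).replace("'", "''")
    return conn.execute("SELECT nickname FROM users WHERE uid = " + escaped).fetchall()

def sort_users_unsafe(conn, order_col):
    """Identifier context: a column name cannot be quoted as a string, so code tends
    to splice it in raw. Any SQL expression is accepted after ORDER BY."""
    return conn.execute("SELECT nickname FROM users ORDER BY " + order_col).fetchall()

def blind_probe(conn, prefix):
    """What an ORDER BY injection buys an attacker: a yes/no oracle on data the
    query never returns. True when admin's stored hash starts with `prefix`."""
    payload = ("CASE WHEN (SELECT pwhash FROM users WHERE uid = 1) LIKE "
               + sql_quote(prefix + "%") + " THEN uid ELSE -uid END")
    rows = sort_users_unsafe(conn, payload)
    return rows[0][0] == "admin"   # ascending uid puts admin first; -uid puts alice first

def lookup_by_uid_safe(conn, uid):
    """Fix for numeric context: enforce the type, then bind as a parameter."""
    uid = int(uid)                 # raises ValueError on '0 OR 1=1'
    return conn.execute("SELECT nickname FROM users WHERE uid = ?", (uid,)).fetchall()

ALLOWED_ORDER = {"uid", "nickname"}

def sort_users_safe(conn, order_col):
    """Fix for identifier context: placeholders cannot bind a column name, so the
    only option is an allow-list of known identifiers."""
    if order_col not in ALLOWED_ORDER:
        raise ValueError("unknown sort column: %r" % order_col)
    return conn.execute("SELECT nickname FROM users ORDER BY " + order_col).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_by_nick_escaped(db, "' OR 1=1 --"))          # [] : escaping held
    print(lookup_by_uid_unsafe(db, "0 OR 1=1"))                # both rows : escaping ignored
    print(blind_probe(db, "hash-of-a"), blind_probe(db, "x"))  # True False
```

The point of `blind_probe` is that an ORDER BY injection needs no error message and returns no extra rows; the sort order alone is a one-bit oracle, which is enough to pull a stored hash out a character at a time. It is also why the safe version cannot use a bind parameter (identifiers cannot be bound) and has to fall back to an allow-list, which is the "special sanitization on top of the normal" the post refers to.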

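One qualification a practitioner would add to the last paragraph, as an added example that is not part of the post: unsalted MD5 of an IPv4 address is little protection, because the input space is only 2^32 and can be enumerated offline, and unsalted MD5 of a password falls to a shared dictionary. The code below, in Python with only the standard library, recovers an address from its MD5 within a constructed /24, cracks a constructed password hash against a tiny wordlist, then shows the two replacements: an HMAC under a server-side key for IP pseudonyms and PBKDF2 with a per-user salt for passwords. The addresses, key and passwords are constructed for the demonstration.

```python
# Added note, not part of the post: MD5 of an IPv4 address is reversible by
# enumerating the address space (2^32 MD5s, minutes on one core in C, hours in
# Python), and MD5 of a password is reversible by dictionary. The fix is a keyed
# hash for identifiers and a salted, slow hash for passwords. All values here are
# constructed for the demonstration.
import hashlib
import hmac
import ipaddress
import os

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def recover_ip(target_hex, cidr):
    """Brute-force an unsalted MD5 of an IPv4 address within `cidr`. A full
    scan would use '0.0.0.0/0'; a /24 is enough to show the idea."""
    for ip in ipaddress.ip_network(cidr):
        if md5_hex(str(ip)) == target_hex:
            return str(ip)
    return None

def dictionary_crack(target_hex, wordlist):
    """Unsalted MD5 of a password: one hash per candidate, and the work is
    shared across every user with the same password."""
    for word in wordlist:
        if md5_hex(word) == target_hex:
            return word
    return None

def keyed_ip_token(ip, key):
    """HMAC-SHA256 under a server-side secret: same per-IP pseudonymity for
    abuse tracking, but enumeration is useless without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()

def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, digest, iterations=100_000):
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    leaked = md5_hex("192.0.2.77")                 # what an unsalted IP column leaks
    print(recover_ip(leaked, "192.0.2.0/24"))     # 192.0.2.77
    print(dictionary_crack(md5_hex("password1"), ["letmein", "password1"]))
    key = os.urandom(32)
    print(keyed_ip_token("192.0.2.77", key) != keyed_ip_token("192.0.2.78", key))
    salt, digest = hash_password("correct horse")
    print(verify_password("correct horse", salt, digest),
          verify_password("wrong", salt, digest))
```

The keyed token still lets the site count or ban by address; what it removes is the offline lookup, since without the key there is nothing to enumerate against. The salt on the password side does the same for dictionaries, and the iteration count makes each guess cost something.
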
Aya. the death row wonder...

Posted by gishzida on Wednesday March 19 2014, @07:47AM (#202)
0 Comments
OS

The server apparently was only infected with an admin that didn't RTFA correctly... but it still needs a reinstall... it's too bad that they can't do the same to humans... [do an OS reinstall... maybe someday]

My home webserver is on death row.

Posted by gishzida on Wednesday March 19 2014, @04:17AM (#200)
2 Comments
Security

I had an old SuSE 9.2 system I brought on-line some time in 2005 [running on an old Compaq D510 desktop with a 1.5 GHz Pentium 4 and 2 GB of memory]. I used it as an internet-facing home web server [dynamic DNS]. It had maybe 5 or 6 small web sites for various projects I've done. Nothing critical. Some of my old music mp3s, some of my writings, the former XOOP shell of a writers' forum for me and some of my USENET friends...

I say "had" because I ran the system check as stated in the Ars Tech article on the "infected Linux hosts" and it seems my little home host, Aya, is infected. I shut it down. This was the third incarnation of the system [the first two were zapped by thunderstorm power surges; amazingly the hard drive survived and I just put it in another system]... Took a lickin' and kept on tickin'...

Not sure how it got infected [I never used it for anything except to serve web pages], probably a worm of some kind, but I guess it was overdue for a re-build.

I've changed its IP config to a bogus default gateway so it can't phone home, then shut it down. Tomorrow I'll clean off the usable files. Once I've done that I'll yank the drive, put another one in [got a lot of retro computing stuff here], then probably install a more up-to-date distro... Maybe Debian or Mint, something that will run a lightweight GUI or some such, and then slot it back into place. I've been using Xubuntu on one of my netbooks... and also have Xubuntu running in VirtualBox on my old Dell T7500, but I'm not too sure about running it on a home server... the last I looked you had to spend a god-awful amount of time after you get Ubuntu running to install all of the server services. Never had that problem with SuSE or RedHat [the last time I installed RH, it was a RH 7.2 server in 2001, before RHEL]...

OS or other suggestions? This is a no budget server project.

Of course for all we know this might be an NSA put up job...

Mars, Ho! Chapter Fifteen

Posted by mcgrew on Tuesday March 18 2014, @02:29PM (#199)
4 Comments
Science

Chapter One
Previously...

Cargo
        I started the long walk back to the pilot room wishing again for a bicycle or something.
        A robot wheeled past. Hell, I should just flag down a robot. But, of course there was a reason for not having transportation; I remembered the climb up the boat when the whores locked me out and how tiring it was. A body needs exercise and the most I was going to get on a boat with two-thirds gravity was walking.
        Destiny and Tammy were in the commons with a few other women; I say "women" because these were acting halfway civilized, despite their lack of clothing.
        "Done already?" Destiny asked.
        "No," I sighed. "Trouble. One of the generators blew out and we're off course again. I just saw you and thought I'd say 'hi', I can't stay. Too much damned work."
        "What do you have to do? How long will it take?"
        "I don't know. When I get us back on course I have to see what the robots are doing with the generator."
        "How bad is it?" Tammy asked. "How many generators are there?"
        "Only two. I wish this was an old tub, they originally had just one fission generator and got retrofitted with fusions. If our other generator dies it's batteries."
        "What then?"
        "We're late. But there isn't much chance of losing both generators. We'll be okay. But speaking of generators, I gotta go." I kissed Destiny and headed to the generator.
        It had cooled enough for the robots to go in to work, but was a bulkhead removed from where a human could tolerate it. I had two more engines I hadn't checked off so I inspected them. Of course, if there was anything wrong I'd have been clueless.
        The repair robots said the generator was shot.
        Shit.
        I walked past the commons to my quarters, Destiny and Tammy weren't in there although there were a few unclothed whores. Damn, ladies, put some pants on!
        Destiny and Tammy were in my living room drinking coffee. As I walked in, Destiny said "John, you're damned lucky Tammy's here."
        As I'd suspected. "You're supplying the drops," I said, sitting down.
        "Yeah."
        "The whores would have killed us without them."
        "Yeah."
        "How much you got?"
        "Plenty."
        "Enough to get to Mars?"
        "Don't worry. I know my chemistry, I know how much they need."
        I said, "Don't give any to the bitches in confinement."
        "You don't know what you're talking about. With drops they're harmless. Take them away, and well, it isn't pretty."
        I was confused. "What can they do locked up?"
        "They're liable to suicide."
        Crap. Losing cargo is a pretty bad thing.
        "Crap! Damn but I'm glad you're here. I'm going to suggest to the company that they send someone like you on all these runs."
        She laughed. "The company wouldn't want to spend the money necessary. The bean counters know how much loss is acceptable."
        Destiny said "I made coffee."
        "Thanks, but after the day I've had I want a beer."
        "I'm still trying to wake up," she said.
        "Yeah, you napped for a couple of hours after you went for a stroll outside. I would have thought the oxygen would have woke you up."
        "Actually it put me to sleep."
        Where the hell was that robot with my beer? "Robot! Beer, damn it, are you deaf?" A robot rolled over with my beer. I'm glad this boat has the older robots. The newer ones talk, and it's annoying as hell. If I want output from the computer I'll use my fone or tablet.
        Tammy said she had whores to study and excused herself. The robots made dinner and we watched some really dumb old movie from a couple hundred years ago, laughing all the way through it although they say when it was made, it was meant to be serious.
        Then we went to bed. I hoped tomorrow would be less stressful. My muscles all ached from the walking and climbing, I was going to be in pain the next day.

Continues. I need to think of some other trouble that Knolls can get into. Suggestions?

Sometimes it is fun....

Posted by cmn32480 on Friday March 14 2014, @03:35AM (#190)
5 Comments
/dev/random

to feed the trolls!

Occasionally, I enjoy the hell out of it.

TPD Update

Posted by mcgrew on Thursday March 13 2014, @05:12PM (#188)
0 Comments
News

I was busy yesterday. I wrote a Mars, Ho! chapter and posted it, and spent the rest of the day on drudgery. Specifically, getting The Paxil Diaries in print. I finally finished this morning and ordered a copy.

I don't like the price a bit. The list price is $38; if Amazon or someone sells it to you I get $2.50. If you guys want a copy it's $28.50. I need a cheaper printer. It is a fat book, though, weighing in at 347 pages. It's twice as long as Nobots.

I mentioned before that rather than waiting until stuff turns green in town I'd found a painting I'd done as a kid that fits it perfectly. I recently remembered that there's an Escherism in it.

I'll link to the URL with the cheaper but way too high priced version after my copy arrives and I check it out to make sure I didn't screw anything up.

Now I have to finish converting it to HTML because hey, you guys don't need to spend thirty bucks. It's just there if you want something for your shelf.

KJV Markov not as fun as Dissociate

Posted by gishzida on Wednesday March 12 2014, @07:03PM (#182)
0 Comments
Code

I tried out the Markov python script today as used in King James Programming.

It's not quite as fun or as easy to use as the Dissociate Perl module... does not seem to have built-in pipes for routing to an output file... It also tends to break or get repetitive real quick... i.e. don't expect the run to be more than 400 characters.

I guess I'll take a closer look and see if I can break it to do other things.
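
As an added example, not the Markov script from the post or from King James Programming: a word-level Markov generator in Python that deals with the two things the post complains about. A dead end (a state that was never followed by anything in the corpus) and a short cycle both trigger a restart from a random state instead of stopping or repeating, and the output goes to stdout so it can be redirected or piped to a file. The sample corpus is constructed here; the chain order and the visit limit are assumptions.

```python
# Added example, not the script from the post: a word-level Markov text generator
# that handles the two failure modes mentioned, dead ends (a state never followed
# by anything) and loops (the same few states repeating), and writes to stdout so
# its output can be piped to a file.
import random
import sys
from collections import defaultdict

# Constructed sample corpus; any text file on stdin works in its place.
SAMPLE = """the function returns the list and the list holds the values
the values are checked before the function returns and the list is freed
behold the list for it is long and the function is slow and the values are many"""

def build_chain(text, order=2):
    """Map each `order`-word prefix to the words that followed it in the text."""
    words = text.split()
    chain = defaultdict(list)
    for i in range(len(words) - order):
        chain[tuple(words[i:i + order])].append(words[i + order])
    return dict(chain)

def generate(chain, max_words=60, seed=None, max_visits=3):
    """Walk the chain for `max_words` words. On a dead end, or once a state has
    been emitted `max_visits` times (the loop the post describes), jump to a
    fresh random state instead of stopping or cycling."""
    if not chain:
        return ""
    rng = random.Random(seed)
    keys = list(chain)
    state = rng.choice(keys)
    out = list(state)
    visits = defaultdict(int)
    while len(out) < max_words:
        followers = chain.get(state)
        if not followers or visits[state] >= max_visits:
            state = rng.choice(keys)   # restart: breaks both dead ends and cycles
            out.extend(state)
            continue
        visits[state] += 1
        word = rng.choice(followers)
        out.append(word)
        state = state[1:] + (word,)
    return " ".join(out[:max_words])

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.stdout.write(generate(build_chain(text), max_words=80) + "\n")
```

Run it as `python3 markov.py < corpus.txt > out.txt`; the restart is what keeps a run going past the 400 characters the post mentions, at the cost of a visible seam wherever the walk jumped.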

Mars, Ho! Chapter Fourteen

Posted by mcgrew on Wednesday March 12 2014, @04:50PM (#181)
2 Comments
Science

Chapter One
Previously...

Fusion
      As I was floating back to the pilot room, Tammy was waiting outside her quarters, hanging from the doorway with one hand. "Is Destiny OK?" she said with a worried tone.
      "She will be," I said. "A little anoxia." They'd warned us about anoxia in Captain's training and I'd seen it before. "She's in the infirmary getting oxygen. You can see her if you want but she was still unconscious when the robot took her."
      "Thanks. I would have thought you'd have stayed with her."
      "God knows I'd like nothing better, but I have to make sure we get to Mars alive. We're off course and I have to inspect the ship to make sure it isn't about to blow up or anything. Look, I gotta go," I said as I continued to the pilot room.
      We were even farther off course than I'd feared. Now it was a matter of juggling speed and fuel usage to the company's specifications.
      Back in the old days, way before my time, these boats weren't so automated. Crews were human rather than robot, and the Captain had to calculate all this stuff by hand, with their primitive computers helping.
      Captains had to go to college back then, and some of the crew, too. The Captain had to figure out all that shit almost by hand; he needed to know calculus. Hell, I ain't even took algebra even though I could have in high school.
      I made the adjustments the computer read out, and we had gravity again and were going the right way. I didn't look at what gravity was, and it was hard to tell since we'd been so heavy before weightlessness.
      The empty crew's quarters were first, then cargo pens. I wondered why they call them that.
      "Who is it?" a voice said at my knock. Presumably Kathy, which was the name on the doorplate.
      "Captain Knolls. Ship inspection, you girls should be used to this by now."
      "Yeah? You should be used to us telling you to fuck off, too."
      "Door, open. I can lock you up any time I want, you know. I don't even need no excuse."
      "I ain't got no drops, bitch."
      I suddenly realized why they called them "pens". They were designed to house any species of animal, and a word Destiny had teased me for using came to mind.
      Feral. From what I'd read of Tammy's book, some of these whores were more animal than human, especially when they didn't get their drops. It had driven Billie wild enough that she'd wound up blowing her quarters up, with her in it.
      I sighed. "I hope you're lying. From what I found out I'm better off when you have them."
      "Well, cough 'em up, Joe!"
      I laughed, and replied "I ain't got no drops, bitch!"
      I did wonder why they hadn't run out. Where were they getting them? They shouldn't have been able to get them onto the boat in the first place.
      Billie's quarters were next. She, along with some fifty odd fellow cargo were confined for the duration. Of course, I just opened the door and entered, taser in hand. This would have been a "brig" back when Captains had diplomas.
      The robots had done a good job, but they always did. Except for making coffee. They suck at that. But you couldn't tell that she'd almost burned to death. Well, except that her hair was really short and frizzly.
      "Inspection."
      "I ain't got no drops, bitch."
      "Whatever," I sighed, and inspected the quarters. It was obvious she was lying, her eyes gave her away. I wondered again where the drops were coming from.
      After hearing "I ain't got no drops, bitch" so many times I didn't even hear it any more I went to inspect the infirmary, the one part of the inspection I looked forward to. I wanted to see how Destiny was.
      Tammy was sitting there talking with her. "John!" Destiny said. "Tammy told me you saved my life."
      I blushed, and grinned sheepishly. "It's my job."
      Tammy laughed. "Bullshit, any other 'cargo' wouldn't have made it. Destiny almost died, and she would have if you weren't moving so frantically. God but you're fast!"
      Destiny pulled me close and kissed me. "Thanks, Johnnie," she whispered, then said in a normal voice "go ahead and finish your inspection, I should be able to go home in half an hour. I'll meet you there."
      I walked back to the starboard generator and wondered why in the hell I had to do this. I mean, I don't know anything about a fusion generator. There was a stairway to get there, as the generators and engines were on the "bottom" of the boat. It was the "bottom" because the ion engines pushing against the ship pushed everything else the other way. Something about "three laws of thermoses" or something but I think I was hung over that morning's training and don't really remember. Something about actions and opposite reactions or something.
      I went over the checklist and checked the first engine. These things were huge and there were a lot of them. A hell of a lot of electricity went through those things.
      I had two more engines to go when an alarm went off. "Damned whores, not now!" I thought.
      But it wasn't the whores, it was the port generator and I couldn't get in; the computer said it was an inferno in there. Hell, that damned thing should have shut down automatically. I pulled the breaker and there was a sort of thump. Damn. Another trip to the pilot room, we were going to be off course again.
      It would have to cool before the robots could start repairing it, if it was repairable at all. Damn, if the other generator went out...
      I called Destiny. "Honey, I'm really sorry but this is going to take a while."

Continues.

I'm on a roll this morning. Besides this chapter I've started on a foreword; as I write this thing new ideas pop into my head and the foreword will be sort of a teaser you'll think of when you see the surprise at the end (hey, I have to give some sort of clue).

Someone said my web site was ugly so I added a <style> tag and filled out the <body> tag. Happy now?

Yesterday was beautiful and all I did was get a haircut, take Leila to lunch and spend the afternoon in Felbers' beer garden. Spring fever?

Now it's snowing. I'm staying inside today.

What makes a good story?

Posted by GungnirSniper on Tuesday March 11 2014, @11:24PM (#178)
6 Comments
Soylent

Our community of Slashdot 'audience' exiles is thriving, but we still need more quality submissions.

There are some general things I try to do when submitting that may be helpful to others:
  • Be neutral and factual in both Subject and Summary. You can wait until the article is posted, or if you must, include your opinion at the end of the Summary.
  • Provide OC - original content. Don't just copy/paste other people's work.
  • Avoid paywalled articles if possible. This is also true for sites that show an advertisement before loading the article.
  • Use primary sources if possible. If a statement is made to NBC News, link to NBC News, not another site that is quoting NBC News.
  • Use at least two source links if possible. This gives readers options and helps insulate against other sites' outages or page removals.
  • For controversial issues, use source links from sites with opposing biases. If a wolf says he wants sheep for dinner, don't ask another wolf if that's a good idea, ask a sheep.
  • If there is a study or deeper link listed in one of the articles you are linking to, you should also include that direct link. Some news sites link to study abstracts, and they are primary source material.
  • If the new articles you are linking to reference old articles, you may link those as well to provide background or quotes.
  • Explain acronyms for most things. The first time you name something, spell it out. Then on subsequent uses, use the acronym. With our goal of being a global site, things like the US FAA or British OfCom may not be obvious to those outside those countries.
  • Wikipedia links are a good source of background info and statistics.
  • Check your links are timely. Nothing is worse than warning about something Snopes disproved 5 years ago.
  • When quoting a sentence or less, use quotes. When using more than a sentence, use blockquotes, as this makes the text stand out more.
  • Double-check your story in preview prior to submission, including opening all links. The less an editor has to edit, the more likely your submission is to be approved.

There are also some things to avoid:

  • Don't grumble about rejection of your submission. As the site grows, more people will submit the same story. I've also heard there is a 'reason for rejection' system in the works.
  • Avoid unauthorized copying. Don't copy/pasta from Slashdot, that's setting up your editor for failure. Or a mocking on IRC.
  • Avoid links to non-English sources unless you provide a Google Translate link along with the direct, native link.

Is a "Certain Recruiter" violating our privacy?

Posted by gishzida on Tuesday March 11 2014, @08:35PM (#177)
5 Comments
Slash

Earlier today I had a phone call on my cell phone from someone who apparently was a head hunter. She kicked off the conversation with "I noticed that you were on our web site earlier today and I think I may have something just for you...."

I said, "What?"

She started again.

Again I said "What? I didn't go to any web site..."

Before I could get any further information she hung up.

Now the interesting thing here is that the *only* "job site" I looked at was an ad on SourceForge... I'm sure you can guess who provides job ads on SourceForge.

A look-up of the phone number reveals it to be a "local number" used by a CLEC.

What is creepy about this is I've never used the services of *that* company...

Has anybody else out there received a call like this?