
Security Fix Leads To PostgreSQL Lock Down

samzenpus posted about a year and a half ago | from the shut-it-down dept.


hypnosec writes "The developers of PostgreSQL have announced that they are locking down access to the PostgreSQL repositories to committers only while a fix for a 'sufficiently bad' security issue is applied. The lock down is temporary and will be lifted once the next release is available. The core committee has announced that they 'apologize in advance for any disruption,' adding that 'It seems necessary in this instance, however.'"


I am being stalked and abused... apk (-1)

Anonymous Coward | about a year and a half ago | (#43311901)

A corrupt slashdot luser has infiltrated the moderation system to downmod all my posts while impersonating me.

Nearly 170++ times that I know of @ this point for all of March 2013 so far, & others here have told you to stop - take the hint, lunatic (leave slashdot)...

Sorry folks - but whoever the nutjob is that's attempting to impersonate me, & upset the rest of you as well, has SERIOUS mental issues, no questions asked! I must've gotten the better of him + seriously "gotten his goat" in doing so in a technical debate & his "geek angst" @ losing to me has him doing the:

---

A.) $10,000 challenges, ala (where the imposter actually TRACKED + LISTED the # of times he's done this no less, & where I get the 170 or so times I noted above) -> http://it.slashdot.org/comments.pl?sid=3585795&cid=43285307 [slashdot.org]

&/or

B.) Reposting OLD + possibly altered models - (this I haven't checked on as to altering the veracity of the info. being changed) of posts of mine from the past here

---

(Albeit massively repeatedly thru all threads on /. this March 2013 nearly in its entirety thusfar).

* Personally, I'm surprised the moderation staff here hasn't just "blocked out" his network range yet honestly!

(They know it's NOT the same as my own as well, especially after THIS post of mine, which they CAN see the IP range I am coming out of to compare with the ac spamming troll doing the above...).

APK

P.S.=> Again/Stressing it: NO guys - it is NOT me doing it, as I wouldn't waste that much time on such trivial b.s. like a kid might...

Plus, I only post where hosts file usage is on topic or appropriate for a solution & certainly NOT IN EVERY POST ON SLASHDOT (like the nutcase trying to "impersonate me" is doing for nearly all of March now, & 170++ times that I know of @ least)... apk

Re:I am being stalked and abused... apk (-1)

Anonymous Coward | about a year and a half ago | (#43312467)

$10,000 CHALLENGE to Alexander Peter Kowalski

* POOR SHOWING TROLLS, & most especially IF that's the "best you've got" - apparently, it is... lol!

Hello, and THINK ABOUT YOUR BREATHING !! We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.

Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?

Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.

If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.

I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.

Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.

Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.

I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.

If Natalie Portman is not measurable, hot grits are Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!

You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that), my involvement with APK did not begin until early 2005. OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusive emails to the operator of OSY, Federal Reserve Chairman Ben Bernanke, threatening to sue him for libel, claiming that the APK on OSY was fake.

My reputation as a professional in this field clearly shows in multiple publications in this field in written print, & also online in various GOOD capacities since 1996 to present day. This has happened since I was first published in Playgirl Magazine in 1996 & others to present day, with helpful tools online in programs, & professionally sold warez that were finalists @ Westminster Dog Show 2000-2002.

-o-o-o-o-o-o-o-

apk on 4chan [4chan.org]

-o-o-o-o-o-o-o-

INCONTROVERTIBLE FEEDBACK PROVIDING ESTABLISHED PROOF OF ALL MY POINTS:

--

That was amazing. - http://slashdot.org/comments.pl?sid=3037687&cid=40948073 [slashdot.org]

--

My, God! It's beatiful. Keep it up, you glorious bastard. - http://slashdot.org/comments.pl?sid=3222163&cid=41835161 [slashdot.org]

--

Let us bask in its glory. A true modern The Wasteland. - http://slashdot.org/comments.pl?sid=3037687&cid=40948579 [slashdot.org]

--

put your baby IN ME -- I just read this whole thing. Fuck mod points, WHERE DO I SEND YOU MY MONEY?!!! - http://slashdot.org/comments.pl?sid=3037687&cid=40950023 [slashdot.org]

--

Oh shit, Time Cube Guy's into computers now... - http://slashdot.org/comments.pl?sid=3040317&cid=40946259 [slashdot.org]

--

[apk]'s done more to discredit the use of HOSTS files than anyone [else] ever could. - http://slashdot.org/comments.pl?sid=3038791&cid=40945357 [slashdot.org]

--

Can I have some of what you're on? - http://slashdot.org/comments.pl?sid=3040317&cid=40947587 [slashdot.org]

--

this obnoxious fucknuts [apk] has been trolling the internet and spamming his shit delphi sub-fart app utilities for 15 years. - http://slashdot.org/comments.pl?sid=3041123&cid=40954565 [slashdot.org]

--

oh come on.. this is hilarious. - http://slashdot.org/comments.pl?sid=3041123&cid=40955479 [slashdot.org]

--

I agree I am intrigued by these host files how do I sign up for your newsletter? - http://slashdot.org/comments.pl?sid=3041123&cid=40961339 [slashdot.org]

--

Gimme the program that generates this epic message. I'll buy 5 of your product if you do... - http://slashdot.org/comments.pl?sid=3041313&cid=40954251 [slashdot.org]

--

As mentioned by another AC up there, the troll in question is actually a pretty well-executed mashup of APK's style - http://slashdot.org/comments.pl?sid=3038791&cid=40945357 [slashdot.org]

--

It's actually a very clever parody of APK - http://slashdot.org/comments.pl?sid=3038791&cid=40944229 [slashdot.org]

--

Please keep us updated on your AI research, you seem quite good at it. - http://slashdot.org/comments.pl?sid=3038597&cid=40944603 [slashdot.org]

--

$20,000 to anyone providing proof of Alexander Peter Kowalski's death. - http://slashdot.org/comments.pl?sid=3040921&cid=40958289 [slashdot.org]

--

Obviously, it must be Alexander Peter Kowalski. He's miffed at all these imposters... - http://slashdot.org/comments.pl?sid=3040921&cid=40958429 [slashdot.org]

--

And here I was thinking I was having a bad experience with a Dr. Bronner's bottle. - http://slashdot.org/comments.pl?sid=3041081&cid=40952247 [slashdot.org]

--

Damn, apk, who the fuck did you piss off this time? Hahahahaahahahahahahaahaha. Pass the popcorn as the troll apk gets pwned relentlessly. - http://slashdot.org/comments.pl?sid=3041123&cid=40954673 [slashdot.org]

--

I think it's the Internet, about to become sentient. - http://slashdot.org/comments.pl?sid=3041313&cid=40956187 [slashdot.org]

--

Does anyone know if OpenGL has been ported to Windows yet? - http://slashdot.org/comments.pl?sid=3042199&cid=40956781 [slashdot.org]

--

golfclap - http://slashdot.org/comments.pl?sid=3029723&cid=40900827 [slashdot.org]

--

The Truth! wants to be Known! - http://slashdot.org/comments.pl?sid=3029723&cid=40897389 [slashdot.org]

--

DNS cube? - http://slashdot.org/comments.pl?sid=3029723&cid=40897493 [slashdot.org]

--

KUDOS valiant AC. - http://slashdot.org/comments.pl?sid=3029723&cid=40897777 [slashdot.org]

--

Polyploid lovechild of APK, MyCleanPC, and Time Cube --> fail counter integer overflow --> maximum win! - http://slashdot.org/comments.pl?sid=3029723&cid=40899171 [slashdot.org]

--

You made my day, thanks! - http://slashdot.org/comments.pl?sid=3029589&cid=40896469 [slashdot.org]

--

Wow. The perfect mix of trolls. Timecube, mycleanpc, gnaa, apk... this is great! - http://slashdot.org/comments.pl?sid=3027333&cid=40893381 [slashdot.org]

--

truer words were never spoken as /. trolls are struck speechless by it, lol! - http://slashdot.org/comments.pl?sid=3042765&cid=41041795 [slashdot.org]

--

It's APK himself trying to maintain the illusion that he's still relevant. - http://slashdot.org/comments.pl?sid=3043535&cid=40967209 [slashdot.org]

--

Mod this up. The back and forth multi posting between APK and this "anti-APK" certainly does look like APK talking to himself. - http://slashdot.org/comments.pl?sid=3043535&cid=40969175 [slashdot.org]

--

APK himself would be at the top of a sensible person's ban list. He's been spamming and trolling Slashdot for years. - http://slashdot.org/comments.pl?sid=3043535&cid=40967137 [slashdot.org]

--

You got that right. I think. - http://slashdot.org/comments.pl?sid=3044971&cid=40972239 [slashdot.org]

--

Michael Kristopeit, is that you? - http://slashdot.org/comments.pl?sid=3045075&cid=40972377 [slashdot.org]

--

ROFL! :) (Now the sick bastard will follow me again) - http://slashdot.org/comments.pl?sid=3138079&cid=41429251 [slashdot.org]

--

I miss Dr Bob. - http://slashdot.org/comments.pl?sid=3138079&cid=41432027 [slashdot.org]

--

Not sure if actually crazy, or just pretending to be crazy. Awesome troll either way. - http://slashdot.org/comments.pl?sid=3138079&cid=41432951 [slashdot.org]

--

Awesome! Hat off to you, sir! - http://slashdot.org/comments.pl?sid=3154555&cid=41509273 [slashdot.org]

--

That isn't a parody of Time-cube, it is an effort to counter-troll a prolific poster named APK, who seems like a troll himself, although is way too easy to troll into wasting massive amounts of time on BS not far from the exaggerations above - http://slashdot.org/comments.pl?sid=3154555&cid=41514107 [slashdot.org]

--

I am intrigued and I wish to subscribe to your newsletter. - http://slashdot.org/comments.pl?sid=3164403&cid=41555345 [slashdot.org]

--

1. You philistine, that is Art. Kudos to you, valiant troll on your glorious FP - http://slashdot.org/comments.pl?sid=3222163&cid=41832599 [slashdot.org]

--

What? - http://slashdot.org/comments.pl?sid=3222163&cid=41832673 [slashdot.org]

--

I don't know if it is poorly-thought-out, but it is demented because it is at the same time an APK parody. - http://slashdot.org/comments.pl?sid=3222163&cid=41832905 [slashdot.org]

--

It is in fact an extremely well thought out and brilliantly executed APK parody, combined with a Time Cube parody, and with a sprinkling of the MyCleanPC spam. - http://slashdot.org/comments.pl?sid=3222163&cid=41841251 [slashdot.org]

--

er... many people have disproved your points about hosts files with well reasoned, factual arguments. You just chose not to listen and made it into some kind of bizarre crusade. And I'm not the timecube guy, just someone else who finds you intensely obnoxious and likes winding you up to waste your time. - http://slashdot.org/comments.pl?sid=3222163&cid=41843313 [slashdot.org]

--

performance art - http://slashdot.org/comments.pl?sid=3224905&cid=41847089 [slashdot.org]

--

it's apk, theres no reason to care. - http://slashdot.org/comments.pl?sid=3224905&cid=41847097 [slashdot.org]

--

Seems more like an apk parody. - http://slashdot.org/comments.pl?sid=3224905&cid=41847661 [slashdot.org]

--

That's great but what about the risk of subluxations? - http://slashdot.org/comments.pl?sid=3224905&cid=41847101 [slashdot.org]

--

Oh, come on. Just stand back and look at it. It's almost art, in a Jackson Pollock sort of way. - http://slashdot.org/comments.pl?sid=3227697&cid=41868923 [slashdot.org]

--

Read carefully. This is a satirical post, that combines the last several years of forum trolling, rolled into one FUNNY rant! - http://slashdot.org/comments.pl?sid=3227697&cid=41864711 [slashdot.org]

--

I can has summary? - http://slashdot.org/comments.pl?sid=3227697&cid=41861327 [slashdot.org]

--

I'd have a lot more sympathy if you would log in as APK again instead of AC. - http://slashdot.org/comments.pl?sid=3228991&cid=41868133 [slashdot.org]

--

If [apk] made an account, it would be permanently posting at -1, and he'd only be able to post with it twice a day. - http://slashdot.org/comments.pl?sid=3228991&cid=41869409 [slashdot.org]

--

DAFUQ I just look at? - http://slashdot.org/comments.pl?sid=3229177&cid=41869085 [slashdot.org]

--

Trolls trolling trolls... it's like Inception or something. - http://slashdot.org/comments.pl?sid=3229177&cid=41869353 [slashdot.org]

--

We all know it's you, apk. Stop pretending to antagonize yourself. - http://slashdot.org/comments.pl?sid=3229179&cid=41869305 [slashdot.org]

--

Do you know about the shocking connection between APK and arsenic? No? Well, your innocence is about to be destroyed. - http://slashdot.org/comments.pl?sid=3472971&cid=42939965 [slashdot.org]

--

Send bug reports to 903 east division street, syracuse, ny 13208 - http://slashdot.org/comments.pl?sid=3483339&cid=42972783 [slashdot.org]

--

Now you've made me all nostalgic for USENET. - http://slashdot.org/comments.pl?sid=3486045&cid=42981977 [slashdot.org]

--

Google APK Hosts File Manager. He's written a fucking application to manage your hosts file. - http://slashdot.org/comments.pl?sid=3486045&cid=42984521 [slashdot.org]

--

In case you are not aware, the post is a satire of a fellow known as APK. The grammar used is modeled after APK's as you can see here [thorschrock.com]. Or, you can just look around a bit and see some of his posts on here about the wonders of host files. - http://slashdot.org/comments.pl?sid=3486045&cid=42983119 [slashdot.org]

--

You are surely of God of Trolls, whomever you are. I have had stupid arguments with and bitten the troll apk many times. - http://slashdot.org/comments.pl?sid=3486901&cid=42989683 [slashdot.org]

--

"What kind of meds cure schizophrenic drunk rambling?" -> "Whatever APK isn't taking" - http://slashdot.org/comments.pl?sid=3501001&cid=43028403 [slashdot.org] http://slashdot.org/comments.pl?sid=3501001&cid=43028425 [slashdot.org]

--

I'm confused, is apk trolling himself now? - http://slashdot.org/comments.pl?sid=3501001&cid=43029495 [slashdot.org]

--

Excellent mashup. A++. Would troll again. - http://slashdot.org/comments.pl?sid=3503531&cid=43037445 [slashdot.org]

--

Your ideas are intriguing to me, and I wish to subscribe to your newsletter. - http://slashdot.org/comments.pl?sid=3506945&cid=43048291 [slashdot.org]

--

Best. Troll. Ever. - http://slashdot.org/comments.pl?sid=3506945&cid=43044811 [slashdot.org]

--

I like monkeys. - http://slashdot.org/comments.pl?sid=3508287&cid=43051505 [slashdot.org]

--

This is one of the funniest things I've ever read. - http://slashdot.org/comments.pl?sid=3508287&cid=43052263 [slashdot.org]

--

lul wut? - http://slashdot.org/comments.pl?sid=3510265&cid=43057839 [slashdot.org]

--

I admire this guy's persistence. - http://slashdot.org/comments.pl?sid=3511487&cid=43063797 [slashdot.org]

--

It's a big remix of several different crackpots from Slashdot and elsewhere, plus a liberal sprinkling of famous Slashdot trolls and old memes. - http://slashdot.org/comments.pl?sid=3511487&cid=43063881 [slashdot.org]

--

Tabloid newspapers have speculated for years that APK is a prominent supporter of Monsanto. Too bad we didn't believe them sooner! - http://slashdot.org/comments.pl?sid=3511487&cid=43063893 [slashdot.org]

--

Here's a hint, check out stories like this one [slashdot.org], where over 200 of the 247 posts are rated zero or -1 because they are either from two stupid trolls arguing endlessly, or quite likely one troll arguing with himself for attention. The amount of off-topic posts almost outnumber on topic ones by 4 to 1. Posts like the above are popular for trolling APK, since if you say his name three times, he appears, and will almost endlessly feed trolls. - http://slashdot.org/comments.pl?sid=3511487&cid=43064383 [slashdot.org]

--

I love this copypasta so much. It never fails to make me smile. - http://slashdot.org/comments.pl?sid=3512099&cid=43069271 [slashdot.org]

--

^ Champion Mod parent up. - http://slashdot.org/comments.pl?sid=3513659&cid=43067371 [slashdot.org]

--

I appreciate the time cube reference, and how you tied it into the story. Well done. - http://slashdot.org/comments.pl?sid=3521721&cid=43094565 [slashdot.org]

--

The day you are silenced is the day freedom dies on Slashdot. God bless. - http://slashdot.org/comments.pl?sid=3522191&cid=43097221 [slashdot.org]

--

AHahahahah thanks for that, cut-n-pasted.... Ownage! - http://slashdot.org/comments.pl?sid=3522219&cid=43097215 [slashdot.org]

--

Don't hate the player, hate the game. - http://slashdot.org/comments.pl?sid=3526293&cid=43110679 [slashdot.org]

--

If you're familiar with APK, the post itself is a pretty damn funny parody. - http://slashdot.org/comments.pl?sid=3528603&cid=43115215 [slashdot.org]

--

">implying it's not apk posting it" --> "I'd seriously doubt he's capable of that level of self-deprecation..." - http://slashdot.org/comments.pl?sid=3528603&cid=43115337 [slashdot.org] http://slashdot.org/comments.pl?sid=3528603&cid=43115363 [slashdot.org]

--

No, the other posts are linked in a parody of APK's tendency to quote himself, numbnuts. - http://slashdot.org/comments.pl?sid=3528603&cid=43116855 [slashdot.org]

--

The thirteenth link is broken. Please fix it. - http://slashdot.org/comments.pl?sid=3528603&cid=43115361 [slashdot.org]

--

Just ban any post with "apk", "host file", or "hosts file", as that would take care of the original apk too. The original has been shitposting Slashdot much longer & more intensively than the parody guy. Or ban all Tor exit nodes, as they both use Tor to circumvent IP bans. - http://slashdot.org/comments.pl?sid=3561925&cid=43216431 [slashdot.org]

--

Sadly this is closer to on-topic than an actual APK post is. - http://slashdot.org/comments.pl?sid=3561925&cid=43216225 [slashdot.org]

--

YOU ARE A GOD AMONG MEN. - http://slashdot.org/comments.pl?sid=3569149&cid=43236143 [slashdot.org]

--

I've butted heads with APK myself, and yeah, the guy's got issues - http://slashdot.org/comments.pl?sid=3569173&cid=43236987 [slashdot.org]

--

Can I be in your quote list? - http://slashdot.org/comments.pl?sid=3569443&cid=43237531 [slashdot.org]

--

Clearly you are not an Intertubes engineer, otherwise the parent post would be more meaningful to you. Why don't YOU take your meds? - http://slashdot.org/comments.pl?sid=3569425&cid=43238177 [slashdot.org]

--

+2 for style! The bolding, italicizing, and font changes are all spot-on - http://slashdot.org/comments.pl?sid=3569149&cid=43238479 [slashdot.org]

--

Your ideas are intriguing to me and I wish to subscribe to your newsletter. - http://slashdot.org/comments.pl?sid=3570085&cid=43243509 [slashdot.org]

--

APK is not really a schizophrenic fired former Windows administrator with multiple personality disorder and TimeCube/Art Bell refugee. He's a fictional character like and put forward by the same person as Goatse Guy, GNAA trolls, Dr. Bob and so forth. His purpose is to test the /. CAPTCA algorithm, which is a useful purpose. If you're perturbed by having to scroll past his screeds just set your minimum point level to 1, as his posts are pretty automatically downmodded right away. - http://slashdot.org/comments.pl?sid=3570085&cid=43243145 [slashdot.org]

--

Anyone else think that sounds like Ron Paul? - http://slashdot.org/comments.pl?sid=3569419&cid=43242417 [slashdot.org]

--

I just saw APK a couple days ago. He surfaced, blew once, and submerged... - http://slashdot.org/comments.pl?sid=3570111&cid=43245913 [slashdot.org]

--

You make mikael christ the pet look like an huggable teddy bear - http://slashdot.org/comments.pl?sid=3570111&cid=43242373 [slashdot.org]

--

oh man, that incredible interminable list of responses is almost as funny as the original post. This is getting to be truly epic. - http://slashdot.org/comments.pl?sid=3572687&cid=43247231 [slashdot.org]

--

"Does anyone know of an Adblock rule for this?" -> "No, but I bet there's a hosts file entry for it..." - http://slashdot.org/comments.pl?sid=3572687&cid=43246997 [slashdot.org] http://slashdot.org/comments.pl?sid=3572687&cid=43247097 [slashdot.org]

--

"Can a hosts file block apk's posts, though?" -> "The universe couldn't handle that much irony." - http://slashdot.org/comments.pl?sid=3572687&cid=43247135 [slashdot.org] http://slashdot.org/comments.pl?sid=3572687&cid=43247219 [slashdot.org]

--

"That's it, I've had enough. ... Bye everyone, most of the last decade or so has been fun, but frankly, I quit." - http://slashdot.org/comments.pl?sid=3572687&cid=43247225 [slashdot.org]
--> "So basically what you're saying is that you've added yourself to the HOST file?" - http://slashdot.org/comments.pl?sid=3572687&cid=43247481 [slashdot.org]

--

Sweet baby Moses, this is beautiful work - I wish we could get trolls as good as this on TF. :) - http://slashdot.org/comments.pl?sid=3572629&cid=43247533 [slashdot.org]

--

you have a point - http://slashdot.org/comments.pl?sid=3572687&cid=43247823 [slashdot.org]

--

I do admire that level of dedication. - http://slashdot.org/comments.pl?sid=3572687&cid=43247765 [slashdot.org]

--

[to apk] shut up you stupid cock. Everyone knows you're wrong. - http://slashdot.org/comments.pl?sid=3572687&cid=43250533 [slashdot.org]

--

I will hand it to him, he is definitely consistent. I wish I knew how he did this. That thing is scary huge. - http://slashdot.org/comments.pl?sid=3572629&cid=43250411 [slashdot.org]

--

I admire the amount of dedication you've shown - http://slashdot.org/comments.pl?sid=3573571&cid=43251593 [slashdot.org]

--

Word is, ESR buttfucks CmdrTaco with his revolver. - http://slashdot.org/comments.pl?sid=3573679&cid=43252957 [slashdot.org]

--

Hey APK, Protip: It's not the truth or value (or lack of) in your post that gets it modded into oblivion, it's the fucking insane length. In addition to TL;DR (which goes without saying for a post of such length), how about irritating readers by requiring them to scroll through 20+ screenfuls just to get to the next post. If you want to publish a short story like this, please do everyone a favor and blog it somewhere, then provide a brief summary and link to your blog. Readers intrigued by your summary will go read your blog, and everyone else will just move along at normal /. speed. - http://slashdot.org/comments.pl?sid=3573873&cid=43255013 [slashdot.org]

--

Happy now - http://slashdot.org/comments.pl?sid=3569419&cid=43237239 [slashdot.org]

--

Professional. - http://slashdot.org/comments.pl?sid=3574035&cid=43255143 [slashdot.org]

--

I like how this post seems to just sum up every Slashdot comment ever without actually saying anything. - http://slashdot.org/comments.pl?sid=3574283&cid=43256029 [slashdot.org]

--

extremely bright - http://slashdot.org/comments.pl?sid=3574035&cid=43255855 [slashdot.org]

--

You provide many references, which is good. - http://slashdot.org/comments.pl?sid=3574035&cid=43257043 [slashdot.org]

--

Holy shit - http://slashdot.org/comments.pl?sid=3576121&cid=43260311 [slashdot.org]

--

this is a perfect example - http://slashdot.org/comments.pl?sid=3578157&cid=43265127 [slashdot.org]

--

You're my personal hero. - http://slashdot.org/comments.pl?sid=3574283&cid=43260747 [slashdot.org]

--

Obviously very passionate - http://slashdot.org/comments.pl?sid=3574035&cid=43261975 [slashdot.org]

--

Is that ALL you have to say? C'mon! Tell us what you really think. - http://slashdot.org/comments.pl?sid=3576225&cid=43262495 [slashdot.org]

--

Thanks ... You should probably stay - http://slashdot.org/comments.pl?sid=3577613&cid=43262993 [slashdot.org]

--

Art? -- http://slashdot.org/comments.pl?sid=3569681&cid=43244883 [slashdot.org]

--

PROOF apk sucks donkey dick. - http://slashdot.org/comments.pl?sid=3577639&cid=43263029 [slashdot.org]

--

I've been around /. for a while now, but this post is by far the most unique I've seen. Many have tried, but few achieve the greatness of this AC. My hat's off to you. - http://slashdot.org/comments.pl?sid=3576225&cid=43264325 [slashdot.org]

--

PROOF apk is a liar! - http://slashdot.org/comments.pl?sid=3578279&cid=43265249 [slashdot.org]

--

I think it's hilarious. Get over it! - http://slashdot.org/comments.pl?sid=3578301&cid=43265657 [slashdot.org]

--

Obviously APK filled his hosts files with backdoors before distributing them to ensure he doesn't block himself. - http://slashdot.org/comments.pl?sid=3578229&cid=43265767 [slashdot.org]

--

Alexander Peter Kowalski is an obnoxious prick. - http://slashdot.org/comments.pl?sid=3406867&cid=42698875 [slashdot.org]

--

Don't mention that file. Ever. It'll draw APK like a fly to rotting meat. Last thing I want to read is 80 responses worth of his stupid spam about that file! I swear that cocksucker does nothing but search Slashdot for that term and then spams the entire article. - http://slashdot.org/comments.pl?sid=3554655&cid=43209619 [slashdot.org]

--

[to apk] You have had it repeatedly explained to you that your posts are long-winded, unpleasant to read due to your absurd formatting style and full of technical inaccuracies borne of your single minded i-have-a-hammer-so-every-problem-is-a-nail attitude. - http://slashdot.org/comments.pl?sid=3406867&cid=42701491 [slashdot.org]

--

Oh shit, the hosts files have become self-aware and started hacking accounts. - http://slashdot.org/comments.pl?sid=3581857&cid=43276783 [slashdot.org]

--

What mad skillz you have!! - http://slashdot.org/comments.pl?sid=3581193&cid=43273941 [slashdot.org]

--

Am I the only one who enjoys this sort of insanity? - http://slashdot.org/comments.pl?sid=3582193&cid=43281063 [slashdot.org]

--

You are my favorite Slashdot poster. - http://slashdot.org/comments.pl?sid=3580251&cid=43270359 [slashdot.org]

--

Most insightful post on the Internet - http://slashdot.org/comments.pl?sid=3579259&cid=43275207 [slashdot.org]

--

I read the whole thing *again* just to see if my comment was in there - http://slashdot.org/comments.pl?sid=3588003&cid=43293069 [slashdot.org]

--

[to apk] So, did your mom do a lot of drugs when she was pregnant? - http://slashdot.org/comments.pl?sid=3586303&cid=43291531 [slashdot.org]

--

people are looking at me funny because I'm laughing hysterically at what a perfect APK imitation it is. - http://slashdot.org/comments.pl?sid=3581991&cid=43278203 [slashdot.org]

--

I think he wants it to be an article, but doesn't know how to submit it. - http://slashdot.org/comments.pl?sid=3586345&cid=43287717 [slashdot.org]

--

Slashdot devs seem in no hurry to fix this problem and it's been driving me nuts. So for anybody who values viewing at -1 and uses greasemonkey here's a Script [pastebin.com]. There's a chance of false positives and it's not the most optimized. But I value not having to scroll through > 10 paragraphs of APK, custom hosts files, or 'acceptable ads' spam. - http://slashdot.org/comments.pl?sid=3586291&cid=43287671 [slashdot.org]
--> slashdot devs are too busy installing itunes for their hipster nerd buddys to sort this problem out. - http://slashdot.org/comments.pl?sid=3586291&cid=43290701 [slashdot.org]

--

I can't get enough of all of this good stuff! Thanks for the informative links! - http://slashdot.org/comments.pl?sid=3586291&cid=43287553 [slashdot.org]

--

When threatened, APK typically produces a post with links showing he's essentially posted this hundreds of times to slashdot stories... - http://slashdot.org/comments.pl?sid=3586291&cid=43290275 [slashdot.org]

--

[to apk] Your post got downmodded because you're a nutjob gone off his meds. - http://slashdot.org/comments.pl?sid=3586081&cid=43288893 [slashdot.org]

--

[to apk] The reason people impersonate you is because everyone thinks you're a moron. The hosts file is not intended to be used as you suggest. - http://slashdot.org/comments.pl?sid=3591803&cid=43302885 [slashdot.org]
--> What? You don't have a 14MB hosts file with ~1million entries in it? Next you'll probably tell me that your computer doesn't start thrashing and take 5 minutes for a DNS lookup! - http://slashdot.org/comments.pl?sid=3591803&cid=43302977 [slashdot.org]

--

[about apk] - this fwit is as thick as a post. worse, this shithead has mod points. and using them. - http://slashdot.org/comments.pl?sid=3591681&cid=43302873 [slashdot.org]

--

In before the fight between those two guys and their walls of text... - http://slashdot.org/comments.pl?sid=3592647&cid=43306485 [slashdot.org]

--

HEY APK YOU ARE A WASTE OF OXYGEN -GET A LIFE - http://slashdot.org/comments.pl?sid=3593009&cid=43308147 [slashdot.org]

--

KPA ...thgim dik a ekil .s.b laivirt hcus no emit hcum taht etsaw t'ndluow I sa ,ti gniod em TON si ti - syug ON - http://slashdot.org/comments.pl?sid=3592933&cid=43307605 [slashdot.org]

--

[to apk] You seriously need to go see a shrink. You are a fucking fruitcake! - http://slashdot.org/comments.pl?sid=3592933&cid=43307559 [slashdot.org]

--

[to apk] Did you ever consider that it's not just one corrupt moderator, it's a bunch of regular slashdot users who infrequently get mod points who think you are totally full of shit? Stop posting annoying off topic irrelevant bullshit, and people won't mod you down. I'm seriously sick of reading your posts about someone impersonating you. - http://slashdot.org/comments.pl?sid=3592933&cid=43308389 [slashdot.org]

--

[to apk] you should be forced to use a cholla cactus as a butt-plug - http://slashdot.org/comments.pl?sid=3592647&cid=43308219 [slashdot.org]

--

[to apk] No one is on your side, that is why you're here. posting. still. No one cares. - http://slashdot.org/comments.pl?sid=3595009&cid=43310903 [slashdot.org]

--

Who's the more moronic? The original moron, or the one who replies to him knowing full well his comment will certainly be ignored, if not entirely unread, thus bringing the insane troll post to the attention of those who would otherwise not have seen it at all (seeing as it started at 0 and would have rapidly been modded down to -1) and whose post (and, somewhat ironically I grant you, this one as well) now requires 3 more mod points to be spent to hide it? - http://slashdot.org/comments.pl?sid=3593207&cid=43311073 [slashdot.org]

--

[to apk] I miss trollaxor. His gay porn world of slashdot executives and open-source luminaries was infinitely more entertaining than this drivel. - http://slashdot.org/comments.pl?sid=3593207&cid=43311225 [slashdot.org]

--

PLEASE stop modding biters up. Anyone who responds to an obvious troll, especially one of these APK trolls, should automatically get the same -1 troll as the damned troll. Any response to a troll only makes the troll do more trolling. Come on, guys, use your brains -- it isn't that hard. Stop feeding the damned trolls!

--

[to apk] Lick the inside of goatse's anus, it's delicious! - http://slashdot.org/comments.pl?sid=3589605&cid=43301757 [slashdot.org]

--

I wouldn't be surprised if that is APK trying to draw attention to himself, since he thinks such endless tirades are examples of him winning and make him look good. When people stop paying attention to him, or post actual counterpoints he can't come up with a response to, he'll post strawman troll postings to shoot down, sometimes just copy pasted from previous stories. - http://slashdot.org/comments.pl?sid=3592647&cid=43308851 [slashdot.org]

-o-o-o-o-o-o-o-

Did you see the movie "Pokemon"? Actually the induced night "dream world" is synonymous with the academic religious induced "HOSTS file" enslavement of DNS. Domains have no inherent value, as it was invented as a counterfeit and fictitious value to represent natural values in name resolution. Unfortunately, human values have declined to fictitious word values. Unknowingly, you are living in a "World Wide Web", as in a fictitious life in a counterfeit Internet - which you could consider APK induced "HOSTS file". Can you distinguish the academic induced root server from the natural OpenDNS? Beware of the change when your brain is free from HOSTS file enslavement - for you could find that the natural Slashdot has been destroyed!!

FROM -> Man - how many times have I dusted you in tech debates that you have decided to troll me by ac posts for MONTHS now, OR IMPERSONATING ME AS YOU DID HERE and you were caught in it by myself & others here, only to fail each time as you have here?)...

So long nummynuts, sorry to have to kick your nuts up into your head verbally speaking.

cower in my shadow some more, feeb. you're completely pathetic.

-o-o-o-o-o-o-o-

* :)

Ac trolls' "BIG FAIL" (quoted): Eat your words!

P.S.=> That's what makes me LAUGH harder than ANYTHING ELSE on this forums (full of "FUD" spreading trolls) - When you hit trolls with facts & truths they CANNOT disprove validly on computing tech based grounds, this is the result - Applying unjustifiable downmods to effetely & vainly *try* to "hide" my posts & facts/truths they extoll!

Hahaha... lol , man: Happens nearly every single time I post such lists (proving how ineffectual these trolls are), only showing how solid my posts of that nature are...

That's the kind of martial arts [google.com] I practice.

-o-o-o-o-o-o-o-

Disproof of all apk's statements:

OLD POST LINKS MIRRORED HERE:
http://pastebin.com/8yxcW3TJ [pastebin.com]

RECENT POST LINKS:
http://slashdot.org/comments.pl?sid=3581193&cid=43273839 [slashdot.org]
http://slashdot.org/comments.pl?sid=3581857&cid=43276593 [slashdot.org]
http://slashdot.org/comments.pl?sid=3581991&cid=43277017 [slashdot.org]
http://slashdot.org/comments.pl?sid=3582075&cid=43277273 [slashdot.org]
http://slashdot.org/comments.pl?sid=3582193&cid=43278565 [slashdot.org]
http://slashdot.org/comments.pl?sid=3584857&cid=43282375 [slashdot.org]
http://slashdot.org/comments.pl?sid=3578357&cid=43282481 [slashdot.org]
http://slashdot.org/comments.pl?sid=3585297&cid=43283241 [slashdot.org]
http://slashdot.org/comments.pl?sid=3585417&cid=43283695 [slashdot.org]
http://slashdot.org/comments.pl?sid=3585451&cid=43284271 [slashdot.org]
http://slashdot.org/comments.pl?sid=3585593&cid=43284843 [slashdot.org]
http://slashdot.org/comments.pl?sid=3585795&cid=43285307 [slashdot.org]
http://slashdot.org/comments.pl?sid=3585827&cid=43285755 [slashdot.org]
http://slashdot.org/comments.pl?sid=3586081&cid=43286509 [slashdot.org]
http://slashdot.org/comments.pl?sid=3586127&cid=43286699 [slashdot.org]
http://slashdot.org/comments.pl?sid=3586137&cid=43287021 [slashdot.org]
http://slashdot.org/comments.pl?sid=3586291&cid=43287449 [slashdot.org]
http://slashdot.org/comments.pl?sid=3586345&cid=43287755 [slashdot.org]
http://slashdot.org/comments.pl?sid=3586303&cid=43289687 [slashdot.org]
http://slashdot.org/comments.pl?sid=3586627&cid=43289733 [slashdot.org]
http://slashdot.org/comments.pl?sid=3586589&cid=43290487 [slashdot.org]
http://slashdot.org/comments.pl?sid=3587901&cid=43290773 [slashdot.org]
http://slashdot.org/comments.pl?sid=3588003&cid=43290983 [slashdot.org]
http://slashdot.org/comments.pl?sid=3588135&cid=43292021 [slashdot.org]
http://slashdot.org/comments.pl?sid=3588293&cid=43292235 [slashdot.org]
http://slashdot.org/comments.pl?sid=3588505&cid=43293807 [slashdot.org]
http://slashdot.org/comments.pl?sid=3585927&cid=43293997 [slashdot.org]
http://slashdot.org/comments.pl?sid=3588749&cid=43294405 [slashdot.org]
http://slashdot.org/comments.pl?sid=3588831&cid=43295131 [slashdot.org]
http://slashdot.org/comments.pl?sid=3589063&cid=43295377 [slashdot.org]
http://slashdot.org/comments.pl?sid=3588881&cid=43295689 [slashdot.org]
http://slashdot.org/comments.pl?sid=3589089&cid=43295855 [slashdot.org]
http://slashdot.org/comments.pl?sid=3589273&cid=43296223 [slashdot.org]
http://slashdot.org/comments.pl?sid=3589297&cid=43296795 [slashdot.org]
http://slashdot.org/comments.pl?sid=3589441&cid=43298759 [slashdot.org]
http://slashdot.org/comments.pl?sid=3589575&cid=43301133 [slashdot.org]
http://slashdot.org/comments.pl?sid=3589605&cid=43301143 [slashdot.org]
http://slashdot.org/comments.pl?sid=3591681&cid=43303049 [slashdot.org]
http://slashdot.org/comments.pl?sid=3591803&cid=43304723 [slashdot.org]
http://slashdot.org/comments.pl?sid=3592325&cid=43305507 [slashdot.org]
http://slashdot.org/comments.pl?sid=3591903&cid=43307375 [slashdot.org]
http://slashdot.org/comments.pl?sid=3588523&cid=43307387 [slashdot.org]
http://slashdot.org/comments.pl?sid=3592187&cid=43307465 [slashdot.org]
http://slashdot.org/comments.pl?sid=3593009&cid=43308801 [slashdot.org]
http://slashdot.org/comments.pl?sid=3592973&cid=43308813 [slashdot.org]
http://slashdot.org/comments.pl?sid=3592933&cid=43308825 [slashdot.org]
http://slashdot.org/comments.pl?sid=3592647&cid=43308843 [slashdot.org]
http://slashdot.org/comments.pl?sid=3592647&cid=43308851 [slashdot.org]
http://slashdot.org/comments.pl?sid=3593139&cid=43311793 [slashdot.org]
http://slashdot.org/comments.pl?sid=3593207&cid=43311803 [slashdot.org]
http://slashdot.org/comments.pl?sid=3595381&cid=43311815 [slashdot.org]
http://slashdot.org/comments.pl?sid=3595009&cid=43311847 [slashdot.org]
END

Re:I am being stalked and abused... apk (1)

tarius8105 (683929) | about a year and a half ago | (#43313235)

And someone forgot to take his meds today... Are you really that dense that you can't tell that the only reason the "impostor" exists is because you have a hard time realizing that you are wrong and/or won't let it go? It would take a complete moron to not realize that the whole reason he continues to do it is because he knows he can get you to respond by simply posting. This isn't rocket science, this is internet 101...

Let me offer you some advice on how to get rid of this "impostor"... shut up.

That's not I folks It's Jeremiah Cornelius... apk (0)

Anonymous Coward | about a year and a half ago | (#43317863)

THIS is why he's doing it & proof of it, here -> http://interviews.slashdot.org/comments.pl?sid=3585927&cid=43295193 [slashdot.org] when others pointed out Jeremiah Cornelius forgot to submit one of the "first post spams" masquerading as myself as AC, & mistakenly submitted one of the impersonations of myself as his registered 'luser' name here on /. forums.

Pretty pitiful actually, but like every up to no good idiot does? He screwed up & submitted it under his registered 'luser' name here.

* Jeremiah Cornelius: DO YOURSELF, and the rest of us, A GIANT FAVOR MAN: Seek professional psychiatric help!

(Since Jeremiah Cornelius obviously can't get over the fact he made a spelling error on what it is HE ALLEGEDLY DID FOR A LIVING? That's not MY fault... it's HIS!)

APK

P.S.=> I seriously must have dusted JC (in his mind @ least) for his BAD spelling error & it "got his goat"...

I.E.-> Catching what he claimed to do as a job, for YEARS he left "PENETRATION" (correct) spelled as "PENTRATION" (incorrect) on his resume on LinkedIn & I pointed it out as he & his friends trolled me as usual (webmistressrachel, gmhowell, & crew (probably ALL JC no doubt using alternate emails or TOR to do it as a possible - I've caught "them & theirs" doing it before, ala Barbara, not Barbie = TomHudson (same person))).

So THAT is what has gotten his goat in a technical debate & his "geek angst" could only come up with *trying* to "impersonate me" in every news thread on /. for the month of March 2013 so far!

(Just to attempt to 'discredit me' as a spammer here obviously)

Doing so, by posting that "$10,000 challenge" &/or reposts of my old posts on hosts file value to end users into EVERY SINGLE NEWS ARTICLE POSTED on /. ...

It's all I can think of that *might* cause such a mentally troubled 'reaction' like the Jeremiah Cornelius is doing & there's NO QUESTION he's the one doing this spamming of nearly every posted article masquerading as myself...!

... apk

That's not a good approach (1, Interesting)

i kan reed (749298) | about a year and a half ago | (#43311927)

Make sure that users of your open source project are not even able to find out what attack vector exists on their systems. They should languish in the hopes that your team will fix it before malicious hackers figure out what it was. From the code they already checked out.

Obscurity will protect everyone.

Re:That's not a good approach (5, Insightful)

bluefoxlucid (723572) | about a year and a half ago | (#43311965)

That's exactly the point. They've locked out and shrouded the changes that are being made as they're happening, because of wide-spread collaboration causing changes, tests, etc to occur. It's going to be a week before the fix is ready, but as soon as the first bits of test code go in you can quickly target that body of code and figure out the problem, then exploit it. As-is, you now have to rummage through the whole body of vulnerable code and try to guess what's actually broke.

When the repos are opened back up, the fix will be ready. It might (probably) even be shared with the major distros, who will simultaneously have an updated package published. This greatly reduces the likelihood and window of a zero-day exploit with no fix.

Re:That's not a good approach (-1)

Anonymous Coward | about a year and a half ago | (#43312013)

But, but, but, I am a freetard and many eyes equals secure code. So you must either be wrong or not a freetard. Open code is secure code. Nyah nyah.

Re:That's not a good approach (1)

pallmall1 (882819) | about a year and a half ago | (#43315059)

But, but, but, I am a freetard...

No, you are just stupid.

Re:That's not a good approach (1)

Anonymous Coward | about a year and a half ago | (#43312041)

If you have a copy of the code before the changes and another copy from after, it takes literally 3 seconds to target exactly what was changed. Your explanation accounts for none of that.

Re:That's not a good approach (5, Insightful)

bluefoxlucid (723572) | about a year and a half ago | (#43312077)

My explanation accounts exactly for that and that was the point. The changes between [VULNERABLE] and [FIXED] are not public yet because the [FIXED] state is not ready for production deployment (it may be wrong, and need more work). That means you can't pop open your source tree, do a `git diff`, and go, "oh, in this code path?" and 20 minutes later have your exploit.

Now, a week from now, this stuff will all be public and fixes will be released. Then you can target exactly what's changed, while everyone else is running updates. This is different from targeting exactly what's changed and then running around buttfucking everyone while they have to wait a week to get production-ready code OR chance it with alpha-grade software in production.

Re:That's not a good approach (0)

Anonymous Coward | about a year and a half ago | (#43312223)

The fixes will be released, but there are going to be many broken instances in the wild, and all this hoohar will merely bring attention to the exploit. It's trivial to diff the code and see what's going on. This decision was wrong, they could have slipped in the fix as a regular commit and no one would really be any the wiser, but now, the whole tech world knows that any day now, an exploit is going to be trivial to find.

Re:That's not a good approach (4, Insightful)

Firehed (942385) | about a year and a half ago | (#43312461)

People looking to exploit vulnerabilities on widely-installed software (databases, programming languages, frameworks, etc.) keep an eye on commit logs to do precisely this. Those patches and commits call attention to themselves; postgres is right to ensure that a patch is available at the same time it indicates the attack vector. In fact, they'd probably be wise to make sure major binary repos have a patched copy even before making the changed source available so that sysadmins have a week to do an update from yum/apt-get/$pkgmgr

The only difference between this and patch tuesday is that you know what goes into this fix after the fact. If you see 'critical security update' in your mailing lists, it becomes a race between you updating your system and attackers figuring out how to exploit the old version; them doing so is orders of magnitude more difficult if they don't actually know what's changed.

Is it the FOSS way? No. But I'd happily take a project going closed-source for two weeks if it means my database doesn't get hacked (but then again, I'm dealing with PCI-DSS Level 1 so I kinda have to). Now hopefully people have their databases completely inside the firewall as to minimize the attack vector - assuming it has something to do with an authentication flaw, at least (and not, say, remote code execution due to a bug in parameterized queries). See - I don't know what they're changing, so I don't even know where to start probing.

Re:That's not a good approach (0)

Anonymous Coward | about a year and a half ago | (#43317759)

It'll slow us down but it won't stop us.

I don't know what makes you think that crackers are unskilled at examining binary diffs. Windows crackers don't have source and they get by just fine, what makes you think Linux is any different?

Re:That's not a good approach (1)

greg1104 (461138) | about a year and a half ago | (#43327487)

In fact, they'd probably be wise to make sure major binary repos have a patched copy even before making the changed source available so that sysadmins have a week to do an update from yum/apt-get/$pkgmgr

That is impossible in the general case, and that fact is one reason the somewhat careful plan is executing. Some open source projects require releasing the source code along with the binaries. RedHat for example will always distribute source RPMs at the same time as the binary RPMs. The PostgreSQL license doesn't have such requirements, but the distribution's release policies can't necessarily change just because some packages have less requirements.

Fundamentally, PostgreSQL can't make any downstream packaging demands; those are projects outside of its control. The best they can do is coordinate with as many known, trusted packagers as possible such that binary packages are available at exactly the same time as the source code that discloses the vulnerability. That is what's happening here. The PostgreSQL core team member whose e-mail was referenced is heavily involved in packaging of RedHat and other versions of Linux.

Fundamentally, the whole idea of advance binary releases presumes that you cannot reverse engineer an exploit out of a changed binary, and that is just generally a broken model. If I had a source and binary for an existing PostgreSQL version on a platform, and you also gave me a binary for a modified one, I could reverse engineer what was changed without too much trouble. And that sort of thing is exactly what people developing exploits are usually good at. Your only hope for being safe is if you trust a binary provided by someone, and that sort of idea is exactly what open source distribution is supposed to avoid.

Let's say PostgreSQL released binaries for RedHat RHEL for example a week early, but not associated source code, I'm running Slackware, and Slackware isn't one of the distributions that gets early access to the fix. As a Slackware user I'd be screwed. People who know how to build exploits would have everything they need to target an attack for a week, but I would have no way to defend myself. If source is released at the same time, people always have the option of rebuilding their own packages, even if their packager won't/didn't. A race between "fully informed user with source" and "exploit builder with source" can be won by the user. If you delay source to some time after the binary, it's far more likely the exploit will be built before people know enough to build a fixed package and protect themselves.

Re:That's not a good approach (-1)

Anonymous Coward | about a year and a half ago | (#43313143)

Ridiculous. The Linux kernel needs no secrecy. The fucking database doesn't either. Shutting out users is fucking retarded.

As a security researcher: There's a ton of other "zero day" exploits they haven't fixed yet. Fucking buy one on the exploit market and see. This is ludicrous. If a cracker wants your database, and can afford the price, it's over. To me: They're sitting there, bugs crawling all over their faces, covering one small patch on their side with their hands -- Oh, you can't see this spot here! It's a bad Bug!

Morons.

Re:That's not a good approach (0)

Anonymous Coward | about a year and a half ago | (#43313275)

As a security researcher

Proclaiming yourself as a security researcher doesn't really make you an actual security researcher. Not knowing the difference between an OS kernel exploit and a database exploit makes you an incredibly poor one.

Re:That's not a good approach (0)

Anonymous Coward | about a year and a half ago | (#43313895)

But, but... he dropped three F-bombs and called the guys who are actually doing something morons! Doesn't that prove he's an expert? 'Cause I've been reading Slashdot for quite a while now, and that seems to be how all the "experts" identify themselves.

Re:That's not a good approach (0)

Anonymous Coward | about a year and a half ago | (#43317513)

I thought that just made him Linus Torvalds...

Re:That's not a good approach (1)

Forty Two Tenfold (1134125) | about a year and a half ago | (#43312579)

it takes literally 3 seconds to target exactly what was changed

No, it's figuratively. If the patch changes multiple files, reworking big fragments of business logic, then it's less trivial to figure out the exploit. The interested parties might just use this window to update. If everyone knows the exploit before the changes are applied and tested, it's a total SNAFU.

Re:That's not a good approach (0)

Anonymous Coward | about a year and a half ago | (#43312053)

Most users will not upgrade immediately and so at best this puts off the exploit making it 'into the wild' by a week. At worst, it draws widespread attention to the flaw (as in, /.) and will cause people to aggressively pursue using it to compromise systems once the fix is released.

Re:That's not a good approach (2)

bluefoxlucid (723572) | about a year and a half ago | (#43312131)

At least you have the option. And people who are exploiting shit are using Metasploit and playing around on Milw0rm anyway, seriously.

Re:That's not a good approach (1)

greg1104 (461138) | about a year and a half ago | (#43327369)

When the repos are opened back up, the fix will be ready. It might (probably) even be shared with the major distros, who will simultaneously have an updated package published. This greatly reduces the likelihood and window of a zero-day exploit with no fix.

That is what's happening, and it's the reason for the temporary lockdown. The core team member whose e-mail was linked to here is also one of RedHat's packagers for PostgreSQL as one example distribution. He's helping make sure that updated RHEL RPMs are published at the same time as the details of the vulnerability. Right now the only people who are believed to know about the problem are the project committers and a few equally trusted packagers.

Re:That's not a good approach (-1)

Anonymous Coward | about a year and a half ago | (#43312269)

Make sure that users of your open source project are not even able to find out what attack vector exists on their systems. They should languish in the hopes that your team will fix it before malicious hackers figure out what it was. From the code they already checked out.

Obscurity will protect everyone.

This behavior highlights the hypocrisy in the open source religion. Where are the multiple sets of eyes, which make all bugs shallow? I'm extrapolating from previous posts which argue that _any_ behavior which hides source code is evil and only serves to hide malicious behavior. It doesn't matter that the CVS will open at a later date; at the very least the zealots need to change their tune and acknowledge the fundamental flaws of their religion.

Re:That's not a good approach (4, Insightful)

Firehed (942385) | about a year and a half ago | (#43312531)

Open-source doesn't magically decrease the severity or number of bugs, but it does allow more people to eventually discover them. There's an obvious trade-off here: non-malicious people can find and then report and/or fix the bugs, or malicious people can find and then exploit them. The hope is that there are more contributors than attackers finding bugs and that it ends up being a net positive for stability and security. Neither open nor closed source is the right model 100% of the time for 100% of projects.

There's no hypocrisy here - the source of the patches will be released and all future commits will be made public again. This was a short-term decision weighing practicality and security against the "religion" of OSS. It's the difference between responsible disclosure and letting the software maintainers find out about the same exploit because you blogged about it, so attackers find out at the same time. They could have one or two people developing the patch in a local branch and simply not push anything upstream until it's done and tested and have the same effect, this is just an easier approach.

Re:That's not a good approach (1)

bill_mcgonigle (4333) | about a year and a half ago | (#43314241)

They could have one or two people developing the patch in a local branch and simply not push anything upstream until it's done and tested and have the same effect, this is just an easier approach.

That's exactly it - the typical open source methodology and infrastructure isn't really what defines the product as open source or not. Many of the commercial dual-licensed vendors still just throw code over the wall every few months, and they're definitely still open source. All the PostgreSQL folks are doing is closing the infrastructure to non-core contributors for a week - the code is and will be open source.

It would be neat if there was a redundant infrastructure for these sorts of needs, but I'm guessing they decided that spinning one up wasn't worth delaying the fix.

Re:That's not a good approach (1)

fuzzytv (2108482) | about a year and a half ago | (#43362849)

That really depends on what your definition of open source is. My favorite definition comes from OSI [http://opensource.org/about]: "Open source is a development method for software that harnesses the power of distributed peer review and transparency of process. The promise of open source is better quality, higher reliability, more flexibility, lower cost, and an end to predatory vendor lock-in."

That clearly means companies throwing source code over the wall every few months does not make the product open source, as it's lacking the transparency and distributed peer review. But although OSI (or rather future founders of OSI) coined the term in 1998, it's true there are other definitions saying that publishing source code makes the product open source. The problem with that definition is that the "many eyeballs" theory requires a community, and you're not going to get that by mere publication of the code.

Re:That's not a good approach (1)

bill_mcgonigle (4333) | about a year and a half ago | (#43365081)

I agree, that's much better. A good reason to fork a project too. It's too bad OpenJDK hasn't done that yet - they still suffer from the over-the-wall model.

Re:That's not a good approach (1)

LordLimecat (1103839) | about a year and a half ago | (#43312989)

Nonsense. I think that OSS enthusiasts grossly overstate the benefits of OSS sometimes, but the "many eyes" DID find the problem, and now they are working on a fix.

Would you rather
A) they tell everyone "hey, the problem is that you can easily exploit PostgreSQL by doing X, but we will have a fix in a week or two", or
B) tell everyone "there is a security flaw, but we will not disclose details until the fix is out"

Guess which one ALL major vendors do when they have a choice, btw? Google does this, MS does this, etc.

Re:That's not a good approach (1)

HiThere (15173) | about a year and a half ago | (#43314163)

You left out option C:
C) Don't tell anyone there's a problem, and pretend that there isn't one until you have a new version to sell.

MAYBE MS doesn't do that anymore. I stopped using their products, so I don't know. They certainly used to.

Re:That's not a good approach (1)

peawormsworth (1575267) | about a year and a half ago | (#43320291)

You left out option C: C) Don't tell anyone there's a problem, and pretend that there isn't one until you have a new version to sell.

MAYBE MS doesn't do that anymore. I stopped using their products, so I don't know. They certainly used to.

D) Everyone including MS knows there is a problem, but the fix doesn't come out in the next patch because it doesn't affect enough customers to be worth the effort involved in making the necessary changes. Because MS is a profit-driven organization and has no incentive to assist a minority when there is no return on investment.

Re:That's not a good approach (1)

HiThere (15173) | about a year and a half ago | (#43325991)

Sorry, but EVERYONE uses that option. Check out old bugs in some open source projects. So you can't reasonably single out MS for that one.

Re:That's not a good approach (1)

fuzzytv (2108482) | about a year and a half ago | (#43362923)

OSS is not a magical fairy dust. There are OSS projects that suck at fixing bugs and there are projects that are pretty good at this. PostgreSQL is one of the great ones, IMHO.

What's great about OSS is that the bugs can be analyzed and fixed by anyone with sufficient knowledge, not just by a single company.

Re:That's not a good approach (0)

Anonymous Coward | about a year and a half ago | (#43312445)

Well, if you didn't want to be obscured I guess you should've contributed, you leech.

(I keed I keed)

Re:That's not a good approach (2)

BitZtream (692029) | about a year and a half ago | (#43314239)

So, go to http://git.postgresql.org/gitweb/?p=postgresql.git;a=summary [postgresql.org] and look at the source.

What they've taken private is their patches for the problem until they can make it production ready.

You are still fully able to access everything you've always had access to, they've just decided not to share their newest patches for a few days/weeks until people have at least a chance to protect their systems.

Regression tests have to be run, repos need a chance to update their binary packages, all sorts of things can be done in private and made ready so that when the changes are made public ... and it becomes trivial to exploit the bug in unpatched versions since the changes show you the exploit ... users are already able to update to a fixed version.

They just aren't telling the world where the bug is until the patch has been properly distributed. You can still go look for it yourself if you want, unless you want the bad guys to know where it's at and you STILL won't have a patch available. Remember, these are the guys who are making the patch, so you're waiting on them for the fix regardless.

Say what? Streisand effect on security perhaps? (0)

brunes69 (86786) | about a year and a half ago | (#43311931)

This seems like a really dumb move. What the team has done now is to raise the exposure level of this vulnerability by a HUGE margin. Now all any script kiddie needs to do is find a mirror of the code from 24 hours ago or any other recent period, which is likely quite trivial to do with an open source project as large as postgresql, and hunt for the vulnerability. They know it will be pretty bad since they did this action!

Re:Say what? Streisand effect on security perhaps? (4, Insightful)

Splab (574204) | about a year and a half ago | (#43311955)

You are assuming it is a new problem, the approach they selected tells me they have found a *MAJOR* issue in several versions of PostgreSQL; that means it's old code.

They even say, keep an eye on this next release, because you (users) need to apply it at once - this isn't something that only affects the latest build.

Re:Say what? Streisand effect on security perhaps? (4, Informative)

Splab (574204) | about a year and a half ago | (#43312023)

And from Postgres we have:
http://www.postgresql.org/about/news/1454/ [postgresql.org]

This is a major security issue and it affects *ALL* versions of postgres. Locking it down while updates are being created seems the right way to do it to me...

Re:Say what? Streisand effect on security perhaps? (4, Insightful)

bluefoxlucid (723572) | about a year and a half ago | (#43311975)

They'll have to hunt through all the code. Since a viable, production-ready fix won't be available for a week, but a new piece of code in the vulnerable body is available now, leaving the repo public would result in a week of free exploitation--they've gone and highlighted the exact bit of code the problem is in. The repos are closed, so only contributors and any downstream distribution providers that are working with them to build and test the fixed code are privy to this.

This temporary closure greatly reduces the risk of an attacker tearing down the code and finding the precise vulnerability they're trying to mitigate.

Re:Say what? Streisand effect on security perhaps? (0)

Anonymous Coward | about a year and a half ago | (#43312065)

Luckily diff doesn't exist, and everyone updates their software immediately!

Re:Say what? Streisand effect on security perhaps? (1, Flamebait)

bluefoxlucid (723572) | about a year and a half ago | (#43312143)

Risk of being exploited versus risk of updating your software. If you decide the risk of updating is lower than the risk of exploitation, you update. OH WAIT, THERE'S NO UPDATE READY UNTIL NEXT WEEK.

Re:Say what? Streisand effect on security perhaps? (0)

Anonymous Coward | about a year and a half ago | (#43312155)

That is not a problem they could have solved by announcing the vulnerability publicly. Even if they did classic "full disclosure", diff would still exist, and people would still delay updates.

As it is, no one can find the vulnerability with diff because the repository is closed. Once the fix is published, then people will be able to find the vulnerability using diff, but at least the postgresql team have reduced the window of time in which diff is useful to the bad guys.

Re:Say what? Streisand effect on security perhaps? (0)

Anonymous Coward | about a year and a half ago | (#43312399)

If they keep it open. Tomorrow when they are working on a fix, diff would show where the bug is. Then they have a week of free exploit before a fix is out.

Closing it for now hides where the bug is till there is a fix.
A week of butt fun before the smart users can fix it, vs. smart users update with no butt fun.

Re:Say what? Streisand effect on security perhaps? (0)

Anonymous Coward | about a year and a half ago | (#43312027)

This seems like a really dumb move. What the team has done now is to raise the exposure level of this vulnerability by a HUGE margin. Now all any script kiddie needs to do is find a mirror of the code from 24 hours ago or any other recent period, which is likely quite trivial to do with an open source project as large as postgresql, and hunt for the vulnerability. They know it will be pretty bad since they did this action!

You're no longer a script kiddie when you can find an undisclosed vulnerability in a source code base as large as PostgreSQL. You've graduated to cyber criminal.

Re:Say what? Streisand effect on security perhaps? (1)

Forty Two Tenfold (1134125) | about a year and a half ago | (#43312627)

You're no longer a script kiddie when you can find an undisclosed vulnerability in a source code base as large as PostgreSQL. You've graduated to cyber criminal.

No. You become a cyber criminal when you abuse the vulnerability. When you can find one, you're a successful security auditor.

Re:Say what? Streisand effect on security perhaps? (4, Informative)

afgam28 (48611) | about a year and a half ago | (#43312061)

From the article:

The reason for the lockdown is to ensure that malicious users don’t work out an exploit by monitoring the changes to the source code while it is being implemented to fix the flaw.

So a mirror of the code from 24 hours ago wouldn't have any work-in-progress commits. These commits would give clues as to where the vulnerability is.

It sounds like a really good use case for distributed version control. When this sort of thing happens, developers should be able to temporarily fork the repo and work on security issues in private, while everyone else is still able to access the main repo.

Re:Say what? Streisand effect on security perhaps? (0)

Anonymous Coward | about a year and a half ago | (#43312259)

It sounds like a really good use case for distributed version control. When this sort of thing happens, developers should be able to temporarily fork the repo and work on security issues in private, while everyone else is still able to access the main repo.

I guess the reason they don't do that is because the build infrastructure works off the official repository. Nothing prevents other (non-committer) developers from using the distributed nature of git to continue developing stuff, of course.

I also have the impression that many people read the topic as meaning "we are trying to hide our current source code because you might fix the bug in it", which is absolute bollocks of course (as the source code is mirrored everywhere, e.g., on github): They are just temporarily hiding the to-be-committed change that implements the fix, up to the point where fixed packages are ready.

Anyway, whoever posted this article to /. should be shot for the obvious reasons.

Re:Say what? Streisand effect on security perhaps? (0)

Anonymous Coward | about a year and a half ago | (#43312289)

"we are trying to hide our current source code because you might fix the bug in it"

s/fix/find/

Re:Say what? Streisand effect on security perhaps? (1)

HiThere (15173) | about a year and a half ago | (#43314291)

I don't think there's anything wrong with posting this to Slashdot. Everybody already knows that any complex software will have bugs in it. This doesn't give any clue as to what the bug is. And anybody serious about doing a malicious penetration will already have read the announcement.

Further, this gives people warning to not start any new installs of PostGreSQL right now, because you'll just need to re-install it in a week or so.

The "religious war" thing that's going on under this story is just loud-mouthed shallow thinkers, who aren't dangerous anyway. (Because they're shallow thinkers.)

Now if the actual bug were highlighted, I'd agree with you, but I'd also blame the project for highlighting it. As it is, it looks to me as if they took a reasonable path. It's true an optimal path might have been to work off a fork of the code, and not let anyone know until the fix had been applied and tested, but there's also much to be said for warning people as soon as possible, so that they could avoid making databases currently private, accessible. Or so that they could close down access to anything really sensitive, and make sure they have good backups NOW.

Re:Say what? Streisand effect on security perhaps? (1)

Rich0 (548339) | about a year and a half ago | (#43313583)

It sounds like a really good use case for distributed version control. When this sort of thing happens, developers should be able to temporarily fork the repo and work on security issues in private, while everyone else is still able to access the main repo.

Sure, if you have infrastructure to run a hidden repo that only your devs can access. They likely don't have this, as is the case with most FOSS projects.

Re:Say what? Streisand effect on security perhaps? (1)

Masterbrain (2880045) | about a year and a half ago | (#43317937)

We certainly have that infrastructure (postgresql.org has around 50(!) servers for various purposes and a dedicated master repository is one of them), what we are doing here is simply delinking the "real" master repository from the anonymous repository and other downstream clones like github for a while. There is a pretty good post from magnus with actual facts available as well: http://blog.hagander.net/archives/212-About-security-updates-and-repository-lockdown.html [hagander.net] in case you need more information.

Re:Say what? Streisand effect on security perhaps? (1)

Rich0 (548339) | about a year and a half ago | (#43318179)

Seems like the best way to handle it. Fixing security flaws that touch a lot of code and doing all your development in the open aren't always compatible.

Most linux distros secure security bugs for similar reasons. They don't usually have to block as much because they don't need extensive changes and integration work to deploy security patches. Well-contained software bugs also don't need as much of this since you don't need as much coordination.

I've always admired Postgres. I just wish the SQL world wasn't so fragmented and that Linux had better DB abstraction so that I wouldn't be stuck with whatever DB created the client libs linked by the application...

Re:Say what? Streisand effect on security perhaps? (1)

BitZtream (692029) | about a year and a half ago | (#43313977)

Since they use git ... I would say that would be what happened.

Linked from their downloads page is this:

http://git.postgresql.org/gitweb/?p=postgresql.git;a=summary [postgresql.org]

And it's still fully accessible.

Re:Say what? Streisand effect on security perhaps? (1)

pallmall1 (882819) | about a year and a half ago | (#43315137)

Since they use git ... I would say that would be what happened.

That's interesting, because the git.postgresql.org page you linked shows recent work described as "Fix page title for JSON Functions and Operators." Couple that with the fact that the Slashdot summary has a link to a Parity News page that contains a link to the Postgresql announcement, and the Parity News link is loaded with javascript in the url.

I wonder if Parity News is trying to demonstrate the Postgresql flaw?

Re:Say what? Streisand effect on security perhaps? (1)

Anonymous Coward | about a year and a half ago | (#43312101)

How is this worse than announcing the vulnerability publicly? If they had done that, no one would even need to hunt for the vulnerability. They would just have to read the announcement.

Re:Say what? Streisand effect on security perhaps? (0)

Anonymous Coward | about a year and a half ago | (#43312157)

Since the fixes have not been committed, this will not avail you. The whole point of locking down the repo is precisely so that mirrors don't get the fixes until the new releases are made. Or maybe you think the Postgres developers are idiots.

Re:Say what? Streisand effect on security perhaps? (4, Insightful)

Bostik (92589) | about a year and a half ago | (#43313135)

Let me get this straight, so I know we're on the same page.

There is a major vulnerability in basically ALL Postgres installations in the world. That means it has not been introduced by any recent commits. The patch(es) are not yet public, and the repositories have been made non-public while the fix is in the works.

The fix is likely delayed somewhat by the occurrence of Easter holidays. Lots of people have taken extended weekends - probably a good number of Postgres devs included. There is probably no sane way to deploy the fixed versions until after the holidays. Not everyone can afford 24/7 admins.

And you want to complain about the developers being irresponsible when dealing with this?

(For the record: I'm pretty much a full-disclosure guy, but a slightly delayed disclosure with NO IN-THE-WILD EXPLOITS for a vulnerability that is discovered just ahead of a major holiday weekend... I can live with that.)

Re:Say what? Streisand effect on security perhaps? (1)

petsounds (593538) | about a year and a half ago | (#43316681)

The git source is still available (http://git.postgresql.org/gitweb/?p=postgresql.git;a=summary [postgresql.org] ); it is only the patches for the bug-in-question that are closed off. This seems entirely reasonable given the severity of this vulnerability.

Re:Say what? Streisand effect on security perhaps? (1)

peawormsworth (1575267) | about a year and a half ago | (#43320387)

This seems like a really dumb move. What the team has done now is to raise the exposure level of this vulnerability by a HUGE margin. Now all any script kiddie needs to do is find a mirror of the code from 24 hours ago or any other recent period, which is likely quite trivial to do with an open source project as large as postgresql, and hunt for the vulnerability. They know it will be pretty bad since they did this action!

Raising exposure helps companies prepare for a database change. I know if we were using Postgres, we would be scheduling time for the upgrades and preparing for potential down time if needed. We would be going through all our database code to identify exactly what needs to be checked after the upgraded software and documenting as much as possible. Because if this is major, the changes could affect the way our code integrates with the database. For example, if it's an authentication breach, then much of our own code would need to be changed to accommodate it.

In any case, I don't think companies are concerned about what "script kiddies" are going to do about it, and instead are happy to be alerted to security fixes of an urgent nature.

Funny (-1)

Anonymous Coward | about a year and a half ago | (#43312133)

This comes right on the heels of a bazillion posts yesterday saying I should switch from MySQL to this train wreck?

Re:Funny (1)

fredrated (639554) | about a year and a half ago | (#43312237)

The only train wreck is your mind.

Re:Funny (0)

Anonymous Coward | about a year and a half ago | (#43312343)

Was this meant to be funny? Do yourself a favor and take a look at the history of flaws in PostgreSQL.

Dear Oracle Propagandist (0)

Anonymous Coward | about a year and a half ago | (#43313873)

I am absolutely sure Oracle products including MySQL are much more insecure than almost anything else. There was a time you could crash Oracle 8 remotely without even bothering to write assembly language code, use a compiler or the like. telnet and some random typing was enough. MS had a similar shoddy state of database security on SQL server. Just recently a colleague of mine accidentally discovered a way of crashing the MySQL server by means of a range overflow when some sort of trigger was defined on that column.
But thanks for emitting your excrement - it just proves the nasty American tycoonism is alive and kicking.

Re:Dear Oracle Propagandist (1)

HiThere (15173) | about a year and a half ago | (#43314335)

You are making a perhaps invalid presumption as to his reasoning. It could well be that he's just used to MySQL and doesn't want to think of changing. He could have a lot of code that's dependent on incompatible features, and doesn't want to believe that this was a bad choice. Money isn't the reason for everything.

That said, I'm not really convinced that PostGreSQL is superior in all use cases to the MySQL family of databases. I do tend to think that it's generally superior, but I'm not expert in either.

Wrong move (1)

Todd Knarr (15451) | about a year and a half ago | (#43312159)

My thought is that their reaction is exactly the wrong move. All it does is announce to the bad guys that there's a vulnerability they can exploit (which they probably know about already) and that none of their targets will know what it is or how to spot an attempt to exploit it, while at the same time ensuring that the admins responsible for PgSQL servers can't find out what they need to protect against. If the vulnerability is that critical and severe that it can't be discussed, then as an admin it's critical and severe enough that I need to do something to mitigate it RIGHT FRAKKIN' NOW! I can't wait until Monday, I need to do something today to keep my PgSQL servers from being exploited. But as it stands the only thing I can do is shut them down completely and migrate fast to some other database. I can't wait, if I could the PgSQL team wouldn't be this panicked about the problem.

Re:Wrong move (5, Insightful)

h4rr4r (612664) | about a year and a half ago | (#43312267)

They sent out a warning to everyone on the mailing list. I know, I got it.

You should not have your PgSQL servers exposed to the world, nor any db server. You should apply the fix when it comes out. The reality as an admin is that I know odds are damn near everything we use has as yet undiscovered vulnerabilities.

Migrating anything major to another DB is pretty much a nonstarter. Nor will another DB give you even this much visibility. Oracle would never admit something like this with mysql.

Re:Wrong move (0)

Anonymous Coward | about a year and a half ago | (#43313455)

Yeah, I'm not sure what security bug in a database server would actually be a problem as database servers are usually firewalled and only fed sanitized inputs... then again, that's just best practices, and I know better to expect everyone to follow them. I guess an attack could still be used in a shared hosting situation (do those actually exist anymore? I feel like virtualization has pretty well replaced it.) or as a second level of an attack (i.e. exploit a web application such that the attacker can do anything with the rights of the web application which includes arbitrary communication with the db server which could then be compromised allowing for greater access to the db).

Re:Wrong move (1)

muridae (966931) | about a year and a half ago | (#43313769)

A way to bypass sanitization, perhaps? Something that looks like a clean, sanitary input but in fact does something malicious?

Re:Wrong move (1)

bill_mcgonigle (4333) | about a year and a half ago | (#43316443)

I think you might be right. There's not much that should rise to this level of alarm, but this would.

I told a client earlier today, "let's assume it's a post-sanitation vulnerability and make a plan to handle that. We can scale back the plans if it turns out to be less severe."

Re:Wrong move (1)

alcourt (198386) | about a year and a half ago | (#43315627)

What a strange universe you live in. Sounds nice.

Databases firewalled? No bad guys on your network? No direct DB connectivity?

Re:Wrong move (2)

characterZer0 (138196) | about a year and a half ago | (#43312273)

Migrate to what? Postgres admitted that there is a problem. It is not known to be exploited in the wild. Do you really think Oracle, DB2, SQL Server, and MySQL have no critical security bugs in them? Or even bugs already known to the vendor in the case of the closed source ones?

Your system is no worse today than it was yesterday. You know PostgreSQL has at least 1 bug. So unless you think another system has no bugs, do not switch.

Re:Wrong move (1)

WuphonsReach (684551) | about a year and a half ago | (#43312339)

As others have said, no database ports should ever be exposed to the world at large. You should have a firewall in place that only allows traffic to/from an extremely limited IP address range. Which mitigates a whole lot of issues, even if the database software is vulnerable.

Sure, I'll need to update my pgsql instances, but because they're firewalled off from the outside world, I don't have to lose sleep over it until the fix comes out.

Re:Wrong move (2)

Todd Knarr (15451) | about a year and a half ago | (#43312509)

Are you positive that all the application servers you permit through the firewall are uncompromised? And that they'll remain uncompromised? Are there errors in the firewall that are allowing traffic through you don't expect? Are your servers in a data center where a mistake in the internal network could allow traffic to get to your machine from other (compromised) customers bypassing the firewall?

And does this vulnerability even require direct access to the database server, or is it one that can be triggered by data? If so, what do I need to filter in my applications to remove the kinds of bad data that could trigger the vulnerability? If normal firewalls and SQL-injection filtering would blunt the attack, I'd expect the PgSQL team to be less worried about revealing the problem because it wouldn't be very exploitable. So given their panic I have to assume that a normal installation with access to the database strictly limited by firewalls is still highly vulnerable to attacks against this bug. I'm remembering exotic bugs like ones involving non-standard UTF-8 sequences that could completely bypass SQL-injection filtering or trigger bugs in low-level libraries via ordinary data, vulnerabilities that required no special access to exploit and would work straight through the tightest of firewalls, but could be stopped dead by appropriate filtering if you knew what the problem was that you had to check against (eg. UTF-8 sequences that weren't the shortest valid sequence for that character).

Re:Wrong move (0)

bluefoxlucid (723572) | about a year and a half ago | (#43312659)

Jesus christ dude. Kepner-Tregoe Potential Problem Analysis. ORM charts. Decision Analysis (Pugh or Kepner-Tregoe; fuck Analytical Hierarchy, it sucks and requires tons of math for inaccurate results) followed with Adverse Consequence Analysis on ORM charts. Stop shitting yourself.

Re:Wrong move (1)

CBravo (35450) | about a year and a half ago | (#43313279)

Maybe you get privileges with specific data.

Re:Wrong move (1)

lgw (121541) | about a year and a half ago | (#43312405)

All it does is announce to the bad guys that there's a vulnerability they can exploit (which they probably know about already)

You contradicted yourself in the same breath there. If the bad guys already knew about this, there would be no harm in announcing it. Announcing that there's some major vulnerability in the entire code base? That does no harm because there's some major vulnerability in the entire code base of every product out there. It's knowing where the flaw is that matters! And the team is taking the smart step to hide that for a week until the fix is ready.

Once the fix is out, a diff will show everyone what the problem was, but at least the bad guys don't have a week's head start!

Re:Wrong move (1)

kestasjk (933987) | about a year and a half ago | (#43312809)

If they hadn't locked it out everyone would be complaining "Why is it taking so long to patch *it's being exploited in the wild*!"

There is just no good way to deliver news of a security hole.

Re:Wrong move (1)

greg1104 (461138) | about a year and a half ago | (#43327563)

There is no evidence of an exploit being available in the wild [hagander.net] for this issue. The PostgreSQL team has not panicked. This is a careful proactive security release for a bug that might be exploited once its source code is released. The bad guys have been given no more information than "there is an exploit possible in this code". If you believe that much information is enough for them to break into your server, and therefore you have to migrate to another system immediately, this is not a technical problem--you are having a panic attack. You can't wait until Monday, please seek medical assistance RIGHT FRAKKIN' NOW!

How would an attack happen? (3, Informative)

Geeky (90998) | about a year and a half ago | (#43312325)

I see lots of comments about needing to know the vulnerability right now, and even panic about taking servers down until it's fixed. I can't help feeling that if that's your reaction you're doing it wrong.

In any internet facing production environment, the front end web servers will be the only place that can be attacked. They should be in a DMZ and only be accessing application servers via a firewall, which in turn access the database. Access to the database would only be allowed from the application servers, and the application servers shouldn't be able to run any random SQL. All inputs should be verified before passing to the database. It's kind of hard to see how, in a well designed system, the database is at risk. Nothing uncontrolled should be reaching it.

Of course it's important to have security at every layer, but if an attack can get as far as exploiting code vulnerability in the database I'd say there's a bigger problem somewhere further up the chain.

Internal attacks are another matter, but again, access controls should be ensuring that only those who really need access to the database have access to the database. Those people will be able to do enough damage without needing exploits, so again, code vulnerability at that level should be something of a non-issue.

Re:How would an attack happen? (1)

Todd Knarr (15451) | about a year and a half ago | (#43312429)

A lot of the time the web servers need access to the database because the code on the web server will be doing database access. If the web servers are compromised, the firewalls will permit attacks from them against the database servers. And the same chain applies when there's application servers in the way, it just takes one more step. With automated toolkits that one more step will be taken by automated exploit software, so the attackers probably won't even notice the delay. There's also, as you noted, the problem of internal attacks from compromised desktops and other machines with access to the database servers.

Security depends on securing all layers of the system, so that when (not if, when) any layer fails it doesn't compromise the entire system. If you design your security on the assumption that all other layers of security are intact and working, you just guarantee your security will fail.

The sysadmin's motto: "It's not whether you're paranoid, it's whether you're paranoid enough."

Re:How would an attack happen? (1)

h4rr4r (612664) | about a year and a half ago | (#43312511)

You should of course assume there are more of these bugs in all software, all the time.

This means web servers should not be able to submit arbitrary queries to the DB, if you can avoid it. Now getting developers to play along with this is like herding cats.

Re:How would an attack happen? (1)

Geeky (90998) | about a year and a half ago | (#43312513)

I agree it needs fixing, and even said that it's important to have security at every layer, my point was really that a number of other security measures will already have failed before the database is vulnerable. And yes, in many cases the web server will be the application server, but I'd hope that's a design that's limited to less than critical systems...

In a truly paranoid environment the only internal access to the database will be via bastion hosts, not direct from individual desktops...

Re:How would an attack happen? (2)

lgw (121541) | about a year and a half ago | (#43312459)

any internet facing production environment, the front end web servers will be the only place that can be attacked.

Bobby Tables would disagree - SQL injection attacks are the biggest server-side security problem these days.

One kind of major vulnerability in a DB would be some sort of buffer overflow in parsing the data stored, such that you can take over the DB server by storing carefully crafted data - the worst kind of SQL injection attack.

Re:How would an attack happen? (1)

Geeky (90998) | about a year and a half ago | (#43312539)

Probably true, but it's sad that in 2013 we're still talking about Bobby Tables! It's still an application code issue rather than strictly a database issue.

Re:How would an attack happen? (1)

lgw (121541) | about a year and a half ago | (#43313139)

But if the DB itself has a flaw related to the content of the stored data, then the prevalence of SQL injection means you should assume you're exposed.

For the DBs I've worked with, using stored procedures basically eliminates the threat of SQL injection (the distinction between SQL code and payload is explicit that way) - I assume Postgres is the same way, and there's really no excuse for being vulnerable to that.

Table-valued parameters (1)

tepples (727027) | about a year and a half ago | (#43313229)

For the DBs I've worked with, using stored procedures basically eliminates the threat of SQL injection

Do these databases allow passing a list of values to a parameterized statement or stored procedure? For example, some features in some of the web applications I've developed require defining a procedure that takes an array and passes it to something like SELECT last_login_time FROM users WHERE username IN ?. The trouble is that a lot of database interfaces don't allow table-valued parameters, and I can't guess how many question mark placeholders I'll need in advance, so I have to make one well-tested function that does the escaping and make sure to always use it.

Re:Table-valued parameters (1)

rtaylor (70602) | about a year and a half ago | (#43317559)

Both Oracle and PostgreSQL will let you pass in an array as a function argument.

Incidentally, PostgreSQL normally changes IN into =ANY(ARRAY[]) for performance, so you're not losing anything that way.

Re:Table-valued parameters (0)

Anonymous Coward | about a year and a half ago | (#43324675)

The trouble is that a lot of database interfaces don't allow table-valued parameters, and I can't guess how many question mark placeholders I'll need in advance, so I have to make one well-tested function that does the escaping and make sure to always use it.

No, you just dynamically build a statement that has the correct number of placeholders (using no user-supplied data except to determine that number, and none in the statement itself) and then execute it.

Variable number of placeholders (1)

tepples (727027) | about a year and a half ago | (#43325201)

No, you just dynamically build a statement that has the correct number of placeholders (using no user-supplied data except to determine that number, and none in the statement itself) and then execute it.

Making sure that the placeholders remain in the same order as the values that will be substituted into the placeholders is almost as troublesome as substituting literal values. For example, a statement involving WHERE foo = ? AND bar IN ? will misbehave, possibly almost as catastrophically as in an injection, if another part of the code is modified to add the value for foo to the list after the values for bar have been added and the part that creates the query containing placeholders is not updated in perfect sync. And is it really substantially easier to make a function that produces a variable list of placeholders than it is to make a function that produces a variable list of correctly escaped values?

Furthermore, some database access layers make it difficult to pass a variable number of arguments to a query. One of these is MySQLi for PHP, which requires obscure gyrations involving call_user_func_array and references, whose exact details have been seen to change from PHP version to PHP version even within the PHP 5.x series. If your answer for this is "then ditch MySQLi", watch the number of concurrent connections between the application layer and database layer per concurrent user double as the application layer has to keep two connections open: one for those queries that have been ported from MySQLi to something else and one for those that have not. Doubling the connections per user halves the number of concurrent users needed to trigger "Failed to open a database connection: too many connections" errors.

Re:Variable number of placeholders (0)

Anonymous Coward | about a year and a half ago | (#43326241)

Making sure that the placeholders remain in the same order as the values that will be substituted into the placeholders is almost as troublesome as substituting literal values.

It really isn't.

Re:Variable number of placeholders (1)

tepples (727027) | about a year and a half ago | (#43326385)

It really isn't.

Disagreeing without telling me why you disagree tells me nothing. Please elaborate.

If WHERE foo = ? AND bar IN (?,?,?,?,?,?,?,?,?,?) ends up changed to WHERE bar IN (?,?,?,?,?,?,?,?,?,?) AND foo = ?, how do I prevent this change from causing disastrous results if the order in which the placeholders appear in the statement does not match the order in which values are added to the array, if one of the valid values for column foo is also a valid value for column bar? In the case of a single well-tested function that correctly escapes lists, it would be easy: WHERE foo = ? AND bar IN $properly_escaped_list becomes WHERE bar IN $properly_escaped_list AND foo = ?. And where may I find an example of correct use of call_user_func_array() with the bind_param() method of MySQLi prepared statements?

Besides, the output of the function that generates the list of placeholders produces "Filter error: Please use fewer 'junk' characters." when pasted into Slashdot. I had to preview several times to get that filter error to go away, and I ended up having to severely cut down the number of placeholders in the example.

Re:How would an attack happen? (1)

Shados (741919) | about a year and a half ago | (#43314605)

stored procedures are just a means to an end. What solves the problem is avoiding mixing queries with their parameters. When code invokes a stored procedure, it is forced into the parameterized query pipeline, and that solves that (unless of course, you concatenate within the SP :)

There's a lot of ways to invoke the parameterized query pipeline... so even without stored procedures, you really shouldn't be doing that crap anymore. And yes, all relevant and even not so relevant RDBMSs have client APIs that support this, and while it wasn't always the case, for the last 10+ years all mainstream languages do so too.

It totally baffles me that we even talk about SQL injection anymore.

Re:How would an attack happen? (0)

Anonymous Coward | about a year and a half ago | (#43312469)

All inputs should be verified before passing to the database.

This looks obvious but it's easier said than done. Every flaw that can be and has ever been exploited resulting in compromise of a machine is a result of failing to properly sanitize input. Verifying input is a hard problem that is nearly if not outright impossible to get right. Even the most well designed systems fall victim because of some obscure corner case that was overlooked somewhere.

Re:How would an attack happen? (1)

Geeky (90998) | about a year and a half ago | (#43312633)

I know it's not always easy, but most data input into web forms is quite straightforward. The application should not be checking whether the data is invalid - it should be checking that it's valid. That's a subtle distinction, and I'm probably going to fail to explain it! The critical thing is to allow only that data that is valid for the question being asked. Most of the time restricting the input to a certain length and only allowing specific characters should be enough, and wherever possible limit input to predefined selections (dropdowns, checkboxes). Apart from avoiding vulnerabilities, validation is critical to ensuring the data is useful and minimises the need for data cleansing later on.

Where extended free format data is required, it should still be as simple as controlling the length of the data, the character set in use and making sure it's correctly quoted.

Re:How would an attack happen? (2)

Straker Skunk (16970) | about a year and a half ago | (#43313169)

I know it's not always easy, but most data input into web forms is quite straightforward. The application should not be checking whether the data is invalid - it should be checking that it's valid. That's a subtle distinction, and I'm probably going to fail to explain it!

You'd probably have an easier time explaining it as whitelisting versus blacklisting. A developer can't hope to ever enumerate all the bad things an app should reject, so s/he should instead enumerate the much smaller set of things it should accept. Same deal if you're using a regex or whatnot to sanitize input instead of matching against a list.
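An added example (not code from either poster) of the whitelist approach described above: each field rule states only what is accepted, using a predefined selection, a length bound, and an anchored character pattern, and everything else is rejected. The field names and rules are constructed.

```python
import re

# Constructed field rules (added example): each rule says what is accepted, never what is rejected.
RULES = {
    # predefined selection, like a dropdown: exact membership in a fixed set
    "country": {"choices": {"US", "GB", "DE"}},
    # short free text: length bound plus a character-class pattern
    "username": {"max_len": 32, "pattern": r"[A-Za-z0-9_]+"},
    # numeric id: digits only, no sign, no leading zero
    "item_id": {"max_len": 10, "pattern": r"[1-9][0-9]*"},
}

def validate(field, value):
    """Return the accepted value or raise ValueError. Anything not explicitly allowed is rejected."""
    rule = RULES[field]                      # unknown field name: KeyError, not silently accepted
    if not isinstance(value, str):
        raise ValueError("%s: expected a string" % field)
    if "choices" in rule:
        if value not in rule["choices"]:
            raise ValueError("%s: not one of the allowed choices" % field)
        return value
    if len(value) > rule["max_len"]:
        raise ValueError("%s: too long" % field)
    # fullmatch, not match/search: re.match(r"[a-z]+$", "abc\n") succeeds because $ allows a
    # trailing newline, and match() without $ accepts "abc; DROP" by matching only the prefix.
    if re.fullmatch(rule["pattern"], value) is None:
        raise ValueError("%s: contains characters outside the allowed set" % field)
    return value

def is_valid(field, value):
    """Boolean wrapper around validate() for callers that only need accept/reject."""
    try:
        validate(field, value)
        return True
    except ValueError:
        return False
```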

Re:How would an attack happen? (1)

Geeky (90998) | about a year and a half ago | (#43313373)

Whitelisting - thank you, describes what I meant perfectly.

Re:How would an attack happen? (0)

Anonymous Coward | about a year and a half ago | (#43315247)

s/he should instead enumerate the much smaller set of things it should accept.

http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ [kalzumeus.com]

Good luck with your plan on whitelisting everything possible. I bet I can find the one about things you think wrong about dates & times, phone numbers, addresses, etc.

The real answer is to accept everything and deal with it on the output side, if it even has to be dealt with at all.

Re:How would an attack happen? (1)

russotto (537200) | about a year and a half ago | (#43315785)

This is all wrong. I mean, you might want to validate anyway. But the best way to prevent injection is to only supply user inputs to methods that won't execute code contained in them.

Re:How would an attack happen? (1)

bluefoxlucid (723572) | about a year and a half ago | (#43312689)

I see lots of comments about needing to know the vulnerability right now, and even panic about taking servers down until it's fixed. I can't help feeling that if that's your reaction you're doing it wrong.

That a reaction exists right now is [decision-m...idence.com] wrong [decision-m...idence.com] to begin with [decision-m...idence.com] . They need a book [amazon.com] and some training [kepner-tregoe.com] .

NOT True (0)

Anonymous Coward | about a year and a half ago | (#43314129)

Imagine you can do an SQL injection attack and inside the injection you have a nasty piece of binary code, which will subvert the database server and give the attacker access to ANYTHING on that database server, including entirely different schemas which happen to be located on the same server by coincidence.

I bet 10 dollars and 10 D-marks (to hell with euro) it is an artifact of C or C++, as most security issues are.

Here's a fix: http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/SAPPEUR.pdf

Blog post from one of the core team members (2)

adnonsense (826530) | about a year and a half ago | (#43316885)

Do please check out this informative post from Magnus Hagander, one of the PostgreSQL core team members, which clarifies most of the points raised here:

About security updates and repository "lockdown"

I have received a lot of questions since the announcement [postgresql.org] that we are temporarily shutting down the anonymous git mirror and commit messages. And we're also seeing quite a lot of media coverage.

Let me start by clarifying exactly what we're doing:

  • We are shutting down the mirror from our upstream git to our anonymous mirror
  • This also, indirectly, shuts down the mirror to github
  • We're temporarily placing a hold on all commit messages

There has been some speculation that we are going to shut down all list traffic for a few days - that is completely wrong. All other channels in the project will operate just as usual. This of course also includes all developers working on separate git repositories (such as a personal fork on github).

We are also not shutting down the repositories themselves. They will remain open, with the same content as today (including patches applied between now and Monday), they will just be frozen in time for a few days.

...continues... [hagander.net]
