Apache bug leaks contents of server memory for all to see—Patch now


There’s a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.

The vulnerability can be triggered by querying a server with what’s known as an OPTIONS request. Like the better-known GET and POST requests, OPTIONS is a type of HTTP method that allows users to determine which HTTP requests are supported by the server. Normally, a server will respond with GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, responses from Apache Web Server include the data stored in computer memory. Patches are available here and here.

The best-known vulnerability to leak potentially serious server memory was the Heartbleed bug located in the widely used OpenSSL cryptography library. Within hours of Heartbleed’s disclosure in April 2014, attackers were exploiting it to obtain passwords belonging to users of Yahoo, Ars, and other sites. Heartbleed could also be exploited to bleed websites’ private encryption keys and to hack networks with multifactor authentication.


Source: Ars Technica

Setback for group seeking “hockey stick” climate scientists’ e-mails


Those prone to rejecting the conclusions of climate science sometimes fixate on weird things. For years, there has been a concerted effort to prove that a specific paleoclimate record—often referred to as “the hockey stick” because of the sharp rise at the end—was somehow fraudulent. It doesn’t seem to matter that many other researchers have replicated and advanced those findings. These people seem to feel that all of climate science would come crashing down if you could just dig up a golden e-mail that reveals a dastardly scheme.

The original record was partly the work of Michael E. Mann, now at Penn State, and he has been hounded ever since. There have been a number of attempts to get universities to turn over his e-mails over the years. But last year, an effort targeting one of Mann’s colleagues in Arizona seemed to have finally found success.

A group called the Energy and Environment (E&E) Legal Institute had turned from Mann and instead focused on Malcolm Hughes and James Overpeck at the University of Arizona. E&E Legal filed a broad Freedom of Information Act request in 2011, trying to obtain 10 years’ worth of their e-mails with fellow researchers. When the university rejected the request based on legal protections for the data and communications of researchers, E&E Legal sued in 2013. Two years later, the court decided in favor of the University of Arizona.


Source: Ars Technica

The Morning After: Wednesday, September 20th 2017

Hey, good morning!

Welcome to your Wednesday. We've got our full verdict on Apple's iPhone 8. You'll have to wait to see how the iPhone X fares, but now Google is the latest company angling for our new smartphone-buying dollars. And, oops, the phone…
Source: Engadget

Popular Steam Extension 'Inventory Helper' Spies On Users, Says Report

SmartAboutThings shares a report from Windows Report: If you installed the “Steam Inventory Helper” on your computer, you may want to uninstall it as soon as possible. Recent reports suggest that this extension used to buy and sell digital goods on Steam is spying on its users. Redditor Wartab made a thorough analysis of the tool and reached the following conclusions: The spyware code tracks your every move starting from the moment you visit a website until you leave. It also tracks where you are coming from on the site; Steam Inventory Helper tracks your clicks, including when you are moving your mouse and when you are having focus in an input; When you click a link, it sends the link URL to a background script; Fortunately, the code does not monitor what you type. Apparently, the purpose of this spyware is to collect data about gamers for promotional purposes.


Source: SlashDot

Just think of it as interactive debugging

It’s the early 1970s, and students in this university engineering course write their Fortran programs on paper, have them punched onto cards and then hand the decks in to be run, says a pilot fish who was there.

“I was working on a difficult assignment: calculating the area under a curve using Simpson’s Rule,” fish says. “By putting print statements throughout the code, the student could easily debug the program.

“The problem was that we were charged for however much CPU and printer time was used. Those debugging statements cost printer time and paper, and if too many debugging lines printed, it really added up.”


Source: Computer World