U.S. Attorney General Eric Holder makes a statement about the grand jury decision not to seek an indictment in the Staten Island death of Eric Garner during an arrest in July, in Washington December 3, 2014. [Reuters]
Results of a federal review of policing in Cleveland, Ohio were released today, and they underscore what many residents of that city undoubtedly know first-hand: the use of unreasonable force by police officers there is part of a pattern of behavior that is in some cases endorsed by supervisors.
Two juvenile pandas joined forces to try and stop a breeder from feeding them medicine instead of the yummy bamboo they wanted, at a zoo in Chengdu, in Southwest China. The keeper in this video is using a syringe to inject liquid meds into the cubs' mouths. They resist by rolling around and climbing on top of him adorably. [BBC Video]
Mark Khaisman creates remarkable images using common packing tape and light boards. Since his early portraits with basic white and brown tapes found in any office, he has expanded to other colors and themes, below.
Watch this Ankeny, Iowa police officer try to trick a young man into incriminating himself. The police chief has since apologized for the officer's actions. (13 WHOtv.com)
The former conservative GOP senator from Idaho illegally used his campaign funds to defend himself on charges of soliciting sex in a men's toilet in the Minneapolis airport.
UPDATE, 9/25: The Bash vulnerability, now dubbed by some as "Shellshock," has reportedly been found in use by an active exploit against Web servers. Additionally, the initial patch for the vulnerability was incomplete and still allows attacks to succeed, according to a new CERT alert. See Ars' latest report for further details; our initial report is below.
A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.
The bug, discovered by Stéphane Chazelas, is related to how Bash processes environment variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
Because of its wide distribution, the vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous. The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:
Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
A test on Mac OS X 10.9.4 ("Mavericks") by Ars showed that it also has a vulnerable version of Bash. Apple has not yet patched Bash, though it just issued an update to "command line tools."
While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server. And a malicious DHCP server set up on a network or running as part of an “evil” wireless access point could execute code on some Linux systems using the Dynamic Host Configuration Protocol client (dhclient) when they connect.
Other services that run on Linux and Unix systems, such as the CUPS printing system, depend on Bash in a similar way and could likewise be vulnerable.
There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable
this is a test
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.
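The CGI vector described above works because mod_cgi exports request headers and the query string as environment variables, which a vulnerable Bash then parses as function definitions. As an added example (not from the Ars report or any project), here is a small defender-side scanner that parses an HTTP request head and flags any exported field carrying the "() {" marker, including percent-encoded variants; the sample requests are constructed and reuse the harmless echo string from the test command above.

```python
import re
from urllib.parse import unquote

# Bash imports an exported variable as a function when its value starts with
# the marker "() {". Apache's mod_cgi exports request headers (HTTP_USER_AGENT,
# HTTP_REFERER, HTTP_COOKIE, ...) and QUERY_STRING as environment variables, so
# a defender looks for that marker in every field a CGI handler would export.
# Whitespace between the characters is optional; percent-decoding catches
# encoded variants in the query string.
MARKER_RE = re.compile(r"\(\s*\)\s*\{")


def normalize(value: str) -> str:
    """Percent-decode up to twice so single- or double-encoded markers are seen."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request_head(raw: str) -> dict:
    """Split an HTTP/1.x request head into {'query': ..., '<Header>': ...}."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    fields = {"query": target.partition("?")[2]}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split only at the first colon
        if name:
            fields[name.strip()] = value.strip()
    return fields


def scan_request(raw: str) -> list:
    """Return the names of fields that carry the Bash function-definition marker."""
    fields = parse_request_head(raw)
    return [name for name, value in fields.items() if MARKER_RE.search(normalize(value))]


# Constructed sample requests (not real traffic); the marker payload reuses the
# harmless echo string from the test command in the article.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nCookie: theme=(dark); lang=en\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: () { :;}; echo vulnerable\r\n\r\n",
    "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20vulnerable HTTP/1.1\r\n"
    "Host: www.example.com\r\nReferer: http://www.example.com/\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(scan_request(raw) or "clean")
```

The same check can be run over a web server's access or request log, but note that it only catches the marker, not whether the server's Bash is actually vulnerable; the test command above answers that.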
It's been less than a day since the company published its new, excellent privacy policy -- but Gigaom has noticed that the latest Apple transparency report, covering Jan 1-Jun 30 2014, has eliminated the line that says that the company has received no secret Patriot Act "section 215" requests, which come with gag orders prohibiting companies from discussing them.
According to the Washington Post, Texas Instruments owns 93 percent of the US market for graphic calculators thanks to its ubiquitous TI-84 model, a ridiculously high profit margin product that hasn't been updated much for a decade.
The “Bitcoin For Kids Trilogy” is a book series which claims to teach children how to run a business using Bitcoin. Considering that many of the top Bitcoin advocates have had their Bitcoins stolen through software attacks, this doesn’t seem like a particularly good idea. Coupled with the fact that the primary uses for Bitcoin continue to be gambling, illegal pornography, guns, and drugs, it seems like probably the worst thing you could encourage your child to do on the computer. But, hey, if you think your nine-year-old should be communicating with Russian gun-runners on the deep web, go for it.
Researchers from UCSD, the U Michigan, and Johns Hopkins will present their work on the Rapiscan Secure 1000 at Usenix Security tomorrow; the Secure 1000 isn't used in airports anymore, but it's still in courts, jails, and government security checkpoints (researchers can't yet get their hands on the millimeter machines used at airports).
"The National Security Agency is secretly providing data to nearly two dozen U.S. government agencies with a 'Google-like' search engine built to share more than 850 billion records about phone calls, emails, cellphone locations, and internet chats, according to classified documents obtained by The Intercept." Ryan Gallagher has more.
I went to this thing today. The duck was very large.
Over a dozen tall ships and a 6-story-high Rubber Duck sailed into the Los Angeles harbor Wednesday, kicking off the Tall Ships Festival LA.
my partner tried to call me a sweetheart the other day but he misspelled it and I read it as “sweetbeard” and then I decided that this is what dwarf couples call each other
Reader Claire sent us this awesome photo of “24th Century Casualwear” that is basically 100% perfect. As she explains it: “I met all the basic requirements: asymmetrical hemlines; color blocking; secondary colors; inappropriate fabrics (the top is made of wool felt); and weird straps that don’t serve an obvious purpose.” This color story of dried-blood brown, deep mustard, and Eddie Bauer 1997 Hunter Green is absolutely something we’d see on one of the Enterprise’s non-uniformed denizens.
I also LOVE the little “purse” she made to go with it! Claire says: “I designed the labels on my computer and had them printed on bumper sticker stock; the black lines are Chartpak tape, which is what they used to do all those lines on props and sets on the show.”
A+ COSPLAY, CLAIRE. You are ready for a casual coffee date at Ten Forward.
I love the idea of making casual wear based on the cues of Starfleet uniforms. Super rad!