On 10/5/14, Georgi Guninski <guninski@guninski.com> wrote:
... ok, i won't argue :)
one last beating of this dead horse:

"The recommended practice of blowing away the environment before calling a shell goes back to Garfinkel & Spafford's 1991 seminal Practical Unix Security (or at least the 1996 2nd ed., Practical Unix & Internet Security). It's in there TWICE it is so basic."
- https://docstrange.livejournal.com/95142.html

also relevant,

"Dear clueless assholes: stop bashing bash and GNU... You people are pieces of shit. I am disgusted..."
- https://weev.livejournal.com/409835.html

"These bugs that happen, these mistakes in software that lead to vulnerabilities, they aren’t one-off problems. They’re systemic. There are patterns to them and patterns to how people take advantage of them. But it isn’t in any one particular company’s interest to dump a pile of their own resources into fixing even one of the problems, much less dump a pile of resources into an engineering effort to fight the pattern... They’ve got even less incentive to fix entire classes of vulnerabilities across the board. Same goes for everybody else in the game... it’s worse than a tragedy of the commons, it’s a race to the bottom."
- https://medium.com/message/how-i-explained-heartbleed-to-my-therapist-4c1dbc...
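The practice named in the first quote, clearing the environment before calling a shell, as an added example that is not part of the original message: the caller passes the shell a fixed environment through `execve` instead of letting it inherit `environ`. The function name `run_shell_clean`, the `PATH` value and the sample variable are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed, minimal environment handed to the shell (assumed values).
 * Nothing is copied from the caller's environ, so variables set by an
 * untrusted party never reach the shell's start-up parsing. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/bin:/bin",
    "LANG=C",
    NULL
};

/* Run `cmd` with /bin/sh -c under CLEAN_ENV only.
 * Returns the shell's exit status, or -1 if the child could not be
 * created or did not exit normally. */
int run_shell_clean(const char *cmd)
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve takes the environment explicitly; environ is ignored. */
        execve("/bin/sh", argv, CLEAN_ENV);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample: a variable an untrusted caller might have set. */
    setenv("HTTP_USER_AGENT", "constructed-untrusted-value", 1);
    int rc = run_shell_clean("[ -n \"${HTTP_USER_AGENT+set}\" ]");
    printf("untrusted variable visible to shell: %s\n", rc == 0 ? "yes" : "no");
    return rc == 0; /* non-zero exit if the variable leaked through */
}
```

By contrast, `system()` and `popen()` pass the caller's whole environment to the shell, which is the inheritance the quoted advice is about.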