Message from discussion Who is this guy...?
Newsgroups: comp.text.tex
From: JohnF <j...@please.see.sig.for.email.com>
Date: Tue, 26 May 2009 16:44:30 +0000 (UTC)
Local: Tues, May 26 2009 12:44 pm
Subject: Re: Who is this guy...?

Robin Fairbairns <r...@cl.cam.ac.uk> wrote:
> JohnF <j...@please.see.sig.for.email.com> writes:
>> Thanks, Robin.  I agree that can be a useful community service,
>> and maybe I overreacted a little.  But I get emails from people
>> with requests or pointing out errors all the time, none of whom
>> have felt the need to use words like "embargo" until now.

> cert teams embargo details of problems that have been reported to
> them so that the supplier of the software has time to put it right.

> why do you think m$ releases can be so precisely scheduled? -- because
> the cert people have embargoed their information.  once the patches
> have propagated, cert will release the information.

Oops, looks like I misinterpreted their meaning.  But it wasn't
too far-fetched a misinterpretation given their choice of vocabulary
and grammar (especially on the internet, routinely peppered with more
gratuitous obnoxiousness than one might hope for).

>> As for mathtex.c, I've fixed the explicit vulnerability that was
>> pointed out.  But anyone using it should realize it's essentially
>> a script written in C that just runs latex and friends.  So it's
>> going to remain as exploitable as all the similar script cgi's
>> that are out there.  I'm not sure there's much I can do about that.

>> So far (knock on wood), however, I haven't received any emails
>> from people who think their systems have been hacked into
>> through either mimetex or mathtex.  Though more people use these
>> programs than I'd have originally guessed, it's still a vanishingly
>> small user base in web terms.  And I'd guess that seriously
>> dangerous hackers/crackers might focus their efforts on juicier
>> targets.

> any website that's capable of doing anything other than just serving
> pages is a worthy target of attack by the slime who do these things.
> (and sometimes they even have an agenda related to nothing more than
> the pages that are served.)

Okay, well, I've put current corrected copies of mimetex.zip and
mathtex.zip on ftp.tex.ac.uk/incoming, along with the requisite
emails to ctan.dante.de.  Sorry for the extra work.  (P.S. You're
welcome for the upload.:)  And, to the extent that security remains
an ongoing issue, perhaps users of either program should be advised
that, while I am an experienced C programmer, I'm no security expert.
     And that leads to the open question of how much of one's time
should be spent trying to do good things, versus trying to stop
other people from doing bad things.  (I'm not liking today's answer
to that question, which perhaps partly explains my initial bad
reaction to ocert's email.)
--
John Forkosh  ( mailto:  j...@f.com  where j=john and f=forkosh )

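Added example, not mathtex's code and not the specific fix John mentions above (the thread does not say what was reported): a CGI that is "essentially a script written in C that just runs latex" carries two separable risks. If the web input is spliced into a shell command line, the visitor runs commands as the web server; and even with no shell involved, TeX itself can read files (\input) and, when shell escape is on, run commands (\write18). The allowlist, function names, and sample expressions below are assumptions for illustration.

```c
/* Added illustration, not mathtex.c.  Shows the exploitable pattern (input
 * interpolated into a shell command) next to one hardened path: allowlist the
 * expression, write it as data, exec latex directly with shell escape off.
 * Names, the allowlist and the sample inputs are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_EXPR 512

/* The exploitable pattern: the expression lands in a /bin/sh command line.
 * Single quotes do not save it; a quote in the expression closes the string
 * and what follows executes.  Shown only to illustrate; never system() it. */
const char *unsafe_command_line(const char *expr) {
    static char cmd[1024];
    snprintf(cmd, sizeof cmd, "echo '$%s$' > job.tex && latex job.tex", expr);
    return cmd;
}

/* Hypothetical allowlist: what a formula renderer needs and nothing else. */
static const char *const allowed_cs[] = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "partial", "cdot",
    "times", "left", "right", "alpha", "beta", "gamma", "theta", "pi",
    "sigma", "le", "ge", "ne", "to", "mathrm", "mathbf", NULL };

static int cs_allowed(const char *name, size_t len) {
    for (size_t i = 0; allowed_cs[i]; i++)
        if (strlen(allowed_cs[i]) == len && memcmp(allowed_cs[i], name, len) == 0)
            return 1;
    return 0;
}

/* 1 if expr is ASCII alphanumerics, fixed math punctuation, allowlisted
 * control words or the control symbols \{ \} \, \; -- so no %, $, #, &, ~,
 * quotes, \input, \write18 or \def ever reach TeX. */
int expr_is_safe(const char *expr) {
    static const char ok_punct[] = " +-*/=^_{}()[]|.,:;<>!";
    size_t len = strlen(expr);
    if (len == 0 || len > MAX_EXPR) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)expr[i];
        if (c == '\\') {
            size_t j = i + 1;
            while (j < len && isalpha((unsigned char)expr[j])) j++;
            if (j == i + 1) {               /* control symbol, e.g. \, */
                if (j < len && strchr("{},;", expr[j])) { i = j; continue; }
                return 0;
            }
            if (!cs_allowed(expr + i + 1, j - i - 1)) return 0;
            i = j - 1;
        } else if (!isalnum(c) && !(c < 0x80 && strchr(ok_punct, c))) {
            return 0;
        }
    }
    return 1;
}

/* The job file is built with snprintf: the expression is data, not command. */
int format_job(char *buf, size_t n, const char *expr) {
    int len = snprintf(buf, n,
        "\\documentclass{article}\n\\pagestyle{empty}\n\\begin{document}\n"
        "$\\displaystyle %s$\n\\end{document}\n", expr);
    return (len >= 0 && (size_t)len < n) ? len : -1;   /* -1 if truncated */
}

/* argv for latex with shell escape off; passed to execvp, so no /bin/sh. */
char **latex_argv(const char *texfile) {
    static char *argv[6];
    argv[0] = "latex";
    argv[1] = "-interaction=batchmode";   /* never prompt on error */
    argv[2] = "-halt-on-error";
    argv[3] = "-no-shell-escape";         /* \write18 off even if texmf.cnf enables it */
    argv[4] = (char *)texfile;
    argv[5] = NULL;
    return argv;
}

/* Runs latex in a scratch dir with a wall-clock cap.  Returns its exit status,
 * 127 if latex is not installed, -1 on fork/wait failure. */
int run_latex(const char *workdir, const char *texfile) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (chdir(workdir) != 0) _exit(126);
        alarm(10);                         /* stops \loop-style CPU exhaustion */
        execvp("latex", latex_argv(texfile));
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: one legitimate, one shell-injection attempt. */
    const char *good = "\\frac{a}{b} + x^2", *bad = "x'; id; echo '";
    char job[1024];
    printf("shell would see: %s\n%s -> %s\n", unsafe_command_line(bad), bad,
           expr_is_safe(bad) ? "accepted" : "rejected");
    if (expr_is_safe(good) && format_job(job, sizeof job, good) > 0)
        fputs(job, stdout);   /* then write job.tex and call run_latex(dir, "job.tex") */
    return 0;
}
```

The allowlist is defence in depth, not the fix by itself: the property that matters is that the expression never reaches /bin/sh and that latex runs with `-no-shell-escape`, in a scratch directory, as a dedicated unprivileged user. Note that `-no-shell-escape` only covers \write18; whether TeX may \input arbitrary readable files is governed separately by `openin_any` in texmf.cnf, which is why \input is also kept off the allowlist.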