It's weird that over the course of 7 hours no one on a site called Hacker News noticed that send_email.cpp passes unsanitized user-supplied args to system(). I've spent less than 5 minutes looking at this code, so maybe that's the worst of it. But if 5 minutes of investigation found 1980's style bugs I doubt that's the worst of it.
system() creates child processes, specified by parameters. If you don't sanitize your parameters, any child process could be created. If you run this software as root, that means root will run the command. If you run this as user, it's safer than root, but not actually safe.
1) The user isn't always the one providing user input.
2) When the user does provide input, the user isn't always smart.
3) Users do things that you never would have conceived.
Unsanitized system() calls are even worse than leaving your system wide open to a sql injection attack.
All of the above apply to bash, but it still happily creates processes from user supplied input. As previously mentioned, not all software is run on a remote-access system for strangers on the internet.
Do the arguments come from the user or the exchange? If the email is telling me my profits, and the exchange says my profits are ``cat /etc/passwd`` that could be bad.
Assuming input is from a benign source is literally the cause of every single security issue ever. It's bizarre that I've been downvoted for this. And you're commenting about how I'm wrong without even reading the code. I seriously don't understand this site.
The same user who feeds in the values for 'system' is also trusting the program with their bitcoins! This is (in my opinion) like saying "bash" is a security issue because you can give it bash scripts.
... but it ain't your financial system. Unless I've seriously misunderstood the README.
I put my cups in the dishwasher, not the autoclave. I use 2fa for my financial accounts, but not for my frisbee league. Security is about appropriate paranoia.
In no scenario is it better to allow arbitrary hidden process creation than to spend 10 minutes writing a function that validates parameters provided to launch a process.
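The two sides of the argument above, as an added example that is not code from the linked project or from any of the commenters: build_shell_command() is the fragile pattern (a value the program did not generate pasted into a shell command line), is_safe_recipient() is the ten-minute validation function the last comment asks for, and run_without_shell() launches the child straight from an argv vector with execvp(), so no shell ever parses the arguments. The function names, the "mail -s report" command shape and the sample value "$HOME; id" are all constructed for this illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

struct RunResult {
    int status;         // exit status of the child, -1 if it could not be started
    std::string output; // everything the child wrote to stdout
};

// Allowlist check for a mail recipient (hypothetical validator). Anything outside
// this character set (spaces, quotes, ';', '|', '$', backticks, ...) is rejected
// before the value gets anywhere near a process launch.
bool is_safe_recipient(const std::string& addr) {
    if (addr.empty() || addr.size() > 254) return false;
    std::size_t at = addr.find('@');
    if (at == std::string::npos || at == 0 || at == addr.size() - 1) return false;
    if (addr.find('@', at + 1) != std::string::npos) return false;
    for (unsigned char c : addr) {
        bool ok = std::isalnum(c) || c == '@' || c == '.' || c == '_' || c == '-' || c == '+';
        if (!ok) return false;
    }
    return true;
}

// The pattern the thread objects to: the recipient is concatenated into a shell
// command line. Only returned as a string here; it is never handed to system().
std::string build_shell_command(const std::string& recipient) {
    return "mail -s report " + recipient;  // hypothetical command shape
}

// Start argv[0] directly with execvp() and capture its stdout. No shell is
// involved, so metacharacters in argv reach the child verbatim.
RunResult run_without_shell(const std::vector<std::string>& argv) {
    RunResult r{-1, ""};
    if (argv.empty()) return r;
    int fds[2];
    if (pipe(fds) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return r; }
    if (pid == 0) {
        // child: route stdout into the pipe, then exec the program
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        std::vector<char*> cargv;
        for (const std::string& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec failed
    }
    close(fds[1]);
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) r.output.append(buf, static_cast<std::size_t>(n));
    close(fds[0]);
    int wstatus = 0;
    if (waitpid(pid, &wstatus, 0) == pid && WIFEXITED(wstatus)) r.status = WEXITSTATUS(wstatus);
    return r;
}

int main() {
    // Constructed sample value, standing in for a field returned by the exchange.
    std::string from_exchange = "$HOME; id";
    // 1. Validation rejects it outright.
    std::printf("safe recipient? %d\n", is_safe_recipient(from_exchange));
    // 2. Even if it does reach a process launch, without a shell it is just text:
    //    echo prints the literal characters, nothing is expanded or executed.
    RunResult r = run_without_shell({"echo", from_exchange});
    std::printf("child printed: %s", r.output.c_str());
    return 0;
}
```

The point of the second half is that argument validation and shell avoidance are independent defences: run_without_shell() makes "$HOME; id" harmless as an argument, but the recipient still needs is_safe_recipient() because the mail program itself may treat a leading "-" or an odd character as an option.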
This is rather odd. Knee cartilage damage is extremely common among athletes, so one would think that the treatment would be as well. But I've never heard of it used for professional athletes.
Speaking anecdotally, I've had 4 wrist surgeries over the past 5 years (coming up on my fifth next week). I've never once heard of the stem-cell injection treatment, despite having 3 surgeons and 9+ other consulting doctors. Did your doctor give you any papers to describe the procedures that made his knee "all better now"?
> But I've never heard of it used for professional athletes.
That's because stem cell therapy is not generally approved for use yet. It is still in the research stage. There was one company that did it for a while in Colorado, but nobody could really figure out whether they were legit or a scam, and the FDA ended up putting a halt on their stem cell injections.
For the most part savings from labor should reduce prices and in the aggregate, "all of us" do share in the benefit. Now obviously there is no guarantee of that, but competition will likely result in a good portion of savings passed to the customer (e.g. if FedEx drops prices UPS will have to do so as well).
I think there's a solid chance that Amazon will help drive down delivery prices, at least on the consumer end.
If they can use automated deliveries to lower their UPS/FedEx/USPS costs, and to help them beat Brick and Mortar prices, you can bet that they'll take full advantage of it.
Retail stores too would likely deliver some of the savings to customers because they have to compete with Amazon and other online retailers.
I think that's a very positive view of our possible near-future. What if Fedex doesn't drop its prices, and UPS doesn't either? They profit, we continue to pay. You see this today with airlines whose ticket prices stubbornly refuse to drop despite oil prices plunging. Competitors coordinating to preserve their profit is a very real thing.
Indeed, and I'm almost positive that I've seen models other than the C90s. I didn't realize that they were toting real passengers, though. I thought they were just Alpha Tests As Marketing. Given that they made this announcement the day after Google announced Waymo, I'm now convinced that's what they are, but I guess with real passengers?
And Black-Scholes just codified what seasoned options traders had understood for centuries. The reason it was important and rewarded is exactly that codification, which enables rapid understanding to a wider audience.
Discovering something new is exciting and important. Explaining that discovery in a way usable by the rest of humanity is ground-breaking.
To inject numbers into the discussion: my homeowners insurance is $965 and earthquake is $1220. More than doubling the yearly bill to be sure, but it's easy to justify given bay area real estate prices.
I wonder if there's an indirect way to get cheaper earthquake insurance, by investing in industries or companies that would benefit from an earthquake, or maybe by taking bets in a prediction market.
It's not. And I don't know anything about SentinelOne so maybe they're amazing, but being stymied by dynamic analysis of VBScript malware seems, um, odd.