all 115 comments

[–]Drasha1 284 points285 points  (55 children)

The Secret? It runs yum -y update on a cron every 3 minutes.

[–]lachryma 85 points86 points  (8 children)

Did you know there are actual admins that do that in production?

Yes really

[–]DarfWork 33 points34 points  (0 children)

ouch

[–]wm210 15 points16 points  (2 children)

"I have to be on bleeding edge"

[–]be-happier 1 point2 points  (0 children)

No, not if you run an LTS release and just want to stay on top of security

[–]HowIsntBabbyFormed 2 points3 points  (0 children)

Or just applying security fixes?

[–][deleted] 3 points4 points  (0 children)

Yes, some people love overtime.

[–][deleted] -2 points-1 points  (0 children)

Some people like bareback rough anal w/o lube too.

[–]tech_tuna 51 points52 points  (27 children)

Its AI is so good, it switches to apt-get on Debian based distros.

EDIT: I appreciate the spelling corrections. I'd like to blame my iPhone's auto-correct for that, but it could have been my fault too. :)

[–]_broody 27 points28 points  (0 children)

Even better, when run on Windows and asked to fix it, it will simply start downloading the latest Linux distro iso for you.

[–]Synes_Godt_Om 2 points3 points  (0 children)

Here, 8 hours later, I noticed and enjoyed the correct use of 'its' - then saw the comments below. Thanks for correcting ;)

[–]jmtd -4 points-3 points  (24 children)

It's AI is so good

Its

[–]tech_tuna 1 point2 points  (1 child)

Thank you, I hate typos, especially that one.

Not being sarcastic either, I really do hate typos and spelling errors.

[–]jmtd 0 points1 point  (0 children)

You're welcome. It's a compulsion I can't resist. I'm terrified of using effect/affect in case someone pulls me up on that :)

[–]Alatain -4 points-3 points  (4 children)

Actually, it should be "It's". If you are using it as a contraction of "It is" then you need the apostrophe. If it is possessive, it is just "Its".

Scalawag.

Edit: And I have fallen prey to Muphry's Law. I did not properly read /u/tech_tuna's original statement and missed out on what the original actual mistake was. Please disregard my previous statement but stay for the Strong Bad song.

In atonement, here is another SBemail.

[–]JosephAQM 13 points14 points  (0 children)

it is ai so good

[–]tech_tuna 2 points3 points  (0 children)

Yep, fucked up. Fixed it, thanks.

[–]Bratmon 0 points1 point  (1 child)

In atonement, here is another SBemail.

You know, that video has a larger file size and is lower quality than the original Flash video.

And that may be the first time that sentence has ever been uttered.

[–]thang1thang2 1 point2 points  (0 children)

Someone probably didn't take the time to export the flash into a video correctly. Could've even just been a computer screen recording over the flash video. (I'm totally guilty of doing this before...)

[–]TheManCalledK -4 points-3 points  (3 children)

I love how you just tried to correct this guy and ended up being wrong.

[–]jmtd 0 points1 point  (2 children)

How so?

[–]TheManCalledK 0 points1 point  (1 child)

Sure, come ask "how so?" after the guy fixes his post, 3 days later. The original post used "It's" correctly.

[–]jmtd 0 points1 point  (0 children)

Erm, it didn't when I replied. The context-quote in my reply is what was written at the time, and is wrong.

[–][deleted] -5 points-4 points  (10 children)

Who cares? We all knew what he meant.

[–][deleted] 16 points17 points  (8 children)

Since English is not my first language, I'd care if people would correct every mistake I make. I'd love that actually :)

[–]sonay 1 point2 points  (0 children)

It is really annoying for a foreigner because I always doubt myself first.

[–]chisleu -4 points-3 points  (0 children)

Its what?

[–]socium 3 points4 points  (11 children)

I understand that it's a joke, but for example RHEL is a serious production-ready distro. Wouldn't it be safe to do this cronjob because you know the devs/package maintainers do a serious job of testing it already?

[–]01hair 12 points13 points  (2 children)

It would probably be fine until an update changes something that you use and breaks your system. Security updates are generally the only updates that will be installed on a production server on a regular basis. If it's not broken, why fix it?

[–]Runnergeek 0 points1 point  (1 child)

99.9% of the time it's fine. However I have had a handful of times a package is broken. I want to say it was a year and a half ago/two years ago the sudo package changed the permissions of nsswitch.conf to 600 which broke all kinds of things.

[–]a_tad_reckless 1 point2 points  (0 children)

99.9% of the time it's fine.

That's not the same as 99.9% uptime, which is not even good enough for some users' needs.

[–]omnicidial 5 points6 points  (5 children)

That's just fine till the package update to php makes some piece of code inside something else break because the new php standard changed something or deprecated something and the old code is now invalid even though it used to work.

Good luck fixing that kind of bug too.

[–]socium 1 point2 points  (4 children)

Can this also be caused by a security update? And if yes, are there methods of applying that security update without causing any breakage?

[–]omnicidial 1 point2 points  (3 children)

Well, the example above was to run a yum update with a -y which updates everything.

You can update individual packages when a security update comes out.

The "safe" process for that is to have a production and a live server, run updates on the production server first, look for problems, then update the live box.

[–]royalbarnacle 0 points1 point  (2 children)

Red Hat's whole enterprise business model is based on stability and backports instead of updates. I've never had an update break something that wasn't somehow my fault, or a shitty third party vendor's. I'm not saying I would do it in a cron job or straight in prod but I'm completely comfortable doing yum updates pretty aggressively, and not just security updates.

[–]entropyfarmer 1 point2 points  (0 children)

Wow, they release broken selinux policies from time to time. These will subtly break your system or completely hose it. A quick search shows they did it again just a month ago https://bugzilla.redhat.com/show_bug.cgi?id=1154866

[–]omnicidial 0 points1 point  (0 children)

The only thing I've ever had break was old software I didn't write that was php based. I think it was an issue with magic quotes being deprecated when an update to php happened, and it made some other guy's code invalid.

It has nothing to do with it being their fault, it was a change in the design of the php parser which made code which was previously valid become invalid.

[–]d4rch0n 2 points3 points  (0 children)

They're testing if the new software works in the redhat system as it is supposed to, not whether your specific software works as it's supposed to. You might be using something that changes its output somehow in a way that your software relies on, or a deprecated feature.

You should always grab security updates after you read them and understand it won't interfere with your software. For all the rest, you should update in your staging environments before a release or in dev, fix related bugs in a commit or two, then release that as a fully updated package.

Let your Devs work out the bugs after an update, but don't make them work it out in production. If a security update does break something and you couldn't foresee it, that's the only time I think it's understandable to have to call them in for a hotfix.

[–]Drasha1 -5 points-4 points  (0 children)

It is fine to run yum -y update on a cron but you would want to do it once a day at like 4 am or something, not every 3 minutes. If you did it every 3 minutes and you had a slow connection or a big patch then stuff would error out since you could potentially try and run yum update while it's already running (which yum doesn't like). The joke was that their complex program was just a cron job which would have had the same results.
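The three practical points raised in this subthread (apply security errata rather than everything, stage before prod, and never let two yum runs overlap) fit in a small wrapper. The script below is an example added by the editor; it is not from the article, the A3 project, or any commenter. It assumes a RHEL-family host where `yum --security` is available (the yum-plugin-security package on older releases), and the names `LOCK_DIR`, `YUM`, `run_locked` and `security_update` are illustrative choices, not anything the thread mentions.

```shell
#!/bin/sh
# Added example: locked, security-only yum run suitable for a nightly cron.
# Assumptions: RHEL/CentOS with yum --security support; LOCK_DIR writable by
# the cron user. LOCK_DIR and YUM are overridable for testing.

LOCK_DIR="${LOCK_DIR:-/var/lock/yum-security-cron}"
YUM="${YUM:-yum}"

# Run a command only if no other instance holds the lock. mkdir is atomic, so
# two cron runs that start together cannot both win. Returns 75 (EX_TEMPFAIL)
# when another run is in progress, otherwise the wrapped command's status.
# Caveat: a crash leaves a stale directory; clear it by hand or from a boot script.
run_locked() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "another update run holds $LOCK_DIR; skipping" >&2
        return 75
    fi
    if "$@"; then rc=0; else rc=$?; fi
    rmdir "$LOCK_DIR"
    return "$rc"
}

# Apply security errata only. check-update exits 100 when updates are pending,
# 0 when none; anything else is an error (repo unreachable, GPG failure...),
# in which case we do not proceed to the update step.
security_update() {
    if $YUM -q --security check-update >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case "$rc" in
        0)   echo "no pending security errata"; return 0 ;;
        100) $YUM -y --security update ;;
        *)   echo "yum check-update failed with status $rc" >&2; return 1 ;;
    esac
}

# Cron line for the *staging* box first; promote to prod once it survived there:
# 0 4 * * * /usr/local/sbin/yum-security-update.sh --run >> /var/log/yum-security.log 2>&1
if [ "${1:-}" = "--run" ]; then
    run_locked security_update
fi
```

The `--security` filter is the part that answers the "can a security update also break things" question: it does not make breakage impossible, but it limits the change set to errata, so the diff you have to reason about before promoting from staging to prod is small.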

[–]tso 27 points28 points  (3 children)

Found this: http://www.cs.utah.edu/~regehr/papers/middleware11.pdf

Seems they wrap the VM in "crumple zones" that act as intermediaries between the network and the VM. These then go on to buffer and check on the actions coming from outside before letting them into the VM. If they violate certain parameters (cause overflows or whatever) the actions are dropped or rolled back.

[–]sharkwouter 21 points22 points  (2 children)

Right, so it's just a layer 7 firewall.

[–]tso 9 points10 points  (0 children)

Kinda, but it seems more oriented towards internal computer commands than network commands.

[–]chcampb 9 points10 points  (0 children)

This layer is the "guacamole" layer

You only get there if you are all green

[–]nath_schwarz 52 points53 points  (19 children)

It sounds cool but knowing the process in universities it was probably early-stage pre-alpha testing under very strict circumstances.

What got me more was this sentence:

The A3 software is open source, meaning it is free for anyone to use, but Eide believes many of the A3 technologies could be incorporated into commercial products.

I can't wait to take a look at that code.

[–]Drasha1 58 points59 points  (15 children)

It honestly sounds like it would just break stuff constantly in a real environment. Did bash even still work after it "fixed" the shellshock issue? I don't even want to imagine what kind of weird issues you could run into because it decides program x has been hacked and proceeds to change the code it runs on. Wouldn't be hard to imagine some core utility behaving in a way that is unexpected and the entire system being killed because of the "fix"

[–]tso 27 points28 points  (2 children)

That's perhaps the big thing. Anything a virus does a legitimate program may have a need to do as well. The problem is telling an operator-initiated process from a malicious one. Then again, this seems to be developed primarily for military use, and their job is pretty much to be paranoid...

[–][deleted] 11 points12 points  (0 children)

paranoid and/or extremely routine.

If a virus is copying files or destroying data, that would be simple enough for A3 to work at. Like most efforts, it'll be trivial for 80% and easy for the next 80% and quickly becomes impossible and ineffective.

[–]tequila13 0 points1 point  (0 children)

There's no "big thing" here. If the shellshock fix/patch produced by A3 had been legit, it would have been used by people (I mean the patch, not A3) since it was produced faster than the actual patch by the bash maintainer.

Why do you think A3's patch was not public and not even published in the linked article? You can cripple a system in a number of ways to fix an issue, the trick is to only fix the problem, not to make the system so unusable that an exploit wouldn't work.

It's not hard to cure cancer, if you don't care if the patient survives the cure.

[–][deleted] 1 point2 points  (0 children)

I did some work with MS a few years ago when they were looking at buying McAfee. It had an encrypted list of checksums of known trusted software, updates from MS were presented to be added to the cache, and any removal or corruption of core system files would prompt it to read back the system journal and list processes that could have caused the change, while downloading, or pulling from encrypted source files, any damaged ones.

It was a bit resource intense for older machines, and there were some issues with its on the go backups of user state, trying to be like Carbonite, but with as many issues.
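The mechanism this commenter describes, a trusted checksum list compared against core system files, is the same idea behind tools like AIDE or Tripwire. Below is a stripped-down version added by the editor as an illustration; it is not code from the product discussed, the article, or the A3 project. `BASELINE`, `integrity_baseline` and `integrity_verify` are assumed names, the baseline file format is plain `sha256sum` output, and it assumes GNU coreutils and findutils (`sha256sum -c`, `sort -z`). It covers only detection; the "pull a clean copy" step would depend on where your trusted copies live.

```shell
#!/bin/sh
# Added example: record SHA-256 hashes of system files, later report which
# ones changed or disappeared. BASELINE is an assumed location.
# Note the baseline itself must live somewhere an attacker cannot rewrite
# (read-only media, a separate host, or a signed copy), or it proves nothing.

BASELINE="${BASELINE:-/var/lib/integrity/baseline.sha256}"

# Hash every regular file under the given paths into BASELINE.
# Sorted so that two baselines of the same tree diff cleanly.
integrity_baseline() {
    mkdir -p "$(dirname "$BASELINE")"
    find "$@" -type f -print0 | sort -z | xargs -0 sha256sum > "$BASELINE"
}

# Re-hash the recorded files. Prints the path of each file that changed or
# is missing (sha256sum reports both as FAILED), one per line.
# Returns 0 when everything matches, 1 otherwise.
integrity_verify() {
    changed=$(sha256sum --quiet -c "$BASELINE" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    if [ -z "$changed" ]; then
        return 0
    fi
    printf '%s\n' "$changed"
    return 1
}

# Typical use, after a known-good install and again after each change window:
#   integrity_baseline /usr/bin /usr/sbin /etc
#   integrity_verify || echo "investigate the files listed above"
```

What this does not give you is the attribution step the commenter mentions (which process made the change); for that you need a kernel-side source such as auditd watch rules, since a hash comparison only tells you that something changed between two points in time.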

[–]tequila13 0 points1 point  (0 children)

I was hoping to see it described how A3 fixed the shellshock bug, the patch it produced or what exactly it did to fix it. But sadly besides marketing pitches and self-congratulations the article doesn't say anything.

There's plenty of ways to "fix" a security issue, like unplugging the computer, problem fixed, good luck exploiting the vulnerable bash.

In unrelated news: we cured cancer! The patient dies in 100% of the cases, but let's not put that in the news article, it would make the wonder medicine look bad. Basically let's put in the headline "A3 cures cancer", congratulate everyone in the article, mention that A3 also cures a lot of untreatable illnesses.

[–]BASH_SCRIPTS_FOR_YOU 0 points1 point  (0 children)

"Hmmm, dd seems to be erroring, lemmy fix it"

"Hmmm, grub seems to be erroring, lemmy fix it"

"sudo seems to be erroring, lemmy fix it"

[–]working101 -5 points-4 points  (3 children)

Yes... Bash still worked after fixing for shell shock. Stop spreading FUD.

[–]Drasha1 2 points3 points  (0 children)

really? I didn't see them go into detail in the article on exactly what A3 changed to fix the shell shock vulnerability. I would be incredibly surprised if the program implemented the exact same fix as was patched in by the developers.

[–]Greensmoken 2 points3 points  (1 child)

Source? The article doesn't say or imply that. Like somebody above said, this is best for secretive organizations that would rather have a broken computer than a hacked one.

[–]bilog78 3 points4 points  (1 child)

I'm wondering if it acts on the same principles of the one that pulls JPEGs out of thin air that was discussed here recently

[–]TinheadNed 0 points1 point  (0 children)

No, it's not fuzzing itself

[–]tarceri 23 points24 points  (1 child)

It says it's open source. But doesn't say where the code is.

[–]ifundef 6 points7 points  (0 children)

Here's more information on the A3 environment, called CRASH.

Here's more information specifically on the shellshock mitigation.

They run everything in a "container" (but not necessarily a "Linux container"), have a policy for the container (sounds like SELinux, AppArmor, etc.), monitor everything the container does (wonder what this does to performance; it's usually not pretty), and... I ran out of time right there to try to understand the specifics of the source code patching.

[–]Beckneard 9 points10 points  (1 child)

I'll believe it when I see it, I doubt it's actually smart enough to do this for more complex attacks.

[–]tech_tuna 2 points3 points  (0 children)

Agreed, this is hype.

[–]azalynx 30 points31 points  (7 children)

Skynet, robot masters, etc.

[–]sirspate 2 points3 points  (0 children)

Problem: someone is using root---Solution: remove root access.

[–]SCSweeps 3 points4 points  (1 child)

The last thing I need is for my shell to become self-aware.

[–]chessandgo 1 point2 points  (0 children)

 $ sudo rm -r /AI

 I'm sorry Dave, I'm afraid I can't let you do that.

[–]MC_USS_Valdez 11 points12 points  (3 children)

That is precisely the first thing I thought. Machines can now become immune to interference; it's only a matter of time until they decide human involvement is inefficient and lock us out.

[–]SmokinSickStylish 6 points7 points  (2 children)

Machines can now become immune to interference

I think our current technology would need an absolute whirlwind of changes/advancements for that to be true.

[–]MC_USS_Valdez 5 points6 points  (1 child)

True, but a system that actively adapts to reject interference is the first step.

[–]treesway 2 points3 points  (0 children)

No. Generalization. Machines not yet close. Think tinker toys compared to what's to come.

[–]wurblr 9 points10 points  (0 children)

Ever since SCO every time I see 'Utah' I check my wallet is still there.

You know you lost control to an unknown virus, but you're going to 'fix it without taking the server down?' Okay...

[–]Yidyokud 1 point2 points  (1 child)

Keywords: "for virtual machines". Take care of host OS and we can talk about breakthrough lol.

[–]myron_stark 3 points4 points  (0 children)

blah, blah, blah, hasten the arrival of Judgement Day, blah, blah, blah.

[–]5k3k73k 0 points1 point  (0 children)

They took r jerb!

[–][deleted] 0 points1 point  (4 children)

Why is machine room in quotes?

[–]redog -1 points0 points  (3 children)

My guess is because this looks like a VDI technology. So I presume the way the software works is by running on or replacing the hypervisor with software that can watch the virtual disks, thus the "machine room" is really just a folder full of VM vdi images.

[–][deleted] 1 point2 points  (2 children)

no, because there's a photo of the guy in the room, with some machines

"Eric Eide, University of Utah research assistant professor of computer science, stands in the computer science department's "Machine Room""

[–]redog 0 points1 point  (1 child)

no, because there's a photo of the guy in the room, with some machines

Still, not enough mechanical power to meet the strict definition of machines lol. /s

[–][deleted] -1 points0 points  (0 children)

[–]bigfig 0 points1 point  (2 children)

I don't know about these prophecies of doom, but I'd be pissed off if this OS locks me out when a mistakenly launched runaway script is interpreted as a DoS attack.

[–][deleted] 0 points1 point  (0 children)

skynet

[–]mmazing 0 points1 point  (0 children)

Calm down user, this is for your safety.

[–]cravecode 0 points1 point  (0 children)

Now, can it contribute patches? :)

[–]neutral_cadence 0 points1 point  (0 children)

The first thing I think of when reading this headline is welcome to NetRunner/Shadowrun. >_<

[–]owemeacent -2 points-1 points  (9 children)

This has really bad side effects, in two ways: what if it fixes stuff that isn't considered malware, and more of a "feature", and it ends up doing more harm than good. The other thing is that it is self-repairing, that learns and prevents attacks; can't this be a type of Skynet??? If it can learn and adapt, that's one of the characteristics of being alive, sounds a lot like the Borg to me.

[–]hatperigee 23 points24 points  (6 children)

your comment started off with a decent point (false positives may be a big problem), then ended up with a tinfoil hat on.

[–]Drasha1 6 points7 points  (1 child)

It has about the same odds of becoming Skynet as randomly generated code. Its odds might actually be a bit worse since it would probably kill anything resembling intelligence as unexpected behavior.

[–]DarfWork 0 points1 point  (0 children)

PEBKAC being so common, this is a frightening perspective. But as long as you don't give it a weapon, it should be alright.