Domain: brainhz.com
Stories and comments across the archive that link to brainhz.com.
Comments · 12
-
The *real* security problem!
[By the way, the security problem is not hiding the extensions. The real issue
... being executable by double click].I don't agree.
I think the real security problem is that the only way to tell what a program does is
- "theoretically": by reading the source code
- experimentally: by running it.
For proprietary software, that leaves only "by running it". I don't know about you, but I don't read all the open-source code I run. See also the underhand C code contest (write malicious code that's read-the-source-resistant).
What would improve security somewhat is if each program specified what it wanted to do*, and then got promptly killed if it did anything else; AppArmor does something like this.
* Say, like "I want to write files below
/home/${user who runs me}/.emacs.d/**", or "I'd like to make outgoing connections on all tcp ports", or "I'd like to listen for connections", or "I'd like to execute the following programs: [...]".By having programs explicitly state their externally visible behavior, the user can know what the program does, and whether it's safe to run.
It won't be a panacea, and most people probably won't understand all the implications of letting programs listen for incoming connections on all ports and be able to run arbitrary other programs. But it will allow at least the technical users to have a security policy better than trusting or not trusting the source, which is all you realistically can do.
-
Re:Hide the evil code?
Have a look at some of the previous contests. The original contest (2004 voting contest) has people exploiting stacks and various other sorts of nastiness.
In 2006, http://www.brainhz.com/underhanded/results2006.html you get people exploiting the fact that 64 bit and 32 bit OS are different, or that some OSes are big endian and some little, and so on. There are all sorts of nasty tricks that are possible.
One possible option for this contest is to hide information in the lower bounds of each pixel (stenography like), there isn't much space, but you could recover some information from the original. And a one bit difference in black isn't easy to spot...
Of course, I can't code C, so I don't know what I'm talking about. -
Re:Article is a Troll
And I thought that the Underhanded C Contest would never have come in handy......
-
Re:Oh no!
I don't know your situation but if it is computer repair, part of it could be the Windows users who are so used to coming in for repairs switching to Macs and lacking the Mac or Unix skills to fix problems.
They're designers... they've been using Mac since before I was born. They also tend to stay away from the command line (that Terminal.app thing scares the hell out of them whenever I fire it up). The popularity has nothing to do with their usage of the system, as they were fine using OS 9 before hand. I work for a media company, the designers are all over the place and always use Mac.
who is going to try to hide spyware in a GPL'd product?
I don't know but considering some of the code that one can write can be obscure as hell I'm sure spyware could be slipped into a product with relative ease. Whilst I've forgotten who and what, there was some PABX software recently that called home (it always had) that took $x long to become well known... leave you to think on that. -
Underhanded C contest
Here's the same challenge for you as for the other poster: Write some code that accesses some file it shouldn't, and does something with the data in it (writing it to a socket say) in such a way that you can't tell what's it doing without looking really well at it, and it looks harmless or to be doing something else.
Take a look at the Underhanded C contest. -
Re:the answer is simple
Maybe they submitted source code patches as well? I wouldn't be surprised if the patch was something that could win the Underhanded C competition. Having an exploit is great but, as you said, somebody could find said vulnerability on their own time. Having your own back door though...
-
Re:You deserve to control your computer.
With free software you don't have to guess because you're given the freedoms you need to do the work yourself or get someone else to help you.
Not exactly. Consider this "open source" fragment:
long unsigned int maxwordsize(char *inputFromStdIn)
{
long unsigned int tmpwordsize=0,maxword=1,i;
for (i=0; i
This simple C fragment is designed to perform Fear, Uncertainty, and Doubt: it works fine on one platform, but becomes mysteriously slow on another.
Rather than leave the exercise up to the reader, I'll mention that this fragment was taken from the Underhanded C Contest. While the coding examples in that contest perform no real damage, an experienced coder could easily sneak in a root exploit into an open source project - in the same way that one person attempted to sneak a root exploit into the wait4() function call of the Linux Kernel. -
Re:OpenBSD fixed on Jan. 21, 2000
It sounds like you're thinking of the Underhanded C Contest... The 2005 results look something like what you're describing...
:-)
HTH. Cheers. -
Re:OpenBSD fixed on Jan. 21, 2000
It sounds like you're thinking of the Underhanded C Contest... The 2005 results look something like what you're describing...
:-)
HTH. Cheers. -
Oh yeah, baby!
open source insurance http://news.zdnet.com/2100-3513_22-5924112.html
+
underhanded C code http://www.brainhz.com/underhanded/
=
$$$$$$$$ -
Underhanded C
This contest has already been slashdotted, but the idea is sublime: "write code that is as readable, clear, innocent and straightforward as possible, and yet it must...do something subtly evil." And the prize is beer!
-
Underhanded C
This contest has already been slashdotted, but the idea is sublime: "write code that is as readable, clear, innocent and straightforward as possible, and yet it must...do something subtly evil." And the prize is beer!