Domain: cigital.com
Stories and comments across the archive that link to cigital.com.
Comments · 41
-
USS Yorktown crash nothing to do with Windows NT?
-
Re:Why OpenSSL is so popular?
Not exactly crypto, but an amusing article on producing a way to compute the entire shuffle of a deck of cards in online poker based on those that were visible: How We Learned To Cheat At Online Poker
Crypto is harder than card shuffling.
:-) -
Description of vulnerability
Here is an article on how to implement Java's SecureRandom function:
https://www.cigital.com/justice-league-blog/2009/08/14/proper-use-of-javas-securerandom/ -
Re:Let's not ask someone who has lots of credentia
The ignorance comes from the trolls such as you who would have to use such offending words on the internet.
I would have to agree with you, considering that when I went on the Cigital website, it looked like it was made from small-budget templates...
and that whoever is running that company felt it necessary to give us detailed info on Gary at this link http://www.cigital.com/gem/
Funny though, no other employees have their faces, lives, religion, wives' names, and dog's favorite treats listed on the website.....hmmmmm.
I guess that does show major signs of professionalism on their part. I did read they had sister offices all over the world, but you and I both know
all we have to do is find another like-minded firm that would want to share namespaces and allow me to use their offices to be able to call yourself global. So with that in mind, I would like to let you know I have found an office in Russia that is allowing me to partner with them, and they have been in the IT business since 1990 and they have a department dedicated to security within the company for which I am consulting, so now I will put up my own website,
put on there that I have been in business since 1990 AND also I have offices in Russia (the best haxors in the world) and have a multitude
of dedicated consultants to help anyone who wants to pay me..... awesome business model.....I think I like it very much....thanks for the idea! -
Re:Gambling...
Is Poker a game of chance or a game of skill?
Let's look at it from different angles:
Firstly, is Backgammon a game of chance?
I'd say that in any single game, chance may play a significant role, but in a long sequence of games, it evens out. Similarly so with poker.
Secondly, there was an interesting study:
http://www.cigital.com/resources/gaming/poker/100M-Hand-AnalysisReport.pdf
Quoting:
Cigital examined 103 million hands of Texas Hold'Em poker played at PokerStars. In the majority of cases, 75.7% of the time, the game's outcome is determined with no player seeing more than his/her own cards and some or all of the community cards. In these games all players fold to a single remaining player who wins the pot. In the 24.3% of cases that see a showdown (where cards are revealed to determine a winner), only 50.3% of showdowns are won by the player who could make the best 5-card hand. The other roughly half of the showdowns are won by someone with an inferior 5-card hand because the player with the best 5-card hand folded prior to showdown.
-
Cheating at online poker
There were some folks a while ago who wrote up a security investigation they did of Party Poker's site.
One of the problems they had was a terrible, non-uniform shuffling algorithm. Completely different problem than what MS did, but interesting nonetheless. (I actually guessed that this is what MS did, but that's not the case.)
-
Re:Why?
You have obviously not done any gambling online. A large percentage, perhaps even the majority of online gambling, is poker. When you go to an online poker site, you are not playing against the house/online gambling site. You are playing against other players, and the gambling site gets its money by charging a fee, a percentage of the buy in in a tournament or a percentage of the pot.
I wouldn't even put poker in the same "gambling" category as casino games (online or otherwise), as it was clearly demonstrated that in poker skill dominates luck.
Sure, there is the element of chance, but then, it is also present in contract bridge and in backgammon and you don't hear those referred to as gambling.
Of course there is no 100% guarantee that the online gambling site is not putting an employee who can see the cards in on a table, but that would really net them so little money in comparison to hosting hundreds or even thousands of tables simultaneously, and getting their little fee from each of them. Not to mention the damage to their reputation if it were discovered (there is great competition amongst online poker sites.)
There can be no 100% guarantees but, given the large number of people analyzing the games for statistical and behavioral discrepancies, it will be hard to pull something like that off. The Absolute Poker scandal shows that cheating will be detected.
Also, the major online poker sites do their best to detect bots, collusions and other forms of cheating using their own server-side analysis. After all, nobody in their right mind wants to kill the goose that lays golden eggs.
-
Cigital
You list many good things that you did. But if your developers were not trained in secure coding, you are going to be shocked at how much a good web app testing company is going to find.
I own and run a small information security consulting company myself and we also do web application security. But since you are looking for the "best", I have to recommend Cigital, which is easily one of the best in this space. When I was working for other people, I used to hire them, and now even though we are competitors, I have no problem recommending them when someone asks for the best.
WhiteHat security is also pretty good, so is FoundStone. I am sure there are other very good companies too.
One last recommendation: stay away from the Big-N audit firms.
-
Finjan Software has scammed people before
Surfin'Shield sort of drowned. There is probably a similar scam behind this "research"....
-
Re:Games with Hackers/Code Explorers
This is a nice posting. Do note, however, that most game hacks against MMORPGs do not involve network-level packet twiddling. Instead, most attacks involve reversing the actual client program and manipulating that. It's a new paradigm (and one not very familiar to most computer security people).
gem
-
Re:The book
Just for the record, the fact that the Warden uses (weak) crypto to try to protect its data transmission over the network does nothing at all to stop the Governor program. The silly thing about the Warden is that it runs on the client it is supposedly monitoring in user mode. The Governor can be run with higher privilege, interpositioning using Detours in the kernel. That means it can perform a "lobotomy" on the Warden. Most of the exploits that are interesting in our book have to do with the fact that too much state data is exposed to shenanigans on the client. Expect much more of this in the future. gem http://www.cigital.com/~gem
-
Re:Exploits and WOW.
Just for the record, Greg (my co-author) discovered and outed the Warden. Yep, same guy. I was not involved.
The techniques in the book are most interesting because they are a harbinger of hacks to come in fat-client (real web 2.0/SOA) software.
Perhaps you should look at the book?
-
Re:rootkit-like?
hi kwerle,
Nope. We have code for some of the stealthy rootkit-like bots in the book, but there are some techniques in common use now that we did not include code for. The coolest techniques involve making use of a multi-core system and hardware interrupts.
It's all real.
-
Re:My personal feelings..
IMHO, grinding is best carried out by a bot. In the book, we have two chapters (with lots of code) about botting.
-
Re:My personal feelings..
In my view, the main reason for hacks, exploits and other cheats is to make money. Grinding may suck, but making money is...well, making money.
Here's a basic article that might help set this in context: http://www.informit.com/guides/content.aspx?g=security&seqNum=284&rl=1
gem
-
Re:From a mainstream publisher
What immcintosh said. What we did in the book is not illegal as far as we know. I wrote an article about the state of the law and computer security through the lens of MMORPGs for darkreading. Here's a pointer: http://www.darkreading.com/document.asp?doc_id=136128&WT.svl=column1_1 And just for the record, our books do sell pretty well (EOG is off to a fine start), but we do it to help improve the state of software security from the dark ages to the Bronze age. gem http://www.cigital.com/~gem
-
Re:Guarantee of Reliability is not Free
Have not traded much, have you?
http://www.cigital.com/paynereport/archive/jul-aug2001.php
And if there is a huge swell in trading, the NYSE slows things down because the computers can't keep up. This actually happens quite often. I doubt that Windows or Linux is faster. I think both have problems. What I think Linux buys them, and this is what's important, is flexibility. They can tune the kernel to whatever suits their needs. They can't do that with Windows, and I could see that being an issue for the NYSE. After all, throughput is a major issue. -
Re:Why not swap out the broken part then?
For another example of the entropy problems in using the current time as a PRNG seed, see How We Learned to Cheat at Online Poker.
The authors essentially broke PlanetPoker's shuffling algorithm. The algorithm was broken to begin with, and then they used the current time as the seed. These combined to make it possible, with some brute-force testing of potential seeds, to determine the entire shuffle of the deck from the face-up cards in Texas Hold'em. -
Re:It would surprise me...
Good point. There have been successful hacks of sites that have relied on poorly designed RNGs.
The C runtime library does not mandate a particular RNG implementation, but at one time there was a "suggested" or sample implementation that was widely adopted by compiler vendors, but is now considered lame. -
Re:Two reasons...
I believe the main reason is that companies believe the FUD and myths about releasing their source. The two points above don't hold true because of the art of reverse engineering. Go read: Exploiting Software http://www.cigital.com/books/expsoft/
Killing the above point 1: there are still lawsuits even though only the binary was released.
Killing the above point 2: it's easier to get a crack patch for any software (max time to do this: 2 min) than it is to be reading the source code and trying to figure out what does and doesn't need to be changed. Most crack patches just put in a jump command to skip the serial authentication, which has the same effect as commenting out the source, except you don't need to waste time compiling as well. -
Solve the Problem - For Real
If you really want to see the problem of data exposure reduced to a very tolerable level, the best solution is NOT to fully encrypt the drives of mobile computers, but to change our mobile computing paradigm entirely. Once viable alternatives to general purpose mobile computing are commercially available, we as an industry will finally be able to reduce the events. In other words, once thin-client mobile computing takes off, these full disk encryption products will likely not be needed at all.
Imagine a world where executives, sales people, and most other road-warrior types have a mobile computer that looks like a laptop, but instead of running its own full-blown OS, it simply rides the vast array of mobile carrier networks (like Blackberries currently do) to deliver a virtual desktop hosted in a nice segmented/protected internal network in their employers' data centers (e.g. Citrix, Terminal Servers, or X Windows). Instead of the critical, highly-valuable information floating all over the network and beyond in general purpose computers, we will see a return to the centralized computing paradigm reminiscent of the mainframe days, but with all of the flexibility of the point-and-click user interfaces. Users will interact with their desktops over nice TLS/SSL/IPSEC tunnels over a variety of wireless carrier and 802.11 networks. As long as there's bandwidth, there will be productivity. The thin client hardware will be cheaper and last longer-- another sure foothold that will bring them into the mobile market. And best of all, if one is lost, it will only cost pennies to replace the device since the data does not reside within it. Provisioning will be faster than disk-imaging techniques, and the massive back-end systems can be heavily virtualized with tools like VMWare.
Dan Geer recently said that as Moore's Law for computing power doubles every 18 months, disk space doubles every 12 and bandwidth doubles every 9 months. In our "data in motion" world, the best way for organizations to really protect data is to only "present" it to thin client endpoints. RIM has been wildly successful with introducing us to this concept via its Blackberry product line; it will only be a matter of time before some other company changes the way we think about thin clients as a mobile computing solution.
Before I am blasted by those whose religion is the PC based (decentralized) world, let me be the first to say this will not solve the problem for everybody-- just 99.9% of those cases where laptops are stolen or lost. Thin computing will not necessarily help the end-user market, but it will assist fixing their problems as well.
-Tim -
do robots drink tequila?
Teaching kids to code using robotics is a great idea with deep roots. I recall the turtle language Logo from WAY BACK WHEN. I also recall burning a hole in the carpet at my rental pad in Bean Blossom working on "carbot" with professor blank. However, I would like to see a robot that automatically conjures up tequila shots, including sliced lemons, when asked. Doug, can you get on that please?
gem
company http://www.cigital.com/ podcast http://www.cigital.com/silverbullet book http://www.swsec.com/
-
Re:60% of an operating system in 6 months - NO WAY
Let's assume that Vista is as few as 1000 KLOC (I'd bet another order of magnitude personally).
FWIW, according to this article (PDF - sorry) from CyberDefense Magazine, Microsoft Word alone was 2 million lines of code... in 1995.
It also says that Windows 2000 had 35 million LOC, and XP has 40 million.
Assume that the growth between XP and Vista is the same: that means 45 million LOC for Vista. So 60% is 27 million lines of code. It would be ridiculous to re-write that much - let alone impossible.
-
Problems
I agree with your premise. Microsoft often can't afford to take advantage of truly innovative technology, because that technology might erode their desktop monopoly.
Some of the logic along the way is... problematic.
Microsoft introduced ActiveX to ensure the web was tied to their platform. The reason ActiveX was "much maligned" is because it was just DCOM wrapped up in web semantics. Since DCOM was poorly designed, ActiveX inherited many problems, including extremely poor security. At the time, CORBA was the standard for remote execution, and although it was a standard, it had many drawbacks when compared to DCOM, namely poor implementations that often didn't work together properly, naming service issues (still a problem, though it's getting better), and huge bloat / performance issues.
Their platform was hardly fantastic. It was cobbled together, riddled with stability and security issues, and was tied intimately to the MS-Windows platform. The primary reason nobody adopted it on the web, outside of the compatibility nightmare, was that ActiveX controls required a Microsoft server on the other end, meaning exposing an important service to the internet. I believe that was Microsoft's intent-- get application developers to use ActiveX (most app developers were MS-Windows developers), and force the sysadmins to install MS-Windows servers to support them. But that might just be paranoid delusions on my part.
I'm glad you remember the glory days of ActiveX and IIS servers with such a warm fuzzy glow. All I remember were the serious ActiveXploits, IIS worms, and performance problems created by this "fantastic platform." -
Re:Um... pokerbot will always win
They've already been there and done that. Paradise Poker published its shuffle algorithm on its website in an effort to convince people that it was safe. Cigital realized that, in addition to being faulty and producing a non-even distribution, they were seeding the RNG with the current time. Cigital was able to create a program to predict the turn & river after receiving their hole cards and seeing the flop.
This was in 1999 though, and all the sites know about it and are much smarter about things. Most of them use hardware random number generators now and some even collect a pool of entropy from their users' collective mouse movements. -
Re:Alfred Menezes and Scott Vanstone
Judging from the writing style, I am 99.98% sure I know who wrote the above post. I would like to share a few extra anecdotes involving guest lecturers.
I took Applied Cryptography (C&O 487) at the same time as the parent poster. During the course, one of the guest lecturers that we had was a man by the name of Gary McGraw, author of several books on the topic of computer security. During his introduction, Gary thanked Alfred for being kind enough to pick him up from the hotel he was staying at. Gary also thanked Alfred for scaring him to death because Alfred hardly paid attention to the road while driving. We later found out that Alfred drives a somewhat beat-up Toyota Corolla, and you should see some of the scratches! This is a man that could probably afford a better car, but I guess he would feel worse if he dinged-up a nicer car.
Also during that C&O 487 class, we had a guest lecturer by the name of William Tutte. Tutte talked to our class about the cryptographic work he did at Bletchley Park during WWII. Shortly after he gave the lecture, he passed away. (To the parent poster: we still have a minidisc recording of that lecture, we should get around to putting it on CD and donate it to CACR.)
Now to add to the "Celebrity Professor" story from above, I also took Coding Theory (C&O 331) but not during the same term as the parent poster. For this class Scott had one of his grad students, Kenneth Giuliani, who was on campus writing his thesis, teach the course that term. Ken took up residence in Scott's office, but the office door still had Scott Vanstone's name plate on it. On two occasions that term, Ken arranged for Scott to come in and give a guest lecture, FOR HIS OWN CLASS! -
Re:Enhancements against the Linux Entropy Pool engi
Definitely. There was a gambling agency that people ripped a lot of money off from other people because they seeded the generator with the number of milliseconds since midnight and used a public lookup table to generate the random number. Not only is this a stupid way of doing it (it's only security through obscurity, because you only need a few queries to synchronise your clock with the agency's clock), but the idiots actually published their code!!!
Now consider this example: random number generators are anything but secure. -
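The clock-seeded, non-uniform shuffle that the poker comments above keep returning to, as an added illustration written for this page rather than taken from any commenter or from Cigital's report: a small-deck uniformity check for the biased "swap with anything" shuffle beside Fisher-Yates, and a comparison of a milliseconds-since-midnight seed space with the number of orderings of a 52-card deck. All function and class names are the editor's own.

```python
"""Added illustration of the two shuffle defects discussed in the thread:
   1. a naive "swap every position with any position" shuffle is biased;
   2. a clock-based seed reaches far fewer deals than a deck has orderings.
Names are the editor's own, not Cigital's or any commenter's."""
import math
import random
import secrets
from collections import Counter


def naive_shuffle(deck, rng):
    """Biased: each of n positions swaps with any of n positions, so n**n
    equally likely paths land on n! permutations, which cannot divide evenly
    once n > 2. Some orderings therefore come up more often than others."""
    deck = list(deck)
    n = len(deck)
    for i in range(n):
        j = rng.randrange(n)
        deck[i], deck[j] = deck[j], deck[i]
    return deck


def fisher_yates(deck, rng):
    """Uniform: position i swaps only with a position in [0, i], so every
    permutation is produced by exactly one sequence of random choices."""
    deck = list(deck)
    for i in range(len(deck) - 1, 0, -1):
        j = rng.randrange(i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck


def max_bias(shuffle_fn, n, trials, seed):
    """Largest absolute gap between any permutation's observed frequency and
    the ideal 1/n!. A fixed-seed Mersenne Twister is used here only to make
    the measurement reproducible; keep n tiny so every bucket fills up."""
    rng = random.Random(seed)
    counts = Counter(tuple(shuffle_fn(range(n), rng)) for _ in range(trials))
    ideal = 1.0 / math.factorial(n)
    return max(abs(c / trials - ideal) for c in counts.values())


def seed_space_bits(seed_values):
    """Entropy, in bits, of a seed chosen from `seed_values` possibilities."""
    return math.log2(seed_values)


def deck_space_bits(n=52):
    """Bits needed to address every ordering of an n-card deck (log2 of n!)."""
    return math.log2(math.factorial(n))


class OsRandom:
    """Minimal adapter so the shuffles above can draw from the OS CSPRNG
    (secrets.randbelow) instead of a seedable PRNG."""

    def randrange(self, n):
        return secrets.randbelow(n)


if __name__ == "__main__":
    # Defect 1: the naive shuffle's worst bucket is visibly off; Fisher-Yates is not.
    print("naive shuffle, max frequency error: %.4f" % max_bias(naive_shuffle, 3, 60000, 1))
    print("fisher-yates,  max frequency error: %.4f" % max_bias(fisher_yates, 3, 60000, 1))
    # Defect 2: milliseconds since midnight gives 86,400,000 seeds (~26 bits)
    # against 52! orderings (~226 bits); most deals are simply unreachable.
    print("seed bits (ms since midnight): %.1f" % seed_space_bits(24 * 60 * 60 * 1000))
    print("bits for all 52! orderings:    %.1f" % deck_space_bits())
    # Mitigation: a uniform algorithm fed by a non-seedable CSPRNG.
    print("first five cards of a CSPRNG deal:", fisher_yates(range(52), OsRandom())[:5])
```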
Source Code Auditing Tools
There are a variety of static source code analyzers that will find potential buffer overflows and other types of security flaws. I like Flawfinder, but ITS4 is also good, though its licensing terms aren't as clear or free as I'd like. There's also Secure Software's RATS, which can analyze several languages in addition to C and C++. Each of these tools generates a large amount of output and you have to have some understanding of security to use them, but they can find potential security flaws that you would otherwise overlook.
-
Re:Maybe that's why they conceived .NET
Using .net doesn't eliminate your exploit capabilities, it places your vulnerabilities in their hands. Things like this can be patched, but as they add more features they will add more flaws. Suddenly MS's ability to prove secure code is more important. If .net has an issue, all applications written with it will have an issue. -
Re:Doesn't work for me =)
"Went to their page and not one of their "technologies" works for me in Mozilla. Either they rely on javascript that Mozilla refuses to run with my prefs or they rely on Macromedia plugins that I have purposely not installed."
This is another very good reason to stop upgrading stuff that works. On my latest visit to my favorite PCB house, I noted I could no longer see their site. They upgraded. New Microsoft technology. Lots of Java stuff. Well, I don't run Java for these reasons, which I noted in an email I fired back off to them to complain. But then I realize the position the company executives are in... they have their customers on one side that are connecting and doing business, and they have a corporate rep right in their office, shaking their hand and buying them lunch. The rep wants to leverage his corporate force by using his software on their system to help force the public into using a certain browser. The decision has to be made... use a technology the people already have to run their site, or use the new "upgraded, improved" stuff a lot of people don't have. They view the corporate rep who just took them to lunch and have to tell him they won't "be a technology partner" and fall in line with his plan? They have to look at what's important in the big picture. What's really important? How expendable is a customer base? Do you really need customers anyway? I mean your customers did not take the time to come to your office and shake your hand and buy you lunch. The sales rep cared enough though.
And now I see this. 15 seconds tie-up time. 300K downloads. On a "56K modem" through an ISP that often slows down the actual send rate to like 2.4 kilobytes per second. That's the entire 15 seconds assuming I get a steady send.
This crap I have to put up with to connect to some business sites is absurd. I took a class in a community college on HTML, PERL, CGI. At the end of these simple little classes, I feel I could write pages far better than those I see on websites run by multibillion dollar corporations. Pages that loaded fast in any browser. Pages that did not require plug-ins. Pages that did not require my visitors to put their machines at risk. Just plain interactive pages that followed HTML 4.0 standards. Pages that work. Didn't even need any fancy editors; any plain ASCII text editor worked fine. Why is it that when corporations put up pages, many can't make them work?
I know this is a bit of a rant, but I am really getting miffed off at technology being used to make a pain in the ass out of itself, and even businesses I trade with using the dollars I send them to work in collusion with those to force this on me.
-
Another way?
Use source analyzers to find common mistakes, here are a few
Flawfinder
RATS
ITS4
Splint
also look at Splint's Links page for more on the topic -
Re:How to kill karma on /.
Ok, I was away for a little while, but the first link in a google search for "buffer overflow"+microsoft+.net resulted in this article about a buffer overflow in VC++.net compiled code. True, I've never actually used any of the MS development tools; this was just tongue-in-cheek humor. We return you now to your regularly scheduled /. -
Re:Microsoft Visual C++ .NET has a similar feature
Right, and if I recall correctly this was the subject of the 1st .Net "exploit".
True it was hyped as an exploit when it really isn't, but it goes to show that there is no replacement for skilled and careful coding.
See http://www.cigital.com/news/mscompiler-tech.html for more info.
Jesse -
Re:One more reason...
You would have to find a chroot app that had an exploitable buffer overflow problem to begin with. The virus would have to specifically be written to exploit that particular bug in that particular application. This is non-trivial.
How the fuck is using THIS NON-TRIVIAL... christ.... think!!
< ass > < head > < /head > < /ass >
... oh... so THAT's your problem...
-
Compiler: Stackguard!
Look here for additional details on the compiler buffer overflow.
It's not actually a _compiler_ overflow.
Instead, it's a subversion of the "buffer overflow protection" that's built into the compiler. The most startling piece of this technical review is that the Microsoft "Overflow Protection" in the compiler appears to be a port of StackGuard. The reviewers point out that an examination of the binary output reveals that the compiled code is nearly identical to the StackGuard output.
-
Re:Interesting review, but...
For a good book on security and programming, try "Building Secure Software" by John Viega and Gary McGraw. I am going to use this book as the course text in the next offering of my graduate security course.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase -
Re:Gimme specifics
Happily there are many more specifics and tons of code examples in the book that I was (in fact) plugging on cnet.
The second half of Building Secure Software has detailed chapters on: buffer overflows, access control, race conditions, random numbers, applying crypto, input validation, password systems, tamperproofing, and getting through firewalls. There's (too much) C, some Java, and a bit of Python to make things real.
Security weenies tend not to understand that software lies at the heart of the security problem, choosing instead to throw firewalls and crypto at the problem and call it solved. You guys know better.
Software, the proactive security solution.
gem
Gary McGraw
http://www.cigital.com/~gem -
Re:Wrong Problem.
Even companies that have traditionally used egregious licenses to escape the blame for their bad shovelware are coming to realize that users are demanding better stuff.
For security, things are further complicated because in general, functionality and security trade off badly against one another. Plus security is not a feature...it's a property.
We wrote "Building Secure Software" to help developers negotiate that tradeoff (and other related thorny tradeoffs). In the real world of "should have shipped it last quarter" developers concerned about security need all the help they can get!
gem
Gary McGraw
http://www.cigital.com/~gem -
Re:It's all a hoax
I hadn't heard about the Canadian Keno problem, but I had heard about the Texas Hold-em Poker problems a couple of years ago. (That's http://www.cigital.com/news/gambling-tech.html for the goatse.cx paranoid)
-- -
Re:Pretty simply theoretically, but probably a pai
I HIGHLY recommend checking out the FAQ for the usenet group comp.software.testing. It can be found at: http://www.faqs.org/faqs/software-eng/testing-faq/ or at: http://www.cigital.com/c.s.t.faq.html
There's MUCH MORE to automated testing than just recording and playing back keyboard/mouse input.
Here are some of the issues that need to be dealt with:
- Timing. (It's hard to click a button, if it ain't there, yet.) Different versions of the Application Under Test (AUT) may run at different speeds (better/worse performance) on the same system, or you may try to run the same automated test on different (faster/slower) platforms. In either case, there's a need to wait until *something* has happened, and only then feed in the next input.
- Location. Minor modifications of the AUT may cause fields and buttons to be relocated. Hard-coded locations in your test scripts are a PAIN to maintain!
- Verification. How do you know if it did what you wanted it to?
- Screen capture? Again, minor screen layout changes force major maintenance headaches.
- Date/Time and other varying output. If your Application puts up a date or time on the window, you're gonna need a way to mask that out between prior and current runs so it doesn't give you a false negative.
- Error Handling. The whole idea is to deal with an application that might not run the same every time. That means needing to determine all possible outcomes, and to be able to deal with them, too. (It's all too easy to get into deadlocks where the application is expecting input, and the test program is waiting for some other screen to display before it sends any keystrokes to it.)
I could go on and on, but this hopefully gives a hint to the complexity and difficulty in automated testing. (And, yes, I've stumbled upon ALL of these myself at one time or another.)