Slashdot Mirror


User: Tom7

Tom7's activity in the archive.

Stories: 0
Comments: 2,199

Comments · 2,199

  1. Blame the language on Don't Forget That Worms Happen Everywhere · · Score: 3, Interesting

    Yes, worms can happen everywhere. That's because practically all network software is written in C (or its perverse descendent, C++).

    If we were coding our network software in a secure ("safe") language (one without buffer-overflow "capabilities") such as Java, O'Caml, (or even scripting languages like Python, to an extent) we would greatly reduce our security risk. Given that these languages also typically increase productivity, it seems like a clear win to me...

    Microsoft realizes the contribution C and C++ make against stability and security; they've recently hired up a lot of famous programming language folks to work on new language technologies. Microsoft knows that large projects written in languages without sophisticated modularity constructs (i.e. C, C++) tend to get out of hand quickly. They're working to fix this! They're even working on technologies to improve the stability of device drivers through language technologies (see the Vault project, for instance).

    However, C has always been the UNIX platform's language. Will UNIX stay in the 60s as even Microsoft moves on? If so, I say it will be the "wormy" operating system family of the 21st century...

  2. The question is... on Felten Will Present SDMI Research At USENIX · · Score: 2

    Many have. There are loads of indie labels all over the country. The question is, why do most people listen to radio bands?

    Of my 300ish CDs, maybe 20 or so are from major labels. It's easy to build a collection of music you like without walking into a national chain and buying from their $16 greatest hits section. It's cheaper, and it feels better too. (Better yet, buy from bands at their shows; they get almost all the money and it is cheaper for you!)

    Hell, go on mp3.com and search for a while and you'll find something you like for free. *That* may be the future of music.

    Another thing you could do if you feel like you should combat major labels is make music and release it to others on the internet for free. This is a lot easier than selling CDs and usually doesn't cost you anything. And that worries the record companies more than indie labels, since the majors are already comfortable with dealing with labels.

  3. Oh well... on Felten Will Present SDMI Research At USENIX · · Score: 5, Insightful

    That's too bad. It was better when the RIAA didn't know how to pick its battles -- they would've lost serious points if this had gone to court.

    Is Felten planning a suit for harassment?

  4. That's not the DMCA.. on Sklyarov Case Exposes DMCA Contradictions · · Score: 2

    What does this have to do with copyright? The DMCA is about writing software which defeats protection of *copyrighted information*. It is a law bought by the media companies to keep you from using their content in ways they do not have control over.

    The DMCA is a bad law, but let's get our facts straight so that we can fight it most effectively. It is not productive to fanatically distort the law into some kind of root-of-all evil monster.

  5. Wowsers... on Patenting In The Burst Test · · Score: 2

    That is the most grammatically awkward submission I've read recently. It's almost as if Taco wrote it himself! ;)

  6. Re:EH? on Trojan Room Coffee Pot Auctioned Off · · Score: 2, Informative

    The coke machine was at CMU (in the grad CS lounge); you could finger it to see the quantity of soda and their temperature.

    http://www.cs.cmu.edu/~coke/history_long.txt

  7. Dynamic Updates on Code Red III · · Score: 2


    Hehe.

    I'm waiting for one which sends digitally-signed updates to hosts (like hybris did off usenet) for upgrade capabilities. From what I understand, CR2 was not directly based on CR1's code (though it's easy enough to disassemble the executable that it sends your web server...)

  8. well, on Slashback: Mods, Books, Checkmate · · Score: 1

    At least in my mind, "Return of the ___" and "The ____ Strikes Back" were pioneered by the Star Wars series. Attack of the Clones seems derivative at this point.

    It's a silly name (I thought it read, "Attack of the Clowns" at first), but it sure isn't petition-worthy.

  9. Why do we get offended at this stuff? CHILL! on Mac Rants · · Score: 2


    I don't really know why this needs to be an argument, though. It is really good to have variance in the industry. If we were all running the same OS and processor and software, worms like Code Red would have the potential to take out the whole internet. (don't get me started...)

    Let's let the Mac folks be Mac folks. If they say their stuff is faster, who cares? There's no point in getting upset. It's not as if you actually designed the Athlon processor, and need to feel offended that someone says their potentially inferior favorite chip is better than the one you poured your heart and soul into designing. All you did was read Tom's Hardware Guide or Ars Technica. Every side has its own propaganda, and it's easy to convince someone of anything.

    Tell them that you'll believe it when you do benchmarks on your own apps. Use the standard compilers and see which one wins. Until then, speculation is only wasting all of our time!

  10. Bug report: on Help Test Exciting All-New Slashdot "Banjo" · · Score: 4, Funny


    it doesnt go

  11. Right on...! on Slashback: Mexico, Ukraine, Oceania · · Score: 2

    I think the slashdot populace (not you, the kind of people whose sentiment was expressed in that line about ISPs) should think their principles through carefully. Most of the time, ISP regulation of your email or access is seen as bad on slashdot. So is government regulation of the internet. I agree. But when there is some annoyance, they want regulation to fix that. Bad idea!!

    Annoyances like spam or sircam are not that bad compared to what could happen to the internet if we encourage value-add ISPs like this (or in the case of spam, government regulation). Just press delete or write some damn mail filters. Stuff like the DMCA or the CDA is much, much harder to deal with.

    It is true that corporate email systems should have filters for this. Perhaps, if I ask my ISP to block mail with attachments, they should be able to provide that service. But when I am paying for raw internet connection, I do NOT want regulation on that from anyone. Do you?

  12. Re:How can they trust the results? on Grid Computing and IBM · · Score: 1


    Some problems are intrinsically checkable. For instance, if you do a distributed factoring search, and report factors, it is easy to check if it is really a factorization of the number in question.

    Other problems need redundancy. This isn't just to guard against malice, but to protect against hardware failure.

  13. Sweet, 1000 RH 6.2 machines... on Final Fantasy Movie Interview · · Score: 2


    Dude, 1000 roothat boxes... Imagine installing the patches on those. ;)

  14. Re:Kernighan and Ritchies's C Programming Language on Computer Books For A Library? · · Score: 1

    Please, god no.. the last thing we need is more C programs.

  15. Good god, since when does Computers = Systems?? on Computer Books For A Library? · · Score: 2

    I think you need a bit more breadth there, dude. Almost every book you listed is in the "systems" category, only one of the many areas of computer science (albeit a popular one among slashdot kids). How about:

    Theory? (and the million areas of theory?)
    Software engineering?
    Modern Programming Languages?
    Graphics?
    User interfaces?
    AI?
    Computational *?

  16. Mercury Speed on ICFP 2001 Task · · Score: 1


    Here's benchmarks:

    http://www.bagley.org/~doug/shootout/craps.shtml

    Lots of tests aren't implemented for Mercury, which explains its low score.. but it isn't doing too well in the ones that are implemented, anyway.

    Nonetheless, I think the Mercury folks took a prize last year though, didn't they? (Don't get me wrong, I'm all for unorthodox new languages.)

  17. Well, Microsoft Research. on ICFP 2001 Task · · Score: 1


    Well, that would be Microsoft Research, actually, and last I checked Peyton-Jones was at the Cambridge one.

  18. Re:Guess What ? on ICFP 2001 Task · · Score: 1

    > or perl, or c, or c++, or shell with awk and sed.

    Ha, good luck with those. This is not just simple string manipulation...

  19. Re:And the winner is... on ICFP 2001 Task · · Score: 1

    Well said, dude.

    I'd like to see a java entry in this, but having written compilers in java before, I know it is very painful. (Not as painful as C, mind you, but painful.) The ML family and related languages have a huge advantage here.

  20. Re:actually... on ICFP 2001 Task · · Score: 1

    C is a poor language for rapid development because it is not safe -- it's too easy to have a space leak or a mysterious crashing bug. Manipulating strings and data structures in C is also rather tedious.

    I would expect that a good C implementation would not be faster, either, because using a higher-level, safe language would allow you to make more optimizations to your program (since you can write it faster).

    Go ahead and prove me wrong, though!

  21. Re:LISP on ICFP 2001 Task · · Score: 2


    I don't think lisp is the most popular functional language any more.. I would say it's probably SML or O'Caml. Lisp hasn't won in any of the previous years, I don't think.

    I agree wholeheartedly, though, that Perl won't be powerful enough for this kind of AST manipulation. I like that the task will probably make slashdot kids think that perl is extremely appropriate -- that will put them in their place all right. ;) Bring it on!

  22. Re:Who will win? Look at past years: on ICFP 2001 Task · · Score: 1

    You mean, they are too busy debugging their core dumps and memory leaks? ;)

  23. Re:SML/NG on ICFP 2001 Task · · Score: 1

    Yeah, it's those french guys and their secret war of Caml vs SML. =)

  24. Re:You know what would be good? on Unsafe At Any Runlevel · · Score: 1

    > I'm not sure that that would be the case. There is a ton of code out there that uses system(3) to invoke sub-processes, despite the fact that system(3) is known to be a problematic interface from a security point of view.

    Well, true or not, it doesn't change the fact that we can eradicate a more common and more difficult-to-detect security problem by switching to safe languages. Certainly we don't introduce any more in this system(3) class by switching from C to O'Caml, for instance.

    > Not necessarily. It is easy enough for the attacker to spoof the initial handshake of a TCP connection just by creating raw packets and writing them over a raw socket.

    It is the operating system's responsibility to be hardened against syn-flooding, since it is what implements TCP. This is a language-independent issue.

  25. Re:You know what would be good? on Unsafe At Any Runlevel · · Score: 1


    The authors of bind, wu_ftpd, IIS 5, rpc.statd, netscape, etc. are all lazy and careless? I don't think I believe that. What programs weren't written by lazy careless people?

    I think it is more because C makes it easy to make this kind of mistake.

    Moving to a safe language automatically gets rid of buffer overflows and format strings (not to mention other non-security related bugs). Then we don't need to expend the care to avoid them; we can spend our time on other security issues. That is what I'm saying.