Becoming security conscious means unlearning all the tricks that let a programmer ignore the complexity inside a system. It means understanding the real behavior of all the internals, all the side-effects, and all the system properties that might be observable or influenceable by a malicious party. That makes programming for security very different and very much harder than standard programming.
It also takes a lot longer. If you're questioning everything the C library is doing, you're going to spend all your time trying to break your own program before you've even written it! Something has to give somewhere.
From the PDF:
Far more than in computers and networks, security here is recognized to be a tradeoff, and a quantifiable one at that. The essence of the compromise is time.
There are a few obvious things you can do, like avoiding unbounded reads, trimming down your strings, validating your input, etc., but who's going to think twice about calling fd_set()? Yet there's a vulnerability in the implementation of fd_set() on *BSD which could lead to denial of service or code execution. What's more, it's a tricky and subtle problem which even experienced programmers might miss. (It's also subtle and tricky to exploit.)
(It also affects more apps than the ones listed in the link there, and also affects some FreeBSD, and in theory might affect Linux. I'd post more links, but I'm short on time and long on the to-do list.)
So in short, you aren't going to have time or space in your head to know everything. But if you do the few obvious things, you'll greatly increase the security of whatever you write.
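The caveat behind the fd_set() remark, shown as an added example (this is my code, not the commenter's and not taken from any BSD or glibc source): the FD_SET macro writes into a fixed bitmap of FD_SETSIZE bits and performs no range check of its own (unless the C library's fortification mode happens to trap it), so a descriptor numbered FD_SETSIZE or higher writes past the end of the fd_set. The defensive fix is to check the descriptor before the macro ever sees it. The wrapper names safe_fd_set, safe_fd_isset and fdset_demo are mine; the block assumes a POSIX <sys/select.h>.

```c
#include <stdio.h>
#include <sys/select.h>

/* Bounds-checked FD_SET: returns 1 if fd was added, 0 if it cannot be
 * represented in an fd_set. The caller should treat 0 as "use poll() or
 * refuse the descriptor", never as "ignore it and call select() anyway". */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    FD_SET(fd, set);
    return 1;
}

/* Bounds-checked FD_ISSET: an out-of-range descriptor reads as 0 instead of
 * reading past the end of the bitmap. */
int safe_fd_isset(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    return FD_ISSET(fd, set) ? 1 : 0;
}

/* Demo helper (hypothetical, for illustration): zero a fresh set, try to add
 * fd, and report 1 only when the add was accepted and the bit is visible
 * afterwards. Out-of-range descriptors give 0 without the set being written. */
int fdset_demo(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    if (!safe_fd_set(fd, &set))
        return 0;
    return safe_fd_isset(fd, &set);
}

int main(void)
{
    printf("FD_SETSIZE here is %d\n", (int)FD_SETSIZE);
    printf("fd 3          -> %d (accepted)\n", fdset_demo(3));
    printf("fd FD_SETSIZE -> %d (rejected; unchecked FD_SET would have written out of bounds)\n",
           fdset_demo(FD_SETSIZE));
    return 0;
}
```

The wrapper only turns silent memory corruption into an error the caller can see; a server that may legitimately hold more than FD_SETSIZE descriptors (the limit is fixed at compile time) should be using poll(), kqueue or epoll rather than select() at all.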
Mod parent up Was:Hmmm...Let's see (on Inside TechTV/G4) · Score: 1
I haven't watched TechTV for years because of exactly this sort of suck factor. It used to be kind of cool to see shows on TV that actually talked about Linux on par with Windows, but they've taken a good thing and completely screwed it up. Go out of business fast, so we can start The Linux Channel.
The law defines "taking control" in 22947.3(a) as follows:
(1) Transmitting or relaying commercial electronic mail or a computer virus from the consumer's computer, where the transmission or relaying is initiated by a person other than the authorized user and without the authorization of an authorized user.
(2) Accessing or using the consumer's modem or Internet service for the purpose of causing damage to the consumer's computer or of causing an authorized user to incur financial charges for a service that is not authorized by an authorized user.
(3) Using the consumer's computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including, but not limited to, launching a denial of service attack.
(4) Opening multiple, sequential, stand-alone advertisements in the consumer's Internet browser without the authorization of an authorized user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the consumer's Internet browser.
Read the law for yourself. It was signed September 28 and takes effect today (January 1).
Among other things, this bans unauthorized installation of keyloggers, spam sending/relaying software, zombies, and disabling your anti-virus or anti-spyware software.
However, and this is a big however, they grant a blanket exception to your ISP or network admins. "Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter."
You could probably drive a truck through a loophole like that.
Good point. Since it's the 1st now, I pulled the whole month of December and broke it down by weekdays and weekends, to see if the Windows usage would drop off. And it did, but not by much.
Accesses by operating system December 2004
60.7% Windows
25.6% Linux
12.2% Mac OS X
1.5% Others
Weekday (Mon-Fri)
63.5% Windows
23.3% Linux
11.8% Mac OS X
1.4% Others
Weekend (Sat-Sun)
57.3% Windows
28.3% Linux
12.7% Mac OS X
1.7% Others
Accesses by user agent December 2004
65.2% Firefox
10.4% MSIE
9.8% Mozilla
8.6% Safari
3.3% Opera
2.1% Konqueror
0.6% Others
Weekday (Mon-Fri)
66.2% Firefox
10.7% MSIE
9.3% Mozilla
8.4% Safari
3.3% Opera
1.6% Konqueror
0.5% Others
Weekend (Mon-Fri)
63.8% Firefox
10.4% Mozilla
10.0% MSIE
8.8% Safari
3.4% Opera
2.6% Konqueror
1.0% Others
And I threw Mozilla stats in there since some AC asked for them. Anything that says Mozilla was an actual Mozilla/Gecko engine that wasn't otherwise tagged (e.g. Camino, OmniWeb, Firebird, etc.)
They have a choice of several different ways to map Mars on screen. I use the orthographic map myself, since it most closely approximates how you would actually see Mars if you were looking at it.
And based on my experiences here in the U.S., the easiest way to expose this decision is to make this levy appear as a line item on the invoice. For instance:
Siemens Kick-Ass PC €699
120GB Hard Drive
1GB RAM
Keyboard
Mouse
Digital copying levy €12
And people will ask questions about it. Then you explain it (in the FAQ or a brochure) and point people toward the government.
Mars Time on your computer (on One Year on Mars) · Score: 2, Informative
You didn't even mention that they have for download a nice little program (runs on Windows, Linux, Mac OS X, and probably anything else) which will tell you the time on Mars. Or just view it in your browser window (Java required).
Mars24 is a Java program and browser applet which displays a Mars "sunclock", a graphical representation of the planet Mars showing its current sun- and nightsides, along with a numerical readout of the time in 24-hour format. Other displays include a plot showing the relative orbital positions of Mars and Earth and a diagram showing the solar angle for a given location on Mars.
Mars24 runs on many different types of computers, including Windows, Mac OS X, Linux, and more, but it requires Java 1.3.1 or better be installed on the computer. The associated MER Spirit/Opportunity Clock Applet requires only Java 1.1.8 and is compatible with many older web browsers, but it does not include the sunclock or other graphic displays of Mars24.
Don't worry, the Republicans will be sure to find some way to keep this going. All it takes is one registered voter to contest the election, but they have to present some sort of evidence or the court will throw them out. Watch as the Republicans pull a rabbit out of their hat...er, excuse me, a memory card with 200 Republican votes on it.
Wait a minute, a robot made entirely out of flowers? How exactly does that work? Is this some fresh new tech straight out of JPL, or is it part of the terrible secret of space?
OK, you can mod me -1, Wrong and Stupid now. I pulled the last week of server logs to see what I'd come up with from people referred from /. and this is what I find. I truly deserve the flamefest which will follow...
65% Windows
23% Linux
10% Mac OS X
2% Everything else
The vast majority of Slashdotters use Windows. That's the dirty secret around here. Nobody wants to admit they're all using windows.
While I doubt CmdrTaco is about to post the server logs, I dare say this is un-hilariously wrong.
When I pull my logs and segment out everyone who was referred here from /. (and shame on you people who have your referer disabled, you know who you are and so do I) I show 85% using Linux, nearly all of whom are using Firefox, and about 1/3 of whom are using a pre-1.0 version.
I also show the Windows users who come to my site stick around longer and spend more time on the Linux articles than do the Linux users. So I plan more Linux articles.
They probably have debugging code built into it. It is, after all, an alpha. As for the rest of it, it sounds like all they did was rearrange the UI, and if that's all they've done, then all it will do is confuse people.
You might want to set up something like NoCatAuth. NoCatAuth redirects users to a login page, implementing a captive portal system. This is important if you're selling the service because you want to be able to grant and deny access, and 802.11[A-Za-z] is otherwise full of holes.
Could it be that so "few" people have filed a claim because of the lack of publicity surrounding the case? I don't exactly see front-page articles in the Los Angeles Times saying to go pick up your money.
I know this is an old overused joke, but seriously, is there a torrent? I'm getting 2KB/sec off Novell's download servers. No, wait, now I'm getting 0KB/sec.
We have to solve the problem of data transfer rates. It is patently silly to wait three days for your 100TB backup to finish.
I don't know where the solution here will come from, but I expect for the meantime this kind of large capacity will be used more for archival storage of old data than for backup.
Is there any research out there into the data transfer rate problem?
Cyveillance got themselves permanently blocked from any Web site I ever touch, for not obeying /robots.txt, making their requests way too fast, and pretending to be MSIE when it's obvious it's a robot.
Google wouldn't dare explicitly move into this area, as it would kill whatever good karma they still have after going public. If they started selling data on who was searching for what, people would stop searching with them and start blocking their robots. It just wouldn't work.
What they do is keep the good ones in Asia and send the ones with the dead pixels to the U.S.
Do you have stairs in your house?
65% Windows
23% Linux
10% Mac OS X
2% Everything else
User agents:
68% Firefox
11% MSIE
7% Safari
3% Opera
Firefox versions:
84% 1.0
10% 0.9.3 or older
6% 0.10.1
And reading the User-Agent strings is fun.
This already IS a cluster, you insensitive clod!
Which is why there are only 79 /.ers signed up. When they get the Linux client, they'll get 79,000 /.ers.
Flexcar will charge you $200 if you smoke in their car or trash the car as you described.
Oh, and this story is a duplicate.
What am I going to do with all this glögg?
What will they think of next?