Might not sound like much, but if you are working with financial information, for example, this is a HUUUUGE breach.
Good thing it's storing settings - like which side of the screen a toolbar is attached to, and what buttons are visible. ;)
However, I would never generalize and recommend people to always roll their own stuff
I recommended investigating third party libs and considering rolling your own, rather than using Microsoft's solution. I'm going to have to stand by my statement on this one.
You are right that always rolling your own is a very bad thing.
Dude, you should be doing that with ALL your code, regardless if you are re-inventing something or not...
Some people like to start coding before designing. I've met people that had to hammer on a keyboard to get their thought processes going - usually the code gets 100% rewritten as soon as the design is complete and accepted.
I personally don't have that, but I can't find a valid reason for arguing against it.
Input sanitization would catch the uneven number of closing tags, assuming you somehow confused it.
As stated, sanitization is done when both loading and saving. In this case it would just reject it as an invalid file.
And before you ask, it also sanitizes identical element names directly inside each other.
But since the input sanitizing code filters all that out, it's a non-issue unless you're manually editing in notepad. And if I've done my job properly, you'll have a GUI to change all settings, so you'll never have to hunt around in a settings file... :/
The settings file is settings.xml, and can be read by other xml parsers.
Typical output from saving settings would be something like this:
http://www.w3schools.com/XML/plant_catalog.xml
(Although for a settings file, there's no need to have characters like $; for storing text, there would be)
You'll notice the ASCII text and lack of attributes on anything - but it still gets the job done and people call it XML. You can insist I didn't create an xml parser, and I will agree with you - I created a ProgramSettings parser, and it generates 100% valid (but very simple) XML.
Again, the purpose was not to parse all XML files, or greatly increase the attack surface by having tons of complicated syntax. The purpose was to store and retrieve program settings to/from an easy to edit format.
I guess I just got tired of ini. Spent too long configuring Samba on Ubuntu. ;)
So you didn't write an XML parser, then. I sure hope that when you documented that thing, you didn't call the format of your app settings file "XML", because it sure as hell isn't that.
It parses and generates valid XML files, readable or writable by other parsers - as long as you stay away from attributes. ;)
But I understand your point. Technically it's not an XML parser.
What makes you think your own code is any better?
His own code can be easily updated when it needs to be. Microsoft's... heh heh.
There's truth in that, but I also limit the implemented features.
If you stick with simplistic syntax, it's much easier to cut down on attackable surface. When I wrote an XML parser for app settings, I chose...
ASCII only, no XML attributes (only simple tags), strict closing tag order. Also, opt-out input sanitization (all chars rejected unless... A-Z, a-z, 0-9, +_-, etc.) when both saving and loading.
I'm not a genius; limiting features and scope can be done by any half-decent coder that spends some time designing before coding. Just figure out what you actually need to complete your task (in my case, storing program settings), and figure out if there's a third party lib which works, or whether you should roll your own. If rolling your own, design before you begin to code.
All the exploits hitting MS's XML Parsers and even the Java XML Parser really encouraged me to build my own. It's not a proper implementation of any XML spec, but anyone can look at it and edit it in notepad, and the worst that can happen is the file gets rejected as containing invalid syntax. Or, if they try to add attributes, it complains about a missing closing tag. Either way, no exploit. :P
I think the whole thing was under 200 lines of java code, too. Certainly not mind-boggling.
You are advocating security through obscurity.
Somewhat - but I prefer security through limited feature sets.
In the case of XML Parsers, they have a lot of features, and XML can have very complex syntax. New exploits pop up quite often. If you only need to store a few settings, why not roll your own simplistic XML parser? Or go even simpler and use INI!
For an XML parser, make it only understand <tags>, data in between tags, and spit out errors if there isn't an ending tag for every single tag, in exactly the right order. Sanitize all input with checks for <> or other special chars.
Make it ASCII only too, since it's only storing settings - perhaps even limit it to opt-out sanitization rather than opt-in, and just accept characters or numbers.
How do you crack that? You can't. Some strange exploit related to unicode characters isn't going to break open an exploit 2 years from today - if you did proper unit testing, and your code is bug free, then you just wrote an "unhackable" XML parser, which at the worst will just reject files as not having valid syntax.
I call that "rock solid", and for high-risk code, I'll always go for a reduced feature set and more security.
Note: I would never roll my own crypto. I do place great faith in OpenSSL...
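Added example, not the poster's Java code: the restricted settings parser described in the two posts above (and in the earlier reply about sanitizing on both load and save), written here in Python. It accepts only ASCII, only plain <name> tags with nothing else inside the angle brackets, enforces strict closing-tag order, refuses a name nested directly inside itself, rejects the whole file on any violation, and applies the same whitelist when writing. The extra value characters (space and ".") and the rule that an element holds either text or children, never both, are my assumptions rather than anything the thread states.

```python
# Character whitelist: the thread names A-Z, a-z, 0-9 and "+_-, etc."; space and
# "." are added here for values only (an assumption, so "Save Undo" and "1.5" store).
NAME_CHARS = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+_-")
VALUE_CHARS = NAME_CHARS | frozenset(" .")

class SettingsFormatError(ValueError):
    """Any deviation from the restricted format rejects the whole file."""

def _check_chars(s, allowed, what):
    bad = sorted(set(s) - allowed)
    if bad:
        raise SettingsFormatError("%s contains disallowed character(s) %r" % (what, bad))

def parse_settings(text):
    """Parse the restricted format into a nested dict {name: text | {children}}.
    Rejects: non-ASCII; anything inside <...> but a whitelisted name (attributes,
    self-closing tags, comments, prologs); unmatched or out-of-order closing tags;
    a name nested directly inside itself; text outside the single root; text
    mixed with child elements (assumption: a settings file is a plain tree)."""
    if not text.isascii():
        raise SettingsFormatError("non-ASCII input")
    frames, root, pos = [], None, 0  # frame: [name, children dict, text]
    while True:
        lt = text.find("<", pos)
        chunk = (text[pos:] if lt < 0 else text[pos:lt]).strip()
        if chunk:
            if not frames:
                raise SettingsFormatError("text outside the root element")
            if frames[-1][1]:
                raise SettingsFormatError("mixed content in <%s>" % frames[-1][0])
            _check_chars(chunk, VALUE_CHARS, "value of <%s>" % frames[-1][0])
            frames[-1][2] += chunk
        if lt < 0:
            break
        gt = text.find(">", lt)
        if gt < 0:
            raise SettingsFormatError("unterminated tag")
        body = text[lt + 1:gt]
        closing = body.startswith("/")
        name = body[1:] if closing else body
        if not name or set(name) - NAME_CHARS:  # ' ', '=', '"', '/', '!' and '?' all fail here
            raise SettingsFormatError("malformed tag <%s>" % body)
        if closing:
            if not frames or frames[-1][0] != name:
                raise SettingsFormatError("unexpected closing tag </%s>" % name)
            done = frames.pop()
            value = done[1] if done[1] else done[2]  # branch -> dict, leaf -> its text
            if frames:
                frames[-1][1][name] = value
            else:
                root = {name: value}
        else:
            if not frames and root is not None:
                raise SettingsFormatError("more than one root element")
            if frames:
                if frames[-1][0] == name:
                    raise SettingsFormatError("<%s> nested directly inside <%s>" % (name, name))
                if frames[-1][2]:
                    raise SettingsFormatError("mixed content in <%s>" % frames[-1][0])
            frames.append([name, {}, ""])
        pos = gt + 1
    if frames or root is None:
        raise SettingsFormatError("missing closing tag or empty document")
    return root

def write_settings(tree, _pad=""):
    """Serialize a nested dict back to the format; saving applies the same rules."""
    if not _pad and len(tree) != 1:
        raise SettingsFormatError("exactly one root element required")
    lines = []
    for name, child in sorted(tree.items()):
        _check_chars(name, NAME_CHARS, "tag <%s>" % name)
        if isinstance(child, dict):
            if name in child:
                raise SettingsFormatError("<%s> nested directly inside <%s>" % (name, name))
            inner = write_settings(child, _pad + "  ").rstrip("\n")
            lines += ["%s<%s>" % (_pad, name), inner, "%s</%s>" % (_pad, name)]
        else:
            _check_chars(child, VALUE_CHARS, "value of <%s>" % name)
            lines.append("%s<%s>%s</%s>" % (_pad, name, child, name))
    return "\n".join(lines) + "\n"

def validation_error(text):
    # None if the text is accepted, else the rejection reason (for a GUI or tests).
    try:
        parse_settings(text)
    except SettingsFormatError as err:
        return str(err)
```

Anything with attributes, a self-closing tag, a comment or a prolog is refused outright, so a file that other XML parsers would accept can still be rejected here; that is the intended trade-off.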
I read that site sometimes. I don't make mistakes like that - not because I'm brilliant, but because I actually write unit tests and try to fark my own code over. I never assume because I think it should work, that it will work.
For me, actually writing code is probably less than 20% of the time spent on a piece.
I also follow the rulebook when it comes to sanitizing input, or anything that could be modified by a user.
But none of this has anything to do with not depending on Microsoft when third party libs are available.
No. Just consider where you're placing your faith.
As someone above posted - OpenSSL or MS Crypto? I know which one I'll be using!
Java XML Parser? MS XML Parser? Have you seen the number of published exploits and fixes released?
Automatic updates for your app?
Those last two are probably best implemented by reinventing the wheel.
Hehe... it'd be a horrible idea for me. :D
But automatic updates and XML parsing are easy. I wouldn't expose an app to the vulnerabilities Microsoft's implementations provide.
NO! Don't roll your own crypto. This is madness!
I'd never do that.
OpenSSL is available for windows; use that.
-> go for a third party library. (perhaps open source)
The rewrite it bit was actually referring to automatic updates and XML parsing. Those are pretty easy to implement properly in an app, without depending on Microsoft-coded services.
Apparently I'm 80% overrated, but that's also why a single exploit can affect so much software. Rather than using a third party lib, most devs just use whatever you stick in front of them. :/
Install less software to protect yourself?
Use different software. There's a difference between not using anything, and preferring manually installed FOSS to Microsoft's solution.
This includes IE, Chrome, and Safari on Windows. What's worse, because of the OCSP attack [CC] that Moxie also presented at Defcon, this certificate cannot be revoked."
It irks me how much Microsoft and Google products depend on Windows components.
I'm an avid nLiter for my own personal computers. Google uses BITS for updates, and apparently MS Crypto too. This is all stuff that I strip out entirely, because just about all non-Microsoft non-Google software works fine without it.
If there's one thing I've learned about software development, it's that if you depend on system APIs, you're more likely to get attacked. After all, every Windows computer has such libraries, so why wouldn't hackers target it? Short of heavily modified/nLited XP computers, you'd have a 100% attack base if you can find an exploit in the component, or a way to exploit that component's behaviour.
As a developer, if you have an option about what you use to handle something... like crypto or updates... code it yourself and code it properly, or go for a third party library. (perhaps open source) XML Parsing? Code it yourself or use a third party lib, but DO NOT use MS XML parsing. You're asking for trouble if you do!
Why not just create a standard archive format for app distribution, and let anybody make and distribute apps. Just like with the Windows Mobile platform, or for that matter the PalmOS platform?
So that if they get complaints, they have archived copies of the apps in question. It also removes the chance of the apps just vanishing.
Recently I was trying to install a Firefox extension... but the homepage was down, and only the old version for FF2 was available from Mozilla.
Recently I installed BackInTime - an incremental GUI backup program for Ubuntu. A few days ago its website and repositories went down.
Seems logical to have a central repository for everything.
http://developer.android.com/sdk/ndk/1.5_r1/index.html#overview
My bad - you still need to tie apps in with the VM - you can just opt to code huge chunks in C/C++ if that's what floats your boat.
You are correct.
This is where Android really shines. You can program in any language, as long as it's Java.
Android has full C/C++ support, but then you're locked to whatever phone you made it for.
Most devs would rather take a tiny hit in performance to not have to recompile constantly. If you go the C/C++ route, you have the chance that you'll miss out on an Android phone using a different SoC.
With Java, you have languages like Ruby and Python too. ;)
If I worked on something for years, I'd want more than $90,000 before I signed it over.
Just sayin'...
I have a modified claw stance for my mouse and hand. My wrist doesn't bend much - my hand simply rests slightly diagonally on a forward facing mouse.
Works best with Razer mice - huge buttons about 60% the size of the mouse, so you can put your fingers just about anywhere.
The Ubuntu guys can ship a DVD out to you, and their cost is under a dollar.
I don't see why a big OEM can't manage the same.
I know how you feel. I've often wondered why they can't open a hyperspace portal inside/around an enemy ship, ripping it to shreds. After all, the shields are probably down, and the enemy's hyperdrive isn't activated and keeping things under control, so it would be catastrophic, wouldn't it?
And for that matter... Asgard weapons were awesome against the Ori - but as soon as they went to the Pegasus galaxy, they were almost totally ineffective against Wraith vessels. Their excuse? Thick hulls. @_@
Well jeeze - the Daedalus gets in enough battles that I really wonder why they didn't slap a hull a few metres thicker onto it! I also wonder why the Daedalus is so weak in "The Daedalus Variations". It gets ripped to bits by an alien ship, which was hiding from the wraith...
And I wonder why they never used those Asgard battle suits or Ancient personal shield emitters that they picked up. And where did the Zat guns go? Those things disintegrate!
Maybe some stargate geek will give me an answer - but most are probably just TV tropes. Because, y'know, at the end of an episode the state of the universe has to return to exactly the way it was.
Those are the exact same files 7-zip can extract, which fail to slipstream properly the easy way.
Missing DLL errors on install, caused by failing to unpack the cab files. If you had actually done any slipstreaming, you'd have noted the vast drop in uncabbed DLL files from 185.xx, and figured out a way around it - and you'd also be unhappy about it, like I am.
People use the driver installers? Just unzip them and point Windows at the .inf file...
...which isn't possible starting with 186.xx and 190.xx :/
The new installers are not unpackable by programs like 7-zip or WinRAR. Even Universal Extractor fails.
If you know of a way to unpack the new installers, please let me know.
Pneumonia is the most common complication of the flu, say doctors -- and that's ANY flu, not anything specific to any Scary Flu you may have heard about. I should know; I got a bout of it myself while recovering from a nasty flu when I was a kid. (When I was in the throes of the flu I spiked a fever high enough that I hallucinated.)
I had the same thing happen when I was about 10. I remember coughing for hours, day after day, and nothing could be done. A lot of cough medicine makes me hurl, and in the case of pneumonia it's probably better to get whatever you can out of your lungs...
According to my mother, before the coughing started I had a really high fever for a day and was also hallucinating.
The coughing was an improvement, although a rather painful one.
Oh - and thanks - but I've been feeling better for months. :P
The new drivers (beyond 185.xx) use a new type of installer as well, which isn't as compatible with slipstreaming into XP CDs. That was my big annoyance.
If I had to guess... on purpose. But it could be one manager making the call - not the entire company, or even any of the top guys.
Apart from that - flu is one ugly disease to have. It doesn't just put you down flat with a fever of 40, but the other infections that sneak in while your immune system is overwhelmed will give you trouble for weeks. Of course, if you get pneumococci into your lungs, you won't have to worry about that, you'll just drown in your own mucus. Flu is rarely deadly, but the opportunistic infections that follow are.
According to the lab, I had H1N1.
For three days.
First day I hurt all over, and had a fever, so I stayed in bed and kept warm. Piled the sheets on top, so I was sweating and uncomfortably hot. I ate an apple mid-afternoon, and went back to sleep. Aching and tired was pretty much it - had no other symptoms.
Second day I was feeling a bunch better, except my back really hurt, so I slept on the couch. Watched some TV and also ate another apple. Oh, and I still had blankets piled on top to keep warm.
Third day I was feeling less sore, but still wanted to be under blankets because the heat made the ache go away. Was awake most of the day, watching TV; not enough energy to do much else. Only had one short nap, though. Ate an apple, banana, and later some raw carrots, raw cauliflower, and a small amount of cooked chicken that someone else prepared. Also pooped, not that you care. :D
Day four I was feeling pretty good. Low energy, but ache was gone. Was feeling good enough to get up, read slashdot, play a game for a few hours, etc., and didn't have any negative effects afterward from doing it. Had a much needed shower and went to bed early.
Day five I felt fine. Stayed indoors rather than going out. Watched movies fairly late into the night. Didn't do any strenuous activities.
Day six... feeling fine. Still opted for staying home. Wouldn't feel right infecting coworkers or friends. Got some much needed house-cleaning done.
Day seven - returned to work. When I got there, one of my coworkers was sneezing and had a cold. :/
Overall it was the most mild flu I've ever experienced - not even a runny nose! But if your claim about flu opening the door for other diseases is correct, then maybe this time I lucked out and nothing else got in?
FYI, I've had no flu shots for about the past decade. My immune system has had a couple years and over a dozen sicknesses to fight through, so it's probably had a good workout. If I were much older, it might not be the same story.