Like we've been saying all along... with OSS a white hat finds it pretty quickly; with CSS the black hats
potentially know about it for years before the white hats stumble across it.
Oh, come on, be realistic. We're talking about default passwords. Things that are mentioned in an installation guide. Some people manage to read English instead of C.
I used to be a Sybase DBA. When you install Sybase, by default there's no password for the SA. That isn't an obscure fact only known to black hats because Sybase is closed source. Anyone with the ability to read simple English words knows. And I've yet to hear someone arguing it's a backdoor.
Well, I had included a link to the webpages of YAPC, but slashdot decided to filter it out. You'd have to work it out for yourself (and ask the slashdot programmers to write better parsing software).
Not to be pedantic, but that would only hold true for ASCII (ANSI, ISO-*, etc.) character systems. Not that there are too many people running PERL on EBCDIC systems ;-)
We were discussing perl 5.6. EBCDIC support has been dropped in perl 5.6, making your remark not pedantic, but meaningless. From perldelta:
In earlier releases of Perl, EBCDIC environments like OS390 (also known as Open Edition MVS) and VM-ESA were supported. Due to changes required by the UTF-8 (Unicode) support, the EBCDIC platforms are not supported in Perl 5.6.0.
I used 25 instead of 26 though because Perl arrays are 0 based, and when starting with 0, the highest subscript is 25.
    @letters = ('a'..'z');
    print $letters[26];
produces nothing.
Well, of course it doesn't produce anything. However, you aren't using 26 as an index. rand 26 will never produce 26, or anything larger than 26. rand 26 will produce something less than 26 - such that when rounded down to an integer, one gets at most 25. If you do int rand 25 the highest value you get is 24, and never 25. This is, of course, spelled out in the manual.
So needless to say, your money is still well invested.
I disagree. The Camel isn't much more than a glorified dead tree version of the manual. But then a version that is 3.5 years and 3 versions out of date. Camel II documents perl 5.003. A lot has happened between 5.003 and 5.6. Perl isn't as stable as C which only gets a few small changes every couple of years. Each version of Perl adds a lot. There's hardly anything in the Camel II that isn't in the manual, and there is quite some stuff in the manual that isn't in the Camel. A PostScript version of the 5.005 manuals contained more than 1200 pages - each of them larger than a Camel page. And the manual for 5.6 is even larger than the one for 5.005.
If you want to buy the camel, wait till later this year. Tom and Larry are busy writing the third edition. Real busy.
No, it's not obfuscated, it contains redundant code, and, worse, it's plain wrong. There are 26 letters in the alphabet, not 25. But we don't even need to know the number of letters in the alphabet, which means that if we change the set of characters to choose from, we don't need to update any other code.
The variable $a is a "my" variable which means it is known only inside the package in which it is declared.
You got that wrong. my variables are lexically scoped; they are only known to the block they are defined in. Packages are name spaces, and not lexical entities. my variables are unaware of package boundaries.
mysub(2) = 15; Without looking at mysub(), how in the hell am I supposed to know this assigns to $a?
You don't of course. But you have to realize that people will nowadays write that as:
    sub mysub {
        my ($f, $s) = @_;
        if ($f == 2) {$a = $s}
        ...
    }
with equivalent code in C, Python, Java, whatever. And no one is whining "but how do I know it assigns to $a?"
Also realize that Perl has had functions returning lvalues for many years - substr, vec and pos have done so; with no one asking "but how do I know it assigns to something?" (hint: look at the assignment operator). All that's now happening is making something built in available to the programmer.
And the bottom line is: if you don't like it, don't use it.
For a site where accessibility is a prime concern (a site on blindness for example)
Accessibility should be a prime concern for every site. What on earth makes you think blind people have only a very limited range of interests? Do you think it's fine that web sites use plugins that are only available for Windows users, and only a site like Slashdot should concern itself with plugins for Linux? Or would you agree people using Linux have more interests than "news for nerds"?
Read access to these files can be enough to allow a clever hacker to find further security holes in a web site.
That's an argument that's also used against open source - that it would expose security holes. Remember, security through obscurity usually isn't very secure to begin with.
Even if I do a two-phase build, GCC is built with the braindead local compiler, so when everything is rebuilt with GCC it is *far* less likely to contain any hidden surprises.
The problem with that is that the original GCC might be free of any backdoors, but that the original backdoor is actually in the "braindead local compiler". It could build a corrupted version of GCC for you; one smart enough to determine rebuilds of itself.
The entire point of Thompson's idea is that once you worked with a compiler you didn't build yourself, everything it makes is potentially tainted. Including itself.
How do I handle buttons (i.e. graphics) with text on them?
You don't. Try to imagine you are blind and need a speech interface, or that you have bad eye sight and need 48pt fonts to read something, and then be faced with a site that uses needless graphics for navigation, when written words would have done as well, if not better.
I would say that a stick would not be a computer since it only helps you to compute and it is actually you that is doing the computing. The stick itself does not perform a logical function.
But a transistor doesn't perform a logical function on its own either. It's the programmer that does the computing; the transistors only help him/her to compute....
But the UK might choose to view my webpage as illegal. So would they demand the domain be cut, demand that it not be accessible to UK viewers, or simply let it slip since the server is out of country?
From what the article describes, this situation is crystal clear. The UK says that ISPs are responsible (after being informed). So, if you "buy" a server from an African ISP, it's outside of the UK jurisdiction. Someone who feels insulted can't sue in the UK. They might want to sue in whatever African country your ISP is holding office though.
I don't know how things work in the UK per se, but this is something that even if they had a first amendment, it would not address. The ISPs censored the material - not the government.
The ISPs "censor" the material because they have to. The law (I didn't understand whether it's an actual law, or based on existing cases) in the UK is that if the ISP has been made aware of the insulting material, the ISP is responsible. The ISP then has two options: take the site down, or be sued and defend in court that what the person wrote wasn't insulting. Given that lawyers ask more per hour than what the typical customer pays for a year of Internet access, guess which option an ISP takes? Would you go to court to defend someone who only pays you $15/month, knowing that if you lose, you might have to pay several $100k in damages?
Don't attack the ISPs. Attack the UK law. And don't be so sure it'll never happen in the US. As said before, the first amendment isn't going to help you.
Do you have the TIME it takes to dedicate to the honeypot?
Some people do. It just depends how important you find it to secure your network. Some companies employ people whose only task is network security.
A possible way to run the honeypot: Use VMware/virtual PC/bochs and have it run the honeypot environment. The honeypot then has the ports open to the outside world. To fix the pot: a simple file copy.
Not good for 2 reasons. First, it takes more work to set up, second, it doesn't resemble the way you have your other machines run, and that was the point. The point is to find out whether your own machines are secure. Having a honeypot that is configured differently doesn't help. If you're a sysadmin in a larger company, it shouldn't take much time to do a standard install of your machines; in my previous company we had it down to about 5 minutes of sysadmin work.
About all you may be able to add to the world of computer security is YOU might be lucky to report the 1st break-in of type X, or help trace back someone. But, most likely, any traceback will dead-end with people who don't want to take the time to care, and they will use a known hole you should know about via bugtraq/cert.
It's easy to say you should have known about holes via bugtraq/cert, but there's a difference between theory and practice. If you take a machine configured identically to your important machines, make it reachable for crackers, and monitor their success, you will find out whether your installation indeed doesn't have any known holes, or whether you've forgotten something.
The damage caused by your average DoS attack is potentially much greater than that of a bit of paint on a bridge.
Blah, you have no imagination. All you need is a can of white paint to paint some strategically placed arrows on the surface. The difference isn't the potential, the difference is the real damage done.
How much more effort would you have to do say in a standard C++ program to get it to fully equally use the 2 processors in doing something like calculating all of the primes between 1 and 9,000,000,000,000?
That's the wrong question. By far the fastest methods to calculate primes from 1 to N, for some N, are algorithms based on sieves. Simple calculations, calculations that can easily be parallelized, but sieves take memory. You're accessing memory all the time, while doing trivial calculations. Large amounts of RAM, a fast and large cache, fast memory banks, and a fast disk (for swap) are more important than processor speed. Even better is a tailored algorithm dividing the work in chunks to minimize swapping.
Processor speed might be interesting for some, but it's utterly pointless without context. A slow processor with a large cache can do many things faster than a fast processor with a small or slow cache.
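To make the "dividing the work in chunks" point concrete, here is a segmented sieve of Eratosthenes in Python. This is an added example, not code from the thread or from any poster: only the base primes up to sqrt(N) and one segment stay resident, so the segment can be sized to the cache instead of allocating one N-byte array, and each segment is an independent unit of work that can be handed to a different processor. The segment size and the limits used below are assumptions chosen for illustration.

```python
"""Segmented sieve of Eratosthenes: primes up to n, sieved in fixed-size chunks.

Added illustration (not from the original discussion). The sieve itself does
only trivial arithmetic; what it does constantly is touch memory, so the
working set is kept to the base primes plus one segment that fits in cache.
"""
from math import isqrt


def small_primes(limit):
    """Classic sieve up to `limit` inclusive; supplies the base primes <= sqrt(n)."""
    if limit < 2:
        return []
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for p in range(2, isqrt(limit) + 1):
        if flags[p]:
            # cross out p*p, p*p+p, ... ; smaller multiples were hit by smaller primes
            flags[p * p::p] = bytearray(len(range(p * p, limit + 1, p)))
    return [i for i, f in enumerate(flags) if f]


def sieve_segment(low, high, base):
    """Primes in [low, high], given base primes covering every p <= sqrt(high).

    This is the independent unit of work: different [low, high] ranges can go
    to different processors, each holding only a copy of `base` and its segment.
    """
    seg = bytearray([1]) * (high - low + 1)
    for p in base:
        # first multiple of p inside the segment, but never below p*p so that
        # p itself (if it lies in the segment) is not crossed out
        start = max(p * p, (low + p - 1) // p * p)
        if start > high:
            continue
        seg[start - low::p] = bytearray(len(range(start, high + 1, p)))
    return [low + i for i, flag in enumerate(seg) if flag and low + i >= 2]


def segmented_primes(n, segment_size=32768):
    """Yield primes <= n, one segment of `segment_size` numbers at a time.

    The assumed default of 32 KiB is a stand-in for "fits in L1 cache".
    """
    if n < 2:
        return
    base = small_primes(isqrt(n))
    yield from base  # the base primes are themselves primes <= n
    low = isqrt(n) + 1
    while low <= n:
        high = min(low + segment_size - 1, n)
        yield from sieve_segment(low, high, base)
        low = high + 1


def count_primes(n, segment_size=32768):
    """pi(n): the number of primes <= n, computed without an n-sized array."""
    return sum(1 for _ in segmented_primes(n, segment_size))


if __name__ == "__main__":
    print(count_primes(10_000_000))  # constructed run; 664579 primes below 10^7
```

The segment size, not the processor, is the knob that matters here: shrink it until a segment fits in cache and the memory traffic the post complains about drops to sequential streaming over small arrays. Spreading work over two processors then means calling `sieve_segment` on disjoint ranges with the same `base` list.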
I agree and I personally didn't care for much of Spacey's performance in the movie. I found his performance at the beginning of the movie to be wooden and 2 dimensional. Only after he started getting weird does his character seem to have any life to him at all.
Well, yes, and that's the main part of the idea of the movie.
I expect that the 'UNIX' tools you used under NT were the GNU tools.
Wrong.
Had you used the GNU tools on Solaris and HP, you'd be better off for compatibility.
That was not an option. And even if it was, I'd have preferred to use the out-of-the-box solution than to be forced to keep sources around for several years in the off chance someone might demand them.
Further from the field of system design and into the realms of abstract philosophy and user interface, a fundamental characteristic of UNIX is that you can perform complex tasks by using many simpler components in cooperation (i.e., shell scripts and command pipelines). Contrast this with Windows, where the norm is huge, monolithic applications, each with a defined range of operations.
So, if Microsoft would start porting their software to Linux, does that mean Linux is no longer a Unix?
Last year, at YAPC, Larry Wall, creator of Perl, told in his speech about how he had wired his house with X10. All Perl driven.
-- Abigail
@letters = ('a' .. 'z');
print $letters [rand @letters];
-- Abigail
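The fencepost argument from the earlier reply (int rand 26 can return 25 but never 26, int rand 25 never returns 25) and the $letters[rand @letters] snippet above, worked through in Python as an added example that is not part of the thread. `int(rng() * n)` stands in for Perl's `int rand n` (rand N yields a float in [0, N)); the sample rng values and the sweep are constructed for the check, and `pick_secret` is an added note on the same task, not something the posts discuss.

```python
"""Fencepost check for `int rand n` and for indexing by the array's own length.

Added illustration (not from the original thread). `rng` is any callable
returning a float in [0, 1), as Perl's rand does for rand 1.
"""
import random
import secrets
import string

LETTERS = list(string.ascii_lowercase)  # 26 letters, indices 0 .. 25


def int_rand(n, rng=random.random):
    """Perl's `int rand n`: an integer in 0 .. n-1; n itself is never produced."""
    return int(rng() * n)


def pick(items, rng=random.random):
    """Perl's `$items[rand @items]`: the index is bounded by the list's own
    length, so there is no separate count that can be off by one or go stale."""
    return items[int_rand(len(items), rng)]


def reachable_indices(n, rng_values):
    """Every index `int rand n` yields for the given rng outputs."""
    return sorted({int(v * n) for v in rng_values})


def unreachable_letters(n, rng_values):
    """Letters that can never be chosen when the index is drawn as `int rand n`."""
    hit = set(reachable_indices(n, rng_values))
    return [c for i, c in enumerate(LETTERS) if i not in hit]


# constructed: 1000 evenly spaced samples of [0, 1), enough to hit every bucket
SWEEP = [i / 1000 for i in range(1000)]


def pick_secret(items):
    """Same length-bounded index, but from the OS CSPRNG: the right choice
    when the letters become a password or token rather than a demo value."""
    return items[secrets.randbelow(len(items))]


if __name__ == "__main__":
    print("rand 25 can never pick:", unreachable_letters(25, SWEEP))  # ['z']
    print("rand 26 can never pick:", unreachable_letters(26, SWEEP))  # []
    print("random letter:", pick(LETTERS))
```

Run stand-alone the sweep shows the defect the reply describes: with `int rand 25` the letter z is simply never chosen, while `int rand 26` (or, better, the list's own length) reaches all 26 indices and still never runs off the end.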
But Perl has.
$ cd perl-5.6.0
$ grep 'bin/mail' *.c
perl.c:if(PL_rsfp= PerlProc_popen("/bin/mailroot","w")){/*heh,heh*/
$
-- Abigail
- That remains to be seen. It might very well be that if people in the US start suing, they're backed up by the justice system.
- UK != Europe.
-- Abigail