actually, that problem (of buffer overflows) *is* going away, slowly but surely. Every security problem that is fixed is another one gone. Eventually, we'll have replaced all the legacy code that uses fixed-size buffers. (I'd hope that new code uses string classes instead.. surely newbie programmers will use them instead of that complicated pointer arithmetic-style string buffers. surely)
However, all the other types of security issues will still be present in all the new code we have to replace the old. Sometimes I think the old C/C++ code we have is more secure than new languages, as all the code has been checked, and fixed, whereas if you think 'well rewrite it' the new version will have all kinds of other bugs in it.
As for tools, I wholeheartedly agree - and you should check out Microsoft's FXCop and Prefast. I think they're out soon, and hopefully will be free downloads.
please, when I started learning linux security, and what I had to do to secure my web server, I learned all about the script kiddie attacks and their rootkits.
The biggest number are all automated - you should see my logs, I now have quite a few asian IPs blocked who were probing away at various ports. A Quick search on google, and hey, yes, those IPs are blocked by others on published blocklists.
If you want to hack a linux box, you do not need to do anything manually - check out the readmes for various rootkit removal tools. They all say, rootkits are bad and are happy to probe each and every exploit they know about, you're only safe bet is to patch often and keep your box up to date. Maybe the rootkits have to be manually triggered, but frankly, I don't see that that's so big a deal that we can say 'linux cannot be automatically hacked' simply because no-one's bothered to write a email-based virus that does small amount of damage (compared to effectively giving your root password to a kiddie without you knowing)
So, you keep on thinking that Linux is some magically secure OS, I'll stick to my security best practises and hopefully keep mine safe.
considering that Linux is a fer more popular internet server than Windows is, but still gets fewer total exploits in that field.
Guess who didn't read the article...
"accounts for 65.64% of all breaches recorded, with 154,846 successfully compromised Linux 24/7 online computers of all flavours."
So Linux is a more populare internet server, and also gets compromised more often. There's not that much of a surprise to thinking people there - lots more servers, plenty of security holes available for *every* OS, therefore more hacked Linux servers.
Even if there was only 1 security hole on Linux (say, bind), and 100,000 holes on Windows - then such stats that Linux is hacked more often tells us that Windows servers are much more likely to be patched, whereas the Linux servers aren't (possibly due to perceived impression of being inherently 'more secure', possibly because its too difficult for some admins or they forget all the apps they have installed)
Hmm. autobahn on the Apple, GTA4?... they're not quite the same thing are they?
Perhaps if your first introduction to video games was Halflife, GTA, or similar, you wouldn't have grown up to be the well-rounded individual you are today.
Unfortunately the only way we have of checking whether this link is true is to allow kids to play the games, watch the movies, read the sicko internet sites, and then see (when you're a pensioner) whether Kubrick's vision of a clockwork-orangesque world comes true.
Me? I think the little darlings have the rest of their lives to be adults with all the sick and depraved stuff that I enjoy, we should make them be kids while they have the chance.
Boss: Agent Jones, I have a special assignment for you
AJ: Sir! Yes Sir!
Boss: I want you to go deep undercover, join this identity theft organisation and bring them to justice.
AJ: Sir! Yes Sir!
.. months later..
Boss: Agent Jones.
AJ: what. I'm busy, just one more compile, k.
Boss: Well done Agent Jones, the thieves are locked up and the world's a safer place.
AJ: yo! right on! My l33t undercover hax0r sk1lls roxs!
Boss: hmm. Let me have your mission report.
AJ: yeah yeah, mission documentation is for wimps. Read the source, luke dude.
Boss: such a pity. Yet another brave agent lost to the demands placed upon them. The world's such a cruel place.
The trouble is that if you want your identity to be provably you, then you also have all the issues concerning privacy.
See, even if you had a identity card, with a private key on it, issued by the government after you've proven who you are (the tax man definitely knows who you are:) ), and all your online dealings were logged with this key, (so that, to steal your identity, you'd have to steal the key and the passphrase used to activate it, and several biometric checks, etc), then everything you did online could also be traced directly and incontrovertibly to you.
You could only use the key when you wanted to be identified (eg, buying something with credit card), but I'm sure it'd still be denounced by many, after all, just the thought of having an RFID tag in your driving licence has sent waves of resentment, fear and conspiracy through previous posts on/.
Oh, and for this to work, we'd need the id cards, and commodity (cheap) hardware readers for them.
nothing to do with complexity really, your old 8086 was never connected to the internet as we know it, and security was more a case of choosing a password that wasn't 'password'.
Today, I had a new linux server installed for me, and before I even told my customer his mail address, he had spam sent to it, and the server was subject to 2 attacks that BFD detected.
Your old apps probably had all those security flaws in them, just nobody was interested in looking for them.
Of course the word 'never' is totally inappropriate since by definition exceptions _are_ designed to be thrown.
an analogy for you: my car has airbags, which are obviously designed to go off. But they shouldn't be used everytime I hit the brakes hard.
You see, many people simply use exceptions as a replacement goto. the 'clean code with error handling' is often just another way of writing 'goto end'.
I think it's perfectly normal and acceptable to have an exception be an everyday occurrence Absolutley not. Use normal error handling for those errors. Use exceptions for those things that you do not expect to happen but have to handle. FileNotFound is not one of those things (IMHO). FileNotFound after you've opened it and are reading from it... is.
I was a little contentious in the post, but I hope it makes people think a little before just using exceptions as error handlers. (especially if theyre used like VB's On Error Goto:) )
oh dear, again someone who doesnt; understand that exceptiosn are designed never to be thrown. If they were everyday occurrences, then they wouldn't be, well, exceptional.
Unlike some languages who use exceptions for events that you expect (like End-of-file) and poor programmers who think that because they're there, they must be used all the time, for everything, exceptions are a defensive programming measure to ensure that the things that should never, ever happen, are handled gracefully if they do.
I had some Java incompatibility problems with Firefox... we have a timesheet application that is written in Java, and it works fine in IE, but I use Firefox nowadays.
So, just for the hell of it, I try the timesheet app in FF - after installing the Sun JVM as you have to - and it works.. after a fashion. The combo boxes continually flick open and closed (so its keybopard only guys), and the edit fields won;t tab between them and so on - enough problems that I went back to doing my timesheets in IE... except that the same problems are now there too.
In the end, I had to uninstall the Sun JVM in order to make the painful task of filling in my timesheet not more soul crushing than it already is.
Portability of Java.. yes, it worked in a different JVM; no, it wasn't portable enough to be useable.
True, but Nochex requires you to cough up big time (in precentage terms) when you take money out of their system. Paypal is cheaper than Nochex unless you deposit hundreds of pounds to their system.
Fastpay is just as good for selling things, you know, automatically, but a ton cheaper and more transparent with their charges.
The issue isn't with Visa or MC, its the bank that supplies you with the merchant account.
The costs involved in getting a merchant account are reasonably large, too much for small ebay sellers and companies with small turnovers. Paypal is very cost effective in these cases (mainly due to no gateway fees).
As for fraud and defective merchandise - you should read all the bad stuff that people come out with concerning Paypal and its policy on chargebacks. I think its more a 'paypal sucks' type mentality, but Paypal does do chargebacks.
on the other hand, you could say 'thanks Intel', as whilst you've been keeping your pennies in your pocket over the last year, prices have been 'competivitised' so now you can buy a screen that is larger than what you could have had. Due to intel, you've saved your money instead of spending it on the first shiny toy in the first shop window you walked past.:)
I think its more down to your specific skills - consider that no-one programs by flipping switches on a console, or punches holes in cards, and only some people code up C functions nowadays. Sure, knowing what's going on allows you to learn new stuff easily (look at all the C++ programmers who can code up Java once they have a 10 minute tutorial)
As the tools improve (ie become more automated) you have to keep up with them, or become as anachronistic as the blacksmith mentioned.
One day, I think business apps will be programmed using tools something like Visio - drag and drop your 'web service' 'component' match up the inputs and outputs, and connect a GUI at one end (that provides inputs) and a DB 'component' at the other (to provide outputs). Something like this would be suitable for programming 99% of business applications and would be useable by 'business people', not dedicated programmers.
They do 'DDS' servers under several plans, the cheaper the plan, the more virtual servers share the same physical hardware. At the top end, you get the whole server yourself.
The big plus with this system is that they can migrate your server to new hardware by copying a single file or directory - and they will, downtime for server upgrades is in the matter of seconds (copy, turn off old VM, turn on new VM), and you can migrate to new plans with the same ease.
The VM technology is SWSoft's Virtuozzo which comes with some features to prevent 1 VM from taking over the entire hardware - you can set it so each VM will be guaranteed a minimum amount of resources.
don't knock it - its purpose is simple and very clear: It says to users 'get some protection' and won't allow itself to go away until you do. (or turn the notifications off, but the kind of people who need the protection are the ones who won't know how to turn the notifications off!)
It doesn't have to be 'free open source', just open and source.
ie. The patent applicant not only has to write some code showing how his invention works in detail, but also has to show it to anyone who wants to see it. Those people who see it may not use it in their own applications (or they'd be violating the patent) so all the benefits of having a patent apply, but no-one would be able to patent anything that didn't have a concrete implementation (like 1-click for example).
I think that's the idea, but if you think about it - if you wrote code for 1-click, either you'd be restricting people from using the same techniques but they could implement 1-click in a different way, which I think does invalidate the idea of a patent after all.
Imagine I come up with a novel way of toasting bread, and I have to create my 'toaster'. If patents are to work, that'd have to stop other people from inventing the 'grill'. If that is true, then my way of implementing 1-click would stop other people from implementing 1-click in their own way. The alternative, if my software only applies to my way of doing 1-click, then someone could legally invent the grill even though I have the toaster patent.
(I think I'll go lie down and wait for someone knowledgeable about patents to tell me what I mean:) )
Cell phone goes off in class. Okay, three seconds later it's off and we can continue
yeah, but the damage has been done - people's attention has been disrupted and you have to build up that 'mental momentum' again. That can be a big deal for most classes (unless you're reading media studies;) )
Besides, in most places it's different... you don't care about the ringing, its the "I'M IN THE CINEMA. YES ITS GREAT. NO, NO THE ONE WITH HIM OFF THE TELE. YES I'LL BE OUT SOON. MEET YOU AT THE PUB. YES. OK. YES. YES. LOVE YOU TOO. YES. LOVE YOU. GOTTA GO NOW. NO. YES. YES. LOVE YOU. LOVE YOU LOADS. BYE. YES. OF COURSE. NO. YES. GOTTA GO. YES. BYEEEEEE. LOVE YOU" that really annoys us.:)
Well they released it under MPL, which allows you to reissue it under a different licence, one of which is GPL. They did this solely so that certain other projects could use it without any of the kerfuffle that other projects (eg some Apache ones) have suffered from recently.
I think they thought about the licencing issues and have come up with the best they could to ensure Dirac gets used in as many places as possible.
Of course, my opinion is that the OSS licencing issue has become a monster, if to get something widely accepted you have to allow it to be relicened under the GPL...
gawd, its one thing when posters don't bother reading the article, but when they don't read the original post what have we come to?!!
for the very, very lazy: The small town of Riverside, Iowa has long billed itself as the birthplace of James T. Kirk. So they were thrilled when William Shatner came there to film a Star Trek prequel about the early life of Kirk.
the problem isn't going away
actually, that problem (of buffer overflows) *is* going away, slowly but surely. Every security problem that is fixed is another one gone.
Eventually, we'll have replaced all the legacy code that uses fixed-size buffers. (I'd hope that new code uses string classes instead.. surely newbie programmers will use them instead of that complicated pointer arithmetic-style string buffers. surely)
However, all the other types of security issues will still be present in all the new code we have to replace the old. Sometimes I think the old C/C++ code we have is more secure than new languages, as all the code has been checked, and fixed, whereas if you think 'well rewrite it' the new version will have all kinds of other bugs in it.
As for tools, I wholeheartedly agree - and you should check out Microsoft's FXCop and Prefast. I think they're out soon, and hopefully will be free downloads.
I just looked at the methlabs peerguardian page.. it says:
:)
PeerGuardian
"100% accuracy , 0% CPU usage, blocking of ALL protocols, kernel-level
yeah, I unplug my network cable occasionally too
Rumor has it that because Steve Jobs is slightly hard of hearing, he insisted on the extra volume
:)
Rumor has it that because Steve Jobs insisted on extra volume, he is slightly hard of hearing
please, when I started learning linux security, and what I had to do to secure my web server, I learned all about the script kiddie attacks and their rootkits.
The biggest number are all automated - you should see my logs, I now have quite a few asian IPs blocked who were probing away at various ports. A Quick search on google, and hey, yes, those IPs are blocked by others on published blocklists.
If you want to hack a linux box, you do not need to do anything manually - check out the readmes for various rootkit removal tools. They all say, rootkits are bad and are happy to probe each and every exploit they know about, you're only safe bet is to patch often and keep your box up to date.
Maybe the rootkits have to be manually triggered, but frankly, I don't see that that's so big a deal that we can say 'linux cannot be automatically hacked' simply because no-one's bothered to write a email-based virus that does small amount of damage (compared to effectively giving your root password to a kiddie without you knowing)
So, you keep on thinking that Linux is some magically secure OS, I'll stick to my security best practises and hopefully keep mine safe.
considering that Linux is a fer more popular internet server than Windows is, but still gets fewer total exploits in that field.
Guess who didn't read the article...
"accounts for 65.64% of all breaches recorded, with 154,846 successfully compromised Linux 24/7 online computers of all flavours."
So Linux is a more populare internet server, and also gets compromised more often. There's not that much of a surprise to thinking people there - lots more servers, plenty of security holes available for *every* OS, therefore more hacked Linux servers.
Even if there was only 1 security hole on Linux (say, bind), and 100,000 holes on Windows - then such stats that Linux is hacked more often tells us that Windows servers are much more likely to be patched, whereas the Linux servers aren't (possibly due to perceived impression of being inherently 'more secure', possibly because its too difficult for some admins or they forget all the apps they have installed)
No code has any documentation.... if you know where not to look :)
Maybe that should be 'know how not to look'.
Hmm. autobahn on the Apple, GTA4? ... they're not quite the same thing are they?
Perhaps if your first introduction to video games was Halflife, GTA, or similar, you wouldn't have grown up to be the well-rounded individual you are today.
Unfortunately the only way we have of checking whether this link is true is to allow kids to play the games, watch the movies, read the sicko internet sites, and then see (when you're a pensioner) whether Kubrick's vision of a clockwork-orangesque world comes true.
Me? I think the little darlings have the rest of their lives to be adults with all the sick and depraved stuff that I enjoy, we should make them be kids while they have the chance.
AJ: Sir! Yes Sir!
Boss: I want you to go deep undercover, join this identity theft organisation and bring them to justice.
AJ: Sir! Yes Sir!
Boss: Agent Jones.
AJ: what. I'm busy, just one more compile, k.
Boss: Well done Agent Jones, the thieves are locked up and the world's a safer place.
AJ: yo! right on! My l33t undercover hax0r sk1lls roxs!
Boss: hmm. Let me have your mission report.
AJ: yeah yeah, mission documentation is for wimps. Read the source, luke dude.
Boss: such a pity. Yet another brave agent lost to the demands placed upon them. The world's such a cruel place.
The trouble is that if you want your identity to be provably you, then you also have all the issues concerning privacy.
:) ), and all your online dealings were logged with this key, (so that, to steal your identity, you'd have to steal the key and the passphrase used to activate it, and several biometric checks, etc), then everything you did online could also be traced directly and incontrovertibly to you.
/.
See, even if you had a identity card, with a private key on it, issued by the government after you've proven who you are (the tax man definitely knows who you are
You could only use the key when you wanted to be identified (eg, buying something with credit card), but I'm sure it'd still be denounced by many, after all, just the thought of having an RFID tag in your driving licence has sent waves of resentment, fear and conspiracy through previous posts on
Oh, and for this to work, we'd need the id cards, and commodity (cheap) hardware readers for them.
nothing to do with complexity really, your old 8086 was never connected to the internet as we know it, and security was more a case of choosing a password that wasn't 'password'.
Today, I had a new linux server installed for me, and before I even told my customer his mail address, he had spam sent to it, and the server was subject to 2 attacks that BFD detected.
Your old apps probably had all those security flaws in them, just nobody was interested in looking for them.
Of course the word 'never' is totally inappropriate since by definition exceptions _are_ designed to be thrown.
:) )
an analogy for you: my car has airbags, which are obviously designed to go off. But they shouldn't be used everytime I hit the brakes hard.
You see, many people simply use exceptions as a replacement goto. the 'clean code with error handling' is often just another way of writing 'goto end'.
I think it's perfectly normal and acceptable to have an exception be an everyday occurrence
Absolutley not. Use normal error handling for those errors. Use exceptions for those things that you do not expect to happen but have to handle. FileNotFound is not one of those things (IMHO). FileNotFound after you've opened it and are reading from it... is.
I was a little contentious in the post, but I hope it makes people think a little before just using exceptions as error handlers. (especially if theyre used like VB's On Error Goto
oh dear, again someone who doesnt; understand that exceptiosn are designed never to be thrown. If they were everyday occurrences, then they wouldn't be, well, exceptional.
Unlike some languages who use exceptions for events that you expect (like End-of-file) and poor programmers who think that because they're there, they must be used all the time, for everything, exceptions are a defensive programming measure to ensure that the things that should never, ever happen, are handled gracefully if they do.
I had some Java incompatibility problems with Firefox... we have a timesheet application that is written in Java, and it works fine in IE, but I use Firefox nowadays.
So, just for the hell of it, I try the timesheet app in FF - after installing the Sun JVM as you have to - and it works.. after a fashion. The combo boxes continually flick open and closed (so its keybopard only guys), and the edit fields won;t tab between them and so on - enough problems that I went back to doing my timesheets in IE... except that the same problems are now there too.
In the end, I had to uninstall the Sun JVM in order to make the painful task of filling in my timesheet not more soul crushing than it already is.
Portability of Java.. yes, it worked in a different JVM; no, it wasn't portable enough to be useable.
True, but Nochex requires you to cough up big time (in precentage terms) when you take money out of their system. Paypal is cheaper than Nochex unless you deposit hundreds of pounds to their system.
Fastpay is just as good for selling things, you know, automatically, but a ton cheaper and more transparent with their charges.
Anbd in the UK, you want to check out Natwest's FastPay. Much cheaper than Paypal, in the few areas where it isn't free.
The issue isn't with Visa or MC, its the bank that supplies you with the merchant account.
The costs involved in getting a merchant account are reasonably large, too much for small ebay sellers and companies with small turnovers. Paypal is very cost effective in these cases (mainly due to no gateway fees).
As for fraud and defective merchandise - you should read all the bad stuff that people come out with concerning Paypal and its policy on chargebacks. I think its more a 'paypal sucks' type mentality, but Paypal does do chargebacks.
on the other hand, you could say 'thanks Intel', as whilst you've been keeping your pennies in your pocket over the last year, prices have been 'competivitised' so now you can buy a screen that is larger than what you could have had. Due to intel, you've saved your money instead of spending it on the first shiny toy in the first shop window you walked past. :)
I think its more down to your specific skills - consider that no-one programs by flipping switches on a console, or punches holes in cards, and only some people code up C functions nowadays. Sure, knowing what's going on allows you to learn new stuff easily (look at all the C++ programmers who can code up Java once they have a 10 minute tutorial)
As the tools improve (ie become more automated) you have to keep up with them, or become as anachronistic as the blacksmith mentioned.
One day, I think business apps will be programmed using tools something like Visio - drag and drop your 'web service' 'component' match up the inputs and outputs, and connect a GUI at one end (that provides inputs) and a DB 'component' at the other (to provide outputs). Something like this would be suitable for programming 99% of business applications and would be useable by 'business people', not dedicated programmers.
Yes: check out RackForce
They do 'DDS' servers under several plans, the cheaper the plan, the more virtual servers share the same physical hardware. At the top end, you get the whole server yourself.
The big plus with this system is that they can migrate your server to new hardware by copying a single file or directory - and they will, downtime for server upgrades is in the matter of seconds (copy, turn off old VM, turn on new VM), and you can migrate to new plans with the same ease.
The VM technology is SWSoft's Virtuozzo which comes with some features to prevent 1 VM from taking over the entire hardware - you can set it so each VM will be guaranteed a minimum amount of resources.
the whole security center thing is pure annoyance
don't knock it - its purpose is simple and very clear: It says to users 'get some protection' and won't allow itself to go away until you do. (or turn the notifications off, but the kind of people who need the protection are the ones who won't know how to turn the notifications off!)
It doesn't have to be 'free open source', just open and source.
:) )
ie. The patent applicant not only has to write some code showing how his invention works in detail, but also has to show it to anyone who wants to see it. Those people who see it may not use it in their own applications (or they'd be violating the patent) so all the benefits of having a patent apply, but no-one would be able to patent anything that didn't have a concrete implementation (like 1-click for example).
I think that's the idea, but if you think about it - if you wrote code for 1-click, either you'd be restricting people from using the same techniques but they could implement 1-click in a different way, which I think does invalidate the idea of a patent after all.
Imagine I come up with a novel way of toasting bread, and I have to create my 'toaster'. If patents are to work, that'd have to stop other people from inventing the 'grill'. If that is true, then my way of implementing 1-click would stop other people from implementing 1-click in their own way.
The alternative, if my software only applies to my way of doing 1-click, then someone could legally invent the grill even though I have the toaster patent.
(I think I'll go lie down and wait for someone knowledgeable about patents to tell me what I mean
Perhaps you think the USPTO grants patents for inventions that are overly obvious,
of course everyone thinks this - all patents are obvious now, once the idea's been explained to you.
Cell phone goes off in class. Okay, three seconds later it's off and we can continue
;) )
:)
yeah, but the damage has been done - people's attention has been disrupted and you have to build up that 'mental momentum' again. That can be a big deal for most classes (unless you're reading media studies
Besides, in most places it's different... you don't care about the ringing, its the "I'M IN THE CINEMA. YES ITS GREAT. NO, NO THE ONE WITH HIM OFF THE TELE. YES I'LL BE OUT SOON. MEET YOU AT THE PUB. YES. OK. YES. YES. LOVE YOU TOO. YES. LOVE YOU. GOTTA GO NOW. NO. YES. YES. LOVE YOU. LOVE YOU LOADS. BYE. YES. OF COURSE. NO. YES. GOTTA GO. YES. BYEEEEEE. LOVE YOU" that really annoys us.
Well they released it under MPL, which allows you to reissue it under a different licence, one of which is GPL. They did this solely so that certain other projects could use it without any of the kerfuffle that other projects (eg some Apache ones) have suffered from recently.
I think they thought about the licencing issues and have come up with the best they could to ensure Dirac gets used in as many places as possible.
Of course, my opinion is that the OSS licencing issue has become a monster, if to get something widely accepted you have to allow it to be relicened under the GPL...
gawd, its one thing when posters don't bother reading the article, but when they don't read the original post what have we come to?!!
for the very, very lazy:
The small town of Riverside, Iowa has long billed itself as the birthplace of James T. Kirk. So they were thrilled when William Shatner came there to film a Star Trek prequel about the early life of Kirk.