HLL's are NOT a substitute for secure programming
on
Too Cool For Secure Code?
·
· Score: 3, Insightful
Please, spare me from the armchair drivel of these SecurityFocus columnists! (Okay, I should spare myself, but I'm compelled to comment.)
The thrust of the article is that most programmers are not skilled enough to write secure code, so they should be using HLL's that do the security for them, and leave C/C++ code to the "experts."
Hogwash.
Repeat after me: Security is a process, not a product. HLL's can be misused just as effectively as LLL's.
Back to this columnist's soapbox rant. It ends up reveling in an admittedly fallacious comparison:
> Real programmers manipulate the system at the lowest possible level, > for the maximum possible effect.
I'll accept that, in the diversity of programmers, there are some that are writing insecure code. But stereotyping of this sort is an act of the columnist. Even if there are some programmers who adopt this stereotype, they do not nearly comprise the entire population. The existence of many professional, responsible programmers is completely discounted by the columnist.
> The fallacy of the comparison should be obvious...( > I think it's safe to say that programmers spent less time at > self-criticism than pilots.)...
It's safe to say in the one-way communication of the columnist's world. It's safe to say when your profession is to write sassy, not-too-verifiable copy. It's safe to say if you don't have to have your article vetted by fact-checkers.
> It would be nice if we could expect that our programmers would act > more like airline pilots than fighter pilots: that they acknowledge, > and accept, the responsibility that they take for the well-being of > others. Until they take this step, I doubt that the quality and > security of the code that we all rely on will improve.
Here the columnist exercises the same comparison he recognized as fallacious. Programmers are not pilots. Not airline pilots, not fighter pilots. While I believe there is a need for the computing industry to move towards more responsibility for security, focusing just on C/C++ programmers will not do the job. There is plenty of improvement to be made by the end users, and the columnists as well!
> There is also a macho streak in programmers:
There's a macho streak in this columnist who disparages professions that he probably hasn't been participating in as of late.
While I was waiting for the slashdot effect to simmer down on LawMeme, I read the letter. Then I forwarded it. Then I read the LawMeme article.
Damn this mirror, I must be better looking than that.
Sure, the pharmaceuticals have to make money, but they're not lily-white, either.
It's sad that profit taking influences the availability of medicine. That's an effect of having the pharmaceutical industry as a purely capitalist venture.
Clinical trials, advertising, marketing, pseudo-shortages, all get leveraged by the pharmaceutical industry to get more profits, even when the quality and availability of the product suffers for it. IMHO, the excuse "Hey, we have to make money," does not go far enough to cover the improprieties perpetrated by the pharmaceutical companies.
We (I'm in the U.S.) have police and military that are not encumbered by profit-taking. They defend us against human threats. I'd like to see the day that we have similarly motivated defence against biological threats as well.
Airborne cellphones don't bother the plane as much as they bother the network. From a mile in the air, there can be numerous base stations at the same distance from the handset, and they have a rough time deciding which one is going to carry the connection.
> Linux will be that product. [that kills Microsoft]
Setting my love of Linux aside, I don't discount the possibility of the "Killer App."
Netscape very nearly was one, which is why Microsoft pulled out all their weaponry to stomp them into the ground. If Netscape+Java made operating systems irrelevant, Windows would have died of irrelevance.
Periodically, a new technology application appears that wipes out the previous generation. PC's, coupled with spreadsheets, wiped out timesharing and a lot of mainframes & micros, for example. Calculators (made from integrated circuits, a space product) wiped out slide rules. Cell phones are wiping out land-line telephones. Nylon wiped out silk.
Mr. Bill is trying desperately to predict and invent the next killer app. The trouble is, you can't really predict these things (if you could, they wouldn't be "killers").
The biggest killer app, IMO, was the Mosaic browser (+ HTTP + HTML + URL), which was a bolt out of the blue, and didn't come from commercial industry at all.
MS Windows was a killer app, too. The trouble (for Microsoft) is that the killer app cannot be nailed down. The killer app causes a paradigm shift (dear God, I used the P word) that affects entire industries. When your product affects a whole industry, you can't keep the technology to yourself. The best you can do is surf the wave (and knock a few other surfers off their boards, if you're good enough at surfing).
As long as Microsoft has a lock on most of the market for PC operating systems.
> you cant keep pulling the same company for antitrust violations..
The courts can keep pulling them in as long as they please. There is no "double jeopardy" for antitrust.
> wasnt Microsoft supposed to be split up?
One judge said "yes," another judge said "no."
> what ever happened there?
The judge that said "yes" was openly offended by a bumbled defense team, and then bumbled himself by reacting openly. It was then given to a new judge and tried by a prosecutor that was more sympathetic to Microsoft, not to mention a defense team who behaved in court.
> this is just going to carry on and on and on.. its getting pretty frustrating really.
Don't let it wreck your day. At least there is no _law_ that says you have to use Microsoft products. Just market forces;-)
Re:Expect fianl report in 6 months
on
Latest Columbia News
·
· Score: 2, Insightful
> Right now we have several media "experts" offering their opinions.
To amplify on the irony, these are the same media who said Reagan was dead and that Al Gore won the presidential election.
After a national disaster, I avoid the news media, thus saving myself from the constant "we don't know anything yet, but here are a long line of pundits who are happy to guess with abandon."
> What would be the point of inspecting the spacecraft in orbit?
It's useful to learn what the effects of different kinds of damage, and how the severity of the damage relates to survivability.
It's also useful to try and find ways to compensate for the damage. If you don't know whether/what damage there is, you don't have a chance to compensate for it. If you do know, you might be able to find a way out of the pinch.
Last year, Sun really, really wanted to drop Solaris for Intel.
Speculation was that it was for one or both of two reasons: 1) Not to dilute their SPARC-oriented business, 2) Not to dilute their Sun-Linux business.
At a conference I attended, as well as some Sun presentations, some Sun employees were begging customers to demand Solaris 9 for Intel from their sales reps. Seems that there was still a "Solaris for Intel" faction inside the company. Also, the inside scoop was that they already _had_ Solaris 9 for intel, but the higher-ups didn't want to release it.
Customer demand was heavy and it changed the original plan to nix Solaris 9 for Intel. Now it's out.
No big secrets here, just a little historic perspective.
Paraphrasing a quote (by whom, I forget): an Operating System, by definition, does nothing.
The point being, an OS is a platform for applications, which do the work.
MSWindows notoriously bundles lots of applications into the platform, so it doesn't really count as a bare-bones OS.
Ideally, there would be one OS as a middleware between applications and hardware. Then applications could be platform-neutral. Linux is the closest thing we have to such a definition. Unix tried to be that, but it fragmented into vendor-specific releases. It's yet to be seen whether Linux does the same thing.
See also: difference between a Linux and a Distro.
I have a partner who has combat-related PTSD. Artillery, automatic weapons fire and PBR's in a movie will trigger nightmares.
It would be nice to be able to pre-mute the soundtrack, at least. It's often hard to dance on the mute button to get the dialog and avoid the rat-a-tat-tat.
This was a particular issue with the movie "The Gods Must Be Crazy." Mostly a charming tale, and the war scenes did have artistic merit, but we would have enjoyed the non-war parts of the movie much more if we could have squelched the guerilla warfare sound effects.
My point being, it's not all about porn. There are more diverse motivations out here.
I note the fuss over the Fritz Hollings bill, which could be resurrected to try and mandate copy protection features. Also, FCC threats to promote similar aims.
In order to make these clamp-down strategies work, imported electronics would have to be regulated, too. Otherwise, consumers can bypass the restrictions by buying imported media and players.
If that happened, the US restrictions could kill the domestic market.
If the imports were restricted, there would be the threat of trade wars: a political hot potato.
Where does Europe stand on this protection racket? It's one thing to prosecute DVD Jon for hacking in his home laboratory. It's quite a different kettle of fish to be telling major electronics manufacturers what they can and can't do.
With the passing of the new millenium, I noted that the CRT was the only remaining, widespread, consumer use of vacuum tube technology.
We were so close to leaving those heavy, hot, power-gulping things behind with the 20th century.
(OTOH, I also note that it always takes about half a minute for my computer to power up, even the laptop with LCD. Same as when I was a kid and we had to "warm up" the television or radio in advance of a show.)
There's another aspect to this article besides the lock-hacking technique.
The writer speaks of the familiar dilemma of whether to publish to the "Good Guys," which notifies the "Bad Guys" simultaneously, or keep the information secret, knowing the "Bad Guys" could be sharing it already. Same old story we know from cyber security.
Then there's the "Locksmith" angle, "We've been teaching our students this for years, nothing new here." One wonders how the teachers sorted the trustworthy students from the evil students.
Good guys, bad guys, locksmiths, students, trustworthy, evil.
The enormous elephant here is whether people and their motives can be categorized this way. The truth is, these categories aren't cut and dried distinctions.
Take your government agent, for instance. When we're thinking about wiretapping mad bombers, they look more like good guys. When we're thinking about wiretapping political dissidents, they're bad guys. Same people, same behaviors, different categories.
Even discussing the distinction brings up more fuzzy categories: "bombers," "dissidents," "we."
As long as security is addressed from a good-guys vs bad-guys distinction, the argument will go in circles, because you can't really sort out the good guys from the bad guys without a clear value context. If you're diligent, you'll get mired in the values debate, and if you're not, you'll end up drawing biased conclusions.
The best stragegy in the good guys vs. bad guys debate is not to play the game.
When making powerful tools like locks, master keys, and cryptography, you have to bite the bullet that you can't really manage the motives of the tool users.
Slashdot Mirror
Please, spare me from the armchair drivel of these SecurityFocus columnists! (Okay, I should spare myself, but I'm compelled to comment.)
The thrust of the article is that most programmers are not skilled enough to write secure code, so they should be using HLL's that do the security for them, and leave C/C++ code to the "experts."
Hogwash.
Repeat after me: Security is a process, not a product. HLL's can be misused just as effectively as LLL's.
Back to this columnist's soapbox rant. It ends up reveling in an admittedly fallacious comparison:
> Real programmers manipulate the system at the lowest possible level,
> for the maximum possible effect.
I'll accept that, in the diversity of programmers, there are some that are writing insecure code. But stereotyping of this sort is an act of the columnist. Even if there are some programmers who adopt this stereotype, they do not nearly comprise the entire population. The existence of many professional, responsible programmers is completely discounted by the columnist.
> The fallacy of the comparison should be obvious...(
> I think it's safe to say that programmers spent less time at
> self-criticism than pilots.)...
It's safe to say in the one-way communication of the columnist's world. It's safe to say when your profession is to write sassy, not-too-verifiable copy. It's safe to say if you don't have to have your article vetted by fact-checkers.
> It would be nice if we could expect that our programmers would act
> more like airline pilots than fighter pilots: that they acknowledge,
> and accept, the responsibility that they take for the well-being of
> others. Until they take this step, I doubt that the quality and
> security of the code that we all rely on will improve.
Here the columnist exercises the same comparison he recognized as fallacious. Programmers are not pilots. Not airline pilots, not fighter pilots. While I believe there is a need for the computing industry to move towards more responsibility for security, focusing just on C/C++ programmers will not do the job. There is plenty of improvement to be made by the end users, and the columnists as well!
> There is also a macho streak in programmers:
There's a macho streak in this columnist who disparages professions that he probably hasn't been participating in as of late.
Pfft!
Flying cows replace power transmission lines.
> Who uses a database small enough to fit in RAM?
A terabyte is so small these days.
While I was waiting for the slashdot effect to simmer down on LawMeme, I read the letter. Then I forwarded it. Then I read the LawMeme article. Damn this mirror, I must be better looking than that.
Sure, the pharmaceuticals have to make money, but they're not lily-white, either.
It's sad that profit taking influences the availability of medicine. That's an effect of having the pharmaceutical industry as a purely capitalist venture.
Clinical trials, advertising, marketing, pseudo-shortages, all get leveraged by the pharmaceutical industry to get more profits, even when the quality and availability of the product suffers for it. IMHO, the excuse "Hey, we have to make money," does not go far enough to cover the improprieties perpetrated by the pharmaceutical companies.
We (I'm in the U.S.) have police and military that are not encumbered by profit-taking. They defend us against human threats. I'd like to see the day that we have similarly motivated defence against biological threats as well.
Put in a legal cease and desist notice.
Beat them at their own game.
> the most beneficial situation would be for the local government to own
> the actual cable plant for its municipality.
Tacoma, Washington has something like what you suggest.
> antiwar activists in the early 1970s would get knocks on the door by FBI agents to confirm where they live
Methinks this was more of an intimidation tactic than a data-gathering excercise.
Okay, so somebody put up a web page about this whiner and post the link to Slashdot.
Make him as famous as he wants to be, but not for the reason he imagines.
As seen on slashdot, it must be true....
Airborne cellphones don't bother the plane as much as they bother the network. From a mile in the air, there can be numerous base stations at the same distance from the handset, and they have a rough time deciding which one is going to carry the connection.
Two words:
Protection racket.
> Linux will be that product. [that kills Microsoft]
Setting my love of Linux aside, I don't discount the possibility of the "Killer App."
Netscape very nearly was one, which is why Microsoft pulled out all their weaponry to stomp them into the ground. If Netscape+Java made operating systems irrelevant, Windows would have died of irrelevance.
Periodically, a new technology application appears that wipes out the previous generation. PC's, coupled with spreadsheets, wiped out timesharing and a lot of mainframes & micros, for example. Calculators (made from integrated circuits, a space product) wiped out slide rules. Cell phones are wiping out land-line telephones. Nylon wiped out silk.
Mr. Bill is trying desperately to predict and invent the next killer app. The trouble is, you can't really predict these things (if you could, they wouldn't be "killers").
The biggest killer app, IMO, was the Mosaic browser (+ HTTP + HTML + URL), which was a bolt out of the blue, and didn't come from commercial industry at all.
MS Windows was a killer app, too. The trouble (for Microsoft) is that the killer app cannot be nailed down. The killer app causes a paradigm shift (dear God, I used the P word) that affects entire industries. When your product affects a whole industry, you can't keep the technology to yourself. The best you can do is surf the wave (and knock a few other surfers off their boards, if you're good enough at surfing).
> How long can this go on for?
;-)
As long as Microsoft has a lock on most of the market for PC operating systems.
> you cant keep pulling the same company for antitrust violations..
The courts can keep pulling them in as long as they please. There is no "double jeopardy" for antitrust.
> wasnt Microsoft supposed to be split up?
One judge said "yes," another judge said "no."
> what ever happened there?
The judge that said "yes" was openly offended by a bumbled defense team, and then bumbled himself by reacting openly. It was then given to a new judge and tried by a prosecutor that was more sympathetic to Microsoft, not to mention a defense team who behaved in court.
> this is just going to carry on and on and on.. its getting pretty frustrating really.
Don't let it wreck your day. At least there is no _law_ that says you have to use Microsoft products. Just market forces
> Right now we have several media "experts" offering their opinions.
To amplify on the irony, these are the same media who said Reagan was dead and that Al Gore won the presidential election.
After a national disaster, I avoid the news media, thus saving myself from the constant "we don't know anything yet, but here are a long line of pundits who are happy to guess with abandon."
> What would be the point of inspecting the spacecraft in orbit?
It's useful to learn what the effects of different kinds of damage, and how the severity of the damage relates to survivability.
It's also useful to try and find ways to compensate for the damage. If you don't know whether/what damage there is, you don't have a chance to compensate for it. If you do know, you might be able to find a way out of the pinch.
Last year, Sun really, really wanted to drop Solaris for Intel.
Speculation was that it was for one or both of two reasons:
1) Not to dilute their SPARC-oriented business,
2) Not to dilute their Sun-Linux business.
At a conference I attended, as well as some Sun presentations, some Sun employees were begging customers to demand Solaris 9 for Intel from their sales reps. Seems that there was still a "Solaris for Intel" faction inside the company. Also, the inside scoop was that they already _had_ Solaris 9 for intel, but the higher-ups didn't want to release it.
Customer demand was heavy and it changed the original plan to nix Solaris 9 for Intel. Now it's out.
No big secrets here, just a little historic perspective.
Paraphrasing a quote (by whom, I forget): an Operating System, by definition, does nothing.
The point being, an OS is a platform for applications, which do the work.
MSWindows notoriously bundles lots of applications into the platform, so it doesn't really count as a bare-bones OS.
Ideally, there would be one OS as a middleware between applications and hardware. Then applications could be platform-neutral. Linux is the closest thing we have to such a definition. Unix tried to be that, but it fragmented into vendor-specific releases. It's yet to be seen whether Linux does the same thing.
See also: difference between a Linux and a Distro.
Your message was here?
Perhaps, with a flood of spam,
I deleted it.
I have a partner who has combat-related PTSD. Artillery, automatic weapons fire and PBR's in a movie will trigger nightmares.
It would be nice to be able to pre-mute the soundtrack, at least. It's often hard to dance on the mute button to get the dialog and avoid the rat-a-tat-tat.
This was a particular issue with the movie "The Gods Must Be Crazy." Mostly a charming tale, and the war scenes did have artistic merit, but we would have enjoyed the non-war parts of the movie much more if we could have squelched the guerilla warfare sound effects.
My point being, it's not all about porn. There are more diverse motivations out here.
So, what Joe Longkneck needs is a color organ with a cupholder that weighs his container and knows when to pop up the elucidating text:
"Time for another beer!"
> This isn't at all related to whats going on right now is it?
That depends. Are you wearing your tinfoil hat?
I note the fuss over the Fritz Hollings bill, which could be resurrected to try and mandate copy protection features. Also, FCC threats to promote similar aims.
In order to make these clamp-down strategies work, imported electronics would have to be regulated, too. Otherwise, consumers can bypass the restrictions by buying imported media and players.
If that happened, the US restrictions could kill the domestic market.
If the imports were restricted, there would be the threat of trade wars: a political hot potato.
Where does Europe stand on this protection racket? It's one thing to prosecute DVD Jon for hacking in his home laboratory. It's quite a different kettle of fish to be telling major electronics manufacturers what they can and can't do.
With the passing of the new millenium, I noted that the CRT was the only remaining, widespread, consumer use of vacuum tube technology.
We were so close to leaving those heavy, hot, power-gulping things behind with the 20th century.
(OTOH, I also note that it always takes about half a minute for my computer to power up, even the laptop with LCD. Same as when I was a kid and we had to "warm up" the television or radio in advance of a show.)
There's another aspect to this article besides the lock-hacking technique.
The writer speaks of the familiar dilemma of whether to publish to the "Good Guys," which notifies the "Bad Guys" simultaneously, or keep the information secret, knowing the "Bad Guys" could be sharing it already. Same old story we know from cyber security.
Then there's the "Locksmith" angle, "We've been teaching our students this for years, nothing new here." One wonders how the teachers sorted the trustworthy students from the evil students.
Good guys, bad guys, locksmiths, students, trustworthy, evil.
The enormous elephant here is whether people and their motives can be categorized this way. The truth is, these categories aren't cut and dried distinctions.
Take your government agent, for instance. When we're thinking about wiretapping mad bombers, they look more like good guys. When we're thinking about wiretapping political dissidents, they're bad guys. Same people, same behaviors, different categories.
Even discussing the distinction brings up more fuzzy categories: "bombers," "dissidents," "we."
As long as security is addressed from a good-guys vs bad-guys distinction, the argument will go in circles, because you can't really sort out the good guys from the bad guys without a clear value context. If you're diligent, you'll get mired in the values debate, and if you're not, you'll end up drawing biased conclusions.
The best stragegy in the good guys vs. bad guys debate is not to play the game.
When making powerful tools like locks, master keys, and cryptography, you have to bite the bullet that you can't really manage the motives of the tool users.