The memcmp() bug in the interview seems simple enough.
There are many things that are too subtle to see at first glance. The memcmp() problem is not (always) the issue; the gets() is the major problem that I first saw.
The original code was written as:
gets(userEntry);
if (memcmp(userEntry, correctPassword, strlen(userEntry)) != 0)
    return (BAD_PASSWORD);
I didn't decrypt the DMCA-compliant ROT-13 code, but I would say that at a first glance the following problems exist from a security perspective:
gets() allows an arbitrary input length. This allows buffer overflows, with all of the attendant problems.
There is no hash/encryption/non-reversible transformation between the gets() and the memcmp(). This implies that what is stored in the correctPassword buffer is in plaintext. This allows another vector of attack.
Even if the password in correctPassword is encrypted in the {password file used by this system}, the fact that you compare the input to correctPassword[] without modification implies that correctPassword has been decrypted, so if you can get access to {password file used by this system} you can decrypt the passwords without using a brute-force attack.
The memcmp() call should be for something that ensures you have entered the same number of characters as correctPassword before it compares them. If you compare strlen(userEntry) to correctPassword, anybody who has the first "correctPassword" characters (e.g. correctPassword is "azigy", the userEntry string is "azi") will match the password. If you match strlen(correctPassword) to userEntry, then all you need is to find out the maximum password length, and start a brute-force attack from that point down.
May I ask a novice question?
As a novice myself (I've only been programming professionally since 1980), feel free.
What is unchecked buffer size problem?
A buffer overflow (or, as you call it, an "unchecked buffer size problem") occurs when you create (for example) a buffer of
char InputBuffer[100];
And then use a function that does not allow you to specify how long the buffer is, for example:
gets(InputBuffer);
If the user types more than 100 characters, they will overflow the buffer (do a Google search for "fandango on core", "going to la-la-land", or other things from "the hacker's dictionary"), which can cause multiple issues, such as providing invalid data on the return from the call, creating a shell (or even worse, a root shell) on return, corrupting data on the stack from previous function calls (e.g. rc=GetInput(InputBuffer), which calls gets(InputBuffer)), as well as other things.
How can you take over a system because of an unchecked buffer?
Given the correct circumstances, anytime you can overflow a buffer you can take over the system. For examples, see almost any Microsoft, Apache, Linux kernel, BIND, Sendmail, or other package vulnerability notice in the last 30 years.
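The prefix-match flaw in the memcmp() check above and the unbounded gets() read into a 100-byte buffer, shown side by side with corrected versions. This is an added example written for this page, not code from the original comments; it reuses the names and the "azigy" password from the thread, and the rest (return codes, the bounded reader, the constructed 120-character line) is assumed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define OK 0
#define BAD_PASSWORD 1

/* The check as posted: only strlen(userEntry) bytes are compared, so any prefix
 * of the real password, even "", passes; longer entries also over-read correctPassword. */
int check_as_posted(const char *userEntry, const char *correctPassword)
{
    if (memcmp(userEntry, correctPassword, strlen(userEntry)) != 0)
        return BAD_PASSWORD;
    return OK;
}

/* Corrected check: lengths must match, then every byte is compared with no early
 * exit. Real systems compare fixed-length hashes, which also hides the length. */
int check_hardened(const char *userEntry, const char *correctPassword)
{
    size_t n = strlen(correctPassword);
    if (strlen(userEntry) != n)
        return BAD_PASSWORD;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(userEntry[i] ^ correctPassword[i]);
    return diff == 0 ? OK : BAD_PASSWORD;
}

/* Bounded replacement for gets(): never writes more than size bytes into buf and
 * returns true only if a whole newline-terminated line fit. */
bool read_line(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return false; }
    size_t len = strcspn(buf, "\n");
    bool complete = buf[len] == '\n'; buf[len] = '\0';
    return complete;
}

/* Constructed input: a 120-character line into a 100-byte buffer is cut at 99 and flagged. */
bool demo_overlong_line(void)
{
    FILE *f = tmpfile(); if (f == NULL) return false;
    for (int i = 0; i < 120; i++) fputc('A', f);
    fputc('\n', f); rewind(f);
    char buf[100];
    bool complete = read_line(buf, sizeof buf, f);
    fclose(f);
    return !complete && strlen(buf) == 99;
}
```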
There is no way to verify that a peer is running some genuine/particular client or other (at least, not without DRM hardware).
Sure there is. PGP/GPG sign everything, and do an exchange of newly-generated keypairs for each site.
On Paul's comment that copyright infringement is unethical, here is the (usually neglected) rule-of-thumb:
1. If, absent piracy, you would have bought it anyway, then you owe the artist (and maybe the publisher?) some money.
2. If you wouldn't have shelled out to purchase a copy, then copyright infringement is ethical.
Incorrect. The rules of thumb are:
If you would have bought it anyway, you owe the "owners" money.
If you would not have bought it, you owe the "owners" money.
I wonder if Office Depot actually read their own memo. It says "all products which connect to a personal computer must carry the 'Designed for WindowsXP logo'."
So, since a PalmPilot can "attach to a personal computer", and it isn't "Designed for WindowsXP", they're going to stop carrying it?!?!
Ditto for the rest of the PDA's they sell. Even stuff running WindowsCE wasn't "Designed for WindowsXP".
Obviously, since the Red Hat, Mandrake, SuSE, OSX, etc don't carry a "Designed for WindowsXP" label, they're going to have to stop selling them.
Time to find a new place to buy miscellaneous business supplies.
It is much easier just to ask someone who knows what they're doing and can answer in 5 minutes than to spend hours googling and crawling the man pages. I have several friends who have been using Linux for a year or so, and when we can't figure something out, we IM / write each other and ask, and it's better that way.
There is a difference between "me and my friends" and "me and some guy I've never met who I think knows what I'm too lazy to learn on my own".
If nothing else, think of it as a learning experience. The more effort you put into learning something, the more you will learn and retain.
On the other hand, it does make some sense 'protect' H1-B visa holders from being fired, since they would then need to find another job or leave the country, [...]
Discrimination is illegal, even when done for "good" reasons.
I bought a new laptop last weekend (03/09/2003) with Windows XP Home installed on it. When I turned it on, it gave me a screen with "who will be using this computer"?
I put in my name, hit "enter", and it booted up.
It's never asked me for a password for anything.
Maybe this is just something that Toshiba is doing, but they are doing it.
"laxidasical"? How about "complete and utter disregard for all security"?
I can (almost) understand providing an application that gives a default password for something like "root", but then you should require them to log in as that user and change the password as part of the install.
Providing a lazy-password checker and requiring them to create every account with it is much better.
I can understand everybody wanting to make life easier for people, but if people can understand why you want a PIN number on your ATM card, why does everybody think they'll freak out if you tell them they need a PIN number for their computer?
However, it has come around to bite me on the ass. For instance, I am the only programmer that knows Perl. As good as the tool may be, the company now regards me as an enigma -- something to be dealt with by procedure, policy, and backups. I am now being forced to document my code to a level at which a non-programmer could figure out what's going on and stumble through it.
Gee, and you find this strange? Odd? Amazing? Why? If your employer wants mind-numbing detail in their documentation, give it to them or get out.
I can not depend on him being here and I do not want to learn Foxbase.
Bigot. If FoxBase is the best language for the application, it's in the best interest of your employer to fire you and find somebody who will work for them, not for a paycheck.
My initial reaction is that FoxBase wouldn't be a good language choice if this occurred in the last decade, but "I don't want to learn" is not an acceptable answer when choosing development tools.
If you put the world's most talented Java developer and the world's best Perl programmer in a room and gave them an unstructured textual document to parse, I would put my money on the Perl programmer to finish first.
There is no such thing as an "unstructured textual document".
The person who finishes "first" does not always produce the "best" program.
What are you going to do in a year when all the developers are gone, and you need to update the program for some reason?
If you're going to create situations where your pet language will win, let's talk VSAM file manipulation. :]
Finally, as Dickerson seemingly fails to understand, choice of language should be as close to the programming staff as possible, not with the buzzword-laden clueless managers.
What's the lamest (stupidest, impossible to believe by anybody with two functioning neurons) spam that you've ever received?
For example, I once got a piece that claimed that after their "extensive market research", it had been determined that I would like to increase my breast size (I'm a male) which would provide the added benefit of increasing the passion my partner (if I had one, he'd be a male also) felt for me.
If I didn't want to receive any more offers, all I had to do was .
Congratulations. You have (once again) pointed out that there needs to be at least two teams building any significant (in GUI terms) application:
The programmer(s) and the interface developer(s).
Of course, just like the testing department, the HID team is the first to go when the budget-cut-of-the-month-so-the-CEO-can-make-his-bonus comes around.
...and on the third hand, if the position is "over the road 18 wheel truck driver", or "airline pilot", I would *hope* that they do drug screening.
"Corporate ethics" (if there is such a thing) can be strange. I wouldn't get fired from my job for being convicted of smoking pot, but I would be for bouncing checks.
You're welcome.
Sadly, it's becoming more of a reality every day.
*knowledge* is power, not the ability to get back to somebody on something...
Take a look around for Eldos Keylord.
Um, no. The goal of the chip maker is to make money, preferably lots of it.
The goal of the OS creator is to make money, preferably lots of it.
If the OS creator keeps adding sludge so that you have to buy faster processors just to get the same response...
Actually, the real solution would be best administered with a chainsaw between the metacarpals.
You incorporate in Delaware for tax reasons.
You get venue in other places for other reasons. For example, the SCO lawyers might have their office there.
It's incredibly stupid and convoluted, like most US law.
Sounds good. I live in Cap Hill, Denver, Colorado.
Um, how about printing them? You could then store them in your safe deposit box.
The answer to "it runs slow" is almost NEVER "more powerful hardware".
Your evidence for this is....?
Longer answer: NONE! Don't think about it!
Really long answer: Look, if I wanted advertising, I'd wake up.
Well, let's see. If you're saying you want to pay by credit card...