And you haven't even touched on the debacle that is 8-a in this country (the US). It's basically institutionalized money laundering. I say so, as someone who runs a company that qualifies for 8-a. :>
Well, I think there's clearly something else at work here. Even if I wanted to hire 50/50, I'd be hard pressed to find 4 good female computer security professionals who can compete on a technical level with the other people on my team (doing software audits and writing exploits). There just aren't that many women coming out of computer science classes. Maybe 10% of the total, generously, and of those, almost none choose to go into hard core technical computer security. I think it's telling (aka depressing) that MIT didn't get a female president from their engineering department.
Why aren't women going into computer science? It's not like coal mining where the job sucks afterwards. Generally, it's sitting in an office and making a lot of cash. So why is it?
Keep in mind that CANVAS has an entire compiler and gas-compatible assembler built into it. We didn't write that because we thought it would be fun - we thought it added a lot of value to the product in terms of reliability and features no other product can have (as hinted at by the paper.) These components are available under the LGPL, and we fund and support two other GPL projects.
Our exploit code is all custom written by Immunity - so it plays nicely with the engine itself and, we like to think, is better than things like Metasploit. (Which makes sense, since we have 4 people on full time salaries to do so!)
There's a lot of other stuff to it, but let me just say that cutting and pasting is certainly something that is not a part of our development process, for many reasons. :>
I think the biggest problem with .Net is that it's not interpreted enough. Despite the work being done to pretend that it can handle it, no one has a decent interpreted language (i.e. perl, Python) running in it that can use any of the real features of the VM. The funny thing is to hear Miguel and others rave about how much faster they are coding now that they are using C# rather than C. Imagine how much more they'd rave if they were using Python, which has the same advantages for RAD over C# that C# has over C. And it has GTK bindings, just like GTK#, only more mature.
If only they'd thrown their weight behind a Python Gnome, and made that the standard language...
I noticed in Miguel's post that he posited that you wanted real arrays of ints for speed reasons, instead of arrays of integer objects. But in a large application, speed is more commonly gained by doing intelligent caching - something easy in Python, but brutally hard in C# or C.
That's crazy. There are many good scripting languages out there, but Python is a _general purpose_ scripting language. It can be used for anything from end-user GUI development, to complex simulations, to compiler writing, to nearly anything else.
One of the great things about it is the dynamic and strong type enforcement. In short, it has automatic "templating" that makes C++'s STL look insanely complex and useless. Extending your inner API functions is easy and painless, unlike Java, C, C++, or even C#.
And that's just one of the many great things about it.
The other major advantage is readability. C#, Java, C, etc, are all unreadable to beginning programmers. Python programs I've written often come back to me with patches from non-programmers. That's never going to happen with Mono programs.
I don't buy the case that their business strategy is inherently flawed. These days, everyone is trying to emulate them. Look at Dell, everyone's rose-baby. Dell doesn't just want you to buy a computer, they want you to buy a lifestyle.
The major benefit of having an Apple computer is that everything works with it. No trying to get your camera to work. Even linux vendors like Element Computers are doing this. You buy your digital camera from Element not because it's a great digital camera, but because you know when you plug it in it will pop up on your desktop. This is why Microsoft doesn't let every OEM customize Windows to all hell and back, and why there's one XP Tablet Edition, and not thirty different ones.
You always know where to go to get something for an Apple. In the long run, they want to run the entire chain from hardware to OS to software to peripherals, just like Microsoft, and for the same reasons.
Re: Charisma Carpenter is doing Playboy! (on "WB Cancels Angel")
She also did a cheesy movie for WE called "See Jane Date". Frankly, she's a bit chubby now. Not sure what genius had her cut her hair off either.
-dave
I find the iRiver HP-120 to be a great little device. It has a nice long (8+ hours) battery life, enough space to fit my whole collection almost, and plays ogg beautifully. Buy a set of Panasonic sound reduction headphones and your plane experience is a lot nicer...
Mozilla has this feature. Actually, Mozilla is the hands-down best e-mail client available now. It seems to scale up to a huge workload, features spam filtering (killer app) and implements most of the virtual-folder features that set evolution apart...and it does GPG correctly via Enigmail.
This is a major problem with Open Source software. We're just beginning to see how dangerous our standard distribution strategy is. In my opinion, the only solution is to have a central hash server, which will check a hash and a filename for authenticity. Open Source developers could register their hashes with the central service, which would function as a global namespace, based on filename.
Then the only thing needed is a script which warns people when the files they download are trojaned. This could be built into Mozilla, Nautilus, or simply be a file system crawler built into an OS distribution.
I've actually written a proof-of-concept in Python (called HashDB) that works rather well, and released it under the GPL, but for something like this to get going, it needs to be supported by RedHat or some other large corporate entity.
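The scheme sketched above (developers register a digest under a filename, a crawler warns when a downloaded file's digest contradicts the registry), as an added example; this is not HashDB or any Immunity code, the registry is an in-memory stand-in for the proposed central server, SHA-256 is assumed since the post names no algorithm, and all sample file contents are constructed.

```python
import hashlib
from pathlib import PurePath

# Constructed stand-in for the post's central hash server: a global namespace
# keyed by bare filename, each name mapping to the set of digests the
# developer registered for it. (SHA-256 is an assumption of this example.)
REGISTRY = {}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register(filename: str, data: bytes) -> str:
    """Developer side: publish the known-good digest for a release file."""
    d = digest(data)
    REGISTRY.setdefault(filename, set()).add(d)
    return d


def check_download(path: str, data: bytes) -> str:
    """User side: 'ok' if this content is registered under the file's name,
    'trojaned' if the name is registered but the content is not,
    'unknown' if nobody registered the name at all (no verdict possible)."""
    known = REGISTRY.get(PurePath(path).name)
    if not known:
        return "unknown"
    return "ok" if digest(data) in known else "trojaned"


def crawl(files: dict) -> list:
    """Crawler side: one warning per file whose content contradicts the registry.
    `files` maps a path to its bytes (constructed here; a real crawler reads disk)."""
    return [f"WARNING: {path} does not match any registered hash"
            for path, data in files.items()
            if check_download(path, data) == "trojaned"]


# Constructed sample: a genuine release file and a tampered copy of it.
GOOD = b"#!/bin/sh\necho installing hashdb\n"
BAD = GOOD + b"# extra line that is not in the release\n"
register("hashdb-0.1.sh", GOOD)
```

Because the namespace is the bare filename, every project's `install.sh` collides on one entry, and the verdict is only as trustworthy as the registry itself; that is the part of the design that needs the "large corporate entity" backing the post mentions.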
five hundred ph.ds running fuzzers and testin'
to ensure that nt's security features keep progressin'
sixty billion dollars can't build you a trusted computing base
when you outsource all your code from bangkok to outer space
before palladium's nexus has you all distressin'
learn this lesson: the price to own microsoft eip is 50 rupee
but there's no price that will buy something that's free
That's because you've never used pyGTK. I have an article about it in the latest Linux Journal. It's cross platform, easy to use, fast, can use native widget-look-alikes, and making something a SOAP method is just as easy as C#. It's basically better than C# in every way. Give it a shot...
Well, there are 2 major drawbacks to Python:
1. No good free runtime debugger
2. No CPAN
But the major benefits are that you can, with basically NO Python training, sit down at a random Python program and extend it ten times faster than an expert in C could extend THEIR OWN program.
It's a combination of a lot of things that makes Python great to use - some of these things Perl has as well, but most of these things are very Python specific - you'll see them as you learn it.
I recommend Wing IDE, btw, for a commercial Python editor and runtime debugger at a reasonable price.
For what it's worth, CANVAS (http://www.immunitysec.com/CANVAS/) is written entirely in Python, so I put my money where my mouth is.
Immunity's SPIKE Proxy (http://www.immunitysec.com/spike.html) offers a Python, GPL, VulnXML engine, and has for some time. VulnXML is superior to Nessus-style scripting in many ways for purely web-based assessments. Similar to how Nessus says "for all ports that have a web server on them, run these tests", VulnXML allows a fully interoperable and "self-descriptive" way to say "For all files on the web server, check for file.bak, but ignore custom 404 pages that return 200 OK, etc".
I really looked hard for a font in the default FC2 OpenOffice install that would do that, but I failed to find one.
That was actually funny, instead of a "I don't understand the humor!" post. Someone mod this anonymous baby up! :>
-dave
Dude, did you even read my paper? It's hardly MS propaganda. That's a zero on the front of 0wn. It's a play on words.
And there's no Patent issues or other nonsense.
-dave
This one.
Dave Aitel
Immunity, Inc.
It's Dan Geer.
-dave
re FLAC: I dunno! I'm not that much of an audio snob. I bet you aren't either when on airplanes. :>
-dave
http://www.immunitysec.com/
-dave
Why do people still use Evolution? -dave
This is probably ext3 sucking. I have the same problem on my 2.4 box - thanks to ext3 I'm fairly sure. -dave
That is totally hilarious - and so true!
-dave
That exploit was written closely based on my papers at http://www.immunitysec.com/papers/
Dave Aitel
Immunity, Inc.