Re:The real 90s versus outdated 00s software (on Java Is So 90s) · Score: 1
A language is just a BNF diagram specification which describes the syntax of the program, and all of its reserved words.
No... it is that, yes, but it also describes the semantics of the language -- what those reserved keywords, constructs, data types, etc, do. This is where you start getting into inherent problems in the language, like its garbage collection, etc.
You probably have to upgrade to 4.1 first -- I know 4.1 is a non-trivial upgrade. Gentoo won't let you do it directly, you have to back up, upgrade, and reimport. The biggest problem is revdep-rebuild (rebuilding packages linking against the old libmysqlclient), which took a while. All told, I had probably about an hour of downtime, but my database isn't very big.
Any application whose sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.
How about an application whose sole job is to pull data from untrusted sources as root and pass it to other programs which either send it to other hosts, receiving back untrusted data, run programs on that data, or write that data to disk as a user? Gotta have security problems, right?
http://cr.yp.to/qmail.html
But our contention is, if you're searching, you've lost something. We are building an automatically organized system where you don't lose it in the first place.
This is simply not the case. I know that Chicken of the VNC is located in "/Applications/Chicken of the VNC.app," but there's no way I'm going to navigate to it when I can type cmd-space-"chicken"-down-enter. Just because I know where something is doesn't mean I want to go find it.
The Smashing Pumpkins did this in 2000 with Machina II: The Friends and Enemies of Modern Music. Machina was originally intended to be a double album, but Virgin didn't want to produce a double album, fearing it wouldn't sell. The band pressed 25 vinyl copies and distributed it to friends, family, radio stations, and various internet people (like the maintainer of alt.music.smash-pumpkins) with instructions to spread it as much as possible.
Oh, god, I sound like a DJB fanboy... but he makes a good point here. It's not that I or anyone else can't figure it out, it's that I shouldn't have to figure it out. I should only have to learn how to start Apache once. Maybe it's cause I'm used to my Mac JustWorking(tm).
I can get into just about any car and find the gas pedal. I can't boot any distro and figure out how to start Apache. I have to know something about the philosophy of the maintainers.
<bsdrant> In BSD, you know how everything's gonna work. Even in the lucrative, flamewar-ridden world of Theo de Raadt, you've still got man hier(7). Now you know where your shit's going to be. </bsdrant>
It must be boring to watch that movie over and over again to see if it's smart or not. I don't know about everyone else, but I thought it was pretty good.
Re:I don't really like PHP that much... (on A Decade of PHP) · Score: 1
Yeah -- find a webserver running PHP
My biggest problem with PHP is that it makes it easy for novices to write code that runs on webservers, open to the world, taking data from untrusted sources, without the slightest inkling of anything security-related. Hop on bugtraq for a few days to see what I mean.
This is TI we're talking about -- if calculators were a larger market, or if we depended on them more, we'd be comparing them to Microsoft. Every 3-4 years, they put out a calculator with features HP has had for a couple years, set the price point too high, and campaign schools to get them to use it.
I love TI calculators, though. I have 4 graphing calcs; I really got started with programming on my 83, and I've written TI-BASIC, Z80 assembler, and C programs for them. When you start mucking around with assembly (or C if you're using the low-level key APIs), you figure out how the keypad works. On the TI-82, for instance, if you want to test for the MODE key being pressed, you write a byte to port 1, the keyboard port. Set a bit corresponding to the row the key is on, in this case, bit 6. Now read a byte from port 1 -- any bit cleared corresponds to keys that are pressed (in this case, bit 6). So it's a sort of matrix -- you've got rows and columns, so you mask a row and look at a column. It's possible, however, to make the calculator think you're pressing 4 keys when you're only pressing 3, if they're 3 corners of a key matrix square.
What TI did here was take the key off the keypad and remove the contact, but the actual calculator didn't know that. This kid figured out how to make it think he was pressing the Dec->Frac button. It'd be pretty hard for TI to do anything about this, although I imagine they will.
Now just wait till high school when this same kid puts a TI-89 in an 83's case, complete with swapping out the keys and everything. Then he can get a program that just shows a blinking cursor, and he's all set.
(and what's with Slashdot telling me I've failed to prove my humanity after I'm logged in, but not giving me a captcha image to do so?)
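The three-corners effect described in the post above comes from a matrix with no diode per key: a closed switch conducts in both directions, so the current a row scan injects can wander through a second closed switch onto another row and out through a third. The C model below is an added example, not code from the thread or from TI's firmware. It treats the keypad as an abstract 8x8 matrix (row/column indices, the floating-row assumption and the function names are mine, not TI's real port 1 semantics), computes what each row scan reads once ghost paths exist, and shows the check firmware can make when it cannot add diodes: flag a scan in which two rows share two columns, because one of those four keys may be a phantom.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ROWS 8
#define COLS 8

/* pressed[r] has bit c set when the switch at (row r, column c) is
 * physically closed. Assumption of this model: unselected rows float, so
 * a closed switch lets current pass row -> column -> other row -> column. */

/* Scan one row: the set of columns that read as pressed is every column
 * electrically reachable from `row` through closed switches. With a diode
 * per key this would be exactly pressed[row]; without diodes, ghosts appear. */
uint8_t scan_row(const uint8_t pressed[ROWS], int row) {
    uint8_t row_seen = (uint8_t)(1u << row);   /* rows current has reached */
    uint8_t col_seen = 0;                      /* columns current has reached */
    bool grew = true;
    while (grew) {
        grew = false;
        for (int r = 0; r < ROWS; r++) {           /* rows -> columns */
            if (!(row_seen & (1u << r))) continue;
            uint8_t newcols = (uint8_t)(pressed[r] & ~col_seen);
            if (newcols) { col_seen |= newcols; grew = true; }
        }
        for (int r = 0; r < ROWS; r++) {           /* columns -> rows */
            if (row_seen & (1u << r)) continue;
            if (pressed[r] & col_seen) { row_seen |= (uint8_t)(1u << r); grew = true; }
        }
    }
    return col_seen;
}

/* Full scan: what firmware that trusts the matrix believes is pressed. */
void scan_all(const uint8_t pressed[ROWS], uint8_t seen[ROWS]) {
    for (int r = 0; r < ROWS; r++) seen[r] = scan_row(pressed, r);
}

/* Defensive check: a scan is ambiguous when two rows share two or more
 * columns (the corners of a rectangle), since the fourth corner may be a
 * ghost. Firmware that detects this can hold off acting on the new keys
 * instead of guessing which of the four are real. */
bool scan_is_ambiguous(const uint8_t seen[ROWS]) {
    for (int a = 0; a < ROWS; a++)
        for (int b = a + 1; b < ROWS; b++) {
            uint8_t shared = (uint8_t)(seen[a] & seen[b]);
            if (shared & (shared - 1)) return true;  /* two or more shared bits */
        }
    return false;
}

int main(void) {
    /* Constructed input: (0,0), (0,1) and (1,0) closed, three corners of a
     * square. Key (1,1) is not pressed, but row 1 reads it as pressed. */
    uint8_t pressed[ROWS] = {0};
    pressed[0] = 0x03;
    pressed[1] = 0x01;
    uint8_t seen[ROWS];
    scan_all(pressed, seen);
    printf("row 1 reads 0x%02x, physically 0x%02x -> ghost at (1,1)\n", seen[1], pressed[1]);
    printf("ambiguous scan: %s\n", scan_is_ambiguous(seen) ? "yes" : "no");
    return 0;
}
```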
The weirdest thing I've seen lately has been the craziness provoked by a feud between tech writer Maureen O'Gara of LinuxGram/Linux Business News and her apparently bitter rival, blogger Pamela Jones (PJ) of Groklaw. It began some time back when the two exchanged barbs over intimations that Jones was somehow a stooge for IBM in the SCO-Linux battle and that O'Gara was somehow a stooge for SCO. You can see where this is headed.
So over the past week O'Gara tracked down and photographed PJ's home and PJ's mother's home and posted pics in her column, with veiled accusations that the entire Groklaw site is a front for IBM in its battle with SCO. Once this article appeared, all hell broke loose in the Linux community, with editors scrambling. There was removal of the offending article with apologies all around. Then came accusations of this and that; staffs of editors quitting in protest; publishers befuddled; veiled threats of lawsuits; vituperative attacks on multiple parties, including the LinuxWorld publisher, editors, O'Gara, and PJ; several worldwide denial-of-service attacks on LinuxWorld's parent company, Sys-Con Media; calls to Interpol; O'Gara's "firing"; and a flamestorm on Slashdot and elsewhere.
Oh, brother. In the olden days, O'Gara would have been given a medal for generating readership. But in today's world of the so easily offended, she's apparently let go instead, and things calm down as the hissy fit subsides.
Although her article was removed, you can usually find it on the Google cache (an interesting situation if you think about it), and I'm sure someone will mirror the piece eventually. Whatever the case, I've seen this feud become ridiculous and invasive, but I've seen worse on network TV with less-public figures than PJ. I would have paid no attention to the whole thing if I represented the collective thoughts of the Linux community. What difference does it make?
First let's get a few things straight. All of O'Gara's assertions are nutty. And I'm not talking about the yet-to-be-proven assertion that PJ is a 60-year-old dowager stooging for IBM. That's just ludicrous on the surface. Yet that is what is claimed.
First of all, IBM has lawyers, and it sure doesn't need to have someone find out via the discovery process that it's fronting a Web site about this case. That would simply never happen. Besides, IBM is not that clever. There are also enforced policies against this sort of thing.
It's wrong to assume that IBM expected the SCO battle to drag out like this from the outset. Unlikely! And I should mention that just because I, for example, developed an early timeline of the SCO history doesn't mean I'm a stooge for SCO or IBM either.
That said, the Linux community figures that O'Gara is being paid by SCO or Microsoft or someone bad. Again, if this were so, and if it was ever proven or stumbled on during the discovery process (nothing to take lightly), it would be a disaster for the litigation chances of the company doing the paying. It just wouldn't be worth the risk. It appears to me that O'Gara is just being overly provocative to get readers. And apparently it doesn't take much provocation, as the Linux community is slowly evolving into a state of mob rule, with the cheerleaders being paranoid crackpot leftovers from the waning days of Amiga. "Too nutty even for the Mac community? We welcome you!"
Now these lunatics are issuing death threats? I can tell you that my mere mentioning of any of this will result in incredibly hateful attempted postings on this forum and on my moderated blog. What is wrong with these people?
If anything is going to kill Linux and the open-source movement, it's the presence of certifiable lunatics in the ranks representing the users. It may be that this is actually a deep Astroturf PR campaign orchestrated by Microsoft to discredit open source and Linux. It sure seems like something weird is going on.
I can tell you this much: Normal people do not like being associated with fanatics and lunatics. Once Linux gets the image as the OS for the criminally insane, it's a dead duck. Unless the community gets a handle on this, grows up, and rebukes the extremists, the trash heap of history is where this is all headed.
A good one would be Crimson II: telnet to mud.crimson2.com, port 4000. If you can make Avatar without writing macros, you will be a good typist. Then try beating Novius in PK without using triggers.
RTF review. Nowhere does he mention "here's an undetectable ub3r-l33t wallhack for CS:Source!" It's *hacks*. In the true sense of the word. Apparently you don't understand that. R->C->P.
Because Azureus runs like a lazy snail crawling through molasses in January on an incline. Plus, I don't want to have to use 1.5 gig of swap space to download a 100 MB file.
How about saying that pi is exactly "1.000" in "base pi"?
First off, it'd be 10.000 in base pi. :eng101: Second, you're begging the question. Hey, I've got a number. It's called a. Its value is 10.0(a). Now you know exactly what that number is, right? No, you don't. That's like saying pi is equal to 1*pi. It gets you absolutely nowhere.
Yes, it's true, NX will protect you from the simple char buf[512]; strcpy(buf, untrusted_data). But that doesn't mean it's secure. What if the return address the attacker supplies isn't on the stack? What if it's in a predictable malloc() buffer? Ok, set NX on malloc()s. What if it's in the code segment? You can't make that NX. What if it's in libc? Once again, can't make that NX. Lots of undesirable stuff can be done without executing stack code.
Random offsets won't help much -- they'll help some, but what if you can write a LOT of data into that buffer? Give it a LARGE NOP sled.
Detect when a process is doing a lot of NOPs in a row and kill it? Ok. Use "AIAIAIAIAIAIAIAI..." 'A' = 0x41 = inc %ecx, 'I' = 0x49 = dec %ecx. Together, they are an effective NOP. Hell, most of the time, "AAAAAAAAA..." is an effective NOP. Does an attacker really care what's in ECX?
The problem is NOT the architecture, NOT the OS, and NOT the language. It's not a problem with libc, stdio, strcpy, or anything else. If you haven't figured this out by now, you might want to read about computer architecture -- computers do what you tell them to. I can write secure code in which I strcpy() from untrusted data into a static buffer on the stack, on an x86 running Windows with no NX. Hell, I'll even do it in real mode.
I'm not a DJB fanboy, but he does have quite a few good points. Programmers are lazy. Write secure code.
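The post above argues that whether strcpy() from untrusted data into a stack buffer is safe is decided by the code, not by NX or the architecture. The C below is an added example, not code from the thread: it puts the unchecked pattern next to a bounds-checked version of the same copy, where the untrusted input arrives as a pointer plus length, the length is validated against the destination before any byte moves, and oversized or malformed input is rejected instead of truncated. Function and buffer names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512

/* The pattern from the thread: no length check at all. strcpy() copies
 * until it finds a NUL, so input longer than the buffer overwrites whatever
 * sits above it on the stack. NX stops one way of using that overwrite; it
 * does not stop the overwrite. Kept here as the "before"; the demo below
 * only ever calls it with well-formed input. */
void unsafe_handle(const char *untrusted_data) {
    char buf[BUF_SIZE];
    strcpy(buf, untrusted_data);
    printf("unsafe_handle got %zu bytes\n", strlen(buf));
}

/* Hardened copy: the caller passes an explicit length instead of trusting
 * the input to be NUL-terminated where it should be. Returns false and
 * leaves dst untouched when the input does not fit (one byte is reserved
 * for the terminating NUL), so an oversized message is refused, not cut. */
bool copy_untrusted(char *dst, size_t dst_size,
                    const unsigned char *src, size_t src_len) {
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    if (src_len >= dst_size) return false;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

/* Same job as unsafe_handle(), done the safe way. Returns the number of
 * bytes accepted, or -1 if the input was rejected. Embedded NULs are
 * rejected too: the rest of the program treats buf as a C string, and the
 * sender should not get to choose where that string "ends". */
int safe_handle(const unsigned char *untrusted_data, size_t len) {
    char buf[BUF_SIZE];
    if (!copy_untrusted(buf, sizeof buf, untrusted_data, len)) return -1;
    if (strlen(buf) != len) return -1;
    return (int)len;
}

int main(void) {
    /* Constructed sample inputs: a short message, one exactly at the
     * limit, one over it, and one carrying an embedded NUL. */
    unsigned char small[16] = "hello";
    unsigned char filled[BUF_SIZE + 100];
    unsigned char with_nul[8] = { 'a', 'b', '\0', 'c', 'd', 'e', 'f', 'g' };
    memset(filled, 'A', sizeof filled);

    printf("5 bytes:   %d\n", safe_handle(small, 5));               /* 5   */
    printf("511 A's:   %d\n", safe_handle(filled, BUF_SIZE - 1));   /* 511 */
    printf("512 A's:   %d\n", safe_handle(filled, BUF_SIZE));       /* -1  */
    printf("612 A's:   %d\n", safe_handle(filled, sizeof filled));  /* -1  */
    printf("with NUL:  %d\n", safe_handle(with_nul, 8));            /* -1  */
    unsafe_handle("short and well-formed");
    return 0;
}
```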
everyone will appreciate that
TFA mentions using AES, TDES, or RSA as alternatives to DES. He also says, "...the final AES standard is estimated to require a current cryptanalysis system 149 trillion years to decrypt." That may be true for direct-channel cryptanalysis, but side-channel attacks such as cache timings against most implementations of AES can guess the key given known plaintext, known ciphertext, and at least estimated timings for encryption.
Read more: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
5. Photoshop Ackbar saying "IT'S A TRAP" into something.
6. Overuse catchphrases
At least he's bettar than Penny Arcaded.
I suggest the name "MACE." MACE Ain't a Cocoa Emulator.
You're absolutely right. I tried to do my PHP programming in BASIC once. Bad idea.
Why, cause Drew Curtis isn't funny and his fanboys rip all their jokes off of Something Awful six months after they die? Fark still seems to think that Photoshopping Ackbar into an image is the pinnacle of comedy.
Yeah, I tend to agree. However, Rich "Lowtax" Kyanka has a forum to run, a forum that a lot of people pay for. This was messing it up, big time. People were logging in as mods, reading other people's PMs, etc. I think he's just sick of the attitude that "Well, if Google does it, it must be golden manbabies!" People seem to think this... probably because Google is awesomely great. That doesn't mean that they do everything right the first time. Although I think that the Something Awful forums should be under SSL... I'm paying my :10bux: for it.
Don't ban me, Rich. Please?
I have a feeling it will produce something almost, but not entirely, unlike tea.