Yep. As soon as I see "Sen Hatch to...", I just feel like crying. The fact that he is an elected official just drives me crazy. It's like a glazed donut, washed down with beer.
Wake up Utah, there's something stuck on your shoe, and you're stinking up the country.
A little-known fact (it must be little-known, because no-one else mentioned it) is that .NET actually supports running untrusted, or partially trusted rich clients over the internet, using their browser as a launch platform.
The enabling .NET technologies for this are code access security (CAS), and isolated storage. CAS allows local machines to limit local permissions to the running application, based on a combination of factors including the location that the code is running from (e.g. over the Internet). Isolated storage allows an application to have a small file-system sandbox that it can use for its own purposes.
In .NET 1.0, Microsoft has not pushed this technology much, because they only had the groundwork done. Come .NET 2.0, and they will be pushing it more. Expect full rich clients that can be automatically downloaded, and installed on your Windows box, without worrying about whether the application has a virus or will interfere with other apps, etc. (because CAS prevents the app from doing anything that accesses the filesystem, the local network or whatever).
I use ASP.NET regularly; it is my web development tool of choice.
I find ASP.NET a little bit of a contradiction really...In so many ways it seems designed like VB6, i.e. simplified so much that it hurts sometimes. In other ways, it uses code inheritance for web pages, user-controls and web-controls, which are all wonderful things.
I'm hoping ASP.NET 2.0 will be better, but I already consider ASP.NET to be better than plain old ASP (no experience in PHP, so I can't comment on that).
I liked your title, because I believe that the development process is key to quality+secure software.
However, your ideas on "written in stone" specs are unrealistic (as you know). When you are programming for businesses you have to let your processes adapt to the way the business works.
If your business typically has late-breaking features that "need" to be included, then it is up to your project managers (and you) to ensure that your process can handle that.
Maybe "handling it" means providing estimates of how the new requirement will influence the schedule (that one usually scares them off). Maybe it means actually assigning programmers to complete the functionality, because there is a real business need.
My point is that there are processes that deal well with changing requirements (e.g. extreme programming), and there are those that do not deal well with changes. Which you use for a particular product can make all the difference in the success of your effort.
The real problem in software security lies in the design of the software itself
That is a little oversimplistic IMO. The impact of design on security is primarily in the impact of the security problems, not on the overall number of security holes. Take Windows for example - it may or may not have more holes than Linux, but when they do occur, they typically allow hackers "root" access.
The number of security problems is more driven by software development processes and quality control.
It's not as black and white as that of course, but nothing ever is in the software world.
I don't have much insight from the point of view of the theory, but as someone who has programmed a lot of software, my opinion is that you can prove things about software, although nothing as generic as "it is secure".
I believe it is possible to prove that a system is immune to a specific attack (such as a previous hole that has been fixed), or even a generalized attack (such as buffer overflows). There are tools that help to do this, but not many, and nothing that integrates well into the development process.
Your assessment of buffer overflows is not overly harsh. But don't be too hard on the programmers; it's not all their fault. Organizations, managers (and most programmers) do not understand that there are compromises in software development. Programmers are typically under heavy pressure to produce something in short amounts of time using the minimal resources. Inevitably, given a choice between producing a product before their competitors, or of better quality than their competitors, an organization will choose to get it out the door first, bugs and all.
As an industry, software development is *very* young and immature. As the parent post said, we have a long way to go before we can consistently produce better quality software. There are techniques available that improve quality, but at the perceived cost of more development time. Experienced software developers typically fight for the right to use these techniques in practice, but do not always win.
Ok, I'll do your homework for you. Comparing the articles listed on the author's website with the TOC of the book, the book appears to have the following additional articles:
4. Good Bad Attitude
6. How to Make Wealth
7. Mind the Gap
10. Programming Languages Explained
14. The Dream Language
15. Design and Research
The author's website has the following articles not in the book:
Stopping Spam
So Far, So Good
Filters that Fight Back
Better Bayesian Filtering
Design and Research
Will Filters Kill Spam?
Spam is Different
Filters vs. Blacklists
Succinctness is Power
Being Popular
What Made Lisp Different
The Roots of Lisp
Programming Bottom-Up
Lisp for Web-Based Applications
Why Arc Isn't Especially Object-Oriented
Five Questions about Language Design
If Lisp is So Great
Java's Cover
What Languages Fix
Chapter 1 of Ansi Common Lisp
Chapter 2 of Ansi Common Lisp
E-Commerce
There are 2 styles of subscriptions in the world today. The first is the "lease" style - you get a product for a low ongoing cost, and at the end of some period you own the product, or can trade it in for the next product version. During the lease, the product features remain static, and the value of the product decreases.
The second style is the "rent" style, you pay a fixed price for as long as you want to keep the product. Occasionally, the product may be upgraded (e.g. an apartment complex may install new energy efficient windows). When you no longer want the product, then you stop paying (although usually you have to commit to a period).
Given that software manufacturers want software subscriptions, which model do you think they prefer? Let's try and find some current examples...
Why do people lease cars? Because the prices are exorbitant. Why would people lease a hardware and software combination? Is the price of those 2 combined exorbitant? Are there any examples out there already?
What about Tivo? Combined software and hardware, together for a particular purpose, with a monthly subscription and a low initial cost. People are quite happy to pay a monthly subscription, even though the software remains static. This is not the "lease" style, it is the "rent" style. So, given that established corporations are spectacularly non-original entities, there is little likelihood that they will go for the lease style of subscriptions.
Given that, and using Tivo as a reference, what can we deduce? The hardware need not be upgradeable, and the software need only support a very limited capability to upgrade. In addition, the user will have little or no ability to alter or substitute the software themselves. Finally, the hardware/software unit will perform limited, specific functionality.
Perhaps it will be an "office" machine, with a word processor and a spreadsheet. Or a travel machine, or even a remote desktop machine, with no functionality of its own.
I am not entirely clear what Sun seeks to gain. Will corporations rent server appliances? Do they now? I don't know. Microsoft's focus is more obvious, since they have traditionally worked on the "client" side of things.
With regard to DRM, in the PC appliance world, it is a non-issue. If the appliance has no place for an analogue output, and the software is not accessible, then the user has no way to access the content, except through the appliance.
Actually, it looks like they have innovated in their own way. They have a common file format for all of their office apps, and they have focused on building it from the ground up to support robust linking of data between documents. Their focus is on integration, because that is the weakness of their competitors. It seems to me that they have looked at what MS did, and taken the good stuff and left out the bad. Can you say "embrace and extend"?
From their whitepaper...
None of the Office suites currently sold today constitutes a REAL Office. Instead, they are separate components packaged together for marketing purposes. Microsoft adopted this approach, in part to gain an advantage over software publishers that did not have a complete line of products. Unfortunately, the result is based on domination rather than innovation - an environment that touts minor enhancements yet gives many users no economic reason to incur the cost of an upgrade. Evermore Software believes software users deserve a better solution than a system that requires the launching of four or five separate applications just to complete one task. This premise guided our development of Evermore Integrated Office - the only REAL Office - the first coherently-designed, well-conceived Office suite. It is one integrated program, not many disjointed applications, and delivers one standard user interface in screen layout, display screen style, keystroke usage, dialog boxes, menus and submenus, icon sets, function key usage, help system and file format. It stores all data in one file format - not the several file formats used by others. It saves all data related to any one project in one file or a binder. And, when the user changes the source data of linked data, EIO applies that change automatically, immediately, correctly, to all other uses of that same source data to assure data synchronization. Evermore Software believes that true integration distinguishes the Office
I had a go at writing one, and can summarize as follows. There are 4 essential parts...
1) The crawler - goes out and retrieves pages
2) The parser - parses the pages, finding links and text.
3) The indexer - indexes the pages.
4) The searcher - interprets the index in the context of a user's search request.
None of these are especially hard to do simple versions of, but all of them are hard to do well.
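The four parts listed above, in working form. This is an added example and not the commenter's own code: the "web" it crawls is a constructed in-memory dict of URL to HTML (the example.test and other.test hosts are made up), so it runs offline, and the crawler is bounded by a page limit and a host allow-list so it cannot wander off the site.

```python
"""Miniature search engine: crawler, parser, indexer, searcher.

Added example (not the commenter's code). SITE is a constructed stand-in for the web."""
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site: URL -> HTML.
SITE = {
    "http://example.test/": '<html><body><h1>Home</h1><p>Welcome to the sandbox wiki.</p>'
                            '<a href="/cas">code access</a> <a href="/storage">storage</a></body></html>',
    "http://example.test/cas": '<html><body><p>Code access security limits permissions by zone.</p>'
                               '<a href="/">home</a><a href="/storage">isolated storage</a></body></html>',
    "http://example.test/storage": '<html><body><p>Isolated storage gives each application a private '
                                   'storage sandbox.</p><a href="http://other.test/">elsewhere</a></body></html>',
}


class PageParser(HTMLParser):
    """Part 2, the parser: collects absolute link targets and visible text."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.links, self.text, self._skip = base_url, [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(urljoin(self.base, href))
        if tag in ("script", "style"):
            self._skip += 1          # do not index script/style bodies as text

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def parse(url, html):
    p = PageParser(url)
    p.feed(html)
    return p.links, " ".join(p.text)


def crawl(start, fetch, allowed_host, limit=100):
    """Part 1, the crawler: breadth-first, stays on one host, stops at limit pages."""
    seen, queue, pages = set(), [start], {}
    while queue and len(pages) < limit:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != allowed_host:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        links, text = parse(url, html)
        pages[url] = text
        queue.extend(links)
    return pages


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def build_index(pages):
    """Part 3, the indexer: inverted index term -> {url: term frequency}."""
    index = defaultdict(dict)
    for url, text in pages.items():
        for tok in tokenize(text):
            index[tok][url] = index[tok].get(url, 0) + 1
    return index


def search(index, query):
    """Part 4, the searcher: AND over the query terms, ranked by summed frequency."""
    terms = tokenize(query)
    if not terms:
        return []
    candidates = None
    for t in terms:
        urls = set(index.get(t, {}))
        candidates = urls if candidates is None else candidates & urls
    scores = {u: sum(index[t][u] for t in terms) for u in candidates}
    return sorted(scores, key=lambda u: (-scores[u], u))


if __name__ == "__main__":
    pages = crawl("http://example.test/", SITE.get, "example.test")
    index = build_index(pages)
    print(search(index, "isolated storage"))
```

Swapping `SITE.get` for a real fetch function is the only change needed to crawl a live site, and the host check plus page limit are the two controls that keep such a crawler from becoming a nuisance to other people's servers.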
My online bank has 2 techniques they use to try and fight key logging.
1) Provide a mouse-driven numeric keypad (they use short numeric pins as a primary password)
2) Require a strong secondary password, of which random characters are requested each time. So, if I login today, they will request characters 1, 6 and 7. The next time they may request 1, 5 and 7.
Point 2 provides dubious benefits, I think. Sure, it defeats keylogging but I would guess that most people write down the 2nd password, so that they can easily find the requested letters. Plus, it is complicated enough to be a tech-support nightmare.
At the storage level, there is no need to have a limit on the length at all. Password systems only store a hash (always the same length), so there is no impact on the system if a user uses a long password.
Limited password lengths are either a factor of legacy aspects of the system, user interface limitations, or poor security (not storing password hashes).
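The storage point made above, as an added example that is not the commenter's code: a salted, key-stretched hash produces a record of the same size whether the password is 7 characters or 1000. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the record format and the MAX_PASSWORD_BYTES cap are this example's own choices.

```python
"""Salted password hashing with a fixed-size stored record.

Added example, not the commenter's code. Parameters and record format are
this example's own choices, not any particular system's."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000        # illustrative; tune to the hardware you verify on
SALT_BYTES = 16
HASH_BYTES = 32
MAX_PASSWORD_BYTES = 4096   # bounds KDF work per attempt; it is not a storage limit


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64)."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long to key-stretch")
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS, dklen=HASH_BYTES)
    return "pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False                      # malformed record
    if algo != "pbkdf2-sha256":
        return False
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def stored_length(password: str) -> int:
    """Size of the stored record: identical for every password length."""
    return len(hash_password(password))


if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple", "z" * 1000):
        print("%4d chars in -> %d bytes stored" % (len(pw), stored_length(pw)))
```

The record carries its own algorithm name and iteration count so the parameters can be raised later without invalidating existing users. The one cap in the code limits how much work a single verification attempt can cost, which matters for any deliberately slow hash; it has nothing to do with how much is stored.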
Agreed. I can already get stamps from my ATM, why not vote there too? Forget separate machines though, just pay the banks to add the functionality to ATMs.
Very off-topic (but right at home in this thread), but interestingly, MS has recently come up with an innovative solution to the "always root/admin" problem, in their Longhorn product.
They allow users to run as admin, but when they run applications, the applications are wrapped in a different security context that provides the minimum security that that application can work with. The application is also partially sandboxed, so that if it accesses the registry (or some other system-wide resources), it gets its own virtual copy, that does not affect others. That way, it cannot do any harm to other apps.
Now obviously MS is doing this as a hack, because it is the only way they can try and get out of their current situation, (whereby it is almost impossible to run a Windows PC as a non-admin, and their web browser is leaky as a sieve).
If I have a point, it is that the MS solution is actually simpler for users, because they do not have to think. Login as root if you like, they say, and the OS will take care of protecting you. Trust big brother :)
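The "virtual copy" behaviour described in this comment, as an added example that is neither the commenter's nor Microsoft's code: each application gets a copy-on-write view of a shared key/value store, so its writes and deletes are visible only to itself while the real store and every other application are untouched. The store, view and key names are constructed for the example.

```python
"""Copy-on-write view of a shared resource, modelling a per-application
virtualized registry. Added example; names and keys are constructed."""


class SharedStore:
    """The real, system-wide resource: a flat key -> value registry."""
    def __init__(self, initial=None):
        self.data = dict(initial or {})


class VirtualizedView:
    """What one sandboxed application sees. Reads fall through to the shared
    store unless the app has written or deleted the key itself; writes and
    deletes land in a private overlay and never reach the shared store."""
    _TOMBSTONE = object()   # marks a key the app deleted in its own view

    def __init__(self, shared):
        self.shared = shared
        self.overlay = {}

    def get(self, key, default=None):
        if key in self.overlay:
            v = self.overlay[key]
            return default if v is self._TOMBSTONE else v
        return self.shared.data.get(key, default)

    def set(self, key, value):
        self.overlay[key] = value

    def delete(self, key):
        self.overlay[key] = self._TOMBSTONE

    def keys(self):
        live = {k for k in self.shared.data if self.overlay.get(k) is not self._TOMBSTONE}
        live |= {k for k, v in self.overlay.items() if v is not self._TOMBSTONE}
        return sorted(live)


def demo():
    """Two applications sharing one registry; app A modifies, app B only reads."""
    registry = SharedStore({"HKLM/Software/Shared/Path": "C:/Shared",
                            "HKLM/Software/Shared/Debug": "0"})
    app_a, app_b = VirtualizedView(registry), VirtualizedView(registry)
    app_a.set("HKLM/Software/Shared/Debug", "1")        # A flips a shared setting
    app_a.delete("HKLM/Software/Shared/Path")           # A deletes a shared key
    app_a.set("HKLM/Software/AppA/Installed", "yes")    # A adds its own key
    return {
        "a_sees_debug": app_a.get("HKLM/Software/Shared/Debug"),
        "b_sees_debug": app_b.get("HKLM/Software/Shared/Debug"),
        "system_debug": registry.data["HKLM/Software/Shared/Debug"],
        "a_sees_path": app_a.get("HKLM/Software/Shared/Path"),
        "b_sees_path": app_b.get("HKLM/Software/Shared/Path"),
        "a_keys": app_a.keys(),
        "b_keys": app_b.keys(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The tombstone is the part that is easy to get wrong: without it a deleted key would silently reappear on the next read because the shared copy still has it.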
I am sure this is a fine contest, and the programmer(s) that win will be better than most of the other programmers that entered. However, I do not see contests like this as a true measure of "a good programmer".
The measure of a good programmer is in the robustness of the solution, in how maintainable it is, and how well its architecture will support future changes.
A better competition would be a multi-phase one, where the programmers are given several tasks that each build upon the previous solution. Alternately, they could change the problem half way through the competition. Thus, the program (and programmers) would have to be flexible enough to change to meet changing requirements.
That is what programming is about in the real world, not figuring out an algorithm to find the shortest path between two nodes.
IANAL, but unless it is a registered trademark (R), it is not really something they can enforce. Certainly, they cannot do anything about you using 2 separate words when their (TM) is on the combined words. It would be thrown out of court in minutes.
When a company wants to change their (TM) to an (R), they have to go through a registration process, part of which involves checking for existing uses of the term. Should there be too many instances of the term that are prior to their own, then it becomes more difficult for them to acquire the (R). It is my guess that they are going through the registration process, and are trying to smooth the way as much as possible.
Ignore them if you want, change it if you want. Legally, you're safe. Again, IANAL, so my advice is legally worthless.
The .NET CLS provides a common specification for any language compiler to compile to the intermediate code for .NET. So you could very well have a Prothon.NET, as well as any other $language_you_like.NET.
Perhaps in theory, but in practice the .NET CLS takes a particular view of the world, and if your language does not have the same world-view, then you will struggle to create $language_you_like.NET.
Take the people at ActiveState, for example. I recall that they made a good attempt at porting Python to .NET, but in the end gave it up as a bad idea, citing performance due to the conflicting natures of Python and .NET.
One reason that existing software developed by the government will not be made open-source, is security. While a program to calculate salt usage is probably not a security risk, what about the software used to run a government web site, or to manage social security benefits?
Programmers are lazy, and (IMO) security-by-obscurity is the most common type in use today in closed-source apps. If the code becomes open, then the security is invalidated, and sensitive data becomes at risk of being exposed. It costs money to ensure that security is incorporated correctly into applications, and government has not historically been willing to spend money in that area.
I agree with you, government software should be open - I just don't think it'll happen, and if it does then it will be a disaster from a security standpoint.
.NET executables do not need to be installed, they can simply be copied. If they are installed, then I do not know if the install app can alter .NET security profiles.
There is also something called no-touch deployment, whereby the executable is executed from a network location. Code access security is also influenced by the location from which the executable is run. So, if I run an executable off the internet, it will have very few permissions. If I run it off the local network, it will have slightly more. Local executables have the most permissions by default.
With regard to concerns over Palladium, I will refer you to a FAQ which explains how certification is NOT required.
Code access security controls what code can and cannot do, based on the identity of the code. As a machine administrator, or a network administrator, I can choose how little or how much to trust a .NET executable (for example a Script Interpreter).
Thus, I have full control over what a script that runs from the Script Interpreter can do, because it cannot do anything that I do not allow the interpreter to do. Nothing is circumvented.
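A runnable model of the two CAS mechanisms described in this comment and in the earlier comment on code access security and no-touch deployment: grants that depend on the zone the code runs from, an administrator narrowing what one specific executable may do, and a demand that walks the call stack so a script can never exceed its interpreter's grant. This is an added example, not the commenters' code and not Microsoft's .NET implementation; the class and function names, the permission names, the code-group layout and the publisher string are this example's own, and the default permission sets are illustrative rather than the real ones.

```python
"""Toy model of code access security (CAS) policy resolution.

Added example: not code from the comments above and not Microsoft's .NET
implementation. Names are this example's own; permission sets are illustrative."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Zone(Enum):
    MY_COMPUTER = "MyComputer"   # local executable: most permissions
    INTRANET = "LocalIntranet"   # run from a network share: slightly more than Internet
    INTERNET = "Internet"        # run from a web location: fewest


EXECUTION, UI, ISOLATED_STORAGE, PRINTING, FILE_IO, SOCKETS = (
    "Execution", "UI", "IsolatedStorage", "Printing", "FileIO", "Sockets")
FULL_TRUST = frozenset({EXECUTION, UI, ISOLATED_STORAGE, PRINTING, FILE_IO, SOCKETS})


@dataclass(frozen=True)
class Evidence:
    """What the runtime knows about the code: where it came from, who signed it."""
    zone: Zone
    publisher: Optional[str] = None


@dataclass
class CodeGroup:
    name: str
    matches: Callable[[Evidence], bool]   # membership condition on the evidence
    grants: frozenset
    exclusive: bool = False               # if matched, only this group's grant counts


@dataclass
class PolicyLevel:
    name: str
    groups: List[CodeGroup]


def resolve_level(level: PolicyLevel, ev: Evidence) -> frozenset:
    """One level grants the union of all matching groups, unless an exclusive
    group matches, in which case that group alone decides."""
    matched = [g for g in level.groups if g.matches(ev)]
    for g in matched:
        if g.exclusive:
            return g.grants
    granted = frozenset()
    for g in matched:
        granted |= g.grants
    return granted


def resolve(levels: List[PolicyLevel], ev: Evidence) -> frozenset:
    """Across levels the grant is the intersection: a level can only take
    permissions away, never add ones another level withheld."""
    granted = FULL_TRUST
    for level in levels:
        granted &= resolve_level(level, ev)
    return granted


def demand(call_stack: List[Tuple[str, frozenset]], permission: str) -> Tuple[bool, Optional[str]]:
    """A demand walks the whole call stack: every caller must hold the permission.
    Returns (True, None), or (False, name of the first frame that lacks it)."""
    for frame, grant in call_stack:
        if permission not in grant:
            return False, frame
    return True, None


def zone_policy() -> List[PolicyLevel]:
    """Illustrative defaults: what code gets depends on the zone it runs from."""
    machine = PolicyLevel("Machine", [
        CodeGroup("All_Code", lambda e: True, frozenset({EXECUTION})),
        CodeGroup("My_Computer_Zone", lambda e: e.zone is Zone.MY_COMPUTER, FULL_TRUST),
        CodeGroup("LocalIntranet_Zone", lambda e: e.zone is Zone.INTRANET,
                  frozenset({UI, ISOLATED_STORAGE, PRINTING})),
        CodeGroup("Internet_Zone", lambda e: e.zone is Zone.INTERNET,
                  frozenset({UI, ISOLATED_STORAGE})),
    ])
    enterprise = PolicyLevel("Enterprise", [CodeGroup("All_Code", lambda e: True, FULL_TRUST)])
    user = PolicyLevel("User", [CodeGroup("All_Code", lambda e: True, FULL_TRUST)])
    return [enterprise, machine, user]


def restrict_interpreter(levels: List[PolicyLevel], publisher: str) -> List[PolicyLevel]:
    """The administrator's choice from the comment: trust a locally installed script
    interpreter (matched here by publisher name) with only a small permission set."""
    levels[-1].groups.append(CodeGroup(
        "Restricted_Interpreter", lambda e: e.publisher == publisher,
        frozenset({EXECUTION, UI, ISOLATED_STORAGE}), exclusive=True))
    return levels


if __name__ == "__main__":
    pub = "Example Script Co (constructed publisher name)"
    levels = restrict_interpreter(zone_policy(), pub)
    interp = resolve(levels, Evidence(Zone.MY_COMPUTER, pub))
    print("interpreter grant:", sorted(interp))
    # A script runs with the interpreter's frame beneath it on the stack, so a
    # demand the interpreter cannot satisfy fails even if the script's own code
    # were fully trusted: nothing is circumvented.
    print(demand([("script", FULL_TRUST), ("interpreter", interp)], FILE_IO))
```

Two properties of the model are the ones worth checking against any such policy: a lower level can only subtract from what a higher level granted (intersection across levels), and a demand fails at the first frame that lacks the permission, which is why trusting the interpreter is enough to bound everything run inside it.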
+5 informative!!? Parent post is a complete troll. Picasa has no spyware or adware, and I have never heard of them spamming usenet.
I have owned the software for about a year now, and it is good, quality stuff.
For the fine art of tit-bounce physics, check out Tripping the Rift on SciFi. (The first episode is available streamed from their site).
Drive through voting, that's the American way!
Parent is insightful? Where are my mod points when I need them!? At best, it's funny. At worst, a troll. Argh!
Cello,
Blow me. My advice is just as good as anyone else's in this forum, certainly better than some abstract phrase like "unfair competition and passing off".
I was having a good day before I met you. Asshole.
I propose we add infinity to the supported values for an integer in SQL. I find the whole NULL thing somewhat unbalanced.
SELECT * FROM Articles WHERE Len(ReviewText) = INFINITY
RESULT
------
NULL
In case you read this far, I don't really have a point, but it is Friday afternoon, so I have an excuse.