Re:Well known problems, mitigation long overdue on Examining ICMP Flaws · Score: 1
thank you. I have 2 moderator points and i just read this entire thread looking for someone mentioning this. I would mod you up, but you are at the top already.
all of my code gets -Wall -Werror -pedantic, i more do constants on the left out of habit now, but i don't think it's a bad idea, or ugly.
Also note that -pedantic wouldn't create a warning, but gcc -Wall would.
mind the qualifier, which states that 'I' don't find it to be ugly.. not very pedantic of you.
The mere idea that somehow the constant being on the left as opposed to the right brings forth the stench of religious idiocy.
why? the solution really becomes putting your constants on the left-hand side of the expression.
It's really not that hard to get used to, i don't find it to be particularly ugly and it solves the problem.
to anyone who makes a routine of putting their constants on the left-hand side of the expression, that becomes not very hard to notice.. although intermixed with several megabytes of source it becomes less obvious.
What I mean is:
if (( (__WCLONE|__WALL) == options && 0 = current->uid))
will throw an error, whereas 0 == current->uid will not.
I guess it depends on whether you think the application or the operating system should be in charge of resource limits. It seems to me that, since an operating system needs resource limits to protect itself from rogue programs, a cooperating program may just as reasonably rely on the existence of resource limits. djb's programs do.
I would agree with you, if it didn't take a programming error, i.e. int overflows to cause the situation. This is the case in all 3 of Guninski's bugs, i.e. integer overflow causes the problem, os ulimits/etc stop you from exploiting, but the bug still exists nonetheless.
So in the end, it has nothing to do with who controls resource limits, but rather who caused the bug that causes the need for resource limits.
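The distinction argued above, as an added C example that is not part of the original comments and is not qmail's code: a size computation that wraps stays wrong whether or not a resource limit keeps the wrapping length out of reach, and the fix is a range check in the program. The `struct buf` type and the function names are hypothetical, and the sample lengths are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer with 32-bit counters (illustrative only). */
struct buf {
    char    *data;
    uint32_t len;   /* bytes in use, excluding the terminator */
    uint32_t cap;   /* bytes allocated */
};

/* Unchecked size computation: len + extra + 1 is reduced modulo 2^32, so a
 * large enough len silently yields a tiny allocation size. */
uint32_t needed_unchecked(uint32_t len, uint32_t extra)
{
    return len + extra + 1u;
}

/* Checked version: returns 0 and stores the size, or -1 if it would wrap. */
int needed_checked(uint32_t len, uint32_t extra, uint32_t *out)
{
    if (extra > UINT32_MAX - 1u || len > UINT32_MAX - 1u - extra)
        return -1;
    *out = len + extra + 1u;
    return 0;
}

/* Append n bytes. Fails closed on arithmetic overflow and on allocation
 * failure; the second is the only case a resource limit can produce. */
int buf_append(struct buf *b, const char *src, uint32_t n)
{
    uint32_t need;

    if (needed_checked(b->len, n, &need) != 0)
        return -1;
    if (need > b->cap) {
        char *p = realloc(b->data, need);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = need;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed values: a length just under 4 GiB plus a 32-byte append. */
    uint32_t len = 0xFFFFFFF0u, extra = 0x20u, need = 0;

    printf("unchecked size: %u bytes\n", (unsigned)needed_unchecked(len, extra));
    printf("checked result: %d\n", needed_checked(len, extra, &need));
    return 0;
}
```

A memory limit below 4 GiB means `len` never gets near the wrapping range, which hides the unchecked arithmetic without correcting it; the checked version behaves the same with or without the limit.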
You pinpointed my argument exactly.
Whether or not the OS protects you from these bugs, they still remain bugs.
The fact that DJB refuses to fix his code speaks volumes about his character and is reason enough to not use his code.
Do his interests lie in security, or upholding his 'never had a bug found' reputation? I think this instance clearly shows where he stands.
This changes the code how?
I thought we were conversing over whether there were bugs in the code or not?
Not whether OS-dependent configurations masked the bug or not?
This is more like saying, certain versions of gun model X have been known to misfire and sometimes shoot out the back of the gun, but it's not a bug if you point the gun backwards.
Yes I only counted 4 of them as being DJB bugs. As for the 32 to 64 bit thing, yes naturally. My biggest argument is as a professor of CS and generally an asshole to people about their coding, this is something that should have been coded in a manner that would not break when switching between processors, even if it's far into the future and we are using 256b processors. I mean, even if 64b didn't exist at the time of the code writing, the implications of such things were clearly understood.
Yes, all of the bugs are unrealistic in practice, and you should have ulimit controls in place regardless, but for a programmer to depend on this is a mistake, this holds doubly true if the programmer makes claims as to being security minded.
I mean, it's still a bug in the code either way, you should not rely on the OS to protect you.
Even with qmaild permissions, most boxes out there are pretty cushy once on the inside, and most root compromises happen from a user who already has local access-- whether it be an account or a compromised service that didn't run as root.
DJB claimed at least the top three were not bugs because simply put, no one runs qmail like that, which is incredibly silly on his part to me, I mean, okay so this changes your code how? It's still a bug, even if the os protects you from it, you haven't fixed the bug, just masked it.
In regards to OpenBSD, I suppose in a few areas they are ahead of the curve, for instance the way they just changed their malloc/free routines (although we shall see over time if they were ahead of the curve or off hitting the pipe again), but in many areas they are quite behind in comparison to say PaX/Grsec.. and that's just in security.. outside of that, they just got ELF support in i386 as of what? 3.4?
I'd like to see DJB, Theo and RMS in a boxing ring with sickles attacking each other to the death, and then we should shoot whoever is the winner.
funny, what are these?
http://osvdb.org/searchdb.php?action=search_title&vuln_title=qmail&Search=Search
Additionally, about two years ago I saw code floating around for qmail.
Just because Denial Bernstein claims there are no bugs and finds technicalities to justify his position, doesn't mean they don't exist... but then I imagine most of the people who believe that type of stuff also believe openbsd is ahead of the curve.
i often argue and ponder such things, and you have added another argument to my arsenal. My two favorites prior to this were:
most of us believe slavery to be incorrect, however at the time of its implementation in the US, it was the norm, and the people of the country wanted it. So then what is a politician to do, what is correct? or what the people want?
The other one deals with situations like israel/palestine and england/n. ireland, where most everyone living on the land has lived there about as long as the rest of the people there, and therefore they both have valid claim to the land (i have as much claim to the US as a native american, both of our lineages have been here long enough to validly call it home)
and now, the more or less free as a result of not being able to sell myself into slavery.
thanks.
if you hadn't already been modded up to the max, i would have spent my last moderation point modding you up. a great memory for a great man ;]
notice virusbuster is no longer in #virus and is only in #vxers.
also, if you look at things, 29a is more or less dead. The most interesting people have left the group many of which to go on to better things.
while i like 29a and am friends with many of the original 29a authors, i giggled at the concept that it has overall been a better zine than phrack.
Seriously, consider the first years of phrack and then tell me with a straight face it has gotten worse.
3 or 4 years ago I made a bunch of jewelry out of old computer parts, much of it was similar to what I see here. Then I was called a geek, now it's news. blah!
wait.. i don't get it, where is god?
So, say my apartment/house gets bombarded with the neighbor's wifi? Whose property is it? I mean, surely it's his radio signal, but it's passing through my property. This is akin to running a telephone line through my house. I realize this is somewhat ridiculous, but seriously, your rights stop when they impede mine.
Let's suppose for a second that I sit at home in my bathtub wearing a tinfoil hat and that i don't feel comfortable with your radio waves passing through my house, is it within my rights to try and stop you?
if so, is it within my rights to use your internet?
of course, we are at war, war always increases the numbers. Psst, you might want to get a realistic measuring system.
well I was referring more to another official government and trying to state more that their decision changes nothing, but gives them less of a bargaining chip when the inevitable happens.
the important part is that people are thinking about it. I've been up all night debugging a pthreaded nightmare of a library, but after I get some sleep I will add into your thoughts some more.
I mean, I'm relatively neutral in either court, but what's to stop say Asia from springing up its own root DNS servers, serving .notus, eventually if it grows enough the demand would be large enough to force a merge, or at least in theory it would.
I only hope that we can remember what arrogant assholes we were to the world as the EU continues to climb and the US continues to slide.
I live in phoenix and I swear I just heard RMS scream.
I was waiting for your comment to get modded up (as I knew it would) before replying.
For starters, only (3) has anything to do with internetworking protocols, everything else is dependent on the OS-- the topic at hand was about 'hardening the internet', not 'how to fix microsoft'. Aside from that, my rebuttals to everything follow.
1) This really has nothing to do with how networks work, but rather how credit card companies/internet merchants process the credit card numbers, and still nothing stops me from getting you to give me your temporary credit card number and then turning around and using it-- not hard to track, but still not foolproof.
2) And who decides what is classified as signed and not signed? Is there a central registry? How do you get listed in it? Pay some money, keep in mind many spyware companies consider themselves legitimate advertisers and wouldn't have a problem jumping through the hoops to get classified as signed, poof gator shows up with a 'BRIGHT ORANGE BORDER', all this stops is john q. from creating pop ups-- and that's only if there is a centralized database, otherwise I will just sign it as 'fish oil inc'.
3) watch my hands as I wave them and propose a 'hardened email system' with next to no detail. How are these tokens issued? do we again have a centralized database, what's to stop me from breaking into your server and using *your* tokens? wouldn't that be insult to injury?
4) do not watch the man behind the curtains. The bigger problem here is the OS's ability to decide that you can't shut a service down. And if everything is in a sandbox, what's the point of breaking out? It's like chrooting everything inside the same jail-- a compromise there still equates to an entire system compromise.
5) What? A 'no-spy-on-me' option? Okay and this does what exactly? what's to stop me from just raw reading memory, or patching a read/write system call or similar and just reading everything? Or say, for me to add a hook in a system library that checks executions against a file list, and if certain files are executed then I would just preload spyware.exe which in turn calls iexplorer.exe? Checksums you say? what shall we do when a user wants to update? What's to stop me from updating your checksum? Well how does the OS do it, why can't I update the checksum in the same manner as the OS, or better yet, just ask the OS to do it for me- again vague on details, good rhetoric though.
6) Okay, I say you create it, then I will market a program that has legit uses to me and questionable uses to you, and when you mark my program as 'JUNK' and make it authoritative, it won't matter that no one is running my program because I just made a ton of cash suing you. The problem here is that you assume everyone agrees on the uses of a program, gator probably feels their programs are quite useful.
Additionally, almost all of your answers require a centralized database of one sort or another, and then the big problem is, who gets to run it? Microsoft? Didn't they just buy gator? I bet they think their software is useful, oops green-listed.
again, tell me exactly, what does most of this have to do with the internet as opposed to the operating systems on the internet? Now, excuse me, but would you please pass the bong?
"Look at phishing and spam, and zombies, and all this crap," said Clark. "Show me how six incremental changes are going to make them go away."
Wait Mister Clark, you show me how *any* amount of change(s) will ever fix the inevitable human error, whether it be running a bad program or an actual programming error-- I'm sorry, but no design change will ever 100% fix that.