Velocity Reviews - Computer Hardware Reviews

State Department Developing Cyber Toolkit

 
 
Hairy One Kenobi
      11-15-2005

"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In the Usenet newsgroup alt.computer.security, in article
> <mOaef.16683$q%(E-Mail Removed)> , fluidly unsure wrote:
>
> >Hairy One Kenobi wrote:

>
> >> C was due to have died out in the onslaught of 4GLs.. about 1990, if
> >> memory serves.
> >>
> >> "A stone bridge still takes load, even after the invention of CFRP" ;o)

>
> C exists, despite the invention of thousands of prospective replacements
> exactly because it still works quite well TYVM


Exactly

> >> * Somewhere between Babbage and C21. It's amazing what you can do with
> >> pointers; and depressing what you can do if you don't understand the
> >> consequences ;o)

>
> It was developed for use by people with clue - a commodity in shockingly
> short supply over the past 30 years.


Not so exactly... ;o)

> >> Never saw B (although BPL allegedly was based upon it), but A must have
> >> kinda.. sucked :)

>
> I think you really mean BCPL, as 'BPL' is a late invention based on Basic.
> According to Dennis Ritchie, B was created as a 'cut down' version of BCPL
> because they only had 4K of memory on their PDP-7. BCPL (Basic Combined
> Programming Language) dates from 1967.


You caught my typo (slaps head!*), but it stood for "British Computer
Programming Language". 'Twas more B than C (apparently), and published by
whoever did ProText under CP/M.

Remember, this was in the days before (e.g.) YACC! Not since Ada has anyone
had to do so much, so unwillingly, for so little effect ;o)

H1K

*Just re-read - /my/ head! ;o)


 
Moe Trin
      11-16-2005
In the Usenet newsgroup alt.computer.security, in article
<Mouef.1890$(E-Mail Removed)>, Hairy One Kenobi wrote:
>
>"Moe Trin" <(E-Mail Removed)> wrote


>> It was developed for use by people with clue - a commodity in shockingly
>> short supply over the past 30 years.

>
>Not so exactly... ;o)


I dunno - C was originally written with some slackness - but who do you
blame for buffer overflows? K & R for writing instructions that allowed
this, or the programmers who refuse to use improved instructions or at
least check the crap they get handed to avoid overflows? It's not as if
this were discovered only in the past ten years. Yet we are seeing the
same attack concepts exploiting overflows year, after year, after year.

>You caught my typo (slaps head!*), but it stood for "British Computer
>Programming Language". 'Twas more B than C (apparently), and published by
>whoever did ProText under CP/M.


That's the problem with acronyms - it really is too easy to confuse things.

Old guy
 
Hairy One Kenobi
      11-17-2005
"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In the Usenet newsgroup alt.computer.security, in article
> <Mouef.1890$(E-Mail Removed)>, Hairy One Kenobi wrote:
> >"Moe Trin" <(E-Mail Removed)> wrote


> I dunno - C was originally written with some slackness - but who do you
> blame for buffer overflows? K & R for writing instructions that allowed
> this, or the programmers who refuse to use improved instructions or at
> least check the crap they get handed to avoid overflows? It's not as if
> this were discovered only in the past ten years. Yet we are seeing the
> same attack concepts exploiting overflows year, after year, after year.


Agreed.. but it's not an attack against a given platform, but an attack
against consistently sloppy programming practices. (We could probably go on
all week about how C - in particular - makes this easier to do, but let's
not ;o)

In my own code, I have a "standard" socket read routine, that I know works;
in a "past life" at a news agency, I remember chopping some 500 lines (from
an 1100 line eventual program!) that were simple repeats, rewrites, and
"oopsies". Took about two hours.

FFS! Here I am, with a routine that has continued pretty much unaltered
since Delphi 1. And /definitively/ unaltered since Delphi 4. (I'm currently
adjusting to D2005. And sort of missing D6 ;o)

The problem isn't in the platform, it's in the programmers. There are more
Windows programmers out there (and bad ones - let's not complain about
people using the registry badly, but more about people ignorantly using it
incorrectly!), but it certainly isn't a platform thing. But you're much more
likely to get random fires from petrol/gasoline spillage than from, say,
mammoth-oil. It's all in the platform.

Someone writing Open Source certainly doesn't make them an instant Guru. Or
necessarily mean that their code is - in any meaningful way - peer-reviewed.

Cards on the table - my particular, Delphi-specific, SMTP server module has
been downloaded 2107 times, at time of writing. I don't claim it to be the
be-all and end-all. After all, you need to be a pretty serious server
programmer to even take note.

But I *will* happily contrast it with stuff that I *have* reviewed, such as
the FireFox IDN implementation.

By all means, protest (this isn't aimed at you, Moe!), but give me the means
to judge you - submit your own code, or code that *you* have reviewed. If I
don't find error, then by all means have a nice warm feeling :)

And vice versa...

Reap/sow/submit (common UK phrase is "put up or shut up")

H1K


 
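Moe's point about programmers who don't "check the crap they get handed", and H1K's "standard socket read routine that I know works", describe the same routine from two sides. The following is an added example written for this page, not code from either poster: a length-prefixed record reader in C, in the sloppy form that trusts the sender's length field beside the form that validates it before any byte is copied. The wire format (2-byte big-endian length, then payload), the 16-byte payload limit, and the in-memory `sim_sock` stand-in for a socket (which deliberately returns short reads, as a real `recv()` does) are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Wire format assumed for this example (not something the thread specifies):
 * a 2-byte big-endian payload length, then that many payload bytes. */
#define MAX_PAYLOAD 16

/* Stand-in for a socket: hands out at most `chunk` bytes per call from a
 * constructed byte string, so short reads happen just as with real recv(). */
struct sim_sock {
    const uint8_t *data;
    size_t len, pos, chunk;
};

static ssize_t recv_sim(struct sim_sock *s, void *buf, size_t want)
{
    size_t avail = s->len - s->pos;
    size_t n = want < s->chunk ? want : s->chunk;
    if (n > avail)
        n = avail;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;           /* 0 = peer closed */
}

/* The sloppy version: believes the length in the header and keeps reading
 * into a 16-byte buffer until it has that many bytes. A header claiming
 * 1024 bytes overruns `out` by 1008 bytes. Shown for contrast only; never
 * call it on untrusted input. */
int read_record_trusting(struct sim_sock *s, char out[MAX_PAYLOAD])
{
    uint8_t hdr[2];
    if (recv_sim(s, hdr, 2) != 2)
        return -1;
    size_t claimed = ((size_t)hdr[0] << 8) | hdr[1];
    size_t got = 0;
    while (got < claimed) {      /* claimed is never compared to MAX_PAYLOAD */
        ssize_t n = recv_sim(s, out + got, claimed - got);
        if (n <= 0)
            return -1;
        got += (size_t)n;
    }
    return (int)claimed;
}

/* Read exactly `need` bytes into buf, looping over short reads. Refuses up
 * front when need exceeds the caller's capacity `cap`, so the copy loop can
 * never run past the buffer. Returns 0 on success, -1 on short/closed input. */
int read_exact(struct sim_sock *s, uint8_t *buf, size_t cap, size_t need)
{
    if (need > cap)
        return -1;
    size_t got = 0;
    while (got < need) {
        ssize_t n = recv_sim(s, buf + got, need - got);
        if (n <= 0)
            return -1;
        got += (size_t)n;
    }
    return 0;
}

/* The checked version: the declared length is validated before a single
 * payload byte is read. Returns the payload length, or -1 for a record that
 * is oversize or truncated. */
int read_record_checked(struct sim_sock *s, char out[MAX_PAYLOAD])
{
    uint8_t hdr[2];
    if (read_exact(s, hdr, sizeof hdr, 2) < 0)
        return -1;
    size_t claimed = ((size_t)hdr[0] << 8) | hdr[1];
    if (claimed > MAX_PAYLOAD)
        return -1;               /* sender lied about the length: drop it */
    if (read_exact(s, (uint8_t *)out, MAX_PAYLOAD, claimed) < 0)
        return -1;               /* connection closed mid-record */
    return (int)claimed;
}

int main(void)
{
    /* Constructed sample input: one valid 5-byte record, then a header that
     * claims 1024 bytes; chunk=3 forces short reads. */
    static const uint8_t wire[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
                                    0x04, 0x00, 'A', 'A', 'A' };
    struct sim_sock s = { wire, sizeof wire, 0, 3 };
    char out[MAX_PAYLOAD];
    int n = read_record_checked(&s, out);
    printf("first record: %d bytes \"%.*s\"\n", n, n, out);
    printf("second record: %d (rejected before any copy)\n",
           read_record_checked(&s, out));
    return 0;
}
```

The difference between the two readers is one comparison, which is the whole of Moe's complaint: the length field is data the peer chose, and the only safe order is check it, then read it. A real implementation would also cap how long it waits for the rest of a record, but that is a denial-of-service concern rather than the overflow discussed here.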
Moe Trin
      11-17-2005
In the Usenet newsgroup alt.computer.security, in article
<9%Pef.4856$(E-Mail Removed)>, Hairy One Kenobi wrote:

>Someone writing Open Source certainly doesn't make them an instant Guru.


No, but if their code is accepted in a project, it certainly isn't the
stuff they teach in "Intro to Computer Programming Languages". Last
time I looked, I didn't see "hello, world" in the source for Apache
or Sendmail, or the FreeBSD (or Linux) kernels. With most open
source projects, the author usually has a choice of a number of chunks
of code written by others. Even if the author selects a piece of goat
droppings, someone else is going to come up with a replacement that at
least isn't quite as horrible. Presented to the author properly, it has
a chance of being adopted.

>Or necessarily mean that their code is - in any meaningful way -
>peer-reviewed.


I suspect that Open Source code is peer-reviewed a lot more often than
closed source simply because it's possible to do so. Eric S. Raymond
wrote in "The Cathedral & The Bazaar" (O'Reilly, ISBN 1-56592-724-9,
October 1999, but available on the web)

8. GIVEN A LARGE ENOUGH BETA-TESTER AND CO-DEVELOPER BASE, ALMOST
EVERY PROBLEM WILL BE CHARACTERIZED QUICKLY AND THE FIX OBVIOUS TO
SOMEONE.

Or, less formally, "Given enough eyeballs, all bugs are shallow."

Want to review the entire distribution of a *BSD or Linux release? Not
a problem (other than the enormous volume), because it's there. Fedora
Core 4 is a current Linux release and comes on nine CDs - 4 of binaries,
one is a rescue disk, and the other 4 are source (2.67 Gigs of binaries,
2.57 Gigs of bzip2 compressed tarballs), so it might be a daunting task.

But I don't think anyone would review an entire source tree. Someone
might look at a section pertaining to something they know about, or
when they are trying to figure what it was that caused the massive
explosion in the printer, or out of plain curiosity, but that's about it.

>By all means, protest (this isn't aimed at you, Moe!), but give me the
>means to judge you - submit your own code, or code that *you* have
>reviewed. If I don't find error, then by all means have a nice warm
>feeling )


Glad you aren't asking me - my C skills are properly defined as "emergency
use only". I'm a networking admin, and while I do Bourne shell stuff, I'm
not paid enough to program

Old guy
 
Hairy One Kenobi
      11-18-2005

"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In the Usenet newsgroup alt.computer.security, in article
> <9%Pef.4856$(E-Mail Removed)>, Hairy One Kenobi wrote:
>
> >Someone writing Open Source certainly doesn't make them an instant Guru.

>
> No, but if their code is accepted in a project, it certainly isn't the
> stuff they teach in "Intro to Computer Programming Languages". Last
> time I looked, I didn't see "hello, world" in the source for Apache
> or Sendmail, or the FreeBSD (or Linux) kernels. With most open
> source projects, the author usually has a choice of a number of chunks
> of code written by others. Even if the author selects a piece of goat
> droppings, someone else is going to come up with a replacement that at
> least isn't quite as horrible. Presented to the author properly, it has
> a chance of being adopted.


Granted.

> >Or necessarily mean that their code is - in any meaningful way -
> >peer-reviewed.

>
> I suspect that Open Source code is peer-reviewed a lot more often than
> closed source simply because it's possible to do so. Eric S. Raymond
> wrote in "The Cathedral & The Bazaar" (O'Reilly, ISBN 1-56592-724-9,
> October 1999, but available on the web)


While I have no knowledge of the cite posted, what I *will* say is that,
when I've personally checked (the FireFox IDN thing is a recent example),
I've seen examples of coding "oopsies" that even a remotely sane individual
would have noted and flagged. If such peer review were a fact.

> 8. GIVEN A LARGE ENOUGH BETA-TESTER AND CO-DEVELOPER BASE, ALMOST
> EVERY PROBLEM WILL BE CHARACTERIZED QUICKLY AND THE FIX OBVIOUS TO
> SOMEONE.
>
> Or, less formally, "Given enough eyeballs, all bugs are shallow."


Absolutely. Although, in Real Life (tm), it's a lot harder to see these bugs
(and that can be even simple ones, let alone the convoluted nonsense that
one gets in a "mature" codebase). I can even volunteer the simplest of the
most obvious - one of our major products still proclaims a copyright date of
2004. Trivial, yes. On every bloody screen, yes. And missed by everyone (I
asked for it to be changed a mere 2 months into this year... we're now days
from 2006). We're not talking of a trivial userbase, either - it might be
low on the list of things to fix (but hasn't been flagged, that I know of),
but - of the multi-millions of users that our product has, who has seen fit
to report the problem?

No one.

Yes, it's highly trivial, but.. what about the [proposed] legions of
programmers that "everyone" puts forward as having checked OS code? I
deleted the FireFox source a while back, but there's an entry in the
now-recommended-disabled code that basically says "must remember to comment
this out". But it isn't. And, TBH, who the hell noticed?

> But I don't think anyone would review an entire source tree. Someone
> might look at a section pertaining to something they know about, or
> when they are trying to figure what it was that caused the massive
> explosion in the printer, or out of plain curiosity, but that's about it.


Used to be that one peer-reviewed in a modular fashion (can't say if it
happens now, but that was certainly the vogue when I started coding
professionally in the late eighties)

My experience indicates that it's damned difficult to actually catch a bug -
you can catch a style that indicates a likely proliferation of bugs ("Ravi
Patel", sometime before 1990; I have never before seen more GOTO labels in
FORTRAN than there are working lines of code. And, thank Dog, never since.
Fortunately, "nothing important" - /just/ the C2 system used by several
British county Police forces)

> I'm a networking admin, and while I do Bourne shell stuff, I'm
> not paid enough to program


More's the shame - once upon a time, cutting code was viewed in a similar
way to architecture (a merging of art and engineering); then the HR weenies
got involved, and it became an engineering discipline without the
engineering structure. Bad move.

Dunno about where you live, but in the UK programming is paid in a similar
way to Dickensian clerks - I happened to luck-out in getting two very
technical jobs that allow me to keep up to date, while avoiding that whole
drift into Management (although, that said, the last couple of days was the
first time that I've built an ActiveX control)

<Shudder>.

There's also a lot more documentation on the Net than there was three years
ago.. but not for Delphi and building - rather than using - ActiveX.

In a frankly rather pathetic moment of pride, I'd like to think that I was
in some way still "up there" for learning a wholly new bit of methodology in
less than a day. Not that, you understand, the control is any good - I'd
/like/ it to take an LDAP call, Base64 decode it and *remember* what it's
done. Instead, I submit the retrieved string, decode it *every damned time*,
and /then/ report. Choice was get the job done and go on holiday to Spain
tomorrow [today!], or finesse the code.

Did I mention that I trained as a practical engineer? :D

H1K


 
Moe Trin
      11-19-2005
In the Usenet newsgroup alt.computer.security, in article
<eE9ff.1726$(E-Mail Removed)>, Hairy One Kenobi wrote:

>"Moe Trin" <(E-Mail Removed)> wrote


>Absolutely. Although, in Real Life (tm), it's a lot harder to see these bugs
>(and that can be even simple ones, let alone the convoluted nonsense that
>one gets in a "mature" codebase). I can even volunteer the simplest of the
>most obvious - one of our major products still proclaims a copyright date of
>2004. Trivial, yes. On every bloody screen, yes.


Has anything in the product changed this year? (I know, I see that one
fairly frequently.)

>Yes, it's highly trivial, but.. what about the [proposed] legions of
>programmers that "everyone" puts forward as having checked OS code? I
>deleted the FireFox source a while back, but there's an entry in the
>now-recommended-disabled code that basically says "must remember to comment
>this out". But it isn't. And, TBH, who the hell noticed?
>
>> But I don't think anyone would review an entire source tree.


That might be one reason right there.

>Used to be that one peer-reviewed in a modular fashion (can't say if it
>happens now, but that was certainly the vogue when I started coding
>professionally in the late eighties)


But how big was the code base? There's a heck of a difference trying
to stay aware of something in a program of 100,000 lines versus several
tens of millions. Late 80s? Here's a simple comparison:

73091 Aug 17 1991 linux-0.01.tar.gz
1259161 Mar 12 1994 linux-1.0.tar.gz
2354612 Aug 1 1995 linux-1.2.13.tar.gz
7269221 Nov 16 1998 linux-2.0.36.tar.gz
19343412 Mar 25 2001 linux-2.2.19.tar.gz
37009983 Jan 5 2003 linux-2.4.24.tar.gz
49087256 Nov 11 05:39 linux-2.6.14.2.tar.gz

You get quite a few lines in a 49 Megabyte tarball, and this does not
include the GNU C libraries this depends on.

>My experience indicates that it's damned difficult to actually catch a
>bug - you can catch a style that indicates a likely proliferation of bugs


I know what you are saying - but by the same token, it's not impossible.
I don't have a cite, but in November 2003 someone "got to" the
Linux source tree, and inserted a backdoor. The file change was detected
by the versioning system (Bitkeeper), and my understanding is that the
flaw was detected AND UNDERSTOOD by several of the maintainers rather
quickly... try www.freedom-to-tinker.com/?p=472 according to google.

>("Ravi Patel", sometime before 1990; I have never before seen more GOTO
>labels in FORTRAN than there are working lines of code. And, thank Dog,
>never since.




>Fortunately, "nothing important" - /just/ the C2 system used by several
>British county Police forces)


Well, as long as it wasn't important.

>More's the shame - once upon a time, cutting code was viewed in a similar
>way to architecture (a merging of art and engineering); then the HR weenies
>got involved, and it became an engineering discipline without the
>engineering structure. Bad move.


Any time HR gets involved, things tend to go down the tubes. We've had
similar problems here trying to work around the hoops. They wanted us
to install windoze on a couple of systems (we're totally *nix) so they
could use some resume parsing application that looks for buzzwords in Word
documents, and didn't understand that the people we're looking to hire
don't own a windoze box, and won't be using it to write the resume. Still
fighting that one.

>Dunno about where you live, but in the UK programming is paid in a similar
>way to Dickensian clerks


EXPN?

>I happened to luck-out in getting two very technical jobs that allow me
>to keep up to date, while avoiding that whole drift into Management
>(although, that said, the last couple of days was the first time that I've
>built an ActiveX control)


Management doesn't promote technical types into their "lofty" realm. You
need "more appropriate training".

>In a frankly rather pathetic moment of pride, I'd like to think that I was
>in some way still "up there" for learning a wholly new bit of methodology
>in less than a day.


There is merit in that.

>Choice was get the job done and go on holiday to Spain tomorrow [today!],
>or finesse the code.


But then, there _are_ priorities.

>Did I mention that I trained as a practical engineer? D


No, but enjoy the trip to the Sunny South - winter is coming. In another
two or three weeks, I'm going to have to turn on the heaters in the
morning - temperature only got up to 30C today.

Old guy
 
Hairy One Kenobi
      11-24-2005
"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In the Usenet newsgroup alt.computer.security, in article
> <eE9ff.1726$(E-Mail Removed)>, Hairy One Kenobi wrote:
> >"Moe Trin" <(E-Mail Removed)> wrote
> >Absolutely. Although, in Real Life (tm), it's a lot harder to see these bugs
> >(and that can be even simple ones, let alone the convoluted nonsense that
> >one gets in a "mature" codebase). I can even volunteer the simplest of the
> >most obvious - one of our major products still proclaims a copyright date of
> >2004. Trivial, yes. On every bloody screen, yes.

>
> Has anything in the product changed this year? (I know, I see that one
> fairly frequently.)


(Sorry - not ignoring you, been away!)

Yep - semi-major releases every six months, temporary-fix [t-fix] releases
with either a bugfix or new functionality every week or two.

> >Used to be that one peer-reviewed in a modular fashion (can't say if it
> >happens now, but that was certainly the vogue when I started coding
> >professionally in the late eighties)

>
> But how big was the code base? There's a heck of a difference trying
> to stay aware of something in a program of 100,000 lines verses several
> tens of millions. Late 80s? Heres a simple comparison:
>
> 73091 Aug 17 1991 linux-0.01.tar.gz
> 1259161 Mar 12 1994 linux-1.0.tar.gz
> 2354612 Aug 1 1995 linux-1.2.13.tar.gz
> 7269221 Nov 16 1998 linux-2.0.36.tar.gz
> 19343412 Mar 25 2001 linux-2.2.19.tar.gz
> 37009983 Jan 5 2003 linux-2.4.24.tar.gz
> 49087256 Nov 11 05:39 linux-2.6.14.2.tar.gz
>
> You get quite a few lines in a 49 Megabyte tarball, and this does not
> include the GNU C libraries this depends on.


Hmm. Good question. Probably in the region of 100-150k in toto, of which
only one section was something I hadn't touched at some point.

Thing is, though, this was a system for performing a specific task - the
Linux example above would include - I assume! - all of the layered stuff,
rather than just be the OS? In other words, lots of different things, whose
only common trait is that they sit on the same platform.

> >My experience indicates that it's damned difficult to actually catch a
> >bug - you can catch a style that indicates a likely proliferation of bugs

>
> I know what you are saying - but by the same token, it's not impossible.
> I don't have a cite, but in November 2003 someone "got to" the
> Linux source tree, and inserted a backdoor. The file change was detected
> by the versioning system (Bitkeeper), and my understanding is that the
> flaw was detected AND UNDERSTOOD by several of the maintainers rather
> quickly... try www.freedom-to-tinker.com/?p=472 according to google.


Oh, I've caught bugs that way myself - many, many times. My argument is that
it's simply not very efficient - and usually only works if you're looking
for a known specific bug.

> >Dunno about where you live, but in the UK programming is paid in a similar
> >way to Dickensian clerks

>
> EXPN?


You'd have to do it for love, rather than money. Unless you freelance, or
split out into management, there aren't a lot of openings for highly-paid
techies over here. I "got lucky" in my last two roles, after spending six
whole weeks being bored rigid as a Business Analyst. Wanted to get rid of
three-four hours on the train each day, commuting to work in a City of
London firm.

> enjoy the trip to the Sunny South - winter is coming. In another
> two or three weeks, I'm going to have to turn on the heaters in the
> morning - temperature only got up to 30C today.


Just got back from Stansted - yesterday I was sitting on a beach; a couple
of hours ago I was standing on the apron in 1C... brrrrr! :)

H1K


 
Moe Trin
      11-24-2005
On Thu, 24 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<Zv9hf.1200$(E-Mail Removed)>, Hairy One Kenobi wrote:

>Yep - semi-major releases every six months, temporary-fix [t-fix] releases
>with either a bugfix or new functionality every week or two.


Sounds like something fell off the checklist

>Hmm. Good question. probably in the region of 100-150k in toto, of which
>only one section was something I hadn't touched at some point.


Even a hundred thousand lines isn't something you can remember where
this or that function, or some information, might be hiding. Recently,
I had to fumble my way through a source looking to see if a variable was
hard coded or not. The only way I succeeded was because I can use a tool
named 'grep' to locate strings in a file. There were no less than 159
files in 14 subdirectories, totalling 78285 lines of C. And regarding
copyright data - each file had one, and if my scripting is right, five
files have been changed this year, but don't mention 2005 in the
copyright lines. You're not alone.

>Thing is, though, this is was system for performing a specific task - the
>Linux example above would include - I assume! - all of the layered stuff,
>rather than just be the OS? In other words, lots of different things, whose
>only common trait is that the sit on the same platform.


No, that 49 Meg tarball is just the kernel of the O/S. There is a lot more
needed to get the computer to even boot - never mind the tools needed
to do anything. For one example, the source files for 'Fedora Core 4' (a
current Linux distribution) total 2.57 Gigabytes of tarballs. You don't
need all of that stuff - probably a mere 750 Megs worth would do. But I
also remember when a "distribution" was 50 or 70 floppies worth of source
which you downloaded over the phone.

>Oh, I've caught bugs that way myself - many, many times. My argument is that
>it's simply not very efficient - and usually only works if you're looking
>for a known specific bug.


Looking on Bugtraq, you'll occasionally see something that was discovered
in an audit of the source code. But thousands of times more often, it's
been discovered by someone looking to see why this or that happens.

>You'd have to do it for love, rather than money. Unless you freelance, or
>split out into management, there aren't a lot of openings for highly-paid
>techies over here.


In reality, it's like that most everywhere. I did hear that Google is
looking, and offering new grads a starting salary of six figures plus
stock (and the location 40 miles South of San Francisco - three miles
from where I used to live - is pretty good), but the burn out rate is
rather high too.

>I "got lucky" in my last two roles, after spending six whole weeks being
>bored rigid as a Business Analyst. Wanted to get rid of three-four hours
>on the train each day, commuting to work in a City of London firm.


Can't say about the job, but the idea of working in the City is not all
that appealing. A commute that far (especially by train)... no, thank you.

>Just got back from Stanstead - yesterday I was sitting on a beach; a couple
>of hours ago I was standing on the apron in 1C... brrrrr! )


Today's a holiday here, and this is the biggest travel weekend of the year.
I used to visit family on the East coast (six hours by air, not including
a plane change somewhere), but it's too cold for me any more. I go back
in mid-summer. My sister indicated temps in 5-10C range today. Heck,
my un-heated swimming pool is warmer than that, and I'm not going near it
because it's too cold.

Old guy
 
Hairy One Kenobi
      11-25-2005
"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Thu, 24 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
> <Zv9hf.1200$(E-Mail Removed)>, Hairy One Kenobi wrote:
>
> >Yep - semi-major releases every six months, temporary-fix [t-fix] releases
> >with either a bugfix or new functionality every week or two.

>
> Sounds like something fell off the checklist
>
> >Hmm. Good question. probably in the region of 100-150k in toto, of which
> >only one section was something I hadn't touched at some point.

>
> Even a hundred thousand lines isn't something you can remember where
> this or that function, or some information, might be hiding.


Agreed.. if OS. This was (extremely!) proprietary. Think "next competitor
catching-up, nail the b***ard!". That was pretty much our mission statement,
which was why we got the job instead of Development. Still remember the
comment from the Marketing chap when he discovered that it's not a good idea
to show high-level prospects their own page on a Development system. The
address of the insurance company was "underhanded", instead of "Underhill".
One of the lasses had an outstanding claim on her car insurance... :)

If one can be proud that one's software has been turned-off, then I'm fairly
damned happy that mine lasted just over ten years.. a big chunk of it is
still in operation, from 1992, but that particular bit was something that I
considered uniquely, well, /mine/. Won't bore you with the details, but
took 32k lines of code, beat it into around 5k of code that - in the overall
system - worked slightly in excess of 15 times faster, and was far more
resilient to boot.

Who gives a **** if you are entirely hack-proof (cough!), if one **** of an
Operator can delete the live database by mistake, and then do a runner?
Although I was denim-wearing Development, and not permitted to touch
Production (or, at the end, even Staging) systems, this is the origin of my
conviction about good backups.

TBH, I doubt that one soul on this planet noticed - but it's why I *always*
include backups in any general definition of "security". As an aside, the
xCI code (the one bit I didn't get involved in) was the bit that had..
issues.. when driven at high speed. Although I wouldn't be human if I said
that I didn't rather enjoy Chris' squirming at finding his software
crapping-out every three minutes or so.

I wouldn't recommend it for a life's ambition, but "evil" can be fun at
times.. or at least entertaining, hovering over someone's desk, asking "has
it crashed yet?" ;o)

Oh, and the reason that it crashed? You'll love this - buffer overflow.
Despite the obvious, the progger in question hard-coded a 16-unit queue. I'm
not Jewish, but.. schmuck!

> Recently,
> I had to fumble my way through a source looking to see if a variable was
> hard coded or not. The only way I succeeded was because I can use a tool
> named 'grep' to locate strings in a file. There were no less than 159
> files in 14 subdirectories, totalling 78285 lines of C. And regarding
> copyright data - each file had one, and if my scripting it right, five
> files have been changed this year, but don't mention 2005 in the
> copyright lines. You're not alone.


"Variables won't, Constants don't". C assumptions about cAPS-lOCK are still
a little frightening to an (cough) "alternative" language progger. Although
I don't do COBOL. Life's too short.

> >Thing is, though, this was a system for performing a specific task - the
> >Linux example above would include - I assume! - all of the layered stuff,
> >rather than just be the OS? In other words, lots of different things, whose
> >only common trait is that they sit on the same platform.

>
> No, that 49 Meg tarball is just the kernel of the O/S. There is a lot more
> needed to get the computer to even boot - never mind the tools needed
> to do anything. For one example, the source files for 'Fedora Core 4' (a
> current Linux distribution) total 2.57 Gigabytes of tarballs. You don't
> need all of that stuff - probably a mere 750 Megs worth would do. But I
> also remember when a "distribution" was 50 or 70 floppies worth of source
> which you downloaded over the phone.


Yikes!

(And I /truly/ mean that).

WTF happened to the Mach kernel that everyone was on about a decade or so?
Did everyone get bored, or simply stop bothering?

Fads and fashion are one thing, but a kernel is.. well, just *is*. Bloody
NT4 all over again... let's face it - if IBM can do it on a Mainframe and
(stands to be corrected) hands the whole lot over to OS developers, then
someone's got a serious PITA. Their head.

> >You'd have to do it for love, rather than money. Unless you freelance, or
> >split out into management, there aren't a lot of openings for highly-paid
> >techies over here.

>
> In reality, it's like that most everywhere. I did hear that Google is
> looking, and offering new grads a starting salary of six figures plus
> stock (and the location 40 miles South of San Francisco - three miles
> from where I used to live - is pretty good), but the burn out rate is
> rather high too.


Not sure I'd agree with that, at least in the UK. Last experience with
employing new grads was back (oh sh**, I /now/ feel old...) ten years ago.
Arrogance to ability ratio around 8:1; the latest types I've seen attain a
much higher number (!), but seem to fold into spin-speak when questioned.
Met Office reckon on a cold Winter. Could probably burn them for fuel, or
something ;o)

Anyway. Let's call a decent progger (as opposed to Developer = Systems
Analyst/Progger/Project Manager/PHB Victim) at around GBP12-18k. If you're
good at it, you'd earn more stacking supermarket shelves.

The Developer is more your burn-out candidate.. the good ones are *very*
good (I'm fortunate that several work for the same company; I'm now "field
sales" which - roughly translated, according to a colleague and good
friend - means "I make the lies come true" ;o)

> >I "got lucky" in my last two roles, after spending six whole weeks being
> >bored rigid as a Business Analyst. Wanted to get rid of three-four hours
> >on the train each day, commuting to work in a City of London firm.

>
> Can't say about the job, but the idea of working in the City is not all
> that appealing. A commute that far (especially by train)... no, thank you.


'Twas the only way to make decent money. In the unlikely event that the
comment didn't translate too well, British "City" == USAian "Wall Street".

<snip bit about nice weather and Thanksgiving 'cos I'm feeling jealous>

<Dick van Dyke>
Avagudun..!
</Cor blimey, Mary Poppins>

H1K


 
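H1K's crash story above ("the progger in question hard-coded a 16-unit queue" and it fell over when driven at high speed) is the other classic shape of the overflow: not a string, but a fixed-capacity FIFO whose producer outruns its consumer. The following is an added example for this page, not code from the system H1K describes: a 16-slot queue in C, first in the unchecked form where the 17th store lands past the end of the array, then as a ring buffer whose push refuses when full and reports that to the caller, plus a small driver that runs the queue at two consumer speeds and counts how many pushes would have gone out of bounds. The capacity of 16 is taken from the post; the `run_burst` driver and its producer/consumer ratios are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hard-coded capacity, as with the queue described in the thread. The number
 * is an assumption for the example; the point is what the 17th item does. */
#define QUEUE_CAP 16

struct queue {
    int items[QUEUE_CAP];
    size_t head;   /* index of the oldest item */
    size_t count;  /* items currently queued */
};

void queue_init(struct queue *q) { q->head = 0; q->count = 0; }

/* The overflow: a plain array used as a FIFO with no capacity check. When
 * the producer runs ahead of the consumer by more than 16 items, the 17th
 * store lands past the end of items[] and corrupts whatever follows it in
 * memory. Shown for contrast only; never call it. */
void queue_push_unchecked(struct queue *q, int v)
{
    q->items[q->count++] = v;
}

/* The checked version: refuse the push when the queue is full and tell the
 * caller, so the producer can drop, block or back off instead of the queue
 * silently writing past its last slot. */
bool queue_push(struct queue *q, int v)
{
    if (q->count == QUEUE_CAP)
        return false;
    q->items[(q->head + q->count) % QUEUE_CAP] = v;
    q->count++;
    return true;
}

bool queue_pop(struct queue *q, int *out)
{
    if (q->count == 0)
        return false;
    *out = q->items[q->head];
    q->head = (q->head + 1) % QUEUE_CAP;
    q->count--;
    return true;
}

/* Drive the queue at a chosen speed: push `produced` items, popping one after
 * every `consume_every` pushes. Returns how many pushes were refused, i.e.
 * how many items the unchecked version would have written out of bounds. */
size_t run_burst(size_t produced, size_t consume_every)
{
    struct queue q;
    size_t dropped = 0;
    int v;
    queue_init(&q);
    for (size_t i = 1; i <= produced; i++) {
        if (!queue_push(&q, (int)i))
            dropped++;
        if (i % consume_every == 0)
            queue_pop(&q, &v);
    }
    return dropped;
}

int main(void)
{
    printf("consumer keeping up (pop after every push): %zu refused\n",
           run_burst(40, 1));
    printf("consumer at half speed (pop after every 2 pushes): %zu refused\n",
           run_burst(40, 2));
    return 0;
}
```

With the consumer keeping pace nothing is refused and the unchecked queue would have seemed fine in testing; at half speed the backlog reaches 16 after about thirty pushes and every second push from then on is refused, which is exactly the load at which the unchecked version starts scribbling past the array and the process "craps out every three minutes or so". A refused push is a signal to apply backpressure upstream; it is not a reason to grow the array and hope.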
Moe Trin
      11-25-2005
On Fri, 25 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<a_shf.3517$(E-Mail Removed)>, Hairy One Kenobi wrote:

>Agreed.. if OS. This was (extremely!) proprietary. Think "next competitor
>catching-up, nail the b***ard!".


Not sure how to read that - remember what microsoft did to Digital Research.
But then, Gary Kildall had a reason to be antagonistic.

>The address of the insurance company was "underhanded", instead of
>"Underhill". One of the lasses had an outstanding claim on her car
>insurance...)


Nah, that never happened in the "real world"... Surely.... <runs around
the corner and tries to stop snickering too loudly>

>Who gives a **** if you are entirely hack-proof (cough!), if one **** of an
>Operator can delete the live database by mistake, and then do a runner?


Leaving aside the "hack-proof" concept, I don't know of any company that
hasn't had an operator (or even root) take careful aim, and put a .45
caliber (11 m/m) chunk of lead squarely through the wobbly bits. Someone
in another newsgroup (yesterday) identified a similar problem as
"testicular malletosis".

>TBH, I doubt that one soul on this planet noticed - but it's why I *always*
>include backups in any general definition of "security".


The person was lucky - I still recall one of the 'registrars' who was
cleaning up after the Summer interns had left, deleting their old home
directories. People who wield UID 0 really need to look two or three times
before pressing that <Enter> key. Usual problem - an extra space in the
worst possible location - rm'd an entire hard drive (not just a directory
or partition - no, let's go for the whole d?mn thing) instead of a single
(ex-)users directory. Hey, there were only 250 users on that drive, and
they only lost everything between last nights backups and about 10 AM
when she hit the <Enter> key - and we were able to restore to last-night's
backup by about noon or so... I really thought we were going to have a
major incident then, as some of the users were somewhat more than "miffed".

>I wouldn't recommend it for a life's ambition, but "evil" can be fun at
>times.. or at least entertaining,


"I am root. If you see me laughing, you better have a backup."

>hovering over someone's desk, asking "has it crashed yet?" ;o)


Top 100 things you don't want the sysadmin to say:
45. Was that YOUR directory?

>Oh, and the reason that it crashed? You'll love this - buffer overflow.
>Despite the obvious, the progger in question hard-coded a 16-unit queue. I'm
>not Jewish, but.. schmuck!


I am constantly amazed that after (what) 33 years, this is still a problem.
This can't be news to the instructors of programming language classes. For
_years_ we've been screaming about checking/validating input before even
looking at it - yet someone in a newsgroup this morning asks what can
go wrong if allowed to pass unchecked user supplied variables to a PHP
script. "Nothing, of course - what could _possibly_ go wrong?"

>"Variables won't, Constants don't".


"These are not the variables you are looking for... move along"

But then, how many programmer types are still calling whole d*mn modules
"test"?

>Yikes!


One of the Linux FAQs still talks about running Linux on an 80386 with
4 Megs of RAM, though I think it recommends swap files to bring the total
up to 8 Megs of virtual memory. In fact, my home firewall is a 386SX-16
with 8 Megs of RAM (and 8 of swap), but most distribution installation
programs won't even start with less than 128 Megs.

>WTF happened to the Mach kernel that everyone was on about a decade or so?
>Did everyone get bored, or simply stop bothering?


That's straying into advocacy, but let's just say that Linus did a better
PR job, and has a clue about getting free programmers to work together.
Look at the ChangeLog file on a 2.6.x kernel, and you'll see literally
thousands of names. Mach never had a chance in that environment.

>Not sure I'd agree with that, at least in the UK. Last experience with
>employing new grads was back (oh sh**, I /now/ feel old...) ten years ago.


We still get new grads annually. Slight advantage - most of them did time
here as interns, so we know something about them. On the other hand, the
interns gain real-life experience, but are rarely in a position to do much
harm.

>Arrogance to ability ratio around 8:1; the latest types I've seen attain a
>much higher number (!), but seem to fold into spin-speak when questioned.


Don't those types normally end up in Sales/Marketing?

>Met Office reckon on a cold Winter. Could probably burn them for fuel, or
>something ;o)


Problem with that is when you need to burn them, the state environmental
protection agency frequently has declared it a 'no burn' day because of
air quality. (Joking aside - many of the houses here have fireplaces, but
we rarely can use them. When it would be desirable, we usually have a
temperature inversion, trapping pollutants in the air, so the State Air
Quality Board bans fires, and recommends waiting until dark to refuel
cars, etc.)

>Anyway. Let's call a decent progger (as opposed to Developer = Systems
>Analyst/Progger/Project Manager/PHB Victim) at around GBP12-18k. If you're
>good at it, you'd earn more stacking supermarket shelves.


Fsck! That's down near the Federal Poverty level. Flipping burgers is
another way to make more.

>The Developer is more your burn-out candidate.


The poor sod who's got to deliver (at something remotely resembling the
schedule) that something that marketing sold, at a bottom line cost that
doesn't destroy the company. That's why I'm happy to be in an R&D
facility. Yes, we've got to deliver exciting new products, but inventions
don't have schedules.

>'Twas the only way to make decent money.


A likely excuse.

>In the unlikely event that the comment didn't translate too well, British
>"City" == USAian "Wall Street".


Know it well enough. A neighbor (used to be?) a subscriber to the FTL.

><snip bit about nice weather and Thanksgiving 'cos I'm feeling jealous>


This is the time of year we get the visitors - we call 'em "snow birds" -
from the North. You can spot 'em on the streets easy enough - they're the
ones in scanty clothing. The residents are the ones wearing jackets and
heavy coats. The real estate people love 'em, as they buy houses in this
place with the lovely weather. Come May when the thermometer hits 40C (or
July, when it hits 50), it's a different story for some reason.

><Dick van Dyke>
>Avagudun..!


Thankee, Guv'nr

></Cor blimey, Mark Poppins>


Old guy
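The crash in the post came from a hard-coded 16-unit queue that nobody bounds-checked. The example below is added here and is not code from the thread or from the system under discussion: it shows the unchecked push the post describes next to a checked ring queue that refuses the 17th item instead of writing past the array. The struct layout, the field names (slots, head, count) and the 20-item input burst are my assumptions for illustration; QUEUE_CAP is 16 only because that is the limit the post mentions.

```c
/* Added example (not from the thread): a fixed-capacity queue, unchecked
 * versus bounds-checked. Struct and names are assumed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_CAP 16            /* the hard-coded limit from the post */

struct queue {
    int slots[QUEUE_CAP];
    size_t head;                /* index of the oldest element */
    size_t count;               /* elements currently stored */
};

static void queue_init(struct queue *q)
{
    memset(q, 0, sizeof *q);
}

/* The bug as described: nothing stops count from reaching QUEUE_CAP.
 * The 17th push writes slots[16], past the end of the array and into
 * whatever the compiler placed after it (here: head and count).
 * Kept for illustration only; never called, since that write is
 * undefined behaviour. */
static void push_unchecked(struct queue *q, int item)
{
    q->slots[q->count++] = item;
}

/* Checked version: a full queue refuses the item and tells the caller,
 * so the caller (not memory layout) decides what to do with the excess. */
static bool queue_push(struct queue *q, int item)
{
    if (q->count >= QUEUE_CAP)
        return false;
    q->slots[(q->head + q->count) % QUEUE_CAP] = item;
    q->count++;
    return true;
}

static bool queue_pop(struct queue *q, int *out)
{
    if (q->count == 0)
        return false;
    *out = q->slots[q->head];
    q->head = (q->head + 1) % QUEUE_CAP;
    q->count--;
    return true;
}

/* Feed a burst of items, stop at the first refusal; returns how many
 * were accepted. Stands in for input arriving faster than it is drained. */
static size_t fill_from_input(struct queue *q, const int *input, size_t n)
{
    size_t accepted = 0;
    while (accepted < n && queue_push(q, input[accepted]))
        accepted++;
    return accepted;
}

/* 20 constructed inputs against 16 slots: expect exactly 16 accepted. */
static size_t demo_overfill(void)
{
    struct queue q;
    int input[20];
    queue_init(&q);
    for (int i = 0; i < 20; i++)
        input[i] = i * 10;
    return fill_from_input(&q, input, 20);
}

/* Fill, drain three, push three more, then drain everything in order.
 * Returns the last value popped: 102 if wrap-around preserved FIFO order. */
static int demo_wraparound(void)
{
    struct queue q;
    int v, last = -1;
    queue_init(&q);
    for (int i = 0; i < QUEUE_CAP; i++)
        queue_push(&q, i);
    for (int i = 0; i < 3; i++)
        queue_pop(&q, &v);
    queue_push(&q, 100);
    queue_push(&q, 101);
    queue_push(&q, 102);
    while (queue_pop(&q, &v))
        last = v;
    return last;
}

int main(void)
{
    (void)push_unchecked;   /* shown, deliberately never executed */
    printf("accepted from a burst of 20: %zu\n", demo_overfill());
    printf("last value after wrap-around: %d\n", demo_wraparound());
    return 0;
}
```

The point is the return value on queue_push: once the full condition is a bool the caller must handle, "queue full" becomes a dropped or deferred item rather than a write into the neighbouring field, and the consumer can still drain and refill indefinitely because head wraps modulo QUEUE_CAP.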