State Department Developing Cyber Toolkit

Discussion in 'Computer Security' started by Imhotep, Nov 10, 2005.

  1. Imhotep

    Imhotep Guest

    "An anonymous reader writes "The U.S. State Department, known for its recent
    RFID passport embarrassment, seems to have developed a key tool in the
    Department of Homeland Security's cyber toolkit for federal agencies.
    There's not much out there on it other than mention of a tool called
    SandStorm in a recent press release from State's Bureau of Diplomatic
    Security. According to the site, "SandStorm simultaneously collects,
    correlates, and analyzes data on multiple computer systems and departs,
    leaving no trace of its activities. The White House is championing this
    cyber tool and the Department of Homeland Security has selected it as a
    cornerstone application for a cyber toolkit being made available to all
    Federal agencies." Sounds scary to me, but may be a step in the right
    direction."

    Press release mentioning SandStorm: http://www.state.gov/m/ds/rls/56504.htm

    If this is true, it is pretty f'd up...

    http://it.slashdot.org/

    Imhotep
     
    Imhotep, Nov 10, 2005
    #1

  2. "Imhotep" <> wrote in message
    news:...
    > "An anonymous reader writes "The U.S. State Department, known for its recent
    > RFID passport embarrassment, seems to have developed a key tool in the
    > Department of Homeland Security's cyber toolkit for federal agencies.
    > There's not much out there on it other than mention of a tool called
    > SandStorm in a recent press release from State's Bureau of Diplomatic
    > Security. According to the site, "SandStorm simultaneously collects,
    > correlates, and analyzes data on multiple computer systems and departs,
    > leaving no trace of its activities. The White House is championing this
    > cyber tool and the Department of Homeland Security has selected it as a
    > cornerstone application for a cyber toolkit being made available to all
    > Federal agencies." Sounds scary to me, but may be a step in the right
    > direction."
    >
    > Press release mentioning SandStorm: http://www.state.gov/m/ds/rls/56504.htm
    >
    > If this is true, it is pretty f'd up...


    </paranoia>

    TBH, one could describe Ethereal (or even more accurately, [Win]PCap) in
    exactly the same terms..

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!

    P.S. I'd probably pee myself laughing if this was a branded Unicenter
    (etc.)... note that the article differentiates between the "tool" and what
    the prize was awarded for!

    P.P.S. After defining "MPs" - whatthehell is the "Bureau of Diplomatic
    Security"? Someone who stops diplomats from being shot, or someone who
    explains - in a very nice way - /why/ they're about to be shot unless they
    keep their hands in plain sight...
     
    Hairy One Kenobi, Nov 11, 2005
    #2

  3. Imhotep

    Imhotep Guest

    Hairy One Kenobi wrote:

    > "Imhotep" <> wrote in message
    > news:...
    >> "An anonymous reader writes "The U.S. State Department, known for its recent
    >> RFID passport embarrassment, seems to have developed a key tool in the
    >> Department of Homeland Security's cyber toolkit for federal agencies.
    >> There's not much out there on it other than mention of a tool called
    >> SandStorm in a recent press release from State's Bureau of Diplomatic
    >> Security. According to the site, "SandStorm simultaneously collects,
    >> correlates, and analyzes data on multiple computer systems and departs,
    >> leaving no trace of its activities. The White House is championing this
    >> cyber tool and the Department of Homeland Security has selected it as a
    >> cornerstone application for a cyber toolkit being made available to all
    >> Federal agencies." Sounds scary to me, but may be a step in the right
    >> direction."
    >>
    >> Press release mentioning SandStorm: http://www.state.gov/m/ds/rls/56504.htm
    >>
    >> If this is true, it is pretty f'd up...

    >
    > </paranoia>


    perhaps, perhaps not....

    > TBH, one could describe Ethereal (or even more accurately, [Win]PCap) in
    > exactly the same terms..


    Ethereal does not self-install and deinstall itself for stealthy
    purposes... and it is PCap... just because it was ported to Windows does not
    mean it needs a "Win" in front of it :-o

    Imhotep
     
    Imhotep, Nov 11, 2005
    #3
  4. "Imhotep" <> wrote in message
    news:...
    > Hairy One Kenobi wrote:


    <snip>

    > > TBH, one could describe Ethereal (or even more accurately, [Win]PCap) in
    > > exactly the same terms..

    >
    > Ethereal does not self-install and deinstall itself for stealthy
    > purposes... and it is PCap... just because it was ported to Windows does not
    > mean it needs a "Win" in front of it :-o


    True (I'm assuming that you know more about the "tool" than was mentioned in
    the link). Although the library *is* known as WinPCap.

    Has even got its own, rather posh, web site these days, as opposed to a
    "personal" Italian site (http://www.winpcap.org/)

    H1K
     
    Hairy One Kenobi, Nov 11, 2005
    #4
  5. Imhotep

    Imhotep Guest

    Hairy One Kenobi wrote:

    > "Imhotep" <> wrote in message
    > news:...
    >> Hairy One Kenobi wrote:

    >
    > <snip>
    >
    >> > TBH, one could describe Ethereal (or even more accurately, [Win]PCap)
    >> > in exactly the same terms..

    >>
    >> Ethereal does not self-install and deinstall itself for stealthy
    >> purposes... and it is PCap... just because it was ported to Windows does
    >> not mean it needs a "Win" in front of it :-o

    >
    > True (I'm assuming that you know more about the "tool" than was mentioned
    > in the link). Although the library *is* known as WinPCap.


    Yea, use it quite frequently (indirectly by a couple of security programs).
    I always have referred to it by libpcap. I believe its history was in *NIX
    and later ported to Windows...

    > Has even got its own, rather posh, web site these days, as opposed to a
    > "personal" Italian site (http://www.winpcap.org/)
    >
    > H1K


    Im
     
    Imhotep, Nov 11, 2005
    #5
  6. "Imhotep" <> wrote in message
    news:...
    > Hairy One Kenobi wrote:
    >
    > > "Imhotep" <> wrote in message
    > > news:...
    > >> Hairy One Kenobi wrote:

    > >
    > > <snip>
    > >
    > >> > TBH, one could describe Ethereal (or even more accurately, [Win]PCap)
    > >> > in exactly the same terms..
    > >>
    > >> Ethereal does not self-install and deinstall itself for stealthy
    > >> purposes... and it is PCap... just because it was ported to Windows does
    > >> not mean it needs a "Win" in front of it :-o

    > >
    > > True (I'm assuming that you know more about the "tool" than was mentioned
    > > in the link). Although the library *is* known as WinPCap.

    >
    > Yea, use it quite frequently (indirectly by a couple of security programs).
    > I always have referred to it by libpcap. I believe its history was in *NIX
    > and later ported to Windows...


    Yup. Correct.

    H1K
     
    Hairy One Kenobi, Nov 12, 2005
    #6
  7. Imhotep wrote:
    > Hairy One Kenobi wrote:
    >
    >
    >>"Imhotep" <> wrote in message
    >>news:...
    >>
    >>>Hairy One Kenobi wrote:

    >>
    >><snip>
    >>
    >>>>TBH, one could describe Ethereal (or even more accurately, [Win]PCap)
    >>>>in exactly the same terms..
    >>>
    >>>Ethereal does not self-install and deinstall itself for stealthy
    >>>purposes... and it is PCap... just because it was ported to Windows does
    >>>not mean it needs a "Win" in front of it :-o

    >>
    >>True (I'm assuming that you know more about the "tool" than was mentioned
    >>in the link). Although the library *is* known as WinPCap.

    >
    >
    > Yea, use it quite frequently (indirectly by a couple of security programs).
    > I always have referred to it by libpcap. I believe its history was in *NIX
    > and later ported to Windows...


    I've always wondered why it was in the *NIX to begin with. I thought raw
    sockets were native to *NIX/BSD.

    >
    >
    >>Has even got its own, rather posh, web site these days, as opposed to a
    >>"personal" Italian site (http://www.winpcap.org/)
    >>
    >>H1K

    >
    >
    > Im
     
    fluidly unsure, Nov 14, 2005
    #7
  8. "fluidly unsure" <> wrote in message
    news:3BVdf.12939$...

    <snip>

    > I've always wondered why it was in the *NIX to begin with. I thought raw
    > sockets were native to *NIX/BSD.


    It was so you could "do things".

    In olden times*, C was considered little more than a high-level assembler.
    Lack of "What Happens If" assembler techniques have led to most of the
    carnage we see in modern shiteware.

    C was due to have died out in the onslaught of 4GLs.. about 1990, if memory
    serves.

    "A stone bridge still takes load, even after the invention of CFRP" ;o)

    H1K

    * Somewhere between Babbage and C21. It's amazing what you can do with
    pointers; and depressing what you can do if you don't understand the
    consequences ;o)

    Never saw B (although BPL allegedly was based upon it), but A must have
    kinda.. sucked :eek:)
     
    Hairy One Kenobi, Nov 14, 2005
    #8
  9. Hairy One Kenobi wrote:
    > "fluidly unsure" <> wrote in message
    > news:3BVdf.12939$...
    >
    > <snip>
    >
    >>I've always wondered why it was in the *NIX to begin with. I thought raw
    >>sockets were native to *NIX/BSD.

    >
    >
    > It was so you could "do things".
    >
    > In olden times*, C was considered little more than a high-level assembler.
    > Lack of "What Happens If" assembler techniques have led to most of the
    > carnage we see in modern shiteware.
    >
    > C was due to have died out in the onslaught of 4GLs.. about 1990, if memory
    > serves.
    >
    > "A stone bridge still takes load, even after the invention of CFRP" ;o)
    >
    > H1K
    >
    > * Somewhere between Babbage and C21. It's amazing what you can do with
    > pointers; and depressing what you can do if you don't understand the
    > consequences ;o)


    The only reference to C21 I could find was "Century 21". Were you
    speaking of CDR or one of the other dwarfs?

    You talked about Babbage, I usually use Ada (Lady Lovelace) for similar
    references. I wonder if Linda (the WaterGate breaker) is related to her?

    As I read your 2nd statement. I was thinking about how useful pointers
    are to hackers/crackers.

    >
    > Never saw B (although BPL allegedly was based upon it), but A must have
    > kinda.. sucked :eek:)


    I only saw it mentioned in Dr Dobbs. Back when it was a small
    newsletter. I think it was 6 or 8 pages stapled together.

    --
    Liquid
     
    fluidly unsure, Nov 15, 2005
    #9
  10. Imhotep

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <mOaef.16683$q%>, fluidly unsure wrote:

    >Hairy One Kenobi wrote:


    >> C was due to have died out in the onslaught of 4GLs.. about 1990, if
    >> memory serves.
    >>
    >> "A stone bridge still takes load, even after the invention of CFRP" ;o)


    C exists, despite the invention of thousands of prospective replacements
    exactly because it still works quite well TYVM

    >> * Somewhere between Babbage and C21. It's amazing what you can do with
    >> pointers; and depressing what you can do if you don't understand the
    >> consequences ;o)


    It was developed for use by people with clue - a commodity in shockingly
    short supply over the past 30 years.

    >You talked about Babbage,


    > RYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRY
    > RY RY
    > RY WELCOME TO THE BABBAGE ANALYTICAL TIMESHARING SERVICE RY
    > RY * * * * * * * * * * * * * * * * * * * * * * * * * * * RY
    > RY RY
    > RY PLEASE NOTE THAT THE INTEGRATOR IS CURRENTLY UNAVAILABLE RY
    > RY DUE TO THE WEEKLY GREASING SCHEDULE. WOULD ALL USERS KINDLY RY
    > RY RETURN ANY UNUSED PLUGBOARDS, AS THE PROGRAMMING TEAM ARE RY
    > RY RUNNING LOW. DIVISION UNIT 3 WILL BE OUT OF ACTION UNTIL RY
    > RY THURSDAY DUE TO EMERGENCY COG REPLACEMENT - PLEASE ENSURE RY
    > RY THAT YOUR PROGRAM DOES NOT ATTEMPT TO DIVIDE BY ZERO AS RY
    > RY THIS CAN CAUSE SEVERE DAMAGE (INCLUDING SHAFT BREAKAGES). RY
    > RY RY
    > RYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRYRY
    > .
    > .
    > SYSTEM READY.
    > ?


    (stolen from another newsgroup)

    >I usually use Ada (Lady Lovelace) for similar references. I wonder if
    >Linda (the WaterGate breaker) is related to her?


    Oh, sweet innocence of youth - you never saw the 1972 pr0n flick? Let's
    just say that a few seconds at google would correct your misunderstanding.

    >> Never saw B (although BPL allegedly was based upon it), but A must have
    >> kinda.. sucked :eek:)


    I think you really mean BCPL, as 'BPL' is a late invention based on Basic.
    According to Dennis Ritchie, B was created as a 'cut down' version of BCPL
    because they only had 4K of memory on their PDP-7. BCPL (Basic Combined
    Programming Language) dates from 1967.

    Old guy
     
    Moe Trin, Nov 15, 2005
    #10
  11. "Moe Trin" <> wrote in message
    news:...
    > In the Usenet newsgroup alt.computer.security, in article
    > <mOaef.16683$q%>, fluidly unsure wrote:
    >
    > >Hairy One Kenobi wrote:

    >
    > >> C was due to have died out in the onslaught of 4GLs.. about 1990, if
    > >> memory serves.
    > >>
    > >> "A stone bridge still takes load, even after the invention of CFRP" ;o)

    >
    > C exists, despite the invention of thousands of prospective replacements
    > exactly because it still works quite well TYVM


    Exactly

    > >> * Somewhere between Babbage and C21. It's amazing what you can do with
    > >> pointers; and depressing what you can do if you don't understand the
    > >> consequences ;o)

    >
    > It was developed for use by people with clue - a commodity in shockingly
    > short supply over the past 30 years.


    Not so exactly... ;o)

    >> Never saw B (although BPL allegedly was based upon it), but A must have
    > >> kinda.. sucked :eek:)

    >
    > I think you really mean BCPL, as 'BPL' is a late invention based on Basic.
    > According to Dennis Ritchie, B was created as a 'cut down' version of BCPL
    > because they only had 4K of memory on their PDP-7. BCPL (Basic Combined
    > Programming Language) dates from 1967.


    You caught my typo (slaps head!*), but it stood for "British Computer
    Programming Language". 'Twas more B than C (apparently), and published by
    whoever did ProText under CP/M.

    Remember, this was in the days before (e.g.) YACC! Not since ADA has anyone
    had to do so much, so unwillingly, for so little effect ;o)

    H1K

    *Just re-read - /my/ head! ;o)
     
    Hairy One Kenobi, Nov 15, 2005
    #11
  12. Imhotep

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <Mouef.1890$>, Hairy One Kenobi wrote:
    >
    >"Moe Trin" <> wrote


    >> It was developed for use by people with clue - a commodity in shockingly
    >> short supply over the past 30 years.

    >
    >Not so exactly... ;o)


    I dunno - C was originally written with some slackness - but who do you
    blame for buffer overflows? K & R for writing instructions that allowed
    this, or the programmers who refuse to use improved instructions or at
    least check the crap they get handed to avoid overflows? It's not as if
    this were discovered only in the past ten years. Yet we are seeing the
    same attack concepts exploiting overflows year, after year, after year.

    >You caught my typo (slaps head!*), but it stood for "British Computer
    >Programming Language". 'Twas more B than C (apparently), and published by
    >whoever did ProText under CP/M.


    That's the problem with acronyms - it really is too easy to confuse things.

    Old guy
     
    Moe Trin, Nov 16, 2005
    #12
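    The point Moe Trin makes above, that overflows come from trusting what the
    code "gets handed" rather than from the language alone, as an added example
    that is not part of the thread. It assumes a constructed message format (one
    length byte, then that many name bytes) and shows the unchecked copy beside
    a version that checks every sender-controlled quantity before writing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* capacity of the destination buffer, NUL included */

/* Constructed message format (an assumption for this example): one length
 * byte followed by that many name bytes. The sender controls the length. */

/* The shape of the bug being discussed: the length byte is trusted and
 * copied straight into a fixed buffer. A length of NAME_MAX or more writes
 * past the end of `out`. Kept for contrast only; nothing here calls it. */
void read_name_unchecked(const uint8_t *msg, char out[NAME_MAX])
{
    size_t len = msg[0];
    memcpy(out, msg + 1, len);   /* no check against NAME_MAX or msg size */
    out[len] = '\0';
}

/* Hardened version: every quantity taken from the message is checked against
 * both the bytes actually received and the destination capacity before a
 * single byte is written. Returns the name length on success, -1 on
 * malformed input; on failure `out` is an empty string, never half-filled. */
int read_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX])
{
    out[0] = '\0';
    if (msg == NULL || msg_len < 1)
        return -1;                       /* not even a length byte */
    size_t len = msg[0];
    if (len > msg_len - 1)
        return -1;                       /* claims more bytes than were sent */
    if (len > NAME_MAX - 1)
        return -1;                       /* would not fit alongside the NUL */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char out[NAME_MAX];
    /* constructed inputs */
    const uint8_t good[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t lie[]  = { 200, 'x' };          /* length byte lies about size */
    uint8_t big[1 + 40];                          /* honest, but too long for out */
    memset(big, 'A', sizeof big);
    big[0] = 40;

    printf("good: %d '%s'\n", read_name_checked(good, sizeof good, out), out);
    printf("lie:  %d '%s'\n", read_name_checked(lie, sizeof lie, out), out);
    printf("big:  %d '%s'\n", read_name_checked(big, sizeof big, out), out);
    return 0;
}
```

    The two checks are deliberately separate: one rejects a length that exceeds
    what was actually received, the other a length that would not fit the buffer.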
  13. "Moe Trin" <> wrote in message
    news:...
    > In the Usenet newsgroup alt.computer.security, in article
    > <Mouef.1890$>, Hairy One Kenobi wrote:
    > >"Moe Trin" <> wrote


    > I dunno - C was originally written with some slackness - but who do you
    > blame for buffer overflows? K & R for writing instructions that allowed
    > this, or the programmers who refuse to use improved instructions or at
    > least check the crap they get handed to avoid overflows? It's not as if
    > this were discovered only in the past ten years. Yet we are seeing the
    > same attack concepts exploiting overflows year, after year, after year.


    Agreed.. but it's not an attack against a given platform, but an attack
    against consistently sloppy programming practices. (We could probably go on
    all week about how C - in particular - makes this easier to do, but let's
    not ;o)

    In my own code, I have a "standard" socket read routine, that I know works;
    in a "past life" at a news agency, I remember chopping some 500 lines (from
    an 1100 line eventual program!) that were simple repeats, rewrites, and
    "oopsies". Took about two hours.

    FFS! Here I am, with a routine that has continued pretty much unaltered
    since Delphi 1. And /definitively/ unaltered since Delphi 4. (I'm currently
    adjusting to D2005. And sort of missing D6 ;o)

    The problem isn't in the platform, it's in the programmers. There are more
    Windows programmers out there (and bad ones - let's not complain about
    people using the registry badly, but more about people ignorantly using it
    incorrectly!), but it certainly isn't a platform thing. But you're much more
    likely to get random fires from petrol/gasoline spillage than from, say,
    mammoth-oil . It's all in the platform.

    Someone writing Open Source certainly doesn't make them an instant Guru. Or
    necessarily mean that their code is - in any meaningful way - peer-reviewed.

    Cards on the table - my particular, Delphi-specific, SMTP server module has
    been downloaded 2107 times, at time of writing. I don't claim it to be the
    be-all and end-all. After all, you need to be a pretty serious server
    programmer to even take note.

    But I *will* happily contrast it with stuff that I *have* reviewed, such as
    the FireFox IDN implementation.

    By all means, protest (this isn't aimed at you, Moe!), but give me the means
    to judge you - submit your own code, or code that *you* have reviewed. If I
    don't find error, then by all means have a nice warm feeling :eek:)

    And vice versa...

    Reap/sow/submit (common UK phrase is "put up or shut up")

    H1K
     
    Hairy One Kenobi, Nov 17, 2005
    #13
  14. Imhotep

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <9%Pef.4856$>, Hairy One Kenobi wrote:

    >Someone writing Open Source certainly doesn't make them an instant Guru.


    No, but if their code is accepted in a project, it certainly isn't the
    stuff they teach in "Intro to Computer Programming Languages". Last
    time I looked, I didn't see "hello, world" in the source for Apache
    or Sendmail, or the FreeBSD (or Linux) kernels. ;-) With most open
    source projects, the author usually has a choice of a number of chunks
    of code written by others. Even if the author selects a piece of goat
    droppings, someone else is going to come up with a replacement that at
    least isn't quite as horrible. Presented to the author properly, it has
    a chance of being adopted.

    >Or necessarily mean that their code is - in any meaningful way -
    >peer-reviewed.


    I suspect that Open Source code is peer-reviewed a lot more often than
    closed source simply because it's possible to do so. Eric S Raymonds
    wrote in "The Cathedral & The Bazaar" (O'Reilly, ISBN 1-56592-724-9,
    October 1999, but available on the web)

    8. GIVEN A LARGE ENOUGH BETA-TESTER AND CO-DEVELOPER BASE, ALMOST
    EVERY PROBLEM WILL BE CHARACTERIZED QUICKLY AND THE FIX OBVIOUS TO
    SOMEONE.

    Or, less formally, "Given enough eyeballs, all bugs are shallow."

    Want to review the entire distribution of a *BSD or Linux release? Not,
    a problem (other than the enormous volume), because it's there. Fedora
    Core 4 is a current Linux release and comes on nine CDs - 4 of binaries,
    one is a rescue disk, and the other 4 are source (2.67 Gigs of binaries,
    2.57 Gigs of bzip2 compressed tarballs), so it might be a daunting task.

    But I don't think anyone would review an entire source tree. Someone
    might look at a section pertaining to something they know about, or
    when they are trying to figure what it was that caused the massive
    explosion in the printer, or out of plain curiosity, but that's about it.

    >By all means, protest (this isn't aimed at you, Moe!), but give me the
    >means to judge you - submit your own code, or code that *you* have
    >reviewed. If I don't find error, then by all means have a nice warm
    >feeling :eek:)


    Glad you aren't asking me - my C skills are properly defined as "emergency
    use only". I'm a networking admin, and while I do Bourne shell stuff, I'm
    not paid enough to program ;-)

    Old guy
     
    Moe Trin, Nov 17, 2005
    #14
  15. "Moe Trin" <> wrote in message
    news:...
    > In the Usenet newsgroup alt.computer.security, in article
    > <9%Pef.4856$>, Hairy One Kenobi wrote:
    >
    > >Someone writing Open Source certainly doesn't make them an instant Guru.

    >
    > No, but if their code is accepted in a project, it certainly isn't the
    > stuff they teach in "Intro to Computer Programming Languages". Last
    > time I looked, I didn't see "hello, world" in the source for Apache
    > or Sendmail, or the FreeBSD (or Linux) kernels. ;-) With most open
    > source projects, the author usually has a choice of a number of chunks
    > of code written by others. Even if the author selects a piece of goat
    > droppings, someone else is going to come up with a replacement that at
    > least isn't quite as horrible. Presented to the author properly, it has
    > a chance of being adopted.


    Granted.

    > >Or necessarily mean that their code is - in any meaningful way -
    > >peer-reviewed.

    >
    > I suspect that Open Source code is peer-reviewed a lot more often than
    > closed source simply because it's possible to do so. Eric S Raymonds
    > wrote in "The Cathedral & The Bazaar" (O'Reilly, ISBN 1-56592-724-9,
    > October 1999, but available on the web)


    While I have no knowledge of the cite posted, what I *will* say is that,
    when I've personally checked (the FireFox IDN thing is a recent example),
    I've seen examples of coding "oopsies" that even a remotely sane individual
    would have noted and flagged. If such peer review were a fact.

    > 8. GIVEN A LARGE ENOUGH BETA-TESTER AND CO-DEVELOPER BASE, ALMOST
    > EVERY PROBLEM WILL BE CHARACTERIZED QUICKLY AND THE FIX OBVIOUS TO
    > SOMEONE.
    >
    > Or, less formally, "Given enough eyeballs, all bugs are shallow."


    Absolutely. Although, in Real Life (tm), it's a lot harder to see these bugs
    (and that can be even simple ones, let alone the convoluted nonsense that
    one gets in a "mature" codebase). I can even volunteer the simplest of the
    most obvious - one of our major products still proclaims a copyright date of
    2004. Trivial, yes. On every bloody screen, yes. And missed by everyone (I
    asked for it to be changed a mere 2 months into this year... we're now days
    from 2006). We're not talking of a trivial userbase, either - it might be
    low on the list of things to fix (but hasn't been flagged, that I know of),
    but - of the multi-millions of users that our product has, who has seen fit
    to report the problem?

    No one.

    Yes, it's highly trivial, but.. what about the [proposed] legions of
    programmers that "everyone" puts forward as having checked OS code? I
    deleted the FireFox source a while back, but there's an entry in the
    now-recommended-disabled code that basically says "must remember to comment
    this out". But it isn't. And, TBH, who the hell noticed?

    > But I don't think anyone would review an entire source tree. Someone
    > might look at a section pertaining to something they know about, or
    > when they are trying to figure what it was that caused the massive
    > explosion in the printer, or out of plain curiosity, but that's about it.


    Used to be that one peer-reviewed on a module fashion (can't say if it
    happens now, but that was certainly the vogue when I started coding
    professionally in the late eighties)

    My experience indicates that it's damned difficult to actually catch a bug -
    you can catch a style that indicates a likely proliferation of bugs ("Ravi
    Patel", sometime before 1990; I have never before seen more GOTO labels in
    FORTRAN than there are working lines of code. And, thank Dog, never since.
    Fortunately, "nothing important" - /just/ the C2 system used by several
    British county Police forces)

    > I'm a networking admin, and while I do Bourne shell stuff, I'm
    > not paid enough to program ;-)


    More's the shame - once upon a time, cutting code was viewed in a similar
    way to architecture (a merging of art and engineering); then the HR weenies
    got involved, and it became an engineering discipline without the
    engineering structure. Bad move.

    Dunno about where you live, but in the UK programming is paid in a similar
    way to Dickensian clerks - I happened to luck-out in getting two very
    technical jobs that allow me to keep up to date, while avoiding that whole
    drift into Management (although, that said, the last couple of days was the
    first time that I've built an ActiveX control)

    <Shudder>.

    There's also a lot more documentation on the Net than there was three years
    ago.. but not for Delphi and building - rather than using - ActiveX.

    In a frankly rather pathetic moment of pride, I'd like to think that I was
    in some way still "up there" for learning a wholly new bit of methodology in
    less than a day. Not that, you understand, the control is any good - I'd
    /like/ it to take an LDAP call, Base64 decode it and *remember* what it's
    done. Instead, I submit the retrieved string, decode it *every damned time*,
    and /then/ report. Choice was get the job done and go on holiday to Spain
    tomorrow [today!], or finesse the code.

    Did I mention that I trained as a practical engineer? :eek:D

    H1K
     
    Hairy One Kenobi, Nov 18, 2005
    #15
  16. Imhotep

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <eE9ff.1726$>, Hairy One Kenobi wrote:

    >"Moe Trin" <> wrote


    >Absolutely. Although, in Real Life (tm), it's a lot harder to see these bugs
    >(and that can be even simple ones, let alone the convoluted nonsense that
    >one gets in a "mature" codebase). I can even volunteer the simplest of the
    >most obvious - one of our major products still proclaims a copyright date of
    >2004. Trivial, yes. On every bloody screen, yes.


    Has anything in the product changed this year? (I know, I see that one
    fairly frequently.)

    >Yes, it's highly trivial, but.. what about the [proposed] legions of
    >programmers that "everyone" puts forward as having checked OS code? I
    >deleted the FireFox source a while back, but there's an entry in the
    >now-recommended-disabled code that basically says "must remember to comment
    >this out". But it isn't. And, TBH, who the hell noticed?
    >
    >> But I don't think anyone would review an entire source tree.


    That might be one reason right there.

    >Used to be that one peer-reviewed on a module fashion (can't say if it
    >happens now, but that was certainly the vogue when I started coding
    >professionally in the late eighties)


    But how big was the code base? There's a heck of a difference trying
    to stay aware of something in a program of 100,000 lines versus several
    tens of millions. Late 80s? Here's a simple comparison:

    73091 Aug 17 1991 linux-0.01.tar.gz
    1259161 Mar 12 1994 linux-1.0.tar.gz
    2354612 Aug 1 1995 linux-1.2.13.tar.gz
    7269221 Nov 16 1998 linux-2.0.36.tar.gz
    19343412 Mar 25 2001 linux-2.2.19.tar.gz
    37009983 Jan 5 2003 linux-2.4.24.tar.gz
    49087256 Nov 11 05:39 linux-2.6.14.2.tar.gz

    You get quite a few lines in a 49 Megabyte tarball, and this does not
    include the GNU C libraries this depends on.

    >My experience indicates that it's damned difficult to actually catch a
    >bug - you can catch a style that indicates a likely proliferation of bugs


    I know what you are saying - but by the same token, it's not impossible.
    I don't have a cite, but in November 2003 someone "got to" the
    Linux source tree, and inserted a backdoor. The file change was detected
    by the versioning system (Bitkeeper), and my understanding is that the
    flaw was detected AND UNDERSTOOD by several of the maintainers rather
    quickly... try www.freedom-to-tinker.com/?p=472 according to google.

    >("Ravi Patel", sometime before 1990; I have never before seen more GOTO
    >labels in FORTRAN than there are working lines of code. And, thank Dog,
    >never since.


    ;-)

    >Fortunately, "nothing important" - /just/ the C2 system used by several
    >British county Police forces)


    Well, as long as it wasn't important.

    >More's the shame - once upon a time, cutting code was viewed in a similar
    >way to architecture (a merging of art and engineering); then the HR weenies
    >got involved, and it became an engineering discipline without the
    >engineering structure. Bad move.


    Any time HR gets involved, things tend to go down the tubes. We've had
    similar problems here trying to work around the hoops. They wanted us
    to install windoze on a couple of systems (we're totally *nix) so they
    could use some resume parsing application that gets for buzzwords in Word
    documents, and didn't understand that the people we're looking to hire
    don't own a windoze box, and won't be using it to write the resume. Still
    fighting that one.

    >Dunno about where you live, but in the UK programming is paid in a similar
    >way to Dickensian clerks


    EXPN?

    >I happened to luck-out in getting two very technical jobs that allow me
    >to keep up to date, while avoiding that whole drift into Management
    >(although, that said, the last couple of days was the first time that I've
    >built an ActiveX control)


    Management doesn't promote technical types into their "lofty" realm. You
    need "more appropriate training".

    >In a frankly rather pathetic moment of pride, I'd like to think that I was
    >in some way still "up there" for learning a wholly new bit of methodology
    >in less than a day.


    There is merit in that.

    >Choice was get the job done and go on holiday to Spain tomorrow [today!],
    >or finesse the code.


    But then, there _are_ priorities.

    >Did I mention that I trained as a practical engineer? :eek:D


    No, but enjoy the trip to the Sunny South - winter is coming. In another
    two or three weeks, I'm going to have to turn on the heaters in the
    morning - temperature only got up to 30C today.

    Old guy
     
    Moe Trin, Nov 19, 2005
    #16
  17. "Moe Trin" <> wrote in message
    news:...
    > In the Usenet newsgroup alt.computer.security, in article
    > <eE9ff.1726$>, Hairy One Kenobi wrote:
    > >"Moe Trin" <> wrote
    > >Absolutely. Although, in Real Life (tm), it's a lot harder to see these
    > >bugs (and that can be even simple ones, let alone the convoluted nonsense
    > >that one gets in a "mature" codebase). I can even volunteer the simplest
    > >of the most obvious - one of our major products still proclaims a
    > >copyright date of 2004. Trivial, yes. On every bloody screen, yes.
    >
    > Has anything in the product changed this year? (I know, I see that one
    > fairly frequently.)


    (Sorry - not ignoring you, been away!)

    Yep - semi-major releases every six months, temporary-fix [t-fix] releases
    with either a bugfix or new functionality every week or two.

    > >Used to be that one peer-reviewed on a module fashion (can't say if it
    > >happens now, but that was certainly the vogue when I started coding
    > >professionally in the late eighties)

    >
    > But how big was the code base? There's a heck of a difference trying
    > to stay aware of something in a program of 100,000 lines versus several
    > tens of millions. Late 80s? Here's a simple comparison:
    >
    > 73091 Aug 17 1991 linux-0.01.tar.gz
    > 1259161 Mar 12 1994 linux-1.0.tar.gz
    > 2354612 Aug 1 1995 linux-1.2.13.tar.gz
    > 7269221 Nov 16 1998 linux-2.0.36.tar.gz
    > 19343412 Mar 25 2001 linux-2.2.19.tar.gz
    > 37009983 Jan 5 2003 linux-2.4.24.tar.gz
    > 49087256 Nov 11 05:39 linux-2.6.14.2.tar.gz
    >
    > You get quite a few lines in a 49 Megabyte tarball, and this does not
    > include the GNU C libraries this depends on.


    Hmm. Good question. Probably in the region of 100-150k in toto, of which
    only one section was something I hadn't touched at some point.

    Thing is, though, this was a system for performing a specific task - the
    Linux example above would include - I assume! - all of the layered stuff,
    rather than just be the OS? In other words, lots of different things, whose
    only common trait is that they sit on the same platform.

    > >My experience indicates that it's damned difficult to actually catch a
    > >bug - you can catch a style that indicates a likely proliferation of bugs

    >
    > I know what you are saying - but by the same token, it's not impossible.
    > I don't have a cite, but in November 2003 someone "got to" the
    > Linux source tree, and inserted a backdoor. The file change was detected
    > by the versioning system (Bitkeeper), and my understanding is that the
    > flaw was detected AND UNDERSTOOD by several of the maintainers rather
    > quickly... try www.freedom-to-tinker.com/?p=472 according to google.


    Oh, I've caught bugs that way myself - many, many times. My argument is that
    it's simply not very efficient - and usually only works if you're looking
    for a known specific bug.

    > >Dunno about where you live, but in the UK programming is paid in a
    > >similar way to Dickensian clerks

    >
    > EXPN?


    You'd have to do it for love, rather than money. Unless you freelance, or
    split out into management, there aren't a lot of openings for highly-paid
    techies over here. I "got lucky" in my last two roles, after spending six
    whole weeks being bored rigid as a Business Analyst. Wanted to get rid of
    three-four hours on the train each day, commuting to work in a City of
    London firm.

    > enjoy the trip to the Sunny South - winter is coming. In another
    > two or three weeks, I'm going to have to turn on the heaters in the
    > morning - temperature only got up to 30C today.


    Just got back from Stansted - yesterday I was sitting on a beach; a couple
    of hours ago I was standing on the apron in 1C... brrrrr! :o)

    H1K
     
    Hairy One Kenobi, Nov 24, 2005
    #17
  18. Imhotep

    Moe Trin Guest

    On Thu, 24 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    <Zv9hf.1200$>, Hairy One Kenobi wrote:

    >Yep - semi-major releases every six months, temporary-fix [t-fix] releases
    >with either a bugfix or new functionality every week or two.


    Sounds like something fell off the checklist

    >Hmm. Good question. probably in the region of 100-150k in toto, of which
    >only one section was something I hadn't touched at some point.


    Even a hundred thousand lines isn't something you can remember where
    this or that function, or some information, might be hiding. Recently,
    I had to fumble my way through a source looking to see if a variable was
    hard coded or not. The only way I succeeded was because I can use a tool
    named 'grep' to locate strings in a file. There were no less than 159
    files in 14 subdirectories, totalling 78285 lines of C. And regarding
    copyright data - each file had one, and if my scripting is right, five
    files have been changed this year, but don't mention 2005 in the
    copyright lines. You're not alone.

    >Thing is, though, this is was system for performing a specific task - the
    >Linux example above would include - I assume! - all of the layered stuff,
    >rather than just be the OS? In other words, lots of different things, whose
    >only common trait is that the sit on the same platform.


    No, that 49 Meg tarball is just the kernel of the O/S. There is a lot more
    needed to get the computer to even boot - never mind the tools needed
    to do anything. For one example, the source files for 'Fedora Core 4' (a
    current Linux distribution) total 2.57 Gigabytes of tarballs. You don't
    need all of that stuff - probably a mere 750 Megs worth would do. But I
    also remember when a "distribution" was 50 or 70 floppies worth of source
    which you downloaded over the phone.

    >Oh, I've caught bugs that way myself - many, many times. My argument is that
    >it's simply not very efficient - and usually only works if you're looking
    >for a known specific bug.


    Looking on Bugtraq, you'll occasionally see something that was discovered
    in an audit of the source code. But thousands of times more often, it's
    been discovered by someone looking to see why this or that happens.

    >You'd have to do it for love, rather than money. Unless you freelance, or
    >split out into management, there aren't a lot of openings for highly-paid
    >techies over here.


    In reality, it's like that most everywhere. I did hear that Google is
    looking, and offering new grads a starting salary of six figures plus
    stock (and the location 40 miles South of San Francisco - three miles
    from where I used to live - is pretty good), but the burn out rate is
    rather high too.

    >I "got lucky" in my last two roles, after spending six whole weeks being
    >bored rigid as a Business Analyst. Wanted to get rid of three-four hours
    >on the train each day, commuting to work in a City of London firm.


    Can't say about the job, but the idea of working in the City is not all
    that appealing. A commute that far (especially by train)... no, thank you.

    >Just got back from Stansted - yesterday I was sitting on a beach; a couple
    >of hours ago I was standing on the apron in 1C... brrrrr! :o)


    Today's a holiday here, and this is the biggest travel weekend of the year.
    I used to visit family on the East coast (six hours by air, not including
    a plane change somewhere), but it's too cold for me any more. I go back
    in mid-summer. My sister indicated temps in 5-10C range today. Heck,
    my un-heated swimming pool is warmer than that, and I'm not going near it
    because it's too cold.

    Old guy
     
    Moe Trin, Nov 24, 2005
    #18
  19. "Moe Trin" <> wrote in message
    news:...
    > On Thu, 24 Nov 2005, in the Usenet newsgroup alt.computer.security, in
    > article <Zv9hf.1200$>, Hairy One Kenobi wrote:
    >
    > >Yep - semi-major releases every six months, temporary-fix [t-fix]
    > >releases with either a bugfix or new functionality every week or two.

    >
    > Sounds like something fell off the checklist
    >
    > >Hmm. Good question. probably in the region of 100-150k in toto, of which
    > >only one section was something I hadn't touched at some point.

    >
    > Even a hundred thousand lines isn't something you can remember where
    > this or that function, or some information, might be hiding.


    Agreed.. if OS. This was (extremely!) proprietary. Think "next competitor
    catching-up, nail the b***ard!". That was pretty much our mission statement,
    which was why we got the job instead of Development. Still remember the
    comment from the Marketing chap when he discovered that it's not a good idea
    to show high-level prospects their own page on a Development system. The
    address of the insurance company was "underhanded", instead of "Underhill".
    One of the lasses had an outstanding claim on her car insurance...)

    If one can be proud that one's software has been turned-off, then I'm fairly
    damned happy that mine lasted just over ten years.. a big chunk of it is
    still in operation, from 1992, but that particular bit was something that I
    considered uniquely, well, /mine/. Won't bore you with the details, but
    took 32k lines of code, beat it into around 5k of code that - in the overall
    system - worked slightly in excess of 15 times faster, and was far more
    resilient to boot.

    Who gives a **** if you are entirely hack-proof (cough!), if one twat of an
    Operator can delete the live database by mistake, and then do a runner?
    Although I was denim-wearing Development, and not permitted to touch
    Production (or, at the end, even Staging) systems, this is the origin of my
    conviction about good backups.

    TBH, I doubt that one soul on this planet noticed - but it's why I *always*
    include backups in any general definition of "security". As an aside, the
    xCI code (the one bit I didn't get involved in) was the bit that had..
    issues.. when driven at high speed. Although I wouldn't be human if I said
    that I didn't rather enjoy Chris' squirming at finding his software
    crapping-out every three minutes or so.

    I wouldn't recommend it for a life's ambition, but "evil" can be fun at
    times.. or at least entertaining, hovering over someone's desk, asking "has
    it crashed yet?" ;o)

    Oh, and the reason that it crashed? You'll love this - buffer overflow.
    Despite the obvious, the progger in question hard-coded a 16-unit queue. I'm
    not Jewish, but.. schmuck!

    > Recently,
    > I had to fumble my way through a source looking to see if a variable was
    > hard coded or not. The only way I succeeded was because I can use a tool
    > named 'grep' to locate strings in a file. There were no less than 159
    > files in 14 subdirectories, totalling 78285 lines of C. And regarding
    > copyright data - each file had one, and if my scripting is right, five
    > files have been changed this year, but don't mention 2005 in the
    > copyright lines. You're not alone.


    "Variables won't, Constant's don't". C assumptions about cAPS-lOCK are still
    a little frightening to an (cough) "alternative" language progger. Although
    I don't do COBOL. Life's too short.

    > >Thing is, though, this was a system for performing a specific task - the
    > >Linux example above would include - I assume! - all of the layered stuff,
    > >rather than just be the OS? In other words, lots of different things,
    > >whose only common trait is that they sit on the same platform.

    >
    > No, that 49 Meg tarball is just the kernel of the O/S. There is a lot more
    > needed to get the computer to even boot - never mind the tools needed
    > to do anything. For one example, the source files for 'Fedora Core 4' (a
    > current Linux distribution) total 2.57 Gigabytes of tarballs. You don't
    > need all of that stuff - probably a mere 750 Megs worth would do. But I
    > also remember when a "distribution" was 50 or 70 floppies worth of source
    > which you downloaded over the phone.


    Yikes!

    (And I /truly/ mean that).

    WTF happened to the Mach kernel that everyone was on about a decade or so?
    Did everyone get bored, or simply stop bothering?

    Fads and fashion are one thing, but a kernel is.. well, just *is*. Bloody
    NT4 all over again... let's face it - if IBM can do it on a Mainframe and
    (stands to be corrected) hands the whole lot over to OS developers, then
    someone's got a serious PITA. Their head.

    > >You'd have to do it for love, rather than money. Unless you freelance, or
    > >split out into management, there aren't a lot of openings for highly-paid
    > >techies over here.

    >
    > In reality, it's like that most everywhere. I did hear that Google is
    > looking, and offering new grads a starting salary of six figures plus
    > stock (and the location 40 miles South of San Francisco - three miles
    > from where I used to live - is pretty good), but the burn out rate is
    > rather high too.


    Not sure I'd agree with that, at least in the UK. Last experience with
    employing new grads was back (oh sh**, I /now/ feel old...) ten years ago.
    Arrogance to ability ratio around 8:1; the latest types I've seen attain a
    much higher number (!), but seem to fold into spin-speak when questioned.
    Met Office reckon on a cold Winter. Could probably burn them for fuel, or
    something ;o)

    Anyway. Let's call a decent progger (as opposed to Developer = Systems
    Analyst/Progger/Project Manager/PHB Victim) at around GBP12-18k. If you're
    good at it, you'd earn more stacking supermarket shelves.

    The Developer is more your burn-out candidate.. the good ones are *very*
    good (I'm fortunate that several work for the same company; I'm now "field
    sales" which - roughly translated, according to a colleague and good
    friend - means "I make the lies come true" ;o)

    > >I "got lucky" in my last two roles, after spending six whole weeks being
    > >bored rigid as a Business Analyst. Wanted to get rid of three-four hours
    > >on the train each day, commuting to work in a City of London firm.

    >
    > Can't say about the job, but the idea of working in the City is not all
    > that appealing. A commute that far (especially by train)... no, thank you.


    'Twas the only way to make decent money. In the unlikely event that the
    comment didn't translate too well, British "City" == USAian "Wall Street".

    <snip bit about nice weather and Thanksgiving 'cos I'm feeling jealous>

    <Dick van Dyke>
    Avagudun..!
    </Cor blimey, Mark Poppins>

    H1K
     
    Hairy One Kenobi, Nov 25, 2005
    #19
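    The hard-coded 16-unit queue from the post above, as an added example (not code from the thread or from the product it describes): the enqueue that trusts the caller, beside a bounds-checked ring version that refuses the 17th write instead of overrunning the array. Names and the int payload are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

#define QUEUE_CAP 16   /* the hard-coded queue size from the anecdote */

struct queue {
    int items[QUEUE_CAP];
    size_t head;    /* index of the oldest entry */
    size_t count;   /* entries currently held, 0..QUEUE_CAP */
};

/* The defect as the post describes it: the author decided 16 was enough,
 * so nothing checks count. Driven at high speed, the 17th enqueue writes
 * items[16], one past the end of the array, and the program falls over.
 * Kept only to show the bug; nothing below calls it at capacity. */
void enqueue_unchecked(struct queue *q, int v)
{
    q->items[q->head + q->count] = v;   /* no bound check, no wrap-around */
    q->count++;
}

/* Hardened form: refuse the write and report it, so a producer outrunning
 * the consumer becomes a visible error instead of memory corruption. */
static bool enqueue_checked(struct queue *q, int v)
{
    if (q->count == QUEUE_CAP)
        return false;                    /* full: caller must back off */
    q->items[(q->head + q->count) % QUEUE_CAP] = v;
    q->count++;
    return true;
}

static bool dequeue(struct queue *q, int *out)
{
    if (q->count == 0)
        return false;
    *out = q->items[q->head];
    q->head = (q->head + 1) % QUEUE_CAP;
    q->count--;
    return true;
}

/* Push a burst of n arrivals into an empty checked queue and return how
 * many were refused (with the unchecked version, burst(20) would instead
 * write four ints past the array). */
static size_t burst(size_t n)
{
    struct queue q = {0};
    size_t refused = 0;
    for (size_t i = 0; i < n; i++)
        if (!enqueue_checked(&q, (int)i))
            refused++;
    return refused;
}

/* Fill, drain half, refill: the ring wraps, FIFO order survives, and the
 * 17th write is refused rather than silently clobbering memory. */
static bool fifo_roundtrip(void)
{
    struct queue q = {0};
    int v;
    for (int i = 0; i < QUEUE_CAP; i++)
        if (!enqueue_checked(&q, i)) return false;
    if (enqueue_checked(&q, 99)) return false;          /* must be refused */
    for (int i = 0; i < QUEUE_CAP / 2; i++)
        if (!dequeue(&q, &v) || v != i) return false;
    for (int i = QUEUE_CAP; i < QUEUE_CAP + QUEUE_CAP / 2; i++)
        if (!enqueue_checked(&q, i)) return false;      /* wraps to the front */
    for (int i = QUEUE_CAP / 2; i < QUEUE_CAP + QUEUE_CAP / 2; i++)
        if (!dequeue(&q, &v) || v != i) return false;
    return !dequeue(&q, &v);                            /* drained */
}
```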
  20. Imhotep

    Moe Trin Guest

    On Fri, 25 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    <a_shf.3517$>, Hairy One Kenobi wrote:

    >Agreed.. if OS. This was (extremely!) proprietary. Think "next competitor
    >catching-up, nail the b***ard!".


    Not sure how to read that - remember what microsoft did to Digital Research.
    But then, Gary Kildall had a reason to be antagonistic.

    >The address of the insurance company was "underhanded", unstead of
    >"Underhill". One of the lasses had an outstanding claim on her car
    >insurance...)


    Nah, that never happened in the "real world"... Surely.... <runs around
    the corner and tries to stop snickering too loudly>

    >Who gives a **** if you are entirely hack-proof (cough!), if one twat of an
    >Operator can delete the live database by mistake, and then do a runner?


    Leaving aside the "hack-proof" concept, I don't know of any company that
    hasn't had an operator (or even root) take careful aim, and put a .45
    caliber (11 m/m) chunk of lead squarely through the wobbly bits. Someone
    in another newsgroup (yesterday) identified a similar problem as
    "testicular malletosis".

    >TBH, I doubt that one soul on this planet noticed - but it's why I *always*
    >include backups in any general definition of "security".


    The person was lucky - I still recall one of the 'registrars' who was
    cleaning up after the Summer interns had left, deleting their old home
    directories. People who wield UID 0 really need to look two or three times
    before pressing that <Enter> key. Usual problem - an extra space in the
    worst possible location - rm'd an entire hard drive (not just a directory
    or partition - no, let's go for the whole d?mn thing) instead of a single
    (ex-)user's directory. Hey, there were only 250 users on that drive, and
    they only lost everything between last night's backups and about 10 AM
    when she hit the <Enter> key - and we were able to restore to last-night's
    backup by about noon or so... I really thought we were going to have a
    major incident then, as some of the users were somewhat more than "miffed".

    >I wouldn't recommend it for a life's ambition, but "evil" can but fun at
    >times.. or at least entertaining,


    "I am root. If you see me laughing, you better have a backup."

    >hovering over someone's desk, asking "has it crashed yet?" ;o)


    Top 100 things you don't want the sysadmin to say:
    45. Was that YOUR directory?

    >Oh, and the reason that it crashed? You'll love this - buffer overflow.
    >Despite the obvious, the progger in question hard-coded a 16-unit queue. I'm
    >not Jewish, but.. schmuck!


    I am constantly amazed that after (what) 33 years, this is still a problem.
    This can't be news to the instructors of programming language classes. For
    _years_ we've been screaming about checking/validating input before even
    looking at it - yet someone in a newsgroup this morning asks what can
    go wrong if allowed to pass unchecked user supplied variables to a PHP
    script. "Nothing, of course - what could _possibly_ go wrong?"

    >"Variables won't, Constant's don't".


    "These are not the variables you are looking for... move along"

    But then, how many programmer types are still calling whole d*mn modules
    "test"?

    >Yikes!


    One of the Linux FAQs still talks about running Linux on an 80386 with
    4 Megs of RAM, though I think it recommends swap files to bring the total
    up to 8 Megs of virtual memory. In fact, my home firewall is a 386SX-16
    with 8 Megs of RAM (and 8 of swap), but most distribution installation
    programs won't even start with less than 128 Megs.

    >WTF happened to the Mach kernel that everyone was on about a decade or so?
    >Did everyone get bored, or simply stop bothering?


    That's straying into advocacy, but let's just say that Linus did a better
    PR job, and has a clue about getting free programmers to work together.
    Look at the ChangeLog file on a 2.6.x kernel, and you'll see literally
    thousands of names. Mach never had a chance in that environment.

    >Not sure I'd agree with that, at least in the UK. Last experience with
    >employing new grads was back (oh sh**, I /now/ feel old...) ten years ago.


    We still get new grads annually. Slight advantage - most of them did time
    here as interns, so we know something about them. On the other hand, the
    interns gain real-life experience, but are rarely in a position to do much
    harm.

    >Arrogance to ability ratio around 8:1; the latest types I've seen attain a
    >much higher number (!), but seem to fold into spin-speak when questioned.


    Don't those types normally end up in Sales/Marketing?

    >Met Office reckon on a cold Winter. Could probably burn them for fuel, or
    >something ;o)


    Problem with that is when you need to burn them, the state environmental
    protection agency frequently has declared it a 'no burn' day because of
    air quality. (Joking aside - many of the houses here have fireplaces, but
    we rarely can use them. When it would be desirable, we usually have a
    temperature inversion, trapping pollutants in the air, so the State Air
    Quality Board bans fires, and recommends waiting until dark to refuel
    cars, etc.)

    >Anyway. Let's call a decent progger (as opposed to Developer = Systems
    >Analyst/Progger/Project Manager/PHB Victim) at around GBP12-18k. If you're
    >good at it, you'd earn more stacking supermarket shelves.


    Fsck! That's down near the Federal Poverty level. Flipping burgers is
    another way to make more.

    >The Developer is more your burn-out candidate.


    The poor sod who's got to deliver (at something remotely resembling the
    schedule) that something that marketing sold, at a bottom line cost that
    doesn't destroy the company. That's why I'm happy to be in an R&D
    facility. Yes, we've got to deliver exciting new products, but inventions
    don't have schedules.

    >'Twas the only way to make decent money.


    A likely excuse.

    >In the unlikely event that the comment didn't translate too well, British
    >"City" == USAian "Wall Street".


    Know it well enough. A neighbor (used to be?) a subscriber to the FTL.

    ><snip bit about nice weather and Thanksgiving 'cos I'm feeling jealous>


    This is the time of year we get the visitors - we call 'em "snow birds" -
    from the North. You can spot 'em on the streets easy enough - they're the
    ones in scanty clothing. The residents are the ones wearing jackets and
    heavy coats. The real estate people love 'em, as they buy houses in this
    place with the lovely weather. Come May when the thermometer hits 40C (or
    July, when it hits 50), it's a different story for some reason.

    ><Dick van Dyke>
    >Avagudun..!


    Thankee, Guv'nr

    ></Cor blimey, Mark Poppins>


    Old guy
     
    Moe Trin, Nov 25, 2005
    #20