| |
| Current Topic: Technology |
|
Stripe Snoop 2.0 preview screenshot |
|
|
|---|
| Topic: Technology |
10:32 pm EST, Nov 10, 2004 |
I've put in alot of work into Stripe Snoop over the last few months, and after a near-full re-write in C++, its all starting to come together. Reader hardware information is now kept in an XML config file that an auto-detection utility, rdetect, creates. All the reader/hardware is very abstracted into generic C++ classes, that makes adding support of new readers a snap. The database is now supports all tracks. So if you have a more advanced reader, you get more information, but if you don't, it still works! If you own a Mac, Stripe Snoop should work with serial based readers, if you have a Serial-to-USB converter, and the port is accessible through /dev. Contact me if you have a Mac! Stripe Snoop 2.0 will be released beta-testers on Nov 24th, and will be released on Dec 1st. Stripe Snoop 2.0 preview screenshot |
|
|
|---|
| Topic: Technology |
6:15 pm EST, Nov 10, 2004 |
] This document is intended as a comprehensive reference
] for the Standard C programming language, including its
] support library. One of the nicer C references I've found, and explictly explains the standard libraries that most posters on comp.lang.c don't seem to understand. I never knew there are a qsort in stdlib.h! Standard C Reference |
|
Proof of concept code for exploits |
|
|
|---|
| Topic: Technology |
9:21 pm EST, Nov 9, 2004 |
A site with lots of proof of concept source code for different vulnerablities, including the recent IFrame overflow effecting IE. Proof of concept code for exploits |
|
rfc3924 - Lawful Intercept in IP Networks |
|
|
|---|
| Topic: Technology |
6:13 pm EST, Nov 9, 2004 |
] For the purposes of this document, lawful intercept is
] the lawfully authorized interception and monitoring of
] communications. Service providers are being asked to meet
] legal and regulatory requirements for the interception of
] voice as well as data communications in IP networks in a
] variety of countries worldwide. Although requirements
] vary from country to country, some requirements remain
] common even though details such as delivery formats may
] differ. This document describes Cisco's Architecture for
] supporting lawful intercept in IP networks. It provides a
] general solution that has a minimum set of common
] interfaces. This document does not attempt to address any
] of the specific legal requirements or obligations that
] may exist in a particular country. Cisco architechure provisions to capture network traffic when required by law. Includes provisions for a VoIP "wiretap". Thought you'd like this Mike. rfc3924 - Lawful Intercept in IP Networks |
|
Jeff Duntemann responds to my email |
|
|
|---|
| Topic: Technology |
1:08 pm EST, Nov 9, 2004 |
I got a reply from Jeff today about his C/C++ article. My comments are at the end
From: Jeff Duntemann (jduntemann - @ - copperwood.com)
To: Acidus (acidus@yak.net)
Date: Tue, 9 Nov 2004 09:50:57 -0700
Subject: Re: C/C++ responsible for Buffer Overflows Billy-- Thanks for writing. The kicker isn't the C language per se--when I write C it looks (and works) pretty much like Pascal, which everybody in the C world seems to hate. The real problem lies in two areas: 1. The C "I can do anything I want or I'll hold my breath until I turn purple!" culture. Getting C programmers to adhere to coding standards is pure hell. 2. The standard C library. There's no real reason to use the string functions as they currently exist. There are numerous other functions (and rewrites of the canonican C string functions) that have built-in protections against overflows, e.g. strncpy(), strncmp(), and snprint(). My favorite is: size_t strlcpy (char *dst, const char *src, size_t size); This isn't part of standard clib, but if people used it, we'd see a LOT less of this sort of thing. The fact that people DON'T use it tells me that down on the front lines, programmers really don't care about buffer overflows. This is the C culture again. I'd really like to see a total rewrite of clib, with an eye toward preventing what we now know of hacker exploits. The damned thing is what, 25 years old now? I think it's way past time for an overhaul. But when I suggest it, you'd think I was saying we should torture newborn kittens. The truth is that C and clib are inseparable in the current C culture. To me, that means that we have to dump both. I agree that an executable stack is a bad idea--but it's easier to change CLIB than to make a major change in existing hardware. Since we're unlikely to be able to change clib, I've been pushing for managed languages like Java and C#. Lots of things to do today so I'll have to stop here. Again, thanks for writing and good luck. --73-- --JD--
While I agree that programmers will always make mistakes, there is a balance between smart languages and smart people. I choose requiring smart people every day, because besides performance issues, a language that is too smart can prevent an experienced coder from doing what they need to do. By Jeff's logic, a seg fault is the languages fault, because the language didn't prevent it. Some languages, such as Java and C++ allows for users to catch and handle errors, which is a nice compromise to an all out smart language. If you compile a C program using gets(), you will get a warning, telling you to use fgets(). In the same way, the compiler could warn about "dangerous" string functions. Organizations can put rules into their make and build commands, refusing to let them go into production code. The point is their are other options them simply saying "this is a bad language." Its not bad, its just not being used/managed in an intelligent fashion. |
|
A survey of pre-installed Linux from OEMs |
|
|
|---|
| Topic: Technology |
12:16 pm EST, Nov 9, 2004 |
I called around today to the big OEMs seeing who offered systems with Linux pre-installed. Gateway only offered SUSE 8, and only on certain servers. The highend systems had SUSE 8 available, but it didn't come pre-installed. You get a blank machine and Linux on CDs. Even rack mounted systems won't come with Linux pre-installed. Lower end servers do have a "No OS" as an option, so you can avoid the Microsoft tax. No 64bit chips or OSes here, even in your rack-mounted servers. The HP representative seemed thrilled when I asked about Linux. They offer Redhat on their higher end laptops and workstations, though SUSE, Mandrake, and other are certified to work as well (with nifty certification matrixes too). The regular HP people can't help you, you must order through their Small-Medium business group (1-800-888-0292). Sadly no 64bit chips or OSes here. Dell... Well, the home-office person actually knew what Linux was, but said she thought only the small business group had systems with Linux pre-installed. A transfer later I talked to the small business rep. I said I was interested in quotes on laptops or desktops with Linux pre-installed. Her reply: "OK, I think we can do that... just one thing, whats Linux?" I even had to spell it. She then had to check with Tech support to see if Linux was available, and it is only available on their nSeries of workstations, as Redhat. These are fairly nice machines, with SATA RAID built in for even the lowest model (sub $1000). I guess Dell needs to better train their reps about what they offer, though they do have a nice website about Linux. (http://linux.dell.com/desktops.shtml). Again no 64bit chips or OSes The biggest surprise was IBM. They do not offer Linux pre-installed on any of their Laptops or Desktops. They do have documentation on their site about installing Linux on different models of Thinkpads and desktops. IBM certainly made up for the lack of desktops/laptops with their Intellistation workstations. They have 2 lines of 64 bit 1 or 2 way SMP systems. The first line is based on AMD Opteron chips, with 64bit Redhat Linux or 32bit Windows XP available (though lesser models with Intel Xeons are available). The 2nd line is based on IBM's 64bit POWER chips. With hotswapable SCSI drives and other featuress, these are beasts and the high end model starts at $15,0000. Interestingly enough, only AIX is available on these, even though Linux runs fine on IBM's POWER-based servers. Linux is of course an option on all of IBM's eServers. All in all, I was happy that the OEMs offered Linux. I was a little disappointed about how well the advertised it on their websites however. Another surprised was the lack of lower end systems with Linux pre-installed. Aside from the occasional thin client with a 2.4 kernel, I couldn't find any sub $600 dollar machines running Linux from the major OEMs. Let face it, this is where Mom and Pop shop, and for Linux on the desktop to take off, the major OEMs need to push it more. Finally, IBM is the only choice if you want a 64bit system with Linux. Gateway Servers with Linux:
http://www.gateway.com/work/products/cp_srv_catalog.shtml HP Workstations and Notebooks with Linux:
http://www.hp.com/workstations/pws/index.html Dell nSeries Workstations with Linux:
http://www1.us.dell.com/content/products/compare.aspx/precn_n?c=us&cs=04&l=en&s=bsd IBM Intellistation workstations with Linux:
http://www-132.ibm.com/content/home/store_IBMPublicUSA/en_US/IntelliStation_workstations.html |
|
IBM: Fun Linux Animations |
|
|
|---|
| Topic: Technology |
11:56 am EST, Nov 9, 2004 |
] Why is IBM supporting Linux?
] Because we admire it, we believe in it, we need it and
] it's good for customers. And, well...it's a lot of fu Some fun little animations about Linux. Some are... well... a little strange. IBM: Fun Linux Animations |
|
Yahoo! Search - Looks like Google |
|
|
|---|
| Topic: Technology |
11:51 am EST, Nov 7, 2004 |
Its been 4 or 5 years since I've used yahoo to search, so maybe everyone else has noticed this. Yahoo's search page looks just like Google. Yahoo! Search - Looks like Google |
|
The Fifth HOPE - 25 presentations up |
|
|
|---|
| Topic: Technology |
9:41 am EST, Nov 6, 2004 |
] MP3 files are being created for our panels. Watch this
] website as new files are made available every Friday.
] Click on "L" to download a local copy to store on your
] machine, or click on "S" to stream the audio. Video
] copies of all panels will also be available from our
] online store.
They just added 25 new audio files of presentations. I recommend "hacker radio" by slipmode (with an appearance by yours truly). Also there was something called "when corporations attack" by some other people that are very familiar with memestream regulars. ;) I already recommended this URL. Thank to Stank for the heads-up. |
|
NSA - Security Configuration Guides |
|
|
|---|
| Topic: Technology |
9:14 am EST, Nov 6, 2004 |
] NSA initiatives in enhancing software security cover both
] proprietary and open source software, and we have
] successfully used both proprietary and open source models
] in our research activities. NSA's work to enhance the
] security of software is motivated by one simple
] consideration: use our resources as efficiently as
] possible to give NSA's customers the best possible
] security options in the most widely employed products.
] The objective of the NSA research program is to develop
] technologic advances that can be shared with the software
] development community through a variety of transfer
] mechanisms. NSA does not favor or promote any specific
] software product or business model. Rather, NSA is
] promoting enhanced security. NSA's guides to securing machines NSA - Security Configuration Guides |
|
