log (2000/08/11 to 2000/08/17)
Wednesday, August 16, 2000
Those Wacky Unix Filenames! From Wired 8.09, September 2000, page 230:

For example, even novice Internet users are often required to type Unix file specifications such as http:// -- hardly a standard for ease of use. Blame it all on the inventor of Unix, Tim Berners-Lee.

Making the rounds: Last chance to Buy a VAX!

Keith Dawson writes that he has also been following the political Web servers meme; see this recent TBTF entry. See the TBTF blog in general, for that matter; it's a good one.

What are you doing? planning my next drug binge

Cue the scary music! And more generally and at some length:
Or at least not all the time... *8)

What are you doing? Trying to come up with a better way to live.

I somehow neglected the Reform Party yesterday. Of course there are two of them! Note the very significant differences...
Long ago when I looked at some of the Web pages of the pre-primary candidates I mentioned the Secret Messages hidden on the Gore page. There're still Secret Messages there (messages, that is, in comments in the HTML source), and to Gore's credit they no longer have the clueless misuse of the phrase "open source" that they did then. Here's what it says now:

Thanks for checking out our source code! I plan to use this space to post special messages to those who are helping to improve our web site -- by making our site the best it can be. The fact that you are peeking behind the scenes at our site means you can make an important difference to this Internet effort. I'm grateful for your help and support in this campaign. Now let's keep working to build the 21st Century of our dreams!

Ian has revealed our secret plans to force politicians to display contributor logos on their clothing, so I will hint at some of the other schemes concocted at that soon-to-be-famous lunch: most of us resent the fact that politicians are controlled by the rich, who can afford to pay lots of money to get them to do certain major things. What if that were democratized, and you could pay a little money to get them to do minor things? And what if you could do it on the Web? Revolutionary, eh?

Least interesting domain name of the day: fedworld.gov. On the other hand, I think it's cool that you can download the entire US Code from the Web. Not to mention the homepage of the Epsom Salt Council!

Is your skin rough and bumpy from hiding under layers all winter? Epsom Salt is an excellent skin exfoliator. Super model Stephanie Seymour is quoted as saying she uses it from head to toe.

The irrepressible Georgi Guninski has found yet another hole in IE, or actually in Windows when it uses IE to show you a folder as if it were a Web page. In other computer security news, someone has found a buffer overrun in a Gopher server; now that's nostalgia!

Gnome seems to be Linux GUI of the Moment. The Linux users hereabouts have been known to say less-than-complimentary things about it; apparently it's all too much like Windows. On the other hand this is probably a religious issue, and I should stay out of it...

Here's a page with some numbers on it!

Unicode domain names! Run away, run away!

A new issue of Crypto-Gram is out, and it has all sorts of interesting stuff, including some discussion of parser-mismatch issues of the kind that I ranted about the other day. Unicode interpretation is another obvious area for bugs, one that I didn't mention. Crypto-Gram reader letters make the case quite strongly for using the same code for security parsing and doing-stuff parsing. The new Crypto-Gram also has a large number of links that look worth following up (the News section in particular), and some nuggets of wisdom on security and viruses and vulnerabilities and stuff, including:

It's not enough to release a patch. The press often gets this wrong. They think the sequence is: vulnerability publicized, patch released, security restored. In reality, it doesn't work that way. You don't regain security until you install the patch. Even though both of these vulnerabilities have been patched, I predict attack tools that use them.

Words to live by!

This guy walks into a bar -- bounces right off.

Lots of rain and lightning and thunder here at the moment; what fun! If you're indoors, at least. Or if you like being out in storms.

A view from the Esplanade during these events would show two thirds of the city battening down their camps, attempting to hold together their violently shaking shade structures with their hands, while the remaining third strolled the avenues, oblivious to the howling winds and swirling dust.

That's from this interesting page of Burning Man stories. I daydream about going to Burning Man someday; ideally as, say, a LampLighter. Cool robes, prestigious volunteer do-gooder position, lotsa bizarre people doing strange things. Heaven!
Speaking of party platforms, there's a note going around about the Web server "platforms" that the major candidates' sites are using, so I poked around a little bit at the parties. Here's a Table:
which makes almost amazingly perfect sense. It's also interesting to note the difference between democrats.org and this:
What are you doing? A reader writes:

sitting on a towel in the kitchen enjoying a dish of ice cream, having just gotten out of the hot tub, after a day at the local clothing-optional beach... a little slice of heaven

We in the rain envy you.

Swinging back to politics, we have:

Back in the Nixon era, his detractors referred to CREP (the "Committee to Re-Elect the President") as "Creep". Am I the only one who pronounces DNC as "Dunce"?

From the same sebbo that gave us the Burning Man stories above, two sad links about the Democratic Party: Democratic Congresswoman bravely defies prudish Party spin-doctors, refuses to move fundraiser out of Playboy mansion, followed shortly by Democratic Congresswoman buckles to pressure, changes her mind.

Do right-thinking enlightened people (like my readers) think that the Playboy mansion is in fact a bad thing? As I recall from my youth (when I did in fact read the words in my Dad's Playboys up in the attic, as well as staring at the pictures), Playboy and Hefner have always been very forward-thinking in things like sex and freedom and equality and stuff. I mean, certainly Andrea Dworkin doesn't like them, but it seems to me that they are on Our Side, and pretty Enlightened. Just how sad is it that the Democratic Party feels it has to avoid associating with them (although of course they'll take their money), in the name of "family values"? Bluccch! Or am I reading all this wrong, and is Playboy in fact something Bad?
Seeing-eye horses! (From Barry Hayes)

Without comment, I merely repeat the tag line for a retrospective of the lives of famous rock stars on the Biography TV show: "Relive the times that no one can remember."

I don't really want to just stop at my axioms, though. After all if some of your axioms are wrong, you're going to get to the wrong endpoint. So I want to examine my axioms, also, as a sort of ongoing thing. It's true that all I have to examine them against is my other axioms (and the evidence of my senses viewed through those axioms), and the conclusions that they lead me to. Which is sort of too bad, but also inevitable.

Click on the Email address below..and enter "More info" on the subject line and click the Send icon. We will send you complete information about this incredible device that will make you an instant Piano Player. It's truely amazing!

Truely.

The original "Napster Bad" web-cartoon is now a whole family of web cartoons (most of which are in really awful taste for at least a few seconds, so be warned), as well as a line of T-shirts. It's a cultural phenom!

And to end on a more serious note, No More Lies, by Arianna Huffington in a recent Salon.

It's a conclusion shared by an overwhelming majority of Americans: More than 70 percent are now in favor of treatment over incarceration for those convicted of nonviolent drug charges. And the media -- in a growing number of editorials, columns and news stories -- have begun to actually shine a light on the drug war's casualties and call for new policies.

I was sorta disappointed this morning when M had no particular reaction to the Monterey Jack cheese and banana omelette I made myself. I mean, I like cheese-and-banana omelettes for themselves of course. But apparently part of the whole cheese and banana omelette experience involves one's soulmate's disgusted and/or horrified and/or tolerantly amused attitude toward the dish. Live and learn!
A loyal reader writes:

Why does davidchess.com so disregard its loyal readership? It used to be that our witty remarks appeared nearly daily, gracefully intertwined with davidchess' own thrust and parry. No longer! Instead they fall, splat, in a heap at the end of a slow logday, as if to punctuate their insignificance.

Have I been doing that? It's easy to fall into pernicious habits. In theory one should really throw everything away and start afresh (or start a fresh) every few months, just to get out of any ruts that might be developing. On the other hand, I kinda like ruts, the way the grass grows up on the edges, the little bits of dirt that break off and fall into the cracks when it's hot.

Another reader writes, along the same lines:

The greens, the air, it floats on the water like cheese. Moldy cheese, the kind used in salads in France, I hear... like lamps with broken bulbs plugged into potatoes.

And a third reader sums it all up:

Zinc

Speaking yet again of party platforms, Abada Abada recently linked to this anarchist anti-platform:

But to tell the whole truth, the clownishness has its attractions. Where better than at these overexposed summit meetings of the office holders and their corporate patrons can we spotlight our repressive political system at its most phony and hypocritical - when "the people" choose "their" candidates for the highest political office in the State? Nowhere else is the myth of popular representation so clearly revealed than at these huge, hollow exercises in "democracy."

(Jessamyn of Abada Abada is also one of the brilliant minds behind take back vermont .com, a lovely bit of co-optation.)
Reading: The Big Con. Deservedly a classic: easy reading, entertaining, informative, interestingly flavored. Might be all made up out of whole cloth for all I know, but it almost wouldn't matter. Expect more of a writeup when I finish it, if I remember.

Geegaw points to a few interesting security links, including this writeup of a "security in email" seminar with the eminent Richard Smith, and (in sharp contrast) Disney's Surf Swell Island. Do take a look at the latter (requires Flash and who knows what-all); then next time you need to show someone what the Web would be like if something like the Communications Decency Act were in force, you'll know where to go...
Speaking of computer security, I will talk shop for the rest
of this entry by pasting in another, somewhat more technical, rant
from my internal weblog.
Uninterested readers can go play with
the visual mantras for awhile
instead.
Here's another nugget of security wisdom, somewhat
more technical than the one the other day.
In more detail, if one program is examining a datastream and
filtering it or judging it or altering it to avoid having it
cause bad effects in some other program, there will be
significant bugs unless the two programs use exactly
the same parser (same code, same version, etc.).
And if the judging program is a security program, there'll
be security bugs that open the system to attack.
For example, one version of Internet Explorer had a
primary URL parser that would interpret the host part of
a URL like "http://2132799651/" as the single-integer form
of a numeric IP address, and go out to that address and
fetch the data it found there.
Every IP address has an equivalent single-integer form,
so such a URL can be constructed corresponding to any
normal URL.
But in that same version of Explorer there was another
parser, in the code that decided which security zone
a URL belonged to.
That parser interpreted the host part of a URL like
"http://2132799651/" as the name of a host
on the local LAN.
So an attacker could craft a URL that would cause
Explorer to go out into the Internet to a site under
bad-guy control, fetch back some data, and then
interpret that data as though it had come from the
security zone corresponding to the local LAN.
Not good! (See the Microsoft Security Bulletin on the subject
for some details.)
Another example of a security bug caused by parser
mismatch involves cookie parsing.
In some versions of IE (and I don't mean to pick on IE
in particular here) the primary parser would interpret
a URL like "http://www.foo.com%2ftrick%2f.bar.com" as referring
to a page "/trick/.bar.com" on the host "www.foo.com".
But the parser that decided which cookies to send with
the request parsed it differently, and would send the cookies
corresponding to the host "bar.com" rather than "foo.com"!
Also not good. (See this PeaceFire page for details,
as well as the
Microsoft Security Bulletin describing the patch to fix it.)
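To make the two mismatches above concrete, here is an added example (my own illustration, not Internet Explorer's code or anything from the bulletins) that models the two parsers side by side: a "fetch" parser that percent-decodes first and accepts the single-integer form of an address, and a "security" parser that splits on the first raw slash and never does. The zone rule, the cookie jar and the domain-matching rule are assumptions made for the demonstration; the two URLs are the ones quoted in the entry. The last function shows the fix the entry recommends, reusing the fetch parser for the security decision.

```python
"""Added example (not IE's code): two deliberately different URL parsers,
modelled on the two mismatches described in the entry, plus the 'same
parser' fix. All inputs and rules here are constructed for illustration."""
from urllib.parse import unquote

SCHEME = "http://"


def int_to_dotted(n):
    """Expand the single-integer form of an IPv4 address to dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def fetch_parser(url):
    """Model of the 'primary' (navigation) parser: percent-decodes first,
    takes everything up to the next '/' as the host, and accepts a bare
    integer as an IPv4 address. Returns (host, path)."""
    if not url.startswith(SCHEME):
        raise ValueError("only http:// URLs are modelled here")
    rest = unquote(url[len(SCHEME):])
    host, _, path = rest.partition("/")
    if host.isdigit():
        host = int_to_dotted(int(host))
    return host, "/" + path


def security_parser_host(url):
    """Model of the zone/cookie parser: splits on the first raw '/' without
    decoding, and never recognises the integer form of an address."""
    return url[len(SCHEME):].partition("/")[0]


def zone_for_host(host):
    """Assumed zone rule: a dotless name is treated as being on the local LAN."""
    return "Local intranet" if "." not in host else "Internet"


def cookies_for_host(host, jar):
    """Assumed cookie domain matching: a cookie set for 'bar.com' is sent to
    'bar.com' and to any host ending in '.bar.com'."""
    return sorted(d for d in jar if host == d or host.endswith("." + d))


# Mismatch 1: dotless-IP URL. The fetch goes to an Internet address, but
# the zone decision is made on the undecoded, dotless token.
def dotless_ip_mismatch(url="http://2132799651/"):
    fetched_host, _ = fetch_parser(url)
    return {
        "fetched_from": fetched_host,                                # 127.31.240.163
        "zone_assigned": zone_for_host(security_parser_host(url)),   # Local intranet
        "zone_deserved": zone_for_host(fetched_host),                # Internet
    }


# Mismatch 2: %2f in the authority. The fetch goes to www.foo.com, but the
# cookie parser sees a host that ends in ".bar.com".
def cookie_mismatch(url="http://www.foo.com%2ftrick%2f.bar.com"):
    jar = {"foo.com": "session=foo", "bar.com": "session=bar"}  # constructed jar
    fetched_host, path = fetch_parser(url)
    return {
        "fetched_from": fetched_host,                                       # www.foo.com
        "path": path,                                                       # /trick/.bar.com
        "cookies_sent": cookies_for_host(security_parser_host(url), jar),   # ['bar.com']
        "cookies_deserved": cookies_for_host(fetched_host, jar),            # ['foo.com']
    }


# The fix the entry recommends: the security decision reuses the very same
# parser that decides where the request actually goes.
def consistent_decision(url, jar):
    host, _ = fetch_parser(url)
    return zone_for_host(host), cookies_for_host(host, jar)


if __name__ == "__main__":
    print(dotless_ip_mismatch())
    print(cookie_mismatch())
    print(consistent_decision("http://2132799651/", {"foo.com": "session=foo"}))
```

Note that the second parser is not "wrong" in isolation; it simply resolves the ambiguous bytes differently from the parser that does the fetching, which is exactly the shape of bug the entry is describing.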
A similar problem was found in a filter
used by a Web-based mail service to
strip dangerous code from mail (i.e. turn it into text)
before delivering it to the user's browser.
The filter would detect and defang normal invocations
of javascript, but its parser
would not recognize partially encoded forms of the word,
like "jAvascript".
On the other hand, the parser in at least one popular
browser would interpret the encoded form as invoking
javascript, and run the associated code.
This could be exploited to slip dangerous script code
into supposedly-sanitized email messages.
(See
this BUGTRAQ posting for details.)
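The filter-versus-browser case is worth seeing in code as well. The following is an added example of my own, not the mail service's filter nor any browser's parser: a literal-match sanitiser beside one that normalises its input the way a liberal browser does before judging it. The HTML fragment is constructed for the demonstration and uses a mixed-case form and an entity-encoded form of the scheme as stand-ins for the "partially encoded" variants the posting describes; the browser model (entity-decode, strip whitespace and control characters, compare the scheme case-insensitively) is an assumption about liberal parsing, not a description of any particular browser.

```python
"""Added example (not the filter's or the browser's code): a literal-match
mail sanitiser beside one that normalises the way a liberal browser parser
does. The HTML fragment is constructed, not a real message."""
import html
import re

# Constructed input: a mixed-case form, an entity-encoded form, and an
# ordinary link that must survive filtering.
SAMPLE_HTML = (
    '<a href="jAvascript:alert(1)">one</a> '
    '<a href="java&#x73;cript:alert(2)">two</a> '
    '<a href="http://example.invalid/">fine</a>'
)

HREF = re.compile(r'href="([^"]*)"')


def naive_filter(fragment):
    """Literal-match protector: defangs only the exact lowercase token."""
    return fragment.replace("javascript:", "defanged:")


def browser_scheme(href):
    """Assumed model of a liberal browser: entity-decode, drop whitespace and
    control characters anywhere, then read the scheme case-insensitively."""
    decoded = html.unescape(href)
    squeezed = "".join(ch for ch in decoded if ch > " ")
    return squeezed.partition(":")[0].lower()


def liberal_filter(fragment):
    """Protector that normalises the same way the browser does before judging,
    so anything the browser would treat as script gets defanged."""
    def defang(match):
        if browser_scheme(match.group(1)) == "javascript":
            return 'href="defanged:"'
        return match.group(0)
    return HREF.sub(defang, fragment)


def scripts_that_would_run(fragment):
    """The hrefs the modelled browser would execute as script."""
    return [h for h in HREF.findall(fragment) if browser_scheme(h) == "javascript"]


if __name__ == "__main__":
    print("unfiltered:", scripts_that_would_run(SAMPLE_HTML))
    print("after naive filter:", scripts_that_would_run(naive_filter(SAMPLE_HTML)))
    print("after liberal filter:", scripts_that_would_run(liberal_filter(SAMPLE_HTML)))
```

The point is not the particular tricks (case, entities, embedded tabs) but that the protector must accept at least everything the protected parser accepts; a filter that is stricter than the browser is a filter with holes.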
Yet another bug along the same lines is described in
this Microsoft Security Bulletin; again one parser was very
liberal and would accept various technically-invalid escape codes
as having special meanings, whereas the parser in the security
component of the system treated those codes as ordinary text.
Perusal of the BUGTRAQ archives will reveal numerous
similar problems, some considerably more complex.
Proxy servers attempting to block Java, firewalls
attempting to find FTP connections, and various other
security systems have proven to be bypassable because of
oddities in their parsers that didn't match the oddities
in the systems being protected.
The problems are usually in edge cases or odd cases,
and most often in a case where the parser being protected
is being "generous" in what it interprets, accepting
technically-invalid constructs that the parser in the security component
doesn't recognize as valid.
Which is not to say that other flavors of the problem can't
also occur, as when a firewall thinks it sees an outgoing FTP
connection that implicitly makes a corresponding incoming connection
OK, but in fact no such outgoing connection really existed.
The best solution to this is to use exactly the same
parser in the protector as in the protected.
When this can't be done, second-best is to ensure that
the protector has a very liberal parser, and will
recognize various edge cases that aren't technically
valid (but that some piece of the protected system
might accept regardless) as potentially accepted and
in need of filtering or special treatment (err, that is, on the
side of caution).
(If both parsers are coded to the same specification,
the specification is completely rigorous, and the
coding in both cases is exact, the problem won't arise.
But when was the last time you saw one program, let alone two,
that had those properties?)
No, this isn't easy!
That's why we security types get the Big Bucks...
*8)