Posted: August 29th, 2006
One of my favorite blogs just published a new essay All Aboard The Gravy Train:
Recently, some of the loudest rumblings have been coming from that quarter whose current fascination is the scripting language Ruby, and its ORM library Rails. Think back to the last cycle of hype you saw in our industry, perhaps the Extreme Programming craze, and you’ll recognize many of the phenomena from that little reality excursion now reoccurring in the context of Rubyism. There are wild and unverifiable claims of improved productivity amidst the breathless ravings of fan boys declaring how cool it all is. There are comparisons against precursor technologies that highlight faults that are apparently obvious in hindsight, but which were significantly absent while those technologies were in fashion. And above all there is the frenetic scrambling of the “me too” crowd, rushing to see what the fuss is all about, desperately afraid that the bandwagon will pass them by, leaving them stranded in Dullsville, where nothing is cool and unemployment is at a record high.
It’s good to know that I’m not the only one out there with doubts about the quality of the software written by the jump-on-the-latest-bandwagon crowd.
I’d just like to add one related comment: regardless of what the proponents of a certain programming language may tell you, you are not going to learn that language in 1 day, 1 week or even 1 month. It’s going to take you many years to be able to write reliable, secure, easy-to-maintain code with some speed. It will require a significant investment of time. Learning everything as you go is not sound software engineering. And the number of programming languages someone knows is not a good metric for how good a programmer that person is.
Links:
Brooks’ No Silver Bullet or the entire The Mythical Man-Month.
Update (humorous): I just logged in to my desktop PC. Today’s fortune:
There are two ways to write error-free programs; only the third one works.
Posted: August 28th, 2006
Why Linux over XP? How Ubuntu Users Respond – and many of the reasons are valid for OSes other than Windows XP (coff*OSX*coff).
Posted: August 18th, 2006
Yet another great BOFH episode:
“Why’s it gone dark?”
“You need the power off when you install some things.”
“What things?”
“Hatchets mainly…”
Posted: August 17th, 2006
This blog was down for the past 24h or so… a scheduled server maintenance turned into a disaster when the database backup got corrupted somehow. Fortunately another backup (made at the same time) was found and the database restored.
All’s well that ends well.
except for my knife – she’s sad cuz she won’t be used today…
Posted: August 10th, 2006
F.E.A.R. Multiplayer to be made available for free:
08-08-2006 – Sierra Entertainment today announced that the multiplayer component from the award winning PC title F.E.A.R.™ (First Encounter Assault Recon), has been renamed F.E.A.R. Combat, and will be made available to the public as a free download on Thursday August 17th, 2006.
F.E.A.R. Combat is the complete multiplayer component of F.E.A.R. and includes all the updates, additional official maps and additional official game modes all in one downloadable file. F.E.A.R. Combat users will be able to play against the owners of the retail version of F.E.A.R. as well as the other F.E.A.R. Combat users.
F.E.A.R. Combat features:
- 10 Multiplayer Game modes.
- 19 Multiplayer Maps.
- 12 different weapons.
- Punkbuster support for anti cheat support.
- The capability to download user generated content.
To play F.E.A.R. Combat, consumers simply go to www.joinfear.com and register to obtain their free, Combat keycode. When the file is made available for download on Aug 17th 2006, consumers can install, enter their keycode, and get ready to join F.E.A.R. Combat!
F.E.A.R. Combat will be available for download on August 17th 2006.
Posted: August 9th, 2006
What Were They Thinking? Anti-Virus Software Gone Wrong made me wonder if it’s such a good idea to be running anti-virus software. I’ve always used AV software in Windows and I’ve advised others to do so too, but in the past (almost) 10 years all that the AV software has managed to do effectively is bug me. And I’m not talking about what it did to my 29a files or about it making a fuss about stuff like the admw0rm source code every now and then. I mean:
- they make PCs considerably more unstable – I’ve tracked back several windows crashes to AV software.
- kaspersky actually messed up my javascript the one time I used it. Who knows what else it would’ve messed up if I had continued to use it.
- norton made a reputation for itself as a major resource hog (I dunno if this has improved in the last version of norton but I doubt it). And while others are better, the system always takes a considerable performance hit.
And as if that wasn’t enough, they also introduce more vulnerabilities. And all that for what? In the past 10 years AV software hasn’t protected my computer from a single real threat. Not one. And it offers very limited protection against new malware.
And this has nothing to do with the fact that I think current AV software is flawed by design (enumerating badness). What has AV software actually done for me? Nothing. So I’ve been introducing vulnerabilities and instability into my PC for nothing? But what about the future? What if I don’t use AV software and get infected by a virus that would’ve otherwise been detected and stopped by AV software?
I’ve decided to remove AV software from my PC. To be honest, I don’t use windows as much as I used to and that makes the decision much easier. I do encourage you to think about it – but I do not encourage anyone to remove AV software from their PC and I will continue to recommend the use of anti-virus software. I’m a very careful user, and I take a lot of steps that are the reason why my PC hasn’t been infected by viruses or worms.
While I was writing this post (about 3h ago) I received the following email:
From: pucik@overflow.pl
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [Overflow.pl] Clam AntiVirus Win32-UPX Heap Overflow…
Additional Links:
How To Keep Your Computer Spyware Free – Basic Windows Security – I need to update it but it’s still ok.
Posted: August 8th, 2006
When I made my first post about my new laptop, there were still two missing key hardware drivers – the nvidia driver for the Nvidia GeForce Go 7400 and the wireless driver which I didn’t bother to compile by hand (and therefore didn’t mention). I’m happy to report that both the graphic card and the wireless driver now work out-of-the-box in ubuntu 6.06 after updating the kernel to the latest version. The graphic card has been working for quite a while (I simply forgot to mention it) – nvidia delivered the drivers on the promised date. The built-in webcam (which I didn’t mention because I had never tried to use it) doesn’t work under linux. I don’t think the built-in bluetooth works either, though I can’t be sure until I bother to try to use it.
Summary:
I can confirm all the hardware of the Sony Vaio FE11S works perfectly in linux (ubuntu 6.06 fully updated) with the _exception_ of the built-in webcam (NOT SUPPORTED BY LINUX) and the built-in bluetooth (haven’t tried to get it to work).
Posted: August 8th, 2006
I dumped the then over-bloated KDE for GNOME when 2.6 came out. Eventually that decision forced me to change from my long time linux distro of choice, Slackware (slackware doesn’t officially support recent gnome versions, which means you’re stuck with dropline and a lot of problems). For a while, I jumped from distro to distro, not happy with any until I came across a worthy replacement for my slackware desktop: Ubuntu. I haven’t used KDE since the jump with the exception of livecd distros, namely feuplive. A few weeks ago, a friend of mine showed me his KDE desktop and I actually liked some of what I saw. Namely two applications: Katapult (sort of like Quicksilver, I’m told – just press ALT+SPACEBAR and type whatever) and Yakuake (it’s a konsole that drops down with the press of a button – F12 – and goes back up with another press of the same button). They are two of the best, most useful KDE applications out there and they work perfectly in Gnome. A far cry from a few years ago when KDE apps often didn’t work properly under gnome or just looked butt-ugly. amarok is still the best music player available for linux by a long shot (Gnome devs: get your act together and make a decent music player) – unfortunately I’m having problems with the amarok version I have and I’ll need to upgrade. Another KDE application I like is Krusader, a midnight commander for KDE.
Installing:
yakuake: sudo apt-get install yakuake
katapult: sudo apt-get install katapult
krusader: sudo apt-get install krusader kompare kmail krename kget lha unrar
amarok 1.4 (possibly buggy): instructions here.
Screenshots:
Yakuake
Katapult
Posted: August 8th, 2006
There are two things I’ve long decided not to blog about (to quote South Park, “I’m not touching that one with a 60 foot pole”):
1) The Arab-Israeli conflict
2) Mac OS
So you’ll forgive me (or not) if I totally sidestep the issue – the one Thomas Ptacek, Rui Carmo and others have been going on about – and quote Rui Carmo, totally out of context, to rant about something I’ve been meaning to rant about for a while:
“bragging about what they can do before publishing their methods and results”
Unfortunately many security “experts” and “researchers” these days are big fat press whores. They spread FUD for weeks, even months, giving numerous interviews greatly exaggerating the risks exposed by their yet-to-be-published “research”. Or slightly better, their published research no one in the security community really gave a damn about. Or considerably worse, their never-to-be-openly-published “research”.
1) Unpublished research has no credibility. It is usually referred to as “claims” as in “I claim I’ve mastered cold fusion”. The person who made those claims might have credibility. Something they are likely about to lose, at least partially.
2) Greatly exaggerating the results (risks/benefits/whatever) of your research to the public not only harms your own credibility, it also harms the credibility of your peers. And FYI, withholding information on purpose to mislead others is just as bad as lying.
3) Not openly publishing your research and only sharing it with certain individuals in closed rooms (at a price) is shameful, unethical, should be criminal and might very well come back and bite you in the ass.
Not too long ago, real security experts would be ignored when presenting real problems to developers and to the general public. Today “security experts” are enjoying quite a lot of (often undeserved) attention. Instead of using it responsibly, they will say almost anything to get their 15 minutes of fame. The problem? The public is getting increasingly skeptical and tired of hearing “wolf” when there is none. The security community risks alienating the public.
Individual “experts” aren’t the only ones to blame here, and the trend to exaggerate risks didn’t appear in the last couple of years. Download a trial of any of the famous anti-virus or personal IDS products and see how they respond to something like finding the source code for the ADMw0rm in your windows XP box. Or how they respond to an nmap scan. Or take a look at third party advisories from a random “security services” company and look at how they label their advisories – you’ll probably see a lot of “Critical”/Red… you might even see something like “Extremely Critical” or, as I like to call it, “End of Days Stuff”, kind of analogous to some WWIII mentions in the media (gotta love the Colbert Report). Oh, and don’t blame the media for this. It’s a known fact that the current “news industry” is sensationalist and does not fact check or anything like it – it’s basically the “PR regurgitation industry”. They are just manipulated, and they make money out of it so they don’t care.
I considered giving actual examples. Using names, quotes and links. That could (and probably would) be construed as personal attacks, which is not what I want. Anyway, chances are that if anyone in the computer security community reads this, they’ll know what I’m talking about.
Actually commenting on this case:
Is it good research? Probably (I haven’t looked at it but Maynor and Ellch are serious security experts). Is the Washington Post’s article sensationalist? Yes. Is it big news that device drivers have security vulnerabilities? _NO_! (as a quick reference, read this 1yr old article at securityfocus). Whose fault is it – the OS developers’ or the driver developers’? Both – OpenBSD devs are laughing and probably said something like “ahahaha and they gave us funny looks when we told vendors to shove their proprietary drivers where the sun doesn’t shine”.
I’m not going to get in the middle of the debate, but one thing Rui is entirely right to question: “the way and sequence of events during which it was made public, before a comprehensive technical disclosure”. It was wrong – Maynor and Ellch failed to do this right.
[Updated From Comments]:
What I think they should’ve done is publish their work BEFORE going to the press about it. Or at least be clear about what products are (known to be) vulnerable and under what circumstances. Otherwise it spreads FUD – even if that’s not the intent (which I’m sure it isn’t).
Posted: August 1st, 2006
Bugle is a collection of search queries which can help to identify software security bugs in source code available on the web. The list at the moment is rather small (you get the idea though); hopefully people will start sending more queries. Source code review is not a straightforward operation; using the list you will get pinpoints and not definite results.
If regular old google can be used to search for malware, I guess it’s not impressive to see google code search being used to audit code… still cool
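As an added illustration of the "pinpoints, not definite results" point (this is not Bugle's query list or code), here is a small pattern search run over a constructed C snippet; the patterns and the sample source are hypothetical, and the bounds-checked `strcpy` is flagged exactly like the unbounded one, which is why each hit is a place to start a review rather than a confirmed bug.

```python
import re

# Constructed C source for the demo; not from the page or from Bugle.
SAMPLE_SOURCE = """\
int copy_name(char *dst, const char *src) {
    strcpy(dst, src);                        /* unbounded copy */
    return 0;
}
void safe_copy(char dst[64], const char *src) {
    if (strlen(src) < 64) strcpy(dst, src);  /* guarded: likely a false positive */
}
void log_msg(const char *msg) {
    printf(msg);                             /* caller controls the format string */
}
void run(const char *cmd) {
    system(cmd);                             /* shell execution of caller input */
}
"""

# Hypothetical query list in the spirit of Bugle: regex -> what a reviewer should check.
QUERIES = {
    r"\bstrcpy\s*\(": "unbounded string copy; check destination size",
    r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*\)": "printf with non-literal format string; check its origin",
    r"\bsystem\s*\(": "shell command execution; check where the command comes from",
}


def search(source, queries):
    """Return (line_number, description, source_line) for every query hit.

    A hit only says 'look here'; whether the code is actually unsafe
    depends on context the regex cannot see (e.g. the strlen guard above).
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, description in queries.items():
            if re.search(pattern, line):
                hits.append((lineno, description, line.strip()))
    return hits


def summarize(hits):
    """Count hits per query description, to prioritise the manual review."""
    counts = {}
    for _, description, _ in hits:
        counts[description] = counts.get(description, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, description, text in search(SAMPLE_SOURCE, QUERIES):
        print(f"line {lineno}: {description}\n    {text}")
```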