Comments

Slashdot Tries Something New; Audience Responds!

Arslan ibn Da'ud Re:Why? (2219 comments)

There are MANY reasons to hate the beta but using Javascript is not one of them

Nonsense! Javascript slows down the browsing experience. Doesn't matter how fast your hardware is; it is always faster without Javascript. Not to mention security issues.

I sure hope someone at Dice is testing beta using lynx! (or links)

about 9 months ago

Google To Encrypt All Keyword Searches

Arslan ibn Da'ud Re:Illusion of privacy (224 comments)

Government agencies have been caught lying, but they don't have the same legal requirements to citizens as publicly-traded companies have to shareholders.

I think I've found the problem right there!

1 year, 22 days

Interviews: Ask James Randi About Investigating the Truth

Arslan ibn Da'ud Re:Is it true (386 comments)

I SOOOOO want to see this answered!

about a year and a half ago

Book Review: The CERT Oracle Secure Coding Standard For Java

Arslan ibn Da'ud Re:Pretty decent general coding practices (66 comments)

Thanks for this notice. I've added it to our 'Errata', so it should be fixed in the next reprinting.

It is more a style issue rather than a correctness issue (the code in the book *is* correct), but we should also be promoting good style too :)

more than 2 years ago

Book Review: The CERT Oracle Secure Coding Standard For Java

Arslan ibn Da'ud Re:But Java is secure! (66 comments)

out of interest why does free not null out the pointer

Well, C's free() is a library function, so it only gets a pointed-to value, not the actual pointer itself. But if free() could magically null the pointer, would that solve your problem? Your program could have other copies of the pointer that free() wouldn't know about; those would still be dangerous.

Java's GC fixes this problem by freeing memory only when it knows no object references point to it.

more than 2 years ago
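The aliasing point made in the reply above, as an added C example that is not from the post or the book: FREE_AND_NULL is a hypothetical macro standing in for the "free() that nulls the pointer" the question asks for, and the function only compares pointer values, it never dereferences the freed block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper written for this example (not from the book or the
 * post): a free() that also clears the caller's own pointer. It has to be
 * a macro, because a function only receives the pointer's value and cannot
 * reach the variable that held it. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* Frees a buffer through its owning pointer and reports what happened to a
 * second copy of that pointer. Returns 1 when the owner was cleared but the
 * copy still holds the old (now dangling) address, 0 otherwise, and -1 if
 * the allocation failed. The copy is compared, never dereferenced. */
int alias_survives_free(void)
{
    char *owner = malloc(16);
    if (owner == NULL)
        return -1;
    strcpy(owner, "hello");

    char *copy = owner;           /* a second reference to the same block */

    FREE_AND_NULL(owner);         /* owner is cleared, the block is released */

    int owner_cleared = (owner == NULL);
    int copy_dangling = (copy != NULL);   /* the macro never saw this one */
    return (owner_cleared && copy_dangling) ? 1 : 0;
}

int main(void)
{
    /* Expected on any real toolchain: the owner is NULL, the copy is not. */
    printf("alias still dangling after FREE_AND_NULL: %s\n",
           alias_survives_free() == 1 ? "yes" : "no");
    return 0;
}
```

This is exactly why a tracing GC, which frees a block only when no reference to it remains reachable, closes the gap that a nulling free() cannot.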

Book Review: The CERT Oracle Secure Coding Standard For Java

Arslan ibn Da'ud Re:But Java is secure! (66 comments)

Doesn't anyone remember that when Java first came out that it was marketed as a secure alternative to C and C++? Proponents claimed that Java got the security model right, and that we could all just get down to solving the problems at hand, rather than having to worry about writing insecure code.

Agreed. Java did get some things right. When was the last time someone took advantage of a buffer overflow in a Java program? (I'm talking about the Java language here, not about vulnerabilities in particular implementations of Java.) The fact that it garbage-collects memory for you is not only convenient, but closes off a whole class of vulnerabilities like double-free, that still plague C/C++ programmers.

On top of that, Java provides a standard API for concurrency...standard C and C++ didn't provide any threading model until this year.

And Java provides a framework allowing a program to run hostile code and still maintain control. C has no such capability; if your C program runs hostile code, game over, you're pwned. So I'd say Java did solve some of the biggest problems affecting C...buffer overflows and memory-allocation errors. I'd say that makes Java more secure than C. The problems outlined in the book can mostly be applied to C as well, though you'll have to go outside the standard to do them (eg for multithreaded code).

There are many reasons to use Java, but as this book clearly demonstrates, security is not one of them. The notion that a language automatically provides security is flawed, at best. The best a language can do is provide a mental model which encourages secure coding. The rest is on the programmer.

I'd say that no language provides security, as perfect security is an impossible dream...we can strive for it, and approach it, but never quite reach it. So I'd rather say that Java provides more security than C.

more than 2 years ago

Book Review: The CERT Oracle Secure Coding Standard For Java

Arslan ibn Da'ud Re:FUCKING ENGLISH, DO YOU SPEAK IT (66 comments)

a fine balance between enhancing delivery excellence and releasing a software product in consonance with deadlines.

Can I get this translated into English, please? I try to avoid parsing marketroid and/or manager babble. ;)

No, but here is a translation you'll understand:

Project code = getProject();
int codingQuality = QA.getQuality(code);
Date deadline = Boss.getDeadline();
Date completionDate = estimateRemainingWork(codingQuality);
while (completionDate.after(deadline)) {
    codingQuality--;
    completionDate = estimateRemainingWork(codingQuality);
}

more than 2 years ago

Book Review: The CERT Oracle Secure Coding Standard For Java

Arslan ibn Da'ud Re:Don't you just love Java (66 comments)

I think that needs to be updated:

Pwn once.
Patch everywhere.

more than 2 years ago

Book Review: The CERT Oracle Secure Coding Standard For Java

Arslan ibn Da'ud Re:750 pages? (66 comments)

Let me explain...no there is too much. Let me sum up.

I've read 1000-page technical books that had no filler (at least none that I could find). They just had a LOT of ground to cover. Sigh. How do you distinguish the books with mostly filler from the books that aren't? You gotta slog through the whole thing. Or you gotta trust that that review you're reading was done by someone who slogged through the whole thing.

Sounds like you want more of a tutorial in the style of K&R, rather than a reference book like this.

more than 2 years ago

Book Review: The CERT Oracle Secure Coding Standard For Java

Arslan ibn Da'ud Re:Pretty decent general coding practices (66 comments)

Disclaimer: I'm one of the authors.

Really, what is wanted is a set of books, each for a different required confidence level. This would make an excellent book #1 in the set. Book #2 onwards would need to add to the book before, explaining where a certain methodology simply won't work at the more stringent level and what you replace it with. For example, their compliant solution on page 25 for doPrivilegedAction() is good for a basic level of confidence but has flaws. There's magic numbers (an 8 for the maximum length of a username), the program flow isn't great (check for a maximum length doesn't actually trip an exception), some parameters aren't sanity-checked (the password is passed straight to the hash function without knowing if it meets the size requirements for the function or if there's anything in the string that might break things). It's perfectly good for a basic level of good practice, but I wouldn't consider it adequate for more advanced levels.

I'm not sure what you are referring to on page 25, there is no doPrivileged() block there. But go ahead & contact me with specific criticisms or comments on the rules.

Some of the problems you cite arise from the main purpose of the code examples, which is to be illustrative, rather than to be functional. For example, I'll agree that magic numbers in code are generally a bad idea, and should be replaced with constants. In fact, we considered adding a rule about this to the book, and nixed it because that is purely a maintainability issue, with no direct ramifications to security. (That is, you'd have to work hard to contrive an example where failing to use magic numbers makes your program vulnerable rather than just buggy.)

Using 'magic numbers' also makes the code bigger, and a little harder to read. For code whose purpose is to work properly, this extra code size is no big deal, but when the code's purpose is to serve as an illustration in a book, this bloat is more problematic. If the code has to appear on a PowerPoint slide, this bloat can be critical.

(Having everything in one single book and coding to an insanely high standard is why the DoD's efforts for higher quality code ultimately failed. It had nothing to do the limits of what people can do, it had everything to do with what people have time to do. You need a good baseline and build from it.) The thing that concerns me is that Oracle will probably consider this sufficient for everyone, which it isn't. The standards are not even up to the quality needed by e-Commerce and should not be used directly from this book for that purpose. This is a foundation layer, it isn't the entire edifice.

I suspect the edifice you are imagining is a tower of Babel...it will never be complete. True security is an impossible dream, that we can asymptotically approach yet never attain. In this book, we tried to focus on the insecure coding practices being made today; we ignored 'theoretical' insecure coding practices that aren't being widely done today. Mainly to keep the project a manageable size :)

more than 2 years ago

Groklaw Declares Victory, No More Articles

Arslan ibn Da'ud Re:Disappointed (265 comments)

That's what you get for skipping the article.

more than 3 years ago

Why the IRS Should Automatically Fill In Returns With What It Knows

Arslan ibn Da'ud Re:What do you think happens today? (613 comments)

So let me see if I get this straight...

The current system allows a taxpayer to be dishonest, but catches him if he is.

The proposed change prevents a taxpayer from being dishonest (by informing him of what the IRS already knows of his finances), and only gives him a chance to correct the records.

So how is catching taxpayer dishonesty an advantage, again?

more than 4 years ago

Staying Afloat In a Sea of iPhone Apps

Arslan ibn Da'ud Re:Frustrating For Developers (149 comments)

Not everyone has iTunes installed on every machine?

But then... how would you live?

Quietly.

more than 5 years ago

Staying Afloat In a Sea of iPhone Apps

Arslan ibn Da'ud Re:Frustrating For Developers (149 comments)

Might I recommend that if you wish to provide a link to an iPhone app, don't link directly to iTunes. Not everyone has iTunes installed on every machine? (Last I checked there was no Linux version.) Instead provide a link to your app via AppBeacon.

For instance: Velocity

They mirror the info iTunes provides, also providing an iTunes link. But that way I can review your app on my Linux box and buy it directly, or buy it later on my Mac laptop. (No, I don't work for AppBeacon, just a satisfied netizen.)

more than 5 years ago

Vint Cerf Imagines the Net's Future At NASA

Arslan ibn Da'ud Re:Seriously? (67 comments)

Last week I stepped in some dog poop. Does that count?

more than 5 years ago

Railway Workers Get Daily Smile Scans

Arslan ibn Da'ud Re:fake vs genuine (385 comments)

For people who have to deal with members of the public on a daily basis, being able to produce a smile that seems genuine may make a difference in how their customers perceive their service.

I can't tell a fake smile from a real one, but I sure can spot the oxymoron in that sentence. So the goal is to present a fake smile that others think is genuine?

more than 5 years ago

Man Attacked In Ohio For Providing Iran Proxies

Arslan ibn Da'ud Re:The Grotesquely Ugly Truth (467 comments)

Wish I had mod points to bump you up.

Good thing you don't then. GP is a troll; has made the same post elsewhere on this topic, as well as several previous Iranian topics. Was soundly refuted last time. (Hint: The US deserves a lot of blame.)

more than 5 years ago

Dinosaur Posture Still Wrong, Says Study

Arslan ibn Da'ud Dinosaur posture is bad (226 comments)

because the dinosaurs didn't have a WiiFit!

ok i'll go back to my corner now.

more than 5 years ago

Mozilla Preparing To Scrap Tabbed Browsing?

Arslan ibn Da'ud Re:Bah (554 comments)

If I manage my life using Notepad and text files, is Notepad my new OS?

Yes, if by 'Notepad' you mean 'Emacs' :D

more than 5 years ago

Flash Drive Roundup

Arslan ibn Da'ud Re:They're in cereal boxes (311 comments)

Ha! Don't you try to outweird me. I get stranger things than you free with my breakfast cereal!

more than 5 years ago

Submissions


Interview with an Adware Developer

Arslan ibn Da'ud writes | more than 5 years ago

Arslan ibn Da'ud writes "Bruce Schneier has an interesting interview with a developer of adware who explains, in gory detail, how Internet Explorer can be exploited to show adware. Once exploited, the ad-showing software embeds itself using a variety of techniques making removal extremely difficult. An interesting note is that the developer targets IE users because they "tend to be the less savvy chunk of the market", in addition to being the biggest."

Journals

Arslan ibn Da'ud has no journal entries.
