Archive for the ‘LINKS’ Category.
Is finding security holes a good idea?
Eric Rescorla: Is finding security holes a good idea? actually analyzes the data on bug discovery. Conclusion of (the first draft of) the paper:
If finding security defects is a useful security activity, then it should have some measurable effect on the software security defect rate. In this paper, we have looked for such an effect and only found very weak evidence of it. In the best case scenario we are able to make, the total defect count has a half-life of approximately 3.5 years. However, our data is also consistent with there being no such effect at all. In either case, the evidence that the effort being spent on bug finding is well spent is weak.
Reinstall Windows XP without product activation
Sniptools | Tips/Tricks | Reinstall Windows XP without product activation:
Isn’t it galling that we need to contact Microsoft for “permission” if we choose to reinstall a product that we already legally own and use, and have “stamped” so before?! Well, no worries, there is a trick for getting around product activation for Windows XP when reinstalling.
Moving Away from XSLT
Sean McGrath questions the optimality of transforming XML with XSLT. He cites Martin Fowler, who finds XML easier to transform with a scripting language (Ruby in this case).
Why NAT Isn’t As Bad As You Thought
Martin Geddes: Why NAT Isn’t As Bad As You Thought:
Please do sit down. Should the shock cause you to suddenly lose consciousness, I hereby disclaim all responsibility for any subsequent loss or injury. I’m about to defend the anthrax of the Internet: NAT.
…
Moaning that NAT is the devil’s technology doesn’t help you. Skype made the technology easy to use through an overlay network. Speak Freely didn’t, because that was seen as an impure thought. The real world clearly values usability over ideological correctness. The day may come when the NATted user of Skype can determine that they receive worse service (e.g. worse voice quality, or a slower frame rate on a video version of Skype.) They will then upgrade to a more expensive Internet connection with more IP addresses for all their proliferating gizmos.
IPv6 doesn’t solve this. The existence of a gazillion unused addresses doesn’t force your limited choice of suppliers to hand any of them over to you. They can simply refuse to route ones they didn’t allocate. Tough luck.
With my Internet architect hat on, I, as much as anyone, deplore NAT and the present and future mistakes it makes. Same for my futurist hat on. With my security-conscious hat on, I have to say that NAT is the right choice for Joe Average. Preserving the choice in some form is important. I guess I should be inventing NAT-unfriendly protocols so that the price between NATted and unNATed service won’t diverge too much.
China Authorities Battle Hard to Tighten the Web
LA Times (requires registration): China Authorities Battle Hard to Tighten the Web:
…The second approach uses technology to limit citizens’ ability to view what the government considers objectionable.
In recent months, China has become far savvier in this area, experts say. It wasn’t too long ago that it had to block an entire overseas website containing objectionable material, with questionable results. While blocking the Massachusetts Institute of Technology’s site prevented Chinese citizens from accessing encryption programs, for instance, it also frustrated future government engineers trying to apply to the institution.
Now Beijing can block access to a single page, or to links it finds objectionable.
“It sounds easy, but it’s been a deep technological problem,” said Ben Edelman with Harvard Law School’s Berkman Center for Internet and Society.
The firewalls around China require users seeking access to the rest of the Internet to go through a limited number of gateways controlled and monitored by Beijing. China also has improved its ability to divert or hijack requests for sensitive information, redirecting them to harmless sites or “timing out” the request. It’s also better able to block sites that constantly change their Web addresses, a tool used in the past to keep one step ahead of censors.
“With new technology, they’re now upgrading their system within a couple of months,” said Bill Xia, president of Dynamic Internet Technology, a U.S. company that develops technology to circumvent China’s filters. “They probably have to go through approvals, but I’m rather impressed by their speed.”
…
There are limits to the technology, however. You can’t block everything. So China has invested heavily in an expanded cyber police force that scours the Web looking for new sites to block, monitoring bulletin boards and identifying “undesirables.” Online rumor puts China’s cyber police at 30,000.
“That’s just a number,” said Michael Iannini, Beijing-based general manager with Nicholas International Consulting Services. “The point is they have a lot of people doing what they do to make sure you can’t do it.”
The EURion Constellation on banknotes
Markus Kuhn: Photoshop CS Adds Banknote Image Detection, Blocking?:
These little yellow, green or orange 1 mm large circles have been on European banknotes for many years. I found them on German marks, British pounds and the euro notes. In the US, they showed up only very recently on the new $20 bill. On some notes like the euro, the circles are blatantly obvious, whereas on others the artists carefully integrated them into their design. On the 20 pound note, they appear as “notes” in an unlikely short music score; in the old German 50 mark note, they are neatly embedded into the background pattern; and in the new 20 dollar bill, they are used as the 0 of all the yellow 20 numbers printed across the note. The constellation is probably detected by the fact that the squares of the distances between the circles are integer multiples of the smallest one.
I have later been told that this scheme was invented by Omron and that the circle pattern also encodes the issuing bank.
[via Ed Felten: Freedom to Tinker: Photoshop and Currency]
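As an added illustration (not code from Kuhn’s page, Omron, or any real detector), here is the distance test Kuhn describes, run on a constructed set of circle centres; the coordinates are made up, not measured from a banknote. It also shows why such a test is attractive for a detector: ratios of squared distances survive scaling and rotation of the scanned image.

```python
"""Check a set of circle centres for the EURion-style distance property.

Added example, not from the original post: the property Kuhn describes is
that the squared distances between the circles are integer multiples of the
smallest squared distance. All coordinates below are constructed.
"""
import math
from itertools import combinations

# Constructed five-circle pattern (arbitrary units, NOT real EURion geometry).
CONSTELLATION = [(0, 0), (1, 0), (0, 2), (2, 1), (3, 3)]
# Constructed pattern that breaks the property (2.25 is not a multiple of 1).
NOT_EURION = [(0, 0), (1, 0), (0, 1.5), (2, 2.2)]


def squared_distances(points):
    """Squared Euclidean distance of every pair of points (no sqrt needed)."""
    return [(ax - bx) ** 2 + (ay - by) ** 2
            for (ax, ay), (bx, by) in combinations(points, 2)]


def distance_ratios(points):
    """Every pairwise squared distance divided by the smallest, rounded."""
    d2 = squared_distances(points)
    base = min(d2)
    return [round(d / base) for d in d2]


def has_integer_ratio_distances(points, tol=0.05):
    """True if each squared distance is an integer multiple of the smallest,
    within a relative tolerance `tol` to absorb scan and print noise."""
    d2 = squared_distances(points)
    if len(d2) < 2 or min(d2) <= 0:
        return False          # too few circles, or coincident centres
    base = min(d2)
    return all(abs(r - round(r)) <= tol * r for r in (d / base for d in d2))


def transform(points, scale, angle_deg):
    """Scale and rotate a point set, as a rescan at another DPI/angle would."""
    c, s = math.cos(math.radians(angle_deg)), math.sin(math.radians(angle_deg))
    return [(scale * (x * c - y * s), scale * (x * s + y * c)) for x, y in points]


if __name__ == "__main__":
    print("constructed pattern:", has_integer_ratio_distances(CONSTELLATION))
    print("rescaled + rotated :", has_integer_ratio_distances(
        transform(CONSTELLATION, 0.37, 30)))
    print("non-EURION set     :", has_integer_ratio_distances(NOT_EURION))
```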
Meanwhile, here is a bad trend. From Techdirt:
The other disturbing part about this revelation is that Adobe admits that they don’t even know how the blocking software works. They were given the code by the Central Bank Counterfeit Deterrence Group without details on how it works or what it really does. In other words, the software could do a lot more than blocking images of currency. I doubt it really does at this point – but the fact that they would simply dump in a software component that they don’t know what it’s really doing, and then not tell customers about it is a bit disturbing.
There are useful legal links (in eight languages) at http://www.rulesforuse.org, a site run by the European Central Bank.
Amazon’s 800 number
No other merchant online or offline has provided the ease and accuracy of ordering as Amazon does. Still, in my experience there are occasionally glitches that their email-bots can’t deal with, usually entailing a minor billing snafu. In these rare cases you need Amazon.com’s almost-secret real-person customer service telephone number. You won’t find it on their website. I once got it by calling 800 directory assistance. In any case, they make it hard to find because a call costs Amazon more, so you should jot down this number for those special moments when only a human will do: 800-201-7575.
“Ditto” from me. Thanks for the legwork.
Using Device Polling and More to Improve Packet Capture
Luca Deri, in Improving Passive Packet Capture: Beyond Device Polling (pdf), shows radical (and appalling) differences in packet capture performance among Windows, FreeBSD, and Linux machines, due to differences in device drivers. The paper recommends use of device polling, and the author also implemented a ring-buffer version of libpcap.
[via TaoSecurity]
Microsoft ships GPL’d software
sourcefrog via taint.org:
Their Computational Clustering Technical Preview Toolkit includes the PLAPACK Parallel Linear Algebra Package, which is released under the GPL.
Microsoft also ship some GPL’d GNU utilities in their Services for Unix package.