Blunder Dome Sighting

Professor von Clueless in the Blunder Dome


Thursday, May 19, 2005

Sorting the Mail: Agile Databases, Vulnerable Applications, and Optimized Code

ACM News Service: Quick Picks.  I don’t have time to dig into these deeper, but I don’t want to lose them, either:

  • “Join the Evolution” — Scott Ambler’s invitation to “Agile Database Techniques.” I’m interested in the modeling, refactoring, and coupling issues.  I’m also curious how much business entities are able to adhere to the problem space rather than be solution-space artifacts.
  • “Developers’ Growing Challenge” — Peter Coffee’s eWeek article on the problems of vulnerabilities in line-of-business applications, how developers are ill-equipped to deal with them, and how tools will soon make it harder.  Now there’s a challenge for simplifying rather than covering over fragile complexity.
  • “Researchers Speed, Optimize Code With New Open Source Tools” — This is about optimization of computer codes for certain large-scale computations.  It would be interesting to see how generic this is and what its domain of application could turn out to be.  (This goes deep in my files, but filed it is.)

 
Comments: Post a Comment

Tuesday, May 17, 2005

SSH and Known_Hosts Vulnerabilities Threaten Grid

ACM News Service: Researchers Reveal Holes in Grid.  SSH is not new technology, and apparently that is no assurance of confirmed security.  MIT CSAIL researcher Will Stockwell refers to a critical and widespread SSH flaw along with visibility of known_hosts files (demonstrated by probing 92 systems to obtain 8,000 unique addresses) that is enough to permit attack by a simple worm that disrupts a grid or supercomputer system.  Compromised versions of SSH have already been exploited in attacking TeraGrid and National Supercomputing Center machines.
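The known_hosts exposure described above is exactly what OpenSSH’s hashed known_hosts format is meant to limit (the `HashKnownHosts yes` client option, or `ssh-keygen -H` on an existing file): each host name is replaced by `|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))`, so whoever reads the file can only confirm a name they already hold, not harvest a list of hosts to spread to. The Python below is an added example, not code from the blog post or from OpenSSH; it audits a known_hosts file for plaintext names and rewrites it in the hashed form. The file contents in `SAMPLE_KNOWN_HOSTS` are constructed, and the function names are my own.

```python
"""Audit an OpenSSH known_hosts file for plaintext (harvestable) host names
and rewrite it in OpenSSH's hashed form.  Added example, not from the post.

Assumed format of a hashed host field (as written by `ssh-keygen -H`):
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
with a 20-byte random salt.  A hashed field holds exactly one name.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from typing import Optional

HASH_MAGIC = "|1|"
SALT_LEN = 20  # HMAC-SHA1 digest size; OpenSSH salts are this long

# Constructed sample (not real hosts or keys).  Read in plain text, it hands
# an attacker three addresses plus a domain pattern on the CA line.
SAMPLE_KNOWN_HOSTS = """\
# cluster login nodes
node01.example.org,10.0.0.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0nstructedKey1
node02.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey2
@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedCAKey
"""


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_hostname(host: str, salt: Optional[bytes] = None) -> str:
    """Return the hashed host field for `host` (fresh random salt unless given)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
    return HASH_MAGIC + _b64(salt) + "|" + _b64(digest)


def hashed_field_matches(field: str, host: str) -> bool:
    """True if a hashed field was made from `host`: the check ssh itself performs."""
    if not field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        digest = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(expected, digest)


def parse_entry(line: str):
    """Return (marker, host_field, rest) for an entry line, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 1)
    marker = ""
    if parts[0].startswith("@") and len(parts) == 2:  # @cert-authority, @revoked
        marker, parts = parts[0], parts[1].split(None, 1)
    if len(parts) != 2:
        return None  # malformed line: no key after the host field
    return marker, parts[0], parts[1]


def is_pattern(name: str) -> bool:
    """Wildcard or negated names cannot be hashed and stay readable."""
    return name.startswith("!") or "*" in name or "?" in name


def find_plaintext_hosts(text: str) -> list[str]:
    """Names, addresses and patterns a reader of the file can harvest."""
    found: list[str] = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry[1].startswith(HASH_MAGIC):
            continue
        found.extend(entry[1].split(","))
    return found


def hash_known_hosts(text: str, salt: Optional[bytes] = None) -> str:
    """Rewrite `text` with every hashable name in hashed form.

    A comma-separated field becomes one line per name, because a hashed
    field can hold only one name.  Patterns are left as-is; report them
    with find_plaintext_hosts() so they can be reviewed by hand.
    """
    out = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry[1].startswith(HASH_MAGIC):
            out.append(line)  # comment, blank, malformed, or already hashed
            continue
        marker, host_field, rest = entry
        prefix = marker + " " if marker else ""
        for name in host_field.split(","):
            field = name if is_pattern(name) else hash_hostname(name, salt)
            out.append(f"{prefix}{field} {rest}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("harvestable before:", find_plaintext_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("harvestable after:", find_plaintext_hosts(hashed))
```

Note that hashing does not stop a process that already knows a target name from confirming it (that is what the client does on every connection), and wildcard patterns such as the CA line above remain readable; the script leaves those alone and lists them so they can be reviewed rather than silently mangled.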

Well, it just keeps getting better, doesn’t it.  This blurb had me looking around for a handy Bruce Schneier quote in my blog clippings, but I didn’t have to go that far.

The Paul Roberts 2005-05-13 eWeek article has this great quote from Schneier on the holes in SSH and the prospects for a cascade attack:

“Nobody realized they were there. Security involves someone saying, 'You can do this,'” said Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., of Cupertino, Calif., and a widely respected cryptographer.

This strikes me as an ugly consequence of Dijkstra’s assurance that it is only possible to demonstrate flaws, not the absence of flaws [my paraphrasing].  Although Dijkstra had great hopes for provably-correct programs, we know that the gap between theory and practice is immense in this case. It takes a different kind of mind to seek weaknesses rather than completed work, and how do we keep that sort of skill from wandering over to the dark side where the juice seems to be?

This and other discussions were held at the International Workshop on Cluster Security held as part of IEEE CCGrid in Cardiff, Wales, earlier in May.


template created 2004-06-17-20:01 -0700 (pdt) by orcmid