[ale] How to hack a bank

George Allen glallen01 at gmail.com
Wed Apr 28 22:53:58 EDT 2010


Hehe

Like the Neal Stephenson book 'Snow Crash'...

Embedded scripting language in the linguistic code of our brains makes
us susceptible to buffer overflows (red herrings) and cross-site
scripting (ideologies).


On 4/28/10, Pete Hardie <pete.hardie at gmail.com> wrote:
> Hell guys, even plain text isn't safe - look at how
> <cult-of-your-choice> gets people with just words.
>
>
> On Wed, Apr 28, 2010 at 18:20, George Allen <glallen01 at gmail.com> wrote:
>> Glad to hear the discussion on LaTeX... I'm in the process of
>> converting my girlfriend over before she starts her grad thesis.
>>
>> As far as document management/exchange and collaboration, there are so
>> many systems like CVS, SVN, hg, and git that can *really* do versioning
>> and merging, that it's really sad to see MS Word email attachments and
>> SharePoint. No one in the MS world even has a clue what exists though.
>> I was just explaining CVS today to someone who manages cisco router
>> configs, and explaining that you can keep a TOTAL history of all
>> changes and be able to compare any of them. A lot more than the
>> current-last diff that SolarWinds gives you.
>>
>> Also, since, unlike the rest of the universe, we (military) still on
>> occasion have to deal with low-bandwidth, high-latency, unreliable
>> links (HF radio, for instance), it's much better to send a 16k txt
>> than a 300k Word doc.
>>
>> Speaking of... Was reading about UUCP again lately... Anyone ever
>> heard of Wizzy digital courier? Probably should be a new thread
>> though.
>>
>> -George
>>
>> On 4/28/10, Michael Trausch <mike at trausch.us> wrote:
>>> On Wed, 2010-04-28 at 14:56 -0600, JK wrote:
>>>> On 4/28/2010 12:47 PM, Michael Trausch wrote:
>>>> > Yet another reason to use the one truly secure format for information
>>>> > interchange: plain text.
>>>> >
>>>> > Seriously, I don't understand why every non-trivial document format in
>>>> > existence has to present a wide attack surface that can be relatively
>>>> > easily used to enhance the vulnerability of any particular system or
>>>> > network.  Just once, I'd like to see something as widely adopted as
>>>> > PDF, but without the sort of nasty teeth that PDF, MS Word, ODT, etc.,
>>>> > bring with them.
>>>>
>>>> Anything that needs an interpreter of any complexity is going to be
>>>> vulnerable, and arguably anything that does non-trivial document
>>>> formatting is in that category.  As a wise man (Knuth? Norvig?
>>>> McCarthy?) once said, "All data is code".
>>>
>>> The problem isn't so much the interpretation of the formats as it is
>>> adding things to them that enable scripting and the like.  I don't
>>> understand why we need to be able to have word processing documents that
>>> have BASIC, Python, Java, etc., programs embedded in them, or PDFs with
>>> JavaScript, or whatever.  It seems just insane to me.
>>>
>>> Spreadsheets, I can _almost_ be convinced that they should have a small
>>> domain-specific language that is designed to be easily sandboxed and
>>> contained in a small, easily auditable source tree without all the bells
>>> and whistles of Java or Python or whatever.  Maybe even constraining
>>> such things to a very limited subset of non-network aware,
>>> non-filesystem aware BASIC would be good.  That is, let it be a simple
>>> mathematical system without API entrypoints into the spreadsheet
>>> program, and let the spreadsheet do numbercrunching and nothing more.
>>> But that's just my 2¢.
>>>
>>>> We need to learn how to create truly reliable software.  I think
>>>> functional programming and automatic verification are going to be key,
>>>> but those technologies are barely on anyone's real-world radar these
>>>> days.
>>>
>>> Amen on the first point.  I don't know if functional programming is
>>> going to be the thing that does it or not, but I do think it'd be rather
>>> nifty to be able to have some sort of system that provides for a means
>>> of formally verifying that code does what it was designed to do and
>>> nothing more.  I don't foresee that being something that we'll see
>>> anytime soon, however.
>>>
>>> I think that the biggest problem is that when people spec things out
>>> they really don't think beyond what they've intended it for.  When
>>> people write code, they do much the same thing.  They don't consider
>>> what can potentially happen when the systems they are writing are
>>> abused.  They instead only think about what happens when they are used
>>> as intended.  And that's almost never where the vulnerabilities or the
>>> bugs lie, since that's the stuff that is exercised the most.
>>>
>>>> Anyway, speaking of Knuth, there's always TeX. Closest thing we've
>>>> got to a bug-free document formatting system.  So close that I don't
>>>> believe anyone's collected more than $327.68 in bug fees yet.  That
>>>> guy puts his money where his mouth is: http://en.wikipedia.org/wiki/TeX
>>>
>>> Indeed.  I personally use Xe(La)TeX when I need to format documents
>>> these days, because of the ability to use all of the nifty features of
>>> OpenType and use Unicode by way of UTF-8 directly, instead of having to
>>> type all sorts of extra stuff.  Alas, I don't yet have all the fonts in
>>> my personal collection that I want to be able to use when typesetting.
>>>
>>>> As for "widely adopted"... I actually got my girlfriend in grad
>>>> school -- an English major, believe it or not -- to start using LaTeX,
>>>> but I don't know if she stuck with it.  And I mostly use plain text
>>>> these days, unless my employer forces me to use Word.
>>>
>>> I actually started using LaTeX (and soon after found XeTeX and XeLaTeX)
>>> when I was doing lots of APA formatted papers.  I got utterly sick and
>>> tired of formatting APA style in OpenOffice.org, and verifying that my
>>> references all matched up with the citations in the text and all of
>>> that.  When I started using XeLaTeX and BibTeX, I had a lot more time to
>>> focus on the content, at least after I learned the basics of the system
>>> enough to not have to look things up every time I wanted to do something
>>> interesting.  :-)
>>>
>>> I was greatly surprised by just how much time I was able to save by
>>> using LaTeX and not worrying about formatting at all.  I really haven't
>>> been able to use a word processor again since, save for really trivial
>>> things that do not require any level of structure.  I think a lot better
>>> in terms of LaTeX.  If only they had a means of generating a word
>>> processor document that didn't require tons of fixing up from a LaTeX
>>> source document... *shrug*
>>>
>>>       --- Mike
>>>
>>> --
>>> Even if their crude and anticompetitive business practices don't make
>>> you think about using their software, their use of sweatshops and child
>>> labor should:  boycott Microsoft like you would any other amoral child
>>> abuser:  http://is.gd/btW8m
>>>
>>>
>>
>> --
>> Sent from my mobile device
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
> --
> Pete Hardie
> --------
> Better Living Through Bitmaps
>

-- 
Sent from my mobile device