[ale] How to hack a bank

Pete Hardie pete.hardie at gmail.com
Thu Apr 29 08:58:29 EDT 2010


On Wed, Apr 28, 2010 at 22:53, George Allen <glallen01 at gmail.com> wrote:
> Hehe
>
> Like the Neal Stephenson book 'Snow Crash'...
>
> Embedded scripting language in the linguistic code of our brains makes
> us susceptible to buffer overflows (red herrings) and cross-site
> scripting (ideologies).

Or offers of millions from Nigerian princes.....

>
>
> On 4/28/10, Pete Hardie <pete.hardie at gmail.com> wrote:
>> Hell, guys, even plain text isn't safe - look at how
>> <cult-of-your-choice> gets people with just words.
>>
>>
>> On Wed, Apr 28, 2010 at 18:20, George Allen <glallen01 at gmail.com> wrote:
>>> Glad to hear the discussion on LaTeX... I'm in the process of
>>> converting my girlfriend over before she starts her grad thesis.
>>>
>>> As far as document management/exchange and collaboration, there are so
>>> many systems like CVS, SVN, hg, and git that can *really* do versioning
>>> and merging, that it's really sad to see MS Word email attachments and
>>> SharePoint. No one in the MS world even has a clue what exists though.
>>> I was just explaining CVS today to someone who manages Cisco router
>>> configs, and explaining that you can keep a TOTAL history of all
>>> changes and be able to compare any of them. A lot more than the
>>> current-vs-last diff that SolarWinds gives you.
>>>
>>> Also - since, unlike the rest of the universe, we (military) still on
>>> occasion have to deal with low bandwidth, high latency, unreliable
>>> links... (HF radio for instance) it's much better to send a 16k .txt
>>> than a 300k .doc.
>>>
>>> Speaking of... Was reading about UUCP again lately... Anyone ever
>>> heard of Wizzy digital courier? Probably should be a new thread
>>> though.
>>>
>>> -George
>>>
>>> On 4/28/10, Michael Trausch <mike at trausch.us> wrote:
>>>> On Wed, 2010-04-28 at 14:56 -0600, JK wrote:
>>>>> On 4/28/2010 12:47 PM, Michael Trausch wrote:
>>>>> > Yet another reason to use the one truly secure format for information
>>>>> > interchange: plain text.
>>>>> >
>>>>> > Seriously, I don't understand why every non-trivial document format in
>>>>> > existence has to present a wide attack surface that can be relatively
>>>>> > easily used to enhance the vulnerability of any particular system or
>>>>> > network.  Just once, I'd like to see something as widely adopted as
>>>>> > PDF, but without the sort of nasty teeth that PDF, MS Word, ODT, etc.,
>>>>> > bring with them.
>>>>>
>>>>> Anything that needs an interpreter of any complexity is going to be
>>>>> vulnerable, and arguably anything that does non-trivial document
>>>>> formatting is in that category.  As a wise man (Knuth? Norvig?
>>>>> McCarthy?) once said, "All data is code".
>>>>
>>>> The problem isn't so much the interpretation of the formats as it is
>>>> adding things to them that enable scripting and the like.  I don't
>>>> understand why we need to be able to have word processing documents that
>>>> have BASIC, Python, Java, etc., programs embedded in them, or PDFs with
>>>> JavaScript, or whatever.  It seems just insane to me.
>>>>
>>>> Spreadsheets, I can _almost_ be convinced that they should have a small
>>>> domain-specific language that is designed to be easily sandboxed and
>>>> contained in a small, easily auditable source tree without all the bells
>>>> and whistles of Java or Python or whatever.  Maybe even constraining
>>>> such things to a very limited subset of non-network aware,
>>>> non-filesystem aware BASIC would be good.  That is, let it be a simple
>>>> mathematical system without API entrypoints into the spreadsheet
>>>> program, and let the spreadsheet do number crunching and nothing more.
>>>> But that's just my 2¢.
>>>>
>>>>> We need to learn how to create truly reliable software.  I think
>>>>> functional programming and automatic verification are going to be key,
>>>>> but those technologies are barely on anyone's real-world radar these
>>>>> days.
>>>>
>>>> Amen on the first point.  I don't know if functional programming is
>>>> going to be the thing that does it or not, but I do think it'd be rather
>>>> nifty to be able to have some sort of system that provides for a means
>>>> of formally verifying that code does what it was designed to do and
>>>> nothing more.  I don't foresee that being something that we'll see
>>>> anytime soon, however.
>>>>
>>>> I think that the biggest problem is that when people spec things out
>>>> they really don't think beyond what they've intended it for.  When
>>>> people write code, they do much the same thing.  They don't consider
>>>> what can potentially happen when the systems they are writing are
>>>> abused.  They instead only think about what happens when they are used
>>>> as intended.  And that's almost never where the vulnerabilities or the
>>>> bugs lie, since that's the stuff that is exercised the most.
>>>>
>>>>> Anyway, speaking of Knuth, there's always TeX. Closest thing we've
>>>>> got to a bug-free document formatting system.  So close that I don't
>>>>> believe anyone's collected more than $327.68 in bug fees yet.  That
>>>>> guy puts his money where his mouth is: http://en.wikipedia.org/wiki/TeX
>>>>
>>>> Indeed.  I personally use Xe(La)TeX when I need to format documents
>>>> these days, because of the ability to use all of the nifty features of
>>>> OpenType and use Unicode by way of UTF-8 directly, instead of having to
>>>> type all sorts of extra stuff.  Alas, I don't yet have all the fonts in
>>>> my personal collection that I want to be able to use when typesetting.
>>>>
>>>>> As for "widely adopted"... I actually got my girlfriend in grad
>>>>> school -- an English major, believe it or not -- to start using LaTeX,
>>>>> but I don't know if she stuck with it.  And I mostly use plain text
>>>>> these days, unless my employer forces me to use Word.
>>>>
>>>> I actually started using LaTeX (and soon after found XeTeX and XeLaTeX)
>>>> when I was doing lots of APA formatted papers.  I got utterly sick and
>>>> tired of formatting APA style in OpenOffice.org, and verifying that my
>>>> references all matched up with the citations in the text and all of
>>>> that.  When I started using XeLaTeX and BibTeX, I had a lot more time to
>>>> focus on the content, at least after I learned the basics of the system
>>>> enough to not have to look things up every time I wanted to do something
>>>> interesting.  :-)
>>>>
>>>> I was greatly surprised by just how much time I was able to save by
>>>> using LaTeX and not worrying about formatting at all.  I really haven't
>>>> been able to use a word processor again since, save for really trivial
>>>> things that do not require any level of structure.  I think a lot better
>>>> in terms of LaTeX.  If only they had a means of generating a word
>>>> processor document that didn't require tons of fixing up from a LaTeX
>>>> source document... *shrug*
>>>>
>>>>       --- Mike
>>>>
>>>> --
>>>> Even if their crude and anticompetitive business practices don't make
>>>> you think about using their software, their use of sweatshops and child
>>>> labor should:  boycott Microsoft like you would any other amoral child
>>>> abuser:  http://is.gd/btW8m
>>>>
>>>>
>>>
>>> --
>>> Sent from my mobile device
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>
>>
>>
>> --
>> Pete Hardie
>> --------
>> Better Living Through Bitmaps
>>
>>
>
> --
> Sent from my mobile device
>
>



-- 
Pete Hardie
--------
Better Living Through Bitmaps


