Archive for the ‘security’ Category.
18 November 2006, 6:24 PM
I realize that this would have been more timely before the election, but I’ve come across a very good demonstration of how Diebold voting machines can be compromised without leaving any evidence behind. Seeing this stuff makes it seem much more real than reading about it.
and one more reminder to not trust Wikipedia more than you’d trust a friend of an acquaintance: the entry on Jim Sensenbrenner has had its “controversy” section removed. There is now no mention that Sensenbrenner introduced the controversial PATRIOT and Real ID Acts, nor is there a mention of his travel budget, which is paid for by special interests (against congressional rules) and is the largest of any Congressperson. edit: upon closer reading, these things are sprinkled in among the other sections in the page, but are not as easily accessible as they had been. So remember: don’t trust Wikipedia to be either correct or unbiased, any more than you’d trust anyone you’ve just met. Edit: and don’t trust the pages to keep the same format they have now.
1 November 2006, 10:07 PM
22 October 2006, 5:09 PM
I’m sure all the CS people reading this (and maybe even some of the non-CS types!) are familiar with buffer overflow attacks, and know how to both protect against them and exploit them in other people’s code, or at least have a vague idea about how to do it. However, fewer people have heard of format string attacks. Here’s a fairly detailed explanation, but I’ll summarize:
If, in your C or C++ code, you write printf(foo)
(where foo is typically a const char*
), it will just print foo to the screen. The one exception here is when foo contains the percent sign, in which case it prints corresponding things from the stack. If there are more %’s in the string than there are other things in the stack frame, it will begin printing out previous parts of foo itself. If foo was defined as input from a clever yet malicious user, they can craft strings that do nasty things to your program. Most importantly, they can read from (using %08x
) and even write to (using %n
) arbitrary locations in memory. Given that, they can pretty much do anything they want on your machine. Nifty!
The simple and obvious way to avoid this attack is to change all instances of printf(foo)
in your code to printf("%s", foo)
instead. The less obvious but much better solution is to not code in C or C++ ever again, and instead use a modern, high-level language like Python or Java (or if you’re Michael and worry about the speed of your program, use an actual low-level language like Assembly).
14 December 2005, 3:54 AM
The good news: the president of Diebold resigned after enough problems with the ethics of his company, his products, and his personal business dealings. I maintain that if people are hell-bent on electronic voting (and I personally am hell-bent against it), the system should be transparent and open-source so that anyone can both verify that it is correct and formulate improvements to the system.
The bad news: President Mahmoud Ahmadinejad of Iran claims that the Holocaust never happened. This is significantly less forgivable than claiming that Israel is a blot in the middle of the Arab world that should be wiped off it. It makes my blood boil to hear people say things like this. I might be able to understand the claims if the Holocaust had happened centuries ago, but some of the people who were in it are still alive today! Is President Ahmadinejad actually trying to claim that my grandfather did not get shipped to France to fight the Nazis? Is he claiming that 20 million Russians did not actually die in some fictional “World War,” and have merely been hiding in their basements lo these past sixty years? He certainly seems to be purporting that everything from Kristallnacht to Auschwitz is an elaborate hoax. Argh!
The ugly news: I have 3 tests to take, a 10-page paper to write, 4 assignments to grade (with 20-ish people turning in each one), 7-ish ACM problems to code up, and 3 more grad school apps that need to be finished this week. I wish I could say I’m almost home, but I’m not.