[ale] How to hack a bank

George Allen glallen01 at gmail.com
Wed Apr 28 18:20:03 EDT 2010


Glad to hear the discussion on LaTeX... I'm in the process of
converting my girlfriend over before she starts her grad thesis.

As far as document management/exchange and collaboration, there are so
many systems like CVS, SVN, hg, and git that can *really* do versioning
and merging that it's really sad to see MS Word email attachments and
SharePoint. No one in the MS world even has a clue what exists though.
I was just explaining CVS today to someone who manages cisco router
configs, and explaining that you can keep a TOTAL history of all
changes and be able to compare any of them. A lot more than the
current-last diff that SolarWinds gives you.

Also- since, unlike the rest of the universe, we (military) still on
occasion have to deal with low-bandwidth, high-latency, unreliable
links (HF radio, for instance), it's much better to send a 16k text
file than a 300k Word file.

Speaking of... Was reading about UUCP again lately... Anyone ever
heard of Wizzy digital courier? Probably should be a new thread
though.

-George

On 4/28/10, Michael Trausch <mike at trausch.us> wrote:
> On Wed, 2010-04-28 at 14:56 -0600, JK wrote:
>> On 4/28/2010 12:47 PM, Michael Trausch wrote:
>> > Yet another reason to use the one truly secure format for information
>> > interchange: plain text.
>> >
>> > Seriously, I don't understand why every non-trivial document format in
>> > existence has to present a wide attack surface that can be relatively
>> > easily used to enhance the vulnerability of any particular system or
>> > network.  Just once, I'd like to see something as widely adopted as PDF,
>> > but without the sort of nasty teeth that PDF, MS Word, ODT, etc., bring
>> > with them.
>>
>> Anything that needs an interpreter of any complexity is going to be
>> vulnerable, and arguably anything that does non-trivial document
>> formatting is in that category.  As a wise man (Knuth? Norvig? McCarthy?)
>> once said, "All data is code".
>
> The problem isn't so much the interpretation of the formats as it is
> adding things to them that enable scripting and the like.  I don't
> understand why we need to be able to have word processing documents that
> have BASIC, Python, Java, etc., programs embedded in them, or PDFs with
> JavaScript, or whatever.  It seems just insane to me.
>
> Spreadsheets, I can _almost_ be convinced that they should have a small
> domain-specific language that is designed to be easily sandboxed and
> contained in a small, easily auditable source tree without all the bells
> and whistles of Java or Python or whatever.  Maybe even constraining
> such things to a very limited subset of non-network aware,
> non-filesystem aware BASIC would be good.  That is, let it be a simple
> mathematical system without API entrypoints into the spreadsheet
> program, and let the spreadsheet do numbercrunching and nothing more.
> But that's just my 2¢.
>
>> We need to learn how to create truly reliable software.  I think
>> functional programming and automatic verification are going to be key,
>> but those technologies are barely on anyone's real-world radar these
>> days.
>
> Amen on the first point.  I don't know if functional programming is
> going to be the thing that does it or not, but I do think it'd be rather
> nifty to be able to have some sort of system that provides for a means
> of formally verifying that code does what it was designed to do and
> nothing more.  I don't foresee that being something that we'll see
> anytime soon, however.
>
> I think that the biggest problem is that when people spec things out
> they really don't think beyond what they've intended it for.  When
> people write code, they do much the same thing.  They don't consider
> what can potentially happen when the systems they are writing are
> abused.  They instead only think about what happens when they are used
> as intended.  And that's almost never where the vulnerabilities or the
> bugs lie, since that's the stuff that is exercised the most.
>
>> Anyway, speaking of Knuth, there's always TeX. Closest thing we've
>> got to a bug-free document formatting system.  So close that I don't
>> believe anyone's collected more than $327.68 in bug fees yet.  That
>> guy puts his money where his mouth is: http://en.wikipedia.org/wiki/TeX
>
> Indeed.  I personally use Xe(La)TeX when I need to format documents
> these days, because of the ability to use all of the nifty features of
> OpenType and use Unicode by way of UTF-8 directly, instead of having to
> type all sorts of extra stuff.  Alas, I don't yet have all the fonts in
> my personal collection that I want to be able to use when typesetting.
>
>> As for "widely adopted"... I actually got my girlfriend in grad
>> school -- an English major, believe it or not -- to start using LaTeX,
>> but I don't know if she stuck with it.  And I mostly use plain text
>> these days, unless my employer forces me to use Word.
>
> I actually started using LaTeX (and soon after found XeTeX and XeLaTeX)
> when I was doing lots of APA formatted papers.  I got utterly sick and
> tired of formatting APA style in OpenOffice.org, and verifying that my
> references all matched up with the citations in the text and all of
> that.  When I started using XeLaTeX and BibTeX, I had a lot more time to
> focus on the content, at least after I learned the basics of the system
> enough to not have to look things up every time I wanted to do something
> interesting.  :-)
>
> I was greatly surprised by just how much time I was able to save by
> using LaTeX and not worrying about formatting at all.  I really haven't
> been able to use a word processor again since, save for really trivial
> things that do not require any level of structure.  I think a lot better
> in terms of LaTeX.  If only they had a means of generating a word
> processor document that didn't require tons of fixing up from a LaTeX
> source document... *shrug*
>
> 	--- Mike
>
> --
> Even if their crude and anticompetitive business practices don't make
> you think about using their software, their use of sweatshops and child
> labor should:  boycott Microsoft like you would any other amoral child
> abuser:  http://is.gd/btW8m
>
>

-- 
Sent from my mobile device
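The "total history, compare any two revisions" point George makes about router configs can be shown on a few lines of sample data. The following is an added example, not code from the post or from CVS, git or SolarWinds: a minimal in-memory history store in Python that keeps every snapshot, diffs any two revision numbers, and chains the revisions with a hash so a later edit to an old snapshot is detectable. The device config text, authors and commit messages are constructed for illustration.

```python
"""Keep every revision of a device configuration and diff any two of them.

Added example, not code from the original post: a minimal in-memory stand-in
for what CVS, SVN, hg or git give you for free, so the 'total history, compare
any two revisions' point can be run on constructed sample data. The
router-style config text below is made up for illustration.
"""
import difflib
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Revision:
    number: int
    author: str
    message: str
    text: str
    parent: Optional[str]   # sha256 of the previous revision, None for the first
    sha256: str


def _digest(parent: Optional[str], text: str) -> str:
    # The hash covers the parent hash as well as the content, so editing,
    # dropping or reordering an old revision changes every hash after it.
    return hashlib.sha256(((parent or "") + "\n" + text).encode()).hexdigest()


@dataclass
class ConfigHistory:
    """Append-only history of one device's configuration."""
    revisions: List[Revision] = field(default_factory=list)

    def commit(self, text: str, author: str, message: str) -> Revision:
        parent = self.revisions[-1].sha256 if self.revisions else None
        rev = Revision(len(self.revisions) + 1, author, message, text,
                       parent, _digest(parent, text))
        self.revisions.append(rev)
        return rev

    def diff(self, a: int, b: int) -> str:
        """Unified diff between any two revision numbers, not just the last two."""
        ra, rb = self.revisions[a - 1], self.revisions[b - 1]
        return "".join(difflib.unified_diff(
            ra.text.splitlines(keepends=True),
            rb.text.splitlines(keepends=True),
            fromfile=f"r{a} ({ra.author}: {ra.message})",
            tofile=f"r{b} ({rb.author}: {rb.message})"))

    def added_lines(self, a: int, b: int) -> List[str]:
        """Config lines present in revision b that were not in revision a."""
        return [line[1:].rstrip("\n")
                for line in self.diff(a, b).splitlines(keepends=True)
                if line.startswith("+") and not line.startswith("+++")]

    def verify(self) -> bool:
        """Recompute the hash chain; False if any stored revision was altered."""
        parent = None
        for rev in self.revisions:
            if rev.parent != parent or rev.sha256 != _digest(parent, rev.text):
                return False
            parent = rev.sha256
        return True


# Constructed sample: three snapshots of one device, as a nightly
# config-backup job might capture them.
SNAPSHOTS = [
    ("alice", "initial config",
     "hostname edge-router\n!\nline vty 0 4\n transport input ssh\n!\n"),
    ("alice", "add domain name",
     "hostname edge-router\nip domain-name example.net\n!\n"
     "line vty 0 4\n transport input ssh\n!\n"),
    ("bob", "allow telnet on vty",
     "hostname edge-router\nip domain-name example.net\n!\n"
     "line vty 0 4\n transport input telnet ssh\n!\n"),
]


def build_sample_history() -> ConfigHistory:
    history = ConfigHistory()
    for author, message, text in SNAPSHOTS:
        history.commit(text, author, message)
    return history


if __name__ == "__main__":
    h = build_sample_history()
    print(h.diff(1, 3))          # two days of drift in one view
    print(h.added_lines(2, 3))   # what a last-vs-current diff would show
    print("chain intact:", h.verify())
```

Running it shows the difference between "current vs. last" and "any two": diff(2, 3) only shows the vty transport change, while diff(1, 3) also surfaces the domain-name addition from the day before. The hash chain is the part a real tool gives you via commit IDs; it is what lets you trust that the history you are diffing is the history that was recorded.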


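Mike's sketch of a spreadsheet language that is "a simple mathematical system without API entrypoints" can be made concrete. The following added example (not from the thread or from any spreadsheet product) contrasts Python's eval(), which hands a formula the whole interpreter, with an allowlist interpreter over the parsed syntax tree that accepts only numeric literals, arithmetic, cell references and three pure functions. The cell naming rule, the SUM/MIN/MAX functions and the size limits are assumptions about what such a language would need; the cell values are constructed.

```python
"""A deliberately tiny, sandboxed spreadsheet formula language.

Added example, not code from the original post: Python's eval() beside an
allowlist interpreter that only knows numbers, arithmetic, cell references
and three pure functions. Cell names, limits and sample values are
assumptions made for this example.
"""
import ast
import operator
import re
from typing import Dict, Union

Number = Union[int, float]


class FormulaError(ValueError):
    """Raised for anything outside the allowed language."""


def unsafe_eval(formula: str, cells: Dict[str, Number]) -> object:
    """What not to do: a general-purpose interpreter with host access.
    Builtins, __import__, attribute access and file I/O are all reachable."""
    return eval(formula.lstrip("="), {}, dict(cells))


# Allowlist, not denylist: anything not named here is rejected.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv,
            ast.Pow: operator.pow}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_FUNCS = {"SUM": lambda *a: sum(a), "MIN": min, "MAX": max}  # pure, args only
_CELL = re.compile(r"^[A-Z]{1,2}[1-9][0-9]{0,3}$")           # e.g. A1, BZ1024
MAX_EXPONENT = 1000      # blunt guard against 9**9**9 style resource burn
MAX_FORMULA_LEN = 512
MAX_DEPTH = 50


def safe_eval(formula: str, cells: Dict[str, Number]) -> Number:
    """Evaluate a formula that may reference cells; raise FormulaError otherwise."""
    if len(formula) > MAX_FORMULA_LEN:
        raise FormulaError("formula too long")
    try:
        tree = ast.parse(formula.lstrip("="), mode="eval")
    except SyntaxError as exc:
        raise FormulaError(f"syntax: {exc.msg}") from None
    return _eval_node(tree.body, cells, 0)


def _eval_node(node: ast.AST, cells: Dict[str, Number], depth: int) -> Number:
    if depth > MAX_DEPTH:
        raise FormulaError("expression nested too deeply")
    if isinstance(node, ast.Constant):
        if type(node.value) in (int, float):   # no str, bytes, bool, None
            return node.value
        raise FormulaError("only numeric literals are allowed")
    if isinstance(node, ast.Name):
        if _CELL.match(node.id) and node.id in cells:
            return cells[node.id]
        raise FormulaError(f"unknown cell {node.id!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, cells, depth + 1)
        right = _eval_node(node.right, cells, depth + 1)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise FormulaError("exponent too large")
        try:
            return _BIN_OPS[type(node.op)](left, right)
        except ZeroDivisionError:
            raise FormulaError("division by zero") from None
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, cells, depth + 1))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and not node.keywords):
        args = [_eval_node(a, cells, depth + 1) for a in node.args]
        if not args:
            raise FormulaError(f"{node.func.id} needs at least one argument")
        return _FUNCS[node.func.id](*args)
    # Attribute access, subscripts, lambdas, comprehensions, strings, names
    # that are not cells, calls to anything else: all fall through to here.
    raise FormulaError(f"disallowed syntax: {type(node).__name__}")


def rejects(formula: str, cells: Dict[str, Number]) -> bool:
    """True if the sandboxed evaluator refuses the formula."""
    try:
        safe_eval(formula, cells)
    except FormulaError:
        return True
    return False


SAMPLE_CELLS = {"A1": 4, "B2": 2.5, "C3": 10}   # constructed sheet contents

if __name__ == "__main__":
    print(safe_eval("=A1*B2+3", SAMPLE_CELLS))            # 13.0
    print(safe_eval("=SUM(A1, B2, C3)", SAMPLE_CELLS))    # 16.5
    for bad in ("__import__('os').getcwd()", "open('/etc/passwd')", "2**10000"):
        print(bad, "->", "rejected" if rejects(bad, SAMPLE_CELLS) else "ACCEPTED")
```

The design point is the one Mike makes: the interpreter has no path to the filesystem, the network or the host language's object model because no syntax node that could reach them is ever evaluated. The whole language fits in one screen, which is what makes it auditable; the exponent and depth limits are there because "can only do arithmetic" still leaves room to burn CPU and memory, and a real implementation would also bound result size.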
