[ale] How to hack a bank

Michael Trausch mike at trausch.us
Wed Apr 28 17:18:46 EDT 2010


On Wed, 2010-04-28 at 14:56 -0600, JK wrote:
> On 4/28/2010 12:47 PM, Michael Trausch wrote:
> > Yet another reason to use the one truly secure format for information
> > interchange: plain text.
> >
> > Seriously, I don't understand why every non-trivial document format in
> > existence has to present a wide attack surface that can be relatively
> > easily used to enhance the vulnerability of any particular system or
> > network.  Just once, I'd like to see something as widely adopted as PDF,
> > but without the sort of nasty teeth that PDF, MS Word, ODT, etc., bring
> > with them.
> 
> Anything that needs an interpreter of any complexity is going to be
> vulnerable, and arguably anything that does non-trivial document
> formatting is in that category.  As a wise man (Knuth? Norvig? McCarthy?)
> once said, "All data is code".

The problem isn't so much the interpretation of the formats as it is
adding things to them that enable scripting and the like.  I don't
understand why we need to be able to have word processing documents that
have BASIC, Python, Java, etc., programs embedded in them, or PDFs with
JavaScript, or whatever.  It seems just insane to me.

Spreadsheets, I can _almost_ be convinced that they should have a small
domain-specific language that is designed to be easily sandboxed and
contained in a small, easily auditable source tree without all the bells
and whistles of Java or Python or whatever.  Maybe even constraining
such things to a very limited subset of non-network aware,
non-filesystem aware BASIC would be good.  That is, let it be a simple
mathematical system without API entrypoints into the spreadsheet
program, and let the spreadsheet do numbercrunching and nothing more.
But that's just my 2¢.

> We need to learn how to create truly reliable software.  I think
> functional programming and automatic verification are going to be key,
> but those technologies are barely on anyone's real-world radar these
> days.

Amen on the first point.  I don't know if functional programming is
going to be the thing that does it or not, but I do think it'd be rather
nifty to be able to have some sort of system that provides for a means
of formally verifying that code does what it was designed to do and
nothing more.  I don't foresee that being something that we'll see
anytime soon, however.

I think that the biggest problem is that when people spec things out
they really don't think beyond what they've intended it for.  When
people write code, they do much the same thing.  They don't consider
what can potentially happen when the systems they are writing are
abused.  They instead only think about what happens when they are used
as intended.  And that's almost never where the vulnerabilities or the
bugs lie, since that's the stuff that is exercised the most.

> Anyway, speaking of Knuth, there's always TeX. Closest thing we've
> got to a bug-free document formatting system.  So close that I don't
> believe anyone's collected more than $327.68 in bug fees yet.  That
> guy puts his money where his mouth is: http://en.wikipedia.org/wiki/TeX

Indeed.  I personally use Xe(La)TeX when I need to format documents
these days, because of the ability to use all of the nifty features of
OpenType and use Unicode by way of UTF-8 directly, instead of having to
type all sorts of extra stuff.  Alas, I don't yet have all the fonts in
my personal collection that I want to be able to use when typesetting.

> As for "widely adopted"... I actually got my girlfriend in grad
> school -- an English major, believe it or not -- to start using LaTeX,
> but I don't know if she stuck with it.  And I mostly use plain text
> these days, unless my employer forces me to use Word.

I actually started using LaTeX (and soon after found XeTeX and XeLaTeX)
when I was doing lots of APA formatted papers.  I got utterly sick and
tired of formatting APA style in OpenOffice.org, and verifying that my
references all matched up with the citations in the text and all of
that.  When I started using XeLaTeX and BibTeX, I had a lot more time to
focus on the content, at least after I learned the basics of the system
enough to not have to look things up every time I wanted to do something
interesting.  :-)

I was greatly surprised by just how much time I was able to save by
using LaTeX and not worrying about formatting at all.  I really haven't
been able to use a word processor again since, save for really trivial
things that do not require any level of structure.  I think a lot better
in terms of LaTeX.  If only they had a means of generating a word
processor document that didn't require tons of fixing up form a LaTeX
source document... *shrug*

	--- Mike 

-- 
Even if their crude and anticompetitive business practices don't make
you think about using their software, their use of sweatshops and child
labor should:  boycott Microsoft like you would any other amoral child
abuser:  http://is.gd/btW8m

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20100428/0e82464b/attachment-0001.bin 


More information about the Ale mailing list