[ale] How to hack a bank

Pete Hardie pete.hardie at gmail.com
Wed Apr 28 22:14:17 EDT 2010


Hell guys, even plain text isn't safe - look at how
<cult-of-your-choice> gets people with just words.


On Wed, Apr 28, 2010 at 18:20, George Allen <glallen01 at gmail.com> wrote:
> Glad to hear the discussion on LaTeX... I'm in the process of
> converting my girlfriend over before she starts her grad thesis.
>
> As far as document management/exchange and collaboration, there are so
> many systems like CVS,SVN,hg,and git that can *really* do versioning
> and merging, that it's really sad to see ms word email attachments and
> sharepoint. No one in the MS world even has a clue what exists though.
> I was just explaining CVS today to someone who manages cisco router
> configs, and explaining that you can keep a TOTAL history of all
> changes and be able to compare any of them. A lot more than the
> current-last diff that SolarWinds gives you.
>
> Also- since, unlike the rest of the universe we (military) still on
> occasion have to deal with low bandwidth, high latency, unreliable
> links... (HF radio for instance) It's much better to send a 16k-txt
> than 300k-word.
>
> Speaking of... Was reading about UUCP again lately... Anyone ever
> heard of Wizzy digital courier? Probably should be a new thread
> though.
>
> -George
>
> On 4/28/10, Michael Trausch <mike at trausch.us> wrote:
>> On Wed, 2010-04-28 at 14:56 -0600, JK wrote:
>>> On 4/28/2010 12:47 PM, Michael Trausch wrote:
>>> > Yet another reason to use the one truly secure format for information
>>> > interchange: plain text.
>>> >
>>> > Seriously, I don't understand why every non-trivial document format in
>>> > existence has to present a wide attack surface that can be relatively
>>> > easily used to enhance the vulnerability of any particular system or
>>> > network.  Just once, I'd like to see something as widely adopted as PDF,
>>> > but without the sort of nasty teeth that PDF, MS Word, ODT, etc., bring
>>> > with them.
>>>
>>> Anything that needs an interpreter of any complexity is going to be
>>> vulnerable, and arguably anything that does non-trivial document
>>> formatting is in that category.  As a wise man (Knuth? Norvig? McCarthy?)
>>> once said, "All data is code".
>>
>> The problem isn't so much the interpretation of the formats as it is
>> adding things to them that enable scripting and the like.  I don't
>> understand why we need to be able to have word processing documents that
>> have BASIC, Python, Java, etc., programs embedded in them, or PDFs with
>> JavaScript, or whatever.  It seems just insane to me.
>>
>> Spreadsheets, I can _almost_ be convinced that they should have a small
>> domain-specific language that is designed to be easily sandboxed and
>> contained in a small, easily auditable source tree without all the bells
>> and whistles of Java or Python or whatever.  Maybe even constraining
>> such things to a very limited subset of non-network aware,
>> non-filesystem aware BASIC would be good.  That is, let it be a simple
>> mathematical system without API entrypoints into the spreadsheet
>> program, and let the spreadsheet do number crunching and nothing more.
>> But that's just my 2¢.
>>
>>> We need to learn how to create truly reliable software.  I think
>>> functional programming and automatic verification are going to be key,
>>> but those technologies are barely on anyone's real-world radar these
>>> days.
>>
>> Amen on the first point.  I don't know if functional programming is
>> going to be the thing that does it or not, but I do think it'd be rather
>> nifty to be able to have some sort of system that provides for a means
>> of formally verifying that code does what it was designed to do and
>> nothing more.  I don't foresee that being something that we'll see
>> anytime soon, however.
>>
>> I think that the biggest problem is that when people spec things out
>> they really don't think beyond what they've intended it for.  When
>> people write code, they do much the same thing.  They don't consider
>> what can potentially happen when the systems they are writing are
>> abused.  They instead only think about what happens when they are used
>> as intended.  And that's almost never where the vulnerabilities or the
>> bugs lie, since that's the stuff that is exercised the most.
>>
>>> Anyway, speaking of Knuth, there's always TeX. Closest thing we've
>>> got to a bug-free document formatting system.  So close that I don't
>>> believe anyone's collected more than $327.68 in bug fees yet.  That
>>> guy puts his money where his mouth is: http://en.wikipedia.org/wiki/TeX
>>
>> Indeed.  I personally use Xe(La)TeX when I need to format documents
>> these days, because of the ability to use all of the nifty features of
>> OpenType and use Unicode by way of UTF-8 directly, instead of having to
>> type all sorts of extra stuff.  Alas, I don't yet have all the fonts in
>> my personal collection that I want to be able to use when typesetting.
>>
>>> As for "widely adopted"... I actually got my girlfriend in grad
>>> school -- an English major, believe it or not -- to start using LaTeX,
>>> but I don't know if she stuck with it.  And I mostly use plain text
>>> these days, unless my employer forces me to use Word.
>>
>> I actually started using LaTeX (and soon after found XeTeX and XeLaTeX)
>> when I was doing lots of APA formatted papers.  I got utterly sick and
>> tired of formatting APA style in OpenOffice.org, and verifying that my
>> references all matched up with the citations in the text and all of
>> that.  When I started using XeLaTeX and BibTeX, I had a lot more time to
>> focus on the content, at least after I learned the basics of the system
>> enough to not have to look things up every time I wanted to do something
>> interesting.  :-)
>>
>> I was greatly surprised by just how much time I was able to save by
>> using LaTeX and not worrying about formatting at all.  I really haven't
>> been able to use a word processor again since, save for really trivial
>> things that do not require any level of structure.  I think a lot better
>> in terms of LaTeX.  If only they had a means of generating a word
>> processor document that didn't require tons of fixing up from a LaTeX
>> source document... *shrug*
>>
>>       --- Mike
>>
>> --
>> Even if their crude and anticompetitive business practices don't make
>> you think about using their software, their use of sweatshops and child
>> labor should:  boycott Microsoft like you would any other amoral child
>> abuser:  http://is.gd/btW8m
>>
>>
>
> --
> Sent from my mobile device
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
Pete Hardie
--------
Better Living Through Bitmaps
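Mike's suggestion above, that a spreadsheet formula language should be a plain mathematical system with no API entrypoints into the host program, can be made concrete. The following is an added example written for this page, not code from any list member or project: a formula evaluator that parses with Python's `ast` module and walks the tree with an allow-list, so cell references and arithmetic are the only things that exist. Calls, attribute access, strings, imports and anything else the parser can produce are rejected before evaluation, and the only "API" is a dictionary of cell values supplied by the caller. The cell names and values are constructed for the example.

```python
import ast
import operator

# The whole language: arithmetic on numbers and named cells. Nothing else.
BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
UNARY_OPS = {
    ast.USub: operator.neg,
    ast.UAdd: operator.pos,
}
# Even pure arithmetic needs a resource bound: 9**9**9**9 is a denial of service.
MAX_EXPONENT = 100


class FormulaError(ValueError):
    """Raised when a formula steps outside the arithmetic subset or cannot be evaluated."""


def evaluate_formula(formula, cells):
    """Evaluate a spreadsheet-style formula such as "A1 * 2 + B2".

    `cells` maps cell names (constructed here, e.g. "A1") to numbers and is the
    only namespace a formula can see. There is no eval(), no builtins, no host object.
    """
    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise FormulaError(f"invalid syntax: {exc.msg}") from None
    try:
        return _eval_node(tree.body, cells)
    except ZeroDivisionError:
        raise FormulaError("division by zero") from None


def _eval_node(node, cells):
    # Numeric literals only; strings and booleans are not part of the language.
    if isinstance(node, ast.Constant):
        value = node.value
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            return value
        raise FormulaError(f"disallowed literal: {value!r}")
    # A bare name is a cell reference, resolved solely against the caller's table.
    if isinstance(node, ast.Name):
        if node.id not in cells:
            raise FormulaError(f"unknown cell {node.id!r}")
        return cells[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
        left = _eval_node(node.left, cells)
        right = _eval_node(node.right, cells)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise FormulaError("exponent too large")
        return BINARY_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand, cells))
    # Calls, attribute access, subscripts, comprehensions, lambdas, etc. never get here
    # as values: the allow-list above is exhaustive, so everything else is refused.
    raise FormulaError(f"disallowed construct: {type(node).__name__}")


def formula_is_rejected(formula, cells=None):
    """Return True if the formula is refused by the allow-list (useful for audits/tests)."""
    try:
        evaluate_formula(formula, cells or {})
    except FormulaError:
        return True
    return False


if __name__ == "__main__":
    table = {"A1": 3, "B2": 4}  # constructed sample cells
    print(evaluate_formula("A1 * 2 + B2", table))
    for bad in ("open('/etc/passwd').read()", "A1.__class__", "'text'", "2 ** 10 ** 10"):
        print(repr(bad), "rejected:", formula_is_rejected(bad, table))
```

The design point is the allow-list: the evaluator names what it accepts and refuses every other node type, rather than trying to enumerate dangerous constructs. That is also why the host spreadsheet hands in a plain dictionary of values instead of an object with methods; the formula cannot reach anything the caller did not explicitly put in that table.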