Re: Good resource for beginning programmers

  • From: "Littlefield, Tyler" <tyler@xxxxxxxxxxxxx>
  • To: programmingblind@xxxxxxxxxxxxx
  • Date: Thu, 18 Nov 2010 13:49:18 -0700

Awesome, that would be cool. I know about the average securityfocus and things, but I'd really like to start keeping up with the security section of things, as well as looking at theory, the new attacks published, etc. to gain a better understanding of it. So, any resources or whatever anyone can offer would be awesome. I used to listen to the Security Now podcast, but the guy could turn his hour and a half podcasts into 30 minutes minus the hums and ha's. :)

On 11/18/2010 1:46 PM, Sina Bahram wrote:
Sure, I can send you some papers, including one of the ones I published in that space.

I'll send those to you offline. I warn you that it requires a good understanding of operating systems, because the authors only get 10 pages, double column, 9 point font, and they don't waste time explaining what a page fault handler does, but know that anything you don't understand, you can simply ask about or look up in Wikipedia.

Now, you did mention one thing that I'd like to touch on. You mentioned damaging the hard drive. Damaging it without root privilege might be a bit tricky, although possible of course, but damaging the data on it could be very likely ... You write 0's to the wrong places using a raw enough addressing mode, and you can corrupt file systems and do all sorts of nasty stuff.

So be careful with disk IO, as corrupting data is doable if you're not careful.

As far as being scared of c++, I would say that I'm scared of a hammer when some crazy person is aiming it at my head; otherwise, I use it to construct things made out of wood and nails, so a tool is a tool is a tool, is the moral of that particular metaphor.

Take care,
Sina

-----Original Message-----
From: programmingblind-bounce@xxxxxxxxxxxxx 
[mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of Littlefield, Tyler
Sent: Thursday, November 18, 2010 3:34 PM
To: programmingblind@xxxxxxxxxxxxx
Subject: Re: Good resource for beginning programmers

Awesome. Well, the point was to keep the OP from getting scared away from c++ in the thought that as Alex posted, you could ruin your hard drive, bla bla. On another note, I am kind of curious about some of these attacks you talked about. Is there a good place to learn about them? I can understand the page fault handler; I'd assume you'd just do whatever you want then call the one before or whatever, but I'd like to learn a lot more of the theory behind the attacks, try the code on a box that I can afford to crash a time or 10, etc.

On 11/18/2010 1:31 PM, Sina Bahram wrote:
Oh for sure.

Otherwise, all you're going to do is simply crash your own program.
It's hard to even get an old-fashioned blue screen anymore, much less accidentally corrupt someone else's address space.

Take care,
Sina

-----Original Message-----
From: programmingblind-bounce@xxxxxxxxxxxxx
[mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of
Littlefield, Tyler
Sent: Thursday, November 18, 2010 3:28 PM
To: programmingblind@xxxxxxxxxxxxx
Subject: Re: Good resource for beginning programmers

Hahaha. That sounds fun. I guess the point I'm trying to make: you have to intentionally try to get to this point. You can do these lovely things, but in order to get there, you have to knowingly escalate privileges, inject code, whatever.

On 11/18/2010 1:24 PM, Sina Bahram wrote:
Nope, none of them require APIs.

You can do some really weird things with privilege escalation, and then it's all over. Jump to lib attacks, return oriented programming, jump oriented programming, basic stack smashing, basic heap overflows, dll injection, ring -1, -2, and -3 level attacks depending on virtualization technologies being used, page table corruption attacks, chain of trust invalidation, etc, etc, etc.

That's only the latest stuff. You'd be amazed how many attacks from pre 2005 still work. For example, you overwrite the interrupt descriptor table, grab some debug registers, point one of them at your page fault exception handler, and it's over ... There is no way to detect that sucker, no matter how good your antivirus is.

Take care,
Sina

-----Original Message-----
From: programmingblind-bounce@xxxxxxxxxxxxx
[mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of
Littlefield, Tyler
Sent: Thursday, November 18, 2010 3:18 PM
To: programmingblind@xxxxxxxxxxxxx
Subject: Re: Good resource for beginning programmers

Well, you need to go through an API usually, no? It's not going to happen with a dangling pointer in a normal app.

On 11/18/2010 1:16 PM, Sina Bahram wrote:
Not hard at all, just minorly annoying.

Take care,
Sina

-----Original Message-----
From: programmingblind-bounce@xxxxxxxxxxxxx
[mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of
Littlefield, Tyler
Sent: Thursday, November 18, 2010 3:04 PM
To: programmingblind@xxxxxxxxxxxxx
Subject: Re: Good resource for beginning programmers

That's what I was getting at; the whole virtual addressing and stuff. He was making it sound as if:
int i[10];
i[10]=300;
was going to make things go boom. :) I just didn't want the OP to be scared off. Windows and *nix both have virtual addressing, so accessing bob's process from joe's process is fairly hard.

On 11/18/2010 12:57 PM, qubit wrote:
Hi Ty -- I am not sure about windows so take this with a grain of salt, but it is true that an OS does have some protections, such as preventing writing to someone else's virtual memory, to guard against malware. However a truly pathological C++ program can use pointers to do some interesting things with stack frames that will cause a lot of very strange behavior.
But no, it won't go outside the process's virtual space, fortunately. And perhaps it varies with the OS.
Keep in mind though that a debugger is just a program, and needs to have the ability to control a process and therefore needs to be able to write to addresses that are otherwise protected.
I particularly enjoyed debugger development when I was working in language support. It is fascinating to me to see how a process is implemented.
--le

----- Original Message -----
From: "Littlefield, Tyler" <tyler@xxxxxxxxxxxxx>
To: <programmingblind@xxxxxxxxxxxxx>
Sent: Wednesday, November 17, 2010 7:32 PM
Subject: Re: Good resource for beginning programmers


You're making c++ sound way way too dangerous. If you mess up with a pointer, unless you're programming at a way way low level and directly accessing the hard drive, you're not going to trash anything. You have access to memory, but like I said before when you went off on this "c++ can blow up the world," thing, the OS protects programmers from themselves. Or sort of, anyway.

On 11/17/2010 6:20 PM, Alex Midence wrote:
Good lord, no! php might be written in c++ but, I promise you that you can not do the same things. Php won't have stuff like template metaprogramming, generic programming nor will it compile right down to binary like c++. If you write stuff in c++, it runs lightning fast. I don't know the syntax to php but, I'm pretty sure it's too different from c++ to be considered a dialect. Python is definitely nothing like c in its syntax. And, you could never program a driver in Python. It would take forever if it runs at all. They are not dialects of the languages they are written in. I wish someone who was a bona fide computer scientist could jump in and explain this in terms more fitting. Scripting languages are used primarily for tweaking. Look at the Jaws scripting language, for instance. Languages like Python and lua are used to customize applications written in stuff like c++ so that they don't have to rewrite the whole app and recompile it just for a few modifications. It's hard to explain. Honestly, you will just have to do some research until you find something that explains it to you in a way that will make sense to you.

Yes, the lines between some scripting languages and programming languages are becoming blurred but the great yawning chasm that will never be crossed is still the interpreted versus compiled chasm. You might technically be able to write an application from the ground up in pure Python but, I promise you that if that thing goes toe to toe with another version of the same application written in c++, it will lose every time. By the time the Python app is done printing out its welcome message, the c++ app has done what was asked of it and closed. This is because there are too many layers between the app and the binary code for it. It's first got to go through the interpreter which then puts it into binary. The app written in c++ runs right on the system itself. You have to go to something like c or asm to get lower level. The instructions to the computer don't have to be translated before execution. The day when what you mention with regard to making something like c++ available to the nonprogrammer is way way far off in the future if it will ever come. I frankly hope it doesn't. The thought of some nonprogrammers I know with access to that kind of computing power is frightening. I mean, you can tell the computer exactly what to do right down to what goes where in each individual piece of memory. There are no shortcuts in that language. And, there shouldn't be. It gives you so many chances to shoot yourself in the foot that if you aren't down in the inner workings of it, as it were, under the proverbial hood, you won't be able to control what it does. You could realistically totally trash a hard drive if you screw up just right with pointers and if you do something like overflowing an array of 10 items with say 100 or something like that. I hear you can do some serious damage with stuff like that. Can't see that kind of damage being caused by php or python.

Alex M

On 11/17/10, Client Services <operations@xxxxxxxxxxxxxxx> wrote:
Hi-
Thank you for that explanation.
Seems like the line between programming and scripting languages is getting blurred.
Are scripting languages becoming as powerful as a programming language? Or do they just bring the best out of the programming language they are written in.
If PHP and Python are written in C and C++, then why can't they make PHP and Python to be more like a CMS and useable by non-programmers?
In summary, if I have this correct, a scripting language is actually written in a programming language and is just a way of accessing and using the given programming language.
When I use PHP and Python, I am actually using C and C++, just in a unique dialect? That is assuming Python and PHP are written in C or C++.
So somehow, PHP and Python were supposed to make C or whatever programming language easier to use?
Is this accurate?
Sorry for the dumb questions.

H.R. Soltani

-----Original Message-----
From: programmingblind-bounce@xxxxxxxxxxxxx
[mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of
Christopher
Sent: Wednesday, November 17, 2010 6:24 PM
To: programmingblind@xxxxxxxxxxxxx
Subject: Re: Good resource for beginning programmers

This is one of my pet peeves.

A programming language is a language that is, in the majority of the cases, compiled to native machine code -and- used for application development (i.e. C, C++, D). A scripting language is a language that is, in the majority of the cases, interpreted -and- used to control applications, and sometimes application development in general (i.e. Python, PHP, Ruby, AutoIT, etc.). Java was not a true programming language until recently when it decided to compile its bytecode on-the-fly. C# has always been a programming language because it has always compiled its MSIL on-the-fly. PHP and Python are both written in C and are both interpreted. (PHP might be written in C++.)

I refuse to call a non-compiled language a programming language,
regardless of the language.

So, here is a simple test to see what is a programming language
and what is a scripting language.

1. Can you write a full application in the language? If yes, then is the language compiled? If yes, then it is a programming language.
2. Can you write a full application in the language? If yes, then is the language compiled? If no, then it is a scripting language.
3. Can you write a full application in the language? If no, then it is a scripting language.


On 11/17/2010 2:24 PM, Alex Midence wrote:
I am not at a stage in my learning where I can do well at
explaining this so, I have provided some links for you to explore:

Scripting language
http://en.wikipedia.org/wiki/Scripting_language

Programming language:

http://en.wikipedia.org/wiki/Programming_language

Be warned:  This will create more questions for you.  Have fun!!!

Alex M




On 11/17/10, Client Services <operations@xxxxxxxxxxxxxxx> wrote:
Hi-
What is the difference between a scripting language and a programming language?
So if PHP and Python are scripting languages, what programming language are they written in?
And why are they called scripting languages?

H.R. Soltani


-----Original Message-----
From: programmingblind-bounce@xxxxxxxxxxxxx
[mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of
Alex Midence
Sent: Wednesday, November 17, 2010 3:52 PM
To: programmingblind@xxxxxxxxxxxxx
Subject: Re: Good resource for beginning programmers

You've got scripting languages and programming languages there. Javascript is client side scripting. Websites run scripts on the visitor's machine to dynamically change themselves according to stimuli. Php is a scripting language that does dynamic webpage changing among other things from the server side. It is used in conjunction with database solutions like MySQL and the like. Java and C are both programming languages. Java is a high level object-oriented language that runs on a virtual machine. It is used to create applets and web apps for all sorts of functions. Java is also used to create desktop applications like, for instance, Eclipse, Open Office, and things of that nature. C is a low-level procedural programming language that is used for desktop applications and low-level programming such as drivers, utilities and the like. Certain platforms are also written in C like, for instance, Windows is in C. I believe Gnome was also written in C. I went into this detail because your post indicated that you thought these were all web development languages and they are not. Python is a scripting language that can do a lot of the same things programming languages can do and has a reputation for being easy to learn and fostering rapid development. An application that php could not create, IMHO, is a screen reader. Python was used to create two of them.

Hope that helps,
Alex M


On 11/17/10, Client Services <operations@xxxxxxxxxxxxxxx> wrote:
Hi everybody-
I am trying to decide where to start as far as learning programming.
I decided I would focus on 1. PHP, 2. JavaScript, 3. Java, 4. C. I figured these are being used the most in web development and custom applications. So, where does Python come in? How would you compare Python with Java, PHP, and C??
Can anybody give me an example of what cannot be developed in PHP which can be developed in Python?
Or how about Java vs Python if PHP is too lowly? I have just heard PHP has limitations.



H.R. Soltani
__________
View the list's information and change your settings at
//www.freelists.org/list/programmingblind

--

Thanks,
Ty
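
The point argued in the quoted thread, that a stray write stays inside the writing process's own virtual address space and at worst crashes that one program, can be observed on a POSIX system. The following is an added example, not code from any poster; the function names are invented for the illustration, and a page mapped with no access rights stands in for "the wrong address".

```c
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on glibc */
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile int value = 10;   /* same virtual address in parent and child */

/* Run fn in a forked child; return its wait status, or -1 on error. */
static int run_in_child(int (*fn)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(fn());
    int status = 0;
    return waitpid(pid, &status, 0) == pid ? status : -1;
}

static int overwrite_value(void) {
    value = 300;                   /* lands in the child's private copy of the page */
    return value == 300 ? 0 : 1;
}

static int write_to_protected_page(void) {
    /* Constructed stand-in for a wild pointer: a page with no access rights. */
    volatile int *p = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    p[0] = 300;                    /* the MMU faults; the kernel delivers SIGSEGV */
    return 0;                      /* reached only if the write was allowed */
}

/* What the parent still sees after the child wrote 300 to the same address. */
int parent_value_after_child_write(void) {
    value = 10;
    int status = run_in_child(overwrite_value);
    if (status == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return value;
}

/* 1 if the bad write ended only the child (signal or abnormal exit), else 0. */
int bad_write_kills_only_child(void) {
    int status = run_in_child(write_to_protected_page);
    if (status == -1) return 0;
    return WIFSIGNALED(status) || (WIFEXITED(status) && WEXITSTATUS(status) != 0);
}

int main(void) {
    return !(parent_value_after_child_write() == 10 && bad_write_kills_only_child());
}
```

The program exits with status 0 when both observations hold: the parent's copy is unchanged, and the faulting write terminated only the child.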
