Mongrel web server

Here’s an interview with Zed Shaw, the author of the Mongrel web server — a web server for the Ruby programming language that is good for use in combination with Ruby on Rails and other Ruby-based web-app frameworks. It’s interesting in that it’s fast, secure, cross-platform, and it’s not a heavyweight solution (compared to Apache). Why is it more secure than Apache at the HTTP protocol level? Mongrel utilizes the Ragel State Machine Compiler
to generate the protocol parser, “and that is very strict and seems to block a huge number of attack attempts simply because it is so exacting.”

Hard Drive Encryption: PGP Disk, LUKS, BitLocker

Why encrypt a hard drive? It makes it safer to dispose of an old hard disk… your data won’t fall into the wrong hands. This only matters if you want data to remain confidential. Laptop owners should consider using hard disk encryption.

When is it a bad idea to encrypt a hard drive? First, if you have a dual-boot computer (Linux and Windows), and you want Linux to be able to access all of the data on the Windows drive. Second, when the data confidentiality is of low concern and the data availability is of high importance.

Bruce Schneier writes about Microsoft BitLocker, which will be available in Windows Vista:

BitLocker Drive Encryption is a new security feature in Windows Vista, designed to work with the Trusted Platform Module (TPM). Basically, it encrypts the C drive with a computer-generated key. In its basic mode, an attacker can still access the data on the drive by guessing the user’s password, but would not be able to get at the drive by booting the disk up using another operating system, or removing the drive and attaching it to another computer.

PGP Disk is a current solution — no need to wait for Vista. On Linux, there are many solutions. The most current is LUKS and dm-crypt:

Apparently, HAL in Fedora recognizes LUKS volumes. It’s also possible to encrypt only your home directory with LUKS.

Update 5 June 2006

See also http://www.truecrypt.org/ and Wikipedia’s guide to disk encryption software.

Security Myths and Passwords

Professor Eugene Spafford “is one of the most senior and recognized leaders in the field of computing.” Here’s what he has to say about password security.


http://www.cerias.purdue.edu/weblogs/spaf/general/post-30

In the practice of security we have accumulated a number of “rules of thumb” that many people accept without careful consideration. Some of these get included in policies, and thus may get propagated to environments they were not meant to address. It is also the case that as technology changes, the underlying (and unstated) assumptions underlying these bits of conventional wisdom also change. The result is a stale policy that may no longer be effective…or possibly even dangerous.

Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom.

Read the article for more details.

Article: Innovative ways to fool people

Innovative ways to fool people
Scott Granneman, 2006-05-04
http://www.securityfocus.com/print/columnists/401

Scott Granneman’s latest column looks at recent security examples where people have been fooled in increasingly innovative ways: from keyloggers used in a massive bank heist and new Trojans that encrypt data and request ransom money, to real financial rip-offs that extend out from online virtual gaming worlds like World of Warcraft.

It’s a fascinating read. Here’s an exerpt:

We now have computer sweatshops appearing in China and Mexico, in which
young men are paid a few dollars per day (or less) to sit and play games
like World of Warcraft and EverQuest for about 12 hours a day,
performing often mind-numbing tasks in order to create virtual wealth.

It was therefore inevitable that bad guys would see an opportunity to
steal money in settings like this. Now someone has.

Why migrate a C++ project to Visual Studio 2005?

New and better tools are usually a good thing. So it is when moving from Visual Studio 2003 to the 2005 edition. Advantages of moving C++ development to Visual Studio 2005, Team Edition Developer include…

  1. Global/shared property sheets allow developers to change a setting in one place and have it apply to all projects. This makes it vastly easier to add new include paths and libraries, etc.
  2. New /analyze static analysis option goes the extra mile in identifying bugs such as buffer overflow, memory leaks, failure to check return types, etc. This feature is only available in VS 2005 Team Edition Developer.
  3. Better debugger supports tracepoints and displays STL containers in a human-readable format! See http://blogs.msdn.com/andypennell/archive/2004/06/29/169002.aspx for more information.
  4. Improved remote debugging.
  5. More standards-compliant C++ compiler. See http://msdn2.microsoft.com/en-us/library/ms177253(vs.80).aspx
  6. Built-in profiler.
  7. Const-correctness checks in functions such as strchr, strstr, etc. help identify and prevent bugs.
  8. Organize sub-projects into solution folders.
  9. Can substitute more secure versions of strcpy, strcat, etc. automatically under certain conditions if we define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES. There’s also _CRT_SECURE_NO_DEPRECATE.
  10. More and better warnings.
  11. Dependency checking is faster. This means, for example, that cleaning a solution is much faster than with VS 2003.
  12. Stack smashing protection (the /GS flag) is more robust.
  13. printf family of functions support the C99 Standard of “%ll” and “%ull” for 64 bit integers in addition to the non-portable, Microsoft-only VS2003 “%I64d” syntax.

Costs of migrating to VS 2005:

  1. Compiled code size is slightly larger.
  2. The IDE requires more memory to run.
  3. Third party libraries and libc
  4. Template code may need to be modified.

Additional resources:

Migration Strategy

It’s usually not a good idea to migrate a code base immediately, although it could be good way to anger management. Here’s what I recommend:

  1. Copy your top-level solution mysolution.sln to mysolution.vs2005.sln.
  2. Copy all sub-projects *.vcproj to *.vs2005.vcproj.
  3. Edit mysolution.vs2005.sln and chang all .vcproj references to .vs2005.vcproj.
  4. Open mysolution.vs2005.sln in VS 2005. It will migrate the project automatically.
  5. Add the new solution and project files to your source control system (Subversion, Perforce, CVS). This way, you won’t affect the day-to-day development operations of the rest of your team. You could write a script to automate the above steps so that it is easier to keep in-sync with the additions, renames and removals of includes, source, and so on from the VS 2003 solution.
  6. Compile and fix errors gradually.
    • You may need a new version of Microsoft’s WTL, which is backwards compatible with VS 2003.
    • You may need to fix template syntax issues.
    • Fix const-correctness issues.

Eventually your team will become comfortable with VS 2005, and you can switch.

Best essays on software

Are you interested in reading quality essays on subjects related to software development? If so, then treat yourself to Neil Kandalgaonkar’s Links to essays in the book Best Software Writing I, or buy the hardcopy.

In the interest of letting people get to the links quickly, I’m copying-and-pasting Neil Kandalgaonkar’s links:


Joel Spolsky – Introduction

Refactoring Rules

Tried-and-true refactoring rules:

  1. Find the smallest change that could possibly work, and check it in. “If I make this change, it will change nothing else.”
  2. Revert early, and revert often. If you lose a half-day of work because the refactoring change is too large, that’s okay. Better to start over than to cost the rest of the team precious time struggling with a broken build.
  3. Do not write new code while refactoring.
  4. Always use cut-and-paste, never copy-and-paste.
  5. Just because the unit tests pass, doesn’t mean that the product still works after your refactor. You may need to add new unit tests before you refactor. And you may need to do some acceptance-testing for things that aren’t unit-testable.

General Advice:

  1. Don’t checkin changes to the version control system just before you go home. Wait for the next day.

Types of Refactoring:

  1. Refer to Martin Fowler’s “Refactoring” book
  2. Refer to Fowler’s website: http://www.refactoring.com/ and his catalog of refactorings

Advantages of Fedora Core 5 over FC3/FC4

Advantages of Fedora Core 5 over FC3/FC4:

  • Faster boot times
  • Faster Gnome desktop login
  • Faster responsiveness in the Gnome user interface (snappier application menu, etc.)
  • Suspend to disk and suspend to RAM
  • New desktop applications: Beagle desktop search tool, F-spot photo manager, Tomboy note taking application.
  • Firefox: Opening a new window is MUCH faster than with FC4.
  • Most stable installer to date, in my opinion.
  • New HAL integration (hardware abstraction layer) manages USB flash drives, and as a result, they mount on the user’s desktop more quickly than in the past.
  • SELinux targetted policies are much more comprehensive
  • Better wireless NIC support.
  • Xen virtulization.

I find it easier to upgrade rather than reinstall. The upgrade process did not install the new applications that a fresh install would have provided. Therefore, I did a fresh install of FC5 on one machine, and grabbed the package list (FC5 Packages). Then, I upgraded another machine, grabbed the package list ("rpm -qa | sort > upgradepackages.txt“). I generated a ‘diff’ of the two files. Here are the main things I came up with when going from FC4 to FC5:

Missing desktop packages:

  • beagle
  • f-spot
  • frysk
  • tomboy
  • gnome-backgrounds
  • gnome-power-manager
  • gnome-screensaver
  • gnome-user-share
  • nautilus-sendto
  • hal-gnome

Missing non-desktop packages:

  • xorg-x11-fonts-truetype
  • smartmontools
  • systemtap
  • hplip
  • longrun
  • irqbalance
  • glx-utils
  • gmime
  • gmime-sharp
  • dbus-sharp
  • dcraw
  • evolution-sharp

It’s always a good idea to read the release notes:
http://fedora.redhat.com/docs/release-notes/fc5/
Install extra software using yum, or using the graphical application ‘pirut’, or view ‘extra’ packages with your browser:
http://fedoraproject.org/extras/5/i386/repodata/repoview/graphical-internet.group.html
Useful packages (from extras repository):

yum install yum-utils gtweakui themes-backgrounds-gnome nautilus-open-terminal nautilus-image-converter nautilus-actions