I was reading about Ekiga (Linux VoIP application) at
LWN and stumbled across this mention of
Worth mentioning is the proprietary Skype protocol, which has some
serious security implications, according to what researchers presented
(PDF) at the Black Hat Europe 2006 conference. Skype clients can be
abused for the purpose of port scanning, distributed Denial of Service
(dDoS) attacks and other unpleasant things.
The PDF says that although the Skype technology is clever, it is
“Impossible to protect from attacks”.
LWN reader “tajyrink” says that Skype “works around [NAT] by being a
P2P program, not just a VoIP program, by using ruthlessly the bandwidth
of other users even without them knowing about it.”
Innovative ways to fool people
Scott Granneman, 2006-05-04
Scott Granneman’s latest column looks at recent security examples where people have been fooled in increasingly innovative ways: from keyloggers used in a massive bank heist and new Trojans that encrypt data and request ransom money, to real financial rip-offs that extend out from online virtual gaming worlds like World of Warcraft.
It’s a fascinating read. Here’s an exerpt:
We now have computer sweatshops appearing in China and Mexico, in which
young men are paid a few dollars per day (or less) to sit and play games
like World of Warcraft and EverQuest for about 12 hours a day,
performing often mind-numbing tasks in order to create virtual wealth.
It was therefore inevitable that bad guys would see an opportunity to
steal money in settings like this. Now someone has.
New and better tools are usually a good thing. So it is when moving from Visual Studio 2003 to the 2005 edition. Advantages of moving C++ development to Visual Studio 2005, Team Edition Developer include…
- Global/shared property sheets allow developers to change a setting in one place and have it apply to all projects. This makes it vastly easier to add new include paths and libraries, etc.
- New /analyze static analysis option goes the extra mile in identifying bugs such as buffer overflow, memory leaks, failure to check return types, etc. This feature is only available in VS 2005 Team Edition Developer.
- Better debugger supports tracepoints and displays STL containers in a human-readable format! See http://blogs.msdn.com/andypennell/archive/2004/06/29/169002.aspx for more information.
- Improved remote debugging.
- More standards-compliant C++ compiler. See http://msdn2.microsoft.com/en-us/library/ms177253(vs.80).aspx
- Built-in profiler.
- Const-correctness checks in functions such as strchr, strstr, etc. help identify and prevent bugs.
- Organize sub-projects into solution folders.
- Can substitute more secure versions of strcpy, strcat, etc. automatically under certain conditions if we define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES. There’s also _CRT_SECURE_NO_DEPRECATE.
- More and better warnings.
- Dependency checking is faster. This means, for example, that cleaning a solution is much faster than with VS 2003.
- Stack smashing protection (the /GS flag) is more robust.
- printf family of functions support the C99 Standard of “%ll” and “%ull” for 64 bit integers in addition to the non-portable, Microsoft-only VS2003 “%I64d” syntax.
Costs of migrating to VS 2005:
- Compiled code size is slightly larger.
- The IDE requires more memory to run.
- Third party libraries and libc
- Template code may need to be modified.
It’s usually not a good idea to migrate a code base immediately, although it could be good way to anger management. Here’s what I recommend:
- Copy your top-level solution mysolution.sln to mysolution.vs2005.sln.
- Copy all sub-projects *.vcproj to *.vs2005.vcproj.
- Edit mysolution.vs2005.sln and chang all .vcproj references to .vs2005.vcproj.
- Open mysolution.vs2005.sln in VS 2005. It will migrate the project automatically.
- Add the new solution and project files to your source control system (Subversion, Perforce, CVS). This way, you won’t affect the day-to-day development operations of the rest of your team. You could write a script to automate the above steps so that it is easier to keep in-sync with the additions, renames and removals of includes, source, and so on from the VS 2003 solution.
- Compile and fix errors gradually.
- You may need a new version of Microsoft’s WTL, which is backwards compatible with VS 2003.
- You may need to fix template syntax issues.
- Fix const-correctness issues.
Eventually your team will become comfortable with VS 2005, and you can switch.
Are you interested in reading quality essays on subjects related to software development? If so, then treat yourself to Neil Kandalgaonkar’s Links to essays in the book Best Software Writing I, or buy the hardcopy.
In the interest of letting people get to the links quickly, I’m copying-and-pasting Neil Kandalgaonkar’s links:
Joel Spolsky – Introduction
This requires that mplayer is already installed. I use dvgrab to capture video from my camcorder.
dvgrab --autosplit --format dv2 --timestamp
mencoder INFILE -ovc lavc -lavcopts vcodec=mpeg4 -oac copy -o OUTFILE
I’ve got a photo-album generator for my digital photos, and I’ve enhanced it to include thumbnails for the movies some digital cameras generate (MOV, MPG, AVI). Here’s the perl script that does it: movie2gif.tar.gz
Figured this out using http://www.puschitz.com/SecuringLinux.shtml
portmap: 192.168.1.123 : allow
mountd: 192.168.1.123 : allow
rquotad: 192.168.1.123 : allow
myserver:/home/images /home/images nfs rsize=8192,wsize=8192,nosuid 0 0
Advantages of Fedora Core 5 over FC3/FC4:
- Faster boot times
- Faster Gnome desktop login
- Faster responsiveness in the Gnome user interface (snappier application menu, etc.)
- Suspend to disk and suspend to RAM
- New desktop applications: Beagle desktop search tool, F-spot photo manager, Tomboy note taking application.
- Firefox: Opening a new window is MUCH faster than with FC4.
- Most stable installer to date, in my opinion.
- New HAL integration (hardware abstraction layer) manages USB flash drives, and as a result, they mount on the user’s desktop more quickly than in the past.
- SELinux targetted policies are much more comprehensive
- Better wireless NIC support.
- Xen virtulization.
I find it easier to upgrade rather than reinstall. The upgrade process did not install the new applications that a fresh install would have provided. Therefore, I did a fresh install of FC5 on one machine, and grabbed the package list (FC5 Packages). Then, I upgraded another machine, grabbed the package list ("rpm -qa | sort > upgradepackages.txt“). I generated a ‘diff’ of the two files. Here are the main things I came up with when going from FC4 to FC5:
Missing desktop packages:
Missing non-desktop packages:
It’s always a good idea to read the release notes:
Install extra software using yum, or using the graphical application ‘pirut’, or view ‘extra’ packages with your browser:
Useful packages (from extras repository):
yum install yum-utils gtweakui themes-backgrounds-gnome nautilus-open-terminal nautilus-image-converter nautilus-actions
Update: A good reason to upgrade to GCC 4.1 is because the
-fstack-protector functionality is integrated in with the release — it’s not a patch anymore.