Showing posts with label security and crypto. Show all posts

22 July 2019

Grand master

Fernando Corbató, pioneer of interactive computing and Turing laureate, has passed.

In this video from 1963, Corbató describes state-of-the-art batch processing using mag tape, offloading input-output to an IBM 1620.

13 April 2016

Rando

John D. Cook alerts us to a pitfall in seeding a random number generator (RNG) for multiple processes/threads (for instance, for a Monte Carlo simulation):
Applying the analog of the birthday problem to the RNG seeds explains why the project was launching processes with the same seed. Suppose you seed each process with an unsigned 16-bit integer. That means there are 65,536 possible seeds. Now suppose you launch 1,000 processes. With 65 times as many possible seeds as processes, surely every process should get its own seed, right? Not at all. There’s a 99.95% chance that two processes will have the same seed.
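The arithmetic behind that 99.95% figure, as an added example (not from Cook's post or from this blog): the exact birthday-problem probability for N possible seeds and n processes, computed in log space so the product does not underflow, plus the general question the quote leads to, namely how wide a seed must be to keep collisions below a chosen threshold. The threshold of 1% and the Monte Carlo cross-check are assumptions of this example.

```python
"""Birthday-problem arithmetic for random-number-generator seed collisions."""
import math
import random


def collision_probability(seed_space: int, n_processes: int) -> float:
    """Exact probability that at least two of n_processes processes draw the
    same seed, each seed uniform over seed_space values.

    P(no collision) = prod_{i=0}^{n-1} (1 - i/N), accumulated as a sum of
    logarithms so the result stays accurate for large n.
    """
    if n_processes > seed_space:
        return 1.0  # pigeonhole principle: a collision is certain
    log_no_collision = sum(math.log1p(-i / seed_space) for i in range(n_processes))
    return 1.0 - math.exp(log_no_collision)


def seed_bits_needed(n_processes: int, max_collision_prob: float) -> int:
    """Smallest seed width in bits that keeps the collision probability for
    n_processes at or below max_collision_prob."""
    bits = 1
    while collision_probability(2 ** bits, n_processes) > max_collision_prob:
        bits += 1
    return bits


def simulate_collision_rate(seed_bits: int, n_processes: int,
                            trials: int, rng_seed: int = 0) -> float:
    """Empirical cross-check (constructed, deterministic via rng_seed):
    fraction of trials in which two of n_processes seeds coincide."""
    rng = random.Random(rng_seed)
    collisions = 0
    for _ in range(trials):
        seeds = [rng.getrandbits(seed_bits) for _ in range(n_processes)]
        if len(set(seeds)) < n_processes:
            collisions += 1
    return collisions / trials


if __name__ == "__main__":
    # The case from the quote: 16-bit seeds, 1,000 processes.
    print(f"P(collision) = {collision_probability(2 ** 16, 1000):.4%}")
    # Assumed target: at most a 1% chance of any duplicate seed.
    print(f"bits needed for <= 1%: {seed_bits_needed(1000, 0.01)}")
    print(f"simulated rate: {simulate_collision_rate(16, 1000, 200):.3f}")
```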

22 June 2012

Happy birthday, Alan

In honor of Alan Turing's centenary, Charles Severance visits Bletchley Park where Turing contributed to codebreaking in World War II, building on work by the Polish Cypher Bureau. Bletchley Park displays powered-up replicas of the hybrid electronic/electromechanical BOMBE and Colossus devices from that period.

Meanwhile, the editors of Nature evaluate Turing's legacy with a series of articles.

13 October 2010

'N Sync

At this shop, a developer uses a Windows laptop to shell into a virtualized machine running Linux where the source code is compiled into a web application. Most of us use Eclipse as a development studio. I had set up my Eclipse to edit my working copy of the code base directly on the virtual machine, mounting it as an SMB network drive. But over time, I found that some serious latencies would occur sporadically--Eclipse would take several minutes to open a short file of JavaScript, that sort of hassle. So, after some cajoling from colleague Jared, I followed his lead and moved my setup so that my working copy is on my laptop's hard drive. So now, instead of an edit-build-test-think cycle, I have an edit-rsync-build-test-think cycle, but the edit step is much faster.

But I was faced with a new annoyance. Every rsync or ssh to the VM required me to type my password. (The other way with SMB, I just left a shell window open already logged in to the VM.)

(Hunh. I suppose I could have set up rsync to pull from the VM rather than push from the laptop. Never thought of that.)

Anyway, the team's wiki links to a helpful crib on how to make RSA keys to perform an automatic login with ssh, but my first efforts failed. Colleague Harold provided the missing piece. He checked /var/log/auth.log on the VM and found an error message that indicated the file permissions on my home directory were too open. We did a chmod 755 on my home directory, and I was in!

16 October 2008

XSRF and me

Security is not my long and strong suit. But recent postings by Scott Gilbertson on clickjacking and by Jeff Atwood on strategies to counteract cross-site request forgeries (XSRF) caught my attention.

While there aren't any good countermeasures against clickjacking yet, there are practices that you can follow to mitigate XSRF attacks. But doesn't ASP.NET take care of all that for me? Not really. Todd Miranda demonstrates, in a 20-minute video, how the exploit works against an ASP.NET site and shows some basic techniques to cope.

21 May 2007

Mystery solved?

I may have figured out the intermittent problem that manifested itself with the error message:

The file web.sitemap required by XmlSiteMapProvider does not exist.
It turns out that the web server on my development box was configured to allow anonymous access, with the "Internet Guest Account" identified as the proxy account. This is the account named IUSR_<server name>. Fairly standard set-up.

What we changed, and what seems to have dealt with the problem, was to explicitly grant permissions to IUSR_<server name> on the file system folder that the virtual directory was mapped to. From Windows Explorer, context-click the folder, pick Properties, then pick the Security tab. Because the web app writes log files under that folder, and the web site admin can also use the app to add and delete uploaded files (themes, templates, that sort of thing) under that folder, we granted Full Control to the Internet Guest Account.

YMMV. Reflecting on this, it occurs to me that it's probably not the best choice from a security point of view to allow the web app this degree of access. Config parameters that point to the log files and templates and themes would be a good idea: I will bring it up with the team.