Search Results

Search found 271 results on 11 pages for 'turing completeness'.


  • Is Programming == Math?

    - by moffdub
    I've heard many times that all programming is really a subset of math. Some suggest that OO, at its roots, is mathematically based. I don't get the connection. Aside from some obvious examples:

    - using induction to prove a recursive algorithm
    - formal correctness proofs
    - functional languages
    - lambda calculus
    - asymptotic complexity
    - DFAs, NFAs, Turing Machines, and theoretical computation in general
    - the fact that everything on the box is binary

    In what ways is programming really a subset of math? I'm looking for an explanation that might have relevance to enterprise/OO development (if there is a strong enough connection, that is). Thanks in advance. Edit: as I stated in a comment to an answer, math is uber important to programming, but what I struggle with is the "subset" argument.


  • Books about the philosophy of software development

    - by anon
    The first time I read The Mythical Man Month, I found the book utterly boring, a waste of my time, and thought it was written by some management guru that never wrote a line of code. A few years later, I realized Fred Brooks won the Turing award. Some years after that, after a few large development projects, I started understanding what he was talking about. Are there any other books about software development on a meta/philosophical level—not in the sense of design patterns, templates, or even lisp macros—but at a level where ideas are expressed without code?


  • What makes good software good?

    - by Jonta
    People probably have a lot of different answers here, like good...: scalability, speed, usability, stability, consistency, completeness, absence of bugs, accessibility, documentation, code-quality and so on. There are a lot of philosophies on development of software. Like the UNIX-philosophy. Often vague and not easy to understand. I am looking for statements such as the one cited below. Which you can ask about the software when it's in the design-stage, is ready to be coded, and has been coded and is ready for launch. The software I am talking about, is of course the software made for the end-user. Ken Rockwell wrote: "I expect that it will let me get more accomplished in less time." (Here one could ask "will this let me get more accomplished in less time?")


  • How to get Tomcat Working on Windows 7?

    - by Zakir Hossain
    I have installed Apache Tomcat 5.X/6.X on my Windows 7 PC. After the installation the service starts fine when I check the Start Tomcat box and click finish. However, if I try to start the Tomcat configuration tool or monitor tool from the start menu I can not start any of Tomcat's services. I get an error in a message box stating "Access Denied. Unable to open Tomcat 5.5". What seems to be the problem, and how can I solve it? Even restarting the PC won't help. I also have JDK and JRE installed. Turning the firewall off doesn't work either. Please help! Note that I'm running the 32bit version of Windows 7.


  • Implementing Brainf*ck loops in an interpreter

    - by sub
    I want to build a Brainf*ck (damn that name) interpreter in my freshly created programming language to prove its Turing-completeness. Now, everything is clear so far (<+-,.) - except one thing: the loops ([]). I assume that you know the (extremely hard) BF syntax from here on: How do I implement the BF loops in my interpreter? What could the pseudocode look like? What should I do when the interpreter reaches a loop beginning ([) or a loop end (])? Checking if the loop should continue or stop is not the problem (current cell==0), but: When and where do I have to check? How do I know where the loop beginning is located? How do I handle nested loops? As loops can be nested I suppose that I can't just use a variable containing the starting position of the current loop. I've seen very small BF interpreters implemented in various languages; I wonder how they managed to get the loops working but can't figure it out.


  • What Simple Changes Made the Biggest Improvements to Your Delphi Programs

    - by lkessler
    I have a Delphi 2009 program that handles a lot of data and needs to be as fast as possible and not use too much memory. What small simple changes have you made to your Delphi code that had the biggest impact on the performance of your program by noticeably reducing execution time or memory use? Thanks everyone for all your answers. Many great tips. For completeness, I'll post a few important articles on Delphi optimization that I found:

    - Before you start optimizing Delphi code, at About.com
    - Speed and Size: Top 10 Tricks, also at About.com
    - Code Optimization Fundamentals and Delphi Optimization Guidelines at High Performance Delphi, relating to Delphi 7 but still very pertinent.


  • Which OOD approach should I take?

    - by Sorush Rabiee
    According to Niklaus Wirth, Algorithms + Data Structures = Programs. So I use this as a starting point for object-oriented modeling and inheritance design: in a way that I separate the 'Objects' from 'Operations', then look for patterns and an inheritance hierarchy. But now after practice I guess it's not a good idea for every modeling problem, because sometimes it's not effective. (I mean there is no possibility of developing (or it is very hard to develop) code of Turing-complete languages based on this paradigm.) What is your viewpoint for designing an OOD structure as an experienced programmer?


  • TeX on iPad compatible with Apple's policy?

    - by Yuji
    Hi, As a nerd, I think it would be nice to have a TeX editor on the iPad. But TeX is a Turing-complete language, and it is arguably a general-purpose compiler/interpreter. Does that make it unacceptable to the App Store? Furthermore, if somebody ports the TeX compiler to JavaScript and runs it inside WebKit, does that make it acceptable to the App Store? FYI, here's the section of the developer's agreement: 3.3.2 An Application may not itself install or launch other executable code by any means, including without limitation through the use of a plug-in architecture, calling other frameworks, other APIs or otherwise. No interpreted code may be downloaded and used in an Application except for code that is interpreted and run by Apple's Published APIs and builtin interpreter(s).


  • [Java] Form data transition into entity beans to persist them by the server side ORM

    - by cscsaba242
    Hello guys, Is there any good explanation or tutorial which describes the common way of creating entity beans from the received data of a form? The main reason for my question is the treatment of the received ids (e.g. id of country, city and so forth): which is the way from the id to the entity?

    Example:

        Client side form
        username:String
        countryid:Integer (could be a drop down)

        Server side entities
        public class UserBean {
            String username;
            CountryBean Country;
        }

        public class CountryBean {
            String cityname;
            Integer id;
        }

    Maybe the question is dependent on the used technology, but I guess there is a very common way. I would like to comprehend the conventional approach to this problem. (For the sake of completeness: I would like to save the form data (received by Stripes) by JPA.) Thanks in advance. cscsaba242


  • Crashing the OS X Pasteboard

    - by Ben Packard
    I have an application that reads in text by emulating CMD-C copy commands and reading the pasteboard - unfortunately this is the only way to achieve what I need. Occasionally, something goes wrong in execution (not sure yet if it's related to the copy command or not) and the app crashes. Once in a while, this has a knock-on effect on the system-wide pasteboard - any other application that is running will crash if I attempt a copy, cut, or paste. Is there a robust way to handle this - something I should be doing with the NSPasteboard before exiting? Any information on what might be happening is appreciated. For completeness, here are the only snippets of code that access the pasteboard.

    Reading from the pasteboard:

        NSString *pBoardText = [[NSPasteboard generalPasteboard] stringForType:NSStringPboardType];

    Initially clearing the pasteboard (I run this only once, at launch):

        [[NSPasteboard generalPasteboard] declareTypes:[NSArray arrayWithObject:NSStringPboardType] owner:self];
        [[NSPasteboard generalPasteboard] setString:@"" forType:NSStringPboardType];


  • math syntax checker written in python

    - by neurino
    All I need is to check, using python, if a string is a valid math expression or not. For simplicity let's say I just need + - * / operators (+ - as unary too) with numbers and nested parentheses. I add also simple variable names for completeness. So I can test this way:

        test("-3 * (2 + 1)")  # valid
        test("-3 * ")         # NOT valid
        test("v1 + v2")       # valid
        test("v2 - 2v")       # NOT valid ("2v" not a valid variable name)

    I tried pyparsing but just trying the example "simple algebraic expression parser, that performs +,-,*,/ and ^ arithmetic operations" I get invalid code passed, and also trying to fix it I always get wrong syntaxes being parsed without raising Exceptions. Just try:

        >>> test('9', 9)
        9 qwerty = 9.0 ['9'] => ['9']
        >>> test('9 qwerty', 9)
        9 qwerty = 9.0 ['9'] => ['9']

    Both tests pass... o_O Any advice?


  • How can I create XML from Perl?

    - by pkaeding
    Hello, I need to create XML in Perl. From what I read, XML::LibXML is great for parsing and using XML that comes from somewhere else. Does anyone have any suggestions for an XML writer? Is XML::Writer still maintained? Does anyone like/use it? In addition to feature-completeness, I am interested in an easy-to-use syntax, so please describe the syntax and any other reasons why you like that module in your answer. Please respond with one suggestion per answer, and if someone has already answered with your favorite, please vote that answer up. Hopefully it will be easy to see what is most popular. Thanks!


  • ruby / rails boolean method naming conventions

    - by Dennis
    I have a short question on ruby / rails method naming conventions or good practice. Consider the following methods:

        # some methods performing some sort of 'action'
        def action; end
        def action!; end

        # some methods checking if performing 'action' is permitted
        def action?; end
        def can_action?; end
        def action_allowed?; end

    So I wonder, which of the three ampersand-methods would be the "best" way to ask for permissions. I would go with the first one somehow, but in some cases I think this might be confused with meaning has_performed_action?. So the second approach might make that clearer but is also a bit more verbose. The third one is actually just for completeness. I don't really like that one. So are there any commonly agreed-on good practices for that?


  • criteria of software program being intelligent

    - by bobah
    Just out of curiosity, assuming there exists a software life form. How would you detect him/her? What are your criteria for figuring out if something/someone is intelligent or not? It seems to me that it should be quite simple to create such software once you set the right target (not just following a naive "mimic human-pass Turing Test" way). When posting an answer try also finding a counter example. I have real difficulty inventing anything consistent which I myself agree with. Warmup


  • When did the idea of macros (user-defined code transformation) appear?

    - by Jay
    I have read McCarthy's 1960 paper on LISP and found no reference to anything that's similar to user-defined macros or normal order evaluation. I was wondering when macros first appeared in programming language history (and also in Lisp history): When was the idea of user-defined code transformation (before interpretation or compilation) first described (theoretically)? What was the first programming language implementation to have Lisp-like macros (by "Lisp-like" I mean "using a readable Turing-complete language to do code-transformation")? (including non-Lisps -- Forth for example is quite old, but I'm not sure if the first Forth implementation already had "IMMEDIATE") What was the first Lisp dialect to have macros? Thank you!


  • Is catching NumberFormatException a bad practice?

    - by integeruser
    I have to parse a String that can assume hex values or other non-hex values: 0xff, 0x31 or A, PC, label, and so on. I use this code to divide the two cases:

        String input = readInput();
        try {
            int hex = Integer.decode(input);
            // use hex ...
        } catch (NumberFormatException e) {
            // input is not a hex, continue parsing
        }

    Can this code be considered "ugly" or difficult to read? Are there other (maybe more elegant) solutions? EDIT: I want to clarify that (in my case) a wrong input doesn't exist: I just need to distinguish if it is a hex number, or not. And just for completeness, I'm making a simple assembler for DCPU-16.


  • Toorcon 15 (2013)

    - by danx
    The Toorcon gang (senior staff): h1kari (founder), nfiltr8, and Geo

    - Introduction to Toorcon 15 (2013)
    - A Tale of One Software Bypass of MS Windows 8 Secure Boot
    - Breaching SSL, One Byte at a Time
    - Running at 99%: Surviving an Application DoS
    - Security Response in the Age of Mass Customized Attacks
    - x86 Rewriting: Defeating RoP and other Shinanighans
    - Clowntown Express: interesting bugs and running a bug bounty program
    - Active Fingerprinting of Encrypted VPNs
    - Making Attacks Go Backwards
    - Mask Your Checksums—The Gorry Details
    - Adventures with weird machines thirty years after "Reflections on Trusting Trust"

    Introduction to Toorcon 15 (2013)

    Toorcon 15 is the 15th annual security conference held in San Diego. I've attended about a third of them and blogged about previous conferences I attended here starting in 2003. As always, I've only summarized the talks I attended and that interested me enough to write about them. Be aware that I may have misrepresented the speaker's remarks and that they are not my remarks or opinion, or those of my employer, so don't quote me or them. Those seeking further details may contact the speakers directly or use The Google. For some talks, I have a URL for further information.

    A Tale of One Software Bypass of MS Windows 8 Secure Boot
    Andrew Furtak and Oleksandr Bazhaniuk
    Yuri Bulygin, Oleksandr ("Alex") Bazhaniuk, and (not present) Andrew Furtak

    Yuri and Alex talked about UEFI and Bootkits and bypassing MS Windows 8 Secure Boot, with vendor recommendations. They previously gave this talk at the BlackHat 2013 conference.

    MS Windows 8 Secure Boot Overview

    UEFI (Unified Extensible Firmware Interface) is the interface between hardware and OS. UEFI is processor and architecture independent. Malware can replace the bootloader (bootx64.efi, bootmgfw.efi). Once replaced, it can modify the kernel. Trivial to replace the bootloader. Today there are many legacy bootkits—UEFI replaces most of them.

    MS Windows 8 Secure Boot verifies everything you load, either through signatures or hashes. UEFI firmware relies on secure update (with signed update). You would think Secure Boot would rely on ROM (such as used for phones), but you can't do that for PCs—PCs use writable memory with signatures. The DXE core verifies the UEFI boot loader(s). The OS Loader (winload.efi, winresume.efi) verifies the OS kernel. A chain of trust is established with a root key (Platform Key, PK), which is a cert belonging to the platform vendor. Key Exchange Keys (KEKs) verify an "authorized" database (db), and "forbidden" database (dbx). X.509 certs with SHA-1/SHA-256 hashes. Keys are stored in non-volatile (NV) flash-based NVRAM. Boot Services (BS) allow adding/deleting keys (can't be accessed once OS starts—which uses Run-Time (RT)). Root cert uses RSA-2048 public keys and PKCS#7 format signatures.

    - SecureBoot — enable/disable image signature checks
    - SetupMode — update keys, self-signed keys, and secure boot variables
    - CustomMode — allows updating keys

    Secure Boot policy settings are: always execute, never execute, allow execute on security violation, defer execute on security violation, deny execute on security violation, query user on security violation.

    Attacking MS Windows 8 Secure Boot

    Secure Boot does NOT protect from physical access. Can disable from console. Each BIOS vendor implements Secure Boot differently. There are several platform and BIOS vendors. It becomes a "zoo" of implementations—which can be taken advantage of. Secure Boot is secure only when all vendors implement it correctly:

    - allow only UEFI firmware signed updates
    - protect UEFI firmware from direct modification in flash memory
    - protect FW update components
    - program SPI controller securely
    - protect secure boot policy settings in NVRAM
    - protect runtime API
    - disable compatibility support module which allows unsigned legacy

    Can corrupt the Platform Key (PK) EFI root certificate variable in SPI flash. If PK is not found, FW enters setup mode with secure boot turned off. Can also exploit TPM in a similar manner. One is not supposed to be able to directly modify the PK in SPI flash from the OS though. But they found a bug that they can exploit from User Mode (undisclosed) and demoed the exploit. It loaded and ran their own bootkit. The exploit requires a reboot. Multiple vendors are vulnerable. They will disclose this exploit to vendors in the future.

    Recommendations:

    - allow only signed updates
    - protect UEFI FW in ROM
    - protect EFI variable store in ROM

    Breaching SSL, One Byte at a Time
    Yoel Gluck and Angelo Prado
    Angelo Prado and Yoel Gluck, Salesforce.com

    CRIME is software that performs a "compression oracle attack." This is possible because the SSL protocol doesn't hide length, and because SSL compresses the header. CRIME requests with every possible character and measures the ciphertext length. Look for the plaintext which compresses the most and look for the cookie one byte at a time. SSL Compression uses LZ77 to reduce redundancy. Huffman coding replaces common byte sequences with shorter codes. US CERT thinks the SSL compression problem is fixed, but it isn't. They convinced CERT that it wasn't fixed and they issued a CVE.

    BREACH, breachattrack.com

    BREACH exploits the SSL response body (Accept-Encoding response, Content-Encoding). It takes advantage of the fact that the response is not compressed. BREACH uses gzip and needs fairly "stable" pages that are static for ~30 seconds. It needs attacker-supplied content (say from a web form or added to a URL parameter). BREACH listens to a session's requests and responses, then inserts extra requests and responses. Eventually, BREACH guesses a session's secret key. Can use compression to guess contents one byte at a time. For example, "Supersecret SupersecreX" (a wrong guess) compresses to 10 bytes, and "Supersecret Supersecret" (a correct guess) compresses to 11 bytes, so it can find each character by guessing every character. To start the guess, BREACH needs at least three known initial characters in the response sequence. Compression length then "leaks" information. Some roadblocks include no winners (all guesses wrong) or too many winners (multiple possibilities that compress the same). The solutions include:

    - lookahead (guess 2 or 3 characters at a time instead of 1 character). Expensive
    - rollback to last known conflict
    - check compression ratio
    - can brute-force first 3 "bootstrap" characters, if needed (expensive)
    - block ciphers hide exact plain text length. Solution is to align response in advance to block size

    Mitigations:

    - length: use variable padding
    - secrets: dynamic CSRF tokens per request
    - secret: change over time
    - separate secret to input-less servlets

    Future work:

    - either understand DEFLATE/GZIP
    - HTTPS extensions

    Running at 99%: Surviving an Application DoS
    Ryan Huber
    Ryan Huber, Risk I/O

    Ryan first discussed various ways to do a denial of service (DoS) attack against web services. One usual method is to find a slow web page and do several wgets. Or download large files. Apache is not well suited to handling a large number of connections, but one can put something in front of it. Can use Apache alternatives, such as nginx.

    How to identify malicious hosts:

    - short, sudden web requests
    - user-agent is obvious (curl, python)
    - same url requested repeatedly
    - no web page referer (not normal)
    - hidden links. hide a link and see if a bot gets it
    - restricted access if not your geo IP (unless the website is global)
    - missing common headers in request
    - regular timing
    - first seen IP at beginning of attack
    - count requests per host (usually a very large number)

    Use of captcha can mitigate attacks, but you'll lose a lot of genuine users.

    Bouncer, goo.gl/c2vyEc and www.github.com/rawdigits/Bouncer

    Bouncer is software written by Ryan in netflow. Bouncer has a small, unobtrusive footprint and detects DoS attempts. It closes blacklisted sockets immediately (not nice about it, no proper close connection). Aggregator collects requests and controls your web proxies. Need NTP on the front end web servers for clean data for use by bouncer. Bouncer is also useful for a popularity storm ("Slashdotting") and scraper storms. Future features: gzip collection data, documentation, consumer library, multitask, logging destroyed connections.

    Takeaways:

    - DoS mitigation is easier with a complete picture
    - Bouncer designed to make it easier to detect and defend DoS—not a complete cure

    Security Response in the Age of Mass Customized Attacks
    Peleus Uhley and Karthik Raman
    Peleus Uhley and Karthik Raman, Adobe ASSET, blogs.adobe.com/asset/

    Peleus and Karthik talked about response to mass-customized exploits. Attackers behave much like a business. "Mass customization" refers to a concept discussed in the book Future Perfect by Stan Davis of Harvard Business School. Mass customization is differentiating a product for an individual customer, but at a mass production price. For example, the same individual with a debit card receives basically the same customized ATM experience around the world. Or designing your own PC from commodity parts. Exploit kits are another example of mass customization. The kits support multiple browsers and plugins, and allow new modules. Exploit kits are cheap and customizable. Organized gangs use exploit kits. A group at Berkeley looked at 77,000 malicious websites (Grier et al., "Manufacturing Compromise: The Emergence of Exploit-as-a-Service", 2012). They found 10,000 distinct binaries among them, but derived from only a dozen or so exploit kits.

    Characteristics of Mass Malware: potent, resilient, relatively low cost. Technical characteristics: multiple OS, multiple payloads, multiple scenarios, multiple languages, obfuscation. Response time for 0-day exploits has gone down from ~40 days 5 years ago to about ~10 days now. So the drive with malware is towards mass customized exploits, to avoid detection. There's plenty of evidence that exploit development has Project Manager bureaucracy. They infer from the malware edicts to:

    - support all versions of Reader
    - support all versions of Windows
    - support all versions of Flash
    - support all browsers
    - write large, complex, difficult to maintain code (8750 lines of JavaScript, for example)

    Exploits have "loose coupling" of multiple versions of software (Adobe), OS, and browser. This allows specific attacks against specific versions of multiple pieces of software. Also allows exploits of more obscure software/OS/browsers and obscure versions. Gave examples of exploits that exploited 2, 3, 6, or 14 separate bugs. However, these complete exploits are more likely to be buggy or fragile in themselves and easier to defeat. Future research includes normalizing malware and JavaScript. Conclusion: The coming trend is that mass-malware with mass zero-day attacks will result in mass customization of attacks.

    x86 Rewriting: Defeating RoP and other Shinanighans
    Richard Wartell
    Richard Wartell

    The attack vector we are addressing here is: First some malware causes a buffer overflow. The malware has no program access, but input access, and buffer overflows code onto the stack. Later the stack became non-executable. The workaround malware used was to write a bogus return address to the stack jumping to malware. Later came ASLR (Address Space Layout Randomization) to randomize memory layout and make addresses non-deterministic. The workaround malware used was to jump to existing code segments in the program that can be used in bad ways. "RoP" is Return-oriented Programming attacks. RoP attacks use your own code and write a return address on the stack to (existing) exploitable code found in the program ("gadgets"). Pinkie Pie was paid $60K last year for a RoP attack. One solution is using anti-RoP compilers that compile source code with NO return instructions. ASLR does not randomize address space, just "gadgets". IPR/ILR ("Instruction Location Randomization") randomizes each instruction with a virtual machine.

    Richard's goal was to randomize a binary with no source code access. He created "STIR" (Self-Transforming Instruction Relocation). STIR disassembles the binary and operates on "basic blocks" of code. The STIR disassembler is conservative in what to disassemble. Each basic block is moved to a random location in memory. Next, STIR writes new code sections with copies of "basic blocks" of code in randomized locations. The old code is copied and rewritten with jumps to new code. The original code sections in the file are marked non-executable. STIR has better entropy than ASLR in location of code. Makes brute force attacks much harder. STIR runs on MS Windows (PEM) and Linux (ELF). It eliminated 99.96% or more "gadgets" (i.e., moved the address). Overhead usually 5-10% on MS Windows, about 1.5-4% on Linux (but some code actually runs faster!). The unique thing about STIR is it requires no source access and the modified binary fully works! Current work is to rewrite code to enforce security policies. For example, don't create a *.{exe,msi,bat} file. Or don't connect to the network after reading from the disk.

    Clowntown Express: interesting bugs and running a bug bounty program
    Collin Greene
    Collin Greene, Facebook

    Collin talked about Facebook's bug bounty program. Background at FB: FB has good security frameworks, such as security teams, external audits, and cc'ing on diffs. But there's lots of "deep, dark, forgotten" parts of legacy FB code. Collin gave several examples of bountied bugs. Some bounty submissions were on software purchased from a third party (but bounty claimers don't know and don't care). We use security questions, as does everyone else, but they are basically insecure (often easily discoverable). Collin didn't expect many bugs from the bounty program, but they ended up getting 20+ good bugs in the first 24 hours and good submissions continue to come in. Bug bounties bring people in with different perspectives, and are paid only for success. Bug bounty is a better use of a fixed amount of time and money versus just code review or static code analysis. The Bounty program started July 2011 and paid out $1.5 million to date. 14% of the submissions have been high priority problems that needed to be fixed immediately. The best bugs come from a small % of submitters (as with everything else)—the top paid submitters are paid 6 figures a year. Spammers like to backstab competitors. The youngest submitter was 13. Some submitters have been hired. Bug bounties also allow you to see bugs that were missed by tools or reviews, allowing improvement in the process. Bug bounties might not work for traditional software companies where the product has a release cycle or is not on the Internet.

    Active Fingerprinting of Encrypted VPNs
    Anna Shubina
    Anna Shubina, Dartmouth Institute for Security, Technology, and Society

    (I missed the start of her talk because another track went overtime. But I have the DVD of the talk, so I'll expand later)

    IPsec leaves fingerprints. Using netcat, one can easily visually distinguish various crypto chaining modes just from packet timing on a chart (example, DES-CBC versus AES-CBC). One can tell a lot about VPNs just from ping roundtrips (such as what router is used). Delayed packets are not informative about a network, especially if far away from the network. More is needed to explore how TCP works in real life with respect to timing.

    Making Attacks Go Backwards
    Fuzzynop
    FuzzyNop, Mandiant

    This talk is not about threat attribution (finding who), product solutions, politics, or sales pitches. But who are making these malware threats? It's not a single person or group—they have diverse skill levels. There's a lot of fat-fingered fumblers out there. Always look for low-hanging fruit first:

    - "hiding" malware in the temp, recycle, or root directories
    - creation of unnamed scheduled tasks
    - obvious names of files and syscalls ("ClearEventLog")
    - uncleared event logs. Clearing the event log in itself, and the time of clearing, is a red flag and a good first clue to look for on a suspect system

    Reverse engineering is hard. Disassembler use takes practice and skill. A popular tool is IDA Pro, but it takes multiple interactive iterations to get a clean disassembly. Key loggers are used a lot in targeted attacks. They are typically custom code or built into a backdoor. A big tip-off is that non-printable characters need to be printed out (such as "[Ctrl]" "[RightShift]") or time stamp printf strings. Look for these in files. Presence is not proof they are used. Absence is not proof they are not used. Java exploits: can parse a jar file with idxparser.py and decompile the Java file. Java is typically used to target tech companies. Backdoors are the main persistence mechanism (provided externally) for malware. Also malware typically needs command and control.

    Application of Artificial Intelligence in Ad-Hoc Static Code Analysis
    John Ashaman
    John Ashaman, Security Innovation

    Initially John tried to analyze open source files with open source static analysis tools, but these showed thousands of false positives. Also tried using grep, but this fails to find anything even mildly complex. So next John decided to write his own tool. His approach was to first generate a call graph, then analyze the graph. However, the problem is that making a call graph is really hard. For example, one problem is "evil" coding techniques, such as passing function pointers. First the tool generated an Abstract Syntax Tree (AST) with the nodes created from method declarations and edges created from method use. Then the tool generated a control flow graph with the goal to find a path through the AST (a maze) from source to sink. The algorithm is to look at adjacent nodes to see if any are "scary" (a vulnerability), using heuristics for search order. The tool, called "Scat" (Static Code Analysis Tool), currently looks for C# vulnerabilities and some simple PHP. Later, he plans to add more PHP, then JSP and Java. For more information see his posts in the Security Innovation blog and NRefactory on GitHub.

    Mask Your Checksums—The Gorry Details
    Eric (XlogicX) Davisson
    Eric (XlogicX) Davisson

    Sometimes in emailing or posting TCP/IP packets to analyze problems, you may want to mask the IP address. But to do this correctly, you need to mask the checksum too, or you'll leak information about the IP. Problem reports found in stackoverflow.com, sans.org, and pastebin.org are usually not masked, but a few companies do care. If only the IP is masked, the IP may be guessed from the checksum (that is, it leaks data). Other parts of the packet may leak more data about the IP. TCP and IP checksums both refer to the same data, so one can get more bits of information out of using both checksums than just using one checksum. Also, one can usually determine the OS from the TTL field and ports in a packet header. If we get hundreds of possible results (16x for each masked nibble that is unknown), one can do other things to narrow the results, such as look at packet contents for domain or geo information. With hundreds of results, one can import them in CSV format into a spreadsheet. Can correlate with geo data and see where each possibility is located. Eric then demoed a real email report with a masked IP packet attached. Was able to find the exact IP address, given the geo and university of the sender. Point is, if you're going to mask a packet, do it right. Eric wouldn't usually bother, but do it correctly if at all, so as not to create a false impression of security.

    Adventures with weird machines thirty years after "Reflections on Trusting Trust"
    Sergey Bratus
    Sergey Bratus, Dartmouth College (and Julian Bangert and Rebecca Shapiro, not present)

    "Reflections on Trusting Trust" refers to Ken Thompson's classic 1984 paper. "You can't trust code that you did not totally create yourself." There are invisible links in the chain-of-trust, such as "well-installed microcode bugs" or in the compiler, and other planted bugs. Thompson showed how a compiler can introduce and propagate bugs in unmodified source. But suppose there are no bugs and you trust the author, can you trust the code? Hell No! There are too many factors—it's Babylonian in nature. Why not? Well:

    - Input is not well-defined/recognized (code's assumptions about "checked" input will be violated (bug/vulnerability)). For example, HTML is recursive, but Regex checking is not recursive.
    - Input is well-formed but so complex there's no telling what it does. For example, ELF file parsing is complex and has multiple ways of parsing.
    - Input is seen differently by different pieces of the program or toolchain.

    Any Input is a program: input executes on input handlers (drives state changes & transitions); only a well-defined execution model can be trusted (regex/DFA, PDA, CFG). An input handler either is a "recognizer" for the inputs as a well-defined language (see langsec.org) or it's a "virtual machine" for inputs to drive into pwn-age.

    ELF ABI (UNIX/Linux executable file format) case study. Problems can arise from these steps (without planting bugs):

    - compiler
    - linker
    - loader
    - ld.so/rtld
    - relocator
    - DWARF (debugger info)
    - exceptions

    The problem is you can't really automatically analyze code (it's the "halting problem" and undecidable). The only solution is to freeze code and sign it. But you can't freeze everything! Can't freeze ASLR or loading—must have tables and metadata. Any sufficiently complex input data is the same as VM byte code. Example: ELF relocation entries + dynamic symbols == a Turing Complete Machine (TM). @bxsays created a Turing machine in Linux from relocation data (not code) in an ELF file. For more information, see Rebecca "bx" Shapiro's presentation from last year's Toorcon, "Programming Weird Machines with ELF Metadata". @bxsays did the same thing with Mach-O bytecode. Or DWARF exception handling data: .eh_frame + glibc == Turing Machine. X86 MMU (IDT, GDT, TSS): used address translation to create a Turing Machine. The page handler reads and writes memory (on page fault). Uses a page table, which can be used as Turing Machine byte code. Example on GitHub using this TM that will fly a glider across the screen.

    Next Sergey talked about "Parser Differentials". Having one input format, but two parsers, will create confusion and opportunity for exploitation. For example, CSRs are parsed during creation by the cert requestor and again by another parser at the CA. Another example is ELF—several parsers in the OS tool chain, which are all different. Can have two different Program Headers (PHDRs) because ld.so parses multiple PHDRs. The second PHDR can completely transform the executable. This is described in a paper in the first issue of International Journal of PoC.

    Conclusions:

    - trusting computers is not only about bugs! Bugs are part of the problem, but not by far all of it
    - complex data formats means bugs
    - no "chain of trust" in Babylon! (that is, with parser differentials)
    - we need to squeeze complexity out of data until data stops being "code equivalent"

    Further information: See langsec.org. USENIX WOOT 2013 (Workshop on Offensive Technologies) for "weird machines" papers and videos.

    Read the article

  • AIIM, Oracle and Keste - Talking Social Business in LA

    - by Brian Dirking
We had a great event today in Los Angeles - AIIM, Oracle and Keste presented on how organizations are making social business work. Atle Skjekkeland of AIIM presented How Social Business Is Driving Innovation. Atle talked about a number of fascinating points, such as how answers to questions come from unexpected sources. Atle cited the fact that 38% of organizations get half or more of answers from unexpected sources, which speaks to the wisdom of the crowds and how people are benefiting from open communications tools to get answers to their questions. He also had a number of hilarious examples of companies that don't get it. If Comcast were to go to YouTube and search Comcast, they would see the number one hit after their paid ad is a video of one of their technicians asleep on a customer's couch. Seems when he called the office for support he was put on hold so long he fell asleep.

Photo: Dan O'Leary and Atle Skjekkeland

After Atle's presentation I presented on Solving the Innovation Challenge with Oracle WebCenter. Atle had talked about McKinsey's research titled The Rise Of The Networked Enterprise: Web 2.0 Finds Its Payday. I brought in some new McKinsey research that built on that article. The new article is How Social Technologies Are Extending The Organization. A survey of 4,200 global executives brought three conclusions for the future: boundaries among employees, vendors and customers will blur; employee teams will self-organize; data-driven decisions will rise. These three items were themes that repeated through the day as we went through examples of what customers are doing today.

Next up was Vince Casarez of Keste. Vince was scheduled to profile one customer, but in an incredible 3 for 1 deal, Vince profiled Alcatel-Lucent, Qualcomm, and NetApp. Each of these implementations had content consolidation elements, as well as user engagement requirements that Keste was able to address with Oracle WebCenter.

Photo: Vince Casarez of Keste

And we had a couple of good tweets worth reprinting here.

danieloleary (Daniel O'Leary): Learning about user engagement and social platforms from @bdirking #AIIM LA and @oracle event pic.twitter.com/1aNcLEUs
danieloleary (Daniel O'Leary): Users want to be able to share data and activity streams, work at organizations that embrace social via @bdirking
skjekkeland (Atle Skjekkeland): RT @danieloleary: Learning about user engagement and social platforms from @bdirking #AIIM LA and @oracle event pic.twitter.com/EWRYpvJa
danieloleary (Daniel O'Leary): Thanks again to @bdirking for an amazing event in LA today, really impressed with the completeness of web center
JimLundy (Jim Lundy): @danieloleary @bdirking yes, it is looking good - Web Center
shadrachwhite (Shadrach White): @bdirking @heybenito I heard the #AIIM event in LA was a hit

We had some great conversations through the day, many thanks to everyone who joined in. We look forward to continuing the conversation - thanks again to everyone who attended!

    Read the article

  • Post Crosstalk 2012

    - by David Dorf
This year the Oracle Retail users conference, Crosstalk, had a 20% increase in attendees, which was driven by both new customers and those acquired via Endeca. As the product assets of Oracle have grown, so has the completeness of the solution set. This year was marked by the breadth of omni-channel stories. Rose Spicer and her marketing team (see photo on left) always strive for an equal balance of retailer presentations, networking opportunities, and unique experiences -- this year was no exception. We had 41 different retailers from China, Russia, South Africa, Brazil, Chile, US, Canada and the UK sharing their insights with one another. In all there were 251 executives from 120 iconic brands such as Daphne, Kohl's, Morrisons, Abercrombie & Fitch, Hot Topic, Talbots, Petco, Deckers, Sportmaster, Mr. Price, Falabella, and Disney to name a few.

From a product perspective, there were a few new developments from Oracle Retail: Endeca's search engine has been integrated into the ATG commerce platform; the latest Retail Analytics application, Oracle Retail Customer Analytics, is generally available; and Oracle Retail previewed a new fully-integrated mobile POS.

But the real benefit of attending Crosstalk was hearing about the experiences of retailers and partners. Here are a few interesting facts I picked up:

At Kohl's, the most popular website accessed by customers within their stores is Facebook. With all the buzz about showrooming, I was really expecting it to be Amazon.
Daphne, a Chinese shoe retailer, is opening 3 new stores per day. Being located near the factories allows them to have a very agile supply chain as well.
Disney Stores have increased sales by 25% at stores upgraded to include Mobile POS. They continue to lead the pack with excellent customer experiences.
Quicksilver reported that 1 in 5 visits to their website comes from a tablet. More evidence that tablets are replacing traditional PCs in households.
By tagging shoes with RFID, Saks is able to ensure all shoe models are on display. If a model is not being displayed, it has no chance of being sold.

Additionally, there were awards, store tours on Michigan Avenue, fireworks at Navy Pier, and the Oracle Retail house band, Bolo313, performing at Soldier Field. Speaking of which, a few retailers got on stage and jammed with the band -- possible rival to Rock & Roll Retail? You can always find the latest info from us at the Retail Rack. The next events on tap are the Partner Summit followed by OpenWorld.

    Read the article

  • Media keys play/pause globally worked in 12.10, not in 13.10

    - by Stéphane Gourichon
Laptop media keys

On the Asus n55sf laptop, there are dedicated keys for volume up, volume down, mute, [play/pause], stop, launch (plus a dozen Fn-key combinations). In 12.10 most worked. (Overall it seems unrelated to the desktop environment used, stating it for the sake of completeness.) On Ubuntu 12.10 under XFCE they just worked. That is: when a player like rhythmbox or totem was started, it would alternate between play and pause. Interestingly, if several were started, they would alternate independently. E.g. use the mouse to pause rhythmbox, launch totem, and one hit on the [play/pause] key would pause one and resume the other. Keys Next, Previous and Stop worked as expected in any program. In 13.10 most still work, but play/skip related keys are ignored. On Xubuntu 13.10 (XFCE too) the volume keys work but [play/pause], stop, next and prev are ignored. Not tried regular Ubuntu 13.10 (Unity).

Search before you ask

Here are a few facts: https://wiki.ubuntu.com/Hotkeys/Architecture is immutable and mentions Ubuntu 9.10. https://wiki.ubuntu.com/Hotkeys/Troubleshooting is also outdated as it mentions /usr/share/doc/udev/README.keymap.txt which no longer exists. On 12.10 and 13.10 versions, at XFCE level (as visible by xfconf-query or using xfce4-settings-manager) there are a couple of shortcuts for keys like XF86Calculator or XF86TouchpadToggle but nothing related to volume prev/next/play/stop, which is okay. The XF86Audio substring doesn't appear in /etc (which is normal). Kernel-level test: "showkey -s" on console shows that keys Next, Play/Pause, Previous, Stop are keycodes 163, 164, 165, 166. Nothing relevant in /etc about that. Reports https://bugs.launchpad.net/ubuntu/+source/udev/+bug/1072371 and https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1012365 suggest adjusting at udev level. Alas, the udev tutorials I found (e.g. https://wiki.debian.org/udev) don't even mention keyboard. A thread in French seems to deal with a similar issue: https://forum.ubuntu-fr.org/viewtopic.php?id=1395051. "sudo evtest /dev/input/event3", in X as well as on plain console, reports events on key presses and repeats, but nothing when pressing those media keys. Is udev a dead end?

Questions

How did it work in 12.10? Through udev? Something else? Any other hint?

    Read the article

  • SQL Contests – Solution – Identify the Database Celebrity

    - by Pinal Dave
Last week we were running the contest Identify the Database Celebrity and we received a fantastic response to the contest. Thank you to the kind folks at NuoDB as they had offered two USD 100 Amazon Gift Cards to the winners of the contest. We also had an additional contest in which users had to download and install NuoDB and identify the sample database. You can read about the contest over here. Here is the answer to the questions which we had asked earlier in the contest.

Part 1: Identify Database Celebrity

Personality 1 – Edgar Frank “Ted” Codd (August 19, 1923 – April 18, 2003) was an English computer scientist who, while working for IBM, invented the relational model for database management, the theoretical basis for relational databases. He made other valuable contributions to computer science, but the relational model, a very influential general theory of data management, remains his most mentioned achievement. (Wiki)

Personality 2 – James Nicholas “Jim” Gray (born January 12, 1944; lost at sea January 28, 2007; declared deceased May 16, 2012) was an American computer scientist who received the Turing Award in 1998 “for seminal contributions to database and transaction processing research and technical leadership in system implementation.” (Wiki)

Personality 3 – Jim Starkey (born January 6, 1949 in Illinois) is a database architect responsible for developing InterBase, the first relational database to support multi-versioning, the blob column type, event alerts, arrays and triggers. Starkey is the founder of several companies, including the web application development and database tool company Netfrastructure and NuoDB. (Wiki)

Part 2: Identify NuoDB Samples Database Names

In this part of the contest one had to download NuoDB and install the sample database Hockey. Hockey is a sample database and contains a few tables. Users had to install the sample database and report the names of the sample databases. Here is the valid answer:

HOCKEY PLAYERS SCORING TEAM

Once again, it was indeed fun to run this contest. I have received great feedback about it and lots of people want me to run similar contests in future. I promise to run similar interesting contests in the near future.

Winners

Within the next two days, we will let winners send emails. Winners will have to confirm their email address and the NuoDB team will send them the Amazon Cards directly. Once again it was indeed fun to run this contest.

Reference: Pinal Dave (http://blog.SQLAuthority.com)
Filed under: PostADay, SQL, SQL Authority, SQL Query, SQL Server, SQL Tips and Tricks, T SQL

    Read the article

  • ArchBeat Link-o-Rama for 2012-06-22

    - by Bob Rhubart
Guide to integration architecture | Stephanie Mann
"The landscape of integration architecture is shifting as service-oriented and cloud-based architecture take the fore," says Stephanie Mann. "To ensure success, enterprise architects and developers are turning to lighter-weight infrastructure to support more complex integration projects."

FY13 Oracle PartnerNetwork Kickoff - Tues June 26, 2012
Join us for a one-hour live online event hosted by the Oracle PartnerNetwork team as we kick off FY13. Other dates/times for EMEA/LAD/JAPAN/APAC. Click the link for details.

Why should you choose Oracle WebLogic 12c instead of JBoss EAP 6? | Ricardo Ferreira
Okay, you would expect an Oracle guy to make this argument. But Ferreira takes a very deep, very detailed technical dive into the issue. So hear the man out, will ya?

Hibernate4 and Coherence | Rene van Wijk
According to Oracle ACE Rene van Wijk, "there are two ways to integrate Hibernate and Coherence." In this post he illustrates one of them.

Simple Made Easy | Rich Hickey
Rich Hickey discusses simplicity, why it is important, how to achieve it in design and how to recognize its absence in the tools, language constructs and libraries in this presentation from QCon London 2012.

Starting a cluster | Mark Nelson
Fusion Middleware A-Team blogger Mark Nelson looks at Oracle SOA Suite, Oracle BPM, and Oracle Coherence, three products that are "commonly clustered, and which have somewhat different requirements."

Why building SaaS well means giving up your servers | GigaOM
The biggest benefit to PaaS, reports GigaOM's Derrick Harris, "might be a better product because the company is able to focus on building the app rather than managing servers."

Personas - what, why & how | Mascha van Oosterhout
"To be able to create a successful, user-friendly website or application," says Mascha van Oosterhout, "every decision you take, whether you are part of the marketing team, the design team or the development team, should be based on what you know about the user."

Thought for the Day
"Machines take me by surprise with great frequency." — Alan Turing (June 23, 1912 - June 7, 1954)
Source: Brainy Quote

    Read the article

  • How to load stacking chunks on the fly?

    - by Brettetete
I'm currently working on an infinite world, mostly inspired by Minecraft. A Chunk consists of 16x16x16 blocks. A block (cube) is 1x1x1. This runs very smoothly with a ViewRange of 12 Chunks (12x16) on my computer. Fine. When I change the Chunk height to 256 this becomes - obviously - incredibly laggy. So what I basically want to do is stack chunks. That means my world could be [8,16,8] Chunks large. The question is now how to generate chunks on the fly? At the moment I generate non-existing chunks circularly around my position (near to far). Since I don't stack chunks yet, this is not very complex. As an important side note here: I also want to have biomes, with different min/max height. So in Biome Flatlands the highest layer with blocks would be 8 (8x16) - in Biome Mountains the highest layer with blocks would be 14 (14x16). Just as an example. What I could do would be loading 1 Chunk above and below me for example. But here the problem would be that transitions between different biomes could be larger than one chunk on y.

My current chunk loading in action

For completeness, here is my current chunk loading "algorithm":

    // Coroutine on a MonoBehaviour (uses transform and Instantiate).
    // VIEW_RANGE, ChunkWidth, _pos and ChunkFab are fields of the enclosing class.
    private IEnumerator UpdateChunks() {
        // Grow the search radius one chunk width per frame, near to far
        for (int i = 1; i < VIEW_RANGE; i += ChunkWidth) {
            float vr = i;
            for (float x = transform.position.x - vr; x < transform.position.x + vr; x += ChunkWidth) {
                for (float z = transform.position.z - vr; z < transform.position.z + vr; z += ChunkWidth) {
                    _pos.Set(x, 0, z); // no y, yet
                    // Snap the position to the chunk grid
                    _pos.x = Mathf.Floor(_pos.x / ChunkWidth) * ChunkWidth;
                    _pos.z = Mathf.Floor(_pos.z / ChunkWidth) * ChunkWidth;
                    Chunk chunk = Chunk.FindChunk(_pos);
                    // If Chunk is already created, continue
                    if (chunk != null) continue;
                    // Create a new Chunk..
                    chunk = (Chunk) Instantiate(ChunkFab, _pos, Quaternion.identity);
                }
            }
            // Skip to next frame
            yield return 0;
        }
    }

    Read the article

  • Oracle Leader in Transportation Management

    - by John Murphy
Oracle Named a Leader in the Transportation Management Systems Market by Leading Analyst Firm

Redwood Shores, Calif. – October 15, 2012

News Facts

Gartner, Inc. has placed Oracle Transportation Management in the Leaders Quadrant of its 2012 report, “Magic Quadrant for Transportation Management Systems (TMS).” (1) Gartner Magic Quadrants position vendors within a particular market segment based on their completeness of vision and ability to execute on that vision. According to the report, “Multiple subcomponents make up a comprehensive TMS across planning (for example, load consolidation, routing, mode selection and carrier selection) and execution (for example, tendering loads to carriers, shipment track and trace, and freight audit and payment).”

Built on a modern, flexible, Internet-based architecture, Oracle Transportation Management is a global transportation and logistics operations system that allows companies to minimize cost, optimize service levels, support sustainability initiatives, and create flexible business process automation within their transportation and logistics networks.

With a share of 26% of worldwide software revenue for 2011, Oracle is also number one in TMS vendor share according to Gartner’s report, “Market Trends: A Golden Opportunity in the Transportation Management System Market, 2012 – 2016.” (2)

Supporting Quote

“Shippers and logistics service providers face increasingly complex challenges as they try to reduce costs, secure capacity and improve overall freight efficiency,” said Derek Gittoes, vice president, logistics product strategy, Oracle. “We believe our high standing in both Gartner reports is a reflection of Oracle’s commitment to addressing these challenges by delivering the industry’s broadest and deepest transportation management platform. With a flexible and modern platform, we are able to support customers with both basic transportation needs, as well as those with highly complex logistics requirements.”

Supporting Resources

Magic Quadrant for Transportation Management Systems
Market Trends: A Golden Opportunity in the Transportation Management System Market, 2012 – 2016
Oracle Transportation Management

(1) Gartner, Inc., “Magic Quadrant for Transportation Management Systems,” by C. Dwight Klappich, August 23, 2012
(2) Gartner, Inc., “Market Trends: A Golden Opportunity in the Transportation Management System Market, 2012 – 2016,” by Chad Eschinger and C. Dwight Klappich, September 24, 2012.

About Oracle Applications

Over 65,000 customers worldwide rely on Oracle's complete, open and integrated enterprise applications to achieve superior results. Oracle provides a secure path for customers to benefit from the latest technology advances that improve the customer software experience and drive better business performance. Oracle Applications Unlimited is Oracle's commitment to customer choice through continuous investment and innovation in current applications offerings. Oracle's next-generation Fusion Applications build upon that commitment, and are designed to work with and evolve Oracle's Applications Unlimited offerings. Oracle's lifetime support policy helps ensure customers will continue to have a choice in upgrade paths, based on their enterprise needs. For more information on the latest Oracle Applications releases go to www.oracle.com/applications

About Oracle

Oracle engineers hardware and software to work together in the cloud and in your data center. For more information about Oracle (NASDAQ:ORCL), visit www.oracle.com.

Trademarks

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

###

    Read the article

  • schedule compliance and keeping technical supports and resolving issues

    - by imays
I am the entrepreneur behind a small software development company. The flagship product was developed by myself and my company has grown to 14 people. One point of pride is that we've never had to take investment or loans. The core development team is 5 people: 3 are seniors and 2 are juniors. After the first release, we've received many issues from our customers. Most of them are bug issues, customization needs, usage questions and upgrade requests. Issues from customers come in many times every day, so they take a little or a lot of our developers' time. Because our product is a software development kit (SDK), most questions can be answered only by our developers. And, for resolving bug issues, developers must be involved. Estimating the time to resolve a bug is hard. I fully understand that. However, our developers insist they cannot set any due date for each project because they are busy doing technical support and bug fixes for issues from customers every day. Of course, they never overwork.

I suggested to them an idea to divide the team into two parts: one focusing on development by milestones, the other doing technical support and bug fixes without setting due dates. Then we could announce the release plan officially. After the release is finished, the two parts exchange roles for the next milestone. However, they say "NO, because it is impossible to share knowledge and design documents fully." They still say they cannot set the release date and they ask me to alter the due date flexibly. They do not fix the due date of each milestone. Fortunately, our company has no loans or investors so we are not choked. But I think it is a bad idea to keep this situation. I know the story of the ant and the grasshopper. Our customers are tired of waiting forever for our release date. Companies consume limited time and money. If a flexible due date without limit could be acceptable, could they accept a flexible salary day? What is the root cause of our problem?

All that I want is to fix and precisely achieve the due date of each milestone without losing frequent technical support. I think there must be a solution for this situation. Please answer me. Thanks in advance.

PS. Our tools and ways of project management are Trello, a Mantis-like issue tracker, shared calendar software and scrum (cards collected into a series of 'small and high completeness' projects).

    Read the article
