K
Kless
Is secure use constants?
I come from Python and it isn't recommended there.
I come from Python and it isn't recommended there.
P
Phlip
Kless said:
Use constants to avoid repeating a literal with the same meaning, such as '42',
in various locations in your code.
What do you mean by "secure"? Neither Ruby nor Python are secure from reverse
engineering, because all the source is hanging out visible for all to see!
L
loolek
private static final int 42;
Or something like this...
D
Dejan Dimic
How do you come up with this question?
CONSTANTS are perhaps more secure in comparison to loops.
Be avare of the interations.
P
Phlip
loolek said:
What is secure about that? Nobody can ever change it?
Even in C, a language designed to compile directly to machine language with no
questions asked, you can still force a constant to change. You get "undefined
behavior", but you can still do it.
Don't worry about your constants changing. Just write clean code, and pay
attention to your warnings & test results, and you will be okay.
L
loolek
"Nobody can ever change it?"
Yes, yes -> i mean, under the java vm security control -> nobody can
change it.
That's cool for me -> but means nothing for a serious hacker...
peter
Yes, yes -> i mean, under the java vm security control -> nobody can
change it.
That's cool for me -> but means nothing for a serious hacker...
peter
L
loolek
"Don't worry about your constants changing."
My job is -> be full secure !!!
So, i am worring about this -> "small ruby leak"....
Do you need a case study -> for this "bad" situation, becouse a week
constant guarding (for example in C)?
"Just write clean code, and pay attention to your warnings & test
results, and you will be okay."
Thanks buddy.........you help a lot
peter
My job is -> be full secure !!!
So, i am worring about this -> "small ruby leak"....
Do you need a case study -> for this "bad" situation, becouse a week
constant guarding (for example in C)?
"Just write clean code, and pay attention to your warnings & test
results, and you will be okay."
Thanks buddy.........you help a lot
peter
T
Tim Hunter
loolek said:
I admit it, I'm largely ignorant of security issues. What kind of bad
thing can you do with Ruby constants?
P
Phlip
loolek said:
Static type checking (constant, private, etc.) only provide negative
reinforcement that code might work as designed. Unit tests provide positive
reinforcement that your features behave as expected. Code with wall-to-wall unit
tests is better than any code with all kinds of constants, privates, and typechecks.
M
Marc Heiler
I admit it, I'm largely ignorant of security issues. What kind of
It depends on the coder in question:
- matz once single handedly trapped Chuck Norris within a constant void.
- Lesser ruby coders may utterly fail in doing so, ending up as bloody
BBQ.
Also, there exists believable rumours that one can do time travels with
constants, if used in the right way (full moon, 12 fresh sheep, some old
gold coins and a pirate curse...)
But again beware, only those strong in will may succeed...
It depends on the coder in question:
- matz once single handedly trapped Chuck Norris within a constant void.
- Lesser ruby coders may utterly fail in doing so, ending up as bloody
BBQ.
Also, there exists believable rumours that one can do time travels with
constants, if used in the right way (full moon, 12 fresh sheep, some old
gold coins and a pirate curse...)
But again beware, only those strong in will may succeed...
L
loolek
"What kind of bad thing can you do with Ruby constants? "
I think this is not the question of ruby. Imagine this -> there is a
constant that holds the value that triggers the cooler sticks in a
nuclear power plant. Than the bad guy "overwrites" it, what comes
next ?
A BIG CRASH BANG
"I'm largely ignorant"
Are you sure, you will be ingnorant if you where living in the next
city from the plant ?
peter
I think this is not the question of ruby. Imagine this -> there is a
constant that holds the value that triggers the cooler sticks in a
nuclear power plant. Than the bad guy "overwrites" it, what comes
next ?
A BIG CRASH BANG
"I'm largely ignorant"
Are you sure, you will be ingnorant if you where living in the next
city from the plant ?
peter
L
loolek
"Static"
The JVM do this dynamically, how do you mean "static" ?
"only provide negative reinforcement ... wall-to-wall unit tests is
better"
Could you explain this more detailed, i dont get it what are you
thinking about ?
peter
The JVM do this dynamically, how do you mean "static" ?
"only provide negative reinforcement ... wall-to-wall unit tests is
better"
Could you explain this more detailed, i dont get it what are you
thinking about ?
peter
L
loolek
"Unit tests provide positive reinforcement that your features behave
as expected."
Yehh, if you know how to write bulletproof unit tests......
peter
as expected."
Yehh, if you know how to write bulletproof unit tests......
peter
P
Phlip
loolek said:
Okay, you and I are bidding for that contract. (In an imaginary, old-fashioned
world where government contract bids are competitive!
I tell them I will use a constant there.
You tell them you will write unit tests for all your code.
Who should get the contract?
And note that, in Ruby, changing the immediate value of a constant ("immediate"
meaning it is a small integer only), causes a warning.
L
loolek
"You tell them you will write unit tests for all your code."
Wrong, i will never work for the goverment -> the job is yours whitout
a BID...
Double wrong, i never write unit tests, becouse i sad it -> unit tests
NEVER discovers all of the security holes (remember FULL security).
"meaning it is a small integer only"
Yeah, this small door will be enough for that clever/fast bad guy ->
BANG AGAIN
"causes a warning"
This is interesting, do you have a rubydoc link to this topic ?
peter
Wrong, i will never work for the goverment -> the job is yours whitout
a BID...
Double wrong, i never write unit tests, becouse i sad it -> unit tests
NEVER discovers all of the security holes (remember FULL security).
"meaning it is a small integer only"
Yeah, this small door will be enough for that clever/fast bad guy ->
BANG AGAIN
"causes a warning"
This is interesting, do you have a rubydoc link to this topic ?
peter
L
loolek
"right?"
Nope, PLZ explain it.
peter
Nope, PLZ explain it.
peter
L
loolek
""causes a warning""
"This is interesting, do you have a rubydoc link to this topic ? "
And don't forget this Q.
peter
"This is interesting, do you have a rubydoc link to this topic ? "
And don't forget this Q.
peter
D
David Masover
Ok, first, how does the "bad guy", whoever they are, get the ability
to "overwrite" it? They shouldn't even be on the same _network_, let alone in
my memory space.
And, for that matter, if they were in my memory space, they can do a hell of a
lot worse than "overwriting a constant".
Here, I think XKCD explains this better than I could:
http://xkcd.com/463/
Sorry, but the magnitude of possible failure doesn't prove your point.
No one is saying that it's OK to be less secure. What we are saying is that
you are wrong about how to go about being secure.
In other words, we are saying that your attitude towards security is more
likely to blow up that hypothetical plant than, say, proper unit testing.
K
Kless
Ops! I was wrong! I mean global variables instead of constants. Sorry!
L
loolek
"Ok, first, how does the "bad guy", whoever they are, get the ability
to "overwrite" it? They shouldn't even be on the same _network_, let
alone in
my memory space.
And, for that matter, if they were in my memory space, they can do a
hell of a
lot worse than "overwriting a constant".
This topic turned to interesting "ruby hacker" lessons. But first let
me answare your Qs ->
"Ok, first ... whoever they are"
a. May be ter*rist or whatever, don' really matter. But they are only
one guy.
"get the ability to "overwrite" it?"
Secound, play that -> i am the bad guy...
a. I was won the ruby programmer job at the plant -> I'm in!
b. I hacked the box of the security guy of the plant (home machine).
Why? Becouse he/she is got connection to the inner plant network
(SSH). So i am in again! (idea from Kevin)
c. I gave a really cool video game CD to my "new friend Joe", who is
working at the plant. Why? Becouse he will install it on the inner
box, just for fun. The game will install me among the cool game. So i
am in again!
d. Maybe in the plant, there is some "hard but alive" way -> between
the local and public lan.
e. Should i continue?
"let alone in my memory space."
Hmm, how do you mean this? The ruby code will guard the memory/
hardware/io/etc. I really don't get you?
But anyway -> i was first hacked the unpatched Linux kernel... Should
i continue the "how"?
a. I thought only only the CPU's protected mode can do this kind of
job. Or i am wrong?
"WE are saying is that you are wrong about how to go about being
secure."
I think "hypotheticaly" -> i am right. In other words, you STILL don't
see the DANGER that the week coding language cousing?
"hell of a lot worse than "overwriting a constant""
Oh yes, i see now -> you don't smell the dager still, becouse you
asking this silly Q. But okay, what worse could happen?
a. You are dead.
b. Your home city is dead too.
c. You mom is dead too.
d. The water in your area is posioned for a long time.
e. etc.
peter
to "overwrite" it? They shouldn't even be on the same _network_, let
alone in
my memory space.
And, for that matter, if they were in my memory space, they can do a
hell of a
lot worse than "overwriting a constant".
This topic turned to interesting "ruby hacker" lessons. But first let
me answare your Qs ->
"Ok, first ... whoever they are"
a. May be ter*rist or whatever, don' really matter. But they are only
one guy.
"get the ability to "overwrite" it?"
Secound, play that -> i am the bad guy...
a. I was won the ruby programmer job at the plant -> I'm in!
b. I hacked the box of the security guy of the plant (home machine).
Why? Becouse he/she is got connection to the inner plant network
(SSH). So i am in again! (idea from Kevin)
c. I gave a really cool video game CD to my "new friend Joe", who is
working at the plant. Why? Becouse he will install it on the inner
box, just for fun. The game will install me among the cool game. So i
am in again!
d. Maybe in the plant, there is some "hard but alive" way -> between
the local and public lan.
e. Should i continue?
"let alone in my memory space."
Hmm, how do you mean this? The ruby code will guard the memory/
hardware/io/etc. I really don't get you?
But anyway -> i was first hacked the unpatched Linux kernel... Should
i continue the "how"?
a. I thought only only the CPU's protected mode can do this kind of
job. Or i am wrong?
"WE are saying is that you are wrong about how to go about being
secure."
I think "hypotheticaly" -> i am right. In other words, you STILL don't
see the DANGER that the week coding language cousing?
"hell of a lot worse than "overwriting a constant""
Oh yes, i see now -> you don't smell the dager still, becouse you
asking this silly Q. But okay, what worse could happen?
a. You are dead.
b. Your home city is dead too.
c. You mom is dead too.
d. The water in your area is posioned for a long time.
e. etc.
peter