On Aug 17, 7:00 pm, Kless [email protected] wrote:
Is it secure to use constants?
I come from Python and it isn’t recommended there.
Oops! I was wrong! I meant global variables instead of constants. Sorry!
On Mon, Aug 18, 2008 at 4:26 AM, loolek [email protected] wrote:
(A bunch of stuff about trying to be l33t.)
There are many ways, Peter, to secure Ruby. Maybe you should ask
_why.
That pun is intended.
_why made an open Ruby programming irb interface on the internet. You
can almost do anything you want on that site
(http://tryruby.hobix.com). Constant security, blah.
Todd
On Aug 17, 2008, at 10:51 PM, loolek wrote:
“causes a warning”
"This is interesting, do you have a rubydoc link to this topic ? "
And don’t forget this Q.
$ ruby -e 'C = "once"; C = "oops"'
-e:1: warning: already initialized constant C
James Edward G. II
Why does loolek feel so much like Ilias? Hmm…
James Edward G. II
"Ok, first, how does the “bad guy”, whoever they are, get the ability
to “overwrite” it? They shouldn’t even be on the same network, let
alone in my memory space.
And, for that matter, if they were in my memory space, they can do a
hell of a lot worse than “overwriting a constant”.
This topic turned into interesting “ruby hacker” lessons. But first let
me answer your Qs ->
“Ok, first … whoever they are”
a. Maybe a ter*rist or whatever, doesn’t really matter. But they are only
one guy.
“get the ability to “overwrite” it?”
Second, play that -> I am the bad guy…
a. I won the Ruby programmer job at the plant -> I’m in!
b. I hacked the box of the security guy of the plant (home machine).
Why? Because he/she has a connection to the inner plant network
(SSH). So I am in again! (idea from Kevin)
c. I gave a really cool video game CD to my “new friend Joe”, who is
working at the plant. Why? Because he will install it on the inner
box, just for fun. The game will install me along with the cool game. So I
am in again!
d. Maybe in the plant, there is some “hard but alive” way -> between
the local and public LAN.
e. Should I continue?
“let alone in my memory space.”
Hmm, how do you mean this? The Ruby code will guard the memory/
hardware/io/etc.? I really don’t get you.
But anyway -> I first hacked the unpatched Linux kernel… Should
I continue the “how”?
a. I thought only the CPU’s protected mode can do this kind of
job. Or am I wrong?
“WE are saying is that you are wrong about how to go about being
secure.”
I think “hypothetically” -> I am right. In other words, you STILL don’t
see the DANGER that the weak coding language is causing?
“hell of a lot worse than “overwriting a constant””
Oh yes, I see now -> you still don’t smell the danger, because you are
asking this silly Q. But okay, what worse could happen?
a. You are dead.
b. Your home city is dead too.
c. Your mom is dead too.
d. The water in your area is poisoned for a long time.
e. etc.
peter
"$ ruby -e 'C = "once"; C = "oops"'
-e:1: warning: already initialized constant C "
Okay, but I haven’t decided yet whether to use Ruby or not. So I have not
installed Ruby so far…
So I ask again, PLZ send me a RubyDoc link about this topic!
The Google search doesn’t find this phrase ->
Google says: “Your search - site:rubydoc.org “already initialized
constant” - did not match any documents.”
peter
This site is a bad Ruby “demo”, or I don’t know. I followed the
instructions →
type help ← the result is an error
type 2 + 6 ← the result is a Bad Gateway error
502 Bad Gateway2 + 6
Where was I wrong?
peter
Why does loolek feel so much like Ilias? Hmm…
James Edward G. II
Hmm…
The UrbanDictionary.com says:
A person prone to sexual intercourse with an animal; most commonly a
canine.
I hope that’s his tail you’re scratching. I wouldn’t have picked
you as an Ilias.
Scruffy looks sad. I thought he knew not to play stick with Ilias.
I don’t trust that Ilias guy. Atleast Rocky’s not constipates
anymore.
How do you mean this?
peter
Why does loolek feel so much like Ilias? Hmm…
James Edward G. II
Could you teach me? → What does Ilias mean in this situation? I know
Ilias is a good book. But urbandictionary.com says:
A person prone to sexual intercourse with an animal; most commonly a
canine.
I hope that’s his tail you’re scratching. I wouldn’t have picked
you as an Ilias.
Scruffy looks sad. I thought he knew not to play stick with Ilias.
I don’t trust that Ilias guy. Atleast Rocky’s not constipates
anymore.
How could I mean this phrase?
And just another Q → what does this mean to me → l33t?
Sorry, but I am just an uneducated Hungarian guy.
peter
On Tue, Aug 19, 2008 at 3:37 AM, Pit C. [email protected]
wrote:
So I think Ruby isn’t the right language for you.
Neither is any language that resides in memory or has any connection
to the physical world.
http://imgs.xkcd.com/comics/real_programmers.png from
xkcd: Real Programmers
2008/8/18 loolek [email protected]:
"$ ruby -e 'C = "once"; C = "oops"'
-e:1: warning: already initialized constant C "
Okay, but I haven’t decided yet whether to use Ruby or not. So I have not
installed Ruby so far…
Peter, in Ruby others can change almost everything that you have
written, and they can change it at runtime, without having access to
your code: constants, classes, methods, instance variables, and so on.
So I think Ruby isn’t the right language for you.
Regards,
Pit
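As an added example (not code from this thread or from Ruby's own documentation) of Pit's point, and of the "already initialized constant" warning James showed earlier: in Ruby a constant is just a rebindable name on a module, and only freezing the module, and the values it holds, turns tampering into a FrozenError instead of a warning. The config module and its COOLING_TOLERANCE, LABEL and raise_rods names are constructed stand-ins.

```ruby
# Constructed stand-in for a constants.rb holding one numeric and one String
# value; optionally freeze the module (the bindings) and/or the values.
def build_config(freeze_module: false, freeze_values: false)
  mod = Module.new
  mod.const_set(:COOLING_TOLERANCE, 12345)
  label = "once".dup
  mod.const_set(:LABEL, freeze_values ? label.freeze : label)
  mod.freeze if freeze_module
  mod
end

# Run a tampering attempt; :frozen_error if Ruby refused, :modified if not.
def attempt
  yield
  :modified
rescue FrozenError
  :frozen_error
end

# 1. On an ordinary module the name is rebindable at runtime; Ruby prints
#    "already initialized constant" (the warning from earlier in the thread)
#    to stderr and carries on, so the reassignment wins.
def rebind_unfrozen
  cfg = build_config
  [attempt { cfg.const_set(:COOLING_TOLERANCE, 1) }, cfg::COOLING_TOLERANCE]
end

# 2. Once the module is frozen, rebinding, removing the constant, or defining
#    a method on it all raise FrozenError, so tampering fails loudly.
def tamper_frozen
  cfg = build_config(freeze_module: true)
  outcomes = [
    attempt { cfg.const_set(:COOLING_TOLERANCE, 1) },
    attempt { cfg.send(:remove_const, :COOLING_TOLERANCE) },
    attempt { cfg.module_eval { def raise_rods; end } },
  ]
  [outcomes, cfg::COOLING_TOLERANCE]
end

# 3. Freezing the module protects the binding, not the object behind it: a
#    mutable String is still editable in place unless it is frozen as well.
def mutate_values
  loose = build_config(freeze_module: true)
  tight = build_config(freeze_module: true, freeze_values: true)
  [attempt { loose::LABEL << "oops" }, loose::LABEL,
   attempt { tight::LABEL << "oops" }, tight::LABEL]
end
```

Freezing is one-way inside the language, but as the rest of the thread says, it does nothing against someone who already controls the process or the host.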
On Aug 18, 8:37 pm, Pit C. [email protected] wrote:
your code: constants, classes, methods, instance variables, and so on.
So I think Ruby isn’t the right language for you.
Regards,
Pit
“Peter, in Ruby others can change almost everything that you have
written,”
Cool, could you give me a good link for self Ruby education?
“So I think Ruby isn’t the right language for you.”
A big no → I mean: I can decide what is good for me, not you!!!
peter
Come on, Captain or Phlip or whoever → give me a CORRECT link PLZ!
Or do I have to think this → the Ruby lang is not documented well?
I wrote → “the google search machine didn’t find that error msg @
ruby-doc.org” → so what’s up guys?
peter
2008/8/18 loolek [email protected]:
Cool, could you give me a good link for self Ruby education?
Peter, I’m sure you’ll be able to find the official Ruby homepage and
navigate from there to the introductory documentation. Specific
questions like the not-so-constant constants in Ruby as in this thread
are normally answered here on ruby-talk.
“So I think Ruby isn’t the right language for you.”
A big no → I mean: I can decide what is good for me, not you!!!
That’s exactly why I wrote “I think”, not “I decide for you”. From
your questions I got the impression that you are looking for a
language which allows you to create tightly sealed programs. On the
other hand, Ruby is one of the most open and flexible languages I
know.
Maybe you can tell us more about what you are really looking for, what
kind of programs you want to create, etc. Many of us here on ruby-talk
know a lot of other programming languages and could tell you what we
think would be the right language for your purposes. Again: of course
it is you who finally has to make the decision.
Regards,
Pit
From: loolek [mailto:[email protected]]
i hope i can help =)
http://www.ruby-doc.org/docs/ProgrammingRuby/html/language.html
http://www.ruby-doc.org/docs/UsersGuide/rg/constants.html
also, you may want to read about $SAFE variable
http://www.ruby-doc.org/docs/ProgrammingRuby/html/taint.html
do not worry about documentation (it is only for anglois (guy decoux)
:). read the ruby source. it’s very readable and unambiguous. then once
you’ve mastered the source, do not forget to contribute to the ruby
docs. ruby docs may need improvement, but it is improving… (ruby is a
community effort; if you like it, good; if you want to contribute, good;
if you do not like it, good too. your choice as always
kind regards -botp
2008/8/19 loolek [email protected]:
Come on, Captain or Phlip or whoever → give me a CORRECT link PLZ!
I wrote → “the google search machine didn’t find that error msg @
ruby-doc.org” → so what’s up guys?
You have to look better. Google gives me at least the following two
links from ruby-doc to that error message:
http://www.ruby-doc.org/docs/UsersGuide/rg/constants.html
Programming Ruby: The Pragmatic Programmer's Guide
And as a bonus here’s a direct link to the very part of the second
page with the error message:
Programming Ruby: The Pragmatic Programmer's Guide
Not too hard to find, is it?
Regards,
Pit
On Monday 18 August 2008 13:06:43 loolek wrote:
This site is a bad Ruby “demo”, or I don’t know.
Point is, it is a site which, when it works properly – and it’s worked
perfectly for me in Firefox so far – allows any random user who wanders
in off the Internet to run arbitrary Ruby code on the server.
So it’s an example of how to create a very secure Ruby sandbox.
And here’s the sandbox-specific stuff:
On Monday 18 August 2008 04:26:43 loolek wrote:
a. Maybe a ter*rist or whatever, doesn’t really matter. But they are only
one guy.
“Them”, then. I was referring to one guy.
“get the ability to “overwrite” it?”
Second, play that -> I am the bad guy…
a. I won the Ruby programmer job at the plant -> I’m in!
You won the Ruby programmer job at the plant.
Congratulations, you can now edit the Ruby source code where that
constant was defined! It really doesn’t matter at this point.
b. I hacked the box of the security guy of the plant (home machine).
Why? Because he/she has a connection to the inner plant network
(SSH). So I am in again! (idea from Kevin)
Again, you’ve SSH’d in to the machine… Now, what, exactly, is stopping
you from simply killing that process, editing the source (maybe copying it
to a temporary location), and running it again?
e. Should I continue?
The rest of your examples only highlight the problem:
Once you’re in, you’re in. What possible scenario could he insert Ruby
code into a running process, without being able to also change the constant
anyway?
And what possible language could he not do this in? It’s harder to
change a constant in a running C program, but one buffer overflow and you
can do it.
“let alone in my memory space.”
Hmm, how do you mean this? The Ruby code will guard the memory/
hardware/io/etc.? I really don’t get you.
Well, I’m assuming that if he can modify a Ruby program that is
executing, he is doing so by editing its memory – which means he has access
to the memory space of the program.
Which means that no matter what language the program is written in, he
can now change any part of it, full stop.
I suppose it’s possible that you’re stupid enough to use eval in places
you shouldn’t. That’s the only other way I can think of.
But anyway -> I first hacked the unpatched Linux kernel… Should
I continue the “how”?
Great – so you can now modify ANY memory, ANYWHERE on the system.
Again: NO language will protect ANY so-called “constant” from being
modified here – except maybe Verilog.
Do you know why Verilog can? Because it compiles to hardware – meaning
the only possible way to change the constant would be with a soldering iron.
Do you know why it’s “maybe”? Because if any part of the program is
software, and needs that constant, you can always change the one line that
reads the constant from hardware to read a different value instead.
“WE are saying is that you are wrong about how to go about being
secure.”
I think “hypothetically” -> I am right. In other words, you STILL don’t
see the DANGER that the weak coding language is causing?
That’s not an argument. This has officially descended into “No it’s not!
Yes it is!”
I don’t think it’s a “weak coding language”. You do. Unless you’re
willing to say why you think it’s weak, we aren’t going to get beyond
name-calling.
And I’m not going to respond to any more trolling from you.
“hell of a lot worse than “overwriting a constant””
Oh yes, I see now -> you still don’t smell the danger, because you are
asking this silly Q. But okay, what worse could happen?
No, missing the point:
If he can get into a situation where it’s possible for him to modify a
Ruby constant, that kind of implies that he can do ANYTHING to the Ruby
program, through any of the methods you mentioned above.
Which means that if he wants to make it go boom, he can still do all of
the following:
a. You are dead.
b. Your home city is dead too.
c. Your mom is dead too.
d. The water in your area is poisoned for a long time.
e. etc.
What was the point of listing them?
Again, these are not caused by Ruby. These are caused by the fundamental
nature of how modern operating systems work.
If anyone can get their code ANYWHERE NEAR your hypothetical nuclear
reactor, they damned well better be trusted.
If your nuclear reactor isn’t hypothetical, quit now.
One example: Suppose you’ve somehow gotten this figured out, and you
have your constants.rb file, which almost no one has access to. In there,
you have:
COOLING_TOLERANCE = 12345
Your attacker realizes that they can’t change that file, and they can’t
change the constant in the program. Fine, so he goes and edits cooling_rods.rb,
where the constant is actually used. He replaces this line:
lower_rods if temp >= COOLING_TOLERANCE
With this one:
raise_rods
Ok, so you make cooling_rods.rb readonly. Fine, so he goes anywhere else
in the program, and edits a file he’s allowed to edit, and adds the
following:
loop { raise_rods }
Again, you could sandbox it properly. You could make sure that his code
never gets to touch the raise_rods function. But you’re always going to miss
something – maybe he’s just a designer, writing the UI. So he goes in
and swaps these two buttons:
START REACTION
EMERGENCY SHUTDOWN
So now, when someone needs to perform an emergency shutdown, they push
START REACTION instead, and the reactor goes boom.
The right solution is to simply not let him touch the program that
controls the cooling rods. Let him read log output from that program to build
his pretty graphs.
David M. wrote:
a. You are dead.
b. Your home city is dead too.
c. Your mom is dead too.
d. The water in your area is poisoned for a long time.
e. etc.
What was the point of listing them?
To pad the post out without the need to learn or pull in any actual
programming details.
And I’m not going to respond to any more trolling from you.
You appear to be the last one! (-:
On Tuesday 19 August 2008 23:21:31 Phlip wrote:
David M. wrote:
And I’m not going to respond to any more trolling from you.
You appear to be the last one! (-:
Today, at a cafe, I asked “Can I order…”
And she deadpanned “No.”
AND I BOUGHT IT!!
I’m so easily trolled