‘Every Drupal 7 Site Was Compromised’ Unless Patched By Oct. 15

Posted on November 1, 2014 by mea

The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that’s designed specifically to help prevent SQL injection attacks.

via ‘Every Drupal 7 Site Was Compromised’ Unless Patched By Oct. 15 | Threatpost | The first stop for security news.

IEEE Guides Software Architects ToSecure Software Design

Posted on August 30, 2014 by mea

The document spells out the 10 common design flaws in a straightforward manner, each with a lengthy explainer of inherent weaknesses in each area and how software designers and architects should take these potential pitfalls into consideration. The 10, in no particular order, are:

Earn or give, but never assume, trust

Use an authentication mechanism that cannot be bypassed or tampered with

Authorize after you authenticate

Strictly separate data and control instructions, and never process control instructions received from untrusted sources

Define an approach that ensures all data are explicitly validated

Use cryptography correctly

Identify sensitive data and how they should be handled

Always consider the users

Understand how integrating external components changes your attack surface

Be flexible when considering future changes to objects and actors

via IEEE Guides Software Architects ToSecure Software Design | Threatpost | The first stop for security news.

Tenets of the UNIX Philosophy

Posted on August 27, 2014 by mea

The main tenets of the Unix Philosophy are as follows::

Small is beautiful.

Make each program do one thing well.

Build a prototype as soon as possible.

Choose portability over efficiency.

Store data in flat text files.

Use software leverage to your advantage.

Use shell scripts to increase leverage and portability.

Avoid captive user interfaces.

Make every program a filter.

via Tenets of the UNIX Philosophy

More on Heartbleed Ctd.

Posted on April 11, 2014 by mea

So then a bug shows up which leaks the content of memory mishandled by that layer. If the memoory had been properly returned via free, it would likely have been handed to munmap, and triggered a daemon crash instead of leaking your keys.

OpenSSL is not developed by a responsible team.

via Re: FYA: http: heartbleed.com.

Why the display server doesn’t matter

Posted on March 26, 2014 by mea

The result of this is the display server doesn’t matter much to applications because we have pretty good toolkits that already hide all this information from us. And it doesn’t matter much to drivers as they’re providing much the same operations to anything that uses them (i.e. buffer management and passing shaders around).

via Bob’s development blog: Why the display server doesn’t matter.

OSv, a new open-source operating system for virtual machines

Posted on September 17, 2013 by mea

These days, most applications running on virtual machines in the cloud run on top of Linux. We all love Linux, but as an all-encompassing operating system for everything from phones to supercomputers, Linux was never really designed for virtual machines; It is big and complex, and it offers features (such as multi-user and multi-process) which are today made redundant by the hypervisor and slow it down. Linux’s APIs are many times set in stone by decades of legacy code. All these cost in application performance, and make it harder to innovate.

This is why we developed OSv, a new operating system designed to run a single application on a virtual machine. As it runs a single application there is no need for kernel-userspace isolation, reducing context switch costs and unnecessary copying. A design from scratch allowed us to experiment with new ideas like lock-free mutexes (solving the Lock-Holder Preemption problem that plagues operating systems on virtual machines), extremely fast context switches, Van Jacobson’s network channels (see http://www.lemis.com/grog/Documentation/vj/lca06vj.pdf), and more. Also, OSv is released under the more permissive BSD license (not GPL like Linux), is tiny compared to Linux, and takes less than one second to boot and start the user’s application.

via Announce: OSv, a new open-source operating system for virtual machines.

Presentation slides can be seen here.

How Twitter Rebuilt Google’s Secret Weapon

Posted on May 15, 2013 by mea

Borg is a way of efficiently parceling work across Google’s vast fleet of computer servers, and according to Wilkes, the system is so effective, it has probably saved Google the cost of building an extra data center. Yes, an entire data center. That may seem like something from another world — and in a way, it is — but the new-age hardware and software that Google builds to run its enormous online empire usually trickles down to the rest of the web. And Borg is no exception.

via Return of the Borg: How Twitter Rebuilt Google’s Secret Weapon | Wired Enterprise | Wired.com.

At Twitter, a small team of engineers has built a similar system using a software platform originally developed by researchers at the University of California at Berkeley. Known as Mesos, this software platform is open source — meaning it’s freely available to anyone — and it’s gradually spreading to other operations as well.

iPad and file systems: failure of empathy

Posted on April 7, 2013 by mea

The easiest decision is no decision. Let’s have two user interfaces, two modes: The easy mode for my mother-in-law, and the pro mode for engineers, McKinsey consultants, and investment bankers. Such dual-mode systems haven’t been very popular so far, it’s been tried without success on PCs and Macs. (Re-reading this, I realise the Mac itself could be considered such a dual-mode machine: Fire up the Terminal app, and you have access to a certified Unix engine living inside)

via iPad and file systems: failure of empathy | Technology | guardian.co.uk.

Why We Should Build Software Like We Build Houses

Posted on February 1, 2013 by mea

Architects draw detailed plans before a brick is laid or a nail is hammered. Programmers and software engineers don’t. Can this be why houses seldom collapse and programs often crash?

via Why We Should Build Software Like We Build Houses | Wired Opinion | Wired.com.

This analogy made me laugh because software doesn’t have to fight gravity or -20F temperatures or whatever else planet Earth has in store for a physical structure. The gist of this article however seems to be that every software project should start with and needs a solid foundation of requirements. Shout out to system engineering!

Update: Here’s an interesting comment from slashdot and a shout out to awk.

If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization.
Gerald Weinberg

Trivia: Gerald Weinberg is the “w” in awk. Sadly, things haven’t changed much since back when.

Cheers,
Dave

Quake 3 Source Code Review

Posted on July 1, 2012 by mea

Since I had one week before my next contract I decided to finish my “cycle of id”. After Doom, Doom Iphone, Quake1, Quake2, Wolfenstein iPhone and Doom3 I decided to read the last codebase I did not review yet:

idTech3 the 3D engine that powers Quake III and Quake Live.

via Quake 3 Source Code Review: Architecture.

I was particularly impressed by :

The virtual machines system and the associated toolchain that altogether account for 30% of the code released. Under this perspective idTech3 is a mini operating system providing system calls to three processes.

The elegant network system based on snapshots and memory introspection.

Bucktown Bell

Cut to the chase.

Tag Archives: software architecture