Fred Palma | Computer Scientist

By Ben Lisbakken, Developer Programs Engineer

For me, documentation isn’t always enough to learn about APIs; I need examples that I can play with. That’s why I started a fun project recently–a tool for teaching developers how to use Google’s JavaScript APIs: the AJAX API Playground. I have been working on this in my 20% time and today I am proud to announce that we are launching the AJAX API Playground as the official way that Google will show JavaScript samples!

The AJAX API Playground is currently loaded with over 170 samples for 8 Google JavaScript APIs (Maps, Search, Feeds, Calendar, Visualization, Language, Blogger, Libraries and Earth) that you can edit and run to help you explore what Google’s APIs have to offer. There are also save and export features. The save feature allows you to hold onto an edited sample so you can continue working on it later, while export lets you modify a sample and publish the code to a permanent url.

As the AJAX API Playground is built on App Engine, you can create your own App Engine instance to show off your code samples. The code is open sourced under an Apache 2.0 license and uses several open source libraries and tools, including jQuery, jQuery UI, YUI Compressor, and CodeMirror. You can find the code on Google Project Hosting and learn about adding samples on the project wiki.

Stay tuned for more samples for more APIs. Enjoy!

From: Google Code Blog

Tags: Google by Fred
No Comments »

Tim Bernes-Lee talks about the future of the web.
Campus Party 2009 São Paulo Brasil

Tags: W3C, computer science, web by Fred
No Comments »

SEO starter guide from Google
Site explorer from Yahoo! Search
Webmaster tools from Google Take a tour
136 SEO Tools from seocompany.ca
Website site report from grader

Tags: SEO, Uncategorized by Fred
No Comments »

We love Linux! Nós amamos o Linux!
Campus Party 2009 São Paulo Brasil

Tags: Uncategorized by Fred
1 Comment »

Based on the widely-recognized and seldom-disrespected human rights to enjoy and memorize works of art one can access, and to grant and accept access to them, this article claims legitimate rights to preserve access to works, to convert works to different formats and media, to download and to upload works on the Internet, and to receive and to share works in P2P networks. The full enjoyment of these human rights amounts to self defense against the constant attacks to them.

We shouldn’t feel guilty or ashamed for sharing and downloading digital files. However, the brain washing promoted by the publishing industries of music, cinema and software twists our notions of right and wrong. Confused and scared, we give up rights and accept restrictive laws that serve their greed, in detriment of society. Arguing that so-twisted laws prove us wrong and guilty, they seek even more legal power over us, while pretending to have it already. But they don’t, and they can’t, as long as our human rights are respected.

Disclaimer: the author is not a lawyer. Nothing in this article should be construed as legal advice. However, if you’re ever threatened or sued by the publishing industries or the anti-copying police forces they’re establishing, show this article to your lawyer.

The right to enjoy

Article 27. (1) Everyone has the right freely to participate in the cultural life of the community, to enjoy the arts and to share in scientific advancement and its benefits.

– Universal Declaration of Human Rights, December 10, 1948

If you’re walking on the street and you find a wallet on the ground, you’ll probably pick it up and try to locate its owner to return it. If, while searching for some document that identifies the owner, you find a piece of paper with a poem in it, reading it is all right. You don’t have to ask for permission (license) from the author of the poem, or from the owner of the wallet: you’re entitled to read it and enjoy it. As long as you put it back in place, you won’t have taken anything from anyone. On the other hand, taking the money from the wallet wouldn’t be right, for it would deprive its legitimate owner of it. Publishing industries attempt to confuse us hiding this crucial difference.

If you walk a bit further and hear your neighbor sing a song in the shower, that’s all right. You don’t have to ask for permission (license) from the composer of the song, or from its performer: you’re entitled to listen to it and enjoy it, and even memorize it and sing it for yourself and your friends at a later time.

You hear the bells from the church and you know that at about that time your VCR will be powering off, after taping your favorite broadcast TV show, so you can watch it as you get back home from work. You don’t have to ask for permission (license) from the director, the studio or the TV broadcaster: you’re entitled to record it and watch it at a later time, along with your family and friends.

You get home, you power on your portable computer and load into its drive a DVD you rented. You don’t have to ask for permission (license) from the director, the studio, the DVD publisher or the rental shop to watch the movie, and this involves such tasks as copying the movie from the DVD media to the computer memory, unscrambling the regional encoding, decompressing the video and the audio, copying the video to the digital display memory and converting it to pixel patterns on the screen and then to light waves, copying the audio to the digital audio amplifier and converting it to mechanical vibrations and then sound waves, and finally converting this all into neural impulses and into temporary or permanent memories. Since you’re entitled to watch the movie, you can copy, convert, memorize and replay the whole or the parts, without depending on anyone’s permission.

The right to enjoy an artistic work you’ve had access to is a practical issue. It would be ridiculous to have to ask for permission before reading a piece of paper, and then, once you get it, find out that the permission was spelled out right there. It would be ridiculous to have to somehow refrain from listening to a song that’s playing around you. It would be ridiculous to be deprived of a TV show just because it’s broadcast to all at an inconvenient time. It would be insane to have to ask for permission for each of the conversion and copying steps involved in enjoying an artistic work. It would be insane to have to ask for permission to retain the work in your memory, or to force yourself to forget it in case you fail to locate someone who could and would grant it.

Fortunately, that’s not the way it is! There’s nothing wrong in any of these things, and no law stops you from doing them. There shouldn’t be any: it would be unjust, and it would violate fundamental human rights. You have a right to enjoy works of art you have access to, and to take part in the cultural life in your society. No law should ever take that right away from you.

The right to share

Article 19. Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

– Universal Declaration of Human Rights, December 10, 1948

Say you have a very large collection of books, and you’re disappointed that few people get to read them. You decide to donate them to a public library. You don’t have to ask anyone for permission to make the donation, and the library doesn’t have to ask anyone for permission to lend the books to whomever might be interested in them.

If publishing industries had it their way, you’d have to lock your CD, tape, DVD, and book collections in safes whenever you had guests, lest they should borrow any of them. Instead, you’re not only entitled to display them: you can also play them for your visitors, and let them borrow your copies and listen to them, watch them or read them wherever and whenever they like.

Laws that prohibited receiving and imparting information and ideas would violate fundamental human rights.

The right to preserve

Article 28. Everyone is entitled to a social and international order in which the rights and freedoms set forth in this Declaration can be fully realized.

– Universal Declaration of Human Rights, December 10, 1948

When you buy CDs, DVDs, books, etc, what you’re buying is access to the work, rather than its supporting medium or a supposed license for enjoying it: you don’t need any license for that. In fact, if the medium gets damaged, any decent publisher will replace the broken copy of the work, for no more than a nominal fee that covers media, packaging and shipping costs, so that you can retain the access you’d paid for.

If the publisher goes bankrupt or runs out of copies, you don’t have to let your only copy of the work degrade till you lose access. If the publisher is not decent, it might actually plan for the copies to degrade, to sell access repeatedly until it starts denying access to the work, indefinitely, to all of society. Such a plan is not supposed to work. In fact, several jurisdictions explicitly permit, beyond any doubt, backup copies and copies for personal use, in spite of any exclusive copying rights of an artistic work society might have granted to anyone else.

This explicit permission, albeit welcome, is not strictly necessary. It’s all right to remember works one had access to. However, few have perfect or photographic memory, so we’re taught to use auxiliary memory to record things that matter: to take notes of classes, meetings and findings, to take pictures and record movies of important events in our lives, and even to make backups of information we store in primary and auxiliary memory.

A backup copy of a work is nothing but a memory extension, so that you can more accurately and better remember the work, to recall it and enjoy it at a later time.

No laws can or should stop you from keeping memories and enjoying them, for without memory, the rights to enjoy and to share cannot be fully realized.

The right to convert

Along the same lines, if your old LPs and cassette tapes are degrading, and you worry about finding needles, magnets or motors to fix your players in case they break, you can find comfort in that you are entitled to preserve your access to the works, even if this requires converting them to another form and storing them in other pieces of auxiliary memory.

Say, you can play them into a computer and record them onto electronic, magnetic, optical or any other kind of memory, to time-shift into the future your remaining ability to play the works as many times as you might want.

You can further convert the works to different encoding formats, if that’s what it takes for you to be able to enjoy them, while driving your car, walking on the street or sitting at a bus or train with a portable music or video player, or another kind of computer.

Remember, there isn’t, and there shouldn’t be, any law that stops you from copying and converting a work as accessory steps in the process of enjoying it, or from backing up the results of these accessory steps for future use. You are not supposed to be bound by the limitations of the medium, format or players selected by the party who granted you access to a work: once you gain access to it, you’re entitled to enjoy it however you like.

The combined right to share and preserve

Say a friend wants to borrow a DVD from you, but her dog is famous for its taste for DVDs. You might consider declining your friend’s request, but why should you? You might as well just make a backup copy of the DVD, to preserve your access to the work, and then let your friend take home the “original” copy, or the backup copy you made.

Your friend, in turn, might fail to watch the movie before the time she agreed to return it, or want to watch it a few more times. To preserve her access, extending her memory and time-shifting her ability to enjoy the work as many times as she liked, she could return your copy after making a backup copy of her own. Or call you to ask whether she could keep the copy. She may even refrain from calling, if she knows you will just call her if you ever need it.

In fact, you might have an agreement with her, so you’ll keep backups for each other. Even over the Internet! Although each of you maintains other backups at home, that won’t protect one’s files should one’s house burn down, for example.

So, she reserves part of her computer’s disk space for you to hold your files, and you reserve part of yours for her. You trust each other enough to not be worried about privacy issues, but you also know that you’re backing up each others’ picture, song and movie collections, and that’s as fine as if the pictures, songs and movies were backed up onto off-site CDs, DVDs, tapes, whatever.

And then, since you’re not required to police access to works (in fact, we saw you’re entitled to share it with your friends), you’re not required to encrypt the data or have her agree never to look at those files.

Your arrangement might even include an understanding that you agree that each one can access the pictures, songs and movies in the backups maintained for the other. No further permission is required

The rights to download and upload files

Say you’re going on a trip, taking in your portable computer some papers you want to read. Concerned about theft and loss, you post the files on your web site as well, so that you can get to them on any cybercafe. You don’t have to ask anyone for permission to do this: you’re just preserving your access to them.

These files are for personal use, so at first you don’t tell anyone about the URLs. However, during the trip, you get an e-mail from a friend, and she asks about a paper you’d mentioned to her. It’s one of the papers you’d uploaded to your web site, so you send her the URL. You’re entitled to share works you have access to with your friends. The fact that you can’t meet them personally to hand them copies in physical media shouldn’t get in the way. They, in turn, are entitled to enjoy them and preserve them once you grant them access. Neither of you has to ask anyone for permission.

Your friend passes on the URL to another friend, who then posts it to a private mailing list, and the message later on is forwarded to a public mailing list. People from all over start downloading the file from your web site. That’s fine, you’re entitled to share the work with every one of them. Even if you weren’t, you’re not required to police access to the site any more than you’re required to hide your DVD collection when a friend visits you. Similarly, those who download it aren’t required to police you on whether you have any permission you might need in order to grant them access to the work, any more than they’d have to check whether you’re entitled to lend them a DVD.

Edit Link Top

The right to P2Preserve

Your cross-backup arrangement works so well that, when you read about a peer-to-peer distributed backup system, you jump into it. As before, each peer offers a portion of their hard disks to host others’ backups, and in turn has portions of their own disks backed up on the network.

One major advantage is that the backups are replicated among various participants, so that even if a few drop off the network, the backup files remain available. The system is also clever enough to tell when multiple users want to back up the same file, avoiding wastage.

Of course you keep your personal files encrypted on such a backup system, for you don’t trust everyone out there as much as you trust your friend. But for files you’d normally share with friends, why would you prevent wastage reduction?

One day you get an e-mail from another peer in the network, asking whether you’d mind if she kept a copy of a song she found out she was backing up for you. What a silly question! She was already keeping that copy, and she had evidently already gained access to the song, so it’s obvious she can keep it. But she thought asking couldn’t hurt. It didn’t: it gave rise to a good friendship.

The right to P2Participate

One day you accidentally remove a file from your computer. You ask the network for a backup, and you find it’s restored so quickly you can hardly believe it! By chance, another peer had just backed up a copy of that file in the network, and it happened to be transferred to your computer shortly before you requested the restore.

Turns out this person seems to like the same songs you do. You recognize most of them, but there are a few you hadn’t heard before, and they’re just the sort of thing you love! So you keep a copy of the songs that this new friend shared with you. You also send him a thank-you note with some musical tips, and you become close friends.

Nowadays, every time you purchase a CD or a DVD you like, you preserve it in the folder backed up by P2P. Nothing stops you from using the network as memory to preserve your access to the works, or from permitting your friends to gain access to them. And every now and then you get e-mail from a new friend thanking you for that.

One interesting aspect of this network is that, when a peer drops off, the network will make up for the loss creating more replicas of the files that were in the peer. You don’t have to ask anyone for permission to transfer around the files you host for others, any more than an ISP needs to ask anyone for permission to transfer the files you requested from third parties, or to cache them.

When you join a P2P network just to download a file, the situation is slightly different, for you have a much better notion of what you’re downloading and transmitting. However, as we saw before, it’s all right to download an artistic work and to share access to it with a friend. If someone who’s entitled to share access with you and others asks for your help in extending it to the others, why not help?

But what about the poor publishing industry?

Article 27. (2) Everyone has the right to the protection of the moral and material interests resulting from any scientific, literary or artistic production of which he is the author.

– Universal Declaration of Human Rights, December 10, 1948

Under the false pretense of helping authors, whom the inhumane publishing industry exploits as much as it does us, it will probably keep on trying to limit what people can do, by technical and legal means, inventing technological barriers to deny fundamental rights, threatening to sue and to throw people in jail for exercising them, and hiring legislators to pass laws that take further rights away from us.

But why should society accept laws that undermine fundamental human rights, as well as such bases of society as friendship and sharing? Sharing with friends yields no material interest, therefore not even an author could invoke the human right of protection of material interests to oppose it.

Tele-revolution

If some day we develop teleportation, and the technology becomes widely available at low cost, businesses that depended on the difficulty of transporting people and goods from one place to another would have to revise their strategies. Some might adapt and find other just ways to earn money; others would press to preserve their obsolete business models.

But imagine if telegraph had been forbidden because of concerns from the postal industry. If telephone, e-mail and instant messaging had been forbidden because of concerns from the telegraph industry. If mobile phones or calls over the Internet had been forbidden because of concerns from the landline phone industry.

It doesn’t make sense for society to prohibit or limit the use of teleportation just to maintain the scarcity that enabled transport businesses to profit; certainly not unless this deprivation somehow brings greater good to society at large.

Multi-revolution

If some day we develop object multiplication technology, and it becomes widely available at low cost, businesses that depended on the difficulty of producing replicable objects or substances would have to revise their strategies. Some might adapt and find other just ways to earn money; others would press to preserve their obsolete business models.

But imagine if the bread producers attempted to prohibit the multiplication of bread for the hungry. If the fashion industry attempted to prohibit the replication of clothes for the shivering. If the pharmaceutic industry attempted to prohibit the copying of medicines for the ill. If the farming and seed industries attempted to prohibit the reproduction of soy, corn, potato, wheat, rice, beans and other kinds of food. Nonsense! It’s no wonder that some find it so hard to believe that intelligent people could be misled into crucifying someone for multiplying and sharing fish and bread, and for teaching others how to perform such miracles.

It doesn’t make sense for society to prohibit or limit the use of multiplication, just to maintain the scarcity that enabled manufactures to profit; certainly not unless this deprivation somehow brings greater good to society at large.

Inter-revolution

Turns out computers connected to the Internet can perform remote multiplication of digital works. Businesses that depend on the difficulty of replicating and transporting these works have to revise their strategies urgently. Some have already adapted and found other just ways to earn money; others have been pressing to preserve their obsolete business models.

But it doesn’t make sense for societies to prohibit or limit the use of digital multiplication, local or remote, just to restore the scarcity that enabled publishers to profit before this advance; certainly not unless this deprivation somehow brings greater good to society at large.

Anti-revolution

All laws in a democratic society should bring benefit to society. Copyright, for example, is a limited monopoly granted by society, as an incentive to the publication of artistic works, so that they can be enjoyed and used by all, even though some limited uses, that would be impossible without the publication, have to wait for the expiration of the monopoly.

There is no indication that granting publishers more power over authors and us will bring about any benefit to all. Criminalizing alleged violations of copyrights isn’t improving the artistic quality of the published works. Extending copyrights’ duration retroactively every time Mickey Mouse is about to finally enter the public domain isn’t giving us more Walt Disney works, neither new (how could it?) nor the well-known ones. Giving publishers powers of legislators and judges, by passing laws that prohibit us from escaping technical limitations designed into their products, even to perform acts we are entitled to, would deny society the very benefits that justify the monopoly: enabling everyone to enjoy and use the works, even after some short delay.

We should all keep in mind that copyright was designed so as to permit private enjoyment, private performance, and sharing and preserving culture, and that we’d need very good reasons for all to deprive ourselves from any of that. We must fight attempts to turn these laws inside-out, for they would benefit few in detriment of most.

Fundamental rights and self defense

Article 10. Everyone is entitled in full equality to a fair and public hearing by an independent and impartial tribunal, in the determination of his rights and obligations and of any criminal charge against him.

– Universal Declaration of Human Rights, December 10, 1948

When some provision of law or proposed bills appear to conflict with fundamental rights, we’re entitled to and supposed to stand up for our rights, and oppose laws that deny them or cast doubt on them.

Since these are fundamental rights, they shouldn’t be outlawed. Even if there are criminal provisions that appear to cover them, in a state of law the regular enjoyment of civil rights can’t be regarded as a crime.

As for private means to attack fundamental rights, that the industry resorts to every now and again to impose restrictions that violate human rights, deflecting the attack to enjoy the civil rights amounts to acting in self defense, which, in a state of law, can’t be regarded as a crime either.

Written for the proceedings of the First Congresso Estadual de Software Livre do do Ceará, CESoL-CE, held in Fortaleza, Ceará, Brazil, from August 18-23, 2008.

Copyright 2008 Alexandre Oliva
Copyright 2008 FSFLA

Permission is granted to make and distribute verbatim copies of this entire document worldwide without royalty, provided the copyright notice, the document’s official URL, and this permission notice are preserved.

http://fsfla.org/texto/copying-and-sharing-in-self-defense
Alexandre Oliva <lxoliva@fsfla.org>

Tags: politics by Fred
No Comments »

Type:
sudo apt-get install ubuntu-restricted-extras flashplugin-nonfree mozilla-mplayer

And enjoy!

Tags: Linux, Operational System, Uncategorized by Fred
No Comments »

www.campusparty.com.br
The event started (09/01/19 – 22:43 – São Paulo).
It will have Tim Berners-Lee and Jon “Maddog” Hall.
Thanks Rubens Queiroz from dicas-l and Sérgio Amadeu. They gave me the Campus Party 2009 subscription. Thanks Caio Nakashima to give me the opportunity to go to the event.

The event provides 10 G/sec transfer rate. I’m getting 11724.1 KB/sec.

Tags: Internet by Fred
No Comments »

Experts Announce Agreement on the 25 Most Dangerous Programming Errors – And How to Fix Them
From SANS

January 12, 2009 -  Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.

The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 – and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.

People and organizations that provided substantive input to the project are listed below. They are among the most respected security experts and they come from leading organizations ranging from Symantec and Microsoft, to DHS’s National Cyber Security Division and NSA’s Information Assurance Division, to OWASP and the Japanese IPA, to the University of California at Davis and Purdue University. The MITRE and the SANS Institute managed the Top 25 Errors initiative, but the impetus for this project came from the National Security Agency and financial support for MITRE’s project engineers came from the US Department of Homeland Security’s National Cyber Security Division. The Information Assurance Division at NSA and National Cybersecurity Division at DHS have consistently been the government leaders in working to improve the security of software purchased by the government and by the critical national infrastructure.

What was remarkable about the process was how quickly all the experts came to agreement, despite some heated discussion. “There appears to be broad agreement on the programming errors,” says SANS Director, Mason Brown, “Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify.”

The Office of the Director of National Intelligence expressed its support saying, “We believe that integrity of hardware and software products is a critical element of cybersecurity. Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation’s critical infrastructure depend on commercial products for business operations. The Top 25 is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education.”

Until now, most guidance focused on the ‘vulnerabilities’ that result from programming errors. This is helpful. The Top 25, however, focuses on the actual programming errors, made by developers that create the vulnerabilities. As important, the Top 25 web site provides detailed and authoritative information on mitigation. “Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens.” said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

Each entry at the Top 25 Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.

CATEGORY: Insecure Interaction Between Components

CWE-20: Improper Input Validation

It’s the number one killer of healthy software, so you’re just asking for trouble if you don’t ensure that your input conforms to expectations…MORE >>

CWE-116: Improper Encoding or Escaping of Output

Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days…MORE >>

CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)

If attackers can influence the SQL that you use to communicate with your database, then they can…MORE >>

CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)

Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications…If you’re not careful, attackers can…MORE >>

CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)

When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers…MORE >>

CWE-319: Cleartext Transmission of Sensitive Information

If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many…MORE >>

CWE-352: Cross-Site Request Forgery (CSRF)

With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim…MORE >>

CWE-362: Race Condition

Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable…MORE >>

CWE-209: Error Message Information Leak

If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data…MORE >>

CATEGORY: Risky Resource Management

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer

Buffer overflows are Mother Nature’s little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you’re…MORE >>

CWE-642: External Control of Critical State Data

There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can…MORE >>

CWE-73: External Control of File Name or Path

When you use an outsider’s input while constructing a filename, you’re taking a chance. If you’re not careful, an attacker could… MORE >>

CWE-426: Untrusted Search Path

If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker’s choosing. This causes the software to access the wrong resources at the wrong time…MORE >>

CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)

For ease of development, sometimes you can’t beat using a couple lines of code to employ lots of functionality. It’s even cooler when…MORE >>

CWE-494: Download of Code Without Integrity Check

You don’t need to be a guru to realize that if you download code and execute it, you’re trusting that the source of that code isn’t malicious. But attackers can perform all sorts of tricks…MORE >>

CWE-404: Improper Resource Shutdown or Release

When your precious system resources have reached their end-of-life, you need to…MORE >>

CWE-665: Improper Initialization

Just as you should start your day with a healthy breakfast, proper initialization helps to ensure…MORE >>

CWE-682: Incorrect Calculation

When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. It might cause you to…MORE >>

CATEGORY: Porous Defenses

CWE-285: Improper Access Control (Authorization)

If you don’t ensure that your software’s users are only doing what they’re allowed to, then attackers will try to exploit your improper authorization and…MORE >>

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers…MORE >>

CWE-259: Hard-Coded Password

Hard-coding a secret account and password into your software’s authentication module is…MORE >>

CWE-732: Insecure Permission Assignment for Critical Resource

If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world – well, that’s just what they’ll become…MORE >>

CWE-330: Use of Insufficiently Random Values

If you use security features that require good randomness, but you don’t provide it, then you’ll have attackers laughing all the way to the bank…MORE >>

CWE-250: Execution with Unnecessary Privileges

Spider Man, the well-known comic superhero, lives by the motto “With great power comes great responsibility.” Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky…MORE >>

CWE-602: Client-Side Enforcement of Server-Side Security

Remember that underneath that fancy GUI, it’s just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls…MORE >>

Resources to Help Eliminate The Top 25 Errors

The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites
www.sans.org/top25
cwe.mitre.org/top25/

MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security’s National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional programming errors, design errors and architecture errors that can lead to exploitable vulnerabilities. cwe.mitre.org/

SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.
Email spa@sans.org for details
And see www.sans-ssi.org/certification/ for the GSSP Blueprints

SAFECode – The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.
http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf

Nearly a dozen software companies offer automated tools that test programs for these errors. SANS maintains case studies of user experience with these and other security tools at www.sans.org/whatworks.

New York State has produced draft procurement standards to allow companies to buy software with security baked in.

Draft New York State procurement language will be posted at www.sans.org/appseccontract.

For additional information on any of these:
SANS: Mason Brown, mbrown@sans.org
MITRE: Bob Martin, ramartin@mitre.org
MITRE: Steve Christey, coley@mitre.org

Which People and Organizations Made Substantive Contributions to the Top 25 Errors List?

Robert C. Seacord, CERT
Pascal Meunier, CERIAS, Purdue University
Matt Bishop, University of California, Davis
Kenneth van Wyk, KRvW Associates
Masato Terada, Information-Technology Promotion Agency (IPA), (Japan)
Sean Barnum, Cigital, Inc.
Mahesh Saptarshi and Cassio Goldschmidt, Symantec Corporation
Adam Hahn, MITRE
Jeff Williams, Aspect Security
Carsten Eiram, Secunia
Josh Drake, iDefense Labs at VeriSign, Inc.
Chuck Willis, MANDIANT
Michael Howard, Microsoft
Bruce Lowenthal, Oracle Corporation
Mark J. Cox, Red Hat Inc.
Jacob West, Fortify Software
Djenana Campara, Hatha Systems
James Walden, Northern Kentucky University
Frank Kim, ThinkSec
Chris Eng and Chris Wysopal, Veracode, Inc.
Ryan Barnett, Breach Security
Antonio Fontes, New Access SA, (Switzerland)
Mark Fioravanti II, Missing Link Security Inc.
Ketan Vyas, Tata Consultancy Services (TCS)
Lindsey Cheng, Ian Peters and Tom Burgess, Secured Sciences Group, LLC
Hardik Parekh and Matthew Coles, RSA – Security Division of EMC Corporation
Mouse
Ivan Ristic
Apple Product Security
Software Assurance Forum for Excellence in Code (SAFECode)
Core Security Technologies Inc.
Depository Trust & Clearing Corporation (DTCC)
The working group at the first OWASP ESAPI Summit
National Security Agency (NSA) Information Assurance Division
Department of Homeland Security (DHS) National Cyber Security Division

Robert Martin, CWE Project Leader at MITRE heralded the effort of these contributors by saying, “It is gratifying to see the amount of collaboration and energy that all these serious, security-savvy people invested in making this list as accurate and authoritative as it can be. Very impressive!”

How Will the Top 25 Errors Be Used?

The Top 25 Errors will have four major impacts:

• Software buyers will be able to buy much safer software.
• Programmers will have tools that consistently measure the security of the software they are writing.
• Colleges will be able to teach secure coding more confidently.
• Employers will be able to ensure they have programmers who can write more secure code.

First, software buyers will be able to buy much safer software.

Buyers will require that software vendors certify in writing that the code they are delivering is free of these 25 programming errors. Certification shifts responsibility to the vendor for correcting the errors and for any damage caused by those errors. The standard procurement language under development by the State of New York and other state governments already is being adjusted to use the Top 25 Errors. Over time the multi-national Common Criteria program may also adopt the Top 25 as one approach for ensuring code purchased by the US government is free of the Top 25 errors.

Second, programmers will have tools that consistently measure the security of the software they are writing.

Software testing tools will use the Top 25 in their evaluations and provide scores for the level of secure coding in software being tested. In parallel with this announcement, on January 12, one of the leading software testing vendors is announcing that its software will be able to test for and report on the presence of a large fraction of the Top 25 Errors. Application development teams will use such testing software during the development process.

Colleges will be able to teach secure coding more confidently.

Colleges and others who prepare programmers will use the Top 25 Errors as a foundation for curriculum that ensures their students know how to avoid the critical programming errors. One of the colleges that participated in developing the Top 25, UC Davis, has already established a secure coding clinic where student-written software is reviewed for the key programming errors that lead to critical security vulnerabilities. The Top 25 enables the clinic to prioritize errors in its review. Other colleges are beginning to emulate the secure coding clinics.

Employers will be able to ensure they have programmers who can write more secure code.

Employers will use the Top 25 Errors list as a guide for evaluating and improving skills of programmers they hire and of outsourced programming talent. More than 100 large employers are already using a common assessment tool called the GSSP (GIAC Secure Software Programmer) to measure secure coding skills. The GSSP exams are being reviewed in an effort to fully incorporate and highlight mastery of programming knowledge needed to find and eliminate or avoid the Top 25. More data on the GSSP may be found at http://www.sans-ssi.org/ and organizations with at least 500 programmers may have up to 100 of those programmers? secure coding skills assessed confidentially and at no cost. Email spa@sans.org to get that started.

Courses are available that teach secure coding skills to programmers in C/C++, in Java, and in .NET languages. Information at http://www.sans-ssi.org/courses/

How Important Are the Top 25 Errors?

We asked several of the participants why they thought this effort was important enough to merit a significant amount of their time and expertise. Here are a few of their answers. More are at the end of the announcement.

National Security Agency’s Information Assurance Directorate

“The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology. There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause. Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively.”
-Tony Sager, National Security Agency’s Information Assurance Directorate

US Department of Energy:

“The CWE/SANS Top 25 effort is extremely valuable and will provide many organizations with a tangible way to begin addressing software security problems.”
- Michael Klosterman, SCADA Operations, Western Area Power Association, US Department of Energy

Depository Trust:

“The CWE-SANS Top 25 Errors is a vital tool for organizations that believe in a risk-based approach to software security enabling them to assess the specific vulnerabilities identified in their environments compared with a composite perspective of risk from industry recognized experts.”
- Jim Routh, CISO, The Depository Trust & Clearing Corporation

Microsoft:

“The 2009 CWE/SANS Top 25 Programming Errors project is a great resource to help software developers identify which security vulnerabilities are the most important to understand, prevent and fix.”
- Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft Corp.

OWASP Foundation:

“When facing a huge application portfolio that could contain many thousands of instances of over 700 different types of weaknesses, knowing where to start is a daunting task. Done right, stamping out the CWE Top 25 can not only make you significantly more secure but can cut your software development costs.”
- Jeff Williams, Aspect Security CEO and The OWASP Foundation Chair

Symantec:

“The 2009 CWE/SANS Top 25 Programming Errors reflects the kinds of issues we’ve seen in application software and helps provide us with actionable direction to continuously improve the security of our software.”
- Wesley H. Higaki, Director, Software Assurance, Office of the CTO, Symantec Corporation

Software Assurance Consortium:

“As an advocate for the consumer, this is viewed as a giant step forward in providing security for all users. It increases awareness of the various levels of secure software by highlighting its effects on our daily use of all software products. The CWE/SANS Top 25 effort adds the capability to our tool box which in turn aids the SwAC in our mission to bring together Industry and Government to transform the security and dependability of all software products.”
- Dan Wolf, Director, Software Assurance Consortium.

EMC:

“The Top 25 List puts a powerful tool into the hands of the programmers along with every person involved in designing and developing software. The simple fact that such a list now exists will allow software assurance to be practiced more effectively.”
- Dan Reddy, Consulting Product Manager, EMC Product Security Office

Purdue:

“The CWE Top 25 should be watched because targeting the most troublesome programming mistakes can potentially reduce the occurrence of vulnerabilities and our exposure at a national level, while diminishing our undesirable dependence on patches.”
- Pascal Meunier, CERIAS, Purdue University

Secunia:

“This Top 25 is without a doubt one of the most useful compilations of common coding mistakes leading to vulnerabilities in software. The list, which has been created based on feedback from many experts in the security industry, focuses on selection criteria like severity and prevalence, thus covering a broad range of the most critical errors commonly introduced in applications today. The Top 25 is compiled in a easy-to-read and entertaining language and does not only provide a good understanding of common coding mistakes, but also how to avoid them. I can therefore highly recommend this read to anyone involved in software design to ensure that they won’t make the same mistakes in 2009 as they’ve made previously.”
- Carsten Eiram, Chief Security Specialist, Secunia.

Ken van Wyk:

“This list of programming errors should be enormously useful to the community. It serves to help us all get our collective “arms around” understanding the most common security defects in our code, just as the OWASP Top 10 helps us understand the attacks against those defects.”
- Kenneth R. van Wyk, KRvW Associates, LLC

Veracode:

“A prioritized list of security issues is the starting point to make software security practical in the business world of resource constraints and ship dates. The Top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers.”
- Chris Wysopal, Co-Founder and CTO of Veracode, Inc.

Core Security Technologies:

“This is the first serious attempt at building a taxonomy of software security weaknesses and flaws with an emphasis on the practical application of identifying, preventing and fixing or mitigating the issues they pose. It is a necessary and long overdue step towards creating a common language for the software development and security communities in need of a more rational way to address what are currently the most urgent and relevant software security problems.”
- Ivan Arce, CTO of Core Security Technologies Inc.

Breach Security:

“The CWE/SANS Top 25 List is an excellent tactical resource for organizations to prioritize and remediate the root causes of today’s successful attacks. This should be required reading for all developers as it is a “Cliff Notes” version of essential secure coding principles.”
- Ryan C. Barnett, Director of Application Security Research, Breach Security

McAfee:

“The 2009 CWE/SANS Top 25 Programming Errors effort is right on target. By educating software developers on the most important issues and showing them how to avoid writing security bugs, this effort will help programmers correct code issues before they become security problems.”
- Kent Landfield, Director, Risk and Compliance Security Research, McAfee, Inc.

Ounce Lab:

“Let’s use this list as a way to jumpstart the solutions – make 2009 a year to make things happen and solve these problems that have been around way too long. Far too many solutions exist out there to help address these all-too-common errors. Start using this list to secure your software today because if the last few years have been any indication, tomorrow is already too late.”
- Ryan Berg, Co-Founder and Chief Scientist, Ounce Labs

Grammatech:

“Bugs in software are a plague on our profession and bad for business. They are inevitable, yet understanding of which bugs are most important is often gained the hard and expensive way when they show up in the field. The CWE/SANS Top 25 effort will raise awareness of the huge variety of different kinds of defects that can occur, and will help programmers focus on those that matter most to application quality and security.”
- Paul Anderson – Vice President of Engineering, Grammatech Inc.

TOP 25 Most Dangerous Programming Errors and How To Fix Them

Tags: security by Fred
No Comments »