Cisco 2014 Annual Security Report: Java continues to be most vulnerable of all web exploits

Cisco provides a report on computer security which contains a number of key findings:

  1. Java comprises 91% of all web exploits.
  2. 99% of mobile malware targets Android.
  3. Java is the exploit that criminals choose first, since it delivers the best return on investment.

Continue reading

Ignoring Security Certificate Errors in Google Chrome

Unfortunately Google is quite draconian towards its users: when you use Google Chrome to open a web page with a certificate problem, you simply cannot view the site. There is no dialog where you can say: it's OK, I accept the risk. This behaviour occurs at least with versions 31.0.1650.63 and 32.0.1700.77.

If you want to view web-sites with certificate problems, you have to start Google Chrome like this:

google-chrome --ignore-certificate-errors

More command-line arguments for Chrome can be found here: List of Chromium Command Line Switches.

One prominent example of a web-site with a certificate problem is Intel. Intel is able to power the world's most powerful computer, Tianhe-2, with more than 3 million cores, but it is not able to get its own web-site's certificate right.

Addendum 23-Mar-2014: Google Chrome 33.0.1750.152 fixed the issue. It is now possible to click "Proceed anyway", thereby accepting the risk and continuing with an invalid certificate.

Changing euid (effective user ID)

Sometimes you have to build applications in an environment where you are not able to su to root or use sudo. Nevertheless you have to work with two or more user IDs to make your application work. For example, your business application runs under user ID 1555 (let's call this user u1555), while your web-server runs under user ID 1000 (let's call this user u1000). You want to switch from u1000 to u1555 without explicitly providing the password of u1555.

Continue reading

Working with System V IPC queues in Perl and PHP

In continuation of Working with System V IPC queues from a month ago, this post shows how to access IPC queues from Perl and PHP. A typical scenario is that a web application wants an external application to process data coming from the web application. In that scenario, many messages or tasks from the web application can be queued up in an IPC queue for successive processing by another program that runs independently of the web application, possibly with more access rights.

To use System V queues in PHP you have to make sure that PHP has been compiled with POSIX support. On Red Hat you need the php-process package; on Ubuntu it is present by default.

Continue reading

Effort Estimation Using Learning Curves

A couple of times I had to conduct effort estimations that contained a number of repetitive tasks. The question was how long it would take to finish all these tasks. For example, I had to provide estimates of how many days it would take to program an interface between one system and a couple of other systems to exchange some kind of data (trading products in my particular case). There were many systems involved, and many kinds of data (in my case futures, swaps, bonds, money markets, etc.).

It is common wisdom that you gain experience and become faster by applying the same solution tactics to the same kind of problem. Of course, the effort per problem cannot go to zero or even approach zero: there must be a lower limit on how far the effort for each task can decrease, even after we have learned for a long period of time. All this is the topic of learning curves.

Continue reading