DOCSLIB.ORG

OPINION Security Columns Standards Book Reviews

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
OPINION Security Columns Standards Book Reviews DECEMBER 2008 VOLUME 33 NUMBER 6 OPINION Musings 2 Rik Farrow SECURITY Masquerade: Simulating a Thousand Victims 6 Sam Small, JoShua maSon, Ryan macaRthuR, and Fabian monRoSe THE USENIX MAGAZINE SCADA: Issues, Vulnerabilities, and Future Directions 14 tim yaRdley Highly Predictive Blacklisting 21 Jian Zhang, PhilliP Porr aS, and JohanneS ullRich Investigating Argos 29 Jeffrey beRg, evan teRan, and Sam StoveR Architecture and Threat Analysis of a Campus Wireless Network 36 calvin Ardi and daniel chen CoLUMns Practical Perl Tools: This Column Is Password-Protected. 46 david n. blank-edelman Pete’s All Things Sun: The Death of Solaris 51 PeteR baeR galvin iVoyeur: You Should Write an NEB Module, Revisited 57 david JoSePhSen /dev/random 61 RobeRt g. Ferrell STANDARDs Update on Standards: Diary of a Standards Geek, Part 2 63 nick Stoughton BooK REVIEWS Book Reviews 68 eliZabeth Zwicky et al. USEniX NOTES Thanks to Our Volunteers 72 ellie young ConFERENCES Security ’08 Reports 75 WOOT ’08 Reports 99 EVT ’08 Reports 102 HotSec ’08 Reports 109 Metricon 3.0 114 The Advanced Computing Systems Association DecCovers.indd 1 11/13/08 10:36:40 AM Upcoming Events 1s t Wo r k s h o p o n t h e th e o r y a n d pr a c t i c e o f 6t h USENIX sy M p o s i um o n ne t W o r k e d sy s t e M s pr o v e n a n c e (taPP ’09) de s i g n a n d iM p l e M e n t a t i o n (NSDI ’09) Co-located with FAST ’09 Sponsored by USENIX in cooperation with ACM SIGCOMM February 23, 2009, San FranciSco, CA, uSa and ACM SIGOPS http://www.usenix.org/tapp09 april 22–24, 2009, boSton, Ma, uSa http://www.usenix.org/nsdi09 7t h USENIX co n f e r e n c e o n fi l e a n d st o r a g e technologies (FAST ’09) 12t h Wo r k s h o p o n ho t to p i c s in op e r a t i n g Sponsored by USENIX in cooperation with ACM SIGOPS, sy s t e M s (ho t OS XII) IEEE Mass Storage Systems Technical Committee (MSSTC), Sponsored by USENIX in cooperation with the IEEE Technical and IEEE TCOS Committee on Operating Systems (TCOS) February 24–27, 2009, San FranciSco, CA, uSa May 18–20, 2009, Monte Verità, SWitzerlanD http://www.usenix.org/fast09 http://www.usenix.org/hotos09 Paper submissions due: January 13, 2009 2009 ACM SIGPLAN/SIGOPS international co n f e r e n c e o n vi r t U a l eX e c U t i o n en v i r o n M e n t s 2009 USENIX an n U a l te c h n i c a l co n f e r e n c e (VEE ’09) June 14–19, 2009, San Diego, CA, uSa Sponsored by ACM SIGPLAN and SIGOPS in cooperation with http://www.usenix.org/usenix09 USENIX Paper submissions due: January 9, 2009 March 11–13, 2009, WaShington, D.c., uSa http://www.cs.purdue.edu/VEE09/ 18t h USENIX se c U r i t y sy M p o s i um auguSt 12–14, 2009, Montreal, canaDa fi r s t USENIX Wo r k s h o p o n ho t to p i c s in http://www.usenix.org/sec09 Paper submissions due: February 4, 2009 pa r a l l e l i s M (ho t pa r ’09) March 30–31, 2009, berkeley, CA http://www.usenix.org/hotpar09 23r d la r g e installation sy s t e M ad M inistration co n f e r e n c e (LISA ’09) Sponsored by USENIX and SAGE 8t h international Wo r k s h o p o n pe e r -t o -pe e r noVeMber 1–6, 2009, BALTIMORE, MD, uSa sy s t e M s (IPTPS ’09) http://www.usenix.org/lisa09 Co-located with NSDI ’09 april 21, 2009, boSton, Ma, uSa http://www.usenix.org/iptps09 Submissions due: January 9, 2009 2n d USENIX Wo r k s h o p o n la r g e -sc a l e eX p l o i t s a n d eM e r g e n t th r e a t s (LEET ’09) Co-located with NSDI ’09 april 21, 2009, boSton, Ma, uSa http://www.usenix.org/leet09 Submissions due: January 16, 2009 For a complete list of all USENIX & USENIX co-sponsored events, see http://www.usenix.org/events. DecCovers.indd 2 11/17/08 11:56:12 AM OPINION Musings 2 Rik FArrOw SECURITY Masquerade: Simulating a Thousand Victims 6 SAm Small, JoshuA Mason, ryan MacArThur, and FAbian Monrose SCADA: Issues, Vulnerabilities, and Future Directions 14 TIm yArdley Highly Predictive Blacklisting 21 contents JIan Zhang, Phillip POrr as, and JOhanneS UllrIch Investigating Argos 29 Jeffrey berG, evan Teran, and SAm Stover Architecture and Threat Analysis of a Campus Wireless Network 36 Calvin Ardi and DanieL cheN CoLUMns Practical Perl Tools: This Column Is Password-Protected. 46 DAvid N. Blank-EdeLman Pete’s All Things Sun: The Death of Solaris 51 PeTer Baer Galvin VOL. 33, #6, December 2008 iVoyeur: You Should Write an NEB Module, Editor ;login: is the official Revisited 57 Rik Farrow magazine of the DAvid JosePhSeN USENIX Association. [email protected] /dev/random 61 Managing Editor ;login: (ISSN 1044-6397) is RoberT G. FerreLL Jane-Ellen Long published bi-monthly by the [email protected] USENIX Association, 2560 Ninth Street, Suite 215, STANDARDs Copy Editor Berkeley, CA 94710. Update on Standards: Diary of a Standards David Couzens Geek, Part 2 63 [email protected] $90 of each member’s annual NIck StouGhton dues is for an annual sub- produCtion scription to ;login:. Subscrip- Casey Henderson tions for nonmembers are Jane-Ellen Long $120 per year. BooK REVIEWS Book Reviews 68 Michele Nelson ElizabeTh ZwIcky eT al. Periodicals postage paid at typEsEttEr Berkeley, CA, and additional Star Type offices. [email protected] USEniX NOTES Thanks to Our Volunteers 72 POSTMASTER: Send address Ellie Young USEniX assoCiation changes to ;login:, 2560 Ninth Street, USENIX Association, Suite 215, Berkeley, 2560 Ninth Street, ConFERENCES Security ’08 Reports 75 California 94710 Suite 215, Berkeley, Phone: (510) 528-8649 CA 94710. WOOT ’08 Reports 99 FAX: (510) 548-5738 ©2008 USENIX Association http://www.usenix.org EVT ’08 Reports 102 http://www.sage.org USENIX is a registered trade- mark of the USENIX Associa- HotSec ’08 Reports 109 tion. Many of the designations Metricon 3.0 114 used by manufacturers and sellers to distinguish their products are claimed as trade- marks. USENIX acknowledges all trademarks herein. Where those designations appear in this publication and USENIX is aware of a trademark claim, the designations have been printed in caps or initial caps. ;LOGIN: December 2008 ArTIcLe TITLe 1 Login_DEC08_final.indd 1 11/13/08 10:35:34 AM It’s a beautIful day outsIde, but the nights are tending toward cold. And by Rik Farrow the time you read this column, fall will be changing into real winter. I love this time of year, when overheated summer days have passed and milder weather rules. The change into really cooler weather has musings always felt stimulating to me. These changes got me thinking about the changes [email protected] we’ve seen in the computer industry. Some obvious ones have to do with the price versus performance of desktop computers. Software has changed too, as desktop CPUs became fast enough to include in su- percomputers. Even graphics processors are evolv- ing into array processors useful for calculations having nothing to do with games. But even as there are changes, there are also those things that seem almost changeless. Peek from the Past I started reading an article referenced by Jason Dusek (October 2008 ;login:) by Alan Kay. Kay is one of the creators of SmallTalk, but what really struck me was how he was thinking about comput- ers in 1967 [1]. Kaye envisioned under-five-pound, wirelessly connected tablet computers used specifi- cally for helping children learn. He mused about this in the day when graphical displays were rare, and a computer that could run one was the size of a desk with a mainframe for a backend. Today, SmallTalk runs on the XO as Squeak [2], and it grew directly out of Kay’s ideas surrounding the DynaBook, that tablet computer he envisioned in the 1960s. Kay’s vision included both software and the hard- ware that would support it. And it is really great to learn that this distant vision has actually become reality in some form. But I would like to see more. If you read Kay’s article, you might be struck by how much of the computer architectures of the 1960s remains familiar. Kay worked his way through college as a programmer for the Air Force, using Burroughs mainframes. His second system, a B5000, had segmented storage, high-level language compilers, byte-code execution, automated mech- anisms for subroutine calling and multiprocess switching, pure code for sharing, and memory pro- tection mechanisms. This was in 1961 and should all sound familiar except for the name of the main- frame company. 2 ;LOGIN: vOL.
Load more

Recommended publications
  • ROADS and BRIDGES: the UNSEEN LABOR BEHIND OUR DIGITAL INFRASTRUCTURE Preface
    Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure WRITTEN BY Nadia Eghbal 2 Open up your phone. Your social media, your news, your medical records, your bank: they are all using free and public code. Contents 3 Table of Contents 4 Preface 58 Challenges Facing Digital Infrastructure 5 Foreword 59 Open source’s complicated relationship with money 8 Executive Summary 66 Why digital infrastructure support 11 Introduction problems are accelerating 77 The hidden costs of ignoring infrastructure 18 History and Background of Digital Infrastructure 89 Sustaining Digital Infrastructure 19 How software gets built 90 Business models for digital infrastructure 23 How not charging for software transformed society 97 Finding a sponsor or donor for an infrastructure project 29 A brief history of free and public software and the people who made it 106 Why is it so hard to fund these projects? 109 Institutional efforts to support digital infrastructure 37 How The Current System Works 38 What is digital infrastructure, and how 124 Opportunities Ahead does it get built? 125 Developing effective support strategies 46 How are digital infrastructure projects managed and supported? 127 Priming the landscape 136 The crossroads we face 53 Why do people keep contributing to these projects, when they’re not getting paid for it? 139 Appendix 140 Glossary 142 Acknowledgements ROADS AND BRIDGES: THE UNSEEN LABOR BEHIND OUR DIGITAL INFRASTRUCTURE Preface Our modern society—everything from hospitals to stock markets to newspapers to social media—runs on software. But take a closer look, and you’ll find that the tools we use to build software are buckling under demand.
    [Show full text]
  • Security Now! #731 - 09-10-19 Deepfakes
    Security Now! #731 - 09-10-19 DeepFakes This week on Security Now! This week we look at a forced two-day recess of all schools in Flagstaff, Arizona, the case of a Ransomware operator being too greedy, Apple's controversial response to Google's posting last week about the watering hole attacks, Zerodium's new payout schedule and what it might mean, the final full public disclosure of BlueKeep exploitation code, some potentially serious flaws found and fixed in PHP that may require our listener's attention, some SQRL news, miscellany, and closing-the-loop feedback from a listener. Then we take our first look on this podcast into the growing problem and threat of "DeepFake" media content. All Flagstaff Arizona Schools Cancelled Thursday, August 5th And not surprisingly, recess is extended through Friday: https://www.fusd1.org/facts https://www.facebook.com/FUSD1/ ​ ​ And Saturday... Security Now! #730 1 And Sunday... Security News A lesson for greedy ransomware: Ask for too much… and you get nothing! After two months of silence, last Wednesday Mayor Jon Mitchell of New Bedford, Massachusetts held their first press conference to tell the interesting story of their ransomware attack... The city's IT network was hit with the Ryuk (ree-ook) ransomware which, by the way, Malwarebytes now places at the top of the list of file-encrypting malware targeting businesses. It'll be interesting to see whether So-Dino-Kee-Bee's affiliate marketing model is able to displace Ryuk. But, in any event, very fortunately for the city of New Bedford, hackers breached the city's IT network and got Ryuk running in the wee hours of the morning following the annual 4th of July holiday.
    [Show full text]
  • The Quality Attribute Design Strategy for a Social Network Data Analysis System
    Rochester Institute of Technology RIT Scholar Works Theses 5-2016 The Quality Attribute Design Strategy for a Social Network Data Analysis System Ziyi Bai [email protected] Follow this and additional works at: https://scholarworks.rit.edu/theses Recommended Citation Bai, Ziyi, "The Quality Attribute Design Strategy for a Social Network Data Analysis System" (2016). Thesis. Rochester Institute of Technology. Accessed from This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. The Quality Attribute Design Strategy for a Social Network Data Analysis System by Ziyi Bai A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Software Engineering Supervised by Dr. Scott Hawker Department of Software Engineering B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of Technology Rochester, New York May 2016 ii The thesis “The Quality Attribute Design Strategy for a Social Network Data Analy- sis System” by Ziyi Bai has been examined and approved by the following Examination Committee: Dr. Scott Hawker Associate Professor Thesis Committee Chair Dr. Christopher Homan Associate Professor Dr. Stephanie Ludi Professor iii Acknowledgments Dr.Scott Hawker, I can confidently state that without your guidance I would not have accomplished my achievement. Your support has impacted my future for the better. Thank you for everything. Dr. Chris Homan, I am so thankful that you reached out to me and provided the requirements for this thesis.
    [Show full text]
  • Download Slide (PDF Document)
    When Django is too bloated Specialized Web-Applications with Werkzeug EuroPython 2017 – Rimini, Italy Niklas Meinzer @NiklasMM Gotthard Base Tunnel Photographer: Patrick Neumann Python is amazing for web developers! ● Bottle ● BlueBream ● CherryPy ● CubicWeb ● Grok ● Nagare ● Pyjs ● Pylons ● TACTIC ● Tornado ● TurboGears ● web2py ● Webware ● Zope 2 Why would I want to use less? ● Learn how stuff works Why would I want to use less? ● Avoid over-engineering – Wastes time and resources – Makes updates harder – It’s a security risk. Why would I want to use less? ● You want to do something very specific ● Plan, manage and document chemotherapy treatments ● Built with modern web technology ● Used by hospitals in three European countries Patient Data Lab Data HL7 REST Pharmacy System Database Printers Werkzeug = German for “tool” ● Developed by pocoo team @ pocoo.org – Flask, Sphinx, Jinja2 ● A “WSGI utility” ● Very lightweight ● No ORM, No templating engine, etc ● The basis of Flask and others Werkzeug Features Overview ● WSGI – WSGI 1.0 compatible, WSGI Helpers ● Wrapping of requests and responses ● HTTP Utilities – Header processing, form data parsing, cookies ● Unicode support ● URL routing system ● Testing tools – Testclient, Environment builder ● Interactive Debugger in the Browser A simple Application A simple Application URL Routing Middlewares ● Separate parts of the Application as wsgi apps ● Combine as needed Request Static files DB Part of Application conn with DB access User Dispatcher auth Part of Application without DB access Response HTTP Utilities ● Work with HTTP dates ● Read and dump cookies ● Parse form data Using the test client Using the test client - pytest fixtures Using the test client - pytest fixtures Interactive debugger in the Browser Endless possibilities ● Connect to a database with SQLalchemy ● Use Jinja2 to render documents ● Use Celery to schedule asynchronous tasks ● Talk to 3rd party APIs with requests ● Make syscalls ● Remote control a robot to perform tasks at home Thank you! @NiklasMM NiklasMM Photographer: Patrick Neumann.
    [Show full text]
  • Boosting Public Participation in Urban Planning Through the Use of Web GIS Technology: a Case Study of Stockholm County
    DEGREE PROJECT IN REGIONAL PLANNING, SECOND LEVEL STOCKHOLM 2014 Boosting Public Participation in Urban Planning Through the Use of Web GIS Technology: A Case Study of Stockholm County MAHNAZ NAROOIE SoM EX 2014-16 ___________________________________________ KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ARCHITECTURE AND THE BUILT ENVIRONMENT Department of Urban Planning and Environment Division of Urban and Regional Studies Abstract Providing citizens with the robust and suitable tools to effectively participate in the planning process is a necessity nowadays. Also, changes in the capabilities and popularity of new technologies have dramatically raised the number of technology-based tools that are potentially available for enhancing public participation in the planning process. This study explores both the theoretical aspect of collaborative planning and the effects that Web- based Public Participatory GIS (WPPGIS) applications and Information and Communication Technologies (ICT) has on the planning process. Findings indicate that the WPPGIS applications have the potential for increasing participation. It is also found that besides the contextual elements like the attitudes of planners and decision makers, the technological features such as proper user interface, price of software, technical and literacy skills are seen as crucial hindrances to bridging the planning process and technology-based solutions. This research also attempts to combine IAP2 Public Participation Spectrum and technological functionalities into a single framework to understand the implementation of WPPGIS applications in Stockholm, the capital of Sweden. Finally, based on the given criteria and assessment of the reviewed applications, this study concludes with the design and implementation of a prototype WPPGIS application using Open-Source Technologies (OST).
    [Show full text]
  • That Ain't You: Detecting Spearphishing Emails Before They
    That Ain't You: Blocking Spearphishing Emails Before They Are Sent Gianluca Stringhinix and Olivier Thonnardz xUniversity College London z Amadeus [email protected] [email protected] Abstract 1 Introduction Companies and organizations are constantly under One of the ways in which attackers try to steal sen- attack by cybercriminals trying to infiltrate corpo- sitive information from corporations is by sending rate networks with the ultimate goal of stealing sen- spearphishing emails. This type of emails typically sitive information from the company. Such an attack appear to be sent by one of the victim's cowork- is often started by sending a spearphishing email. At- ers, but have instead been crafted by an attacker. tackers can breach into a company's network in many A particularly insidious type of spearphishing emails ways, for example by leveraging advanced malware are the ones that do not only claim to come from schemes [21]. After entering the network, attackers a trusted party, but were actually sent from that will perform additional activities aimed at gaining party's legitimate email account that was compro- access to more computers in the network, until they mised in the first place. In this paper, we pro- are able to reach the sensitive information that they pose a radical change of focus in the techniques used are looking for. This process is called lateral move- for detecting such malicious emails: instead of look- ment. Attackers typically infiltrate a corporate net- ing for particular features that are indicative of at- work, gain access to internal machines within a com- tack emails, we look for possible indicators of im- pany and acquire sensitive information by sending personation of the legitimate owners.
    [Show full text]
  • “Talk” on Albanian Territories (1392–1402)
    Doctoral Dissertation A Model to Decode Venetian Senate Deliberations: Pregadi “Talk” on Albanian Territories (1392–1402) By: Grabiela Rojas Molina Supervisors: Gerhard Jaritz and Katalin Szende Submitted to the Medieval Studies Department Central European University, Budapest In partial fulfillment of the requirements for the degree of Doctor of Philosophy in Medieval Studies, Budapest, Hungary 2020 CEU eTD Collection To my parents CEU eTD Collection Table of Contents Acknowledgments .................................................................................................................................. 1 List of Maps, Charts and Tables .......................................................................................................... 2 Introduction ............................................................................................................................................ 3 A Survey of the Scholarship ........................................................................................................................... 8 a) The Myth of Venice ........................................................................................................................... 8 b) The Humanistic Outlook .................................................................................................................. 11 c) Chronicles, Histories and Diaries ..................................................................................................... 14 d) Albania as a Field of Study .............................................................................................................
    [Show full text]
  • Progressive Authentication in Ios
    Progressive Authentication in iOS Genghis Chau, Denis Plotnikov, Edwin Zhang December 12th, 2014 1 Overview In today's increasingly mobile-centric world, more people are beginning to use their smart- phones for important tasks. This means that many applications will need increased security in order to prevent any unauthorized access. Especially since applications are often always logged in, a careless user who leaves his or her phone unlocked is vulnerable to having po- tentially malicious users easily access sensitive information in apps like mailing or banking applications. In order to counter this on the iOS platform, we build a framework that al- lows developers to use per-app authentication. We tackle this problem from the developer's perspective, as OS-level modifications are much more difficult due to iOS source code being unavailable for analysis. Along with the framework, we complement the system with addi- tional authentication methods, including a server that allows for using one-time passcodes to log into applications. Finally, we discuss further extensions to our work, and their security implications. 2 Background 2.1 Design Our contribution is providing an iOS framework for developers to use in order to force users to reauthenticate when they browse away from the application. This prevents mali- cious attackers from having access to all applications if they are able to get past the phone lock. Currently, a number of authentication schemes are available for use in our framework, including an alphanumeric password, TouchID, Android-style lock patterns, and one-time passcodes. We also provide an Django server that will allow users to generate the one-time passcodes to log into the application.
    [Show full text]
  • Discussion Paper Countering Spam: How to Craft an Effective Anti-Spam
    DISCUSSION PAPER COUNTERING SPAM: HOW TO CRAFT AN EFFECTIVE ANTI-SPAM LAW International Telecommunication Union This paper has been prepared for the ITU World Summit on the Information Society (WSIS) thematic workshop on Countering Spam, organized under the ITU New Initiatives Programme by the Strategy and Policy Unit (SPU). The paper was written by Matthew B. Prince, CEO and co-founder of Unspam, LLC, a Chicago-based business and government consulting company helping to draft and enforce effective anti-spam laws. He is a member of the Illinois Bar and an Adjunct Professor at the John Marshall Law School. He received his J.D. from the University of Chicago Law School and his B.A. from Trinity College, Hartford, Connecticut. For more information visit: http://www.unspam.com/. The meeting project is managed by Robert Shaw ([email protected]) and Claudia Sarrocco ([email protected]) of the Strategy and Policy Unit (SPU) and the series is organized under the overall responsibility of Tim Kelly, Head, SPU. This and the other papers in the series are edited by Joanna Goodrick. The views expressed in this paper are those of the author and do not necessarily represent those of ITU or its membership. 1 Introduction Since the first anti-spam law worldwide was passed in 1997, at least 75 governments around the world have passed anti-spam laws.1 That first anti-spam law was in fact passed at state-level in the United States, by the state of Nevada.2 The anti-spam laws in existence today take the form of so-called “opt-in” or “opt-out” regulations.
    [Show full text]
  • Characterizing Spam Traffic and Spammers
    2007 International Conference on Convergence Information Technology Characterizing Spam traffic and Spammers Cynthia Dhinakaran and Jae Kwang Lee , Department of Computer Engineering Hannam University, South Korea Dhinaharan Nagamalai Wireilla Net Solutions Inc, Chennai, India, Abstract upraise of Asian power houses like China and India, the number of email users have increased tremendously There is a tremendous increase in spam traffic [15]. These days spam has become a serious problem these days [2]. Spam messages muddle up users inbox, to the Internet Community [8]. Spam is defined as consume network resources, and build up DDoS unsolicited, unwanted mail that endangers the very attacks, spread worms and viruses. Our goal is to existence of the e-mail system with massive and present a definite figure about the characteristics of uncontrollable amounts of message [4]. Spam brings spam and spammers. Since spammers change their worms, viruses and unwanted data to the user’s mode of operation to counter anti spam technology, mailbox. Spammers are different from hackers. continues evaluation of the characteristics of spam and Spammers are well organized business people or spammers technology has become mandatory. These organizations that want to make money. DDoS attacks, evaluations help us to enhance the existing technology spy ware installations, worms are not negligible to combat spam effectively. We collected 400 thousand portion of spam traffic. According to research [5] most spam mails from a spam trap set up in a corporate spam originates from USA, South Korea, and China mail server for a period of 14 months form January respectively. Nearly 80% of all spam are received from 2006 to February 2007.
    [Show full text]
  • Doloto: Code Splitting for Network-Bound Web 2.0 Applications
    Doloto: Code Splitting for Network-Bound Web 2.0 Applications Benjamin Livshits Emre Kıcıman Microsoft Research Microsoft Research ABSTRACT cations, techniques outlines in this paper can be readily incorpo- Modern Web 2.0 applications, such as GMail, Live Maps, Face- rated into the next generation of distributing compilers such as Sil- book and many others, use a combination of Dynamic HTML, verlight [12] and Volta [11]. JavaScript and other Web browser technologies commonly referred to as AJAX to push application execution to the client web browser. 1. INTRODUCTION This improves the responsiveness of these network-bound applica- Over the last several years, we have witnessed the creation of a tions, but the shift of application execution from a back-end server new generation of sophisticated distributed Web 2.0 applications as to the client also often dramatically increases the amount of code diverse as GMail, Live Maps, RedFin, MySpace, and NetFlix. A that must first be downloaded to the browser. This creates an unfor- key enabler for these applications is their use of client-side code— tunate Catch-22: to create responsive distributed Web 2.0 applica- usually JavaScript executed within the Web browser—to provide tions developers move code to the client, but for an application to a smooth and performant experience for users while the rendered be responsive, the code must first be transferred there, which takes Web page is dynamically updated in response to user actions and time. client-server interactions. As the sophistication and feature sets of In this paper, we present DOLOTO1, an optimization tool for these Web applications grow, however, downloading their client- Web 2.0 applications.
    [Show full text]
  • Criminals Become Tech Savvy
    Attack Trends Elias Levy, [email protected] Ivan Arce, [email protected] Criminals Become Tech Savvy n this installment of Attack Trends, I’ll look at the growing 2003 alone. Fraud schemes are usu- ELIAS LEVY ally peddled by individuals who Symantec convergence of technically savvy computer crackers with spam potential victims (www. brightmail.com/brc_fraud-stats. financially motivated criminals. Historically, most com- html), such as the Nigerian, or 419, scam (see the 419 Coalition’s Web puter crime on the Internet has not been financially moti- site at http://home.rica.net/alphae/ I 419coal/). But as the number of vated: it was the result of either curious or malicious technical fraud cases has increased, so has the public’s awareness of them; fraudsters attackers, called crackers. This changed Increasingly on the defensive, are increasingly forced to resort to as the Internet became more com- spammers are fighting back by be- more intricate schemes. mercialized and more of the public has coming more sophisticated, generat- We’re now seeing the practice of gone online. Financially motivated ing unique messages, and finding new “phishing” gaining popularity with actors in the fauna of the Internet’s open proxies or SMTP relays to send fraudsters. Using this scheme, crimi- seedy underbelly—spammers and messages and hide their true sources. nals create email messages with re- fraudsters—soon joined crackers to turn addresses, links, and branding exploit this new potential goldmine. Fraud that seem to come from trusted, Internet fraud has also become a se- well-known organizations; the hope Spam rious problem.
    [Show full text]