From: nevada
Subject: Lisp in hacking and security?
Date: 
Message-ID: <5e954cc3.0203080758.92f481b@posting.google.com>
These are general questions from an ignorant c.l.l lurker. I apologize
if these are dumb questions.

Lisp enthusiasts like to tout how flexible the language is and
appropriate for intelligent applications. It would seem that this
would make it an ideal language for hacking or prevention of hacking
over networks.

So my questions:

Is Lisp a suitable tool for sophisticated hacking and/or security? Why
or why not?

Is it used much for these purposes? (I realize the people who do these
types of things don't advertise what they do or how they do it.)

Thanks,

- NS

From: Marco Antoniotti
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <y6clmd381et.fsf@octagon.mrl.nyu.edu>
············@yahoo.com (nevada) writes:

> These are general questions from an ignorant c.l.l lurker. I apologize
> if these are dumb questions.
> 
> Lisp enthusiasts like to tout how flexible the language is and
> appropriate for intelligent applications. It would seem that this
> would make it an ideal language for hacking or prevention of hacking
> over networks.

Your use of the word "hacking", while "mainstream" may be annoying and
irritating to several people.  I don't mean to be harsh, but please be
careful.

> 
> So my questions:
> 
> Is Lisp a suitable tool for sophisticated hacking and/or security? Why
> or why not?
> 
> Is it used much for these purposes? (I realize the people who do these
> types of things don't advertise what they do or how they do it.)

One of the greatest "hacks"¹ I heard of recently was "how to obtain
thousands of Yahoo mailboxes for mass spamming"?

Yahoo requires you to fill in a form where you have to read a fuzzy
word in an image.  The word is randomly generated.
How do you write a system that reads the word and asks for the Yahoo
mailbox?

The answer is simple: set up a system that asks a user to read the word
for you, while not telling him that you will use his (male pronoun
mandatory) natural brain computing power to actually request a Yahoo
mailbox.  What would this system be? A porn site, of course.

So the question you are asking can be turned into: is CL a good
language to set up porn sites?  Well, of course.

A more serious question would be: Is CL suited to write a word
recognition program? The answer is yes again.

Cheers

¹ "Consistency is the hobgoblin of little minds" :)

-- 
Marco Antoniotti ========================================================
NYU Courant Bioinformatics Group        tel. +1 - 212 - 998 3488
719 Broadway 12th Floor                 fax  +1 - 212 - 995 4122
New York, NY 10003, USA                 http://bioinformatics.cat.nyu.edu
                    "Hello New York! We'll do what we can!"
                           Bill Murray in `Ghostbusters'.
From: Thomas F. Burdick
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <xcv4rjqrcv7.fsf@famine.OCF.Berkeley.EDU>
············@yahoo.com (nevada) writes:

> appropriate for intelligent applications. It would seem that this
> would make it an ideal language for hacking or prevention of hacking
> over networks.

If you set yourself up a good development environment, it's great for
hacking over networks.  For example, shortly before I read your
question, I was hacking on a project I'm working on, using an IDE with
lots of language- and environment-specific support -- all this, over a
network!  Sometimes, when I'm sitting at a machine running an X
server, I'll hack over a network, using Hemlock, which is running in
the very same Lisp image as what I'm hacking.

Now for the good part.  Here's where Lisp really shines for hacking
over networks.  The other day, I was sitting in front of a dual-headed
Sun workstation.  I had a cmucl image running on a machine we'll call
Server A, which was running Hemlock.  So now we've got the setup
similar to above, with the Hemlock on Server A displaying on Head 0 of
this workstation.  BUT, I had another cmucl image running on Server B,
running the program that I was hacking on -- using the Hemlock on
Server A! -- and it was displaying in a whole lot of windows on Head 1
of my workstation.  I'll draw you a picture:

  _________    _________
 |    0    |  |    1    |<-- displays here --------+
 | Hemlock |  |   App   |                          |
 |_________|  |_________|                      ----+-----
  ^  \--------------/                      /--|_Server_B_|<-+
  |  |_Sparcstation_|=------ network -----<    __________   |- A manipulates the
  |                                        \--|_Server_A_|--+  image running on B!
  |                                                |
  +------------------------- displays here --------+

I know of no other environment that allows for such a sophisticated
level of hacking over a network.  It's amazing!

As for the other part of your question, I think Common Lisp is too
flexible to prevent hacking over networks.  You could try to prevent
us from hacking over networks, but if for some reason we don't want to
be in the same room as the machine we're hacking on (maybe it's loud
or hot or in a basement with no windows), Lispers will take full
advantage of all the power and flexibility the language gives us, to
hack over networks.

(decf *sarcasm-level* 3)

Big ups to the CMU folks who developed Hemlock, it really is damn cool.

--
           /|_     .-----------------------.
         ,'  .\  / | No to Imperialist war |
     ,--'    _,'   | Wage class war!       |
    /       /      `-----------------------'
   (   -.  |
   |     ) |
  (`-.  '--.)
   `. )----'
From: Chris Perkins
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <8vai8.127$4j.172629@news.uswest.net>
Anecdotally, one of the first projects I did in Lisp (9 months ago) was
write a serial number generator for one of our products.   Often, when
coming up with serial number schemes, one wants an algorithm that makes it
computationally difficult to create/discover a valid number, but
computationally simple to verify it.  Ideally, the operation should be
one-way (not reversible) and the operations of verifying a number should not
be useful in creating one.

I have done this a few times before in other languages, but there were a
number of built in Lisp features (very large numbers, mapping) that made it
a pleasant project.

Chris Perkins
http://www.medialab.com
From: Kent M Pitman
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <sfwzo1jc7kd.fsf@shell01.TheWorld.com>
············@yahoo.com (nevada) writes:

> These are general questions from an ignorant c.l.l lurker. I apologize
> if these are dumb questions.
> 
> Lisp enthusiasts like to tout how flexible the language is and
> appropriate for intelligent applications. It would seem that this
> would make it an ideal language for hacking 

Perhaps you mean "cracking"?  The term "hacking", as discussed here before,
is used only incorrectly to mean anything specifically security-related.

> or prevention of hacking over networks.
>
> So my questions:
> 
> Is Lisp a suitable tool for sophisticated hacking and/or security? 

Lisp is a suitable tool for intelligent tools.

I know of no Lisp network servers that have ever been broken into by silly
means like buffer overruns.  You have to go to a lot of special trouble in
Lisp to write code that has this kind of gaping hole.  By default it tries
not to let you.  That's not to say it's impossible.

Lisp has been used in commercial settings to do things like fraud detection
(American Express) and criminal investigation (various government 
organizations), but I don't assume that's not the kind of security you
meant.  You didn't mention the word "networking" but somehow I always feel
that's what people mean when they talk about security.  I don't know why
that would be.

> Why or why not?

Turing proved that any pretty basic piece of linguistic technology is
computationally equivalent at some level to any other.  As such, it's pretty
clear that Lisp can be used for good or bad, like most technologies.  I'm
not sure I see your point, other than to stir trouble.

It's just a language.  What you do with it is what matters.  That's called
a program.  Lisp doesn't decide programs, you do.

I don't think anyone here is going to offer you examples of how to crack
someone else's system.

I don't think that if anyone had code that could stop cracking, it would be
wise for them to publish that either.

And WHAT IF the answer was that there were no programs that used Lisp
for cracking? Or to prevent it?  Would that somehow be proof of
anything at all?  Certainly I don't think the failure of a user base
to build certain applications is a proof of anything at all about the
language in which they fail to build such applications.

> Is it used much for these purposes? (I realize the people who do these
> types of things don't advertise what they do or how they do it.)

(Then you have, to some degree, answered your own question.)

What is your real question?

You seem to portray a certain neutrality about whether you want to crack
or stop cracking.  I find that troubling.

This doesn't sound like something that you're going to put into a book report
for school.

This is a strange first question for someone outside our language users to
enter with.

I'm not one to point fingers at people and say "flamebait" so instead I'll
just say "I think you have begun your conversation in a less than productive
way".
From: nevada
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <5e954cc3.0203081507.6d483cc9@posting.google.com>
Yes, I meant cracking rather than hacking.

I was not intending to be provocative or unproductive. I was reading
about Check Point (firewalls) in Forbes and was curious whether Lisp
would be a uniquely good tool in security or lack of security. For
example, "Lisp created or solved this difficult security issue which
other languages could not have done as well."

> Turing proved that any pretty basic piece of linguistic technology is
> computationally equivalent at some level to any other.  As such, it's pretty
> clear that Lisp can be used for good or bad, like most technologies.  I'm
> not sure I see your point, other than to stir trouble.

This pretty much answers my question.

I don't have any point - least of all to stir trouble or flaming. I
was asking in a general (and ignorant) way about the suitability of
Lisp in a specific real-world situation. Did not intend anything else.

- NS
From: Mike
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <1102863366.388538.134280@c13g2000cwb.googlegroups.com>
Kent M Pitman wrote:
> ············@yahoo.com (nevada) writes:
>
> > These are general questions from an ignorant c.l.l lurker. I apologize
> > if these are dumb questions.
> >
> > Lisp enthusiasts like to tout how flexible the language is and
> > appropriate for intelligent applications. It would seem that this
> > would make it an ideal language for hacking
>
> Perhaps you mean "cracking"?  The term "hacking", as discussed here before,
> is used only incorrectly to mean anything specifically security-related.
>
> > or prevention of hacking over networks.
> >
> > So my questions:
> >
> > Is Lisp a suitable tool for sophisticated hacking and/or security?
>
> Lisp is a suitable tool for intelligent tools.
>
> I know of no Lisp network servers that have ever been broken into by silly
> means like buffer overruns.  You have to go to a lot of special trouble in
> Lisp to write code that has this kind of gaping hole.  By default it tries
> not to let you.  That's not to say it's impossible.
>
> Lisp has been used in commercial settings to do things like fraud detection
> (American Express) and criminal investigation (various government
> organizations), but I don't assume that's not the kind of security you
> meant.  You didn't mention the word "networking" but somehow I always feel
> that's what people mean when they talk about security.  I don't know why
> that would be.
>
> > Why or why not?
>
> Turing proved that any pretty basic piece of linguistic technology is
> computationally equivalent at some level to any other.  As such, it's pretty
> clear that Lisp can be used for good or bad, like most technologies.  I'm
> not sure I see your point, other than to stir trouble.
>
> It's just a language.  What you do with it is what matters.  That's called
> a program.  Lisp doesn't decide programs, you do.
>
> I don't think anyone here is going to offer you examples of how to crack
> someone else's system.
>
> I don't think that if anyone had code that could stop cracking, it would be
> wise for them to publish that either.
>
> And WHAT IF the answer was that there were no programs that used Lisp
> for cracking? Or to prevent it?  Would that somehow be proof of
> anything at all?  Certainly I don't think the failure of a user base
> to build certain applications is a proof of anything at all about the
> language in which they fail to build such applications.
>
> > Is it used much for these purposes? (I realize the people who do these
> > types of things don't advertise what they do or how they do it.)
>
> (Then you have, to some degree, answered your own question.)
>
> What is your real question?
>
> You seem to portray a certain neutrality about whether you want to crack
> or stop cracking.  I find that troubling.
>
> This doesn't sound like something that you're going to put into a book report
> for school.
>
> This is a strange first question for someone outside our language users to
> enter with.
>
> I'm not one to point fingers at people and say "flamebait" so instead I'll
> just say "I think you have begun your conversation in a less than productive
> way".

I wonder if Lisp has been used to write worms or source code viruses.
It would be an ideal language for that kind of security research because
of its powerful macro system.

Would make Concept 97 look like child's play--could embed a compiler or
scripting language in the worm/virii that allows the automatic
generation of worms or virii -- the ultimate virus/worm creation tool kit
could be created in Lisp.

Has anyone done any virus or anti-virus stuff in Lisp, Scheme, or (off
topic a little bit) Prolog?

Lisp as a program generating programming language would be ideal for
virus/worm toolkits. :-D ;) would show how powerful Lisp really is.
From: Eric Moss
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <3C895A04.C4371762@alltel.net>
nevada wrote:

> Is Lisp a suitable tool for sophisticated hacking and/or security? Why
> or why not?
> 
> Is it used much for these purposes? (I realize the people who do these
> types of things don't advertise what they do or how they do it.)

One place that doesn't advertise it is the Los Alamos National Labs. 
IIRC, they have a "Red Team" and a "Blue Team" that square off with
cracking agents.  The article in the Times a year+ ago mentioned one
failed protection scheme--it was probably ok, except for their not
turning off the eval functionality and using clear-text to communicate.
:)

Eric
From: Eric Moss
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <3C8964B5.84078A59@alltel.net>
brain fart--sorry.

It's the IDART team at Sandia:  www.sandia.govidart/index.htm

and don't be surprised to find out little more:

	"Reports and information generated by IDART assessments are
	 typically of a proprietary or sensitive nature; however, 
	 certain IDART customers wish all or some of their assessment
	 made publicly available. This page lists selected assessment
	 information for these customers. "

... and the one link sends you to a page where anything interesting
requires a password.


Eric
From: Eric Moss
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <3C896676.FC47FDCE@alltel.net>
Eric Moss wrote:

www.sandia.gov/idart/index.htm
              ^

brain fart^2--sorry^2.

Sheesh...
From: Matthew X. Economou
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <w4ozo1fcf7p.fsf@eco-fs1.irtnog.org>
>>>>> "nevada" == nevada  <············@yahoo.com> writes:

    nevada> These are general questions from an ignorant c.l.l
    nevada> lurker. I apologize if these are dumb questions.

<handwave>

I am no Lisp expert, but I work in the computer security arena.  I
usually code my tools (or quick hacks) in the system programming
language of whatever it is I'm hacking on, e.g. C++ on Windows, C on
UNIX.  This is necessary because the bindings to kernel-layer
functionality are usually missing in higher-level languages such as
Perl, Python, or Common Lisp, e.g. packet capture (via BSD's bpf
driver), access control lists (especially the low-level Win32 stuff).

OK, well, "missing" is a strong word.  Maybe "inconvenient" is more
accurate.

That's not to say that Perl, Python, or Lisp isn't appropriate for,
say, writing an intrusion detection system, or building a firewall.
All I mean by the above is that I am lazy.  ;)  I'm sure I would be
using Lisp too, if I were hacking on a machine where that's the system
programming language (e.g. a Symbolics LispM).

P.S.  Actually, I've been thinking about everyone's favorite bit of
vaporware---LispOS.  If one writes the network layer in Common Lisp, I
could conceive a firewall package that exists as a set of Lisp macros
that, upon invocation, compile filter code directly to machine
language and link it into the network stack dynamically.  I mean, most
firewalls are configured as state machines already, so the macros
would be just sugar to facilitate programming them.

</handwave>

-- 
Matthew X. Economou <···············@irtnog.org> - Unsafe at any clock speed!
"We're born with a number of powerful instincts, which are found across all
 cultures.  Chief amongst these are a dislike of snakes, a fear of falling,
 and a hatred of popup windows." --Vlatko Juric-Kokic
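
The firewall-as-macros idea from the P.S. above, as an added Common Lisp example (not code from the thread or from any poster's project). `define-packet-filter`, the `packet` struct and the rule syntax are all hypothetical, and the generated function is an ordinary compiled predicate, not something linked into a network stack.

```lisp
;;;; Added illustration; every name below is hypothetical.
;;;; Packets are modelled as a struct with integer IPv4 addresses (assumption).
(defstruct packet proto src dst dport)

;; The parsers must exist at macroexpansion time, hence EVAL-WHEN.
(eval-when (:compile-toplevel :load-toplevel :execute)
  (defun parse-ipv4 (string)
    "Dotted quad -> 32-bit integer; signals an error on malformed input."
    (let ((value 0) (start 0))
      (dotimes (i 4 value)
        (let* ((dot (position #\. string :start start))
               (octet (parse-integer string :start start :end dot)))
          (assert (<= 0 octet 255) () "Bad octet in ~S" string)
          (assert (if (< i 3) dot (not dot)) () "Need 4 octets in ~S" string)
          (setf value (+ (* value 256) octet)
                start (if dot (1+ dot) (length string)))))))

  (defun parse-cidr (spec)
    "\"a.b.c.d/n\" (or a bare address) -> (values network mask)."
    (let* ((slash (position #\/ spec))
           (bits (if slash (parse-integer spec :start (1+ slash)) 32))
           (mask (ldb (byte 32 0) (ash -1 (- 32 bits)))))
      (assert (<= 0 bits 32) () "Bad prefix length in ~S" spec)
      (values (logand (parse-ipv4 (subseq spec 0 slash)) mask) mask)))

  (defun rule-test (rule var)
    "Turn the keyword part of one rule into a form testing packet VAR.
An unknown keyword makes DESTRUCTURING-BIND fail while the macro expands."
    (destructuring-bind (&key proto src dst dport) (rest rule)
      `(and ,@(when proto `((eq (packet-proto ,var) ,proto)))
            ,@(when src (multiple-value-bind (net mask) (parse-cidr src)
                          `((= (logand (packet-src ,var) ,mask) ,net))))
            ,@(when dst (multiple-value-bind (net mask) (parse-cidr dst)
                          `((= (logand (packet-dst ,var) ,mask) ,net))))
            ,@(when dport `((eql (packet-dport ,var) ,dport)))))))

(defmacro define-packet-filter (name &body rules)
  "Define NAME as a function of one packet returning :ALLOW or :DENY.
The first matching rule wins; a packet matching no rule is denied."
  (let ((pkt (gensym "PACKET")))
    (dolist (rule rules)
      (assert (member (first rule) '(:allow :deny)) ()
              "Unknown action in rule ~S" rule))
    `(defun ,name (,pkt)
       (declare (type packet ,pkt))
       (cond ,@(loop for rule in rules
                     collect `(,(rule-test rule pkt) ,(first rule)))
             (t :deny)))))

;; Constructed sample policy (documentation and private address ranges).
(define-packet-filter edge-filter
  (:deny  :src "10.66.0.0/16")
  (:allow :proto :tcp :dst "192.0.2.10" :dport 443)
  (:allow :proto :udp :dport 53))

(defun classify-samples ()
  "Run three constructed packets through EDGE-FILTER; returns their verdicts."
  (flet ((pkt (proto src dst dport)
           (make-packet :proto proto :src (parse-ipv4 src)
                        :dst (parse-ipv4 dst) :dport dport)))
    (mapcar #'edge-filter
            (list (pkt :tcp "198.51.100.7" "192.0.2.10" 443)
                  (pkt :tcp "10.66.3.9"    "192.0.2.10" 443)
                  (pkt :tcp "198.51.100.7" "192.0.2.10" 22)))))
```

Calling `macroexpand-1` on the `define-packet-filter` form shows the generated `cond`, with every address and mask already folded into an integer constant, so a malformed rule is rejected when the policy is compiled, before any packet is seen.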
From: Bill Birch
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <6f7fa60c.0203122337.31b58b7c@posting.google.com>
"Matthew X. Economou" <···············@irtnog.org> wrote in message news:<···············@eco-fs1.irtnog.org>...
> >>>>> "nevada" == nevada  <············@yahoo.com> writes:
> 
>     nevada> These are general questions from an ignorant c.l.l
>     nevada> lurker. I apologize if these are dumb questions.
> 
> <handwave>
> 
> I am no Lisp expert, but I work in the computer security arena.  I
> usually code my tools (or quick hacks) in the system programming
> language of whatever it is I'm hacking on, e.g. C++ on Windows, C on
> UNIX.  This is necessary because the bindings to kernel-layer
> functionality are usually missing in higher-level languages such as
> Perl, Python, or Common Lisp, e.g. packet capture (via BSD's bpf
> driver), access control lists (especially the low-level Win32 stuff).
> 
> OK, well, "missing" is a strong word.  Maybe "inconvenient" is more
> accurate.
>
Some time back I wrote a Lisp interpreter that got embedded into a
Linux security kernel (see below) :
http://www.intes.odessa.ua/vxe/index.html
 
"VXE (Virtual eXecuting Environment) protects UNIX servers from such
intruders, hacker attacks from network and so on. It protects software
subsystems, such as: SMTP, POP, HTTP and any other subsystem, already
installed on the server. There is no need to change configuration of
existing software - just PROTECT it."

Cheers.
From: Paolo Amoroso
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <2jCPPC9hFxMyQPqGYYZBdIMdQBdp@4ax.com>
On 12 Mar 2002 23:37:13 -0800, ······@ozemail.com.au (Bill Birch) wrote:

> "VXE (Virtual eXecuting Environment) protects UNIX servers from such
> intruders, hacker attacks from network and so on. It protects software
             ^^^^^^
You should have known better...


Paolo
-- 
EncyCMUCLopedia * Extensive collection of CMU Common Lisp documentation
http://www.paoloamoroso.it/ency/README
[http://cvs2.cons.org:8000/cmucl/doc/EncyCMUCLopedia/]
From: Nicholas Geovanis
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <Pine.HPX.4.10.10203112002250.20801-100000@merle.acns.nwu.edu>
In a previous life as a security software developer, I recall reading
a paper about a real-time threat-analysis system which did "intelligent"
analysis of incoming log data to identify those threats. If aging memory
serves, the system ran on Symbolics lisp machines. This was around 1990.
The paper was in a "regular" security conference proceedings, though I
can't remember which one. The work was done by consultants at some Big
Government Agency, so it's not likely that the code has been open-sourced.
;-)

* Nick Geovanis              "The nuclear bomb. Does that bother you?
| IT Computing Svcs              I just want you to think big"
| Northwestern Univ                 - Pres. Richard M. Nixon
| ··········@nwu.edu                    April 25, 1972
+------------------->
From: Matt Curtin
Subject: Re: Lisp in hacking and security?
Date: 
Message-ID: <86bsdj48by.fsf@rowlf.interhack.net>
············@yahoo.com (nevada) writes:

> Is Lisp a suitable tool for sophisticated [...] security?

We use Lisp for several significant security-related applications
here, including security and privacy audits, forensic analysis, and
electronic discovery.  (These are sold as services, rather than
products, but obviously we don't do all of the work ourselves by hand.
We would have tanked by now if we were that silly. :-)

The only other language that threatens Lisp for the productivity of an
analyst on these kinds of tasks is Perl.  (That's actually an
overstatement, as less well-known languages like Snobol or various
domain specific languages would also be pretty well-suited for some of
the things we're doing, but I'm trying to limit the consideration to
the set of well-known and general purpose languages.)

Having stated all of that, however, there are still some things that
we need to do in C, largely to get the kind of interfaces to kernel
state data that we need in cases of intrusion detection, intelligent
logging, etc.  Wherever possible, we build just enough C to talk to
Lisp and work through foreign function interfaces.  That can be a
pain, but getting C to read stuff and hand it off to Lisp is much less
painful than trying to build a high-level system in a language
designed for building kernels.

Like anything else, the question of a language's appropriateness has
to do with the specific task at hand.  If the primary task is talking
to a library like BPF, C is better suited.  If higher-level analysis
is necessary, a more expressive language is probably better.
"Security" isn't a specific application; it's really more of a
property that can be found in any application (operating systems,
databases, networks, etc.), so the question of how to work securely is
largely a question of how to do the task at hand the right way.

-- 
Matt Curtin, Founder  Interhack Corporation  http://web.interhack.com/
Author,  Developing Trust: Online Privacy and Security  (Apress, 2001)
Knight, Lambda Calculus | Certum quod factum. --Giovanni Battista Vico