There's a new batch of pictures. This batch is with my uncle Sabi and with my cousin Selim. Of course, the kids play a key role in the pictures :-)
See: http://yeda.cs.technion.ac.il/~yona/aviv/2007/2.2007/index.html
My family, books, photos, technology, language and some math משפחתי, ספרים, תמונות, טכנולוגיה, שפה, וקצת מתמטיקה
Sunday, February 25, 2007
Negative Security and Positive Security
Lately I find myself explaining the difference between positive security and negative security quite often.
Positive Security: a security policy based on a model of the application or system being defended. Whatever agrees with the model is considered legal; everything else is suspected of being illegal.
Negative Security: a security policy based on a model of the malicious things (e.g., attacks, worms, viruses, and so on). Whatever agrees with the model is suspected of being illegal; everything else is considered legal.
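As an added illustration (not from the original post), here is a small Python model of the two policies run over constructed requests to a hypothetical login form; the parameter names, signatures and model are assumptions. It shows the trade-off each policy makes: the negative model lets an unknown parameter and an unlisted payload through, while the positive model blocks a legitimate but unmodelled value.

```python
import re

# Constructed sample requests for a hypothetical login form (parameter name -> value).
REQUESTS = [
    {"user": "alice", "lang": "en"},                      # ordinary legitimate request
    {"user": "bob' OR 1=1 --", "lang": "en"},             # matches a known-bad signature
    {"user": "carol", "lang": "en", "debug": "1"},        # parameter the application never defined
    {"user": "dave", "lang": "en; DROP TABLE users"},     # hostile, but no signature describes it
    {"user": "éva", "lang": "fr"},                        # legitimate, but outside the model
]

# Negative model: patterns describing things known to be malicious (constructed list).
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s+1\s*=\s*1",   # SQL tautology
    r"<\s*script",           # script tag injection
)]

def negative_security(request):
    """Block only what matches a known-bad signature; everything else is legal."""
    for value in request.values():
        if any(sig.search(value) for sig in SIGNATURES):
            return "blocked"
    return "allowed"

# Positive model: the parameters the application accepts and the shape of their values.
MODEL = {
    "user": re.compile(r"[a-z][a-z0-9_]{0,15}"),
    "lang": re.compile(r"[a-z]{2}"),
}

def positive_security(request):
    """Allow only what matches the model; an unknown parameter or an odd value is suspect."""
    if set(request) != set(MODEL):
        return "blocked"  # extra or missing parameter: not part of the modelled application
    for name, value in request.items():
        if not MODEL[name].fullmatch(value):
            return "blocked"
    return "allowed"

def compare(requests=REQUESTS):
    """Side-by-side verdicts: where the negative model misses novelty, the positive one over-blocks."""
    return [(negative_security(r), positive_security(r)) for r in requests]

if __name__ == "__main__":
    for req, verdicts in zip(REQUESTS, compare()):
        print(req, "negative:", verdicts[0], "positive:", verdicts[1])
```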
Warming liquids for babies in a microwave oven
I saw a discussion in a Tapuz forum about heating baby liquid food in a microwave oven.
One person claimed that this is forbidden, and I got curious and started asking questions.
See: http://www.tapuz.co.il/tapuzforum/main/Viewmsg.asp?forum=149&msgid=94429245
Monday, February 19, 2007
Should XML parsers know anything about XML namespaces?
I asked a question about XML namespaces on the xml-dev mailing list.
The resulting discussion concluded that:
* XML parsers know nothing about namespaces
* namespace processing should be done by the application that uses the XML parser
* a validating XML parser should be namespace aware
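The split the list describes, as an added Python example (not from the xml-dev thread): expat is used in its namespace-unaware mode, so the application keeps the prefix scopes itself; the sample documents and URIs are constructed.

```python
import xml.parsers.expat

def resolve_names(document):
    """Parse with a namespace-unaware expat parser and resolve prefixes in the application.

    Returns one (namespace_uri, local_name) pair per start tag, in document order.
    Raises ValueError for a prefix that is not declared in scope.
    """
    # No namespace_separator argument: expat hands back "prefix:local" as opaque text
    # and passes xmlns declarations through as ordinary attributes.
    parser = xml.parsers.expat.ParserCreate()
    scopes = [{"": None}]   # stack of prefix -> URI maps; the default namespace lives under ""
    resolved = []

    def start(name, attrs):
        scope = dict(scopes[-1])  # declarations on this element extend the enclosing scope
        for attr, value in attrs.items():
            if attr == "xmlns":
                scope[""] = value or None       # xmlns="" undeclares the default namespace
            elif attr.startswith("xmlns:"):
                scope[attr[len("xmlns:"):]] = value
        scopes.append(scope)
        prefix, _, local = name.rpartition(":")
        if prefix not in scope:
            raise ValueError(f"unbound namespace prefix {prefix!r} on <{name}>")
        resolved.append((scope[prefix], local))

    def end(name):
        scopes.pop()  # declarations go out of scope with their element

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(document, True)
    return resolved

def has_unbound_prefix(document):
    """True if the document uses a prefix that no in-scope xmlns declaration binds."""
    try:
        resolve_names(document)
    except ValueError:
        return True
    return False

# Constructed sample documents: the second uses prefix b after its declaring element has closed.
DOC = b"""<root xmlns="urn:default" xmlns:a="urn:a">
  <a:item xmlns:b="urn:b"><b:sub/><plain/></a:item>
</root>"""
BAD = b"""<root xmlns:a="urn:a"><a:item xmlns:b="urn:b"/><b:late/></root>"""
```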
Saturday, February 17, 2007
Today, while walking and touring in a field, we saw mating Coccinella septempunctata beetles.
A new niece was born on the 15th
Wednesday, February 14, 2007
Some of my reading for today
Wei Zhang and R. van Engelen. "A Table-Driven Streaming XML Parsing Methodology for High-Performance Web Services". ICWS '06, International Conference on Web Services, September 2006, pp. 197-204.
David F. Bacon. Realtime Garbage Collection. IBM Research. ACM Queue, Vol. 5, No. 1, February 2007.
F. Neven. Automata theory for XML researchers. ACM SIGMOD Record, Volume 31, Issue 3 (September 2002), pp. 39-46.
Bryan Ford. Packrat Parsing: a Practical Linear-Time Algorithm with Backtracking. Master's Thesis, Massachusetts Institute of Technology.
Sunday, February 11, 2007
Planting in my garden
I spent an hour on Friday at the Meltser nursery and filled up my Ford Connect with dozens of plants, among them:
* begonia plants
* Fuchsia plants
* Viola hederacea plants
* Hydrocotyle ranunculoides
and a few more types.
I'll try to post some images of them soon.
The garden in front of the entrance to our house is now fully planted.
The garden in the back still needs a lot of work:
* removal of the many branches that I pruned from the neighbors' trees, which had invaded our garden and cast shade -- too much shade
* renew the grass: replace the al-toro grass with a derben grass
* continue planting in shaded places.
Friday, February 9, 2007
Finally, a picture of my family
Wednesday, February 7, 2007
About israel.pm monthly meetings
I replied on the israel.pm mailing list and explained about the monthly meetings.
See: http://perl.org.il/pipermail/perl/2007-February/008421.html
My parents got back from Thailand
It seems that they had fun.
I'm looking forward to going through the few thousand pictures they took and to hearing them describe their experiences.
Tuesday, February 6, 2007
XML Parser attacks -- talk I gave today at the israel.pm meeting
I gave a talk today about XML Parser Attacks in the monthly meeting of israel.pm.
See: http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/index.html
I will probably revise it a few times in the future.
Monday, February 5, 2007
We bought Purim (פורים) outfits for the kids
We bought Purim (פורים) outfits for the kids:
Aviv will dress up as a pirate.
Sivan will dress up as Snow White.
Nir will be dressed up with the kids' stuff from previous years :-)
I just submitted another patent idea to a patent committee at work
I have just sent another patent idea to the patent committee at work. The idea is about automatic detection of zero-day attacks and automatic creation of signatures from the resulting examples.
Let's wait and see what the verdict will be...
Sunday, February 4, 2007
Swimming lessons
Two new recruits
Two people I recommended for work have been found qualified and want to come work with us in Tel-Aviv. Hurray!
I was very impressed with them and I'm sure they will be great.
It turns out that with these two, 10% of the workers in our R&D center were recruited through me :-)
I'm trying to get at least 3 additional people in the following weeks.
Saturday, February 3, 2007
Cyclamen Persicum
Among the hundreds of bulbs that I placed in many locations in our garden, I also placed 100 or so bulbs of Cyclamen Persicum, all of the "wild" kind. I bought all the bulbs from יודפת.
In the picture you see the first blossom.
Anemone coronaria
Friday, February 2, 2007
Dawn in Kfar-Yona
Thursday, February 1, 2007
XML processor attacks, continued
Following my blog post from yesterday about XML processor attacks, I'd like to add some information based on a discussion I started on the xml-dev mailing list.
David Megginson says that:
* the XML REC does not specify or limit name or literal lengths, the number of attributes, the depth of nested elements, and so on. As a result these are a target for DoS attacks on the XML processor. He suggests a few tests that can be run against an XML processor to check whether it terminates processing before running out of resources and exits gracefully rather than crashing. He states that any XML parser should have built-in limits on such properties.
* he also lists the risks of allowing processing of external fragments.
* he explains how access to an external resource, e.g., a schema or DTD, can be subject to a DoS if its location has been compromised.
Derek Denny-Brown says that:
* a naive implementation of duplicate attribute detection or namespace prefix lookup, e.g., a stack implementation where the Nth string is matched against the other N-1 strings, has O(N^2) complexity. He also suggests that if the implementation is hash based and the attacker can guess the hashing algorithm, the same O(N^2) processing time can be imposed on the parser.
* he also estimates that it would be quite hard to craft an attack that leverages these weaknesses to do much damage, since the scan is extremely fast, so limiting the size of accepted documents blocks such attacks in practice.
Richard Salz says that:
* it should be pretty easy to cause a DoS with short messages that have a very large element depth (he gives 1 million as an example). Another example would be badly fragmented nested elements. He further gives examples of very long element names, attribute names and namespace prefixes, and of excessively long attribute or namespace declaration values.
* he states that the asymmetry gives the attacker an advantage: producing an attack is as simple as printing text, while processing the received documents in such cases requires expensive computation.
I'm still collecting material and organizing it, and I hope to be able in the next few days to write a more detailed and organized summary on the subject. I'll post it here on my blog and will probably also announce it on xml-dev, at least to be polite and report back my conclusions and contributions to the discussion.
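The built-in limits Megginson argues for, as an added Python example (not code from the discussion): expat start-tag callbacks enforce bounds on document size, nesting depth, attribute count, and name and value length, so an oversized input is rejected early rather than exhausting resources; the default limits and the sample documents are constructed assumptions.

```python
import xml.parsers.expat

class ParseRejected(Exception): """A configured limit was exceeded; parsing stopped cleanly."""

class Limits:  # bounds for the properties the XML REC leaves unbounded (hypothetical defaults)
    def __init__(self, max_bytes=1 << 20, max_depth=64, max_name_len=256, max_attrs=64, max_value_len=4096):
        self.max_bytes, self.max_depth, self.max_attrs = max_bytes, max_depth, max_attrs
        self.max_name_len, self.max_value_len = max_name_len, max_value_len

def bounded_parse(document, limits=Limits()):
    """Return (element_count, max_depth_seen), or raise ParseRejected when a limit is hit."""
    if len(document) > limits.max_bytes:  # cheapest check first: total size bounds everything else
        raise ParseRejected(f"document size {len(document)} exceeds {limits.max_bytes}")
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0}
    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > limits.max_depth:
            raise ParseRejected(f"nesting depth exceeds {limits.max_depth}")
        if len(attrs) > limits.max_attrs:
            raise ParseRejected(f"{len(attrs)} attributes on one element exceeds {limits.max_attrs}")
        if any(len(n) > limits.max_name_len for n in (name, *attrs)):
            raise ParseRejected(f"element or attribute name longer than {limits.max_name_len}")
        if any(len(v) > limits.max_value_len for v in attrs.values()):
            raise ParseRejected(f"attribute value longer than {limits.max_value_len}")
    def end(name):
        state["depth"] -= 1
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(document, True)  # an exception raised in a handler stops expat and propagates here
    return state["elements"], state["max_depth"]

def classify(document, limits=Limits()):
    """'ok', 'rejected' (limit hit) or 'malformed' (not well-formed): log and drop, never crash."""
    try:
        bounded_parse(document, limits)
        return "ok"
    except ParseRejected:
        return "rejected"
    except xml.parsers.expat.ExpatError:
        return "malformed"

# Constructed inputs shaped like the cases discussed: one benign document and three hostile shapes.
GOOD = b"<doc><a x='1'/><b/></doc>"
DEEP = b"<d>" * 1000 + b"</d>" * 1000                                   # deep nesting in a short message
WIDE = b"<e " + b" ".join(b"a%d='1'" % i for i in range(500)) + b"/>"  # many attributes on one element
LONG_NAME = b"<" + b"n" * 10000 + b"/>"                                # very long element name
```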