Is Security Research Always Useful?

Anyone involved in the computer industry likely spends some amount of time reading about the latest security issues in books such as Security for Web Developers. Administrators and developers probably spend more time than many people, but no one can possibly read all the security research available today. There are so many researchers looking for so many bugs in so many places and in so many different ways that even if someone had the time and inclination to read every security article produced, it would be impossible. You’d need to be the speediest reader on the planet (and then some) to even think about scratching the surface. So, you must contemplate the usefulness of all that research—whether it’s actually useful or simply a method for some people to get their name on a piece of paper.

Some of the attacks require physical access to the system. In some cases, you must actually take the system apart to access components in order to perform the security trick. Unless you or your organization is in the habit of allowing perfect strangers physical access to your systems, which might include taking them apart, you must wonder whether the security issue is even worth worrying about. You need to ask why someone would take the time to document a security issue that’s nearly impossible to see, much less perform in a real-world environment. More importantly, the moment you see that a security issue requires physical access to the device, you can probably stop reading.

You also find attacks that require special equipment to perform. The article, How encryption keys could be stolen by your lunch, discusses one such attack. In fact, the article contains a picture of the special equipment that you must build to perpetrate the attack. It places said equipment into a piece of pita bread, which adds a fanciful twist to something that is already quite odd and pretty much unworkable given that you must be within 50 cm (19.6 in) from the device you want to attack (assuming that the RF transmission conditions are perfect). Except for the interesting attack vector (using a piece of pita bread), you really have to question why anyone would ever perpetrate this attack given that social engineering and a wealth of other attacks require no special equipment, are highly successful, and work from a much longer distance.

Another example of incredibly weird security research is found in the article, When the good guys are wielding the lasers. I have to admit it’s interesting in a James Bond sort of way, but we’re talking about lasers mounted on drones. This attack at least has the advantage of distance (1 km or 0.6 mi). However, you have to wonder just how the laser was able to get a line of sight with the attack object, a printer in this case. If a device is critical enough that someone separates it from the Internet, it’s also quite likely that the device won’t be sitting in front of a window where someone can use a laser to access it.

A few research pieces become more reasonable by discussing outlandish sorts of hacks that could potentially happen after an initial break-in. The hack discussed in Design flaw in Intel chips opens door to rootkits is one of these sorts of hacks. You can’t perpetrate the hack until after breaking into the system some other way, but the break-in has serious consequences once it occurs. Even so, most hackers won’t take the time because they already have everything needed—the hack is overkill.

The articles that help most provide a shot of reality into the decidedly conspiracy-oriented world of security. For example, Evil conspiracy? Nope, everyday cyber insecurity, discusses a series of events that everyone initially thought pointed to a major cyber attack. It turns out that the events occurred at the same time by coincidence. The article author thoughtfully points out some of the reasons that the conspiracy theories seemed a bit out of place at the outset anyway.

It also helps to know the true sources of potential security issues. For example, the articles, In the security world, the good guys aren’t always good and 5 reasons why newer hires are the company’s biggest data security risk, point out the sources you really do need to consider when creating a security plan. These are the sorts of articles that should attract your attention because they describe a security issue that you really should think about. Likewise, reading articles such as Software developers aren’t implementing encryption correctly and 4 fatal problems with PKI helps you understand why your security measures may not always work as well as anticipated.

The point is that you encounter a lot of information out there that doesn’t help you make your system any more secure. It may be interesting if you have the time to read it, but the tactics truly aren’t practical and no hacker is going to use them. Critical thinking skills are your best asset when building your security knowledge. Let me know about your take on security research at [email protected].


Code::Blocks on the Mac

A lot of Mac users have written to complain about the stability of Code::Blocks 8.02 on the Mac. This is the version used for the 2nd Edition of C++ All-in-One for Dummies. My first recommendation is that you obtain a copy of C++ All-In-One for Dummies, 3rd Edition if at all possible. This edition of the book contains additional installation details, updated examples, and all sorts of extras that will make your C++ learning experience so much better. Of course, not everyone will want to make the upgrade, but I stick by previous posts saying that some examples won’t work as well as they might if you use a different version of Code::Blocks than specified in the books. However, I also feel your pain. I personally didn’t experience stability problems with the 8.02 release and I’m sure others didn’t either, but enough people have complained that I feel obliged to discuss the issue in a post.

The Code::Blocks 13.12 version used for the 3rd Edition book is considerably more stable than the 8.02 version used for the 2nd edition book. If you really must continue using the 2nd edition book with your Mac, I suggest that you update to Code::Blocks 13.12 if you find that the 8.02 version causes you problems. If you go this route, please be sure to read the Using Code::Blocks 13.12 with C++ All-in-One for Dummies post. It provides you with information you absolutely must have in order to use the updated version successfully.

I always want to hear your book-specific input at [email protected]. Your input helps me create better books and it also allows me to provide posts like this one that help readers work around potential issues. Thank you for your continued support of my books!


C++ Data Type Usage

The Going Overboard section on page 43 of C++ All-In-One for Dummies, 3rd Edition talks about the problems that can occur when you try to stuff a number that’s too large into a specific data type. The problem with the example shown:

    cout << 8762547892451 * 10 / 2 * 3 + 25 << endl;

is that it doesn’t actually result in an error. The literal 8762547892451 is too large for an int, so the compiler gives it a wider integer type that can hold it and evaluates the whole expression in that type, rather than falling back to a default data type of long as would have happened in the past. It’s nice that C++ automatically fixes ambiguous code for you, but it also means that the example doesn’t work as described in the book. In order to see the example as originally intended, you need to change the code to read:

    long MyLong = 8762547892451 * 10 / 2 * 3 + 25;
    cout << MyLong << endl;

The code will now produce an error, just as described in the book, because the data type isn’t ambiguous any longer. The error message does differ slightly. What you’ll see is an error message of:

    warning: overflow in implicit constant conversion [-Woverflow]

Except for having to make the code less ambiguous, the section should continue to work as it did before. Please let me know if you have any questions or concerns about this example at [email protected].
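The following is an added example of my own, not code from the book, that carries the same arithmetic through with the narrowing made explicit. Whether the assignment to long actually narrows depends on the target: on Windows toolchains such as MinGW, long is 32 bits wide, which is what produces the -Woverflow warning quoted above, while on 64-bit Linux and macOS long is 64 bits and the assignment is silent. The example therefore narrows to the fixed-width std::int32_t so that it behaves the same everywhere, and sets the silent truncation beside a checked conversion that refuses any value that does not fit. That check is the defence against integer-truncation bugs, which are a classic source of buffer sizing errors. All function and constant names below (kBookValue, truncate_to_int32, checked_narrow, fits_int32, fits_int8) are my own.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>
#include <type_traits>

// The book's expression evaluated in 64 bits. The literal 8762547892451 does
// not fit in a 32-bit int, so the compiler gives it a wider integer type and
// the whole expression is computed in that type. (Example code, not the book's.)
constexpr long long kBookValue = 8762547892451LL * 10 / 2 * 3 + 25;  // 131438218386790

// Plain narrowing: this is what "long MyLong = ...;" does on a platform where
// long is 32 bits. The high bits are discarded, i.e. the value wraps modulo 2^32
// on every mainstream compiler.
std::int32_t truncate_to_int32(long long value) {
    return static_cast<std::int32_t>(value);
}

// Checked narrowing: store the value in out only if To can represent it.
// Returns false and leaves out untouched instead of silently wrapping.
template <typename To, typename From>
bool checked_narrow(From value, To& out) {
    static_assert(std::is_integral<To>::value && std::is_signed<To>::value &&
                  std::is_integral<From>::value && std::is_signed<From>::value,
                  "signed integer types only");
    const std::intmax_t v = value;  // widen first, then compare against To's range
    if (v < static_cast<std::intmax_t>(std::numeric_limits<To>::min()) ||
        v > static_cast<std::intmax_t>(std::numeric_limits<To>::max())) {
        return false;
    }
    out = static_cast<To>(v);
    return true;
}

// Small wrappers so the outcome can be inspected without output parameters.
bool fits_int32(long long v) { std::int32_t out = 0; return checked_narrow(v, out); }
bool fits_int8(long long v)  { std::int8_t  out = 0; return checked_narrow(v, out); }

int main() {
    std::cout << "value:                  " << kBookValue << '\n';
    std::cout << "truncated to 32 bits:   " << truncate_to_int32(kBookValue) << '\n';
    std::cout << "checked fit in 32 bits: " << (fits_int32(kBookValue) ? "yes" : "no") << '\n';
    std::cout << "checked fit of 25:      " << (fits_int32(25) ? "yes" : "no") << '\n';
    return 0;
}
```

The check widens to std::intmax_t before comparing, so the same template works for any pair of signed integer types; the truncation function is kept separate only to show what the unchecked assignment in the book's corrected listing does on a 32-bit long.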


Security = Scrutiny

There is a myth among administrators and developers that it’s possible to keep a machine free of viruses, adware, Trojans, and other forms of malware simply by disconnecting it from the Internet. I’m showing my age (yet again), but machines were being infected with all sorts of malware long before the Internet became any sort of connectivity solution for any system. At one time it was floppy disks that were the culprit, but all sorts of other avenues of attack present themselves. To dismiss things like evil USB drives that take over systems, even systems not connected to the Internet, is akin to closing your eyes and hoping an opponent doesn’t choose to hit you while you’re not looking. After all, it wouldn’t be fair. However, whoever said that life was fair or that anyone involved in security plays by the rules? If you want to keep your systems free of malware, then you need to be alert and scrutinize them continually.

Let’s look at this issue another way. If you refused to do anything about the burglar rummaging around on the first floor while you listened in your bedroom on the second floor, the police would think you’re pretty odd. The first thing they’ll ask you is why you don’t have an alarm system installed in your home. Or if you do have one, wouldn’t it have been a good idea to set it in the first place, so more people would have been notified about this security breach? In addition to alarm systems, some homeowners also have CCTV cameras installed around their homes, which can provide a good image of the burglar. However, it’s still important to try to do something to actually stop the burglar. Whatever you do, you can’t just stand back and do nothing. More importantly, you’d have a really hard time getting any sort of sympathy or empathy from the police. After all, if you just let a burglar take your things while you blithely refuse to acknowledge the burglar’s presence, whose fault is that? (Getting bonked on the back of the head while you are looking is another story.) That’s why you need to monitor your systems, even if they aren’t connected to the Internet. Someone wants to ruin your day and they’re not playing around. Hackers are dead serious about grabbing every bit of usable data on your system and using it to make your life truly terrible. Your misery makes them sublimely happy. Really, take my word for it.

The reason I’m discussing this issue is that I’m still seeing stories like, “Chinese hacker group among first to target networks isolated from Internet.” So, what about all those networks that were hacked before the Internet became a connectivity solution? Hackers have been taking networks down for a considerable time period and it doesn’t take an Internet connection to do it. The story is an interesting one because the technique used demonstrates that hackers don’t have to be particularly good at their profession to break into many networks. It’s also alarming because some of the networks targeted were contractors for the US military.

There is no tool, software, connection method, or secret incantation that can protect your system from determined hackers. I’ve said this in every writing about security. Yes, you can use a number of tools to make it more difficult to get through and to dissuade someone who truly isn’t all that determined. Unfortunately, no matter how high you make the walls of your server fortress, the hacker can always go just a bit further to climb them. Headlines such as “Advanced Attackers go Undetected for a Median of 229 Days; Only One-Third of Organizations Identify Breaches on Their Own” tell me that most organizations could do more to scrutinize their networks. Every informed piece of security writing I read says that you can’t trust anyone or anything when you’re responsible for security, yet organizations continue to ignore that burglar on the first floor.

There is the question of whether it’s possible to detect and handle every threat. The answer is that it isn’t. Truly gifted hackers will blindside you and cause terrifying damage to your systems every time. Monitoring can mitigate the damage and help you recover more quickly, but the fact is that it’s definitely possible to do better. Let me know your thoughts about security at [email protected].

C++ Switch Statement Using Strings

Readers sometimes ask me the same question often enough that I feel compelled to provide the answer on my blog so that everyone has the benefit of seeing it. C++ does have a switch statement, but you need to use a numeric value with it as described in my book, C++ All-In-One for Dummies, 3rd Edition (see page 233 for details). A number of C# developers who are also learning to use C++ have asked me about using strings in the switch statement, which is clearly impossible without some fancy programming technique.

Fortunately, I have found a method for implementing switches using strings on CodeGuru. As the author states, it’s not a perfect solution and you may not find it works for you, but it is an ingenious coding technique and you should at least look at it. It’s better than saying the goal isn’t achievable using any means. To get a better idea of the methods other coders have used to overcome this problem, check out online discussions, such as Why switch statement cannot be applied on strings?.
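As an added example (my own code, not the CodeGuru article’s implementation), here is one version of the “fancy programming technique” the question is about: the switch operates on a hash of the string, and the case labels are hashes of string literals computed at compile time by a constexpr function. Two different strings can hash to the same value, so each case compares the real text before accepting the match; a dispatcher that trusts the hash alone would treat any colliding input as a valid command, which matters when the string comes from user or network input. The names fnv1a, hash_string, parse_command and the Command enum are mine; the hash is the standard 64-bit FNV-1a.

```cpp
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <string>

// 64-bit FNV-1a over a NUL-terminated string, written recursively so it is a
// valid C++11 constexpr function and can be used as a case label.
// (Example code, not from the CodeGuru article.)
constexpr std::uint64_t fnv1a(const char* s,
                              std::uint64_t h = 14695981039346656037ULL) {
    return *s == '\0'
        ? h
        : fnv1a(s + 1, (h ^ static_cast<unsigned char>(*s)) * 1099511628211ULL);
}

// Runtime hash of a std::string; it must agree byte for byte with fnv1a above,
// otherwise no case label would ever match.
std::uint64_t hash_string(const std::string& s) {
    std::uint64_t h = 14695981039346656037ULL;
    for (unsigned char c : s) {
        h = (h ^ c) * 1099511628211ULL;
    }
    return h;
}

enum class Command { Start, Stop, Status, Unknown };

// Switch on the hash of the string. Because two different strings can hash to
// the same value, every case re-checks the actual text before accepting it;
// without that compare, an input colliding with "start" would be run as Start.
Command parse_command(const std::string& text) {
    switch (hash_string(text)) {
        case fnv1a("start"):
            return text == "start" ? Command::Start : Command::Unknown;
        case fnv1a("stop"):
            return text == "stop" ? Command::Stop : Command::Unknown;
        case fnv1a("status"):
            return text == "status" ? Command::Status : Command::Unknown;
        default:
            return Command::Unknown;
    }
}

const char* command_name(Command c) {
    switch (c) {
        case Command::Start:  return "Start";
        case Command::Stop:   return "Stop";
        case Command::Status: return "Status";
        default:              return "Unknown";
    }
}

int main() {
    // Constructed sample inputs, including a wrong case and an unknown word.
    for (const char* input : {"start", "stop", "status", "Start", "restart", ""}) {
        std::cout << '"' << input << "\" -> " << command_name(parse_command(input)) << '\n';
    }
    return 0;
}
```

The compiler rejects two case labels with the same value, so a collision between the literals you switch on is caught at build time; the string compare in each case covers the collisions you cannot see at build time, namely between a label and arbitrary input.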

Of course, I’m always on the lookout for other good solutions to reader problems. If you have a solution to this issue of using strings with the C++ switch statement, please contact me at [email protected]. I always want to keep the door open to even more innovative solutions. In the meantime, keep those e-mails coming!


C++ All-in-One for Dummies, 3rd Edition, Error

It seems to be my week for reporting errors! Just yesterday I reported one in Beginning Programming with Python For Dummies. Today I’m reporting an error in C++ All-In-One for Dummies, 3rd Edition. If you look in Book I Chapter 3 on page 67, you see Listing 3-6. The listing title tells you that this example uses brackets to access an individual character in a string, which is precisely what it does. However, what the example is supposed to do is show you how to create the string in the first place. Look at Listing 3-7 on page 68 and you see an example that performs this task. The two listings are switched. As you go through the book, please use Listing 3-7 first and Listing 3-6 second. I’m sorry about any confusion caused by the error. Please contact me at [email protected] if you have any questions about this or any other error in the book. I’ll be only too happy to help.


Understanding the Continuing Need for C++

I maintain statistics on all my books, including C++ All-In-One for Dummies, 3rd Edition. These statistics are based on reader e-mail and other sources of input that I get. I even take the comments on Amazon.com into account. One of the most common C++ questions I get (not the most common, but it’s up there) is why someone would want to use the language in the first place. It’s true, C++ isn’t the language to use if you’re creating a database application. However, it is the language to use if you’re writing low-level code that has to run fast. C++ also sees use in a vast number of libraries because library code has to be fast. For example, check out the Python libraries at some point and you’ll find C++ staring back at you. In fact, part of the Python documentation discusses how to use C++ to create extensions.

I decided to look through some of my past notes to see if there was some succinct discussion of just why C++ is a useful language for the average developer to know. That’s when I ran across an InfoWorld article entitled, “Stroustrup: Why the 35-year-old C++ still dominates ‘real’ dev.” Given that the guy being interviewed is Bjarne Stroustrup, the inventor of C++, it’s a great source of information. The interview is revealing because it’s obvious that Bjarne is taking a measured view of C++ and not simply telling everyone to use it for every occasion (quite the contrary, in fact).

The bottom line in C++ development is speed. Along with speed, you also get flexibility and great access to the hardware. As with anything, you pay a price for getting these features. In the case of C++, you’ll experience increased development time, greater complexity, and more difficulty in locating bugs. Some people are taking a new route to C++ speed though and that’s to write their code in one language and move it to C++ from there. For example, some Python developers are now cross-compiling their code into C++ to gain a speed advantage. You can read about it in the InfoWorld article entitled, “Python-to-C++ compiler promises speedier execution.”

A lot of readers will close a message to me asking whether there is a single language they can learn to do everything well. Unfortunately, there isn’t any such language and given the nature of computer languages, I doubt there ever will be. Every language has a niche for which it’s indispensable. The smart developer has a toolbox full of languages suited for every job the developer intends to tackle.

Do you find that you really don’t understand how the languages in my books can help you? Let me know your book-specific language questions at [email protected]. It’s always my goal that you understand how the material you’ve learned while reading one of my books will eventually help you in the long run. After all, what’s the point of reading a book that doesn’t help you in some material way? Thanks, as always, for your staunch support of my writing efforts!


Avoiding Unwanted Spaces

Some time back, I created the Adding a Location to the Windows Path blog post to help readers make better use of some of my book examples. Adding a location to the path makes it possible for Windows to locate applications with greater ease. However, that post didn’t make it clear that a space in a path would cause problems. For example, a path such as, C:\Windows; C:\Python33 (note the space) won’t work. In order for the path to work, each individual path must be separated from the others with just a semicolon, such as C:\Windows;C:\Python33. If you’ve added a path to your Windows setup and find that Windows can’t locate the applications you want to use, please check for an unwanted space in the path.

The limitation on using spaces in a path makes sense because you also have to restrict their use at the command line. For example, typing Dir /A D (with a space between the A and the D) will produce an error. In order to obtain the correct results, you must type Dir /AD and press Enter. The reason the space causes a problem is because the command processor treats spaces as a delimiter, a separator between command elements. The space tells the command processor that one element has ended and a new one has started.

Spaces can creep into commands with relative ease. All it takes is a simple tap on the spacebar at the wrong time. In addition, spaces can be hard to spot when you use certain fonts. When working in an editor to create batch files or other permanently stored command forms, always use a monospace font, such as Courier New, to make spaces easier to spot. The point is to look for unwanted spaces when a command line feature doesn’t work properly and you know you have typed the correct command.
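Because the stray space is so hard to see, a small checker helps. The following is an added example of my own, not a tool from the book: it splits a Windows-style PATH value on the semicolon and reports each entry that the shell would not resolve as intended, namely entries with leading or trailing whitespace (the C:\Windows; C:\Python33 case above) and empty entries left behind by a doubled or trailing semicolon. Spaces inside an entry, as in C:\Program Files, are fine and are deliberately not flagged. The names PathIssue and check_path are mine, and the PATH strings in main are constructed samples.

```cpp
#include <iostream>
#include <string>
#include <vector>

// One finding about a PATH entry: its position, the raw text, and the problem.
// (Example code, not from the blog post.)
struct PathIssue {
    std::size_t index;
    std::string entry;
    std::string problem;
};

static bool is_blank(char c) { return c == ' ' || c == '\t'; }

// Split a Windows-style PATH on ';' and report entries that would not resolve:
// leading/trailing whitespace around the separator, and empty entries from
// ";;" or a trailing ';'. Spaces inside an entry ("C:\Program Files") are legal.
std::vector<PathIssue> check_path(const std::string& path) {
    std::vector<PathIssue> issues;
    if (path.empty()) {
        return issues;
    }
    std::size_t index = 0;
    std::size_t start = 0;
    while (start <= path.size()) {
        std::size_t end = path.find(';', start);
        if (end == std::string::npos) {
            end = path.size();
        }
        const std::string entry = path.substr(start, end - start);
        if (entry.empty()) {
            issues.push_back({index, entry, "empty entry (doubled or trailing semicolon)"});
        } else if (is_blank(entry.front()) || is_blank(entry.back())) {
            issues.push_back({index, entry, "leading or trailing whitespace"});
        }
        ++index;
        start = end + 1;
    }
    return issues;
}

// Convenience: number of problems found, for quick pass/fail use.
std::size_t count_path_issues(const std::string& path) {
    return check_path(path).size();
}

int main() {
    // Constructed sample: the post's bad value plus a trailing semicolon.
    const std::string sample = "C:\\Windows; C:\\Python33;C:\\Program Files\\Tool;";
    for (const PathIssue& issue : check_path(sample)) {
        std::cout << "entry " << issue.index << " [" << issue.entry << "]: "
                  << issue.problem << '\n';
    }
    return 0;
}
```

Run it on the actual value of PATH (for example by pasting the output of the echo %PATH% command into the sample string) and every reported index points at the entry whose separator needs fixing.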

As a reminder from my books, the command line can also be case sensitive in some cases. Make sure you check your commands to ensure they’re formatted correctly. Let me know about your book-specific command line issue at [email protected].


C++ All-in-One for Dummies 3rd Edition Extras

A number of you have pointed out that the extras for C++ All-In-One for Dummies, 3rd Edition on the Dummies site are a bit confused at the moment. Thank you, as always, for your input. I always appreciate getting your e-mails on any topic that affects the usability of my books. The publisher has assured me that the links will be cleaned up. Of course, eventually getting the links fixed won’t help you today. With this in mind, here is a list of the actual extras for this book—the elements that I’ll support and that provide support for the book:

To access a particular extra, just click its link in the list. Of the items you can download, the items that I most strongly suggest you download are the code examples. Downloading the code examples will save you considerable time, reduce potential errors, and make your experience with the book a lot better. If you want to type the examples in by hand, try them first using the downloaded code and then type them in. Using this two-step process makes it possible for you to easily see typos that you make as you work with the code on your own.

Remember that this edition of the book uses a newer IDE, Code::Blocks 13.12. Even though some examples will work with the older versions of Code::Blocks used in the second edition, other examples won’t. Upgrading your copy of Code::Blocks to version 13.12 ensures that you see the examples as they are meant to work. A few readers have asked about the requirements for using the extras and you really do need Code::Blocks 13.12 to use them correctly. You can also get by with a compiler that provides C++14 support, but you’ll need to modify the procedures to use that compiler, rather than Code::Blocks. I don’t provide support for other compilers because I don’t have them installed on my system.

Please let me know if you have any other questions about the extras for this book. It’s important to me that you get the maximum value from your purchase. Report any problems to me at [email protected]. Of course, I always want to hear your book-related queries as well.


Fixed C++ Book Link

Last week I announced the release of C++ All-In-One for Dummies, 3rd Edition and told you about a link for the book extras at http://www.dummies.com/extras/cplusplusaio/. Unfortunately, the link didn’t work for a while. Clicking the link produced an error message, rather than a page full of useful content. The publisher has fixed the link and you can now gain access to a lot of really cool book extras:

All these extras will make your reading experience even better. Make sure you check them all out. Of course, I always want to hear your book concerns, especially when it’s something major like not being able to find needed content. Please feel free to contact me at [email protected] with your book-specific question.