May 2006 Archives

Sun May 7 16:24:04 2006

Thanks to computer science

In Germany, we currently have a year of science. In this context, the federal department of education and research together with a company called "Wissenschaft im Dialog" (science in dialog) and the "Gesellschaft fuer Informatik e.V." (Informatics society) pronounced 2006 the year of informatics. Companies can order a "Dank Informatik" (thanks to computer science) sticker to show how computer science is good for the company as well as the general public.

The aim of this campaign is to inform the general public in informative, thrilling and entertaining ways about the importance of informatics. Another goal seems to be to draw more young people into the fields of computer science. All of the above are noble goals and should be supported.

Security is a topic, even in this campaign. For example, there was a discussion round in February at the university of Magdeburg. Reliability, on the other hand, is not a term that can be found on the campaign web site. This is interesting, since the two are closely related, although this seems to not be widely accepted yet.

The easiest way to understand why reliability and security are very close together is an imagined computer system that works exactly as it is supposed to be and is therefore extremely reliable. Does this system crash when being presented with long user inputs? Unlikely. Dependable and flexible security models that guarantee confidentiality, integrity and availability need reliable software foundations. Otherwise, they will get circumvented all the time by exploitation of faults in the software.

Back on the Informatikjahr web site, what fascinated me most was the event search functionality. When entering a search term, you get a list of events that cover the topic. When accidentally hitting the single tick key [ ' ], you end up with a web page of Wissenschaft im Dialog stating that this area is currently worked on. The image links are broken and the page descriptions are from a physics event in Dresden 2003. Of course, this looks suspiciously like a SQL injection vulnerability. Just to make sure, one can enter % in the search field to get all the events they have in the database.

Inspired by the flexible SQL interface unintentionally provided, I took a look at the HTTP Server string the site returns and found a SuSE installation of an Apache 1.3.27, mod_perl 1.27, mod_ssl 2.8.12, OpenSSL 0.9.6i as well as PHP 4.4.0. Most things in this list are outdated and some have severe known security issues. And just in case you accidentally deleted the icons directory from your Apache document root, you can get a fresh copy from Informatikjahr.de/icons/.

So we have an initiative that aims at showing the people of this country how important computer science is and hereby implicitly how dependent they are on correctly functioning computer systems. This might inspire people to get into computer science, may be to write software and even publish it, potentially open source, which are desirable outcomes. The campaign is underway and there is still half a year left, so may be we will see events concerning reliable systems, secure development, web application security and privacy as well as maintaining open source systems for reliability and security. But one thing is already obvious: We still have a long way to go, thanks to computer science.


Posted by FX | Permanent link