1351 posts • joined 10 Apr 2007
Re: "Trust the OS" - If only it were that simple...
This exploit isn't about buffer overruns as such - that is where you throw too much data at a process and it overwrites executable code with whatever you threw at it. This exploit cannot be detected using memory bounds checking, because it is not violating any memory bound.
When an application allocates memory, this memory is in an "undefined" state. For a cold started system or a block of memory that has never been allocated yet, this memory is usually all zeroes, however there is no guarantee of even this. Hence "undefined".
This exploit allocates 64k of memory, which being "undefined" will generally contain whatever application or process last wrote. Due to deficiencies in the code one byte of memory is copied to this and the whole 64k of memory is returned. It's pot luck what is in this 64k block of memory, but keep on requesting memory and you will eventually get something interesting back.
There are various preventatives for this, such as zeroing the memory on allocation, but for a low level library this is inefficient and as the block of memory should have been overwritten entirely a pointless exercise in wasting processor time. Another is to zero the memory on de-allocation, again for many low level processes this is also inefficient as a relatively simple process could then take 20x longer to complete, multiply a low level task by the number of calls to it and the overall system impact could be disastrous. On the other hand, a code process that stores passwords and private keys should damn well clear the memory after use, but again this is an efficiency argument compared to what can be done on an otherwise "trusted" system.
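Added example, not part of the original post: a small C model of the leak described above, using a toy one-block allocator (`pool_alloc` and `pool_free` are hypothetical names) in place of a real heap so the behaviour is deterministic. It shows stale data coming back when a claimed length is trusted, and two mitigations: zeroing on de-allocation, and rejecting a claimed length that does not match the bytes actually received.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 64

/* Toy allocator: one block that is handed out again without being
   cleared, so whatever the previous user wrote is still in it. */
static unsigned char pool[POOL_SIZE];

/* Constructed sample secret, not a real key. */
static const char SECRET[] = "KEY=constructed-secret";

static unsigned char *pool_alloc(void) { return pool; }

static void pool_free(unsigned char *p, int zero_on_free) {
    /* Mitigation 1: scrub the block when it is released. */
    if (zero_on_free) memset(p, 0, POOL_SIZE);
}

/* An earlier, unrelated piece of code that kept a secret in the block. */
static void previous_user(int zero_on_free) {
    unsigned char *p = pool_alloc();
    memcpy(p, SECRET, sizeof SECRET);
    pool_free(p, zero_on_free);
}

/* Builds an echo reply. actual_len is how many payload bytes arrived;
   claimed_len is the length field the requester sent. With check_len == 0
   the claimed length is trusted, which is the flaw being modelled.
   Returns the reply length, or -1 if the request is rejected. */
static long echo_reply(const unsigned char *payload, size_t actual_len,
                       size_t claimed_len, int check_len,
                       unsigned char *out) {
    if (actual_len > POOL_SIZE || claimed_len > POOL_SIZE) return -1;
    /* Mitigation 2: the claimed length must match what was received. */
    if (check_len && claimed_len != actual_len) return -1;

    unsigned char *buf = pool_alloc();
    memcpy(buf, payload, actual_len);   /* only the real bytes are written */
    memcpy(out, buf, claimed_len);      /* but the claimed length goes back */
    pool_free(buf, 0);
    return (long)claimed_len;
}

/* Byte search that tolerates embedded NULs in the haystack. */
static int contains(const unsigned char *hay, size_t hay_len,
                    const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Sends a 1-byte payload that claims to be POOL_SIZE bytes long.
   Returns 1 if the reply contains the stale secret, 0 if it does not,
   -1 if the request was rejected. */
int leak_demo(int zero_on_free, int check_len) {
    unsigned char out[POOL_SIZE];
    const unsigned char payload[1] = { 'A' };

    memset(pool, 0, POOL_SIZE);         /* known starting state */
    previous_user(zero_on_free);

    long n = echo_reply(payload, sizeof payload, POOL_SIZE, check_len, out);
    if (n < 0) return -1;
    return contains(out, (size_t)n, "constructed-secret");
}

int main(void) {
    printf("trusted length, no scrub : %d\n", leak_demo(0, 0));
    printf("trusted length, scrubbed : %d\n", leak_demo(1, 0));
    printf("length checked           : %d\n", leak_demo(0, 1));
    return 0;
}
```

No access in this model goes outside the 64-byte block, which is why a bounds checker on the block itself has nothing to report.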
Re: Rust would help, but there's a reason it's not used there
That is the problem. There are some very clever code analysis systems that can help to spot these kinds of mistakes, but they can't spot everything.
Re: This attitude is not the key to success
System libraries usually need to be implemented in the most efficient possible way. That efficiency is achieved by working as close as possible to the "bare metal" — And C gets you there.
BOLD TALK ... FROM THE EIGHTIES! Well, already in 1984: The Lilith
Writing in C means you have to be much more careful
THIS ZIMMER FRAME REALLY GETS ME THERE FASTER, I JUST HAVE TO BE CAREFUL WHEN GOING DOWNSTAIRS. SURE I BROKE MY NECK A FEW TIMES, BUT IT'S NOT GONNA HAPPEN AGAIN.
This kind of attitude to coding is exactly why many current applications and indeed operating systems are so staggeringly inefficient and slow compared to the equivalent of even a few years ago despite the hardware being orders of magnitude faster.
The lower level the API the less appropriate it is that it is implemented using "managed" code. If you had an understanding about just how much more processor resources (memory and CPU cycles) are consumed by managed code than unmanaged code then you would understand. Some things are appropriately implemented one way, some another. No one programming technique is appropriate for all cases and attempting to use one across all or to use the wrong technique is utterly stupid.
Re: I don't get it..
I don't get it either, all the open source morons have been saying for years their OSS crap is more secure, then we get things like this. Oh and the 23 year old x windows vuln exposed a few months ago.
Hint: down arrow is below, morons lol :)
Mistakes are made equally in Open Source Software and Closed Source Software. The point with OSS is that it can be made more secure. This kind of fault in closed source may never get spotted or reported and then you'll be in an even worse situation where you don't know about the fault or how long it's been there.
Re: Read between the lines
In this case it would appear that those responsible forgot that they were dealing with a work-force based in the UK and treated them as if they were in the US.
A common mistake made by many Americans, they seem unable to realise that laws differ and that laws of the USA are not universal.
The gulf in differences is quite staggering... effectively in the US an employee has no rights whatsoever compared to the UK. AFAIK many of these rights come from contract law where both parties have to agree to contractual changes, rather than a company just making changes as they feel fit.
The 5+5 is a home deal and the licensing is explicit in that the software may only be used for personal purposes.
In many ways the rental of the cloud software is another backwards step, because where previously multiple users could use the same system with the same licenced software on it, now the users themselves are licenced. In many organisations this won't be practically different from before but in some it will be.
Re: Am I the only one...
You've neatly summarised just why it isn't fine... because it's not usable as is and you have to alter its initial behavior to make it useful.
The underlying Windows 8 OS part is good, the awful "not-metro" interface kludged on top of it is not - it's acceptable for a hand held touch screen device, nothing else. Unfortunately users are generally forced into the "not-metro" interface far too often even with the "Boot to desktop" option found and checked.
Re: Bring the App Store to Windows 7!
Please stop posting sense. Otherwise Microsoft may have to come out with all kinds of marketing-speak technobabble as to why that just isn't possible and never will be even though they own both the OS and the application layer on top of it.
Is it me or does the sale price of some of these items feel a bit low considering their significance in the achievements of mankind? Incidental stuff used by film stars often sells for considerably more.
Actually, I think I'd be perfect because I absolutely don't want to do it (but somebody has to).
Where's that quote from? Something about the best politicians being the ones that don't want to be?
For some reason I suddenly have a desire to watch Monty Python again... :)
The particularly upsetting thing about it all, is that if any of us (non MP) did something like this in business we'd be instantly fired (no bonus, golden handshake or anything) and then given a civil case for recovery.
Whereas she can lie, cheat and steal and then attempt to cover it up, probably using more tax payer money, and then gets off with a limp apology and doubtless a cushy job somewhere else.
Thorough enough review, but one has to wonder about the sensibility from Dell in waving such a device around if it can be savaged so thoroughly. Unless of course that's the aim and it is an alpha or beta test going on rather than a review of a released product.
Re: Thank god I have an old car
No it isn't, 90% of it is about marketing. A touchscreen in a car is not progress by any definition for example. And networking all the systems together to provide functionality that's not required isn't progress either.
I agree that a touchscreen in a car isn't exactly progress. The "user interface" of a car works through not putting too much burden on the user (the driver). Physical knobs and buttons are good as they can be operated without the driver having to focus on a non-tactile touchscreen to check that the function that they hope is there is being displayed and that their finger is in the right place.
Why is the functionality not required? You're making a broad statement based on your preferences. Better control of the car and its performance helps fuel economy and safety. A suitably experienced driver familiar with their car may be arguably safer than a less experienced driver however driving isn't about just these "super drivers", it's about all the more normal drivers. A smartly controlled system will most likely save fuel compared to even the most experienced "fuel saving" drivers.
Re: Thank god I have an old car
No offence mate, but you really need to go on an engineering course if you think ANY of the things you've listed require a networked system in the first place, never mind one running IP over ethernet.
Yes, CAN bus already exists and it's already overkill. As for "air conditioning, windows and mirrors to control, seat positioning, lighting" needing networking - sorry, were you trying to be funny or have you really drunk so much of the kool aid that you just can't see a simple way of doing these utterly simple tasks?
While at a fundamental level, it's true that nothing I listed requires a networked system in the first place, the same could be said of your phone, your computer and your printer. After all, you could just retype all of your contacts again in your phone, or use a hand held phone book and a pen. You could just write your reports rather than typing them on your computer and printing them out. However it's about progress... and progress in the device engineering front is steadily heading towards more and smarter control of devices. This allows much more efficient and accurate operation and much better diagnostics... and this requires a lot more sensors and a result is a lot more and better communication. In a car, a CAN connected ABS system can report traction problems to a central system, it can report back for each individual wheel if necessary and this can be fed back into all manner of systems, cross referenced with other sensors and devices (e.g. temperature sensors) and the operating parameters adjusted appropriately (ABS in the wet, dry and cold, potentially icy, conditions really does need different operation profiles). This is just one small example of ABS and systems where command and response is vital.
Why wouldn't lighting, air conditioning, mirrors, seat positioning and lighting need networking? If you've ever driven a vehicle with multiple driver profiles it's an enormous benefit having your own driving preferences compared to a partners and being able to switch between them quickly and safely.
I'm all for simple, however simple doesn't always equate to efficient, optimal or useful.
Re: Thank god I have an old car
Electric cars are even simpler than internal combustion - some electronics to charge the battery and run the motor. Done. Dump all the other crap and save weight and space. I can't really see why it needs an internal network running over ethernet other than it being some geeks wet dream.
A hell of an over-simplification there. In a conventional car there are many systems that communicate and are managed through the ECU - both monitoring and control systems or just a convenient way to integrate everything (often the monitoring is separate to the control systems). In the majority of vehicles these operate over a variety of the CAN Bus, as it's a simple bus and very resilient to the hostile environment of a motor vehicle. However an electric vehicle will be a considerably less hostile environment than a combustion engine system therefore there is scope for different systems. For example there is also a variety of the CAN protocol that can run over IP although this scheme is generally more used in an industrial environment than motor.
So why shouldn't there be an internal network running ethernet / IP? It's a good opportunity to take advantage of standard interfaces between components which is always a good thing compared to proprietary connectors and interfaces. A modern electric vehicle consists of a lot more than just a charger, battery and motor - there's all the battery management, battery level management and notification (e.g. "you have 12 miles remaining - charge soon"), recharge braking, ABS, tyre and other pressure monitors, audio system, navigation system, suspension management, air conditioning, windows and mirrors to control, seat positioning, lighting, dash board notifications and so on.
If you've done PPTs in the corporate world, you'd understand how nice using a touch interface on a screen that big is.
You mean stock whiteboard / projector systems? They're not often physical touch, even less often multi-touch with the enhanced control that can bring. This is aside from decent size "displays" where touching them isn't feasible unless you are 8' tall with arms that match. It may be marginally incorrect, but a sub 5' sales woman repeatedly jumping to reach parts of a whiteboard system is something that is hard not to find amusing and wipe from your mind...
Mirror the display onto a tablet, touch that without having to lean across a larger screen covering it. This also means that the presenter can remain facing the audience. iPads already have this functionality. Not that interactive white boards don't have a use, but on many corporate occasions this would be better.
I'd highly doubt that an iTV (hmm, possibly name issue there) Apple TV would be touch based. It's just not a remotely sensible way to interact with a large screen unless you are either (a) a small child who watches TV from 2" away or (b) Microsoft and insist on using a touch interface where it's not useful.
Instead I'd expect to be able to use an iPad, or possibly an iPhone to control the device. Possibly to play content back on one or more of these devices as well. Even just supporting audio would be a dream in many houses where viewers can listen to the tv at their own volume without disturbing anybody else.
Apple would doubtless be tempted to put in proprietary speaker links, to fair quality, but somewhat overpriced speakers.
A more visionary Apple would turn the device into an entertainment hub, pretty much iTunes on a TV with wireless link to local devices. Such an iTunes in essence ought to require little more than a reasonable processor, local (cache) storage and a display and this kind of spec is getting there with many "smart" TVs and set top boxes.
In all this time of the BYOD pushers releasing press notices and other such "advertising" as they can get away with... I've still yet to fully understand just who BYOD will actually benefit other than the pushers of BYOD management systems.
The majority of staff use a computer as a tool to do a job. If it works, that's its requirements taken care of. Power users, of various types, have always required more specialised systems and a good corporate IT department will cater for these as well and in practice, in a given organisation there won't be more than a few different distinct power user requirements, although there may always be the odd specific case.
"Bring your own mobile device"... now that does have value as an employee would then not have to carry multiple devices around. There is also the cynical point of view that an employee is more likely to take care of their own mobile device than a company one.
Re: .NET - wasted opportunity
I thought at the time it was a clever move, as it meant MS could still punt a .NET version of Office to other OS users - Mac and Linux being key.
Why did it never pan out that way ?
- The MS Office code uses a lot of specific, private calls to the Operating System and is not restricted to the published APIs.
- For marketing reasons Microsoft chose to re-implement / merge the Windows visual interface control code in the application itself rather than pass rendering of user interface elements to the Operating System. This does present a consistent interface but is against the point of a windowing environment such as the Windows shell.
- MS Office uses a lot of Windows specific features and functions. Such as the registry, ActiveX, and local and domain security functionality. These would have to be abstracted properly within the code base, skipped or re-implemented somehow in a different Operating System.
- .NET is .dll hell taken to extreme levels. MS would have to specifically recreate this level of pain for other Operating Systems.
Re: What's the problem?
Precisely my thoughts. Most people see the word "database" and make the assumption that this implies a networked or online data repository on a computer system. A set of documents in a filing cabinet is a database and this is made quite clear in the (EU) Data Protection Act.
Re: I think this is important
While I agree that there is now more obvious gender targeting of lego, to a large part this was always the case. The "city" lego was usually shown with pictures of girls and boys. The "space" lego was usually shown with pictures of boys. The rather older "house" lego (where you built rooms and had articulated characters) was usually shown with girls.
However dump all the pieces in a box and they become the building blocks that a much wider variety of things can be built of - but that's the enduring beauty of lego, what you can do with it. The more specific the piece then usually the less options for re-use there are but even this encourages creativity - want a satellite dish for the side of a house but don't have one, use a water character's "tray" instead.. want a downlighter for a light but don't have one, use a satellite dish... and so on.
The interesting thing about the blue = boy, pink = girl colour gender assignment is that this is a relatively recent assignment; It used to be the other way around. It's also interesting to note that it wasn't that long ago that up until a reasonable age boys and girls were dressed near identically.
Exactly my thoughts on this. Statistics, lies and damn statistics.
I remember wishing that they had other expressions other than "gormless grin" or that there was a difference between male and female faces. The enterprising among us got hold of marker pens and drew faces on (aka mauled with a marker) the reverse of the head to give us some variety.
Re: Still hate the tiles and the window decorations
I still really wish that Microsoft had gone the OpenGL route rather than the (frequent) abomination that is DirectX. It's not that DirectX is inherently bad (it's steadily improved a lot since the earlier versions), it's just that working with it compared to OpenGL there is a lot of boilerplate, inefficiencies and lock-ins and more than a few cases where a little more transparency would be nice as it would help figuring out what is actually going on, or just going wrong :). OpenGL has its faults as well and comparing OpenGL (graphics) to DirectX (graphics, video, audio, input and more) isn't exactly a fair or straight comparison but a more standard approach would have benefitted everybody including Microsoft and the implementations of OpenGL would have improved as well. Instead we generally have to use a further level of abstraction to try to develop in a more cross platform manner and this introduces a whole host of new problems.
Embedding good support for OpenGL within the windows UI would be a dream for many standard (i.e. not game) application developers compared to the pain of all the work arounds to produce good quality, efficient, embedded imagery otherwise.
This would still leave windows as a platform competing against others, but it could then compete more fairly and if Microsoft worked hard to produce the best experience and the best (non-lockin) services to support it all they'd be onto a really good thing. Instead games and gamers are steadily moving to other platforms.
Re: Production Line
You are very correct about building things more appropriately in the first place. However the commercial computer industry is very young, it has changed massively in its time due to huge advances in technology and along the way common sense has often given way to convenience or greed. In this case I mean greed through trying to get a product out as quick as possible, ignoring the future or best practices. This applies equally to the designers of industrial machinery utilising the advantages that computers could give them.
This is where defined standards are critical to everything. We wouldn't have the Internet we have today without defined standards which are, relatively, vendor neutral. Individual vendors will always want to push their take on something which shouldn't really be seen as a wholly bad thing, as long as the end result is sensible. The more open these standards are the better as it allows the implementation of a solution by multiple, competing vendors and interoperability between systems. Again, we wouldn't have the World Wide Web without this - instead we'd be mired in the locked in blight that was AOL, Compuserve and similar.
Standards benefit many levels, for example Virgin Media uses cable modems that adhere to the DOCSIS standard. This allows VM to select the "best" or "most appropriate" solution for them which need not be a single supplier or manufacturer. The residential power plugs we take for granted all use a defined standard, with defined tolerances and performance - consider the nightmare this would be without this basic standard - an extended form of travel plug nightmare. For reference, in the early days of computers and PCs, many used proprietary connectors for the other end of the power cable rather than the IEC form that is now uniform internationally.
Ideally the designers of industrial machinery mentioned here should have used defined communication standards and definitely not use closed, proprietary protocols such as NetBEUI / NetBIOS and similar. Unfortunately these short-sighted decisions are often made in the pursuit of new technology and fast (i.e. cheap) development time. At the time these devices were designed, more open protocols such as CAN (CAN-Open), CAN/TCP or the many other protocols may have not been available or the devices that were available just did not have the right functionality.
Ummmm... thanks for that, but it's annoyingly incomplete: "At least some of the sheep are OK". How do we identify which sheep are OK and which aren't? This could be very, very important for survival at some point.
untidy networked strands
Checks under desk... uh-oh... checks cabinet... oh dear.
It appears we may have a serious infestation here. Haven't spotted the spiders themselves yet though...
Re: You won't miss it till it's gone.
I agree, Lotus Notes had an appalling user interface even when new and it never improved. It did, however, have a lot of very useful features that many users missed in the obligatory move to Microsoft Outlook and Exchange. Microsoft haven't done much with Outlook except re-skin the main interface every few years (the same old back end dialogs are in place in places even in the latest "metro" version, the same old bugs and useless HTML rendering are there as well), made it slower and even more resource hungry and bloated it with lock-in features that most users never notice or use.
On the other hand, has email functionality reached the limit of what is sensible? At which point refinements in email client user interfaces are just that.
Re: Crowd source it
You haven't been thinking about the commercial aspect of it fully: this pound shop could sell these mini-towers. A complete win all round for capitalism.
Re: 10 Downing Street
I know, this one is so outrageous that it's obvious... it's when there is a degree of plausibility to it that it becomes more difficult.
Also, don't forget the article a few weeks ago that mathematics is sexy.
...and that it's the 1st of April :)
Re: "strings" as decompiler?
Sounds like this is the kind of developer who has absolutely no clue whatsoever how anything actually works by way of memory, code or anything else much... However he did fess up to it and (despite the headline here) doesn't seem to be attacking AWS. You don't always have to learn from your own mistakes.
In some ways in a modern environment it could be argued that a developer shouldn't need to know everything that's going on behind the scenes, however good developers should be aware of what's going on.
Searching a delivered package is a world away from decompiling an app. In any case, just how does this developer think the likes of Google and Amazon check that apps are not doing anything untoward? Or in this case, just plain dumb.
Re: One thing I want to know...
That'll be the journalisming monkeys then... I know, I know, with a poor pun and obscure reference like that I'll get me coat...
Re: Daily FAIL
*Insert item* causes cancer and reduces house prices.
*Insert item* causes cancer, reduces house prices and creates an influx of criminal child molesting immigrants.
Re: FruitExpert Launches Free* Online course in lemon see-sawing!
- Yougurt Weaving
I nearly applied for this course but then you made a classic marketing mistake - you outsourced your spell checking... possibly to Nigerians, which reminds me - a lost relative of mine seems to have passed away but there are difficulties in releasing his money...
Re: I'm sure you were railing against something
I think the rather pleasing lady was there to demonstrate that some people do have bends... and even use them. She is not a nobend.
Re: Fee! Fi! Foe! Fums!
I think we need a Register Standard Unit for this?
Re: 1 in 16 boys? seams low
At one point long ago I was a teenage boy and, before the Internet, we had these things called "magazines". Tatty, torn and old they may have been, but every boy had access to them somehow - either through raiding sibling's or even parent's collections or friends who had.
Most of us survived to be relatively normal despite this level of smut in the formative years of our youth.
Re: And yet....
..countries such as France and Holland that have easier access to "smut" and have far more relaxed attitudes to sex in general have lower teenage pregnancies.
Yes, but pandering to parents that don't parent and to pretend that sex and nudity do not have a place in a modern, upstanding society is a wonderful way to appeal to idiots. Or "voters" as the politicians like to refer to them.
If you think the System Restore is bad, wait until you get a handle on the ball-ache mess that is "winsxs". It has to be on your system drive, will happily chew through gigabytes of valuable SSD space and there is very little sensible that can be done about it. In general it tends to always grow in size and never reduces.
Re: Stay with Win7
I'm with you on the usability - it's hopeless on anything other than a (handheld) touchscreen device and even then not great due to the frequent reverts into desktop mode which just doesn't quite work on a handheld device...
However when it comes to reliability, I've always found it to be pretty reliable, especially since 8.1 which removed some annoying problems with settings being occasionally forgotten.
Re: @Nick Ryan - @ bigtimehustler Taxing Income is Immoral and counter productive.
True. VAT is not on food yet, but it is creeping that way.
Re: @ bigtimehustler Taxing Income is Immoral and counter productive.
@ Graham Marsden
When you describe it like that, consumption taxes really do look bad. I'd never thought of it like that.
On the other hand, should the goods and services that a company produces not be taxable? This is what it would require to remove consumption taxes and in order to keep the same "tax income" for a government, income would have to be taxed at an extremely high rate.
Of course, we get taxed on our income, taxed when we spend, pay additional taxes for services, taxed when we save and finally taxed when we die.
Re: Hey Satya, free tip..
True. My opinion is that they'd do much better sticking with just "Azure".
Not that sense and marketing go hand in hand with Microsoft - they had "hotmail" as a strong brand, so fucked around with the name repeatedly until now nobody is entirely sure what Microsoft call it, just that it's "not as good as it used to be" (probably through confusion rather than anything else).
Re: Attempting to give a damn...
Guru Meditation (error)?
AudioGrabber - it might be old, but it's stable and does just what is needed to rip CDs.
AgentRansack - a great way to search for, or in, files without a resource hungry indexing service. One of the few tools other than 7zip and (a restricted) Notepad++ that I routinely deploy on servers.
Picasa - works well on low powered systems and does a good job of all the basic photo manipulations you might need. You don't need to connect it online.
RTF allows embedding of images and Microsoft regularly get their image parsers broken allowing embedded code execution. Most likely it is this rather than the parsing of text, as executable code needs to be stored and a binary (ish) image blob is ideal for this.
RTF is a Microsoft format created by Microsoft, for Microsoft. I believe it was introduced at some point between the Mac and DOS versions to allow them to actually exchange files as the .doc format was (surprise surprise) a bastardised binary stream mess that was changed as regularly as possible and in insane ways to ensure that competing packages couldn't use .doc files properly (and when they make a mess of them, they get the blame).
Re: Floppy drives
The 3.5" drives were mostly either 720K or 1.44M. The Mac version used variable-speed rotation to squeeze 800K on an otherwise 720K disk, which made the older disks incompatible with newer drives. We ran into that when we got our first iMac--the 800K floppies for Civilization wouldn't work with any USB drives.
IIRC technically the 3.5" disks were either 1M or 2M, however the necessary formatting and index structures reduced this down somewhat. PCs were the worst for this, getting only 720k from a disk. Macs were a pain with the drives that had variable spin speeds depending on where over the surface the head was - while sounding odd this did make some sense regarding controlling the amount of data in each sector. The Amiga was pioneering in that it could interface with pretty much anything due to a commendable and open DOS (Disk Operating System) that from the start allowed different file systems, or even parameterised file systems, to be added as long as they complied with the defined API. I vaguely remember hearing about 960K formatted disks however these had to be good quality disks or had even less reliability than normal disks. Atari STs used a largely standard 1M PC disk format.
For an exercise in enterprising programming though, the floppy drive unit for the Commodore 64 features the same processor as the Commodore 64 itself and it could be programmed to execute remote code.
Re: Myth 6
Cheers for the heads up on one of the alternatives - somehow never come across these before.
While the BT-100 do have an element of cool about them... the BT-200 definitely don't. Google's Glass easily has the BT-200 beaten on looks - the lack of cable and monstrous arms helps a bit.