Re: When will we get rid of this malady?
The worst part of that execle system call is had they left out the 1st 2 parameters, not combined the command and its argument in a string, the code would have been smaller and correct.
790 publicly visible posts • joined 10 Jul 2009
If a system program needs to run another program, it should not use a shell as an intermediary.
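The point of the two posts above, as an added example (not part of the original posts, and not the code they refer to): the same hostile argument is passed once through `sh -c` and once directly as its own `argv` entry via `execle`. The `/bin/echo` target, the fixed `PATH` and the sample argument are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run echo with one argument, capture its stdout in out[], return the exit status. */
static int run_echo(const char *arg, int via_shell, char *out, size_t outlen)
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed, minimal environment */
    char cmd[256];
    int fds[2];
    if (outlen == 0 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        if (via_shell) {
            /* Shell form: command and argument glued into one string that sh re-parses. */
            snprintf(cmd, sizeof cmd, "/bin/echo %s", arg);
            execle("/bin/sh", "sh", "-c", cmd, (char *)NULL, envp);
        } else {
            /* Direct form: the argument is a separate argv entry; nothing parses it. */
            execle("/bin/echo", "echo", arg, (char *)NULL, envp);
        }
        _exit(127);  /* only reached if exec failed */
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *arg = "report.txt; echo INJECTED";  /* constructed hostile input */
    char out[256];
    run_echo(arg, 1, out, sizeof out);
    printf("via sh -c: %s", out);   /* the shell runs a second command */
    run_echo(arg, 0, out, sizeof out);
    printf("direct:    %s", out);   /* the whole string stays one literal argument */
    return 0;
}
```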
I've been working with email systems for decades and it is amazing that the same bugs have shown up in so many different programs. My advice to anyone writing an email client is to go get a list of the top 5 major exploits of all the top email programs and make sure your code doesn't do any of them.
Ctrl-Alt-Del could be intercepted on x86 computers of that era. The 1st IBM PCs (5150, the ones with cassette ports) were the ones where it couldn't be intercepted as it sent a hard interrupt but that was removed by the days of the XT which implemented the reboot code in BIOS. Since a PC couldn't use that key combination, no early DOS programs supported its use and it was nearly unused by the time Microsoft needed a "force a login window" key. It had been used by a few games to adjust how they worked in "turbo" mode.
I don't care about design, I care about content.
So many CSS "experts" don't seem to understand they need to define things relative to character sizes and not pixels. If I zoom in to read something, everything needs to zoom in which seems to be something that Chrome broke a long time ago and has just made worse with the newer versions. I use Safari because I can right click on all images and open them in a new window where I can zoom them enough to see. Lately Chrome has decided I don't need that option on all images.
There is other idiocy as well like why does Atlassian have its own font and why can't they make it so it isn't fuzzy? Why can't my bank make a PDF that doesn't need the latest version of Acrobat to display? Oh they put style over content and don't put their magic font in the file.
When your font description language requires a Turing complete system to run, someone is going to play with it. Put that in the trusted part of the OS and bad things will happen.
I've thought it was odd that there hasn't been a widespread abuse of this so far. You can get most browsers to load your own fount that happens to have an O that is drawn over and over and over again in an infinite loop.
Big Data by definition is the ability to de-anonymise data like this.
You take medicine A and B and live in a post code area with a known pollution level. The Venn Diagram intersection of that consists of just you. Repeat for all the rest of the data and other factors. It gets even easier once you can start removing people from the data set since the birthday paradox can be used in reverse. A few trillion iterations through a large data set can keep a modern PC from sleeping for hours at a time.
I think they did figure out how to buy souls. Nearly every retirement fund in the world is now competing with these poor struggling Private Equity firms and many of the retirement funds are constrained in just what they can buy with their money. Two decades ago one of the larger US funds had about a billion a week (and 4 times that once a month) that was to be invested in "high tech" but there just weren't enough shares to go around so the stock price of the tech companies went to insane levels and everyone was happy to watch the pyramid scheme until the bubble burst. A few friends noticed that at the end of their weekly investment cycle the retirement funds would buy things that weren't such a good deal but we couldn't predict which well enough to make use of it.
When the retirement funds have to start pulling out cash over the next decade, I expect the Private Equity firms will be there with deals implying that the retirees have already sold their souls.
A revision from my last attempt at this...
So a billion dollars for about 10 million DNS records. The operation of that database should cost about $600,000 a year (figure $.06 cost per record which is high). Put another way, about $100 for every .org domain now needs to go to pay back the investment which is about $333 per non-squatter. Figure in inflation and the price of the .org domains is going to go way up.
One of the great issues of any GPS system is you don't know exactly where anything is at any given time. You know where it was and you can predict where it is going to be but it's only a very good guess. The satellites are being tracked but there is a delay between signal tracking them and getting the info into a computer half a continent away. The weather is going to delay signals in odd ways that usually allows compensation using different frequencies but only sometimes. The clocks are ticking away with some very high degree of accuracy yet subject to all the oddness that relativity in a gravity well has to offer. The ground stations are busy floating on land that is cruising in different directions at a few cm a year which was considered slow and stable until better GPS systems showed drift rate can vary over the months yet maintain a rock solid annual average. Yet in all that chaos, my phone still can display a map of where it is down to a few meters. I guess this problem demonstrated just how related the chaos of all guesses can be.
The perl 6 issue has caused much confusion and is limiting future adoption of perl.
Out of all the languages we use, perl 5 is the clear winner in dollars profit per line of code, lines of code needing changes per year and feature set per line of code. Some of the other languages have maintenance costs that are more than 4 times the maintenance cost of the perl code base.
Raku has some very interesting concepts and I recommend watching one of Damian Conway's talks about its advanced features.
"Everybody else is allowed to add single digits provided they don't do it too often and have a full set of fingers."
When I first saw Randall Munroe's "Million, Billion, Trillion" on xkcd it started me thinking about how true his hypothesis was so I've been running tests on the theory. I'm assuming the subjects are all consenting adults but I'm not going to ask them if I can play with their brains as it would bias the experiment. It turns out that most people don't understand large numbers at all and this is especially true if they happen to be a politician or board member and there seems to be an inverse relationship between understanding large numbers and how successful they are in their field of endeavor which doesn't do much to give me hope for humanity or reasonable future tax bills.
Telegraphs are still used to control some equipment inside expensive containment areas like matter colliders and reactor containment vessels.
The guy who created the system needed to talk to devices using one wire (as each additional wire could cost upwards of a million dollars to install), and was an amateur radio operator who knew Morse code. His idea was to use Morse code to talk to the equipment inside much like a serial port was used at the time. His boss insisted that he apply for a patent on the concept and after the patent office had correctly rejected most of the claims as being obvious, all he was left with was a patent for the telegraph just like the system used 100 years before.
SSH can be configured to use both a key and a server based password. If your key has a password, then you might have to enter the key's password, the system password and a one time password. System passwords are an additional obstacle to hackers when users end up putting their private key on too many systems or are otherwise negligent in protecting their keys.
In today's prices it would take less than $10,000 in modern hardware to do as much processing as Google was doing at the time they took over as a better search engine than Altavista.
I do miss the "near" and quoted string of words feature of Altavista. I also miss the decent part number lookup that Google used to be very good at.
It looks like the sats might be sending bad ephemeris. GPS systems send a pulse out like "at the sound of the tone it will be xx:xx:xx.0000000000". They also send out rough position info on all the other sats which allows a receiver to get a rough position. Once it has a rough position, then it uses speed of light to set its clock better and use that to gauge the difference between each sat and itself. It then will use the ephemeris data to get a precise idea of where the sat is and how fast it's moving. That data includes atmosphere model hints as well as calculations for orbital wobble. For those who want to play at home, they are something like 12th order 3d polar coordinate polynomials. They include factors that change the wobble because of things like the Moon's gravity as well as factors for Saturn and Jupiter. If there is a problem with the wobble model or the atmosphere model, these sorts of problems will show up.
We noticed. We lit up a new IPv6 link and our provider is still using 1999 BGP concepts on filters so we had to debug links without being able to see what filters they had, what routes they were accepting, a silly process that won't allow us to talk to the NOC combined with an "order" system that not only is clueless about IPv6 but crashes when it finds IPv6 addresses where it expects IPv4 ones.
RFC 7454 would imply more ISPs need to look into the "GE" and "LE" values on their BGP filter lists.
In our cases, the unused parts of our /32 were all going to Hurricane Electric San Jose. Makes me wonder if the routers are a fan of Dionne Warwick.
When I worked for a stock market data processing company, we noticed that the total amount of periodic buys that fit a specific pattern matched some of the retirement funds exactly. i.e. we knew what the fund bought before anyone except their management team. They had a fixed formula of taking their nearly billion dollars of new funds each week and investing it in what made the most sense according to their rules and then spreading out whatever was left using some other system that might have involved a dart board or dice. We could watch the option buys where others had spotted this and were gambling on the major buys but we didn't see much evidence of the secondary buys but knowing them would have been very profitable. If a small group saw this in the data more than two decades ago, who is playing the system now? Oddly enough, IBM seemed to be the catchall stock when there wasn't anything making news.
I've been hunting for a lower power AMD Ryzen appliance type server with no luck. I can't be the only one who is replacing very old gear with newer and finding I don't need anywhere close to what a modern server delivers. I want 1 RU, dual power supplies, ECC, dual ethernet, lights out management and the ability to put about the slowest modern cpu I can find in it. Not everyone can virtualize everything and the load is never going to need the power of a modern cpu.
I've had .amazon blocked in my dns for a long time. I run my own dns server that delegates to what I consider legit TLD and most country codes. Everything else gets an address that tells the proxy and email systems to drop the connection and it cuts out massive amounts of abuse.
The $130,000 is a trivial amount for most companies. When I worked in a sign shop in the 80s, the better neon restaurant signs would have cost $80,000 for one franchise location so if amazon gets their domain, everyone will have to have one too.
If you redirect garbage domains in house to your own server, change GET to the POST in the handling code and return a cookie and then the log can get much more interesting. A list of potential cookie names can be found in the VPN memory image and the thing gets chatty.
Someone needs to hack a dns local resolver like named/bind to do something useful with regex patterns. It would be so cool to be able to tell it "add regexzone /^[a-z0-9]{32,64}/ ; file local_capture"
Power strips often have a cheap 10A circuit breaker in them. One that will get very warm yet never trip if you run 9.9 amps through it for hours. It will get warm enough to melt plastic. Once the load drops, it cools and now the circuit breaker doesn't work anymore so when you dump 14.9 amps into it, the main breaker won't trip until the thing melts enough to properly short out or catches fire.
Most so called stateful firewalls only look at TCP state so if the packet says it's not new, it gets handed off through the firewall. Things like VPNs and VOIP tend to use stateless protocols so most firewalls don't do a proper stateful firewall with those packets. Most VPN software inserts packets on the trusted side of firewalls so there will be no end of security issues. Add in the fact that nearly no one checks for IPv6 even though it is on for nearly every bit of hardware around these days means the old days of Untrusted/DMZ/Trust network design was obsolete two decades ago. A modern firewall must be truly stateful (based on its own idea of state, not bits in the packet) and zone based (using names for groups of interfaces no matter what the ip addresses or vlan) or else these issues will keep showing up.
I use a trackball. I've had people turn it over and try to use it like a mouse.
My father found a bunch of trackballs cheap that ended up as Christmas presents. After a few weeks of using it, I was wondering why they aren't far more popular. I can't stand to use mice now with the exception of the Blit rat.
We used Sparc hardware but we don't have a workload to justify one new machine, let alone 3 redundant systems. The new base system has something like 4 million times the processing power of the first million dollar Sun machine I used.
I guess the Meltdown and Spectre aren't an issue for the fortune 500 or else sales of non-x86 systems would be up.
About half of data streams should have a leading 0 but a vast majority of numbers in a computer have a leading 0. When looking at raw data in a computer when doing reverse engineering, pointers will often have their top bits set but not look like negative numbers. Most other numbers have at least their top 4 bytes all zeros. Modern CPUs move around so many 64 bit numbers that are mostly zero bits that the power use is optimized for it.
I know there are still companies selling WinXP based products that have current licenses and current support from Microsoft. At the end of 2018, there are still large organizations that keep paying for XP support. The only thing that is clearly out of support is the home and small company issues.
Spectre and its friends are mostly academic as long as they are read only. This is the 1st published one implying the ability to change memory. Once there are published public read/write attacks, then the malware people will take notice and then everyone will be shopping for new computers. Hackers aren't so interested in hacking a system with a one in a million chance of finding a banking password but if they have a one in a hundred chance of getting to an entire password list, they will.
I was woken up by what I thought were hacksaw sounds and I noticed a guy with the hood of his car up and working on something. The next day I noticed that the parking meter was gone and there was a freshly cut pipe where it used to be. A few days later all the parking meters were gone as it appeared that the proceeds from the night of the slow hacksaw went to buy a proper pipe cutter which was quick and silent. A few weeks later all the meters were replaced and someone had welded rods on the sides of the pipes. I'm guessing a prybar was the next weapon of choice based on the paint on the top of the newly added fulcrum. The next step was rods with angles and far more precision. At AU$10,000 per year per space, the council wasn't about to let that money go away.
A neighbor wanted to protest the increase in parking cost by getting a key made for the parking meters and then get a hundred copies made and distributed to the homeless before a long weekend. The plan would have put enormous pressure on the council's finances. He wanted to call it "keys for the homeless".
A number of videos that my sister made of dance recitals have been found by adolescent boys and "fixed". The initial updates were crudely putting boy classmates' faces on the girls but I'm guessing someone found a pirate version of better video editing software so the fixes got better. Some of the later work was fortune 500 tv commercial quality. And since these were adolescent boys, most can guess what else was added.
I worked for a company that made valve actuators which are the fancy motors that turn pipeline type valves and they had recently finished their new product. The first one was installed in Australia at the Longford gas plant on 24 September 1998. I know the day because there is a wikipedia page about the explosion the next day. While the device had nothing to do with the fire, the local newspaper had a nice front page photo of the damage to the plant so I sent that back to the company with a nice note saying that it did work as advertised. The device had been in debug mode and had recorded quite a bit of data, some of which was used to figure out just what had happened on the other side of the plant. At least the company had a nice photo of one of their test sites.