Posts by Michael Wojcik

12268 publicly visible posts • joined 21 Dec 2007

When it comes to DNS over HTTPS, it's privacy in excess, frets UK child exploitation watchdog

Michael Wojcik Silver badge

Re: TCP/IP vs. HTTP(S)

And if TLS is in the picture, there may be SNI as well, further confusing the issue. The SNI name is usually the same as the Host header value, for HTTPS, less the optional port suffix; but it doesn't have to be.

The application (e.g. browser) has to tell the TLS layer what SNI name to use. Some TLS APIs may not provide a way to do this separately from the target FQDN (or bare hostname or address) supplied by the user - that is, the TLS API may combine the DNS lookup, SNI configuration, and connection into a single call. That would force the application to use a "correct" name (i.e. one the server recognizes for SNI purposes) in your step 1, in order to get the correct server certificate to perform destination validation.

For that matter, if TLS and PKIX are involved, the application has to match some user-provided string against the SANs in the server certificate. Normally that comes from your step 1.

With other TLS APIs, SNI, DNS, connection, and server-certificate SAN matching are separate. You can set SNI and server name explicitly using the s_client command of the openssl utility, for example. I'm not aware of a popular browser which gives you that level of control, but, hey, they're mostly open-source.
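The separation described in the post above, shown with Python's `ssl` module as an added example (not part of the original post): the SNI name is handed to the TLS layer through `server_hostname` with no DNS lookup or connection at all, then recovered from the resulting ClientHello and compared with a Host header value. The hostnames and helper function names are constructed for illustration.

```python
import ssl


def client_hello_for(sni_name):
    """Return the ClientHello bytes a TLS client emits when told to use sni_name.

    No socket, DNS lookup or connection is involved: the name reaches the
    TLS layer separately from any transport.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()


def _u(raw):
    return int.from_bytes(raw, "big")


def extract_sni(data):
    """Return the host_name in the server_name extension, or None if absent."""
    handshake, pos = b"", 0
    while pos + 5 <= len(data) and data[pos] == 0x16:  # handshake records only
        length = _u(data[pos + 3:pos + 5])
        handshake += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + _u(handshake[1:4])]
    try:
        p = 2 + 32                     # legacy_version + random
        p += 1 + body[p]               # session_id
        p += 2 + _u(body[p:p + 2])     # cipher_suites
        p += 1 + body[p]               # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    end = p + 2 + _u(body[p:p + 2])    # end of the extensions block
    p += 2
    while p + 4 <= min(end, len(body)):
        ext_type, ext_len = _u(body[p:p + 2]), _u(body[p + 2:p + 4])
        ext = body[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != 0:              # 0 = server_name
            continue
        q = 2                          # skip the server_name_list length
        while q + 3 <= len(ext):
            name_len = _u(ext[q + 1:q + 3])
            if ext[q] == 0:            # name_type 0 = host_name
                return ext[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
    return None


def host_without_port(host_header):
    """Normalise a Host header value: lower-case, minus the optional port suffix."""
    host = host_header.strip().lower()
    if host.startswith("["):           # IPv6 literal such as [2001:db8::1]:443
        return host[1:host.index("]")]
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def sni_matches_host(client_hello, host_header):
    """True when the ClientHello's SNI name equals the Host header's hostname."""
    sni = extract_sni(client_hello)
    return sni is not None and sni.lower().rstrip(".") == host_without_port(host_header)


if __name__ == "__main__":
    hello = client_hello_for("www.example.test")        # constructed name
    print(extract_sni(hello))
    print(sni_matches_host(hello, "www.example.test:8443"))
    print(sni_matches_host(hello, "other.example.test"))
    # An IP literal is never sent as SNI, so there is nothing to compare.
    print(extract_sni(client_hello_for("192.0.2.10")))
```
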

Microsoft throws lifeline to .NET orphans in the brave new Core world

Michael Wojcik Silver badge

Re: I expect down votes...

Microsoft will bin .Net Core one day, you can be sure of that.

This is a vapid observation. As you implied yourself, no product line will last forever. The question for developers is whether .Net Core is likely to last as long as their application. Frankly, that's hard to say for anything with a reasonable lifetime, as Microsoft's abandonment of Silverlight, WCF, etc. show. I'm not making any judgement about whether those technologies were worth preserving or indeed using in the first place - just pointing out that Microsoft hasn't shown much commitment to the developers it encouraged to use them.

On the other hand, there were plenty of people who were dubious - with good reason - about Windows NT when it first appeared on the scene, and plenty of vendors who've been able to sell software on that platform for a quarter century.

As in most domains, making predictions in this domain is a fool's game. There's value in assuming that a platform might become obsolescent long before you're done with it, and planning based on that. But there's also value in giving customers what they're asking for, even if it requires using a dubious platform; and there's value in getting to market quickly, and in making use of widely-available labor, and so on.

Idle Computer Science skills are the Devil's playthings

Michael Wojcik Silver badge

Login spoofing

It's good to know that almost 40 years ago, miscreants were spoofing login screens to catch unsuspecting users.

Well, yeah. It's been around nearly as long as login prompts, presumably.

Hell, PLATO IV had a Secure Attention Key - the sole purpose of which is to defeat login spoofing - in 1972. So we're nearly at 50 years, and there are probably earlier examples of login spoofing.

Michael Wojcik Silver badge

Re: OReally?

I can believe it, for some of the systems universities were running in the '80s. Drives were much slower. Filesystems lacked some of the optimizations of modern ones.[1] On shared systems contention for CPU and memory resources could be fierce - and they made use of disk-backed virtual memory extensively, increasing contention for the storage system.

And if the filesystem were an NFS mount, over 10BaseT or similar ... it would have been agonizing.

[1] Note that readdir(2) updates the atime of the directory inode, and unlink(2) updates the ctime. In the Old Times rm -r could quickly fill the write cache just with metadata updates.

Michael Wojcik Silver badge

Re: while(1) { fork(); }

Any POSIX-compliant OS since 1994 (and many UNIXes prior to that) is excellent at defending against trivial fork bombs and many other simple resource-exhaustion DoS attacks, given a moderately competent system administrator.

Michael Wojcik Silver badge

Re: Press CTRL-C before logging in

I was also studying Computer Science at a university in the 1980s

I was as well.

(yes I am an old git)

I don't think this qualifies us as "old" by Reg readership standards. There are still a number of folks here who were working in the industry in the 1970s. Not sure if we have any regulars who were doing significant IT stuff in the '60s, but I wouldn't be surprised.

The best defence against it was to press Control-C before logging in, to exit the prank script.

Yes, that's worth a try, though a clever script author would (assuming UNIX here) trap the signals they could, or even better suppress all line-discipline signal generation using stty.

But then this is why the SAK was invented.

Michael Wojcik Silver badge

Re: Who hasn't done something similar?

Under Unix it spawns a new process. Cue the system dying due to running out of PIDs!

Admins who don't set reasonable resource limits (setrlimit / ulimit) get what they deserve.[1]

I've seen this plenty of times at customer sites. They report some problem, and it turns out one of their applications has an inadvertent fork bomb or filled up a small /var partition or what have you. "Isn't there some way we can prevent this?" they ask. Yes. Employ a system administrator who actually knows the OS you're running.

[1] Granted, depending on how long ago this was, it might have been a UNIX variant that didn't have setrlimit. But setrlimit's been around for a while. Man page history says it appeared in BSD 4.1c, and while I'm not sure when AT&T UNIX picked it up (don't have my reference books handy), it was incorporated into POSIX.1 in Issue 4, Version 2, in 1994. As far as I can remember it was in all the UNIX variants I was using in the early 1990s. (I don't remember using it in anything in the '80s.)

Michael Wojcik Silver badge

Re: Friend did something similar

Yes. There are various sorts of well-formed pathological zip files (and similarly for other archive formats), well-documented in forums such as BUGTRAQ and VULN-DEV. The topic may have come up in an article in PoC||GTFO, too; I have a vague memory of that.

Anyway, this is why modern malware scanners generally have configurable limits on directory depth, expansion factor, and nesting for archives and other compound file formats. If a limit is reached, the scanner treats the file as malicious.

Of course this is an arms war, with attackers finding new looping constructs the scanner developers forgot to limit, creating polyglot files that scanners interpret incorrectly (or at least not in the way that end users interpret them), and so forth.
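The limits described in the post above (directory depth, expansion factor, nesting), sketched as an added example that is not part of the original post and not any particular scanner's code. The limit values, function names and sample archives are constructed for illustration; only ZIP is handled, and a file that reaches a limit is classified as malicious, as the post describes.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:                                  # illustrative defaults, not a vendor's
    max_ratio: int = 100                       # uncompressed : compressed, per member
    max_total_bytes: int = 16 * 1024 * 1024    # decompressed bytes across all levels
    max_nesting: int = 3                       # archive-inside-archive levels
    max_path_depth: int = 16                   # path components per member


class LimitReached(Exception):
    pass


def _walk(data, limits, level, state):
    if level > limits.max_nesting:
        raise LimitReached("nesting")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            depth = sum(1 for part in info.filename.split("/") if part)
            if depth > limits.max_path_depth:
                raise LimitReached("path depth")
            if info.is_dir():
                continue
            # Check the declared sizes before decompressing anything.
            if info.file_size > limits.max_ratio * max(info.compress_size, 1):
                raise LimitReached("expansion factor")
            content = bytearray()
            with zf.open(info) as member:
                # Enforce the cumulative budget while decompressing, not after.
                for chunk in iter(lambda: member.read(65536), b""):
                    content += chunk
                    state["total"] += len(chunk)
                    if state["total"] > limits.max_total_bytes:
                        raise LimitReached("total size")
            if zipfile.is_zipfile(io.BytesIO(content)):
                _walk(bytes(content), limits, level + 1, state)


def classify(data, limits=Limits()):
    """Return ('clean', None), ('malicious', reason) or ('unscannable', reason)."""
    try:
        _walk(data, limits, 1, {"total": 0})
    except LimitReached as exc:
        return ("malicious", str(exc))
    except zipfile.BadZipFile:
        # Assumption of this sketch: malformed input is reported separately.
        return ("unscannable", "malformed")
    return ("clean", None)


# --- constructed sample archives, built in memory ---

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nested(levels):
    """A small text file wrapped in `levels` layers of zip."""
    data = make_zip({"hello.txt": b"hi"})
    for _ in range(levels - 1):
        data = make_zip({"inner.zip": data})
    return data


if __name__ == "__main__":
    samples = {
        "ordinary": make_zip({"docs/readme.txt": b"plain text\n" * 5}),
        "high ratio": make_zip({"zeros.bin": bytes(2_000_000)}),
        "3 levels": nested(3),
        "4 levels": nested(4),
        "deep path": make_zip({"/".join(["d"] * 20 + ["f.txt"]): b"x"}),
    }
    for label, blob in samples.items():
        print(label, classify(blob))
```
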

Michael Wojcik Silver badge

Re: Caps

SSg7 is ONE of our resident KOOKS, of the variety ADDICTED to random BLOCK capitals. Skipping SSg7's posts USUALLY means nothing more than missing A BIT of entertainment.

There's a reason why my cat doesn't need two-factor authentication

Michael Wojcik Silver badge

Re: figuring out

IS it possible? Or does it become a problem of Decidability, which has been proven to not always be possible

To answer that, we'd first need a formal definition of "untrickable", which is itself an intractable problem.

For nontrivial security systems, it's usually impossible to precisely partition behavior into valid and invalid. Given enough time to argue, system experts can usually find some edge cases for which they can't agree on validity. And if your gold-standard panel of human judges can't agree on what the system's behavior should be (or whether that behavior is correct) in a particular case, then by definition you can't say whether the system is correct - you have no rubric.

So in the general case, perfectly-secure systems are not possible, because they can't even be specified.

Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves

Michael Wojcik Silver badge

Re: Surely...

you knew that you had no authorisation to interact with the computer

Authorized users had already installed Komodo's software, giving Komodo authorization to interact.

I may be (and, indeed, am) annoyed every time I use Excel, but I can't claim that Microsoft is running it on my computer without my permission. Should Microsoft update Excel so it uploads all my data to their cloud (hmm...) and deletes it locally (who'd be surprised?), I can't claim they were "unauthorized".

Michael Wojcik Silver badge

Re: Surely...

However what they have done could still be considered unauthorised access to a computer system.

Could it? My reading of the article - I haven't investigated the details, because frankly I don't much care - is that they simply changed the code in their wallet app to move the balances to wallets they control. Someone who uses their wallet app might have grounds for claiming violation of contract if they have some sort of agreement that Komodo won't do that, but I don't see any "unauthorized access". The users decided to install and run the Komodo wallet software. It's authorized.

Michael Wojcik Silver badge

Re: because everyone is abandoning their duty of care

It's not a binary choice. Software security is a process, and part of that process can, and should, be implementing improvements to third-party dependency handling. Some people in this thread seem to regard that as all or nothing: either you inspect every line or you throw up your hands and let automated package managers pull anything, whenever they want.

This is true of every aspect of security, in every domain. Security is never finished or perfect. That doesn't mean we shouldn't do anything.

Michael Wojcik Silver badge

Re: Just goes to show

The OP's theory is lovely, but it's completely unworkable.

Rubbish. There's a world of options between "I've personally reviewed every single line of source in my external dependencies" and "I let npm download arbitrary updates every time I build".

For every project I've ever worked on, it's entirely possible to keep a manifest of every single third-party dependency, know what versions I'm using, know when they're updated and why, and check the provenance of those updates. Which is good, since those projects all are required to conform to those requirements.

None of those projects would ever have incorporated a new dependency automatically. Yes, someone could still fail to perform due diligence when that dependency was added to the existing component; but that's a far cry from letting a package manager simply add it to the product automatically.

There are far too many software products - particularly web-based ones - where the development teams have no idea what dependencies they're pulling in. That's lazy negligence.
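One way to put the manifest discipline from the post above into practice, as an added example that is not part of the original post: diff two `package-lock.json` snapshots (the `packages` map used by lockfileVersion 2 and 3) and report every dependency that appeared, changed version, changed content under the same version, lacks an integrity hash, or resolves from outside an allowlisted registry. The package names, versions, hashes and the allowlist are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

TRUSTED_REGISTRIES = {"registry.npmjs.org"}   # assumption: replace with your own mirror


def _packages(lock_text):
    lock = json.loads(lock_text)
    # The "" key is the root project itself, not a dependency.
    return {path: meta for path, meta in lock.get("packages", {}).items() if path}


def review_lock_change(old_text, new_text):
    """Return a list of (kind, package_path, detail) findings for a lockfile change."""
    old, new = _packages(old_text), _packages(new_text)
    findings = []
    for path in sorted(new.keys() - old.keys()):
        findings.append(("added", path, new[path].get("version")))
    for path in sorted(old.keys() - new.keys()):
        findings.append(("removed", path, old[path].get("version")))
    for path in sorted(new.keys() & old.keys()):
        before, after = old[path], new[path]
        if before.get("version") != after.get("version"):
            detail = f"{before.get('version')} -> {after.get('version')}"
            findings.append(("version", path, detail))
        elif before.get("integrity") != after.get("integrity"):
            # Same version, different content: the artifact itself was replaced.
            findings.append(("integrity-changed", path, after.get("version")))
    for path in sorted(new):
        meta = new[path]
        if meta.get("link"):                  # local workspace link, nothing fetched
            continue
        if not meta.get("integrity"):
            findings.append(("no-integrity", path, meta.get("version")))
        host = urlsplit(meta.get("resolved", "")).hostname
        if host not in TRUSTED_REGISTRIES:
            findings.append(("untrusted-source", path, host))
    return findings


# --- constructed lockfile snapshots ---
OLD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "wallet-app", "version": "1.0.0"},
    "node_modules/app-core": {
        "version": "1.2.0",
        "resolved": "https://registry.npmjs.org/app-core/-/app-core-1.2.0.tgz",
        "integrity": "sha512-CONSTRUCTED-A"},
    "node_modules/stream-helper": {
        "version": "3.3.4",
        "resolved": "https://registry.npmjs.org/stream-helper/-/stream-helper-3.3.4.tgz",
        "integrity": "sha512-CONSTRUCTED-B"},
}})

NEW_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "wallet-app", "version": "1.0.1"},
    "node_modules/app-core": {
        "version": "1.2.0",
        "resolved": "https://registry.npmjs.org/app-core/-/app-core-1.2.0.tgz",
        "integrity": "sha512-CONSTRUCTED-A"},
    "node_modules/stream-helper": {
        "version": "3.3.6",
        "resolved": "https://registry.npmjs.org/stream-helper/-/stream-helper-3.3.6.tgz",
        "integrity": "sha512-CONSTRUCTED-C"},
    "node_modules/stream-helper/node_modules/flat-util": {
        "version": "0.1.1",
        "resolved": "https://packages.example.net/flat-util-0.1.1.tgz"},
}})

if __name__ == "__main__":
    for finding in review_lock_change(OLD_LOCK, NEW_LOCK):
        print(finding)
```

Run against the lockfile from the last reviewed build and the one a build is about to use, an empty result means nothing changed; any finding is a change someone has to account for before it ships.
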

It's official! The Register is fake news… according to .uk overlord Nominet. Just a few problems with that claim, though

Michael Wojcik Silver badge

Re: Give the users a break

Perhaps El Reg should buy theregistrar.uk and use it to launch their own registrar. "Register your domain with the Register! Bite the handle that means you!"

Michael Wojcik Silver badge

Re: Nice write up! Excellent fact checking!

a meal conveniently delivered in a bucket (that one might later find useful as a receptacle for vomit)

Ooh, I wouldn't recommend it. For KFC vomit you really want something deeper, to cut down on overspray. I'd also want something tougher than coated paper.

Michael Wojcik Silver badge

Re: Nice write up! Excellent fact checking!

And what sort of assholes run those companies, as Uzi Nissan discovered.

Judge slaps down Meg Whitman for accusing Autonomy boss of being a 'fraudster who committed fraud'

Michael Wojcik Silver badge

Re: Wow, that certified software has really had to prove itself.

Yes, I'm sure the judge would put great weight in an amicus brief submitted by a single ex-employee, concerning a vaguely-described procedure he may not have actually performed. That would be a trenchant thrust indeed!

Michael Wojcik Silver badge

Re: Making it up?

Outside the realms of overtly creative accountancy, the rules of finance are fairly deterministic

I'm not an accountant, but I believe this claim is wildly inaccurate.

First, we're talking here about accounting, not finance. The latter, as a term of art, generally refers specifically to the analysis of assets and liabilities; the former is broader, dealing with various non-financial aspects of economic entities as well.

Second, which rules? GAAP? IFRS? In this case, I believe (haven't bothered to confirm, but this is usual for US and UK) we have an organization using the former purchasing one that used the latter.

Third, even the most surface understanding of GAAP or IFRS shows how many more or less subjective decisions are made when accounting for various events under them. Just look at a summary of GAAP or IFRS, such as Wikipedia's; it will be full of loaded phrases such as "as long as it is reasonable to do so", "may be charged", "decided based on", "should be considered", "selection of", "measured in either".

It's not a matter of throwing a bunch of numbers into a spreadsheet and toting them up at the bottom.

Michael Wojcik Silver badge

But there are contradictory facts.

Are there? Or are there simply diverse contributing factors?

Lesjak and others said from the start that Autonomy was overvalued by HP. Apotheker admitted he didn't perform due diligence - he didn't read the auditors' preliminary report, ignored those who did, and completed the purchase and fired the auditors before the final report was ready. That suggests a significant portion of the blame goes to Apotheker and his supporters.

Hussain was convicted. He may have been wrongfully convicted, but the conviction (on all 14 counts) is at least an argument for improper accounting and misrepresentation by Autonomy. That puts some blame on Autonomy.

Whitman's and Lynch's testimony and related evidence strongly suggests HP's internal culture was badly broken in ways that impeded sales of Autonomy products after the acquisition. That puts more blame on Apotheker and some on Whitman, and on their management teams.

None of these are contradictory. All of those parties[1] could have contributed to the gross overpayment for Autonomy and the subsequent failure of the Autonomy product portfolio within HP. There needn't be a single villain in this story.

HP(E)'s attempt to salvage the reputation of its board and CEOs in this debacle by crying foul does seem to be floundering in this trial, as no one is coming off very well. But I expect that means the case ultimately won't be strong enough to find for the plaintiff (HPE), which depending on your interpretation would either vindicate Lynch and Autonomy or acknowledge mutual bad behavior.

[1] Except perhaps Lesjak, who seems to have been the Cassandra of the original deal. Whitman appears to be trying to lay the primary responsibility for HP's accusation of fraud by Autonomy at her feet; whether that's valid, and if so whether that accusation was made in good faith, are still open questions.

New twist in underworld of alleged code, data theft: Two, er, boffins accused of trying to steal, uh, a river model

Michael Wojcik Silver badge

If you dress up as a ghost to do it, you achieve Full Scooby Doo.

Supra smart TVs aren't so super smart: Hole lets hackers go all Max Headroom on e-tellies

Michael Wojcik Silver badge

Re: Bah humbug

I was able to buy a non-"smart" TV off the shelf at Target a year or so ago.

Granted, they only stocked one model. But there was the one.

I expect the next "TV" replacement will be a dumb monitor, driven by a set-top box. It's not like I have any trust whatsoever in most of those, but I'll take one misbegotten security-hole-ridden spybox over two. And the set-top boxes seem to get more frequent updates, and they're a lot cheaper and easier to replace. They cold-boot faster than the TV, too.

Michael Wojcik Silver badge

CVE-2019-12477 has nothing to do with UPnP or DLNA, as two seconds of research would have shown you (and the me-too idiots who replied to your post).

If you're going to be too lazy to read or think, why not spare us your efforts at commenting as well?

Dissed Bash boshed: Apple makes fancy zsh default in forthcoming macOS 'Catalina' 10.15

Michael Wojcik Silver badge

Solaris is the most ubiquitous commercial Unix

Citation? I spent a minute or so on research and I found a lot of conflicting claims with little to back any of them up.

Michael Wojcik Silver badge

Re: The shell wars.

csh was my first shell-of-choice; then it was tcsh, which I merrily built on all the UNIX flavors I used, for several years.

But while I don't know if I'd call csh "evil", I did become disenchanted with t?csh's misfeatures and infelicities. I started using ksh variants on most of my systems, and gradually moved to a mix of ksh and bash - the latter on machines I administered, and the former on various shared systems where I was too lazy to bother running chsh and setting up a bash-friendly .profile and .bashrc.

I've found ksh and bash are generally more consistent, sensible, and feature-rich than csh and tcsh.

I played around a bit with various other shells (zsh, scsh, probably others that I've forgotten); I even spent a few days on my Solaris box using dbx as the shell in a couple of xterms, just to see what it would be like. (Solaris dbx is ksh-complete.) bash seems to be one of my local minima, though, and nothing's annealed me out of it yet.

Michael Wojcik Silver badge

Re: Anecdotal datapoint...

$ set -o vi

You are a very naughty boy!

I'd rather laugh with the sinners than cry with the saints.

I'll just clear down the database before break. What's the worst that could happen? It's a trial

Michael Wojcik Silver badge

Re: BTDTGTTS

I seem to recall that the commands should be issued separately, to allow the syncs a chance of working while you were typing.

Exactly. With old, slow MFM drives of the ~ BSD 4.2 era, the idea was that you'd enter "sync", and by the time the shell was able to show the command prompt again, the flush would be well under way. Repeating the process twice more gave you high confidence that it was able to complete, because if there were a lot of pages to flush, the system would be correspondingly sluggish (particularly if the sticky bit was not set on /bin/sync) and so it would take longer to get the prompt and run sync again.

"sync; sync; sync; reboot" was a cargo-cult corruption of that process which lost the purpose of the multiple syncs. Yes, running sync the second and third time would give the kernel a little more time to finish flushing, but not nearly as much as entering them as separate command lines, and it wouldn't adapt to the system load.

Wow, talk about a Maine-wave: US state says ISPs need permission to flog netizens' personal data

Michael Wojcik Silver badge

Re: I can see why this was a thing.

Is that actually a thing? The combination of having a hardwired broadband connection, and not having a mobile signal? That's an unusual combination. Usual mobile comes to an area first.

There's a lot of rural territory in the US where households have electrical service but wireless coverage is poor or non-existent, or at least limited to only some of the major providers. Since the wiring infrastructure (poles, access roads) is already in place, it's relatively easy to wire them for telecoms as well, and indeed in many cases there will be DSL-capable lines already.

Here at the Mountain Fastness, in northern New Mexico, I have fibre to the premises (courtesy of the local electrical & telecoms co-op), but if I didn't have my own picocell connected to it I wouldn't be able to get mobile service in the house or on most of the property. There's a spot out front where I can usually get a single bar, which I use to call the aforementioned co-op when there's a line cut or other outage.

On my way here from the Stately Manor in Michigan, I pass through such teeming metropolitan areas as Eads, Colorado, which definitely has some sort of wired Internet service (the gas stations have that damned GSTV, for example), but no AT&T mobile service, at least.

Wireless coverage in the US outside metro areas is greatly exaggerated by the FCC's bogus census-grid-based metric, as has been reported several times here in the Reg.

Michael Wojcik Silver badge

Re: I can see why this was a thing.

I think every ISP I've ever used provided email accounts, and still do. Many of them provided "web space", though I think most of them have dropped that. I've never bothered using those bundled services, and I suspect neither have the vast majority of customers.

One man went to mow a meadow, hoping Trump would spot giant grass snake under flightpath

Michael Wojcik Silver badge

Re: childish

"proposition"? "cackles up"? Your command of the English language is indeed impressive.

Introducing 'freedom gas' – a bit like the 2003 deep-fried potato variety, only even worse for you

Michael Wojcik Silver badge

Re: "Methane is odourless"

You do have to admit that your regular El Reg reader is not a "vast majority of people".

I'm a vast majority of people, and so are my wife.

Ex-Autonomy CFO Hussain will not defend himself in the High Court

Michael Wojcik Silver badge

Re: One assumes

I wouldn't make that assumption. For one thing, his US sentence has already been decided. It wasn't a plea bargain, so I don't offhand know of any process that might alter it for the worse, short of committing another crime. And speaking in your own defense is still not a crime in the US, particularly not in a trial in another country.

Many defendants choose not to give testimony in their own defense. Giving testimony is widely seen as risky. It may still be the better move, but there's always a chance it could backfire.

I don't think Allenwood is "cushy", either. It has low-, medium-, and high-security facilities, but even the low-security one is hardly a picnic. For one thing, you're still forced to stay there and do what they tell you to do.[1] Maybe that's your definition of "cushy", but it's not mine.

Being out $10.1M probably isn't all that much fun either. I don't know what sort of resources that leaves Hussain with, after legal fees and other encumbrances.

[1] "I'm incarcerated, Lloyd!"

Mad King Leo pulled the wool over HP shareholders' eyes, ex-CEO Whitman tells court

Michael Wojcik Silver badge

Re: RE: "...why is the price of your printer ink daylight fucking robbery ?"

Pfft. She doesn't think anyone should pay more than a fair price. That doesn't mean she's obligated to refrain from offering them the opportunity to get screwed.

For that matter, inkjet printers in general, much less HP inkjets in particular, do not have a monopoly on printing. Hell, you can get a monochrome laser printer for < $100 these days, and even get color laser printers for < $300. Will the manufacturers still try to gouge you on toner? Probably, though I wouldn't know, as my HP 4Mps from 1992 is still working fine.

And, of course, printer ink is a product of HP Inc., not HPE. Dion Weisler runs HP Inc. Whitman hasn't had anything to do with that product line since the 2015 split.

Michael Wojcik Silver badge

Re: The more this goes on...

That's also what Microsoft did when Bill Gates was at the helm.

Agreed. Look at Microsoft's first big acquisition: PowerPoint, in 1987, for ~ $2.8e7 in 2011 dollars.

Then look at Ballmer's Boondoggle: Skype, in 2011, for ~ $8.5e9. Two orders of magnitude more, adjusted for inflation.

Which has driven more revenue / year, in absolute terms or relative to purchase price? Even if we adjust for how much cash Microsoft had at the time of purchase, and allowing for the fact that PowerPoint is part of the Office bundle and it's hard to separate the major components of that product into their individual contributions, I think it's hard to see how PowerPoint wasn't a much, much smarter move. (I don't much like PowerPoint myself, but it's obviously a hugely popular product in markets that are willing to buy many licenses for it.)

Tesla's autonomous lane changing software is worse at driving than humans, and more

Michael Wojcik Silver badge

Re: Unconstrained College Students Dataset:

To some extent it doesn't matter whether it was legal, despite Boult's appeal to that standard. (From the article: "Boult said taking photos of people in public isn’t illegal".)

For any accredited US university, this is going to be an IRB (Institutional Review Board) violation. Adding photos of people to a dataset for research purposes is Human Subjects Research, and the IRB will require the PI (Primary Investigator, the chief researcher on the project) get permission from the subjects.

I've seen people get in trouble with the IRB for doing research on things like forum or email-list messages without releases from the authors, even though those are public texts.

Michael Wojcik Silver badge

Re: I actually own one

Yes, this single subjective anecdote certainly outweighs all other evidence.

Michael Wojcik Silver badge

Re: Autopilot is itself Incomplete

Agreed. Unfortunately Tesla isn't the only manufacturer that's going this route.

I currently have a 2015 Volvo, and I suspect I'll never buy a newer one, having seen how many of the physical controls have gone away in my wife's 2018 model. Touchscreens for drivers are an imbecilic idea.

I rented a Hyundai Santa Fe once (you take what you can get at the airport rental agencies), and the idiotainment screen in it didn't dim with the instrument lights, either automatically when it got dark or using the manual instrument-light dimmer control. It was extremely distracting and irritating to drive that thing at night.

War is over, if you want it: W3C, WHATWG agree to work towards single spec for HTML and DOM

Michael Wojcik Silver badge

Re: Why not save the planet at the same time?

I find the attitude of many WHATWG members annoying, and I dislike the "living standard" concept; but WHATWG did add a bunch of semantic tags to HTML5, such as header, footer, and section.

Michael Wojcik Silver badge

Re: Why not save the planet at the same time?

Perhaps we need a new protocol, APP, and engineer that from the ground up to be a distributed app / client / server environment without all the layered mess and complexity of the current approach.

This has been done So. Many. Times.

Eternal September is eternal.

Michael Wojcik Silver badge

Re: Why not save the planet at the same time?

I haven't attempted to do any calculations, but I'm willing to bet that the costs of processing HTTP and HTML are orders of magnitude less than those of processing all the images web pages are festooned with, often scaled by every single client because the site developer couldn't be bothered to scale the source images.

And those will be many orders of magnitude less than the costs of running all the damn scripts.

For many pages, the cycles burned by HTTPS crypto dwarf what was used to generate the actual requests and responses. Should we get rid of that?

And, of course, there are other uses of IT which consume a hell of a lot more resources than traditional web activity does. You're optimizing the wrong target.

And even with false economies aside, there have been various proposals and attempts to replace HTTP and HTML over the years. Hyper-G was an HTTP replacement that offered bidirectional linking, for example. BEEP tried to serve as the one-protocol-for-all that HTTP became. Any number of sophomores have proposed tokenized HTML variants, only to have it pointed out to them that all significant servers and user agents support HTTP compression, if that's what you want. (And, of course, we had various attempts at TLS compression, which were a disaster.)

These things don't catch on because the effort of replacing HTTP and HTML would be enormous, and would need a similarly enormous reward to be justifiable.

As it is, HTTP/2 is a very substantial change from HTTP/1.1, and largely designed to reduce the consumption of various resources. HTTP/3 will go further. I'm not fond of HTTP/2 and HTTP/3 myself, because they make my job more difficult with little return for my use cases, but for organizations that serve a lot of content they make sense.

IEEE tells contributors with links to Chinese corp: Don't let the door hit you on Huawei out

Michael Wojcik Silver badge

Re: Ho hum

As an undergrad, I was invited to join the IEEE. I threw the application out when I saw they still (at that time) required endorsements from two members in good standing. I was interested in joining a professional organization, not a club.

Since then, I've never seen any real reason to review that decision. I get significant benefits from my ACM membership. The incremental benefits of belonging to IEEE aren't compelling.

Michael Wojcik Silver badge

Re: If it hadn't before...

In AmEnglish, yes. In BrEnglish, collective nouns are often treated as grammatically plural. This is well-established usage. You frequently see it in reference to corporations, for example ("Micro Focus have announced...").

Essentially AmEnglish conventional usage leans toward making the verb agree in number with the syntactic number of the noun, while BrEnglish leans toward making the verb agree in number with the semantic number of the noun.

Neither is any more "correct" than the other, of course, unless you subscribe to the religion of linguistic prescriptivism.

Infosec bloke claims: Pornhub owner shafted me after I exposed gaping holes in its cartoon smut platform

Michael Wojcik Silver badge

Re: Whatever floats your boat

In terms of fantasy, sure.

The original question was actually in terms of arousal, and in that context the source of the stimulus is irrelevant. Mr Benny seems to have a spot of difficulty with reading comprehension.

Michael Wojcik Silver badge

Re: Who watches cartoon porn anyway?

Two yen symbols? How is this possible, even in a cartoon? It defies the very laws of visual representation!

On a slightly more serious note, human fetishes are essentially unlimited. There's really no point in asking "how could someone be aroused by X?" for any X. There's always someone out there who can form a libidinal attachment to it. That's the psychological foundation of Rule 34.

'Evolution of the PC ecosystem'? Microsoft's 'modern' OS reminds us of the Windows RT days

Michael Wojcik Silver badge

Re: hmmm...

Automatic updates have helped a lot here too - something most devices support nowadays but only Windows gets slack for around here for some reason.

My Windows machines are the only ones that spontaneously update and reboot, discarding my working state. That alone makes them unfit for purpose. No other devices, systems, or applications I use have that problem.

You complained about this yourself in the previous paragraph. It's one very good reason why Windows 10 is criticized in these parts.

The other, of course, is that Win10 updates have a history of breaking things.

Michael Wojcik Silver badge

Re: hmmm...

AI powered is great if the AI is as smart as a smart human personal assistant would be to anticipate your needs.

Ugh. If I wanted that, I'd have a human assistant. No thanks.

Though, frankly, this particular abuse of "powered" is generally a reliable sign that I don't want whatever shit some idiot is trying to sell me anyway. My OS is powered by electricity. It might have features that make use of ML or other AI techniques (insofar as "AI" has any useful meaning), but it's not "powered" by them.

(And "always connected" can Fuck Right Off, too.)

Michael Wojcik Silver badge

Re: The future is called Powerpoint

the state is separated from the operating system; compute is separated from applications

Since this statement is nonsensical, it doesn't really matter what its consequences might be. Parker is just spouting a lot of vague bullshit.

Michael Wojcik Silver badge

There are ways to resolve such issues, but are far from being simple.

For the most part they're very simple indeed: make your data structure and API changes backward compatible. I've been doing that in systems as complex as most of the Windows subsystems for decades, and so have plenty of other developers.

Microsoft's problem in this area is primarily a cultural one, not a technical one. It's the same reason for "DLL Hell" and the abomination that is SxS. They can't be bothered to enforce a backward-compatibility policy on their developers.

Egg on North Face: Wikipedia furious after glamp-wear giant swaps article pics for sneaky ad shots – and even brags about it in a video

Michael Wojcik Silver badge

And copyrights and trademarks are entirely different things.

Michael Wojcik Silver badge

Remember, the ad agency isn't in the business of selling North Face stuff to us, they are in the business of selling adverts to North Face.

Yes. Every time I see an agonizingly awful advertisement[1] I think "what moron decided to buy this from the agency?!!". Then I reflect that selling advertisements to the client is what they do, after all. Presumably they're good enough at it to stay in business.

[1] Today's shibboleth: the "Microsoft AI" ads that are running on some TV streaming service my wife has been watching in the other room. Every time I overhear one I am filled with rage. I suppose this means the campaign is a success, since I remember it.