Posts by patrickstar

Re: @jake

This is just about the weirdest misconception I have ever heard...

The Apple GUI code was Pascal and 68k ASM.

The Windows (NT) GUI code is C and C++ (plus a tiny bit of ASM for the various archs supported, none of which is even remotely similar to 68k).

The non-NT Windows GUI code is C and C++ as well, plus quite a bit of ASM (x86).

The reason for the flat memory model and lack of any finer separation than user/kernel is that NT was always intended to be portable - they had to go with the common denominator across all relevant archs with MMUs. In fact, NT wasn't even originally developed for x86 and the x86 port was done pretty late in the development of the first version.

That being said, segmented protected mode and multiple rings certainly have a point (apart from scaring youngsters about the horrors we had to endure).

Atleast earlier in its life (1.x, 286 16-bit protected mode) OS/2 used this with quite good results.

Re: Nice for abandonware

"MS inflicted Win9x, not much more than Win3.x with the VFW & Win32s bundled optimised for gaming on businesses that would have been far better using NT3.5 or OS/2 Warp. A burden for them and business till XP (Win 5.1, Win2K was the unfinished Win 5.0). Idiots, though commercially sucessful, it was the source of most of the stupid design decisions and badly written SW on NT after 1995."

A lot of people who are now rabid Linux fanboys and general MS haters (or was at some point, like me in my younger days) switched to Linux from Win95/98 and still think "Windows" is like that

.

Win95* was a pretty darn impressive hack with a lot of sheer sorcery needed to build an environment that's simultaneously a new 32-bit system with all the bells and whistles, still very backwards compatible with 16-bit Windows and DOS stuff (even to the point of supporting DOS-only hardware drivers!) and had good performance on the systems of the day.

But this came at great costs in terms of stability, functionality and elegance. Which people without an understanding of the underlying reasons behind it - and more importantly, having never tried NT in any meaningful way - quickly assumed was because of "M$" incompetence when writing their "Windoze" (after all, Linux was clearly better, and also made you feel superior to common users after mastering it or even managing to install it and getting X running in high res).

So if they had just started pushing NT sooner, maybe we would have less annoying Linux fanboys...

Still, I'm not sure I can blame them for not doing it at that point in time. I really think the 9x stop-gap was needed to get people to start developing the shiny new Win32 applications, and NT wasn't exactly nice with 8 or even 4MB RAM which were common then.

They should probably have skipped Win Me though and simply launched XP at that point in time...

* Actually the biggest change from a technical viewpoint was arguably when Windows got 32BFA, which arrived in the 3.11 minor release, but...

Re: Nice for abandonware

A piece of related interesting/useless trivia is that the original NT team was actually called the Portable Systems Group.

Re: Naive Question

MS goes to great pains to maintain backwards compatibility, even to the point of "emulating" bugs/mis-features of APIs and layout of internal data structures when old code has come to rely on it.

With rare exceptions, stuff that runs on NT 4 or even 9x will run just fine on modern systems. The only caveat being the lack of support for DOS and 16 bit Windows applications on 64 bit systems.

Unfortunately, with the amount of software actually having been written for Windows - including weird in-house stuff - those rare exceptions still add up to quite a lot.

The bigger issue for things like medical equipment is probably the drivers. If you do it properly, drivers from Windows 2000 and onwards should work on modern systems (as long as they are the same bit-ness), but there's a lot of room for not doing things properly when developing drivers.

And it's a lot harder to work around when it happens (read: often impossible without the source code to the driver or the ability to re-implement it from scratch) - no such things as application compatibility hacks for drivers.

Windows has had ARM support for quite some time too... there's even a distribution for Pi's like yours (unfortunately not called Raspows).

It's really great that they seem to claim him taking it apart was somehow needed to exploit it. 'No ordinary user would do that', etc.

Like they don't even understand the difference between reverse engineering your own hardware to evaluate a product and find vulnerabilities vs. exploiting vulnerabilities once they are known.

Re: The NOMX site

The vast majority of "home" ISPs do not offer static IP addresses, much less control over PTR records.

I'd even suspect that the vast majority of homes in the US or the world aren't even covered by an ISP offering either under reasonable conditions.

Even with a static IP address, chances are it's on the Spamhaus PBL or similar. There seems to be a total absence of any notice about a need for submitting yearly PBL removal requests on the NOMX site...

Potentially even worse, if your neighbor gets infected by spamming malware, chances are the entire range is going to be considered dirty by blocklists for quite some time, and as an end-user you are going to have very little recourse in this case.

Running a mail server on a home connection is basically throwing a dice as to whether your mail will arrive, and keep arriving. Which is fine for the hobbyist (who wouldn't buy a NOMX to begin with but rather set the mail server up on their own), but not for a mass-market product.

Having every end-user be able to speak SMTP directly with the world has been tried. As soon as the spam problem started escalating, pretty much everyone involved in delivering email (except the spammers) quickly agreed this was a Very Bad Idea.

Re: The NOMX site

There's nothing wrong with using a Pi or similar board as part of a product. This is, in fact, basically how you build embedded networking gear and similar gizmos nowadays. Most products of this kind are basically the vendor's reference design, perhaps with some light modifications.

There isn't even necessarily much wrong with hawking a product based on standard software and a web interface on top of it (though you should definitely provide updating facilities, and not only because of security issues).

There is however much wrong with stating that said product is the most secure e-mail solution ever, some sort of innovative security revolution, and literally having "Everything else is insecure" as your motto.

Even avoiding the 'hard' issues like the lack of end-to-end encryption, secure storage, the vendor's hostile response to basic security testing, the sure-fire snake oil of a challenge with artificial conditions, etc this product has a huge issue when sold for personal/home use. Namely that it's utterly useless for that.

You can't run a mail server on a home connection and expect it to be able to deliver mail to the Internet without using a relay/smarthost. You can't even use its 'super-innovative' feature of sending directly to other NOMX boxes using SMTP on port 26, since most connections have a dynamic IP address.

These cameras tend to be IR so they work in the dark without having a flash distracting/blinding the driver.

Thus the color of any light is irrelevant.

Re: Cobol

It's been said that the curly brace syntax is so popular simply because it looks cool.

Compare VB.NET to C#. They are basically the same language - just that one looks lame and the other cool. Guess which one is the most popular, by far...

I bet that if Ada had curly brace syntax it would be where C++ is today... and modern software would be slightly less awful.

This is probably closer to the truth than you intended. Lots of stuff in banks happen with text files. Not so much permanent storage as Money transfer, though. Sometimes even transferred by plain old FTP.

Re: C-pound? ANYTHING BUT C-POUND!

Uhm, you are aware that there is a fully open source implementation of the .NET runtime?

You can run your C# applications on Linux just fine.

And that the languages is basically Java but with the worst mistakes fixed, and some nifty new features?

It's not the best thing since sliced bread, but I'd certainly prefer it to Java...

Re: Advatage/disadvantge

Javascript/ECMAscript syntax actually only requires the semicolon when it's needed to resolve ambiguities.

Which might avoid cancer of the semi-colon, but leads to fun situations like:

return { foo: "bar" };

and

return

{

foo: "bar"

};

not doing the same thing.

Re: Tut tut tut

I operate lots of Windows servers on the Internet. And lots of Linux servers. As well as several other OSes. For some reason, they tend not to get hacked, regardless of OS.

Might have something to do with the fact that I don't do dumb things like expose port 139/445 to the world, regardless of whether it's the Windows, Samba, or Solaris implementation.

Re: Can you hack my DOS 6.22?

Back in the days, DOS boxes were frequently crawling with virii.

And BBS systems running on DOS were frequently hacked.

Even simply stuff like ANSI bombs were a thing too (print ANSI escape sequences to re-map the keyboard to do nasty things next time you pressed a key). Or shell escape hacks.

Since DOS has no memory protection at all, plus pre-dates secure coding practices, I'd assume you'd be quite royally screwed if you ran some sort of network server on DOS and someone was actually out to get you. Maybe your average DOS application is a little less worse off since Pascal was a lot more common than C, but still.

(Yes, there are network services and Ethernet drivers for DOS - I haven't done much TCP/IP personally though, maybe setting up a BBS for inbound telnet or such. I have run a lot of TCP/IP on Win 3.1x though, and it's not much better protection wise).

Re: Tut tut tut

If security is your concern, then you are just as (if not more) screwed with Samba. It has a truly atrocious history of vulnerabilities.

Just like it's standard procedure for the clerk to check the signature for transactions without a PIN?

And by "standard", I mean "never actually done".

Re: Really?

This policy predates chip-and-pin, so, no.

Apparently another commentard was able to point to the relevant legislation that seems to be the reason for the difference.

Re: Really?

In the US, VISA has adopted a policy that basically says the cardholder shouldn't ever lose money because of fraud. You can just do a chargeback without any fuss.

In Europe, not so good. I don't know the formal differences or what the reason is, but there's a lot more resistance from many card issuers.

There has even been some news stories here about people being signed up for recurring charges against their will and the issuer's response being along the lines of "You must have clicked OK so that means you agreed to it! No chargeback for you, come back never!".

Such a scam would never fly in the US, and neither would the merchant account used for long since it'd be nuked once resulting flood of chargebacks arrived.

The point is that doing so is supposed to cost more than what you can gain from abusing the card. Just like changing/reading the PIN of the card would.

Re: Money first, patches later

Not that I'm a fan of Orrible, but for those of you with a shitload of legacy systems and no support:

The remote is fixed in the freely downloadable version.

dtappgather shouldn't be present on a server, and if it is, you can just remove the SUID bit.

By your logic, noone could ever publish anything that's illegal anywhere in the world.

I am very sure you can easily see the problems with this approach.