Slashdot Mirror

← Back to Stories (view on slashdot.org)

Worst Bug or Shortcomings in a Standard?

Posted by Cliff on from the needed-more-time-on-the-drawing-board dept.

Alastair asks: "Just curious what the Slashdot crowd thinks are the worst bugs ever to creep into a standard? For mine, the various security vulnerabilities in WEP would make the grade. Also perhaps the lack of a protocol field in HDLC, and which most implementations added in a non-compatible way. I'm thinking here about bugs which result in partial or total irrelevance of the standard itself, as opposed to just a lack of interest in adopting it."

8 of 270 comments (clear)

  1. SMTP has no sender authentication. by OneDeeTenTee · · Score: 5, Interesting

    'Nuff said.

    --
    Stop the world; I need to get off.
    1. Re:SMTP has no sender authentication. by Homology · · Score: 3, Interesting
      'Nuff said.

      Not really. SMTP was designed a long time ago where there was little need for sender authentication. At that time the "Internet" (ARPAnet) was much smaller and friendlier than todays predatory Internet. Few at that time could imagine what Internat has become today. No need to blame those designers for lack of sender authentication.

      Now, the design of WEP is an entirely different matter. It was very well known that a design process of a new encryption protocoll should be public, but the designers decided to do this in secret. This was a bad decision going agains best practices.

    2. Re:SMTP has no sender authentication. by squiggleslash · · Score: 3, Interesting
      Why should it have had?

      SMTP is merely a transport system. Authentication, if wanted, was supposed to be part of the bodies of email messages according to whatever standard a user wanted.

      SMTP's lack of sender authentication is a modern-day fetish of the anti-spam crowd, and that anti-spam crowd only wants it because back when ISPs were deciding between giving users dedicated IP addresses or dynamically providing them, a debate that raged in the mid-nineties, they ended up going for the relatively anonymous dynamic IP addresses for the most part, which meant it became impossible to track email back to its original sender. Everything we've seen since with the explosion in spam and the more and more extreme methods of dealing with it really goes back to the fact that we no longer can associate an abusive user with an IP address.

      SMTP was designed at a time when the entire internet was peer to peer. In the process of turning it into a consumer product, many decisions have been made that while understandable (dynamic IP was seen as easier to maintain, roaming became seamless and efficient) nonetheless sat uneasily with how the Internet had been built thus far.

      --
      You are not alone. This is not normal. None of this is normal.
  2. "Referer" by typhoonius · · Score: 5, Interesting

    This is stupid, but it bugs me that we're stuck with "Referer" in HTTP.

  3. XML. For existing at all. by baadfood · · Score: 5, Interesting

    Sure a well defined markup language is nice but really, people seem to loose all rational sense when it comes to XML - It cannot be used in a project without the project becomming "XML"? Scripting languages have been capable of processing all manner of free form text files in the past but somehow XML is necessary for interoperation? Why do people somehow think that XML encapsulated data will be small and quick to parse and are then suprised when it isn't? Why are they so fucking proud when their server can generate some trivial number of XML packets per second? What nutjob actually thought XML is easy to read? And what is the difference between a node an an attribute? Really?

  4. Use of floating point for date/time by AndroidCat · · Score: 4, Interesting
    Microsoft, in their infinite wizzbang, uses a floating point representation for date/time in their OLE types, with the date (days from x) in the integer and time in the fraction. That's fine until you have to do math like timezone conversions. If you convert a local time to GMT then to someplace else and back, frequently your time is now off by 0.0000000001 seconds. That adds excitement to comparing two times, especially when only one has been converted to and from.

    It's not a huge problem to avoid, but unless you're draconian about using standard safe time math routines, it'll bite you .. eventually .. when you least expect it .. at a customer site running Martian Standard Time at local midnight. (Which will still be a bad hour for you to get a call no matter where it is.)

    And all because someone thought it would be pretty nifty to use floating point. Don't they teach the inherent dangers of round off or truncation errors in school these days? (And before someone automatically jumps on MS, with all the UNIX standards, what are you using? Is it safe?)

    --
    One line blog. I hear that they're called Twitters now.
  5. Re:DCE and DTE i RS232 by cow-orker · · Score: 3, Interesting

    Luckily, RS232 are dying ;-)

    Yeah, but Ethernet repeated the same mistake and is sure to stay for a while.

  6. NFS by tedgyz · · Score: 3, Interesting

    NFS is inherently flawed in it's transaction acknowledgement and retry behavior.

    Back before M$ had Linux to kick around, there was the UNIX-Haters Handbook. I worked at Apollo/HP with a UNIX-Hater zealot. He enlightened me on the serious flaws in NFS, which I had experienced first-hand on a few occasions.

    A quote from the book: (page 287)
    So even though NFS builds its reputation on being a "stateless" file system, it's all a big lie. The server is filled with state--a whole disk worth. Every single process on the client has state. It's only the NFS protocol that is stateless. And every single gross hack that's become part of the NFS "standard" is an attempt to cover up that lie, gloss it over, and try to make it seem that it isn't so bad.

    --
    "No matter where you go, there you are." -- Buckaroo Banzai