Slashdot Mirror


Worst Bug or Shortcomings in a Standard?

Alastair asks: "Just curious what the Slashdot crowd thinks are the worst bugs ever to creep into a standard? For mine, the various security vulnerabilities in WEP would make the grade. Also perhaps the lack of a protocol field in HDLC, and which most implementations added in a non-compatible way. I'm thinking here about bugs which result in partial or total irrelevance of the standard itself, as opposed to just a lack of interest in adopting it."

  1. SMTP has no sender authentication. by OneDeeTenTee · · Score: 5, Interesting

    'Nuff said.

    --
    Stop the world; I need to get off.
    1. Re:SMTP has no sender authentication. by Homology · · Score: 3, Interesting
      'Nuff said.

      Not really. SMTP was designed a long time ago when there was little need for sender authentication. At that time the "Internet" (ARPAnet) was much smaller and friendlier than today's predatory Internet. Few at that time could imagine what the Internet has become today. No need to blame those designers for lack of sender authentication.

      Now, the design of WEP is an entirely different matter. It was very well known that the design process of a new encryption protocol should be public, but the designers decided to do this in secret. This was a bad decision going against best practices.

    2. Re:SMTP has no sender authentication. by squiggleslash · · Score: 3, Interesting
      Why should it have had?

      SMTP is merely a transport system. Authentication, if wanted, was supposed to be part of the bodies of email messages according to whatever standard a user wanted.

      SMTP's lack of sender authentication is a modern-day fetish of the anti-spam crowd, and that anti-spam crowd only wants it because back when ISPs were deciding between giving users dedicated IP addresses or dynamically providing them, a debate that raged in the mid-nineties, they ended up going for the relatively anonymous dynamic IP addresses for the most part, which meant it became impossible to track email back to its original sender. Everything we've seen since with the explosion in spam and the more and more extreme methods of dealing with it really goes back to the fact that we no longer can associate an abusive user with an IP address.

      SMTP was designed at a time when the entire internet was peer to peer. In the process of turning it into a consumer product, many decisions have been made that while understandable (dynamic IP was seen as easier to maintain, roaming became seamless and efficient) nonetheless sat uneasily with how the Internet had been built thus far.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:SMTP has no sender authentication. by squiggleslash · · Score: 3, Informative
      Who certifies that your authentication is authentic? ICANN, Verisign, Network Solutions, .. Microsoft?
      Depends. That's up to you. Back in the mid-nineties, there were various proposals and I think the major issue was the politics surrounding encryption (an indirect issue, but PGP was both an authentication system and encryption system) and the RSA patent more than disagreement on how it could work. PGP in particular used a pretty reasonable system that allowed you to create what boiled down to trusted networks. You'd certify your friends. Friends could certify each other. Get a key, see it's signed by people you know, and you can be pretty sure it's genuine.

      It was a nice system but network and real politics really ensured it didn't take off. You had patents. You had paranoid government agencies enforcing export controls on encryption protocols. You had commercial enterprises making email clients who didn't want to enter that particular can of worms if they could get away with it.

      The idea that the "anti-spam crowd" is a unified body is .. interesting. I'm sure that that being told that an idea was discussed years ago and rejected might be annoying, but have you really looked at the various trade-offs that were discussed then?
      I think you're trying to find things to take issue with. Nobody ever suggested the anti-spam crowd is unified. If I were to say that only Dogs are particularly interested in peeing on lamp-posts, would you claim that this is unfair because you know a lot of dogs that do not do that kind of thing?

      I also did explain the tradeoffs, in brief, in the whole accountable static IPs vs easy to administer and efficient with roaming dynamic IPs debate. (I could add paranoia over the supposed world wide shortage of IP addresses, but I don't think that was ever as big an issue as people maintained. If it had been, we'd be on IPv6 by now.)

      --
      You are not alone. This is not normal. None of this is normal.
  2. Linux Installation by Anonymous Coward · · Score: 5, Insightful

    I wish there was a way to install programs common across all versions of linux.

    Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".

    Linux zealots are far too forgiving when judging the difficulty of Linux configuration issues and far too harsh when judging the difficulty of Windows configuration issues. Example comments:

    User: "How do I get Quake 3 to run in Linux?"
    Zealot: "Oh that's easy! If you have Redhat, you have to download quake_3_rh_8_i686_010203_glibc.bin, then do chmod +x on the file. Then you have to su to root, make sure you type export LD_ASSUME_KERNEL=2.2.5 but ONLY if you have that latest libc6 installed. If you don't, don't set that environment variable or the installer will dump core. Before you run the installer, make sure you have the GL drivers for X installed. Get them at [some obscure web address], chmod +x the binary, then run it, but make sure you have at least 10MB free in /tmp or the installer will dump core. After the installer is done, edit /etc/X11/XF86Config and add a section called "GL" and put "driver nv" in it. Make sure you have the latest version of X and Linux kernel 2.6 or else X will segfault when you start. OK, run the Quake 3 installer and make sure you set the proper group and setuid permissions on quake3.bin. If you want sound, look here [link to another obscure web site], which is a short HOWTO on how to get sound in Quake 3. That's all there is to it!"

    User: "How do I get Quake 3 to run in Windows?"
    Zealot: "Oh God, I had to install Quake 3 in Windoze for some lamer friend of mine! God, what a fucking mess! I put in the CD and it took about 3 minutes to copy everything, and then I had to reboot the fucking computer! Jesus Christ! What a retarded operating system!"

    So, I guess the point I'm trying to make is that what seems easy and natural to Linux geeks is definitely not what regular people consider easy and natural. Hence, the preference towards Windows.

    1. Re:Linux Installation by wayne606 · · Score: 3, Insightful

      Take your pick:
      Linux: everything is moderately hard
      Windows: 95% of the time it's easy, 5% it's impossible

  3. "Referer" by typhoonius · · Score: 5, Interesting

    This is stupid, but it bugs me that we're stuck with "Referer" in HTTP.

    1. Re:"Referer" by AndroidCat · · Score: 3, Funny

      *sigh*, another sad victim of Referer Madness.

      --
      One line blog. I hear that they're called Twitters now.
  4. Java by mwvdlee · · Score: 3, Insightful

    Most people don't call it a "bug" but I do; the operator overloading of '+', '+=' and '=' in the Java specification's String class.

    Why is this a bug? Because the creators of the standard explicitly denounce operator overloading yet they do it anyway for this exception. Operator overloading is explicitly not possible in Java... except this one time.

    If it is so incredibly useful in this particular case that they would bend the specification for it, can't they understand that it would be useful for other classes (ie. Matrix classes or even the standard Number classes) too?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  5. DCE and DTE i RS232 by geirt · · Score: 5, Insightful

    It should have been female connectors with only one pinout (e.g. DCE) on all equipment supporting RS232, and all RS232 cables should be crossed (null modems).

    Instead we have a complete mess with male and female connectors, straight and crossed cables. Is pin 2 receive or transmit? Dohhh.

    Why female connectors on boxes? Male connectors are more fragile. If the pins break, replace (or repair) the cable. The female connector on the box is OK.

    Luckily, RS232 are dying ;-)

    --

    RFC1925
    1. Re:DCE and DTE i RS232 by cow-orker · · Score: 3, Interesting

      Luckily, RS232 are dying ;-)

      Yeah, but Ethernet repeated the same mistake and is sure to stay for a while.

  6. XML. For existing at all. by baadfood · · Score: 5, Interesting

    Sure a well defined markup language is nice but really, people seem to lose all rational sense when it comes to XML - It cannot be used in a project without the project becoming "XML"? Scripting languages have been capable of processing all manner of free form text files in the past but somehow XML is necessary for interoperation? Why do people somehow think that XML encapsulated data will be small and quick to parse and are then surprised when it isn't? Why are they so fucking proud when their server can generate some trivial number of XML packets per second? What nutjob actually thought XML is easy to read? And what is the difference between a node and an attribute? Really?

  7. Use of floating point for date/time by AndroidCat · · Score: 4, Interesting
    Microsoft, in their infinite wizzbang, uses a floating point representation for date/time in their OLE types, with the date (days from x) in the integer and time in the fraction. That's fine until you have to do math like timezone conversions. If you convert a local time to GMT then to someplace else and back, frequently your time is now off by 0.0000000001 seconds. That adds excitement to comparing two times, especially when only one has been converted to and from.

    It's not a huge problem to avoid, but unless you're draconian about using standard safe time math routines, it'll bite you .. eventually .. when you least expect it .. at a customer site running Martian Standard Time at local midnight. (Which will still be a bad hour for you to get a call no matter where it is.)

    And all because someone thought it would be pretty nifty to use floating point. Don't they teach the inherent dangers of round off or truncation errors in school these days? (And before someone automatically jumps on MS, with all the UNIX standards, what are you using? Is it safe?)

    --
    One line blog. I hear that they're called Twitters now.
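
The drift described in the comment above, reproduced as an added example (not part of the original thread, and not Microsoft's code): an OLE Automation DATE is a double counting days from 1899-12-30, and a chain of hour shifts done on that double does not return the bit pattern it started from. The helper names, the sample timestamp and the millisecond tick size are assumptions made for this illustration.

```python
from datetime import datetime

OLE_EPOCH = datetime(1899, 12, 30)   # day 0 of the OLE Automation DATE type
TICKS_PER_DAY = 86_400_000           # milliseconds; tick size chosen for this example

def to_ole(dt):
    """Encode a naive datetime as an OLE DATE: whole days plus a day fraction."""
    delta = dt - OLE_EPOCH
    return delta.days + (delta.seconds + delta.microseconds / 1e6) / 86400.0

def shift_hours(ole, hours):
    """Naive timezone shift performed directly on the double."""
    return ole + hours / 24.0

def round_trip(ole):
    """GMT -> +1h zone -> +2h zone -> back to GMT, all in floating point."""
    step = shift_hours(ole, 1)    # 1/24 is not representable; sum is rounded
    step = shift_hours(step, 1)   # rounded a second time
    return shift_hours(step, -2)  # 2/24 rounds differently from 1/24 + 1/24

def to_ticks(ole):
    """Snap a DATE to an integer millisecond count so comparison is exact."""
    return round(ole * TICKS_PER_DAY)

def same_instant(a, b):
    """Compare two DATE values after snapping both to whole ticks."""
    return to_ticks(a) == to_ticks(b)

def demo():
    start = to_ole(datetime(2004, 1, 14, 12, 0, 0))  # constructed sample value
    back = round_trip(start)
    drift_seconds = (start - back) * 86400.0
    return start, back, drift_seconds

if __name__ == "__main__":
    start, back, drift = demo()
    print("start == back      :", start == back)
    print("drift in seconds   :", drift)
    print("same_instant(ticks):", same_instant(start, back))
```

Anything that compares timestamps for equality or ordering (log correlation, expiry checks, deduplication) should compare the integer tick values, not the raw doubles.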
  8. Submarine patents by SgtChaireBourne · · Score: 3, Insightful
    Submarine patents and other proprietary gimmicks, are bad.

    A current example would be packing VC-1 into both Blu-ray and HD DVD.

    Though software patents are currently only a problem in the U.S., I'd still say that the threat of stealth patents would be the worst bug. Proprietary material shouldn't get through the standards process.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  9. Re:TCP, SMTP, POP3, HTTP, ... by AndroidCat · · Score: 3, Funny

    My wall sockets have little security either. At most there's a fuse, breaker or penny for protection. No user authentication or load request handshaking and management. It's shocking.

    --
    One line blog. I hear that they're called Twitters now.
  10. NFS by tedgyz · · Score: 3, Interesting

    NFS is inherently flawed in its transaction acknowledgement and retry behavior.

    Back before M$ had Linux to kick around, there was the UNIX-Haters Handbook. I worked at Apollo/HP with a UNIX-Hater zealot. He enlightened me on the serious flaws in NFS, which I had experienced first-hand on a few occasions.

    A quote from the book: (page 287)
    So even though NFS builds its reputation on being a "stateless" file system, it's all a big lie. The server is filled with state--a whole disk worth. Every single process on the client has state. It's only the NFS protocol that is stateless. And every single gross hack that's become part of the NFS "standard" is an attempt to cover up that lie, gloss it over, and try to make it seem that it isn't so bad.

    --
    "No matter where you go, there you are." -- Buckaroo Banzai
  11. deprecated by w3c by Ramses0 · · Score: 3, Insightful
    This is by far the most egregious intentional hobbling of a standard by retarded people (the W3C). Ever since they deprecated the elements (and to a lesser extent: ) in a Markup Language, I have lost faith in their ability to properly evolve a standard.

    See the HTML 4.0 recommendation. I literally hit something when I first read this back in '97 (yes, I sometimes read standards documents and RFC's for fun :^). It's also referenced in the original ('97) release.

    The DIR element was designed to be used for creating multicolumn directory lists. The MENU element was designed to be used for single column menu lists. Both elements have the same structure as UL, just different rendering. In practice, a user agent will render a DIR or MENU list exactly as a UL list.

    We strongly recommend using UL instead of these elements.


    Remember that HTML is a markup language, and see above where the W3C intentionally took away contextual information from the document.

    Keep in mind this was *after* the release of CSS1 (Cascading Style Sheets, level 1 W3C Recommendation 17 Dec 1996 vs. HTML 4.0 Specification W3C Recommendation 18-Dec-1997)

    99% of websites on the planet have something you could consider a "menu", or "tabs" of some kind. Wouldn't it be nice if we had a particular tag for that, like "<menu>"? (we do ... or we did).

    Nowadays, lots of people are linking to other people (a <dir>ectory) of people with blogrolls, wouldn't it be nice to wrap those in a <dir> list and style them separately, without using arbitrary <ul class="blah"> tags? Or perhaps a list of files available for download (<dir>), or a list of (perhaps) emails in a web mailing client.

    Not that there's anything preventing use of ad-hoc class tags to achieve the same effect, but there is semantic information (especially in <menu>) that can be put to good use when standardized like this. Everybody complains about screen-readers, wrap / auto-skip anything in a menu tag. Make a special button that pops up (or reads) anything in a <menu>. Grr. The web could have been just a tiny bit better without that move by the W3C.

    --Robert