Slashdot Mirror


User: satch89450

satch89450's activity in the archive.

Stories
0
Comments
425

Comments · 425

  1. Management education of the legal consequences on Some Companies Don't Care about Web Defacement · · Score: 5, Insightful

    After reading the link for this story, I was amused to see that things really haven't changed in a number of places. Management doesn't worry about Web site security until it hits them where it hurts, their liability insurance premium, or when the executives spend some time in the cooler.

    The majority of defacements I've seen described involve little more than vandalism, electronic tagging by lower lifeforms of script kiddies, that do very little harm to the company whose site is defaced. You "wash the walls" and go on. End of story.

    Except that it isn't the end of the story.

    What happens when the defacer decides to use your Web site to store a couple hundred cracked credit card numbers? How about the 600 MB of MP3s of copyrighted music material that appears in its own directory of your Web server? The kiddie porn? Can you imagine what would happen if a terrorist cookbook were to be uploaded to your site, given today's paranoia caused by the November 11 terrorist attack?

    IANAL, but I recall the Mogur-BBS debacle when a BBS system was used to traffic in telephone calling card numbers. Some facts are missing from the account the link points to, but it's sufficiently accurate to be useful. Here is another account of the incident. Here is a more thoughtful retrospective and analysis.

    Shall I bring up the episode of Steve Jackson Games as an indication of the kind of risk that operators of public computer systems face when security is not a primary concern? Steve Jackson Games is apparently alive and well (and probably mad as hell about being mentioned in a Slashdot article) so the news isn't all bad, but the six months they were effectively out of business -- the publishing business -- must have hurt and hurt badly. Granted, the Secret Service has learned much since that 1990 fiasco, but can you imagine the long arm, and the long flatbed truck, coming and taking your computer systems because of the acts of some malicious script kiddie who does more than tagging?

    Can your company afford to have its Web servers seized and perhaps damaged because of the illegal acts of non-employees?

    What you can do: tell your manager to contact your company's general legal counsel and request they research the legal liability, and the practical effects of law enforcement action, resulting from illegal acts committed on public servers that have inadequate security controls. Emphasize that the research include short-term effects such as equipment seizure and forcible removal, damage inflicted during such action, and the expense of obtaining the timely return of the equipment.

    If you run an e-commerce site, also be sure to ask about legal exposure in the event any web server containing credit card records, customer information records, order histories, or credit search information is compromised and the information released to unauthorized people.

    Steve Jackson Games was almost put out of business based on a bogus rumor. How would your company survive the legal onslaught from a script kiddie interested in more than just defacement?

  2. simicolons? on Portable .NET Reaches A Quarter Million Lines · · Score: 2

    Exactly.... I can write 250,000 simicolons pretty fast, too.

    Simicolons?

    Are those supposed to be binary semicolons, the same way that "mebibytes" are supposed to be binary megabytes?

    (Couldn't resist...)

  3. Re:Content-free article on 5% of the Net is Unreachable · · Score: 5, Insightful

    What worries me is that it took someone three years to figure this out...

    I think you may have jumped to a wrong conclusion here. It didn't take three years to figure out that spammers play around with unsecured routers. It took three years to prove via experiment and measurement the extent of the problem, and to quantify the extent of the problem.

    When the little boy has cried "Wolf!" often enough, the lone cry is quickly ignored. When the little boy then yells "Wolf, range 600, bearing 219" the cry takes on a bit more significance, don't you think?

    If you can't measure it, it's opinion not science. (No, I can't find who said it first -- it's not original with me.)

  4. Re:Why doesn't /..... on OS X Vs. Linux On The Desktop · · Score: 2

    Why doesn't Slashdot take a poll of the OSs that hit it?

    Well, for one thing there is this little problem that some of the HTTP proxy junkbuster packages can block the UserAgent information (like mine does) and so the numbers would be skewed.

    Nice thought, though.

  5. Re:comment from a former Microsoft developer on FBI, Pentagon Talk to MS about XP Hole · · Score: 2

    You hardly need a separate function...to check for a basic buffer overflow you need to know the array in question, how much data can fit in there, and how much data is attempted being stuffed in there. If you have those 3 things, you can just put an if() in the code.

    And just how many opportunities for making a mistake are you introducing with that viewpoint?

    "If you have those three things, you can just put an if() in the code." True. Of course, you have to avoid an off-by-one boundary problem, you have to test against the length of the right array (I've done that one myself), you have to get the right index or pointer or whatever...in short, there are LOTS of ways of screwing up even with the right facts.

    And in a million lines of code, there WILL be screw-ups, even with the best people.

    Unfortunately when you have millions of lines of code, like Windows XP does, it is mind-numbing to go through all of them looking for this kind of thing. So now the barn door is open and the buffer overflows have escaped into the code, and they will have to be rounded up one at a time by being found "in the wild" as you put it.

    I maintain a software engineer worthy of the title would recognize just how stupid relying on code review alone is to catch something this important, and would instead prefer to reduce the number of opportunities for error by using a common routine where possible. Not to mention reducing the complexity of the coding of the parent routine, so that coding, testing, reviewing, and debugging effort are reduced.

    In your work, how are you measured? I'm measured by how much code goes out the door marked "sold" without technical support calls.

  6. Re:comment from a former Microsoft developer on FBI, Pentagon Talk to MS about XP Hole · · Score: 5, Insightful

    So what is up with those buffer overflows...do Microsoft developers hate users and not care about quality? Well, no. It only takes one buffer overflow in the whole system that hundreds of developers have worked on, to make it vulnerable.

    It takes only one buffer overflow in the whole system that any number of developers, from one to one million, have worked on to make it vulnerable.

    It doesn't matter how careful you are. Zero defects at the individual level is a pipe dream. The goal of software quality assurance is that you test code to determine whether it conforms to the specifications with no astonishing side effects. Structured implementation (use of safe libraries, re-use of validated code) can reduce the effort and increase the quality of code.

    Want to eliminate buffer overflow? It's easy. Just write a routine ONCE that sucks up characters and puts it into a buffer, debug the corner cases ONCE to ensure you can't go beyond the boundaries, and use that routine for all your work, without exception. Not even when marketing comes in and says "Hey, you didn't come out on top in performance when HAL Magazine ran their tests!" Oh, and your QA people have to actually try to execute some kind of buffer overflow as one part of their suite of test cases...

    When a buffer overflow is discovered "in the wild," you find out the source of the buffer overflow and take appropriate action -- against the coder and against QA as well. You have to show these people that you MEASURE them by this sort of stuff.

    By the way, don't forget that code should check for attempts to go "outside the box" by using unusual character sequences like ".." in URLs, too. Again, write a single block of code that does the job right, test the hell out of the corner cases, and use that code, without exception.

    A Google search yields some interesting approaches. I would like to see the adoption as part of the ANSI definition of the C language an extension to the STR* library routines that are length-safe, such as the STRL* routines found in NetBSD; see the man page and the discussion in the Secure Programs HOWTO.

    Don't kid anyone. Buffer overflow can be avoided, by putting in place the proper process and discipline to do the job right.
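The single length-checked copy routine argued for in comments 5 and 6 above, written out together with the corner cases those comments name (off-by-one, exact fit, deliberate overflow attempt). This is an added example, not code from either comment; `bounded_copy`, `check_case`, `run_corner_cases`, the 8-byte buffer and the guard bytes are assumptions made here, and the routine follows the return-value contract of the BSD `strlcpy` family the comment mentions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   8     /* constructed destination size for the demo */
#define GUARD_LEN  4     /* bytes placed after the buffer to catch overruns */
#define GUARD_BYTE 0xA5

/*
 * Copy src into dst without ever writing more than dstsize bytes.
 * dst is always NUL-terminated when dstsize > 0.
 * Returns strlen(src); a return value >= dstsize means the copy was truncated.
 */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);

    if (dstsize != 0) {
        /* Leave room for the terminator: at most dstsize - 1 payload bytes. */
        size_t n = (srclen < dstsize - 1) ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/*
 * Run one corner case. The destination sits inside a larger arena whose
 * remaining bytes are filled with GUARD_BYTE, so any write past dstsize
 * is detected. Returns 0 on pass, 1 on failure.
 */
static int check_case(const char *src, size_t dstsize,
                      const char *expect, int expect_truncated)
{
    unsigned char arena[BUF_SIZE + GUARD_LEN];
    size_t i, r;

    memset(arena, GUARD_BYTE, sizeof arena);
    r = bounded_copy((char *)arena, dstsize, src);

    if ((r >= dstsize) != expect_truncated)
        return 1;                               /* truncation misreported */
    if (dstsize > 0 && strcmp((char *)arena, expect) != 0)
        return 1;                               /* wrong content or no NUL */
    for (i = dstsize; i < sizeof arena; i++)
        if (arena[i] != GUARD_BYTE)
            return 1;                           /* wrote outside the buffer */
    return 0;
}

/* The corner cases, debugged once. Returns the number of failing cases. */
int run_corner_cases(void)
{
    int failures = 0;

    failures += check_case("",         BUF_SIZE, "",        0); /* empty input */
    failures += check_case("1234567",  BUF_SIZE, "1234567", 0); /* exact fit */
    failures += check_case("12345678", BUF_SIZE, "1234567", 1); /* one too many */
    failures += check_case("AAAAAAAAAAAAAAAAAAAAAAAA",
                           BUF_SIZE, "AAAAAAA", 1);             /* overflow attempt */
    failures += check_case("x", 1, "", 1);  /* room for the terminator only */
    failures += check_case("x", 0, "", 1);  /* zero-size destination: no write */
    return failures;
}

int main(void)
{
    char name[BUF_SIZE];
    const char *input = "constructed-sample-input";   /* constructed input */

    printf("corner-case failures: %d\n", run_corner_cases());

    /* Callers check the return value instead of hand-writing the if(). */
    if (bounded_copy(name, sizeof name, input) >= sizeof name)
        printf("input truncated to \"%s\"\n", name);
    return 0;
}
```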

  7. Re:How can you sell something that's free? on Why Free Software is a Hard Sell · · Score: 2

    Every time this analogy comes up, I am astonished at its ignorance. If you think that software is as easy to produce as water, you have clearly never written a line of code yourself.

    If you think that the analogy is wrong, then you have never published software in your life. Now that I have your attention...

    Publishing software is exactly like publishing a newspaper in the nature of the effort. For those who never toured a newspaper office with an in-house press: You spend lots of effort creating, checking, and reforming the words and pictures, you spend another lot of effort getting those words and pictures into a form that will transfer ink to paper (rotogravure, offset, even hot-formed letterpress), you then bolt the plates to the press, and then you make your first impression. Many, many man-hours went into that first impression. Assuming you don't have to fix something ("Hey, Charlie, editorial wants to replate Page One for a hot-breaking story!") you then push "RUN" and "FASTER" and you start getting lots and lots of copies of the same thing. (Don't forget to press "SLOWER" then "STOP" when you get enough.)

    In software, the major effort is expended to get the FIRST floppy or CD-ROM or DVD-ROM. After that, you just run the floppy copier or the press and you get lots and lots of copies of the same thing.

    Unlike the newspaper or the bottled water, the final result is fairly easy and cheap to ship and carry.

    Now, I could be pedantic and point out the amount of effort required to get that first bottle of water ready to ship, but I think I've said enough. :)

  8. Re:Some questions for Satch... on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 2

    On the off chance that you are still compulsively monitoring this thread to see if any other comments trickle in (I know I did), I have a few more questions

    Compulsive? Only if I was checking several times an hour or more. YMMV

    1) Do you think the proposed settlement is fair? I have my reservations, some of which I mentioned in my original responses. As you might guess, I'll be taking my own advice and submitting a public comment regarding my misgivings with the PFJ. By the way, several people have sent me their contributions, and I've been very impressed with the thought and consideration that has gone into them. That's very, very good.

    2) Do you think you would have the technical chops to be hired by Microsoft as a programmer, if you for some reason chose to apply? The "chop" I don't have is youth. I get the impression that Microsoft likes to get their technical people fresh out of school. I'm not sure that an over-40 guy would do well as fresh-caught talent. :)

    3) The competitive impact statement implies that the job is a full-time one based in Redmond, WA. Do you plan to move there if selected? I have no problems moving, although it might be better -- as this is a finite-term position -- to take an apartment in the Redmond area and keep my home in Nevada. Then again, there is all this here networking technology that Microsoft and others are advertising...

    4) The committee can set a reasonable salary for itself (paid by Microsoft!). What would you think of charging and how many hours a week would you expect to work? I've not thought about the money angle, and money would be one of the things that would be discussed, I'm sure. I know that I would be asking for far less than Microsoft's lawyers. The best guideline would be to determine what Microsoft pays for a comparable position in their compensation structure and use that as a starting point. In cash, not stock, of course. I would have to arrange my own health insurance, retirement, and all the other stuff that W2 people get as part of a compensation package, so there would be a multiplier to cover that. Plus a little extra because the gag order in the PFJ, coupled with the job load, will take me out of the journalism market for at least 30 months.

    Working hours? You've got to be kidding. Unless there is a miracle, I expect that after the first two months I'll be putting in at least 80 hours a week. About what I'm used to as a techie, so no problem.

    Thanks. You're welcome.

  9. Re:Enforcement on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 2

    zero power of enforcement. If Microsoft ignores the panel, it just has to put up with the panel for another couple of years....when they still don't have any power.

    While as far as the general public is concerned the TC has a huge muzzle on its face, the reports the TC write up go to the Plaintiffs, and through them to the Judge.

    Women hath no fury like a Judge scorned. Think back to the OJ trial, when Marcia Clark smart-mouthed Ito -- it cost her money. How about reporters who invoke Shield Laws when the judge doesn't think they apply? Who ends up in the cells? For months?

    The TC has a whistle. Only the Plaintiffs and the Judge can hear it. Think the Judge will ignore it?

  10. Re:Stephen, tell me a story! on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 2

    Can we really trust someone who values ethics more than sex? I think not, my friends, I think not.

    Nomadic, I value sex quite highly. All my ethics does is affect my choice of women with whom to "associate."

    Only a pig eats every bowl of ice cream he passes by, regardless of flavor.

  11. Re:Didn't answer on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 3, Insightful

    I think you were asking about the possibility of the TC becoming an ineffective paper tiger that occasionally has meetings and issues documents, but never actually curbs Microsoft. Just as our state Public Utility Commissions generally did nothing to stop the ILECs from destroying the DSL industry via sabotage and non-cooperation. That is a very real concern I'd like to see addressed.

    The Technical Oversight Committee will only be as effective as the Department of Justice and the Plaintiff States will let it become. In order to do that, the DoJ needs YOUR input -- click on that link at the top of this article that says "voice your opinion." Send your letter stating your opinions. The other links will provide you with the necessary background information. DO IT.

    If you don't, then don't come crying to Slashdot because the TC has as much power over Microsoft's encroachment into competition as the Congress of the United States gave the FCC and the State Public Utility Commissions to right the wrongs committed against the independent DSL industry.

    If you won't, who will?

    (PS: My last name is spelled with two ells at the end.)

  12. Re:He doesn't want the job on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 3, Interesting

    He wants the perks that go with it. Congressmen don't care about their salaries (though they have no trouble raising them) -- it is a pittance compared to the bribery received from lobbyists of all sorts. Roman senatorial hopefuls used to mortgage their entire estates and sell franchise rights to wealthy investors to finance their elections, and it wasn't because they (or their backers) had strong moral opinions they wanted voiced. He's following the money, and quick to deny it.

    HOO HOO HA HA HEE HEE HEA HEA HOOOOOO!

    Thank you for the BEST LAUGH I'VE HAD IN HOURS. If I had moderator points, I'd award as many "+1 Funny" as I could to your post. Thank you, thank you.

    Oh, I grant you there are cases of people like building inspectors who have been successfully bribed, but the take is nowhere near enough to justify the heat and hassle once the bribe is discovered. When you really, really look at the job description for the TC, there is very little difference between the TC member and the building inspector. All it takes is for another building inspector to say "there is no way a competent BI would miss all this crap" to send the corrupt one to jail. Read about how a cabinet official was nailed, and the briber set free. No thank you.

    No, if I wanted to follow the money, I would try to get onto a rules-making body. There, you can accept all the bribes you want and it's almost impossible to convict you for it. Unlike people who have to follow the rules, there is no way the people who make the rules can be found to "break the rules" unless they are very, very stupid. (Or unlucky.)

    You allude to this in your supporting text, by pointing out the interests of the rulemakers (Congressmen and Roman senatorial hopefuls). Now make your argument by pointing to the quartermasters who became multimillionaires by accepting bribes for generators, or policemen who retired from the force and started living on the rich side of town from the bribes they received on the job for looking the other way.

    Follow the money, indeed!

  13. The obligatory machine/OS list on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 2

    Is it just me, or do these interviews with "famous" techies always seem to end with one of these [OS and machine] run downs.

    Actually, after quite a while it hit me that you were in reality asking a very, very good question that just screamed for an answer. (No sarcasm intended.) I never made the observation myself, let alone realize that, absent any introduction, I would appear to have fallen into the same trap. Bless you.

    If you go back to the original question list, you will see several people asking whether I had worked with anything other than Windows, what it would take me to switch if I was a Windows-only guy, and similar questions about my overall background.

    Besides, what better time to mention the Xerox 820 sitting in my storage closet?

  14. Re:Get a new Mac! on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 2

    Unfortunately, Satch, you just lost 95% of the /. demographic there. I know what you're talking about, and the over-35 crowd knows what you're talking about, but the rest of /. just gave a huge collective "WTF?"

    And what should the response of the intelligent Slashdotter be after saying "WTF"?

    RIGHT He calls up another window and is off to the search engine of his or her choice, where said Slashdotter will learn about the faux campaign conducted by the late comic, where much clean fun was poked at the real candidates and their positions.

    Slashdot: where if you aren't careful you might learn something.

  15. Do you think I'm Karma whoring? on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 4, Informative

    posting comments on your own interview is such a brilliant way to karma whore. i see that you have posted 10 comments to your own interview. if you post just three more responses you should get you to the 50 cap with posts to this article alone, if you havent already.

    What are you talking about? My karma has been stuck at 50 for a long, long time, because I almost never post any comment that results in a mod-down. (OK, children moderators, here is your chance to try to blast my karma if you are so inclined.) Before this article, I have articles which got +5 Interesting -- check my user page.

    I'm posting because people are asking good questions that deserve answers. Period.

    Satch, otherwise known as satch89450

    (Posted without the +1 bonus because I'm no fool.)

  16. Re:He's right on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 2

    Given you saying you won't lie, it wasn't from her asking "Does this make me look fat?", was it?

    No. She was a technophobe, and the beginning of the end of my marriage was when I brought the first computer home, the Compaq sewing-machine-sized computer. When we married (so she said later) she never dreamed that I would bring technology into her house. Never mind that we lived on technology for a good six years before she decided to call it quits.

    There was another source of tension that had a lot to do with us breaking up, but as far as I'm concerned that's her secret, and I'll not tell it in a public forum. I'm long since over being angry about it.

    Mostly.

  17. Re:Whew on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 2, Funny

    I don't know, dude. This here is the first question y'all asked me that I couldn't answer!

    And, yes, I know the difference between ignorance and apathy, but we don't have to retell THAT old joke, do we?

  18. Re:he thought, and so have others on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 4, Insightful

    This is neither punishment nor assurance of competition. I assume you are referring to the PFJ. The Department of Justice and the Plaintiff States have a real huge problem: their proposed remedy has to satisfy both the letter of the law and the perception of the Judge of the "public interest."

    The people who continue to say "Break it up! Break it up!" fail to see the consequences of that kind of action. See my answer to Question 7 about ripple effects -- I talk about where we would be going if Microsoft were to be splintered. Once you have the "public interest" in mind, then you need to enhance your calm regarding revenge and retribution.

    That aside, you bring up very good points: How do we convince Dell, Compaq, Gateway, and others that the playing field is indeed level? Make public the rules of the game, and then the industry will put forth a stalking horse to test it. (They always do.) Then we'll see.

    How many six-month reports will it take to reopen the remedy phase? None, I hope. My expectation is that Microsoft will indeed toe the line, especially as they will now have a person whose sole job is to ensure they do from the inside. Three people will be on the outside watching for fouls. And the rest of the industry doesn't have to make big shifts to accommodate all this. Stable, we hope.

    How will hardware makers be reassured that it's now OK to release driver specs or even include drivers and source for non M$ OS? I'm sorry, I've not seen anything that suggests that any hardware company was pressured or convinced by Microsoft to withhold information or to not release drivers for other platforms. On the kernel hacker's mailing list, every time someone talks about a company not willing to release information, it's the company that has made the decision, not Microsoft. Some of the companies who do write drivers for Linux make it clear they won't release source because they have decided to keep the API to their software secret -- their choice. I am still miffed that Adaptec won't release hardware API information for their RAID controllers, because I have one and prefer the security model in Linux for my file servers.

    What company has said "We won't release our API because Microsoft told us not to"?

  19. Re:Get a new Mac! on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 4, Interesting

    Maybe I've missed something, but it's still not clear to me what your plan is. Have you been in touch with the DOJ, or with the candidates Microsoft has proposed for their slot? Oddly, Roblimo's introduction promises you'll tell us your chances of getting the job but if you did, I missed it.

    My plan is simple: get noticed and considered by the lawyers at the Department of Justice and the Plaintiff States. I'm not asking for special favors, just a chance at the slot.

    To that end, I tried to contact the Department of Justice Anti-Trust Division and was told that it's "too soon" for them to take any applications or resumes. I also talked to the Office of the Attorney General in several of the Plaintiff states and was told pretty much the same thing: I'm too early.

    I've written my Congressmen for assistance. The anthrax situation affected both of my Senators, and that's interfered with them getting my information, let alone responding to it. My Representative may well be in a similar situation; I haven't followed up to my original letters sent at the beginning of November.

    The Cringely thing came as a bit of a surprise. I had written to Mark because of our prior association at InfoWorld. I filled him in on all the facts -- we share friends and many of them know the story, so I suspected he had heard about it. He asked questions, I wrote answers, and the column was the astonishing result. I didn't seek that, just some advice from someone a little tighter in the industry than I am right now.

    I've not been in touch with Microsoft, or any of the other candidates. If Microsoft wants to nominate me (worse than a snowball's chance, I'd say) I'd be happy to serve, so long as they understand that I wouldn't be there as "their guy."

    As for my chances: Isn't that obvious?

    1. I'm not known inside the Beltway
    2. I'm not well-known in Redmond
    3. I'm not known at all in the Capitols of any of the Plaintiff states
    4. The industry knows me as a reviewer, but that's it. The magazines made it a point to keep reviewers out of the limelight -- except for columnists, and my column was more of a regular feature than an opinion piece.

    You work the odds. My calculator doesn't have enough zeros.

    Sorry for the lapse into negativism. In Nevada, us residents are taught that even long odds come home. "If you don't bet, you can't win." Of course, then there are the people who don't know when to stop, the ones who end up hitchhiking home or taking up jobs in strip clubs or labor gangs. I won't bet it all against the long shot, but I will continue to tap the pot as long as I can afford to, until I win or lose. Then we'll see.

  20. Re:focus on symptom ignores cause! no confidence on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 3, Insightful

    I would say that the one and only reason "commercial" software only lasts one year is because of the games M$ plays as a monopolist. There is no technical reason for the bit rot seen on M$ platforms. Other OS do not have this problem at all.

    (Shit. This is what I get for being a professional writer, and over-editing my submissions. I should know better by now.)

    In the third draft of my answers, I mentioned that the reason for the annual cycle of commercial software stems from the wish of the software industry to keep revenue going even in a saturated marketplace, the changes in government regulations that manage to touch a huge number of business applications, and the yearly Battle of the Budget when IT departments have to "justify" their requests for the coming year by spending every dime in this year's budget. Not to mention deafening "NEW AND IMPROVED" rollouts at trade shows, shows whose dates are set over a year in advance -- before a particular software project is launched that has to meet the date or the marketing people say the product will die...

    Look at the software sold for other operating systems, and software that are operating systems in their own right. The pattern is very similar.

    With academic software, look for the pattern of changes and releases that coincide with the boundaries of marking periods (semester or quarter). Out with the old interns, in with the new...

    In Open Source software projects, the only time pressure is internal, or anxiousness from the user base.

  21. Re:Stephen, tell me a story! on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 5, Interesting

    I want to hear about the time(s) you turned down sex for ethical reasons.

    Well, let's see. There was the gift certificate for The Mustang Ranch that was tucked neatly into a press kit that was mailed to my home in Nevada. If I had known that the Ranch would be first run by the IRS and then closed when the government was hauled into court for running a brothel, I would have saved the thing -- it would be worth REAL money today. The press person who did this was a fool -- the Bunny Ranch is a much closer drive for me. People really should do their research.

    The art of bribing people who you hope can help you is a delicate dance, and requires that the receiving party be equally as willing to accept the bribe as much as the offering party is to give it. Simply by ignoring the nuances and double entendres it's very easy to avoid impropriety.

    I made the decision to avoid impropriety -- I didn't need the trouble, and I didn't need the hassle. I had enough trouble getting writing assignments to add ethics violations to the hurdles.

  22. Re:Hmmm... on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 4, Funny

    Stephen Satchell (Virgo)

    Boy, do I have YOU fooled! I'm an Aries.

  23. Re:He's right on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 3, Insightful

    Hmmm, all of the sudden I pity his wife :)

    My wife left me ten years ago. I first moved to Nevada because she made me get the divorce, and I didn't want to pay an arm and a leg in New Jersey. The place grew on me, so I (for the most part) stayed.

    So far I have managed to avoid further inter-gender entanglements.

  24. Re:What about the FIRST consent decree? on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 4, Insightful

    The events and findings of the second MS anti-trust trial were more or less brought about by Microsoft's willful failure to follow either the letter or the intent of the first consent decree. Given that history, why would anyone expect that any level of "oversight" would prevent Microsoft from acting exactly as it did before?

    See the answer to Question 6.

    In the first decree, there was no method to collect information cheaply about minor infractions, and no process to deal with the minor infractions. The Department of Justice didn't have the staff in place to deal with minor complaints -- do you think that including a technical oversight committee in the Proposed Final Judgement indicates that the DoJ realizes this?

    Think, man, THINK. Every six months like clockwork the Plaintiffs will get a report about every little complaint against Microsoft that comes over the threshold of the TC's door. Every six months the Plaintiffs will have to decide whether the weight of the infractions in the report merit bringing the stack to the attention of the Court. Every six months Microsoft faces at best a possible contempt citation for its infractions (if any), with the real possibility in the face of poor performance the extension of the term of the Final Judgement because of bad behavior, and at worst a reopening of the remedy portion of the anti-trust trial because the "Final Judgement isn't working."

    We treat murderers on probation less harshly.

  25. Re:Umm... on MS Oversight Committee Hopeful Stephen Satchell Answers · · Score: 5, Informative

    Almost everyone I know has taken sides on the Microsoft issue. I hope what you say is true.

    One of the advantages of having knocked around the industry as a white-hat hacker, writer, developer, and at one point as a QA guy is that I got to meet, work, and play around a lot of Microsoft people. My story about the Microsoft representative to TIA is typical of many of my interactions with Microsoft people. If you can get their attention and their respect, they treat you properly and with respect. Good things come from that.

    Case in point: The architects of NT were adamant that no device driver should mess with floating-point registers in the IA-32 architecture. If a driver needed floating point registers, the NT architects provided a slow routine to save the registers and another slow routine to load them back up. (I don't know any more details than that -- this was an API description.) In a soft modem product, the slowness of the routine (opposed to saving the floating-point context to a fixed location directly) is a killer. The NT guys had to be convinced that soft modems needed to be an exception to the floating-point rule, the same as games had been granted exception status.

    I want to stress this: at no time did the NT architects say "We are Microsoft, you do what we tell you to." Instead, they (and we) argued exclusively the technical merits of our positions.

    I respect that kind of allegiance to keeping it technical.