There are two very annoying bugs that have been around and known since "1.0.0" that still have not been fixed:
- Many times, when you copy and paste from Firefox, the clipboard gets cleared and nothing gets copied into it. Once this happens, not cutting and pasting for you until you restart Firefox.
- If a DNS query does not respond immediately, Firefox will hang until it does. Ever heard of CreateThread and pthread_create? Or ADNS for that matter?
If the source were not so insanely complicated and difficult to build, I'd fix these myself. I work with malware that's easier to reverse engineer than Firefox's source.
The DMCA is entirely about the same thing. The DMCA says you're not allowed to make a derivative work of a pair of NOP's to a particular location. The only thing that makes the DMCA worse than this decision is that instructions of how to patch (also known as a "crack") are illegal too.
If I do, then the copying of a DVD is immaterial, as long as I do not retain a copy after I sell it.
This is not true. Copying is always illegal unless you can prove that it is one of the strict authorized conditions. Backup copies are explicitly legal, and temporary copies used in facilitating playback - namely copying to RAM and/or a page file - are ignored as copies under case law. Fair use is another exception. The burden of proving one of these cases is on you.
When I got out of the theater after The Siege, there were people of Arab descent outside the theater distributing pamphlets asking people not to see the movie because it portrayed Arabs as terrorists.
I wish they would have actually *seen* that movie before they did that. What they said is technically true, but they didn't know the context at all, that there was a moral lesson about the evils of racial profiling (and related things like taking away rights to protect against terrorism).
Melissa
Add Access Control Lists!!
on
EXT4 Is Coming
·
· Score: 1
If they're going to make an ext4, why not add access control lists and extended attributes, which have been sorely needed for some time?
The next Microsoft OS is quite likely to be based entirely on interpreted/dynamically compiled languages, obviously the CLR. The actions over the last 2 or so years seem to indicate that Microsoft wishes to deprecate native code. They would probably run existing x86 Windows programs in a sandbox so that untrusted code (aka all native code) cannot damage the system. The OS would deny even the computer owner the right to run native code with any authority unless it's signed by Microsoft. We can already see this coming with Vista: unsigned code cannot run in the kernel at all in x64, and in all versions unsigned code cannot request that dialog box to ask the user permission for admin access. (This last one was never announced by Microsoft and was slipped into a build. Developers filed it as a bug; Microsoft declared "as design" with no comment whatsoever.)
It works great for DRM, because sandboxed code cannot manipulate other code. If implemented correctly, something that Microsoft has shown to be possible with the 360 (though with native code), it would be unbreakable other than at the hardware level. Microsoft would make it so that only Microsoft-signed programs are allowed to run natively, whereas.NET programs could run unsigned. (They'd probably require signing to do anything interesting like write files to disk.)
This is terrible and I hope Microsoft meets a lot of resistance.
Nobody should get pushed around by stupid patents, and that includes your enemies. Don't side against someone simply because you don't like them. It's in your best interests to defend Microsoft here...
From recent actions by Microsoft, it appears that Microsoft's goal is to make native code unsuitable. It is very likely that NT 7.0 will not run native code unless it is digitally signed (or it is so sandboxed that it doesn't matter).
It is impossible to hack DRM when you can't run native code, and that's probably what it's all about.
They force us to use this at work. It frequently denies access without asking the user or notifying the user. If we don't disable CSA first, we can't use any Perl script that does system() because CSA will silently deny access. The network admins can't figure out how to get Perl special-cased.
Also, much of its hooking can be bypassed by someone who knows the NT API. Many of their hooks are patches to ntdll.dll in each process's memory that can easily be bypassed.
The main "security" of CSA comes from the fact that not many trojan writers have it. If they had it and designed their trojans with it in mind, they'd run circles around it. >_<
To separate out like this, you'd need to have each program run as a different user, and not give that user any rights.
You can't run them as the normal user. Even if you remove all the privileges, it is still the same user SID (Windows's UID). By default, a process's ACL allows debug access for the same user. That is, if program A and program B run as the same SID, then by default process A can manipulate process B and vice versa. Thus, if you did this, the program could do NtWriteVirtualMemory on any other non-sandboxed process to inject code.
Windows Vista can separate users' processes into the normal and elevated security processes, but it does nothing to stop processes at the same level from manipulating each other.
Don't see it as a security flaw that Windows does this. It is simply following the access control list. (It's not just the ACL that matters. An owner of a kernel object may set the ACL regardless of the ACL, so as long as the owner SID remains the same the processes can manipulate one another.)
I don't know why people give so much credence to Coverity. I don't see how it could possibly know what are bugs and what aren't. Didn't mathematicians and computer science people show this already as the Halting Problem? "Bugs per line of code" from a program is a ridiculous measurement to use.
I've never used Coverity since it's impossible to get the program, but it wouldn't surprise me if it called anything that wasn't safe or good coding style a "bug". Like, yell at you if you use "strcpy". Or if you don't check for a NULL pointer when it can't be.
What sucks is that some businesses in which the managers aren't programmers are starting to require that all code checked in pass tests of this kind with no exceptions. It hasn't happened at my company yet, thankfully.
Of course, this comes from someone writing assembly language on a regular basis. >_
Review bias doesn't come from advertising so much, as you explain above. The primary influence is from publishers refusing to give magazine early access to the games unless they gave a good review to the publisher's previous game.
The only real way to end the corruption of the review system is to get a set of trusted critics. The movie critics have Roger Ebert and a few others (David Ansen?). Once a critic is trusted enough by the movie-watching public, the critic is able to tell off the studios. If a studio doesn't let Ebert watch a movie because of the bad review they think he'll give, he won't hesitate to present that fact to his audience. This is usually worse press than allowing the bad review.
(Whether you agree with Ebert's movie taste is irrelevant; I'm talking about his influence.)
To set something like this up would take a while and would be risky. The magazine would need to be prepared to give bad reviews even if it meant not getting next month's beta games. They would need the courage to not worry so much that their competitors got it. They can fight back against the publisher by publicizing that they were denied access to beta games due to the publisher's bullying like Ebert does. Finally, they need the integrity to write honest reviews, and not be in awe just because they got to see a new unfinished game. And they need to be willing to give good reviews where deserved even if the publisher shafted them.
When and if something like this happens, maybe game reviews will actually mean something again.
...for the 10 people that will be there. That's about how many people care about the cause and could take the time to be there. As much as I support the cause, the nerds of the world are electorally non-existent.
That old saying was always implied yelling "fire!" when there isn't one. If there is a fire, such as when burning gasoline is on you, then there's nothing wrong with it.
You do have a right to party, it was called "peaceably assemble". Minus the marijuana and underage alcohol though. As much as those should be legal, there's nothing in the Constitution that makes it illegal for states or the feds to ban it.
There are many compiler and IDE bugs in Visual Studio 8 that are causing problems for all the developers that had to switch for various reasons. These bugs are well-known on the Visual Studio 8 forums. Microsoft has labeled the bugs as "fixed".
However, they refuse to release a fix for another 5 months - SP1 in October. Unlike Open Source, you can't even compile the fix yourself, unless you're very good with a hex editor and IDA.
For anyone in this particular situation, download the beta Vista WDK (Windows Driver Kit). It comes with the latest cl.exe built from their source control. This solves a lot of the compiler bugs. It won't solve the even more IDE bugs in VS8, however.
No 64 bit and no mouse button equals no mac for me. Unlike a desktop Mac, there's nothing you can do to have a second mouse button on a laptop - other than an external mouse, which isn't acceptable to me.
The hack only allows piracy. As Microsoft said, the rest of the security system isn't broken at all.
That's the sad part. It's very obvious that Microsoft cares much more about preventing Linux, Xbox Media Center and Game Shark much much much much more than they care about preventing piracy.
The 360's security against unauthorized software undoubtedly cost millions of dollars to develop, and an unknown amount to manufacture. Meanwhile, the anti-piracy system of the 360 is almost identical to the Xbox's weak system. They barely changed anything, even though they knew it was already broken.
By the way, the piracy hack for 360 was finished months ago. They probably spent the rest of that time designing their stuff to make it incredibly hard for Microsoft to detect it through Xbox Live.
Expect Microsoft to very soon reflash the drive of anyone connecting to the Internet with a version with no back doors and that checks digital signatures of future flashes. And they'll do this instantly upon detecting a connected network cable without asking for your permission.
Software pirates will just use IDA Pro instead of GCC to get the job done. The part they've always cared about (Don't Steal Mac OS.kext) was never open source anyway.
If Apple says that software pirates are the only reason, don't believe them.
Slashdot Mirror
There are two very annoying bugs that have been around and known since "1.0.0" that still have not been fixed:
- Many times, when you copy and paste from Firefox, the clipboard gets cleared and nothing gets copied into it. Once this happens, not cutting and pasting for you until you restart Firefox.
- If a DNS query does not respond immediately, Firefox will hang until it does. Ever heard of CreateThread and pthread_create? Or ADNS for that matter?
If the source were not so insanely complicated and difficult to build, I'd fix these myself. I work with malware that's easier to reverse engineer than Firefox's source.
Melissa
The DMCA is entirely about the same thing. The DMCA says you're not allowed to make a derivative work of a pair of NOP's to a particular location. The only thing that makes the DMCA worse than this decision is that instructions of how to patch (also known as a "crack") are illegal too.
Melissa
If I do, then the copying of a DVD is immaterial, as long as I do not retain a copy after I sell it.
This is not true. Copying is always illegal unless you can prove that it is one of the strict authorized conditions. Backup copies are explicitly legal, and temporary copies used in facilitating playback - namely copying to RAM and/or a page file - are ignored as copies under case law. Fair use is another exception. The burden of proving one of these cases is on you.
Melissa
When I got out of the theater after The Siege, there were people of Arab descent outside the theater distributing pamphlets asking people not to see the movie because it portrayed Arabs as terrorists.
I wish they would have actually *seen* that movie before they did that. What they said is technically true, but they didn't know the context at all, that there was a moral lesson about the evils of racial profiling (and related things like taking away rights to protect against terrorism).
Melissa
If they're going to make an ext4, why not add access control lists and extended attributes, which have been sorely needed for some time?
melissa
The next Microsoft OS is quite likely to be based entirely on interpreted/dynamically compiled languages, obviously the CLR. The actions over the last 2 or so years seem to indicate that Microsoft wishes to deprecate native code. They would probably run existing x86 Windows programs in a sandbox so that untrusted code (aka all native code) cannot damage the system. The OS would deny even the computer owner the right to run native code with any authority unless it's signed by Microsoft. We can already see this coming with Vista: unsigned code cannot run in the kernel at all in x64, and in all versions unsigned code cannot request that dialog box to ask the user permission for admin access. (This last one was never announced by Microsoft and was slipped into a build. Developers filed it as a bug; Microsoft declared "as design" with no comment whatsoever.)
.NET programs could run unsigned. (They'd probably require signing to do anything interesting like write files to disk.)
It works great for DRM, because sandboxed code cannot manipulate other code. If implemented correctly, something that Microsoft has shown to be possible with the 360 (though with native code), it would be unbreakable other than at the hardware level. Microsoft would make it so that only Microsoft-signed programs are allowed to run natively, whereas
This is terrible and I hope Microsoft meets a lot of resistance.
Melissa
My refusal to use Flash is much more about my hatred of Adobe and their software practices than about the security holes, which I know can be handled.
Firefox needs its own Flash player that doesn't rely on crap from Adobe.
Melissa
Ready to get -1 flamebait...
Nobody should get pushed around by stupid patents, and that includes your enemies. Don't side against someone simply because you don't like them. It's in your best interests to defend Microsoft here...
Melissa
From recent actions by Microsoft, it appears that Microsoft's goal is to make native code unsuitable. It is very likely that NT 7.0 will not run native code unless it is digitally signed (or it is so sandboxed that it doesn't matter).
It is impossible to hack DRM when you can't run native code, and that's probably what it's all about.
Melissa
They force us to use this at work. It frequently denies access without asking the user or notifying the user. If we don't disable CSA first, we can't use any Perl script that does system() because CSA will silently deny access. The network admins can't figure out how to get Perl special-cased.
Also, much of its hooking can be bypassed by someone who knows the NT API. Many of their hooks are patches to ntdll.dll in each process's memory that can easily be bypassed.
The main "security" of CSA comes from the fact that not many trojan writers have it. If they had it and designed their trojans with it in mind, they'd run circles around it. >_<
Melissa
No, for a setuid program (Windows's "Run As"), the new application runs as a different user than the person using it. This works.
Melissa
To separate out like this, you'd need to have each program run as a different user, and not give that user any rights.
You can't run them as the normal user. Even if you remove all the privileges, it is still the same user SID (Windows's UID). By default, a process's ACL allows debug access for the same user. That is, if program A and program B run as the same SID, then by default process A can manipulate process B and vice versa. Thus, if you did this, the program could do NtWriteVirtualMemory on any other non-sandboxed process to inject code.
Windows Vista can separate users' processes into the normal and elevated security processes, but it does nothing to stop processes at the same level from manipulating each other.
Don't see it as a security flaw that Windows does this. It is simply following the access control list. (It's not just the ACL that matters. An owner of a kernel object may set the ACL regardless of the ACL, so as long as the owner SID remains the same the processes can manipulate one another.)
Melissa
I don't know why people give so much credence to Coverity. I don't see how it could possibly know what are bugs and what aren't. Didn't mathematicians and computer science people show this already as the Halting Problem? "Bugs per line of code" from a program is a ridiculous measurement to use.
I've never used Coverity since it's impossible to get the program, but it wouldn't surprise me if it called anything that wasn't safe or good coding style a "bug". Like, yell at you if you use "strcpy". Or if you don't check for a NULL pointer when it can't be.
What sucks is that some businesses in which the managers aren't programmers are starting to require that all code checked in pass tests of this kind with no exceptions. It hasn't happened at my company yet, thankfully.
Of course, this comes from someone writing assembly language on a regular basis. >_
Melissa
Review bias doesn't come from advertising so much, as you explain above. The primary influence is from publishers refusing to give magazine early access to the games unless they gave a good review to the publisher's previous game.
The only real way to end the corruption of the review system is to get a set of trusted critics. The movie critics have Roger Ebert and a few others (David Ansen?). Once a critic is trusted enough by the movie-watching public, the critic is able to tell off the studios. If a studio doesn't let Ebert watch a movie because of the bad review they think he'll give, he won't hesitate to present that fact to his audience. This is usually worse press than allowing the bad review.
(Whether you agree with Ebert's movie taste is irrelevant; I'm talking about his influence.)
To set something like this up would take a while and would be risky. The magazine would need to be prepared to give bad reviews even if it meant not getting next month's beta games. They would need the courage to not worry so much that their competitors got it. They can fight back against the publisher by publicizing that they were denied access to beta games due to the publisher's bullying like Ebert does. Finally, they need the integrity to write honest reviews, and not be in awe just because they got to see a new unfinished game. And they need to be willing to give good reviews where deserved even if the publisher shafted them.
When and if something like this happens, maybe game reviews will actually mean something again.
Melissa
Lucas is one of the worst when it comes to copyright. Remember when he didn't want to release Star Wars 4-6 on DVD because people would pirate it?
Melissa
...for the 10 people that will be there. That's about how many people care about the cause and could take the time to be there. As much as I support the cause, the nerds of the world are electorally non-existent.
Melissa
That old saying was always implied yelling "fire!" when there isn't one. If there is a fire, such as when burning gasoline is on you, then there's nothing wrong with it.
Melissa
FFTs are also useful for squaring large numbers with a modulo. That's what http://www.mersenne.org/ uses them for.
Melissa
...we've added a dozen new "security" updates to help prevent you from using the console as you wish!
You do have a right to party, it was called "peaceably assemble". Minus the marijuana and underage alcohol though. As much as those should be legal, there's nothing in the Constitution that makes it illegal for states or the feds to ban it.
Melissa
There are many compiler and IDE bugs in Visual Studio 8 that are causing problems for all the developers that had to switch for various reasons. These bugs are well-known on the Visual Studio 8 forums. Microsoft has labeled the bugs as "fixed".
However, they refuse to release a fix for another 5 months - SP1 in October. Unlike Open Source, you can't even compile the fix yourself, unless you're very good with a hex editor and IDA.
For anyone in this particular situation, download the beta Vista WDK (Windows Driver Kit). It comes with the latest cl.exe built from their source control. This solves a lot of the compiler bugs. It won't solve the even more IDE bugs in VS8, however.
Melissa
No 64 bit and no mouse button equals no mac for me. Unlike a desktop Mac, there's nothing you can do to have a second mouse button on a laptop - other than an external mouse, which isn't acceptable to me.
Melissa
The hack only allows piracy. As Microsoft said, the rest of the security system isn't broken at all.
That's the sad part. It's very obvious that Microsoft cares much more about preventing Linux, Xbox Media Center and Game Shark much much much much more than they care about preventing piracy.
The 360's security against unauthorized software undoubtedly cost millions of dollars to develop, and an unknown amount to manufacture. Meanwhile, the anti-piracy system of the 360 is almost identical to the Xbox's weak system. They barely changed anything, even though they knew it was already broken.
By the way, the piracy hack for 360 was finished months ago. They probably spent the rest of that time designing their stuff to make it incredibly hard for Microsoft to detect it through Xbox Live.
Expect Microsoft to very soon reflash the drive of anyone connecting to the Internet with a version with no back doors and that checks digital signatures of future flashes. And they'll do this instantly upon detecting a connected network cable without asking for your permission.
Melissa
Unlike every other brand of laptop, Apple's laptops don't have a right mouse button.
Intel still hasn't made a 64 bit laptop chip yet.
Melissa
Software pirates will just use IDA Pro instead of GCC to get the job done. The part they've always cared about (Don't Steal Mac OS.kext) was never open source anyway.
If Apple says that software pirates are the only reason, don't believe them.
Melissa