OSDir.com: What's the most effective anti-spam technology that SpamAssassin uses right now?
Quinlan: I think network rules are the most effective single technology, in particular, the URI rules that use SURBL, looking for spammer domains in Web links.
The SURBL can be found here: http://www.surbl.org. It's a very good thing, so much so that spammers are starting to try to get around it by doing stuff like this:
Copy the following URL removing the space into your browser:
As well as POPFile's multi-category email filtering, I sell a commercial component that does multi-category Bayesian filtering for companies to embed in their own software. Bayesian and other statistical techniques are going to be cropping up everywhere there's text to analyze.
John.
I plugged all of my equipment into a powerstrip with a real switch on it. Switch it off and everything is definitely off; it wasn't rocket science.
John.
I think that their implementation contains exactly the same bug as Windows (as others have pointed out) and that if you take a look at the code you can easily see why (and it's not a backdoor).
First the file dlls/gdi/metafile.c contains a function called PlayMetaFileRecord with the following signature:
    BOOL WINAPI PlayMetaFileRecord( HDC hdc, HANDLETABLE *ht, METARECORD *mr, UINT handles )
Which is simply WINE's implementation of the same Win32 API (which is documented here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/metafile_1yec.asp)
The third parameter (mr) is a METARECORD pointer (a METARECORD is just an entry in the metafile and is detailed here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/metafile_8j1u.asp) and is the all important header with the following definition:
    typedef struct tagMETARECORD {
        DWORD rdSize;
        WORD  rdFunction;
        WORD  rdParm[1];
    } METARECORD, *PMETARECORD;
With the rdSize being the size of the record in words, the rdFunction being the function and the rdParm the data (which in the case of an exploit would be executable code). PlayMetaFileRecord handles META_ESCAPE like this:
    case META_ESCAPE:
        Escape( hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
        break;
You'll note that parameter 3 is a pointer into the metafile parameter block, i.e. if executed parameter 3 would execute code in the metafile. Now Escape is implemented like this (dlls/gdi/driver.c):
    INT WINAPI Escape( HDC hdc, INT escape, INT in_count, LPCSTR in_data, LPVOID out_data )
and the SETABORTPROC is handled with the following code:
    case SETABORTPROC:
        return SetAbortProc( hdc, (ABORTPROC)in_data );
So if you have an ESCAPE/SETABORTPROC record in a metafile then under WINE the AbortProc is set to point into the metafile (since in_data corresponds to &mr->rdParm[2]).
So it's quite clear from the WINE implementation that this is a way to set a pointer into the metafile for execution. All it would take is that the metafile's AbortProc is called and arbitrary code could be executed.
In WINE at least this looks nothing like an intentional backdoor. It looks more like a bug caused by the fact that Escape is rather powerful and can set a pointer to code.
Now it's possible in WINE (I believe) to force the AbortProc to execute with another ESCAPE record that has NEWFRAME as the function. Again looking at the Escape code you'll see that NEWFRAME is handled like this:
    case NEWFRAME:
        return EndPage( hdc );
EndPage is a standard GDI function (see here for documentation: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/prntspol_0d6b.asp). If you take a look at the implementation in WINE you see the following code (dlls/gdi/printdrv.c):
    INT WINAPI EndPage(HDC hdc)
    {
        ABORTPROC abort_proc;
        INT ret = 0;
        DC *dc = DC_GetDCPtr( hdc );
        if(!dc) return SP_ERROR;
        if (dc->funcs->pEndPage) ret = dc->funcs->pEndPage( dc->physDev );
        abort_proc = dc->pAbortProc;
        GDI_ReleaseObj( hdc );
        if (abort_proc && !abort_proc( hdc, 0 ))
        {
            EndDoc( hdc );
            ret = 0;
        }
        return ret;
    }
Note that this function always called the Abo
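As an added illustration of the record layout the comment walks through (example code written here, not taken from the comment or from WINE): a bounds-checked scanner that walks a metafile's METARECORD stream and counts META_ESCAPE records whose escape code is SETABORTPROC, the kind of check a mail or content filter can apply before handing a file to GDI. It assumes a standard (non-placeable) WMF that starts with the 18-byte METAHEADER; the META_ESCAPE, SETABORTPROC and META_EOF values are the public wingdi.h ones, the function names are mine, and the sample file is constructed inline with zero-filled parameter data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Record and escape codes from the Windows GDI metafile format (wingdi.h values). */
#define META_EOF      0x0000
#define META_ESCAPE   0x0626
#define SETABORTPROC  9
/* Little-endian reads from an unaligned byte buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk the METARECORD stream that follows the 18-byte METAHEADER and count
 * META_ESCAPE records whose escape code (rdParm[0]) is SETABORTPROC. rdSize is in
 * 16-bit words. Returns -1 for a malformed stream (rdSize below the 3-word record
 * header, or a record running past the end of the buffer). */
int count_setabortproc_records(const uint8_t *buf, size_t len)
{
    size_t off = 18;                      /* METAHEADER: mtType .. mtNoParameters */
    int hits = 0;
    if (len < off) return -1;
    while (off + 6 <= len) {              /* rdSize (4 bytes) + rdFunction (2 bytes) */
        uint32_t size_words = rd32(buf + off);
        uint16_t func = rd16(buf + off + 4);
        if (size_words < 3 || size_words > (len - off) / 2) return -1;
        if (func == META_EOF) break;
        if (func == META_ESCAPE && size_words >= 4 && rd16(buf + off + 6) == SETABORTPROC)
            hits++;
        off += (size_t)size_words * 2;
    }
    return hits;
}

/* Constructed sample, not a real file: METAHEADER, a harmless META_SETMAPMODE record,
 * optionally a META_ESCAPE/SETABORTPROC record whose parameter data is all zeros,
 * then META_EOF. Writes into out (64 bytes is enough) and returns the length. */
size_t build_sample_wmf(uint8_t *out, int with_setabortproc)
{
    static const uint8_t head_and_mapmode[26] = {
        0x01,0x00, 0x09,0x00, 0x00,0x03, 0,0,0,0, 0x00,0x00, 0,0,0,0, 0x00,0x00, /* METAHEADER */
        0x04,0,0,0, 0x03,0x01, 0x08,0x00 };           /* META_SETMAPMODE, rdSize 4 words */
    static const uint8_t escape[16] = { 0x08,0,0,0, 0x26,0x06, 0x09,0x00, 0x04,0x00,
                                        0,0,0,0, 0,0 };   /* rdSize 8, ESCAPE, SETABORTPROC */
    static const uint8_t eof[6] = { 0x03,0,0,0, 0x00,0x00 };
    size_t n = 26;
    memcpy(out, head_and_mapmode, n);
    if (with_setabortproc) { memcpy(out + n, escape, 16); n += 16; }
    memcpy(out + n, eof, 6);
    return n + 6;
}

/* Build a sample and scan it; corrupt_first_size zeroes the first record's rdSize. */
int scan_sample(int with_setabortproc, int corrupt_first_size)
{
    uint8_t buf[64];
    size_t n = build_sample_wmf(buf, with_setabortproc);
    if (corrupt_first_size) buf[18] = 0;
    return count_setabortproc_records(buf, n);
}
```

A return of -1 (malformed record sizes) is worth treating as a block signal in its own right, since a filter that gives up silently on bad lengths is exactly what a crafted file would aim for.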
According to Wikipedia he was involved in the assassination of a President and an Attorney General.
John.
As regular viewers of the excellent MTV educational show "Pimp My Ride" will already be informed, Xzibit and colleagues recently installed a 12,000 Watt subwoofer in one of their patient's vehicles. The subwoofer itself is here: http://www.cardomain.com/sku/MTXT992244.
Despite being a WASP I must add that the car post-transformation was "phat".
John.
Where $Some == 0.
My best mishap was the following: I decided to make bubble solution for my little girl. So I went on the Internet using my laptop and found a recipe that involved mixing water, glycerine, sugar and dish washing liquid.
The mixture makes very good, but very sticky bubbles. I made about a litre of it and put it in a jug. I then got up from the table and knocked over the jug onto my laptop keyboard.
Oops.
Luckily the laptop I have is almost sealed under the keyboard (there's a small hole for the keyboard connector) and I was able to remove the keyboard and simply wash it under the tap and then dry it out. In fact you can pretty safely wash laptop keyboards once separated from the machine because there are no electronics in them, just a PCB with rubber keys on top.
John.
What's more interesting, the new technology doesn't seem to be privacy intrusive
The only mention of the word "privacy" on the linked web page is the term "Privacy Policy" at the bottom of the page.
John.
I'm not going to say you're a moron, but how do you allow for legitimate unsolicited email from people?
Currently I receive lots of unsolicited mails from people that I want to hear from. Let's call these people "customers".
Your scheme would have me polling only people I have already talked to.
John.
This is pretty unlikely. There are a number of reasons why touch screens and eye input are inaccurate:
1. Your finger has very low resolution. You cannot position something very precisely with a finger on the screen no matter how sensitive the touch screen is.
2. Sticking your finger on the screen obscures your view of the very thing you are trying to point to thus making it harder.
3. Tracking your eyes suffers from a similar accuracy problem. Just try staring at a pixel on the screen and then move your eyes just enough to move exactly one pixel to the right.
The mouse is a good tool for precise positioning on screen because your hand can make very precise movements.
Next time you are undergoing surgery try asking the surgeon to direct the scalpel with his eyes.
John.
It's just a case mod and consists of the following:
1. Buy a Mac G3
2. Throw away all the electronicsy bits
3. Buy a PC
4. Put PC electronicsy bits inside the G3 case
5. Stick a Windows logo on case
6. ?
7. You are so not l33t
John.
I really don't F5 the issue here F5. I like to check my F5 email regularly F5 because it's the only F5 interaction I get with F5 people. So I check F5 it about once every F5 minutes, whatever.
So you're saying "Chicks dig it"? Why the hell isn't that Mozilla's slogan?
John.
In Splinter of the Mind's Eye Luke recharges his lightsaber from a blaster. The thing that impressed me was not the rechargeable battery but that each had a connector compatible with the other that makes this possible.
Why, oh why, can't I plug my cell phone, PDA, and laptop together in a similar fashion when one needs power?
John.
Not true. I remember a guy at work in the late 90s who wouldn't type www.excite.com because he thought it wasn't work appropriate, and what about whitehouse.com?
John.
The address of the New York Subway system (also called the MTA) is www.mta.info.
John.
So, I was a die hard Windows user, been that way since 3.0 (3.11 and 2k were my favorite releases), but 18 months ago I switched to Linux (first SuSE and more recently FC3). And now I'm thinking of a PowerBook.
Leaving Windows wasn't a problem, but sticking with Linux is. Sure it's very fast on my machine, and I have all the familiar Unix tools from the GNU chain, but so much doesn't work right. Linux on the desktop is close to a joke. I've tried both GNOME and KDE and neither is bug free (cf. Win2K which was very, very stable), and there are so many hardware incompatibilities that it's a pain.
Ultimately, I want to support F/OSS, but I may have to switch because it's a productivity drain for me to discover that gnome-panel has crashed something and now Evolution can't open the File dialog. Ugh. Or figure out why gaim's icon disappears in the tray some of the time, or have gdesklets eat the CPU for no apparent reason, or...
John.
:-)
But I just checked her dietary habits in the hacked database and she looks more like tubgirl now.
Can anyone explain why the parent directory: http://www.csuchico.edu/inf/new/ is browsable?
John.
Starbucks doesn't bother to ask for a PIN or signature under $20: http://www.boston.com/business/articles/2004/08/18/swipe_hype_debit_the_small_stuff/
John.
Tank girl is in it?
Here's the bit that I've never understood in these "death of the OS" stories. It's all very well me using an application that is mostly running somewhere in the net, but I need local printing. And local printing means I need a whole lot of OS for printer driving.
John.
Theory is that the dual core chips will run cooler than two single core chips and there's less real estate on the motherboard required (one socket and less glue circuitry).
John.
Allen Morgan, a VC with the firm Mayfield, has a blog, where he's been dispensing wisdom on how to get funded. Read it here: http://allensblog.typepad.com/
John.
http://chris.kainaw.com/projects/ferriera/
I wouldn't worry too much. I receive spam with "POPFile" as a word in the spam and it still catches it as spam.
John.