Tridge on Threads
From samba-technical:
What is it about the word "thread" that people find so damn sexy?
Maybe it needs a name change "slow-as-hell-no-memory-protection-locks-dont-work" API might be suitable, but I suspect the standards committees wouldn't like that one.
The MMU was added to CPUs for a very good reason. Why is it so hard to
understand that trying to avoid it is a bad idea?
posted at: 16:29 | path: /rants | permanent link to this entry
NFS (still) sucks
I can't believe that NFS still doesn't work between two
random (modern) Linux machines without one of them crashing or
generally crapping out. )-: I reckon Microsoft does a much better job
with CIFS at sharing files over a network protocol.
posted at: 15:54 | path: /rants | permanent link to this entry
Virus Checker Emails
From the letters page on The Register:
It is Monday morning ... and I'm really pissed off.
Why?
Well, our incoming email has been disrupted this weekend - this is the
second time this year, and we're only up to April.
No it's not a server failure at our ISP, and no it's not a virus (not
directly anyway) ...we've effectively had a denial of service on our
incoming business email, because of all the auto-response emails
kindly advising us that a message we never sent included a virus.
If you are a Sys-Admin, or Keeper-of-the-Mail-Server, I would ask you
to read this very carefully - there's some important stuff further
down that could affect you ...and if you happen to be feeling sharp
pains about your person, this is because I'm busy throwing darts at
your effigy.
Look - I'm genuinely pleased that you've managed to set up your mail
servers so they automatically trap a live virus - excellent, well
done!
In fact my pleasure is not unlike that of a proud father whose
offspring has just managed his/her first poo into the potty instead of
all over the floor. But my pleasure has waned as you continue to tell
me about it - repeatedly.
So, let's establish a couple of facts...
1. Here at "Visible Form" we do NOT send out infected emails -
ever. We have NEVER done so, and will do our utmost in the future
to ensure that this remains the case. Like you, we run up-to-date
virus checkers on incoming and outgoing, we have a hardware
firewall, and our mail server ISP does NOT have an open relay - in
fact we can only send email via this ISP if we connect directly to
their system. The ISP we use for our day-to-day connection will
only allow us to use their mail servers and 'spoof' our own FROM
address if we've already asked for (and got) permission, which
includes providing evidence that we own the domains in question.
2. Most viruses spoof the FROM email address.
Do I really need to explain to you that this means the
virus-containing email DID NOT come from the FROM address? You do know
this, don't you?
You do KNOW this?
DO YOU KNOW THIS??
These are facts - read them slowly and repeatedly until they sink in.
Write this in big letters and put it up on the wall: "most VIRUS
emails SPOOF the FROM address".
I am pleased you've pooed in your potty - sorry, trapped a live virus
- but it was not sent from here, and I do not need to know about it. I
especially do not need to know about it several hundred, even
thousand, times.
You see, what has happened here is that the virus is no longer the
problem - we can all trap those if we have a mind to ...the real
problem is YOU - for every virus your systems detect you automatically
generate a reply to the email FROM address - unfortunately you've gone
back to pooing on the floor and making a mess everywhere.
Your action in allowing this state of affairs to continue does
absolutely nothing to resolve the real underlying issue of people with
unprotected computers, and the virus-writers themselves - instead it
is creating its own new problem which has every chance of bringing the
internet to a grinding halt in the not-too-distant future.
If you do nothing else today, go now and switch off your auto-response
to virus emails. Do it now - never mind Mrs Miggins in Accounts whose
macros are not working - switch off the auto-response now ...do it
...NOW!
If all of this fails to move you, or causes a "whatever", let me put
it another way...
Fact 1: You are causing me a denial of service with your thousands of
auto-response emails.
Fact 2: I know who you are - your auto-response emails identify you.
Fact 3: If you do not fix it, I will talk to your Chairman, MD, Chief
Officer and make it very clear that YOU are the cause of this problem.
Go switch it off NOW and I'll put my darts away!
Rob Kirkwood, owner Visible Form, Nottingham (UK)
Heh. Samba's email server is set to swallow virus responder emails if
it detects them, as it does with the viruses themselves. I was
feeling uncharitable this morning and changed the settings to bounce
Norton AntiVirus email responders back to the sender. I figure if
they are incompetent enough to send auto-response emails due to forged
emails (we even have SPF enabled) then they can eat a bounce.
posted at: 13:15 | path: /rants | permanent link to this entry
Boneheaded command line switches considered dangerous
Nick Moffitt has had a
nice article published on the Linux Journal site updating a web page
about mutt macros to drive bogofilter. In particular there was some
confusion about the renaming (or rather swapping) of command line
options:
"This disastrous change violates the Rule of Least
Surprise espoused in Raymond's recent publication, The Art of UNIX
Programming. The section on the Rule of Least Surprise quotes Henry
Spencer warning against programs that appear to do things in a
familiar fashion when they actually do something very different. The
bogofilter command accepts the same command-line switches now as it
did in November 2002, but then, suddenly, March 3, 2003, was opposite
day."
We dropped bogofilter like a week-old oyster after this boneheaded
maneuver. In further ESR news, he is further
luxuriating in ignorance in a riposte to the community's reaction to
his first article.
posted at: 16:47 | path: /rants | permanent link to this entry
Let's all band together to sweep the problem under the rug instead of actually fixing it
From the Politech list:
Subject: Yet another Microsoft Security Flaw
[...]
I am also asking that those of you who have blogs and newsletters and
high traffic web sites post this warning on your front page and
include it in your newsletters. The best defense to this virus is to
stop it before it begins. As you all know - this virus will affect
non-windows users in that the new viruses turn windows computer into
spam robots and we are still getting the bounce messages from the last
virus. Let's see if we can stop this before it starts by first - patch
your computer now - then - tell everyone to patch theirs. You can cut
and paste this warning into your blog or newsletter.
How about we don't do that. Perhaps more people will have an
incentive to do something constructive about the virus problem instead of
constantly patching.
posted at: 14:30 | path: /rants/microsoft | permanent link to this entry
Best Anti-ASN.1 Rant Ever
From Slashdot:
This isn't the third DIFFERENT bug in ASN.1 discovered recently - this is the third set of applications using the SAME REFERENCE IMPLEMENTATION of ASN.1 that was discovered to be vulnerable once it was discovered that the reference implementation was buggy. SNMP and SSL got hit, then just recently H.323 got hit, and I don't know what Microsoft parts just got hit (but it wouldn't surprise me if it's Netmeeting and maybe IE.)
Why? Because ASN.1 is the Mos Eisley of bit-twiddly protocols, and "you'll never find a more wretched hive of scum and villainy." AFAIK, there's nothing insecure about the protocol itself, but it's so ugly that everybody tends to reuse the reference implementation rather than rewriting their own. While that has some good aspects to it, some of the original reference implementation code wasn't always careful about checking bounds, etc., and eventually the University of Oulu folks did a proper study and found the holes.
[...]
Bit-twiddly space-saving data formats are almost always a Bad Idea. As they say, people who play with the bits deserve to be bitten. ASN.1 problems make many applications hard to write and harder to debug, but in the Open Source world, PGP has gone through several iterations of security-critical bugs because they were trying to steal bits, plus backwards compatibility issues make stealth versions difficult. The theory is that it's somehow more "efficient" to save a few bits of data storage or data transmission time by using variable-length formats, trading off the space for more CPU time and program space. This isn't totally off the wall, given 20 years of Moore's Law (which seems to have improved CPU and RAM price/performance by 10**5 - 10**6, disk by about 10**5, but smaller bandwidths by only 10**3-10**4), but the cost in programmer time, debugging time, and bug impact has been immense.
posted at: 12:00 | path: /rants | permanent link to this entry
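The bounds checks that the Slashdot comment above says the reference ASN.1 code was not always careful about, shown for one DER tag-length-value header. This is an added example, not code from the original post or from any ASN.1 implementation; the names `der_tlv` and `der_read_tlv` are illustrative, and it assumes single-byte tags and definite lengths only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One parsed TLV header (illustrative type); value points into the input. */
typedef struct { uint8_t tag; const uint8_t *value; size_t len; } der_tlv;

/* Parse one TLV from buf[0..buflen). Returns 0 on success, -1 on malformed
 * or out-of-bounds input. Never reads at or beyond buf + buflen. */
int der_read_tlv(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    size_t pos = 0, len = 0;
    if (buf == NULL || out == NULL || buflen < 2)
        return -1;                    /* need a tag and one length byte */
    if ((buf[0] & 0x1f) == 0x1f)
        return -1;                    /* multi-byte tags not handled here */
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                  /* short form: the byte is the length */
    } else {
        size_t n = first & 0x7f;      /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t))
            return -1;                /* indefinite form, or would overflow len */
        if (n > buflen - pos)
            return -1;                /* the length bytes are truncated */
        if (buf[pos] == 0)
            return -1;                /* DER forbids leading zero length bytes */
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)
            return -1;                /* DER requires the short form here */
    }
    if (len > buflen - pos)
        return -1;                    /* declared length overruns the buffer */
    out->value = buf + pos;
    out->len = len;
    return 0;
}

int main(void)
{
    const uint8_t ok[] = {0x04, 0x03, 'a', 'b', 'c'};         /* constructed: valid */
    const uint8_t lie[] = {0x04, 0x82, 0x01, 0x00, 'a', 'b'}; /* constructed: claims 256 bytes */
    der_tlv t;
    printf("ok=%d lie=%d\n", der_read_tlv(ok, sizeof ok, &t),
           der_read_tlv(lie, sizeof lie, &t));
    return 0;
}
```

Every comparison against the buffer is written as `x > buflen - pos` rather than `pos + x > buflen`, so an attacker-chosen length cannot wrap the addition and slip past the check.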
Threads suck
Grr. Another day wasted tracking down a stupid threading bug, this
time caused by a cleanup function being called twice - once from a
method and another time from a destructor resulting in a mutex being
unlocked twice. Why do people insist on using threads? It always
ends in frustration and tears for all parties concerned.
I should write an Anti-Threads Manifesto or something similar.
posted at: 12:51 | path: /rants | permanent link to this entry
Programming Interview Question
What does the following code do?
FooClass::FooClass(BarClass* rep) : _rep(rep)
{
    assert(rep);
}
I had to ask someone wtf was going on here. (-:
posted at: 14:41 | path: /rants/c++ | permanent link to this entry
The cost of operating system integration
I see several problems with integrating "non-core components" into
an operating system. My example in this case is Internet Explorer.
- The component requires patching even if it is not being used.
From the latest update for Windows 2003 server:
"Security issues
identified in Internet Explorer could allow an attacker to compromise
systems with Internet Explorer installed (even if it not used as the
Web browser)."
It's a bit rich to use the phrase "systems with Internet Explorer
Installed" as if there is even a choice in the matter.
- Again, from Windows Update:
"After installation, you may have
to restart your computer."
Excuse me? Rebooting after upgrading a web browser?
- I've heard Tridge say that making technical decisions for
marketing or political reasons is nearly always a bad idea. I think
integrating IE into the operating system as an anti-competitive
measure is one of these bad ideas.
The problem that grates the most with me is the last one. Sacrificing
design quality for marketing reasons is one thing, but for political
(read antitrust) reasons is just insane.
posted at: 14:39 | path: /rants/microsoft | permanent link to this entry
The Microsoft Matrix
From http://satya.virtualave.net/msmatrix.html:
Like Keanu Reeves, most people's eyes will hurt when
they first look at the real world, because they've never used those
eyes before. But I've chosen that real world, because while the Matrix
of Linux has rules and regs every bit as stern -- and often sterner --
as the Matrix of Windows, that Big Difference pops up: unlike the
Microsoft Matrix, you can hack the Linux Matrix from the inside,
change that reality if you don't like it, and no-one will stop you --
they'll even applaud. You can unplug the steel tubes, squelch out of
the nutrient pod, and make your own way in the world. And having that
option -- even if you never use it -- makes a huge difference.
posted at: 11:48 | path: /rants/microsoft | permanent link to this entry