* Posts by Michael Wojcik

12317 publicly visible posts • joined 21 Dec 2007

Remember the Uber self-driving car that killed a woman crossing the street? The AI had no clue about jaywalkers

Michael Wojcik Silver badge

Re: Surely

If you're a driver be careful of children riding Shetland ponies, they may be closer than you think!

Really, this is good advice even if you're not a driver.

Michael Wojcik Silver badge

Re: Surely

The deer sprang off but the bambi slipped. I had no time to brake so I drove the car into a ditch.

It's a tough choice, assuming you even spot it in time and have the presence of mind to make a conscious decision. Around here, where deer are the second or third most common cause of vehicular accidents (impairment is first; the statistics I've seen were from several years ago, and distraction may now have passed deer), the authorities and insurance companies frequently tell people not to swerve, just brake if possible and stay on the road, on the grounds that swerving is statistically more dangerous to the driver and passengers than hitting a deer.

I've never hit a deer with any of my cars, though I've had close calls, and once was hit by a deer. It jumped out from the woods into the side of the car. I wasn't going sideways, so that puts the deer entirely at fault. (Also I had the right of way. And it wasn't licensed or registered to operate on the public roads. Deer have little respect for the law.)

Michael Wojcik Silver badge

Re: Surely

My wife has seen them on the offramp

I was driving on Interstate 96 near Lansing, MI a couple of years ago. It was around 1 AM and snowing gently - typical mid-Michigan snow, big fluffy flakes spiraling down like something in a movie. Not yet accumulating on the road, so I was doing something close to the posted limit of 70 MPH; I-96 is a limited-access four-lane highway. The road was nearly deserted; I'd passed a semi a mile or two back, and there weren't any other vehicles in sight at the moment.

I'd been driving for about 14 hours, coming from Kansas.

If you've driven in snow showers at night, you know what it looks like - the hypnotic effect of flakes catching the light from the headlights and spinning past, while the segments of the dashed lane-separator line click by on the road. Flakes, dash, flakes, dash, flakes, deer standing in the left lane close enough that I could have slapped it had I stuck my arm out the window, dash, flakes, ...

By the time the headlights lit up the deer, I was maybe a car length away. I was just lucky it stood still. That truck I'd passed a little way back? Who knows. There wasn't any way to warn him about it.

I did swear vigorously for a few minutes, though. That helped.

And that's not the only time I've driven past a deer standing in the road on a highway at night.

Chrome OS: Yo dawg, I heard you like desktops so we put a workspace in your workspace

Michael Wojcik Silver badge

Re: GEM ? 1980s ?

OS/2 only got virtual desktops with Warp in '96.

Never used GEM, but according to Wikipedia GEM/2 was a tiling (no overlapping windows) GUI, with two fixed windows. That's not the same as virtual desktops. (There were a number of tiling GUIs in the '80s, such as the Cambridge Window Manager for X11, part of the Project Athena collection. They never caught on.)

Apparently GEM/XM, from the mid-80s, did let you flip between multiple GEM and DOS applications and change which ones had screen real estate, so that was more or less a virtual-desktop system.

Michael Wojcik Silver badge

Re: Really ?

even poor old Windows finally got them 4 years ago

Long before that, actually. There were virtual-desktop utilities for XP, and you could do it way back in NT 4 (and I believe in NT 3) if you wanted to write the Desktop-switching code yourself.

Michael Wojcik Silver badge

Re: Linux for the win

With X11, there is no "mouse interface native the unix os", assuming by "interface" you mean "consistent way of interpreting input from the mouse". Mouse events are handled and interpreted by the X11 client that currently has pointer focus - that can be the window manager or an application (or potentially the X11 root window, though in practice essentially everyone runs a window manager that intercepts events to the root window).

Mouse behaviors for applications are thus up to the application itself. Where you get consistent behavior, it's because applications are using toolkits (SDKs or frameworks) which implement that behavior, often using hints from the window manager, or in today's overengineered X11 world, some other component.

You could write a window manager that intercepts all mouse events, translates them as you prefer, and then forwards them to the window with pointer focus. That would have seemed an amusing exercise when I was 20; now it doesn't appeal, personally. I'd just suck it up and use the default behaviors.

Of course that's assuming you're using X11. I have no interest in Wayland and no idea how it works. X11 was good enough for me in the '80s, and it's good enough now.

Michael Wojcik Silver badge

Re: *IX

Yup. I recall adding a virtual-console driver for a prototype graphics card (when running in text mode) to BSD 4.3; that was the late '80s, but as jake says the capability had been in BSD for a while.

IBM's AS/400 had two virtual consoles per physical 5250 device, and I believe that was inherited from the predecessor S/3x systems. I don't know how far back that goes, but the 5250 and its twinax physical cabling (which provided the topology that let IBM do the virtual addressing of those consoles) dates back to the S/34, in 1977.

For GUI multiple virtual desktops, X11 had this capability in principle right from the start (that is, an X11 window manager could have implemented them), but I don't recall when they first became common. I also don't remember if any of the managers shipped in the stock X11R3 distribution, for example, supported multiple virtual desktops. (X11R3 supported multiple physical displays, of course, but that's a different feature.)

To be fair, multiple virtual desktops were available in Windows as far back as XP, using an add-on such as the one in PowerTools. The necessary OS support goes back as far as NT's WinStation and Desktop abstractions; it's just Microsoft couldn't be bothered to give users access to it.

OS/2 had multiple desktops in Warp, circa 1996. Still late to the party, but a lot earlier than Win10.

From Instagram to insta-banned: Facebook wipes NSO Group workers' personal profiles amid WhatsApp hack rap

Michael Wojcik Silver badge

NSO Group were not friends of Facebook before this. They're not anyone's friends.

You'e yping i wong: macOS Catalina stops Twitter desktop app from accepting B, L, M, R, and T in passwords

Michael Wojcik Silver badge

Re: This bug probably doesn't effect everyone....

"Have you tried sex?"

"No. I hear it has a bug that effects everyone."

(I know no one will see this, but I couldn't resist.)

Imagine OLE reinvented for the web and that's 90% of Microsoft's Fluid Framework: We dig into O365 collaborative tech

Michael Wojcik Silver badge

Compound documents, eh?

What do compound documents look like in the internet era?

HTML. Next question?

And, of course, there's already a tremendous body of research, in fields such as digital rhetoric, HCI, and CSCW (Computer-Supported Cooperative Work), on breaking the monolithic-document model and replacing it with robust, stable, versioned, extensible views of common data. I know of a couple of such systems that have been in production use for years. I have to wonder how much attention Microsoft (which has often been plagued by NIH, even among its own divisions) is paying to that existing work.

Heads up from Internet of S*!# land: Best Buy's Insignia 'smart' home gear will become very dumb this Wednesday

Michael Wojcik Silver badge

Re: Is anybody surprised?

We had service bureaus and other forms of utility computing long before someone co-opted the term "cloud". Utility computing obeys the same economic forces as utility power and water. It's not going to go away, and our energies would be better spent fixing it (which will require technical, regulatory, and social corrections) than stamping our feet and thumbing our noses.

Michael Wojcik Silver badge

Re: Contact your credit card company.

I'd never seen "avec" used as a noun in English before (and, yeah, I'm not a fan of it either), but interestingly Wiktionary claims that it's used as a noun in Finnish, apparently as a synonym for "date" (I assume in the sense of "meeting") or "company".

Michael Wojcik Silver badge

Re: Everything under control

Looks like a lot of folks missed the joke icon. Or maybe all 13 fans of 3D TV are Reg readers.

Michael Wojcik Silver badge

Re: Contact your credit card company.

when I install a switch or an outlet on the electrical circuit of my home, I expect it to work for, I don't know, 50 years?

50 years is ambitious with a lot of modern consumer electrical gear, I'm afraid. In the US, GFCI outlets are required in a number of areas of a home, and the electronics in those often die after only a decade or two. I have one in the kitchen that needs replacing which was installed in 2003. I have my doubts about the longevity of AFCI circuit-breakers, too.

Basic SPST mechanical switches often last a long time, but I've seen older ones break at the handle as the material degrades. One time I was living in a rental house and I flipped on the light in the bathroom one morning, and the Bakelite switch shattered into powder. Just completely gone, down to the actual sliding contact in the switch body. And the landlord was coming by that day. I had about 45 minutes to run to the hardware store, buy a replacement switch, and install it. My roommate actually had to stall the landlord down on the first floor with some bogus story about an intermittent plumbing issue while I was reattaching the cover plate upstairs.

Michael Wojcik Silver badge

Re: We shouldn't have skipped the time when it was the Intranet of Things

For most people, that's a license plate: too complicated

Sure. We all have limited fields of expertise. But there's nothing stopping one of these firms making and selling IoT crap from producing commercial equivalents of DCFusor's gadgets, without extraneous cloud-connection and phone-home crap tacked on. A DMZ port in the home router can be manually configured by those who know how, or opened using UPnP for those who don't (and who will therefore likely have UPnP enabled).

I get the impression from comments above that some home-automation vendors do offer products more or less along these lines. (It's not an area of technology I'm interested in, so I don't pay close attention to what's available.) In any case, it's possible for vendors to offer turnkey remotely-accessible home-automation systems that don't depend on some server outside the homeowner's control (aside from the actual networking infrastructure, of course).

Michael Wojcik Silver badge

Re: We shouldn't have skipped the time when it was the Intranet of Things

You might have video cameras. You might want to look at them from across town. You might need to be able to turn the lights on to see anything.

Why doesn't the camera have its own integrated LED lighting? Cheap and trivial, and it would save me from having to control two devices, with the associated additional complexity and points of failure.

Not that I have ever desired such a thing, even with owning houses in two states (indeed, two time zones). That's what I have neighbors for.

Socket to the energy bill: 5-bed home with stupid number of power outlets leaves us asking... why?

Michael Wojcik Silver badge

Re: priorities

Of course this whole subthread, from Hans down, was a series of jokes, which I suspect is why you were downvoted; but it's true that the earlier posts were unsupported prescriptivism. Using "amount" for discrete (countable) entities is well-established usage and perfectly comprehensible to English speakers. (It's also a question of diction, not grammar.)

OneCoin lawyer trial kicks off in NY as cryptocurrency founder remains on the lam

Michael Wojcik Silver badge

Re: Earned A Precarious Living By Taking In Each Others Laundry

Except it's not as simple as that.

Right. In frauds like these, typically many of the victims are people who are not financially literate, and who have very few opportunities to leverage a small amount of capital. They may have only one opportunity in their lifetime to invest in the hope of moving from an existence of chronic or constant financial peril to one of minor comforts and a degree of financial security. That's not "greed"; it's survival.

But of course snap judgements are a staple of the omniscient Reg commentariat.

Michael Wojcik Silver badge

Re: Incorrect Reporting

Pyramid scheme, Ponzi theme [sic], Multi level marketing.

They are all the same.... Or am I wrong?

You're wrong. Ponzi schemes are not pyramid schemes. Ponzi schemes are flat, not hierarchical; the controllers pay investors leaving the pool using receipts from new investors. There's no pyramid.

MLM schemes are indeed pyramid schemes, with the addition of actual exchange (of goods, as with Amway / Alticor or Herbalife, or of real property, or of financial instruments, etc) between network members and a wider market. I'm not aware of any MLM schemes where the exchange economic activity hasn't been dwarfed by the membership economic activity, i.e. the transfers of wealth up the pyramid. I wouldn't touch them myself - at the very best they're hugely inefficient at their ostensible non-pyramid activity, and the property being marketed is often rubbish - but they're not pure pyramid schemes.

Also, all capitalist economic organizations require an influx of new participants to grow. Some are content to grow "organically" by selling something of (perceived) value to a market; some are even not particularly obsessed with growth and are comfortable more or less maintaining a consistent stream of income. But it's not the need for new participants that distinguishes pyramid schemes (including MLMs) and Ponzi schemes from non-fraudulent businesses - it's the excessive reliance on them.

Watch Waymo's totally driverless self-driving car cruise around, how the US military wants to use AI ethically, etc

Michael Wojcik Silver badge

"childlike tone"?

Tone, as a term of art in rhetoric and poetics, refers to the attitude toward the subject material implied by the work. In what way is the attitude implied by the article "childlike"?

Boffins don bad 1980s fashion to avoid being detected by object-recognizing AI cameras

Michael Wojcik Silver badge

Re: Great

The obvious solution for the AI-car-mongers, is to encourage worse human driving

All the auto manufacturers are already working on that, such as by putting fucking touchscreens in front of the driver.

DoHn't believe the hype! You are being lied to by data-hungry ISPs, Mozilla warns lawmakers

Michael Wojcik Silver badge

BLOCK CAPITALS MAKE EVERYTHING TRUER.

Revealed: The new icon you'll click to download an alternative browser, and more from Microsoft

Michael Wojcik Silver badge

To be fair, I can't say I've ever been particularly impressed by an icon. It's not one of our culture's great art forms.

Antarctic researchers send an SOS to the world: Who wrote this message in a bottle?

Michael Wojcik Silver badge

"Don't open that bottle. It's probably full of malware."

Aw, bad day at your air-conditioned, somewhat clean desk? Try shifting a 40-tonne fatberg

Michael Wojcik Silver badge

Re: Other places...

Many sources, such as this one, describe fatbergs in countries other than the UK.

Besides the flushing of fats and non-disintegrating wipes, some major contributing factors appear to be the percentage of sewer capacity in use, roughness of sewer lines, and amount of calcium in the water (due to source hardness, calcium leaching from concrete, etc). The calcium reacts with saponified fats to form soap scale, just as it does in the shower, for example.

Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer

Michael Wojcik Silver badge

Thanks. I'd forgotten the Register broke the story. (I'd only learned of it myself a week or so earlier, in an embargoed announcement by CERT. Sometimes there are benefits to being on a PSRT.)

Michael Wojcik Silver badge

Re: Quick question

This "probably" means it is exploitable via JavaScript, so, basically, you're 0wned by a web page.

If you read the original SPECTRE paper, you'll see that one of their demonstrations was indeed implemented in Javascript. Before the paper (and associated CVEs) went public, major browser manufacturers implemented mitigations for that particular attack. Subsequently other MDS issues in browser Javascript engines were pointed out, and then mitigated, over a number of iterations.

These days, it's likely difficult to mount a successful MDS attack in Javascript under a recent release of a major browser, particularly when hardware / firmware / OS mitigations against the most useful side channels are also enabled. I wouldn't rule it out, though.

Michael Wojcik Silver badge

Re: Quick question

But even if you can read someone else's bytes, actually knowing what that data represents (in someone else's application) is impossible.

The many successful MDS demonstrations, going back to the original SPECTRE paper, show that you are utterly incorrect.

So do many other untargeted-exfiltration exploits, such as Heartbleed. In fact it's often very easy to determine how to correctly interpret exfiltrated data.

When the Morris Worm came out, there was much public sentiment that Morris was some sort of wunderkind and overflowing the fingerd stack was a stroke of genius, unlikely to be reproduced any time soon. Then Levy published "Smashing the Stack for Fun and Profit" in phrack, demonstrating that it was actually quite easy to develop a stack-smashing exploit, and suddenly everyone and their basement-dwelling cousin was doing it.

Michael Wojcik Silver badge

Re: Quick question

The original Javascript SPECTRE attack might well have been a big deal had fixes not been pushed out before publication, because it would have been easy to deploy against normal users. It's a good example of responsible disclosure working as intended.

Is HONK nothing sacred HONK? It's 2019 and an evil save file can pwn much-loved HONK Untitled Goose Game

Michael Wojcik Silver badge

Re: How it might work

Well, in terms of vulnerability risk assessment, as we do for CVSS scoring, you have to look at the threat model. A couple of mitigations:

* UGG is not a common application in the same sense as, say, Microsoft Word. The target population is not enormous.

* User interaction is required, and typically some social engineering. Users don't habitually open game-save files from untrusted sources. Again that limits targets, and complicates automated or bulk exploitation.

* Users should be running with normal privileges. Of course we know that users often run with excessive privileges, but in this case the vulnerable application doesn't have any good reason to do so, unlike with some targets.

* The target doesn't have direct access to sensitive data, so an exploit has to be chained with, or followed by, at least a pivot maneuver to get anything of value. That's not an obstruction for a determined attacker but it increases the attacker's work factor to do anything useful, and so discourages casual exploitation.

I still don't know that I'd rate this as "amusing", but it probably pushes it from Critical down to High or even Medium importance, depending on the user aspects of your threat model. (In my case, since I don't have to worry about any UGG users, it doesn't matter at all.)

Michael Wojcik Silver badge

Re: How it might work

Yes. Or using an eval operation on anything else that provides it.

Michael Wojcik Silver badge

Re: How it might work

The classic presentation on the subject is "Marshalling [sic] Pickles" from AppSecCali 2015. It's a good one; anyone interested in further detail on how this sort of thing is exploited in various languages and contexts might want to watch the video or at least browse the slides.

In the MITRE CWE scheme, it's CWE-502.

Michael Wojcik Silver badge

Re: Honk if you want to go faster

That's a fine sentiment, but it's pretty clear from context that Jon Postel intended the Interoperability Principle as a recommendation for the liberal interpretation of malformed data. That has frequently created security issues, as with, for example, permitting non-canonical UTF-8 sequences, which may bypass special-character blacklists but then be interpreted by parsers.

The Interoperability Principle was invaluable in promoting the spread of the Internet, TCP/IP, and many application protocols and languages (perhaps most notably HTTP and HTML). Over the past couple of decades it's increasingly become a liability.
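
The non-canonical UTF-8 problem mentioned in the comment above, as an added example that is not part of the original post: a byte-level blacklist followed by a permissive decoder lets overlong encodings of forbidden characters through, while strict decoding before filtering rejects them. The `FORBIDDEN` set, the function names and the sample inputs are constructed for illustration.

```python
# Added example (not from the original post). FORBIDDEN, the pipeline
# functions and SAMPLES are constructed for illustration.

FORBIDDEN = "<>/\\"  # characters the hypothetical application wants to keep out


def lenient_decode(data: bytes) -> str:
    """Decode UTF-8 the 'liberal' way: trust the length bits in the lead byte
    and never check that the shortest encoding was used (models a legacy parser)."""
    out, i = [], 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            cp, extra = lead, 0
        elif (lead & 0xE0) == 0xC0:
            cp, extra = lead & 0x1F, 1
        elif (lead & 0xF0) == 0xE0:
            cp, extra = lead & 0x0F, 2
        elif (lead & 0xF8) == 0xF0:
            cp, extra = lead & 0x07, 3
        else:
            raise ValueError(f"bad lead byte at offset {i}")
        tail = data[i + 1 : i + 1 + extra]
        if len(tail) != extra or any((b & 0xC0) != 0x80 for b in tail):
            raise ValueError(f"bad continuation at offset {i}")
        for b in tail:
            cp = (cp << 6) | (b & 0x3F)
        out.append(chr(cp))
        i += 1 + extra
    return "".join(out)


def weak_pipeline(raw: bytes):
    """Blacklist on raw bytes, then lenient decode. Returns text, or None if blocked."""
    if any(ch.encode("ascii") in raw for ch in FORBIDDEN):
        return None
    return lenient_decode(raw)


def hardened_pipeline(raw: bytes):
    """Strict decode first (Python's codec rejects overlong forms), then filter
    the decoded text. Returns text, or None if rejected."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    if any(ch in text for ch in FORBIDDEN):
        return None
    return text


# Constructed sample inputs.
SAMPLES = [
    "na\u00efve.txt".encode("utf-8"),  # legitimate non-ASCII, shortest form
    b"../secret",                       # plain forbidden character
    b"..\xc0\xafsecret",                # overlong 2-byte encoding of '/'
    b"\xe0\x80\xbcb\xe0\x80\xbe",       # overlong 3-byte encodings of '<' and '>'
]


def audit(samples):
    """Return (raw, weak_result, hardened_result) for each sample."""
    return [(s, weak_pipeline(s), hardened_pipeline(s)) for s in samples]


if __name__ == "__main__":
    for raw, weak, hard in audit(SAMPLES):
        print(f"{raw!r:32} weak={weak!r:14} hardened={hard!r}")
```
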

WhatsApp slaps app hacker chaps on the rack for booby-trapped chat: NSO Group accused of illegal hacking by Facebook

Michael Wojcik Silver badge

Re: "This technology is rooted in the protection of human rights"

It was a typo for "rooting out".

Michael Wojcik Silver badge

Re: "... a misuse, which is contractually prohibited."

No discount for that customer on the next sale. And we mean it.

Sticks and stones may break your bones but robot taunts will hurt you – in games at least

Michael Wojcik Silver badge

Easy?

It would be very easy to create systems that would annoy users

"Very easy", he says, as if the bulk of IT R&D weren't devoted to this very cause.

Are you coming to the party dressed as an IMP? ARPANET @ 50

Michael Wojcik Silver badge

Re: faster than 300bps

Those Switched-56 lines were popular for a long time. I had one for a remote office in Ohio in the mid-1990s. I don't remember if the local telco didn't offer ISDN at that location, or if Switched-56 was cheaper.

I'm not Boeing anywhere near that: Coder whizz heads off jumbo-sized maintenance snafu

Michael Wojcik Silver badge

Re: Modern

While we're being pedantic, the official IBM abbreviation is "RS/6000", with a slash.

Also, some of them were pretty big UNIX machines. Even in 1990 there was the Model 930.

Michael Wojcik Silver badge

Re: Modern

Sure, but aside from computation, storage, networking, graphics, size, and power consumption, what do these new machines have that our '90s UNIX workstations didn't?

Eh, I miss those '80s and '90s boxes too. It was an exciting time.

Michael Wojcik Silver badge

Re: Modern

Mainframes, on the other hand, can support a stoutly built, average dimension house.

Was the XT/370 not a mainframe? It ran mainframe software.

What about the P/390? The Multiprise 3000?

Michael Wojcik Silver badge

Re: Reminds me of a compiler bug I encountered

This isn't the only issue I know of in the AIX 3 XL C implementation. I was working for IBM myself at the time, and spent a while tracking down an obscure bug: sometimes the GL openwin() call would fail for no good reason. First I narrowed this down to openwin failing after using the libnsf library to read NSF-format data files. Then I narrowed it down further to openwin failing after a certain free() in libnsf.

I confirmed that free was valid (a pointer returned by malloc or realloc, and not already freed), so I suspected heap corruption. So I interpolated all the heap functions with versions that dumped their parameters to a text file, then wrote an awk script which matched them up. They were all OK. I added canary pads before and after all areas to check for under- and overflow: nothing.

So I hacked my script to simply perform all the heap operations from the output file, touching a few bytes of each area, and then try openwin. And openwin failed.

Some binary searching later, and I had a precise reproduction: Allocate at least 11 areas of at least 64 bytes, and touch at least the first 8 bytes of each area, then free all 11, and then openwin fails. I fired that off to the XL C team.

Turned out to be a bug in the implementation of free().

Michael Wojcik Silver badge

Re: Good to know

"I see you are offering a beet salad today. Is that ISO 9001 certified?"

Or alternatively:

"I'll have what he's having." "I do apologize, sir, but I'm afraid our processes are not repeatable."

Remember that competition for non-hoodie hacker pics? Here's their best entries

Michael Wojcik Silver badge

Re: re: As he found out they are a pain in the fucking arse.

Aren't you the party pooper?

See, again, that role is usually filled by the offspring.

(Though personally I am quite fond of mine, now unto the second generation.)

FBI extends voting security push, LA court hacker goes down, and more D-Link failures

Michael Wojcik Silver badge

Re: Comcast ... using their lobbying might to push back against DNS-over-HTTPS (DoH)

Again, what's stopping you rolling your own?

Hard-coded DoH server addresses in the browsers?

I haven't looked at Google's or Mozilla's DoH implementation, because I already use DoH-free browsers for most purposes. But I can certainly foresee a day when it will be necessary to use a non-mainstream fork to avoid the Google+Cloudflare DoH duopoly. That may not come to pass, but it would be trivial for Google to implement it in Chrome.

Engineer grumbles and user gripes do little to slow down Nadella's trillion-dollar Microsoft

Michael Wojcik Silver badge

Re: You say 'boring' like it's a bad thing

I see your point, but I'm not sure I agree, at least in the case of Windows.

I found moving from MS-DOS to BSD with a decent shell (I was using tcsh at the time, later ksh and bash) pretty damn exciting. Command line use and scripting became much less of an exercise in working around the rather pathetic limitations and awkward misfeatures of the tools, and much more a matter of doing things in convenient, sensible, consistent ways.

I believe there's plenty of room for that sort of exciting change in Windows. Like, oh, not spontaneously deciding to install a bunch of updates and reboot, for example.[1] That in itself would be an exciting change.

[1] The "metered interface" trick alas doesn't work for me, as my IT Overlords have disabled it via Group Policy.

Now the US DoJ has charged Apple's insider trading lawyer with, er... well, it's embarrassing

Michael Wojcik Silver badge

I think most US prison sentences are excessive. Legislatures like to increase them in order to look "tough on crime", and prosecutors like to use them as leverage for plea deals, one of several major sources of injustice in US criminal prosecution today.

That said, there was a major shift in US Federal prosecutions after 9/11 away from white-collar crime like this toward "terrorism", which was then broadly defined to "whatever the kleptocracy thinks it can make the most money from". I'd rather see the DoJ chasing white-collar criminals than imaginary ones.

Michael Wojcik Silver badge

I hold on to mine until I have a good reason to sell it, because it pays dividends. But I always treat it as a high-risk investment that could disappear at any time; I don't depend on it for anything. I certainly don't consider it part of my retirement savings.

And, of course, in the US, it's advantageous to hold stock for at least a year if its value is increasing, in order to pay the smaller long-term capital gains tax.

Uncle Sam demands summary judgment on Snowden memoir: We're not saying it's true, but no one should read it

Michael Wojcik Silver badge

Re: Snowden's memoirs

Some of both, I daresay, and also something of a face-saving exercise for the government.

Michael Wojcik Silver badge

And, of course, there have been many, many people who suffered under repressive governments with no sign of a rebellion, much less a revolution. Counting on a popular uprising to reform government is a mighty long shot.

Michael Wojcik Silver badge

Re: And it works!

I figured I'd wait to see if the US government manages to seize some or all of the profits. If not, I'll buy the book; if they do, I'll refrain, and just get it from the library or something.