the value of X

defensive programming

BBC NEWS | Technology | ‘Critical’ flaw found in Windows

Microsoft has issued a warning about a critical security flaw that affects most versions of its Windows software.
[ . . . ]
The flaw, found by eEye Security, would allow a specially crafted MIDI instruction to swamp the cache, or buffer, in DirectX and allow a hidden program within it to run on the target machine.

Such buffer overflow bugs are quite a common way for malicious programs to infect a machine.

Microsoft has issued an alert about the flaw and a patch to close the loophole. It said that currently there were no known exploits of the bug.

The instruction could get into a computer by being put on a webpage.

It can also be put into an e-mail message that uses web formatting.

Secure C Programming

Buffer Overflows
A buffer overflow is what happens when programs try to store more data in a variable than it has been allocated space for. For example, suppose you have a variable called name that’s defined as an array of 10 characters. There is room for 9 characters, plus the terminating null. By default, C does no bounds checking at run-time, so it is very easy for the user of a badly written program to overflow a buffer. Consider this code fragment:

char name [10];
printf ("Enter your name: ");
fflush (stdout);
gets (name);

If the user of this program enters a name that’s less than 10 characters, all is well. But if they enter a longer string, the stack will get stomped on and data corruption can occur, causing a core dump, or worse, giving the user a shell prompt. If the program is running as root, this would be disastrous.

So what can you do to avoid these buffer overflow problems? One answer is to provide really big buffers that “no one will ever overflow”. This is a bad idea because it hasn’t fixed the problem; it merely makes it harder to accidentally overflow the buffer. But it won’t stop a malicious user from deliberately overflowing the buffer. To do that, you need to use functions that let you specify a maximum number of characters to copy. If you change the line that reads

gets (name);

to

fgets (name, 10, stdin);

it doesn’t matter how many characters the user types in response to the prompt, as only the first 9 characters will be copied into the variable name. (With this example, you also have to remove the \n character from the end of the name, as fgets() doesn’t remove it.)

This is, literally, what you learn in a first-quarter programming class, especially if you learn C or C++. With no bounds checking or other safety harness, it is up to the programmer to verify with test cases that the code can’t be misused or exploited by either a naive or a cunning end user, person or process. A Google search for “profiling+tools+buffer+overflow+bounds+checking” turns up some research and tools on this topic.
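Here is the fgets() replacement from the quoted passage carried through to working code, as an added example (not from the quoted book or from this post). It keeps the 10-byte buffer and adds the two things the passage only hints at: stripping the trailing newline, and dealing with the characters that fgets() leaves behind in the stream when the input is longer than the buffer, which would otherwise be read as the start of the next answer. The read_line() and stream_from() helpers, the NAME_LEN constant and the sample input are all assumptions made for the example; tmpfile() is used only so the sample input can be fed through a FILE* without touching the real stdin.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 10   /* room for 9 characters plus the terminating null */

/* Result codes for read_line() (names chosen for this example). */
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = -1 };

/* Bounded replacement for gets(): read one line from `in` into `buf`
 * (capacity `cap`), strip the newline that fgets() keeps, and drain any
 * excess characters so the next read starts on a fresh line.
 * Never writes past buf[cap - 1], whatever the input length. */
static int read_line(char *buf, size_t cap, FILE *in)
{
    if (cap == 0) {
        return READ_EOF;
    }
    if (fgets(buf, (int)cap, in) == NULL) {   /* EOF or error: leave an empty string */
        buf[0] = '\0';
        return READ_EOF;
    }

    size_t n = strcspn(buf, "\n");            /* index of the newline, or of the null */
    if (buf[n] == '\n') {                     /* whole line fit: drop the newline */
        buf[n] = '\0';
        return READ_OK;
    }

    /* No newline in the buffer. Either the line was exactly cap - 1 characters,
     * the file ended without a newline, or the line was too long. Peek at the
     * next character to tell these cases apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') {
        return READ_OK;                       /* nothing was lost */
    }
    while (c != '\n' && c != EOF) {           /* too long: discard the remainder */
        c = fgetc(in);
    }
    return READ_TRUNCATED;
}

/* Build a FILE* holding constructed sample input (test helper, not part of
 * the technique itself). */
static FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL) {
        return NULL;
    }
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void)
{
    char name[NAME_LEN];

    printf("Enter your name: ");
    fflush(stdout);

    /* sizeof name is the real buffer size; it cannot drift out of sync with
     * the array the way a repeated literal 10 can. */
    int st = read_line(name, sizeof name, stdin);
    if (st == READ_TRUNCATED) {
        printf("Name truncated to %d characters: %s\n", NAME_LEN - 1, name);
    } else if (st == READ_OK) {
        printf("Hello, %s\n", name);
    }
    return 0;
}
```

The peek after a full buffer matters: a 9-character name followed by a newline fills the buffer exactly, and without it the code would report truncation that never happened. The drain loop is what turns a long line from a latent second bug (stale input answering the next prompt) into a detectable, reported condition.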

The fact that this bug is in Windows Server 2003 suggests those much-discussed code reviews aren’t being taken all that seriously.

The slush pile

your own radio station

O’Reilly Network: Unsung Heros and Other iTunes Tips [July 31, 2003]

[ . . . . ] there’s a lot of good music on my iPod that I just don’t seem to get to. And that’s a waste.

[ . . . . ] So I created a new smart playlist titled “Unsung Heros.” In the parameters for the list I set Last Played -> is not in the last -> 30 days, and then I set up a couple more limiters such as Album -> does not contain -> Christmas so Bing Crosby doesn’t constantly appear at the top of my list. One other parameter I set is Limit to 50 songs -> selected by song name.

But not like this:

BBC NEWS | Technology | UK bans iPod gadget

A N Micro, the UK distributor of the iTrip, said use of the device was prohibited under the Wireless Telegraphy Act of 1949.


one of everything? no problem

Public Project

Welcome to Browser Cam!
Browser Cam creates screen captures of your web pages loaded in any browser, and on any operating system, so you’ll be 100% sure your web pages look good, and work right, on any platform.

I used the free trial today to see what some new things I was trying would look like. I discovered the fieldset CSS tag and decided to redo a page with a form to take advantage of it. In most cases, it looks fine, only irretrievably broken in IE5.5 (it crashes?!), but it is disappointing that the 1 px rule around the form and around the legend only renders in KHTML-based browsers and even there not uniformly. Sadly, IE5’s violent reaction means I can’t use it.

blows against the empire

art is what people will buy

BW Online | July 30, 2003 | Why iTunes Has Bands on the Run

At the heart of the debate is this question: Who should decide what’s art, the artist or the public? The Chili Peppers and Metallica say they — and they alone — should decide how fans should listen to and keep their music.

[ . . . . ] Apple’s (APPL ) iTunes is a tool of liberation. It gives them the freedom to pick and choose, and, in essence, make their own compilations from favorite tracks. [ . . . ] In fact, the opportunity to compile personalized play lists and track selections may be one of the service’s biggest draws.