Is that a DLL in your pocket…

Shock! Horror! Bug found where Windows applications will open DLLs that are in the current working directory of a process!

Except it’s not a bug. It’s by design, and it’s existed since NT.

Microsoft is being smacked in the head by a required feature of Windows due to the initial weakness of the LoadLibrary call. If you don’t specify a path to the file to load, it uses the standard library search path.

Dear god, you would think that this was news. It is not news, nor has it been since the goddamned operating system shipped. Granted, the issue is severe, but the fact of the matter is that if an application is executed using a working directory that isn’t under your control, then what can you do? If there are libraries in the directory the program was launched from that happen to share the name of system libraries, then you’re hosed.

Hey, guess what, asshole: if you link a Linux binary with a search path containing ‘.’, then you get the same problem. It’s just as well that nobody links their binaries with -R… eh?

The documentation is blatant in this regard. I’ve known it was a security issue since I first learned of the LoadLibrary call, as any even half decent developer should have known when they started using the damned function.

The rule is simple. Resolve the full path to a library before you load it. Validate that it ‘looks right’ at that point. Then load it.
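That rule in Python, added here as an example rather than anything from the post: the bare name is resolved only against a fixed list of trusted directories (the list and the permission check are this example’s assumptions), checked to still sit inside the directory it was found in once symlinks are followed, and only then handed to ctypes.CDLL by absolute path, so the loader never goes searching the working directory.

```python
import ctypes
import os
import stat


def resolve_library(name, trusted_dirs):
    """Resolve a bare library name to a validated absolute path, or raise.

    The loader's own search (cwd included) is never used: we look only in
    trusted_dirs, follow symlinks with realpath, reject anything that ends
    up outside the directory it was found in, and refuse files that other
    users could overwrite.  Both checks are this example's assumptions.
    """
    if not name or os.path.basename(name) != name or name.startswith("."):
        raise ValueError("expected a bare file name, got %r" % name)
    for base in trusted_dirs:
        base = os.path.realpath(base)
        candidate = os.path.realpath(os.path.join(base, name))
        # A symlink pointing out of 'base' resolves to a different directory.
        if os.path.dirname(candidate) != base or not os.path.isfile(candidate):
            continue
        mode = os.stat(candidate).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("%s is writable by other users" % candidate)
        return candidate
    raise FileNotFoundError("%s not found under %r" % (name, list(trusted_dirs)))


def load_library(name, trusted_dirs):
    """Validate first, then load by absolute path: the order the text demands."""
    return ctypes.CDLL(resolve_library(name, trusted_dirs))
```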

BTW, the .init section in .so files is so totally a security hole. You can’t dlopen a file to determine if it’s good without executing the .init code. Game over man, game f**king over!

My .init code does a setenv("LD_LIBRARY_PATH", "." + getenv("LD_LIBRARY_PATH")) … now piss off and write secure code for once…

Password recovery from open applications

Well, I had a minor hiccup today when I decided it was ‘password change day’. I duly went around changing the password on all my systems. Then I got back to work. 10 minutes later I turned to my other system and typed in the password.
… It didn’t work …
I smacked my head and said to myself “D’oh”, I need to use the new password. But I couldn’t remember all of it. All I had was a few characters I could remember, and the fact that my mail program was checking the mail every few minutes and still working.

First I got the pid of thunderbird…

~% ps -fe | grep thunder
1000     17509     1  0 13:19 ?        00:00:00 /bin/sh /usr/bin/thunderbird
1000     17521 17509  0 13:19 ?        00:00:00 /bin/sh /usr/lib/thunderbird/run-mozilla.sh /usr/lib/thunderbird/thunderbird-bin
1000     17526 17521  0 13:19 ?        00:00:24 /usr/lib/thunderbird/thunderbird-bin
1000     19101 19006  0 14:09 pts/10   00:00:00 grep thunder

Then I got the address of the heap from the process’ maps

~% grep 'heap' /proc/17526/maps
08d02000-0a9ad000 rw-p 08d02000 00:00 0          [heap]

I compiled up memory_dumper, and ran it against the process and heap addresses listed.

% ./memory_dumper 08d02000 0a46a000 17526 heap

Then I ran strings on the resulting file, looking for the pattern that matched what I remembered of the password.

% strings heap | grep t%7
cheat%7Ladel
cheat%7Ladel
cheat%7Ladel
cheat%7Ladel
%
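The same audit as a Python script, added here as an example and not the memory_dumper tool used above: it parses /proc/<pid>/maps for the [heap] mapping, reads that range from /proc/<pid>/mem (only possible for processes you may ptrace, in practice your own application under test), and counts how many separate copies of a secret-like pattern it holds, the number the post arrived at by eye. The maps excerpt and the heap bytes in the test are constructed.

```python
import re

# Constructed /proc/<pid>/maps excerpt, in the format grepped above.
SAMPLE_MAPS = """\
08048000-08d01000 r-xp 00000000 08:01 12345      /usr/lib/thunderbird/thunderbird-bin
08d02000-0a9ad000 rw-p 08d02000 00:00 0          [heap]
b7f00000-b7f21000 rw-p 00000000 00:00 0
"""

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")


def parse_maps(text):
    """Yield (start, end, perms, path) for every mapping line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)


def heap_range(text):
    """Return (start, end) of the [heap] mapping, the region dumped in the post."""
    for start, end, _perms, path in parse_maps(text):
        if path == "[heap]":
            return start, end
    raise LookupError("no [heap] mapping found")


def count_copies(buf, pattern):
    """Count non-overlapping occurrences of a bytes regex in a memory dump."""
    return len(re.findall(pattern, buf))


def audit_heap(pid, pattern):
    """Count copies of 'pattern' in the live heap of pid via /proc/<pid>/mem.

    Reading another process's memory needs ptrace rights, so in practice
    this is for your own processes (e.g. a test run of your application).
    Returns -1 when /proc is unavailable or access is denied.
    """
    try:
        with open("/proc/%d/maps" % pid) as f:
            start, end = heap_range(f.read())
        with open("/proc/%d/mem" % pid, "rb") as mem:
            mem.seek(start)
            return count_copies(mem.read(end - start), pattern)
    except (OSError, LookupError):
        return -1
```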

4 copies of the password in memory in the program. That is just in-freaking-sane. It should be present in the program only once, and should probably be concealed using some form of obfuscation. Mind you, it has kept the new password in my mind now, so I should be grateful.

And just in case you feel like trying the password listed, don’t. It’s not the real password 😉

Very heavy requirements

I have been buying sound cards for a loooooong time – my first add-on card was for a 512K Amstrad PC512 and it produced either MIDI-based sound or played back sampled audio. It was not a cheap purchase at the time – I can’t remember the price any more, but it was quite a bit of savings at the time.

It came with a literal ‘wodge’ of 5.25" driver diskettes. You could have used it to steady a table, there were so many of them.

Later on, the disks changed to 3.5". This meant that they were thicker than the older disks, and amounted to a pile that simply got progressively larger. By the purchase of my last SoundBlaster card, I was looking at IIRC 10 disks, only a few of which were usable as drivers for DOS; the remainder were ‘assistant’ programs such as Dr. Sbaitso, which were to all intents and purposes useless.

I spent a long time kind-of caring about my sound card. I bought an SB Live card for my main desktop and for several years things just worked. About 2 years ago I got a SoundBlaster X-Fi notebook card for my Dell Inspiron M1710. Honestly, the internal card was better than the add-on card. I didn’t really care, as I paid for it in Yen, so it didn’t count towards cost.

In the last 6 months I bought a new rig. Reasonable price, and harkening back to my memories, I got an SB X-Fi XtremeGamer card. Not a large outlay (<€80). It no longer comes with a wodge of disks – it downloads software and updates from the internet.

The smallest update for this software seems to be 50MB. The sum total of the latest software update (to fix problems and to increase compatibility on Vista) is 235MB. I am 44MB into the update and I’m being told that there’s another 2.5 hours to go. I’m not on a slow link either. It just seems to be on their side.

Just to put this into perspective – The download for my soundcard is about 1/2 the size of a reasonable Linux distro… and it’s as slow as a wet weekend in June. By the time this update has downloaded I could have watched the entirety of the latest Harry Potter movie and still had time for a pint. It’s damned slow.

This is a sound card. Not the World Management Software Suite®. The update for my graphics card was 90MB and that was Driver + Support Software + PhysX Drivers. And it downloaded in less than 10 minutes.

Now that I recall, all the problems I seemed to have on the older machine could always be traced to limitations or issues with my sound card. A driver that wasn’t playing by the rules. Maybe it thought it was being edgy? I’ve seen too many BSODs to want edgy. I just want something that works…. and doesn’t need a 250MB update (that’s twice the size of OpenOffice)…

Oh, and Windows Live Writer — please convert euro, trademark and em-dash symbols before posting… we’re not all using UCS-16 encoding here. Some of us actually try to use the web in a platform independent manner…

Important! Must install! You will die without it!

CreativeWhine
Oh, get over yourself! I do not need to install the music management software on my computer, and not having it installed is not the end of the world. It’s almost as bad as the Apple updater suggesting you install Safari. Mind you, it’s nowhere near as annoying about it, and it doesn’t suggest that the world will end if you don’t download it (but, you know, it just might…)

Not a lot of font choice

Adobe Buzzword Font List
This is the list of typefaces available in Adobe’s new Buzzword. It is really, really pretty; implemented in Flash, but when it comes to using it we discover that the two main fonts are missing – Times & Helvetica (or Times New Roman & Arial for ‘softies).
All the online offerings from the Adobe Beta are pretty nice, and cover the most fundamental of things, and some of the more useful features – like change tracking in Buzzword. It’s all Flash, so I have the fear that it will crash my browser.
It’s yet to happen to me on the Mac, though, even though I keep losing the browser on Linux.

You now have 5 update tasks running…

Aargh! Google Chrome comes with its own ‘updater’ which runs in the background checking for updates to the browser (along with the updater for Google Gears, I presume).
Add in the Java updater (oh, let’s check once a month for updates but run 24-7)
The apple software updater
Liveupdate (probably 3)
Each of them is probably doing the same thing.

  • Wait until some time on the clock
  • Check for a network connection
  • Check if there’s new code to download
  • Display an obnoxious dialog saying ‘Update available‘ with an Ok or possibly Maybe next time pair of buttons
  • Download the update
  • Install the update
  • Require a reboot because it’s changing a file that’s in use
  • repeat until your head explodes

Ok. Time fricking out here people! There has got to be a better way. If only there was a single update mechanism that all these tools could use… Unfortunately, it’s the built-in update mechanism from Microsoft/Apple and it’s closed to outside developers.
As it is, most applications on the Mac perform an automated check for updates when they’re launched. It’s relatively painless, and works most of the time. Mind you, the notification dialogs leave a lot to be desired (version n+1 is available, download here!) as opposed to a list of version n+1 changes – especially security updates.
Hopefully, they’re secure and have built in mechanisms to make sure that they’re not taking in a corrupted/malicious application.

Trust me…

Plaxo Assistant Cert
It tells me to trust it. After all, it’s a certificate that’s signed by a CA that isn’t in the list of known certificate authorities.
I don’t trust certificates. There is a list of certificate authorities a mile long stored on my computer, of groups who are to be trusted when a certificate is presented. I don’t know them from Adam, and the certs from the Hong Kong post office are about as trusted as the ones from the Apple Root CA – get real, people: this is not security, this is just posturing. I trust them about as much as I trust the digital quicksand upon which they are based.
I’ve stopped caring anymore. The only thing that these certificates establish is a temporary private channel between me and the web server. The rest; it’s just smoke and mirrors.

First week into the use of Firefox3

It’s great: simply prettier and a lot more usable than Firefox 2. The awesome bar (the address bar) kicks ass. Much easier to use than the previous one. Bookmark management has been improved. The look and feel is nicer. I even ‘kind of‘ prefer the subtle dialog box improvement which turns up at the top of the page, much like a wide range of websites that do the same thing themselves.
This has definitely replaced my web browsers in Windows and Linux. There’s a very high chance that it will replace Safari on the Mac. The only niggle I have is that it doesn’t store your passwords in the Mac keychain, which I still feel is the better place to have them.
Damn the electric fence…

gravatar URIs

Short and simple: http://en.gravatar.com/avatar/<md5 hash of email address>
e.g. echo -e 'bob@email.com' | md5sum gives: c961431faea38ed65bfd982cf2e31bd0.
Optional add-ons are size (s=<Number of pixels>), content rating (r=<g, pg, r, or x>), and default (d=<escape encoded URI of an image or one of identicon, monsterid or wavatar>).
great place to do something akin to the ‘imitate a lotus notes password entry trick’.
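Building such a URI in Python, as an added example that is not from the post: the address is hashed after trimming and lower-casing and without the trailing newline that echo feeds md5sum in the one-liner above (Gravatar’s own normalisation, assumed here), and the s=, r= and d= add-ons are validated and percent-escaped. The sample address and image URI are made up.

```python
import hashlib
from urllib.parse import urlencode

GRAVATAR_BASE = "http://en.gravatar.com/avatar/"
RATINGS = ("g", "pg", "r", "x")
DEFAULT_KEYWORDS = ("identicon", "monsterid", "wavatar")


def email_hash(email):
    """md5 of the address, trimmed and lower-cased, with no trailing newline."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email, size=None, rating=None, default=None):
    """Build the avatar URI with the optional s=, r= and d= parameters."""
    params = {}
    if size is not None:
        if int(size) <= 0:
            raise ValueError("size must be a positive pixel count")
        params["s"] = int(size)
    if rating is not None:
        if rating not in RATINGS:
            raise ValueError("rating must be one of %r" % (RATINGS,))
        params["r"] = rating
    if default is not None:
        # Either a keyword or an image URI; urlencode percent-escapes the latter.
        if default not in DEFAULT_KEYWORDS and not default.startswith(("http://", "https://")):
            raise ValueError("default must be a keyword or an http(s) image URI")
        params["d"] = default
    url = GRAVATAR_BASE + email_hash(email)
    return url + "?" + urlencode(params) if params else url
```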