December, 2005

  • The Old New Thing

    Your debugging code can be a security hole


    When you're developing your debugging code, don't forget that just because it's only for debugging doesn't mean that you can forget about security.

    I remember one customer who asked (paraphrased)

    We have a service, and for testing purposes we want to be able to connect to this service and extract the private data that the service is managing, the data that normally nobody should be allowed to see. That way, we can compare it against what we think the data should be. This is just for testing purposes and will not be called during normal operation. How do you recommend we do this?

    Remember that the bad guys don't care whether the code you wrote was for normal use or for diagnostic purposes. If it's there, they will attack it.

    The customer went to a lot of effort to protect this internal data, making sure that none of the service operations disclose it directly, but then in a haze of "this would make debugging easier", they lost their heads and added a debugging backdoor that gives direct access to this data that they had worked so hard to protect.

    It doesn't matter how much you protect the front door if you leave the service entrance wide open.

    I have a printer driver that insists on creating a log file in the root of the drive. This log file, which is world-readable, contains, among other things, the URLs of every single web page I have printed. If I log on as an administrator and delete the log file, it just comes back the next time I print a document.

    I assume the printer vendor created this log file for diagnostic purposes, but it also creates a security hole. Everybody on the system can see the URL of any web page that was printed by anybody else.
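
    A defender-side check for the kind of exposure described above, as an added example that is not part of the original post: it lists files in a drive root whose ACL allows Everyone, Authenticated Users or BUILTIN\Users to read them. The function name, the `*.log` filter and the choice of the system drive are assumptions; the post does not name the log file.

```powershell
# Added example: list log files in a drive root that broad groups are allowed to read.
# Well-known SIDs are used instead of names so the check works on any display language.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadlyReadableLog {
    param(
        [string]$Root   = "$env:SystemDrive\",  # assumption: audit the system drive root
        [string]$Filter = '*.log'               # assumption: diagnostic logs end in .log
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    Get-ChildItem -LiteralPath $Root -File -Filter $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL of $($file.FullName): $_"; return }

            # Explicit and inherited entries both count: a file dropped in the
            # drive root usually just inherits whatever the root grants.
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                $sid     = $rule.IdentityReference.Value
                $canRead = (([int]$rule.FileSystemRights) -band $ReadData) -ne 0
                if ($rule.AccessControlType -eq 'Allow' -and
                    $BroadSids.ContainsKey($sid) -and $canRead) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Principal = $BroadSids[$sid]
                        Rights    = $rule.FileSystemRights
                        Inherited = $rule.IsInherited
                        LastWrite = $file.LastWriteTime
                    }
                }
            }
        }
}

# Allow entries only; Deny entries and effective-access evaluation are not modelled.
Get-BroadlyReadableLog | Sort-Object Path, Principal | Format-Table -AutoSize
```

    A `LastWrite` time that tracks recent print jobs is a sign the file is being regenerated, which matches the behaviour described in the post.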

  • The Old New Thing

    On the inability to support hardware that nobody makes any more


    Windows Vista will not have support for really old DVD drives. (The information below was kindly provided to me by the optical storage driver team.)

    When PC DVD drives first came out in 1998, the drives themselves did not have support for region codes but instead relied on (and in fact the DVD specification required) the operating system to enforce region coding, with the further understanding that starting on January 1, 2000 all newly-manufactured drives would support region coding in hardware rather than relying on software enforcement. For the purpose of this discussion, I will call the two types of drives "old" (manufactured before 2000) and "new" (manufactured on or after January 1, 2000).

    It is that software enforcement that is going away. Turns out that the enforcement of region coding in software had its own problems:

    • It was impossible for third-parties to compile their own CDROM.SYS from the source code in the DDK because the region code enforcement code was not included in the DDK.
    • The region code enforcement code would sometimes mistake a new drive for an old one, resulting in customers unable to play DVDs. Even worse, the driver test team could not reproduce the problem reliably, and the problem went away entirely once a debugger was attached to the system.
    • The code to support the older drives is complex, and the drives that the optical storage team purchased prior to January 1, 2000 are dead or dying. Consequently, testing the code that provides support for old drives has become increasingly difficult, and when the last old drive finally gives up the ghost, testing will become impossible altogether.

    These were among the considerations which contributed to the decision to stop supporting these old drives.

    What does this mean for you? Almost certainly, the answer is "absolutely nothing".

    First, there is no change to the way data is read from DVD drives, so data discs will still work the same way as they do today. Second, all new DVD drives will continue to run as they did before; the only change is that the risk of mis-identification as an old drive has been removed. Only if you have an old drive will you notice anything different, namely that encrypted/regionalized DVD movies will no longer play. And since the average drive lifetime is only three years, the number of such old drives that are still working is vanishingly small. Not even the optical drive test team can manage to keep their old drives alive that long.

  • The Old New Thing

    The not-entirely-unwitting victims of the Daily Show interview


    NPR's On the Media covers the world of the fake news interview, the leading example of which in the United States is The Daily Show with Jon Stewart. Despite what you may think, the people interviewed by the likes of Ed Helms and Samantha Bee actually know that they're being interviewed by a fake news show and go along with it anyway.

    But that doesn't mean that they know what's coming.

    In a related story, MSNBC looks at what happens to some of those interviewees after the episode airs.

    [Typos corrected 9:30am]

  • The Old New Thing

    Using a physical object as a reminder


    On our team, we have a mailing list where people can report problems. Those people could be testers from our team or they could be people from elsewhere in the company. Everybody on the team is expected to keep an eye on the messages and debug problems in their area. The job of monitoring the mailing list to ensure that every issue is ultimately addressed rotates according to a predetermined schedule, and in addition to receiving a piece of reminder mail at 4pm the business day before it's your turn, you will also find a Mickey Mouse ears hat on your desk when you arrive in the morning.

    I bought this hat in Disneyland a few years ago and somehow managed to convince the person operating the sewing machine to stitch the name "Dev O'Day" on the back. "It's an Irish name," I explained, but it also stands for "Developer of the Day", which is the title we use for the person who monitors the mailing list.

    One of our team members went on vacation to Disneyland the following year and brought back a back-up hat, which sits in my office. The back-up hat is occasionally brought into service when the primary Dev O'Day hat goes missing, at which point a Search and Rescue mission is undertaken to locate the hat and restore it to circulation. (It's usually just sitting in the office of someone who was Developer of the Day recently and merely forgot to hand the hat off at the end of the day.)

  • The Old New Thing

    Rory Blyth explains the difference between 720p and 1080i


    720p vs. 1080i - The Great HD TV Debate EXPLAINED and SOLVED. So now you know.

  • The Old New Thing

    Whimsical embarrassment as a gentle form of reprimand


    A few months ago, I messed up a cross-component check-in and broke the build. I'm not proud of it. (In my excitement over finally having passed a few weeks' worth of testing requirements, I absently submitted only one of the components for check-in! My change was 99% within one component, and I forgot about the other 1%.) My submission cleared the "single-component check-in" queue at around 4:30am, and before I got a chance to fix the problem at 8am, a complex job was submitted into the "multi-component check-in" queue. That job failed, of course, because I neglected to update the second component.

    A few hours later, I was greeted with a large inflatable bunny rabbit (looks similar to this guy) in my office. His name is "Bug Bunny", and it is my lot to be Bug's keeper until somebody else breaks the build. (But hey, at least I fixed it before 5pm. At 5pm, my team's lab kicks off its nightly builds, and if you break those builds, the next morning's "official team build" doesn't get released, and testers don't have anything to install.)

    I suspect many groups have an object with a similar purpose, namely to be "bestowed upon" the person who most recently messed up.

  • The Old New Thing

    Humanity's greatest invention, according to seventh grade students


    When I read that Ecologist Magazine is co-sponsoring an essay contest on the topic What is Humanity's worst Invention?, it reminded me of a related essay exercise assigned to seventh-graders by a friend of mine. The students (typically thirteen years of age) were given the topic What is humanity's greatest invention or discovery? Here are some of the greatest inventions and discoveries of all time, according to these students:

    pencils, airplanes, vaccines, refrigerators,
    pets, craftsman tools, steam engines, iPods,
    alarm clocks, laptops, shoes, transportation,
    computers, microbes, medicine, microphones,
    tomatoes, cars, light bulbs, batteries,
    fire, hair products, toilets, spear tips,
    marrying a princess, incandescent light

    Some sentences written in support of these claims:

    • The invention of the light bulb has literally shed light on the world.
    • The first car ever invented was the Mercedes around the early 1800s.
    • You might have to actually wash the plates (without electricity).
    • The car was first invented by Harrison Ford.
    • the one thing that makes nerds drool when they here [sic] it's [sic] name: videogames
    • We all know that IPODS have a great deal of greatness.
    • A light bulb comes with a switch to turn it off.
    • All they had to eat was tin biscuits.
    • What if someone discovers a machine to make you love forever? You couldn't have that without electricity!
    • The light bolb helps in menny dirfpeant ways.
    • This realy cool pen could wright and use the couckulater
    • Wagons can have horses pull them while riding in them.
    • It can be used for evel porpoises such as bombs.
    • Thomas Edison was a very smart, experimental man.
    • Cars make it possible for people to have space time.
    • Without electricity, housework would take all day!
    • The computer has easily beat out the dog in the man's best friend race these days.
    • The riders are throwing themselves off cliffs and hitting trees. These are happy people.
    • The catskane will be even more helpful in the furter.
    • Many school assignments would be close to impossible, or even cancelled if computers were never invented.
    • The airplane was invented by the Write brothers.
    • When the austronaughts go up into the bitch black space.
    • Without these things (electricicity) there wouldn't be a AC/DC or Led Zeppelin and that would be torture.
    • If you forgot to make your mom a birthday cake, you would need a light bulb to read the recipe
    • Back then the only domesticated animals were calvary, poultry and livestock.
    • Cars are good because they are the fastest way in and out for the C.I.A.
    • The tomato, I believe is a harmless fruit that has been around for hundreds of years.
    • When the cavemen were around they probably didn't stress good hygine, but they did likely emphasize beauty. Cavemen and women used bones from animals as hair rollers or ornaments and used animal fat for gel in their hair.
    • If you open your heart to a cat and love it forever, it will eventually love you back.

    That last one is my favorite. There's something poetic about it.

    Update 1pm: It should have gone without saying that these are hardly representative samples of the students' work but rather the most amusing ones.

  • The Old New Thing

    When a token changes its meaning mid-stream


    The project leader for the initial version of Internet Explorer was well-known for wearing Hawaiian shirts. I'm told that the team managers decided to take one of those shirts and use it as an award to the team member who fixed the most bugs or some similar thing. What the team managers failed to take into account was that nobody actually liked having a Hawaiian shirt hanging in their office, especially not one that was worn by somebody else. If you happened to be the person who fixed the most bugs, you sort of reluctantly accepted the shirt even though you really didn't want it.

    And then a wonderful thing happened: The meaning of the shirt flipped.

    I don't know the details. I suspect at one point, somebody who "won" the shirt just left it in somebody else's office as a way of getting rid of it. This simple gesture was the turning point. The shirt became a symbol of disapproval. I believe the unofficial rule was that in order to get rid of the shirt, you had to find somebody who messed up at least as bad as whatever you did to earn the shirt in the first place.

    It took a while before the team managers even realized what happened to their "award".

  • The Old New Thing

    It's always a good idea to check your sources


    For a while, our cafeteria was trying to sell three-packs of bottled water. A sign proudly announced:

    Drink more water: What you should know about H2O

    Drink plenty of water throughout the day. Make it easy. Carry a bottle of water when you commute to work or run errands.

    This is what I should know about H2O?

    "Drink more water": Notice that they didn't specify a target amount. Just drink more.

    "Carry a bottle of water when you commute": I should drive with one hand on the wheel and the other hand clutching a bottle of water? Isn't that dangerous?

    And who is providing this "helpful" information?

    Source: International Bottled Water Association

    Hardly an impartial organization.

  • The Old New Thing

    Using floppy disks as semaphore tokens


    In the very early days of Windows 95, the distribution servers were not particularly powerful. The load of having the entire team installing the most recent build when it came out put undue strain on the server. The solution (until better hardware could be obtained) was to have a stack of floppy disks in the office of the "build shepherd". (The job of "Build Shepherd" was to perform the initial diagnosis of problems with the build itself or with verification testing and make sure the right developer is called in to address the problem.)

    If you wanted to install the latest build, you had to go to the Build Shepherd's office and take one of the specially-marked floppy disks. When you finished installing, you returned the disk.

    In other words, the floppy disk acted as a real-world semaphore token.
