March, 2009

  • The Old New Thing

    Engineering is about tradeoffs: How hard will you work to save 68KB of disk space?

    • 84 Comments

One of the recurring themes in the comments to my explanation of the historical reasons why there are two copies of Notepad was that Windows should use a hard link (or possibly a symbolic link) instead of wasting the disk space on two whole copies of Notepad. As I like to say, engineering is about tradeoffs. Let's look at the cost-benefit analysis.

    On the one hand: Install two copies of Notepad. Cost: 68KB of disk space.

    On the other hand: Use hard links or symbolic links. Cost: Add support for hard links or symbolic links to the FAT filesystem, to the operating system Setup program, to file formats such as the Windows Imaging Format, and to the various disk duplication systems that system builders (and corporate customers) use for deploying Windows to thousands of machines. Don't forget to count the cost for design and testing.

Imagine you're the scheduling manager for the Setup team. Which of these two options do you choose? Spend 68KB of disk space, or do all the work to support hard links during Setup and then wait for all the existing customers to upgrade their tools to versions which support hard links, which could take several years? Are you going to be the one who has to stand up in the Ship Room and say, "We can't ship Windows because ten of our customers haven't upgraded their deployment tools yet, and I have no idea how long we're going to have to wait until they do"?

And for those commenters who said that Windows should just get rid of one of the copies, you'll be pleased to know that Windows Server 2008 got rid of the copy in the Windows directory. There is now only one copy¹ of Notepad, and it's the one in the system32 directory. It wasn't long after the product was released that I learned of a program that hard-coded the path to the copy that no longer exists; I wish the vendors good luck in getting a patch out quickly.

    Footnotes

    ¹Nitpickers not welcome here. There is only one copy remaining of the two under discussion.

  • The Old New Thing

    Why is the Win32 epoch January 1, 1601?

    • 41 Comments

    Public Service Announcement: This weekend marks the start of Daylight Saving Time in most parts of the United States.

    The FILETIME structure records time in the form of 100-nanosecond intervals since January 1, 1601. Why was that date chosen?

    The Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle that was active at the time Windows NT was being designed. In other words, it was chosen to make the math come out nicely.

    I actually have the email from Dave Cutler confirming this.
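As an added worked example (not from the original post), the following Python shows why an epoch at the start of a 400-year Gregorian cycle makes the date arithmetic clean: the count of leap years since 1601 is a bare `y//4 - y//100 + y//400` with no correction for where the century and 400-year boundaries fall. The only Win32 fact it relies on is that FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC; the Unix-epoch offset constant is derived from that and checked against the standard library.

```python
# Added example (not from the original post): why starting the FILETIME epoch at
# 1601, the first year of a 400-year Gregorian cycle, keeps the calendar math clean.
# The only Win32 fact used is that FILETIME counts 100 ns intervals since 1601-01-01 UTC.
from datetime import datetime, timedelta, timezone

HNS_PER_SECOND = 10_000_000            # 100-nanosecond intervals per second
# 1970-01-01 as a FILETIME: 369 years, 89 of them leap, = 134774 days after 1601-01-01
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000

# Days before the first of each month in a non-leap year.
CUMULATIVE_DAYS = (0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334)


def is_leap(year: int) -> bool:
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_since_1601(year: int, month: int, day: int) -> int:
    """Day number of a Gregorian date, with 1601-01-01 as day 0."""
    if year < 1601 or not 1 <= month <= 12 or not 1 <= day <= 31:
        raise ValueError("date outside FILETIME range or malformed")
    y = year - 1601
    # Because 1601 opens a 400-year cycle, the number of leap years in
    # [1601, year) is exactly y//4 - y//100 + y//400: no correction terms
    # for where the cycle boundaries fall, which is the point of choosing 1601.
    days = y * 365 + y // 4 - y // 100 + y // 400
    days += CUMULATIVE_DAYS[month - 1] + (day - 1)
    if month > 2 and is_leap(year):
        days += 1          # February 29 of the current year has already passed
    return days


def date_to_filetime(year, month, day, hour=0, minute=0, second=0) -> int:
    """UTC civil time -> FILETIME (100 ns units since 1601-01-01)."""
    seconds = ((days_since_1601(year, month, day) * 24 + hour) * 60 + minute) * 60 + second
    return seconds * HNS_PER_SECOND


def filetime_to_unix(ft: int) -> int:
    """Whole seconds since 1970-01-01 for a FILETIME value (negative before 1970)."""
    return (ft - UNIX_EPOCH_AS_FILETIME) // HNS_PER_SECOND


def filetime_to_datetime(ft: int) -> datetime:
    """Cross-check against the standard library: 100 ns units -> microseconds."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


if __name__ == "__main__":
    # One full 400-year cycle is 146097 days, so 2001-01-01 is the next cycle start.
    print(days_since_1601(2001, 1, 1))                          # 146097
    print(date_to_filetime(1970, 1, 1) == UNIX_EPOCH_AS_FILETIME)  # True
    print(filetime_to_datetime(date_to_filetime(2009, 3, 1)))   # 2009-03-01 00:00:00+00:00
```

Try the same leap-year formula with an epoch of, say, 1900 or 1970 and you need extra terms to account for the century rule; with 1601 the cycle boundaries line up with the epoch and the formula is exact.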

  • The Old New Thing

    Race you to the top: The Empire State Building Run-Up

    • 7 Comments

    The winner completes the race in just ten minutes and seven seconds, but the vertical climb is a killer: Straight up the 1576 steps of the Empire State Building to the Observation deck. (When I visit the Observation Deck of the Empire State Building, I use the elevator.)

    And when it's over, everybody goes to work.

    What else am I going to do, like go celebrate? Am I going to go have martinis at 11:30 in the morning? No, you slink into work and you sit at your desk, and you work all day, and when you're done you stand up and your back is stiff, and you call your wife, and you get yelled at, and you go home to your three kids. Just like another day.

  • The Old New Thing

    The Suggestion Box is for suggestions, that's why it's called a Suggestion Box

    • 28 Comments

    As you may have noticed, Mondays are generally used for responding to suggestions posted to the Suggestion Box. But often people post things into the Suggestion Box that aren't actually topic suggestions.

    Commenter Ulric decided to take up a slot in the suggestion box by pointing me to a funny video because he "couldn't resist." Actually, I was wrong about saying that it's not a topic suggestion. The video itself is the topic, so there you have it. Though I think some people may need to do a little better at exercising self-restraint.

    Commenter Yuhong Bao posted a series of entries to the suggestion box which seem to take the form of disconnected neuron activity.

re: Memory Management Tricks Us

    That is probably AWE.

    re: ACPI keys: most evil UI misfeature ever?

    Before Windows XP, yes, but not anymore.

    re: How much is Win9x DOS?

    Well, first the DOS inside Win9x is started and then it starts win.com, which is a DOS application. Basically it is like Win3.1 in 386 enhanced mode which is also more like an OS than a DOS frontend.

    There doesn't appear to be anything actionable here. It's just random muttering.

    Please use the suggestion box for suggestions. If you want to comment on an entry, then post a comment to that entry. If comments for that entry are closed, then post your comment on your own Web site. (And if you just enjoy hearing yourself talk, then do that on your own Web site, too.)

    "But I want to comment on that entry even though comments are closed."

    Tough. Comments are closed. You had your chance. You don't call a radio show and say, "Hi, I know your topic today is the world financial crisis, but I have a comment about car safety, which was a topic you covered last month."

    Maybe what this Web site needs is a call screener, like radio shows have.

  • The Old New Thing

    Defense in depth means that you protect against exploits that don't exist yet

    • 27 Comments

    Defense in depth is about protecting against threats that are already being protected against, just in case the existing protection fails. This is why there is not merely a lock on your safety deposit box, but also a lock on the door to the safety deposit box room, and then a lock on the doors of the bank itself. This is why you wear your seat belt even though the car is equipped with air bags. This is why factories have multiple safety systems. It's why, when you put away a gun, you set the safety and remove the ammunition and lock the gun case.

An insistent anonymous commenter refused to believe in this principle. He couldn't distinguish between the absence of a known security vulnerability and the potential for one, and believed that security is a boolean value: you're either secure or you're insecure, and if two systems are identical except that the second has an additional safety check, that is proof that the first system must have been insecure.

    As I described in the comments to the article, there is the potential for bad things to happen if a COM data object is allowed into the process. Even though the CSRSS process never calls any of the potentially dangerous functions in a dangerous way, the potential for some other flaw to result in dangerous behavior creates enough risk that the trade-off tipped toward removing the potential for problems, even though the potential is currently (and hopefully will always remain) unrealized.

    Remember that one of the guidelines of security is that the more valuable the target, the more effort you put into securing it. In this case, CSRSS runs with System security privileges, which is even higher than Administrator. You want to erect a lot of barriers for this puppy.

It's like a hospital that has the rule "No cell phones allowed in hospital rooms because they may interfere with the equipment." The staff instruct you to leave your phone outside, but you insist that your phone does not pose a problem because it's turned off, and besides, it doesn't use the same radio frequency as the monitoring equipment. Tough. Defense in depth. Even if it's turned off, even if it uses a different radio frequency, they won't let it into the room.

    The same thing is true with data objects. CSRSS is careful to extract only the information it needs, but that's like walking into a hospital room with a cell phone whose antenna has been switched off. Sure, the antenna is off, but somebody might bump into you and accidentally turn it on, or there may be some software flaw in the phone that causes it to turn on spontaneously. Sure, you might argue that those failures aren't your fault, so you shouldn't be blamed for them, but try telling that to the person whose monitoring equipment failed to notify the hospital staff of an irregular heartbeat.

    People who study security vulnerabilities have quite a wide array of tricks available to them once they find even the tiniest crack. Even something as simple as a null pointer fault (in itself just a denial of service and not a source of pwnage) can be combined with other techniques and become a full-fledged exploit.

    For example, even though your cell phone antenna is off, its Bluetooth transceiver may still be on, and somebody might be able to hack into your Bluetooth headset and convince it to tell the cell phone, "Hey, I'd like to make a call. Please turn on your antenna." Even though this is a security flaw in the Bluetooth headset, it was used as a stepping stone into hacking your cell phone.

There's also the possibility that you simply forgot that you had set a text message for delayed delivery, causing the phone to turn on its antenna when the delivery time is reached. Oops. You messed up, and now somebody is in intensive care.

    As of this writing, there is no known exploit for drag and drop into console windows, but since drag and drop uses highly extensible technology (namely COM and data objects), the possibility that one of those extension points may be used as an attack vector was deemed too great a risk compared to the benefit of the feature. The anonymous commenter concludes,

    Now if this is not a security hole, then either Csrss doesn't execute code in OLE objects it receives, or it doesn't accept any OLE objects received, or isn't able to receive OLE objects at all. Which one is it?

CSRSS does not execute untrusted code in OLE objects it receives, but the fact that OLE objects are in the CSRSS process at all gives the security folks the heebie-jeebies. Although there is no known security hole, there is great potential for a security hole, and that's the reason for removing the potentially dangerous code from CSRSS even though it is (in theory) never executed.
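To make the "extension points in a privileged process" argument concrete, here is an added illustration in Python; it is not CSRSS, COM or any Windows code. A stand-in privileged receiver wants nothing more than a list of file names from an untrusted sender. Python's `pickle` stands in for the extensible object format (its `__reduce__` hook plays the role of a data object's extension points): the receiver is careful and reads exactly one field, yet a hook chosen by the sender still runs inside the receiver on arrival. The hardened variant accepts only a plain JSON shape that has no hooks at all, which is the same move as removing the data-object code from CSRSS rather than merely being careful with it. All names (`DroppedFiles`, `deliver_extensible`, `deliver_plain`, `RECEIPT_LOG`) are constructed for this example.

```python
# Added illustration, not CSRSS or Windows code. Stand-ins: a "privileged receiver"
# that wants only a list of file names, and two payload formats from an untrusted
# sender. The extensible format (pickle, standing in for the extension points of a
# COM data object) runs a sender-chosen hook in the receiver on arrival, even though
# the receiver only ever reads one field. The plain format has no hooks to reach.
import json
import pickle

RECEIPT_LOG: list = []   # records any transport hook that ran inside the receiver


def _rebuild(paths):
    # pickle's extension point: executed in the RECEIVING process during loads(),
    # before the receiver has looked at anything. Here it only leaves a log entry.
    RECEIPT_LOG.append("transport hook ran in receiver")
    return DroppedFiles(paths)


class DroppedFiles:
    """Rich object the sender ships; the receiver cares only about .paths."""

    def __init__(self, paths):
        self.paths = list(paths)

    def __reduce__(self):
        # The sender controls what gets recorded here; the receiver never sees it.
        return (_rebuild, (self.paths,))


def deliver_extensible(paths):
    """Sender serialises a rich object; receiver extracts only .paths.
    Returns (paths_seen_by_receiver, whether_a_hook_ran_in_receiver)."""
    RECEIPT_LOG.clear()
    payload = pickle.dumps(DroppedFiles(paths))      # untrusted sender side
    received = pickle.loads(payload).paths           # receiver: careful, reads one field
    return received, bool(RECEIPT_LOG)


def deliver_plain(payload: bytes):
    """Receiver accepts only a JSON object {"paths": [str, ...]} and rejects
    everything else before use. There is no extension point for the sender."""
    RECEIPT_LOG.clear()
    data = json.loads(payload)
    if not isinstance(data, dict) or set(data) != {"paths"}:
        raise ValueError("payload must be an object with exactly one key: paths")
    paths = data["paths"]
    if not isinstance(paths, list) or not all(isinstance(p, str) and p for p in paths):
        raise ValueError("paths must be a list of non-empty strings")
    return paths, bool(RECEIPT_LOG)


if __name__ == "__main__":
    print(deliver_extensible(["notes.txt"]))            # (['notes.txt'], True)
    print(deliver_plain(b'{"paths": ["notes.txt"]}'))   # (['notes.txt'], False)
```

The careful receiver in `deliver_extensible` did nothing wrong by its own code, and still a hook ran in its process; that is the "data objects are in CSRSS at all" concern. `deliver_plain` does not try to be more careful with the rich object, it refuses the extensible format entirely, so there is nothing left to be careful about.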

    I bet you'd be nervous if somebody pointed a loaded gun at you even though the safety is engaged.

    Other discussion of defense in depth, including more examples:

  • The Old New Thing

    Caption contest: The pinball machine

    • 56 Comments

    I may regret this, but here's something new: A caption contest. One of my colleagues saw this picture on a company's Web site.

    Pinball machine with flipper about to strike ball.

    The original caption for this picture was something like Join our affiliate program or Score big with our affiliate program. Your mission is to come up with something funnier. Here are some ideas to get you started:

    • Do you have balls of steel? Maybe you can become an affiliate.
    • We love to flip off our affiliates.
    • When you become an affiliate, you're going to get whacked around a lot.
    • Sooner or later you'll end up in the hole.
    • We like to play games with you. Become an affiliate today!

    Now it's your turn. Keep it friendly.

  • The Old New Thing

    I drive a car the way most people use a computer

    • 82 Comments

    It was interesting to me reading the reactions to my adventures driving a manual transmission. People seemed to be spending a lot of time trying to convince me that if only I were to expend a bit more effort in learning the finer points of driving a manual transmission and log enough time behind the wheel, then the activity will become less taxing on my mental brainpower.

    But why should I care?

    To me, driving is not an end in itself. It is just a tool for solving the problem of getting from point A to point B. The less I have to learn about how to accomplish this task the better.

    My goal is not to become a car expert. My goal is to get to my destination conveniently. I don't want to "have greater control over the experience"; I don't want "more power"; heck, depending on where I'm going, I often prefer to take the bus, where I have no control over the experience at all!

    It occurred to me as I read commenter after commenter try to convince me that my own personal priorities were incorrect that I drive a car the same way most people use a computer. They don't want to know about the difference between ROM and RAM or how many floppy disks you can store in a 6 megabit cable modem. They just want to surf the web, send email, and look at pictures of their grandchildren. (Okay, they may want to do other stuff too, but knowing the difference between PIO and DMA is definitely not on the list.)

    There's no point trying to get these people to learn all these details about how computers work because they don't care. They just want to know where they need to click to see that picture of baby Annie. You can even tell them that the way they're doing it is suboptimal and there's a much more powerful way to view those pictures which also gives them the ability to alter the gamma curve and apply the correct color adjustment to the image to match their monitor's color temperature, but they won't care.

    And I don't blame them. Because I don't care either.

  • The Old New Thing

    What's the point of the MoveWindow function when we already have SetWindowPos?

    • 36 Comments

    Commenter Phil Quirk notes via the suggestion box, "MoveWindow is just a weird function. I guess it's easier to call than SetWindowPos, but that's the only thing it seems to have going for it."

    Yup, that's about right.

The MoveWindow function doesn't really do anything you couldn't already do yourself with SetWindowPos. It's just a convenience function. And if you look at it pretty closely, it's really not that big of a convenience either, saving you one parameter (hwndInsertAfter) and replacing the flag SWP_NOREDRAW with a boolean parameter.

    Whoop-dee-doo.

    It shouldn't take too much imagination to figure out how this situation came about. It's the same reason why you have both CreateWindow and CreateWindowEx.

  • The Old New Thing

    The house no-electronics zone

    • 48 Comments

    In my house, I have designated two rooms as the no-electronics zone. No use of electronic gadgets is allowed. No television, laptops, PDAs, cell phones, handheld video games, you get the idea. The purpose of this section of the house is to interact with other people face-to-face.

    Now, exceptions have been made for extenuating circumstances. For example, when some of my friends were without electricity due to a power outage, I invited them to my house, and they were permitted to use their laptops in what would normally be the no-electronics zone.

    But those are the exceptions. So if you come to my house, remember: The living room and dining room form a no-electronics zone.

    [Update 1pm] Return of the nitpicker's corner: Once again, people get distracted by the minutiae and miss the point of the rule. The purpose of the rule is to encourage face-to-face interaction and to discourage activities which cause people to withdraw from each other.

    By electronic devices, I mean televisions, laptops, PDAs, cell phones, handheld video games, you get the idea. Digital watches, clocks, and lamps are acceptable, provided they do not prevent you from interacting with others. Checking the time is okay; playing Space Invaders on your digital watch is not. Digital cameras are acceptable if they are being used to take or share pictures. But sitting there sifting through pictures without talking to anyone is not.

    If Professor Stephen Hawking comes to visit, his electronic devices are being used to interact with other people and are therefore acceptable.

    I didn't feel the need to apply these common-sense rules to the basic principle, assuming that my readers understood the point I was making and didn't need a legalistic breakdown of what is and is not acceptable.

  • The Old New Thing

    Microspeak: Year-over-year

    • 17 Comments

    In economics, the attributive adjective year-over-year means compared to the same time last year. Examples: "Year-over-year sales show a marked improvement." "Expenses continue to fall year over year." (The hyphens disappear when the adjective is used predicatively.)

    I have only one citation, but it appears that the term has broadened its meaning inside Microsoft and is now merely a synonym for annual or year after year.

    We hold decision-makers accountable year over year for carrying out their plan.

There is no obvious "compared to the same time last year" going on here. It's not like you are 15% more accountable this year than you were last year. Rather, the sentence merely says that reviewing how well the decision-makers are carrying out the plan takes place every year. (It may not be clear from the sentence above that that's what the sentence means, but it's clearer in the context of the entire document from which the sentence was extracted.)
