March, 2009

  • The Old New Thing

    Engineering is about tradeoffs: How hard will you work to save 68KB of disk space?

    • 84 Comments

    One of the recurring themes in the comments to my explanation of the historical reasons why there are two copies of Notepad was to use a hard link (or possibly a symbolic link) to save having to waste the disk space for two whole copies of Notepad. As I like to say, engineering is about tradeoffs. Let's look at the cost-benefit analysis.

    On the one hand: Install two copies of Notepad. Cost: 68KB of disk space.

    On the other hand: Use hard links or symbolic links. Cost: Add support for hard links or symbolic links to the FAT filesystem, to the operating system Setup program, to file formats such as the Windows Imaging Format, and to the various disk duplication systems that system builders (and corporate customers) use for deploying Windows to thousands of machines. Don't forget to count the cost for design and testing.

    Imagine you're the scheduling manager for the Setup team. Which of these two options do you choose? 68KB of disk space or doing all the work to support hard links during Setup and then waiting for all the existing customers to upgrade their tools to versions which support hard links—which could take several years. Are you going to be the one to have to stand up in the Ship Room and say, "We can't ship Windows because ten of our customers haven't upgraded their deployment tools yet, and I have no idea how long we're going to have to wait until they do"?

    And for those commenters who said that Windows should just get rid of one of the copies, you'll be pleased to know that Windows Server 2008 got rid of the copy in the Windows directory. There is now only one copy¹ of Notepad, and it's the one in the system32 directory. It wasn't long after the product was released that I learned of a program that hard-coded the one that no longer exists; I wish the vendors good luck in getting a patch out quickly.

    Footnotes

    ¹Nitpickers not welcome here. There is only one copy remaining of the two under discussion.

  • The Old New Thing

    Why is the Win32 epoch January 1, 1601?

    • 41 Comments

    Public Service Announcement: This weekend marks the start of Daylight Saving Time in most parts of the United States.

    The FILETIME structure records time in the form of 100-nanosecond intervals since January 1, 1601. Why was that date chosen?

    The Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle that was active at the time Windows NT was being designed. In other words, it was chosen to make the math come out nicely.

    I actually have the email from Dave Cutler confirming this.
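    As an added illustration (not from the original post) of why a cycle boundary makes the arithmetic tidy: a full 400-year Gregorian cycle is 146097 days, an exact number of weeks, and the tick count between the 1601 base and the Unix epoch falls straight out of the same leap-year rule. The function names and constants below are my own, not Win32 API names.

```c
#include <stdint.h>
#include <stdio.h>

/* FILETIME counts 100-nanosecond ticks since 1601-01-01T00:00:00Z. */
#define TICKS_PER_SECOND 10000000ULL
#define SECONDS_PER_DAY  86400ULL

/* Gregorian leap-year rule: every 4 years, except centuries not divisible by 400. */
static int is_leap(int year) {
    return (year % 4 == 0 && year % 100 != 0) || (year % 400 == 0);
}

/* Days from 1601-01-01 up to Jan 1 of `year` (year >= 1601), by direct counting. */
static int64_t days_since_1601(int year) {
    int64_t days = 0;
    for (int y = 1601; y < year; y++)
        days += is_leap(y) ? 366 : 365;
    return days;
}

/* One full 400-year cycle: 400*365 + 97 leap days = 146097 days, which is
 * exactly 20871 weeks, so weekday and leap-year arithmetic repeats cleanly
 * from a cycle boundary such as 1601. */
static int64_t gregorian_cycle_days(void) {
    return days_since_1601(1601 + 400);
}

/* FILETIME value of the Unix epoch (1970-01-01T00:00:00Z), derived rather
 * than hard-coded; it comes out to the commonly quoted 116444736000000000. */
static uint64_t unix_epoch_as_filetime(void) {
    return (uint64_t)days_since_1601(1970) * SECONDS_PER_DAY * TICKS_PER_SECOND;
}

/* Convert a FILETIME tick count to Unix seconds. Signed arithmetic so that
 * pre-1970 values give negative results; the sub-second part is truncated
 * toward zero. */
static int64_t filetime_to_unix_seconds(uint64_t ft) {
    int64_t delta = (int64_t)ft - (int64_t)unix_epoch_as_filetime();
    return delta / (int64_t)TICKS_PER_SECOND;
}

int main(void) {
    printf("400-year cycle: %lld days (%lld weeks, remainder %lld)\n",
           (long long)gregorian_cycle_days(),
           (long long)(gregorian_cycle_days() / 7),
           (long long)(gregorian_cycle_days() % 7));
    printf("Unix epoch as FILETIME: %llu\n",
           (unsigned long long)unix_epoch_as_filetime());
    return 0;
}
```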

  • The Old New Thing

    Race you to the top: The Empire State Building Run-Up

    • 7 Comments

    The winner completes the race in just ten minutes and seven seconds, but the vertical climb is a killer: Straight up the 1576 steps of the Empire State Building to the Observation Deck. (When I visit the Observation Deck of the Empire State Building, I use the elevator.)

    And when it's over, everybody goes to work.

    What else am I going to do, like go celebrate? Am I going to go have martinis at 11:30 in the morning? No, you slink into work and you sit at your desk, and you work all day, and when you're done you stand up and your back is stiff, and you call your wife, and you get yelled at, and you go home to your three kids. Just like another day.

  • The Old New Thing

    The Suggestion Box is for suggestions, that's why it's called a Suggestion Box

    • 28 Comments

    As you may have noticed, Mondays are generally used for responding to suggestions posted to the Suggestion Box. But often people post things into the Suggestion Box that aren't actually topic suggestions.

    Commenter Ulric decided to take up a slot in the suggestion box by pointing me to a funny video because he "couldn't resist." Actually, I was wrong about saying that it's not a topic suggestion. The video itself is the topic, so there you have it. Though I think some people may need to do a little better at exercising self-restraint.

    Commenter Yuhong Bao posted a series of entries to the suggestion box which seem to take the form of disconnected neuron activity.

    re: Memory Management Trickes Us

    That is probably AWE.

    re: ACPI keys: most evil UI misfeature ever?

    Before Windows XP, yes, but not anymore.

    re: How much is Win9x DOS?

    Well, first the DOS inside Win9x is started and then it starts win.com, which is a DOS application. Basically it is like Win3.1 in 386 enhanced mode which is also more like an OS than a DOS frontend.

    There doesn't appear to be anything actionable here. It's just random muttering.

    Please use the suggestion box for suggestions. If you want to comment on an entry, then post a comment to that entry. If comments for that entry are closed, then post your comment on your own Web site. (And if you just enjoy hearing yourself talk, then do that on your own Web site, too.)

    "But I want to comment on that entry even though comments are closed."

    Tough. Comments are closed. You had your chance. You don't call a radio show and say, "Hi, I know your topic today is the world financial crisis, but I have a comment about car safety, which was a topic you covered last month."

    Maybe what this Web site needs is a call screener, like radio shows have.

  • The Old New Thing

    Caption contest: The pinball machine

    • 56 Comments

    I may regret this, but here's something new: A caption contest. One of my colleagues saw this picture on a company's Web site.

    Pinball machine with flipper about to strike ball.

    The original caption for this picture was something like Join our affiliate program or Score big with our affiliate program. Your mission is to come up with something funnier. Here are some ideas to get you started:

    • Do you have balls of steel? Maybe you can become an affiliate.
    • We love to flip off our affiliates.
    • When you become an affiliate, you're going to get whacked around a lot.
    • Sooner or later you'll end up in the hole.
    • We like to play games with you. Become an affiliate today!

    Now it's your turn. Keep it friendly.

  • The Old New Thing

    Defense in depth means that you protect against exploits that don't exist yet

    • 27 Comments

    Defense in depth is about protecting against threats that are already being protected against, just in case the existing protection fails. This is why there is not merely a lock on your safety deposit box, but also a lock on the door to the safety deposit box room, and then a lock on the doors of the bank itself. This is why you wear your seat belt even though the car is equipped with air bags. This is why factories have multiple safety systems. It's why, when you put away a gun, you set the safety and remove the ammunition and lock the gun case.

    An insistent anonymous commenter refused to believe in this principle and couldn't distinguish between the absence of a known security vulnerability and the potential for one, believing that security is a boolean value, that you're either secure or you're insecure, and that if two systems are identical except that the second system has an additional safety check, this is proof that the first system must have been insecure.

    As I described in the comments to the article, there is the potential for bad things to happen if a COM data object is allowed into the process. Even though the CSRSS process never calls any of the potentially dangerous functions in a dangerous way, the potential for some other flaw to result in dangerous behavior creates enough risk that the trade-off tipped toward removing the potential for problems, even though the potential is currently (and hopefully will always remain) unrealized.

    Remember that one of the guidelines of security is that the more valuable the target, the more effort you put into securing it. In this case, CSRSS runs with System security privileges, which is even higher than Administrator. You want to erect a lot of barriers for this puppy.

    It's like a hospital that has the rule "No cell phones allowed in hospital rooms because they may interfere with the equipment." The staff instruct you to leave your phone outside, but you insist that your phone does not pose a problem because it's turned off, and besides, it doesn't use the same radio frequency as the monitoring equipment. Tough. Defense in depth. Even if it's turned off, even if it uses a different radio frequency, they won't let it into the room.

    The same thing is true with data objects. CSRSS is careful to extract only the information it needs, but that's like walking into a hospital room with a cell phone whose antenna has been switched off. Sure, the antenna is off, but somebody might bump into you and accidentally turn it on, or there may be some software flaw in the phone that causes it to turn on spontaneously. Sure, you might argue that those failures aren't your fault, so you shouldn't be blamed for them, but try telling that to the person whose monitoring equipment failed to notify the hospital staff of an irregular heartbeat.

    People who study security vulnerabilities have quite a wide array of tricks available to them once they find even the tiniest crack. Even something as simple as a null pointer fault (in itself just a denial of service and not a source of pwnage) can be combined with other techniques and become a full-fledged exploit.

    For example, even though your cell phone antenna is off, its Bluetooth transceiver may still be on, and somebody might be able to hack into your Bluetooth headset and convince it to tell the cell phone, "Hey, I'd like to make a call. Please turn on your antenna." Even though this is a security flaw in the Bluetooth headset, it was used as a stepping stone into hacking your cell phone.

    There's also the possibility that you simply forgot that you had set a text message for delayed delivery, causing the phone to turn on its antenna when the delivery time is reached. Oops. You messed up, and now somebody is in intensive care.

    As of this writing, there is no known exploit for drag and drop into console windows, but since drag and drop uses highly extensible technology (namely COM and data objects), the possibility that one of those extension points may be used as an attack vector was deemed too great a risk compared to the benefit of the feature. The anonymous commenter concludes,

    Now if this is not a security hole, then either Csrss doesn't execute code in OLE objects it receives, or it doesn't accept any OLE objects received, or isn't able to receive OLE objects at all. Which one is it?

    CSRSS does not execute untrusted code in OLE objects it receives, but the fact that OLE objects are in the CSRSS process at all gives the security folks the heebie-jeebies. Although there is no known security hole, there is great potential for a security hole, and that's the reason for removing the potentially dangerous code from CSRSS even though it is (in theory) never executed.

    I bet you'd be nervous if somebody pointed a loaded gun at you even though the safety is engaged.

    Other discussion of defense in depth, including more examples:

  • The Old New Thing

    I drive a car the way most people use a computer

    • 82 Comments

    It was interesting to me reading the reactions to my adventures driving a manual transmission. People seemed to be spending a lot of time trying to convince me that if only I were to expend a bit more effort in learning the finer points of driving a manual transmission and log enough time behind the wheel, then the activity will become less taxing on my mental brainpower.

    But why should I care?

    To me, driving is not an end in itself. It is just a tool for solving the problem of getting from point A to point B. The less I have to learn about how to accomplish this task the better.

    My goal is not to become a car expert. My goal is to get to my destination conveniently. I don't want to "have greater control over the experience"; I don't want "more power"; heck, depending on where I'm going, I often prefer to take the bus, where I have no control over the experience at all!

    It occurred to me as I read commenter after commenter try to convince me that my own personal priorities were incorrect that I drive a car the same way most people use a computer. They don't want to know about the difference between ROM and RAM or how many floppy disks you can store in a 6 megabit cable modem. They just want to surf the web, send email, and look at pictures of their grandchildren. (Okay, they may want to do other stuff too, but knowing the difference between PIO and DMA is definitely not on the list.)

    There's no point trying to get these people to learn all these details about how computers work because they don't care. They just want to know where they need to click to see that picture of baby Annie. You can even tell them that the way they're doing it is suboptimal and there's a much more powerful way to view those pictures which also gives them the ability to alter the gamma curve and apply the correct color adjustment to the image to match their monitor's color temperature, but they won't care.

    And I don't blame them. Because I don't care either.

  • The Old New Thing

    What's the point of the MoveWindow function when we already have SetWindowPos?

    • 36 Comments

    Commenter Phil Quirk notes via the suggestion box, "MoveWindow is just a weird function. I guess it's easier to call than SetWindowPos, but that's the only thing it seems to have going for it."

    Yup, that's about right.

    The MoveWindow function doesn't really do anything you couldn't already do yourself with SetWindowPos. It's just a convenience function. And if you look at it pretty closely, it's really not that big of a convenience either, saving you one parameter (hwndInsertAfter) and replacing the flag SWP_NOREDRAW with a boolean parameter.

    Whoop-dee-doo.

    It shouldn't take too much imagination to figure out how this situation came about. It's the same reason why you have both CreateWindow and CreateWindowEx.

  • The Old New Thing

    If Twitter is micro-blogging, then is what I'm doing macro-tweeting?

    • 16 Comments

    Here is a collection of brief messages not worthy of a full blog entry. I think I'm going to call it macro-tweeting.

    • Went to pick up my new suit, only to discover that instead of altering it, the store returned the suit to inventory.
      • @raymond: Customer service fail!
      • @raymond: Hey, at least they didn't charge you a restocking fee!
      • @ian: Got re-fitted. Clerk: "How do I ring this up?" Salesman: "You don't. He already paid for it."
    • Silver lining: Found my long-lost camera recharger while organizing documents for my IRS compliance examination.
    • Current record against Chilly Hilly: 2 wins, 1 loss.
    • Learned another Chinese word. Only 2960 to go. Should be ready for basic conversation around 2097.
    • Unpacking a blender.
      • @raymond: Makin' smoothies, eh?
    • Less impressed with friend's 10,000-BTU hotpot burner, now that I found the sticker on my own El Lame-O burner that reads 9,925.
    • Got schooled in dumpling-making.
    • If, at the dinner table, a four-year-old offers to play the game Guess what's in my mouth, you should decline.

  • The Old New Thing

    Double secret auto-arrange probation

    • 35 Comments

    When you view a folder for the first time, Explorer arranges the items in a nice default pattern. And when items are added to the folder, they get added to the end. And when you delete an item from the folder... the other items auto-arrange to close the gap? But wait, if you look at the View options, the Auto-Arrange option is not set.

    So are we auto-arranging or not auto-arranging?

    Well, yes, but only until you touch it.

    As long as you express no interest in the placement of icons in a folder (and the desktop counts as a folder), then Explorer will auto-arrange them. But once you move an icon around, Explorer will turn off its double secret auto-arrangement and leave the icon arrangement to you.

    (Programmatically, this mode is known as LVS_EX_AUTOAUTOARRANGE.)
