
Someone just pointed me to http://www.drhorrible.com, which is Joss Whedon’s newest epic.

The first two acts are up on the web (the final act will go up on Saturday).

They are spectacularly cool, especially to a musical nut.  I knew that Neil Patrick Harris had great musical chops (after all, he did Assassins on Broadway) but the rest was just fantastic.

 

Well worth checking out, there are some really funny bits.  They did a truly great job on it.

The Intertubes are all atwitter with reports that  Dell and other OEMs colluded with the RIAA to disable the Wave Out Mix option on new laptops.

Wow, what a tempest in a teapot.  I just LOVE watching conspiracy theories as the echo chamber does its magic.

 

And of course it’s almost certainly hogwash (I don’t know for sure, but I do know that some of the rumors are totally stupid).

First off, what is Wave Out Mix?  It’s an option that some audio manufacturers added to their audio hardware (Creative calls it “What U Hear”).  Typically the Wave Out Mix is implemented by connecting the analog output from the DAC (Digital-to-Analog Converter) to a specific input on the ADC (Analog-to-Digital Converter) which is labeled as “Wave Out Mix”.

If you record on the Wave Out Mix input, you will capture the samples that are being played via Wave Out.

 

In Windows Vista, by default we only enable microphone, line in and digital inputs to the audio hardware (the theory being that users typically only want to be able to listen to those inputs).  If the audio solution offers other inputs, they’re still there but we bury them somewhat. 

You can find those additional inputs in mmsys if you start the sound control panel and go to the “Recording” tab.  If you right click and select “Show Disabled Devices” you can enable those alternate inputs.

In addition, these days many OEMs don’t bother adding the Wave Out Mix support.  It costs slightly more to order chips with Wave Out Mix support than it does to order chips without the functionality, and OEMs are incredibly cost conscious.  The other reason is that for those OEMs that implemented the Wave Out Mix with an analog tap, you can achieve almost the same results with a $2.50 analog cable run between the output and the line in input of the machine.

 

Part of the reason that I know that this is just a conspiracy theory running rampant is that Windows Vista built the support for the Wave Out Mix input directly into the operating system.  If you pass the AUDCLNT_STREAMFLAGS_LOOPBACK flag to the IAudioClient::Initialize method, then the audio system will initialize the engine in loopback mode.  You can start capturing data off that IAudioClient object and you’ll get the post-mix output for the endpoint. 

The loopback support was designed primarily for use by AEC functionality (which needs to be able to know what samples are being played), but it also allows you to perform essentially the same functionality as the Wave Out Mix hardware used to do.

If you want to play with the loopback functionality, the WinAudio SDK sample application allows you to capture using the loopback functionality.

Last weekend we dropped Daniel off at Carnegie-Mellon for summer school (the CMU drama school’s pre-college musical theater program).  It was essentially the first time I’d gone back to CMU since I graduated (we visited for a couple of hours back in 1992, but we spent most of the time visiting friends in the area and very little time on campus). 

We got in on Friday afternoon, got our car and headed in.  I have to admit that it felt quite strange seeing all the landmarks as we drove in from the airport.  We got onto 376 and headed west towards CMU. 

We drove around the campus pointing out all the relevant locations to Daniel and Sharron.  Then we parked the car and took an impromptu tour of the campus.

Even after 25 years, the campus hasn’t changed very much.  They’ve built a couple of new buildings on the cut (a large swath of lawn that runs from Forbes Ave to the Hunt Library).  I like the new performing arts center (not surprisingly, they have a killer theater), but not the new campus center (the space itself seems to be fine, I just dislike how the building looks).

My biggest shock happened when we entered Doherty Hall.  I hadn’t realized it, but the building still had the same smell to it.  I know it’s weird, but I associate memories with odors, and Doherty has a distinct smell that is still there.  I was also surprised that they hadn’t really changed the two big lecture halls in Doherty.  We then wandered over to Science^H^H^H^H^H^HWean hall and started looking at the various professors offices.  Wean 7500 (the big lecture hall in Wean) also hasn’t changed in the past 25 years (although they did upgrade the lobby outside the lecture hall, go figure that one).

We continued outside and eventually wandered up to Squirrel Hill to get dinner…

Saturday was spent moving Daniel into his dorm room and attending various and sundry orientations, many of which were quite good (and some were utterly tedious).  Vaguely humorously, I ran into one father who was dropping his daughter off for the pre-college musical theater program.  He mentioned that his son was working at Microsoft for the summer :).  Strange world. 

 

Sunday we went to Kennywood, which is Pittsburgh’s main amusement park (with some utterly killer roller coasters).  Fortunately it was threatening rain, so the crowds were light.  Again Kennywood is almost exactly as I remembered it; I have to say I was really impressed with what they’d done with the place – even though it’s on a major road, it feels both cozy and expansive at the same time.

Sunday evening we went to the O’s for dinner; we’d spent the past 15 or so years raving about the place to our kids, we figured it would be a shame not to go there.  The hot dogs were just as good as I’d remembered.  After dinner, we caught up with a friend from college and spent a couple of hours catching up on old times (which wasn’t nearly enough time). 

Monday we flew back to Seattle, we’re still tired from the trip, but it was a HUGE amount of fun.  I hadn’t realized just how much I had missed Pittsburgh all these years. 

Not surprisingly, as a peon, I don’t get to interact with Bill very often, so my few interactions are almost by definition memorable.

I’ve posted this story before, but it deserves to be recycled in honor of Bill’s last few days.

This happened back in the mid 1980’s, we were doing a project review for Lan Manager 1.0 with him. 

One portion of the meeting was about my component, DOS Lan Manager (basically an enhanced version of the MS-NET redirector, with support for a fair number of the Lan Manager APIs on the client).  My boss and I were given the job of presenting the data for that portion.

One of the slides (not Powerpoint, it didn’t exist at the time – Lucite slides on an overhead projector) we had covered the memory footprint of the DOS Lan Manager redirector.

For DOS LM 1.0, the redirector took up 64K of RAM.

And Bill went ballistic.

“What do you mean 64K?  When we wrote BASIC, it only took up 8K of RAM.  What the f*k do you think idiots think you’re doing?  Is this thing REALLY 8 F*ing BASIC’s?”

The only answer we could give him was “Yes” :).

To this day, I sometimes wonder if he complains that Windows XP is “16,000 F*ing BASIC’s”.

We didn't ignore Bill's comment, btw (you never want to do that).  We worked on reducing the footprint of the DOS redirector by first moving the data into LIM Extended memory, next by moving the code into expanded memory.  For LAN Manager 2.1, we finally managed to reduce the below 640K footprint of the DOS redirector to 128 bytes.  It took a lot of work, and some truly clever programming, but it did work.

Since the last one was recycled, here’s a bonus BillG memory.  I may have discussed this one in the past in a C9 video but I can’t find any references on my blog about it.

Shortly after my 15th anniversary at Microsoft, I got an invitation to a dinner at BillG’s house for all the employees with more than 15 years of service (I had just squeaked into that rather elite group).  There were about 100 of us with our significant others at the dinner, and not surprisingly Bill was totally mobbed (even among groups of old-timers Bill still gets loads of people pestering him, I guess it goes with the territory).  About half way through the dinner, Bill’s daughter and her nanny came out to play on the swings before bedtime. 

Bill immediately disentangled himself from his various conversations and went over to the swing-set and spent about 20 minutes pushing his daughter on the swings.  He could have ignored her and let the nanny deal with it, he could have simply given his daughter good night kisses and gone back to the party, but he didn’t.  He blew all these hideously senior Microsoft people off and went to spend time with his daughter.

That was when I realized how much parenthood had changed Bill for the better.

I’m going to be out of town tomorrow, so I won’t be able to post this on Bill’s last full time day at Microsoft, but I wanted to post a couple of anecdotes about Bill.

This one actually comes from Valorie, it was her first interaction with Bill…

 

Valorie was an intern back during the summer of 1985 in the Word group (she was working on testing Word for the ATT 3B5 minicomputer (yeah, we had a version of Word for Xenix machines back then)).

 

She was late at work one night and she noticed this madman skipping down the hall leaping at the ceiling tiles trying to tip them out of their frames.  She thought this was weird, but back in those days all sorts of strange things happened.  Employees used to have softball games in the hall (which were eventually stopped when someone accidentally smashed a relight with a bat), the Windows team used to climb onto the roof of the building and have impromptu jam sessions on the roof of the building.  Stuff like that happened fairly regularly, so a crazy man running down the hall swatting at the ceiling wasn’t a big deal.

She asked Libby, the person in the office next to her who the madman was and Libby replied: “Oh, that’s just my brother.” 

Valorie chalked it up to nepotism – over the years there were a lot of siblings working at Microsoft (just off the top of my head, I can think of at least 4 pairs of siblings working there at the time), so she thought nothing of it.

 

Until a couple of days later when she noticed that her neighbor's nameplate said:

Libby Gates

Valorie had several more interactions with Bill when she worked with Nathan Myhrvold, but this one was by far the most memorable.  I absolutely love the image of Bill Gates, skipping down the hall swatting at the ceiling, it’s SO different from the stereotypical image people have of Bill.

 

I have a couple of other BillG stories I want to tell, but they’ll have to wait until I come back next week.

Wow.

 

In the past, I've written about Oliver, the pony we bought a couple of years ago for my daughter to ride.  Sharron's long given up riding, but fortunately a young woman in our barn, Margaret Odom decided to take a flier on Oliver and the two have fallen in love.

 

Margaret's been doing really well on Oliver and we've always known that she's a skilled rider and that Oliver is a talented horse, but we just got notified that she's been invited to compete for the National Junior Dressage Championships in California next weekend (June 21-22).  Margaret is one of 12 junior riders nationally to receive this invitation.

She'll be competing in the same venue as the US Olympic dressage team will be holding the trials for the US National Dressage Team, and she'll be competing before the same judges as the National team.

 


This is absolutely huge, and I want to give her and Oliver a huge shout out.  I'm just bummed that we can't be there to watch her compete.

 

For whatever reason, various groups at Microsoft love to run banners and posters that promote their products on campus.  I'm not sure why they do it, I'd think that their money would be better spent advertising to (say) customers as opposed to advertising to co-workers, but hey, I don't control their budget.

Recently there's been a relatively cryptic series of banners circulating near my building that originally was a series of pictures of the back of people's heads, and recently changed to a series of faces (all with no text).

Yesterday I was on a shuttle with one of the PMs in my group and the conversation went something like this:

PM: Do you have any idea what those banners are advertising?

Me: Yeah, I figured it out a couple of weeks ago on my walk. They're Microsoft Advertising.

PM: I know it's Microsoft advertising, it's blindingly obvious that they're advertising something.

Me: No, it's Microsoft Advertising.

PM (somewhat exasperated): I know it's advertising.  I'm just trying to figure out what they're advertising.

Me: Microsoft Advertising.

PM: If you don't know, then why did you tell me you knew what they were?

 

Bud and Lou would be proud.

Tonight we're going to be attending the 2008 5th Avenue High School Musical Awards show.  It's the local equivalent of the Tony awards for High School musical productions.  This year Daniel won an Honorable Mention for his performance as Brownlow in Overlake's production of Oliver!  In addition, his cast mate Nick Wright has been nominated for an award for his role as Mr. Bumble.

It's cool to see Daniel and Nick's hard work being recognized.

I recently figured out a problem that I've been having with one of our internal tools.  The tool is used to automatically deploy our daily builds (extremely handy when you're doing that every other day to several test machines).  As a part of the tool, you need to include the password for a test account.

We normally use the tool from an automatic test harness, essentially I enter the 4 or 5 parameters to the test and it automatically runs the tool (and other stuff if necessary).

The problem I had was that I would enter my account and password but the tool kept failing after reporting invalid parameter errors.  It worked perfectly when I used a different account that is used by our testers, but when I tried using my preferred test account it kept on failing with some kind of command line parsing error.

Eventually I tracked down the actual command line being passed by the harness into the tool and I was immediately able to see the problem.

 

Being a security geek, my "password" is actually a passphrase - the theory is that passphrases are harder to crack than passwords because they are drawn from a larger dictionary.  So my passwords tend to be things like "The rain in Spain falls mainly on the plain".

In this case, the test harness took my password and passed it to the tool as follows (assuming that the command line for the test tool is "testtool.exe -useuser <username> <password>"):

testtool.exe -useuser testaccount The rain in Spain falls mainly on the plain

Doh!  Either the test tool or the test harness wasn't handling the spaces correctly.  I tried an experiment and ran the test tool manually:

testtool.exe -useuser testaccount "The rain in Spain falls mainly on the plain"

and it worked!  So it appears that the problem was that the test harness wasn't correctly handling the spaces in my password.

 

So I went to the maintainer of the test harness and described the problem to him.

His response?  "I never knew you could have spaces in a password!  Wow, I didn't even think of that."

 

Sigh.

On Microsoft operating systems, spaces have been legal in filenames since MS-DOS 2.0 (about 1982) and in passwords since MS-NET 1.0 (about 1984).  I'm astonished that 25 years later there are people who still don't know that.
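The failure described in this post, reproduced as an added example (this is not the internal tool or harness, whose code the post does not show). The function names, the sample passwords and `split_windows`, a simplified model of how the Microsoft C runtime splits a command line into arguments, are assumptions made for illustration; `subprocess.list2cmdline` is Python's helper that applies the matching quoting rules.

```python
import subprocess

# Passphrase and command shape are the ones quoted in the post.
PASSPHRASE = "The rain in Spain falls mainly on the plain"
# Constructed sample passwords: spaces, embedded quotes plus a trailing
# backslash, an empty password, and one with no special characters.
SAMPLES = [PASSPHRASE, 'say "hi" \\', "", "NoSpaces1!"]


def naive_command_line(argv):
    """What the harness effectively did: join the pieces with spaces."""
    return " ".join(argv)


def quoted_command_line(argv):
    """Quote each argument so the tool receives it as a single argv entry."""
    return subprocess.list2cmdline(argv)


def split_windows(cmdline):
    """Split a command line roughly as the Microsoft C runtime does.

    Simplified model (assumption): 2n backslashes before a quote yield n
    backslashes and toggle quoting; 2n+1 yield n backslashes and a literal
    quote; any other backslashes are literal.
    """
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')          # escaped, literal quote
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)     # backslashes are literal here
                i = j
            have_arg = True
        elif ch == '"':
            in_quotes = not in_quotes
            have_arg = True                  # "" is a real, empty argument
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def broken_passwords(builder, samples=SAMPLES):
    """Return the sample passwords that do not reach the tool intact."""
    broken = []
    for password in samples:
        argv = ["testtool.exe", "-useuser", "testaccount", password]
        if split_windows(builder(argv)) != argv:
            broken.append(password)
    return broken


if __name__ == "__main__":
    print("naive :", broken_passwords(naive_command_line))
    print("quoted:", broken_passwords(quoted_command_line))
```

When the harness is itself written in Python, passing the argument list straight to `subprocess.run` avoids building the command-line string by hand at all.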

Not surprisingly, I'm the security contact for my small part of the Windows organization (it's called the Devices&Media group, which is within the WEX division).  As such, I'm responsible for providing security guidance and reviewing the threat models for our group (I've done a lot of them over the past few months :)).

Earlier this morning, one of the PMs for one of the teams in D&M stopped by my office with a thank you gift for the work I've done with his team.  He had noticed my 20 year old office tool kit and his team decided to replace it with something newer (and way cooler):

 


I sent them a private thank-you, but I've got to say publicly that I'm really touched - it was extraordinarily nice of them and I truly appreciate it.

 

 

PS: before anyone asks, the photo was taken with the toolkit resting on a test laptop (it's an old Toshiba M5).  In the background, you can see the Blibbet Hat I had made about 20 years ago at a local fair.

Apparently two years ago, someone ran a static analysis tool named "Valgrind" against the source code to OpenSSL in the Debian Linux distribution.  The Valgrind tool reported an issue with the OpenSSL package distributed by Debian, so the Debian team decided that they needed to fix this "security bug".

 

Unfortunately, the solution they chose to implement apparently removed all entropy from the OpenSSL random number generator.  As the OpenSSL team comments "Had Debian [contributed the patches to the package maintainers], we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was."

 

And it IS a terrible idea.  It means that for the past two years, all crypto done on Debian Linux distributions (and Debian derivatives like Ubuntu) has been done with a weak random number generator.  While this might seem to be geeky and esoteric, it's not.  It means that every cryptographic key that has been generated on a Debian or Ubuntu distribution needs to be recycled (after you pick up the fix).  If you don't, any data that was encrypted with the weak RNG can be easily decrypted.

 

Bruce Schneier has long said that cryptography is too important to be left to amateurs (I'm not sure of the exact quote, so I'm using a paraphrase).  That applies to all aspects of cryptography (including random number generators) - even tiny changes to algorithms can have profound effects on the security of the algorithm.   He's right - it's just too easy to get this stuff wrong.

 

The good news is that there IS a fix for the problem, users of Debian or Ubuntu should read the advisory and take whatever actions are necessary to protect their data.
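Why every key has to be regenerated, as an added toy model (this is not OpenSSL or Debian code): when the generator's only input is a small seed, every key it can ever produce can be listed in advance, so an inventory of deployed keys can be audited against that list. The seed-space size, the hash-based stand-in for key generation and the inventory names are all assumptions of this example.

```python
import hashlib
import math
import secrets

# Assumption of this toy model: the broken generator is driven by a seed
# that can take only 2**15 distinct values.
SEED_SPACE = 2 ** 15
KEY_BYTES = 16  # nominal 128-bit keys


def toy_keygen(seed):
    """Stand-in for key generation whose only input is the small seed."""
    material = b"toy-keygen" + seed.to_bytes(4, "big")
    return hashlib.sha256(material).digest()[:KEY_BYTES]


def fingerprint(key):
    """Identifier stored in the blocklist instead of the key itself."""
    return hashlib.sha256(key).hexdigest()


def build_blocklist():
    """Fingerprints of every key the weak generator can ever emit."""
    return {fingerprint(toy_keygen(seed)) for seed in range(SEED_SPACE)}


def effective_bits(blocklist):
    """Real strength of a 'KEY_BYTES * 8'-bit key from the weak generator."""
    return math.log2(len(blocklist))


def audit_keys(inventory, blocklist):
    """Return the names of keys that must be regenerated, sorted."""
    return sorted(name for name, key in inventory.items()
                  if fingerprint(key) in blocklist)


def sample_inventory():
    """Constructed inventory: two keys from the weak generator, one sound."""
    return {
        "web-01": toy_keygen(4242),                   # made while RNG was weak
        "mail-01": toy_keygen(17),                    # made while RNG was weak
        "vpn-01": secrets.token_bytes(KEY_BYTES),     # made with a sound RNG
    }


if __name__ == "__main__":
    blocklist = build_blocklist()
    print("nominal bits  :", KEY_BYTES * 8)
    print("effective bits:", effective_bits(blocklist))
    print("regenerate    :", audit_keys(sample_inventory(), blocklist))
```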

I just ran into this post by Eric Brechner who is the director of Microsoft's Engineering Excellence center.

What really caught my eye was his opening paragraph:

I heard a remark the other day that seemed stupid on the surface, but when I really thought about it I realized it was completely idiotic and irresponsible. The remark was that it's better to crash and let Watson report the error than it is to catch the exception and try to correct it.

Wow.  I'm not going to mince words: What a profoundly stupid assertion to make.  Of course it's better to crash and let the OS handle the exception than to try to continue after an exception.

 

I have a HUGE issue with the concept that an application should catch exceptions[1] and attempt to correct them.  In my experience handling exceptions and attempting to continue is a recipe for disaster.  At best, it turns an easily debuggable problem into one that takes hours of debugging to resolve.  At its worst, exception handling can either introduce security holes or render security mitigations irrelevant.

I have absolutely no problems with fail fast (which is what Eric suggests with his "Restart" option).  I think that restarting a process after the process crashes is a great idea (as long as you have a way to prevent crashes from spiraling out of control).  In Windows Vista, Microsoft built this functionality directly into the OS with the Restart Manager, if your application calls the RegisterApplicationRestart API, the OS will offer to restart your application if it crashes or is non responsive.  This concept also shows up in the service restart options in the ChangeServiceConfig2 API (if a service crashes, the OS will restart it if you've configured the OS to restart it).

I also agree with Eric's comment that asserts that cause crashes have no business living in production code, and I have no problems with asserts logging a failure and continuing (assuming that there's someone who is going to actually look at the log and can understand the contents of the log, otherwise the  logs just consume disk space). 

 

But I simply can't wrap my head around the idea that it's ok to catch exceptions and continue to run.  Back in the days of Windows 3.1 it might have been a good idea, but after the security fiascos of the early 2000s, any thoughts that you could continue to run after an exception has been thrown should have been removed forever.

The bottom line is that when an exception is thrown, your program is in an unknown state.  Attempting to continue in that unknown state is pointless and potentially extremely dangerous - you literally have no idea what's going on in your program.  Your best bet is to let the OS exception handler dump core and hopefully your customers will submit those crash dumps to you so you can post-mortem debug the problem.  Any other attempt at continuing is a recipe for disaster.

 

-------

[1] To be clear: I'm not necessarily talking about C++ exceptions here, just structured exceptions.  For some C++ and C# exceptions, it's ok to catch the exception and continue, assuming that you understand the root cause of the exception.  But if you don't know the exact cause of the exception you should never proceed.  For instance, if your binary tree class throws a "Tree Corrupt" exception, you really shouldn't continue to run, but if opening a file throws a "file not found" exception, it's likely to be ok.  For structured exceptions, I know of NO circumstance under which it is appropriate to continue running.

 

Edit: Cleaned up wording in the footnote.

Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a “game-over” vulnerability that was just published by Mark Dowd over at IBM's ISS X-Force that affects Flash. For those that don’t speak hacker-speak, in this case, a “game-over” vulnerability is one that can be easily weaponized (his techniques appear to be reliable and can be combined to run an arbitrary payload). As an added bonus, because it’s a vulnerability in Flash, it allows the attacker to write a cross-browser, cross-platform exploit – this puppy works just fine in both IE and Firefox (and potentially in Safari and Opera).

This vulnerability doesn’t affect Windows directly, but it DOES show how a determined attacker can take what was previously thought to be an unexploitable failure (a null pointer dereference) and turn it into something that can be used to 0wn the machine.

Every one of the “except not quite” issues that Thomas writes about in the article represented a stumbling block that the attacker (who had no access to the source to Flash) had to overcome – there are about 4 of them, but the attacker managed to overcome all of them.

This is seriously scary stuff.  People who have Flash installed should run, not walk, over to Adobe to pick up the update.  Please note that the security update comes with the following warning:

"Due to the possibility that these security enhancements and changes may impact existing Flash content, customers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition."

Edit2: It appears that the Adobe update center I linked to hasn't yet been updated with the fix, I followed their update procedure, and my Flash plugin still had the vulnerable version number.

Edit: Added a link to the relevant Adobe security advisory, thanks JD.

 

Michael Howard sent the following news article to one of our internal DL's this morning.  For some reason, I don't think it's going to hit the front page of Slashdot any time soon:

Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.

                                                :

"When we went in and did a further investigation, we found that there was an IRC bot installed on the system," Marshall said.

So Antioch's Solaris systems were (a) compromised by an old vulnerability, and (b) were being used as botnet clients.  Both of which the slashdot crowd claim only happens on "Windoze" machines.

At what point do people pull their heads out of the sand and realize that computer security and patching disciplines are an industry-wide issue and not just a single platform issue?  Even after the Pwn2Own contest last month was won by a researcher who exploited a Flash vulnerability, the vast majority of the people commenting on the ZDNet article claimed that the issue was somehow "windows only".  Ubuntu even published a blog post that claimed that they "won" (IMHO they didn't, because Shane has said that the only reason he chose not to attack the Ubuntu machine was that he was more familiar with Windows).  The reality is that nobody "wins" these contests (except maybe the security researcher who gets a shiny new computer at the end).  It's just a matter of time before the machine will get 0wned.

Ignoring stories like this makes people believe that somehow security issues are isolated to a single platform, and that in turn leaves them vulnerable to hackers.  It's far better to acknowledge that the IT industry as a whole has an issue with security and ask how to move forwards.

 

Edit: Ubunto->Ubuntu (oops :))

Daniel just returned from a 10 day trip to Italy where his school chamber choir performed at the 2008 Choir International Festival in Verona.

 

One of the Choir parents just sent out an email pointing to two clips of the choir performing:

Dravidian Dithyr:

 

 

Wanting Memories (they cut off the beginning and the end of the song):

It's cool to see the choir on the web.

 
