In other news today...
-
@PleegWat Acorn DFS says yes, but that was a terrible FS. The original FAT filesystem also only has one directory.
-
@PleegWat said in In other news today...:
@boomzilla said in In other news today...:
But what good is even a floppy without a filesystem??!
Is it really a filesystem if it does not support directories?
Then it would be a directorysystem
-
@boomzilla said in In other news today...:
is anyone thinking there's a here. Don't fix what ain't broke, and the system worked fine, so they didn't touch it. But now their supply of spare parts is running low, and they are not made any more, so they are upgrading.
I think I already mentioned the pictures of a case of 3.5" floppies with a B-737 software upgrade that a colleague sent a few years back.
Her husband is an aircraft mechanic, and one day he was bringing such a case from the smaller airport with the maintenance facility to the main airport, because they forgot to put it back in the plane when the maintenance was done.
-
@boomzilla said in In other news today...:
Bonus s:
San Francisco Municipal Transportation Agency's director of transportation Jeffrey Tumlin told ABC that the city's automatic light-rail control system is running on outdated tech and "relies on three five-inch floppy disks" to boot up. The reporter was holding a 3.5-inch disk in the broadcast, so may have just skipped the word "point".
The agency noted that its system was installed in 1998, when floppies were still in common use and, er, "computers didn't have hard drives."
And before folks start panicking, it's worth remembering that use of floppy disks is not uncommon in embedded systems.
But what good is even a floppy without a filesystem??!
The tunnelbana in Stockholm used relay bank programs until 10 years ago or so. Pretty cool to see a room of pillars of relays rattling on, controlling traffic.
-
@Bulb said in In other news today...:
Don't fix what ain't broke, and the system worked fine, so they didn't touch it.
Just wait until they rewrite it in node and you'll suddenly need a bunch of DVDs to store it.
-
The "Club Pret" membership allows a customer to order up to five barista-made drinks a day for a monthly subscription of £30.
How are they making money on this? How much is the markup on the shit they sell? Questions need answers!
-
@DogsB pretty sure the answer is that the vast majority of people don't actually spend £30 worth a month but try it out for a couple of weeks and forget to cancel the sub.
-
@Arantor said in In other news today...:
@DogsB pretty sure the answer is that the vast majority of people don't actually spend £30 worth a month but try it out for a couple of weeks and forget to cancel the sub.
Also known as the Planet Fitness Made Me Fat Conspiracy gym membership model
-
@izzion said in In other news today...:
@Arantor said in In other news today...:
@DogsB pretty sure the answer is that the vast majority of people don't actually spend £30 worth a month but try it out for a couple of weeks and forget to cancel the sub.
Also known as the Planet Fitness Made Me Fat Conspiracy gym membership model
It's only the same model if they make you jump over tall buildings (in a single bound) in order to cancel.
-
@DogsB said in In other news today...:
How are they making money on this?
I don't know how anybody tolerates Pret coffee once a month, let alone five times a day.
-
@Arantor Seems that the problem is that the Windows command API is rubbish if it requires things that use it to properly escape things to avoid all kinds of problems.
-
@Arantor I'm going to make a myrust_real_escape_string() joke, of course, but... how is that a problem of Rust? Or even Windows, for that matter? The latter design is wonky, yes, as OSS fanbois like to remind everyone as if splitting arguments was some Nobel Peace Prize shit. But whose job is it really not to allow arbitrary user input there, anyway?
-
@Carnage said in In other news today...:
@Arantor Seems that the problem is that the Windows command API is rubbish if it requires things that use it to properly escape things to avoid all kinds of problems.
The problem is that on Windows there's at least half a dozen different conventions for how arguments are escaped, all of them badly documented and inconsistent.
-
Found on the linked articles list:
Despite the onebox, the actual article (as of right now) has this headline:
JetBrains keeps mum on 26 'security problems' fixed after Rapid7 spat
Why do headline writers always insist on making them as unreadable as possible? It took me like 2 minutes pondering whose mother they were talking about here and WTF that means. Granted, this one might just be a vocabulary issue, but most of the time they fuck up the grammar of headlines to be completely unparseable. Mostly notice this on /. Just write a readable sentence FFS.
-
@topspin said in In other news today...:
Why do headline writers always insist on making them as unreadable as possible?
-
@Carnage said in In other news today...:
@Arantor Seems that the problem is that the Windows command API is rubbish if it requires things that use it to properly escape things to avoid all kinds of problems.
The Windows command API is rubbish - it passes the entire thing as a single string. Splitting is the app's problem, therefore the app's language's stdlib problem.
-
@topspin TFA has a readable title but it does use a British vernacular which is why it might seem otherwise.
"Keeping mum" or "mum's the word" is Britslang for "keeping something quiet/secret"
-
@topspin said in In other news today...:
Why do headline writers always insist on making them as unreadable as possible? It took me like 2 minutes pondering whose mother they were talking about here
-
What's more, "mum" has had that meaning (its original) for six hundred years now. If anything, it's using it to mean "mother" that's the slang form.
-
@Arantor said in In other news today...:
@topspin TFA has a readable title but it does use a British vernacular which is why it might seem otherwise.
"Keeping mum" or "mum's the word" is Britslang for "keeping something quiet/secret"
I'd expect Americans to know that word, too. It's fairly common in this meaning. Less so as "mom," where it definitely sounds British to us.
For instance, first hit on a news search for "keep mum" for me:
-
@Applied-Mediocrity said in In other news today...:
@Arantor I'm going to make a myrust_real_escape_string() joke, of course, but... how is that a problem of Rust? Or even Windows, for that matter? The latter design is wonky, yes, as OSS fanbois like to remind everyone as if splitting arguments was some Nobel Peace Prize shit. But whose job is it really not to allow arbitrary user input there, anyway?
The application should have its own constraints for the user input, but it has to rely on the Rust standard library to pass the arguments to the launched process in a way they will be understood as intended. If it didn't do that, it is the standard library's fault. Which exists only because the Windows API is poorly designed, but the Rust standard library authors knew that.
-
@Bulb said in In other news today...:
it has to rely on the Rust standard library to pass the arguments to the launched process in a way they will be understood as intended
It literally doesn't. It must pass them exactly as written, because that is the only intended functionality. Understanding Command Prompt hijinks is application developer's responsibility, or else don't bloody call batch files and especially don't pass arbitrary user inputs to them.
-
@Applied-Mediocrity Yes, it does, because of the impedance mismatch between platforms.
When launching a Windows-specific application, the launcher's developer has to understand the peculiarities of how the launchee interprets its command line, but when a portable application launches another portable application, the standard library must ensure that the way it passes the arguments on Windows matches the way the standard library on Windows will parse them in the launchee. Because the author of a portable application must not be expected to know the quirks of all the platforms.
And before you say bat and cmd are Windows-specific, there are a lot of tools that are portable, but have a platform-dependent wrapper script to launch them that another portable application might be expected to launch without needing to know the details of the platform.
-
@Bulb It doesn't literally for the same reason you believe it does. Cross-platform is a bald-faced lie. You have to learn each platform's intricacies, no matter what some framework or stdlib sold to you.
So, if you're writing a Windows application and for some absolutely dumbass reason want to call batch files from it, sanitize the untrusted inputs or find out. Better yet, sanitize it anyway.
Chances are you're putting it in some log files, which may need parsing later, or storing in some other way where some eval might stumble upon them.
-
@Applied-Mediocrity So you want the application to arbitrary restrict input that would be perfectly valid if it was correctly quoted as the function promises to do‽
-
@Bulb do note that as per TFA, Go, Erlang, Ruby, Python, PHP and Node.js all have this issue and both Rust and Haskell have already released patches for it.
I find it funny that this is being mildly assumed as a Rust specific issue, I think it just happened to be reported there first.
-
@Arantor said in In other news today...:
I find it funny that this is being mildly assumed as a Rust specific issue
Probably due to a fundamental misunderstanding of what Rust claims to solve.
Kind of similar to arguments like "but it has an unsafe keyword, so it's just as bad as everything else".
-
@Bulb said in In other news today...:
@Applied-Mediocrity So you want the application to arbitrary restrict input that would be perfectly valid if it was correctly quoted as the function promises to do‽
You cannot ever assume something which works on one platform will also work on another. Different platforms support different versions of POSIX/SUS/BSD/whatever with different extensions. Windows is the biggest deviator of the lot, but definitely not the only one.
It's just in the specific case of argument passing it's far easier to do right in the unixes than it is on Windows.
-
@Bulb Not arbitrar[il]y. Deliberately, and by having the knowledge and experience how all the tools you directly involve work, and what are their pitfalls. Nothing in tech is "it just works", everything has stupid edge cases. Some shit has only edge cases, come to think of it. You're writing a Windows application that calls batch files? Well, it's about 40 years old, and the bad design is being kept because excavator. You can either accept it or you can't, but you can't do shit about it.
Dealing with untrusted input is infosec 101. It is always your job to ensure that all user input is rendered safe ASAP. Fail early, don't kick the garbage can down the road.
It is not the job of any stdlib to save you from yourself. They may elect to do so, if they want, and it's appreciated, but that is entirely optional, and not CVE-worthy.
-
@topspin said in In other news today...:
Probably due to a fundamental misunderstanding of what Rust claims to solve.
Not really. More because the Rust maintainers and community are generally more sensitive to reliability and security issues.
@Arantor said in In other news today...:
note that as per TFA, Go, Erlang, Ruby, Python, PHP and Node.js all have this issue …
So I clicked through to the technical description, and holy fuck, quoting an argument so that cmd.exe doesn't do any additional expansions is INSANE:
Since spaces can't be escaped properly outside of the double-quoted string, you have to use double quotes to wrap the command arguments. However, inside the double-quoted string, % can't be escaped properly. To solve this situation, the following tricky escaping is required:
- Disable the automatic escaping that uses the backslash (\) provided by the runtime.
- Apply the following steps to each argument:
  - Replace percent sign (%) with %%cd:~,%.
  - Replace the backslash (\) in front of the double quote (") with two backslashes (\\).
  - Replace the double quote (") with two double quotes ("").
  - Remove newline characters (\n).
  - Enclose the argument with double quotes (").
By replacing % with %%cd:~,%, %cd:~,% will be expanded to an empty string, and the command prompt fails to expand the actual variable, so the % will be treated as a normal character. Please note that if delayed expansion is enabled via the registry value DelayedExpansion, it must be disabled by explicitly calling cmd.exe with the /V:OFF option.
Also, note that the escaping for % requires the command extension to be enabled. If it's disabled via the registry value EnableExtensions, it must be enabled with the /E:ON option.
… the insane %%cd:~,% sequence is because apparently ^% ends up taken as ^% rather than % as expected from ^ being the escape character.
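The escaping procedure quoted above, written out as an added Python example (my code, not the linked article's, not Rust's standard library, and not anything posted in this thread). It assumes the runtime's own backslash-style escaping has already been turned off, and the `cmd.exe /E:ON /V:OFF /C ...` launch form is my assumption; the two switches are the ones the article names.

```python
import re


def escape_bat_arg(arg: str) -> str:
    """Quote one argument so cmd.exe hands it to a .bat/.cmd file unexpanded.

    Follows the steps quoted from the article; this is an added example,
    not the article's or Rust's own implementation.
    """
    if "\x00" in arg:
        # A NUL cannot be represented on a Windows command line at all.
        raise ValueError("argument contains NUL")
    # Remove newline characters: a bare newline ends the command line, and
    # whatever follows it would run as a separate command.
    arg = arg.replace("\r", "").replace("\n", "")
    # Replace % with %%cd:~,%: %cd:~,% expands to the empty string, so the
    # variable name is split apart and the leftover % stays a literal.
    arg = arg.replace("%", "%%cd:~,%")
    # Double every run of backslashes that sits directly in front of a double
    # quote, so the callee's argument parser does not treat it as an escape.
    arg = re.sub(r'(\\+)"', lambda m: m.group(1) * 2 + '"', arg)
    # Replace each double quote with two double quotes.
    arg = arg.replace('"', '""')
    # Enclose the argument with double quotes.
    return '"' + arg + '"'


def build_bat_command_line(bat_path: str, args: list[str]) -> str:
    """Assemble the line for cmd.exe: /E:ON forces command extensions on and
    /V:OFF forces delayed expansion off, regardless of the registry settings.
    Using /C to run the script is an assumption of this example."""
    parts = ["cmd.exe", "/E:ON", "/V:OFF", "/C", escape_bat_arg(bat_path)]
    parts.extend(escape_bat_arg(a) for a in args)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the article.
    for sample in ["plain", "two words", "%PATH%", 'say "hi"', "a\nb & dir"]:
        print(repr(sample), "->", escape_bat_arg(sample))
    print(build_bat_command_line(r"C:\tools\run.bat", ["%USERNAME%", 'x "y"']))
```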
-
@Applied-Mediocrity said in In other news today...:
@Bulb Not arbitrar[il]y.
Arbitrarily. If the argument is a text, it might legitimately contain "s, &s and %s. You shouldn't be disallowing them because cmd.exe is shit¹
The library takes a list of arguments, and promises to pass each as a separate argument. If it does not work, it is a bug in the library. The user is allowed to assume it will actually do that, and if it does not, it is a vulnerability in the library.
¹ Well, maybe you actually should, because cmd.exe being shit means it's almost impossible to correctly work with such argument inside the batch file too, so the script probably isn't going to work correctly anyway. The library should still pass the argument as a single argument as it declares.
-
@Applied-Mediocrity said in In other news today...:
as OSS fanbois like to remind everyone as if splitting arguments was some Nobel Peace Prize shit
That is offensive to commercial Unix fanbois.
-
@Bulb what if they're using PowerShell instead of cmd.exe?
-
Now for something completely different: SCIENCE!
-
@Dragoon said in In other news today...:
a novel quantum state
Do they have a quantum flag? And a quantum president? A quantum army?
One moment, more interesting: is there a quantum currency with quantum blockchains?
-
@Dragoon said in In other news today...:
Now for something completely different: SCIENCE!
Unraveling the behavior of nanoconfined water and ice in extreme conditions
A study conducted in obviously
-
@Bulb said in In other news today...:
@Applied-Mediocrity So you want the application to arbitrary restrict input that would be perfectly valid if it was correctly quoted as the function promises to do‽
There are a very large number of problems with all this, not least that it depends on accurately determining whether the target command is going to be interpreted using cmd rules, or MSVC rules, or something else. And then you need to be passing an attacker-controlled value that way, which would be anyway.
This all sounds like the sort of "problem" that stems from a face-off between many ways of Doing It Wrong. The only winning move is not to play, to declare that this is not something that can be made right and to prominently advise programmers to not do it. (Pass the untrusted values properly quoted in a doc, such as JSON or XML, or through a database row.)
-
@Applied-Mediocrity said in In other news today...:
@Dragoon said in In other news today...:
Cool dice tray! Where can I buy one?
Three of the sides will allow the dice to roll off. This is a terrible dice tray.
-
@PotatoEngineer :clarkson: It's cool!
Well, you're not wrong, but how many dice trays (or die themselves, for that matter) are actually being used for their supposedly intended purpose?
-
@PotatoEngineer said in In other news today...:
@Applied-Mediocrity said in In other news today...:
@Dragoon said in In other news today...:
Cool dice tray! Where can I buy one?
Three of the sides will allow the dice to roll off.
It adds some danger which makes rolling the dice more exciting
-
@loopback0 If you roll a natural 20 but crit fail the actual dice roll, how does that count?
-
@hungrier said in In other news today...:
@loopback0 If you roll a natural 20 but crit fail the actual dice roll, how does that count?
Yes
-
@Arantor said in In other news today...:
@Bulb what if they're using PowerShell instead of cmd.exe?
Be gone devil!
-
According to data shared by six companies, the EU's new laws have led to a spike in users for independent browser companies, such as Cyprus-based Aloha Browser
-
@DogsB I didn't see that list yet, but I did see a list of search engines offered on phone initialization. Besides the usual suspects (ddg is a usual suspect by now) it had two potentially interesting entries,
and something like three "ecological" search engines that I didn't care to remember, or bookmark.
-
@Applied-Mediocrity said in In other news today...:
@Bulb said in In other news today...:
it has to rely on the Rust standard library to pass the arguments to the launched process in a way they will be understood as intended
It literally doesn't. It must pass them exactly as written, because that is the only intended functionality. Understanding Command Prompt hijinks is application developer's responsibility, or else don't bloody call batch files and especially don't pass arbitrary user inputs to them.
This is one of my peeves with PowerShell, as something that would be totally fine in Command Prompt gets reinterpreted in PowerShell before the program gets called at all and can lead to results...
-
Emulating a ninty console is a bold first move.