In other news today...
-
@Erufael said in In other news today...:
@LaoC said in In other news today...:
The bug concerns a crypto library that is well below 80kLOC. I think some basic research would likely come to the conclusion that this should be reasonably fixable in a month, so three is quite generous.
Yes, because the number of code lines is the only metric to gauge complexity. Especially when talking about a crypto library.
Filed under: Apple Stand
-
@Erufael said in In other news today...:
@LaoC said in In other news today...:
The bug concerns a crypto library that is well below 80kLOC. I think some basic research would likely come to the conclusion that this should be reasonably fixable in a month, so three is quite generous.
Yes, because the number of code lines is the only metric to gauge complexity. Especially when talking about a crypto library.
Not to mention that changing code in a library never has had any effect on the programs consuming said library in the history of mankind. Never, I tell you!
-
@Erufael said in In other news today...:
@LaoC said in In other news today...:
The bug concerns a crypto library that is well below 80kLOC. I think some basic research would likely come to the conclusion that this should be reasonably fixable in a month, so three is quite generous.
Yes, because the number of code lines is the only metric to gauge complexity. Especially when talking about a crypto library.
I never said it was—but that's what some basic research (which @Rhywden simply assumes Ormandy hasn't done) would take as a first approximation. It could also take into account that a crypto library is a component that's easily testable in isolation, unlike with many other bugs that only appear in complex interactions of other components and involve things like race conditions that are orders of magnitude harder to debug. Or that the bug involves malformed inputs, so it's likely a case of a forgotten validation. Or that the library mostly implements well-known algorithms that are available in dozens of other implementations for reference.
Then again, you may just be right and MS has managed to make it an unmanageable mess anyway. From the README:
SymCrypt is the core cryptographic function library currently used by Windows. [...]
At the moment this library only compiles with the Windows build system. Unfortunately this toolchain is not available outside Microsoft.
From the code, here's how to use a varargs function fatal():
#define FATAL( text ) {fatal( __FILE__, __LINE__, text );}
#define FATAL2( text, a ) {fatal( __FILE__, __LINE__, text, a );}
#define FATAL3( text, a, b ) {fatal( __FILE__, __LINE__, text, a, b );}
#define FATAL4( text, a, b, c ) {fatal( __FILE__, __LINE__, text, a, b, c );}
#define FATAL5( text, a, b, c, d ) {fatal( __FILE__, __LINE__, text, a, b, c, d );}
#define FATAL6( text, a, b, c, d, e ) {fatal( __FILE__, __LINE__, text, a, b, c, d, e );}
#define CHECK( cond, text ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text );}; _Analysis_assume_( cond );}
#define CHECK3( cond, text, a ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a );}; _Analysis_assume_( cond );}
#define CHECK4( cond, text, a, b ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a, b );}; _Analysis_assume_( cond );}
#define CHECK5( cond, text, a, b, c ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a, b, c );}; _Analysis_assume_( cond );}
-
@PJH said in In other news today...:
However, the Welsh government warned that this could breach the requirement to meet the limit “in the shortest possible time”.
That would mean dropping a 16-ton weight in the middle of the road and being done with it.
-
-
@PJH said in In other news today...:
2,000 lorries a day
I wonder how many buses. They're among the worst polluters, yet many local councils have a bit of a blind spot there.
-
@dkf said in In other news today...:
@PJH said in In other news today...:
2,000 lorries a day
I wonder how many buses. They're among the worst polluters, yet many local councils have a bit of a blind spot there.
Given it's Wales, probably one.
A week.
-
Father Andrzej Trojanowski, the priest leading the project
"The number of people who need help is intensifying right now."
In Catholic Poland, number intensifies you.
Take note, all ye addicts:
He said internet addicts and yoga devotees were also at risk.
Local residents worried the center would not have adequate security.
Demons are known in the state of California to cause yoga and other weird shit. You wouldn't want to leak any over the neighborhood, would you?
-
@LaoC said in In other news today...:
Local residents worried the center would not have adequate security.
And then:
"People are worried about the potential for crazy people coming here," said Ksawery Nyks, 50, a longtime resident, the Washington Post reports.
The potential of crazy people coming there? I'd say that's pretty much guaranteed -- presumably somebody is going to be running the place.
-
@PJH said in In other news today...:
Given it's Wales, probably one.
A week.
It's South Wales. They have buses. And trains. And no coal any more.
-
@dkf said in In other news today...:
And trains. And no coal any more.
How do they power the trains, then? Or is there a toy one in Portmeirion?
-
@PJH said in In other news today...:
@dkf said in In other news today...:
And trains. And no coal any more.
How do they power the trains, then? Or is there a toy one in Portmeirion?
Ribbon springs and a lot of gears.
-
@Mingan said in In other news today...:
@PJH said in In other news today...:
@dkf said in In other news today...:
And trains. And no coal any more.
How do they power the trains, then? Or is there a toy one in Portmeirion?
Ribbon springs and a lot of gears.
-
@dcon I was thinking more like :
-
-
-
@TimeBandit Seems she at least got less than originally wanted:
Mauger said Brushett‘s conduct as a pedestrian must have contributed to the accident. “Ms Brushett must clearly have equal responsibility if she is crossing the road without looking – and if she is looking at her phone, even more so,” she said.
The judge’s ruling found that the parties shared responsibility, so while Brushett is guaranteed a payout, she will get only half of the full value of her claim.
-
-
Since we don't have a Russian Man thread:
-
Looks like somebody else wants to get out of the country before Brexit:
-
@LaoC said in In other news today...:
At the moment this library only compiles with the Windows build system. Unfortunately this toolchain is not available outside Microsoft.
They have an open source library that nobody outside Microsoft can compile? What? How?!
From the code, here's how to use a varargs function fatal():
#define FATAL( text ) {fatal( __FILE__, __LINE__, text );}
#define FATAL2( text, a ) {fatal( __FILE__, __LINE__, text, a );}
#define FATAL3( text, a, b ) {fatal( __FILE__, __LINE__, text, a, b );}
#define FATAL4( text, a, b, c ) {fatal( __FILE__, __LINE__, text, a, b, c );}
#define FATAL5( text, a, b, c, d ) {fatal( __FILE__, __LINE__, text, a, b, c, d );}
#define FATAL6( text, a, b, c, d, e ) {fatal( __FILE__, __LINE__, text, a, b, c, d, e );}
#define CHECK( cond, text ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text );}; _Analysis_assume_( cond );}
#define CHECK3( cond, text, a ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a );}; _Analysis_assume_( cond );}
#define CHECK4( cond, text, a, b ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a, b );}; _Analysis_assume_( cond );}
#define CHECK5( cond, text, a, b, c ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a, b, c );}; _Analysis_assume_( cond );}
Looks like pretty normal C. It's always ugly.
Wait, why is there a semicolon between the if's braces and _Analysis_assume_?
-
@PJH the second one didn't sync so well.
-
@topspin said in In other news today...:
@LaoC said in In other news today...:
At the moment this library only compiles with the Windows build system. Unfortunately this toolchain is not available outside Microsoft.
They have an open source library that nobody outside Microsoft can compile? What? How?!
From the code, here's how to use a varargs function fatal():
#define FATAL( text ) {fatal( __FILE__, __LINE__, text );}
#define FATAL2( text, a ) {fatal( __FILE__, __LINE__, text, a );}
#define FATAL3( text, a, b ) {fatal( __FILE__, __LINE__, text, a, b );}
#define FATAL4( text, a, b, c ) {fatal( __FILE__, __LINE__, text, a, b, c );}
#define FATAL5( text, a, b, c, d ) {fatal( __FILE__, __LINE__, text, a, b, c, d );}
#define FATAL6( text, a, b, c, d, e ) {fatal( __FILE__, __LINE__, text, a, b, c, d, e );}
#define CHECK( cond, text ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text );}; _Analysis_assume_( cond );}
#define CHECK3( cond, text, a ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a );}; _Analysis_assume_( cond );}
#define CHECK4( cond, text, a, b ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a, b );}; _Analysis_assume_( cond );}
#define CHECK5( cond, text, a, b, c ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a, b, c );}; _Analysis_assume_( cond );}
Looks like pretty normal C. It's always ugly.
Wait, why is there a semicolon between the if's braces and _Analysis_assume_?
Because it's two statements?
-
@Tsaukpaetra said in In other news today...:
Because it's two statements?
It's redundant. Expanding...
#define CHECK5( cond, text, a, b, c )
{
    if( !(cond) )
    {
        fatal(__FILE__, __LINE__, text, a, b, c );
    }; // <~~ this one
    _Analysis_assume_( cond );
}
-
@LaoC said in In other news today...:
From the code, here's how to use a varargs function fatal():
Am I glad we've got variadic macros in our compilers.
-
@LaoC Nope, I'm not assuming that he hasn't done research; it's him not giving a fuck about the actual repercussions. As evidenced by the strict 90 days which someone pulled out of a hat.
When it launched, one of the principal innovations that Project Zero provided was a strict 90-day disclosure deadline along with a publicly visible bugtracker where the vulnerability disclosure process is documented.
"Innovation" my ass.
Most bugs are disclosed within 90 days of discovery regardless of whether or not a fix is available; in one instance Microsoft was given just one week's notice before a flaw in the Windows operating system was publicly disclosed - after having given rival Apple a full five months to resolve a similar security issue.
They're asshats, plain and simple.
-
@PleegWat said in In other news today...:
@LaoC said in In other news today...:
From the code, here's how to use a varargs function fatal():
Am I glad we've got variadic macros in our compilers.
Yeah, but does Microsoft? Honestly not sure.
Aren’t they stuck on some in-between of C89 and C99?
-
I foresee no possible way that this could go wrong:
-
@cvi said in In other news today...:
The potential of crazy people coming there? I'd say that's pretty much guaranteed -- presumably somebody is going to be running the place.
Demonic possession seems the most likely explanation of some of what I see in the world.
-
-
@boomzilla said in In other news today...:
Well, I see the music industry is about as good at off site backups of important stuff as everyone else.
-
@PleegWat said in In other news today...:
@LaoC said in In other news today...:
From the code, here's how to use a varargs function fatal():
Am I glad we've got variadic macros in our compilers.
But so does Microsoft.
@topspin said in In other news today...:
Yeah, but does Microsoft? Honestly not sure.
Aren’t they stuck on some in-between of C89 and C99?
I've used them as of VS2005. It's probably the only bit of C99 they've added for C, but they have them.
-
This could go in the Cute Things thread...
-
@topspin said in In other news today...:
@LaoC said in In other news today...:
At the moment this library only compiles with the Windows build system. Unfortunately this toolchain is not available outside Microsoft.
They have an open source library that nobody outside Microsoft can compile? What? How?!
From the code, here's how to use a varargs function fatal():
#define FATAL( text ) {fatal( __FILE__, __LINE__, text );}
#define FATAL2( text, a ) {fatal( __FILE__, __LINE__, text, a );}
#define FATAL3( text, a, b ) {fatal( __FILE__, __LINE__, text, a, b );}
#define FATAL4( text, a, b, c ) {fatal( __FILE__, __LINE__, text, a, b, c );}
#define FATAL5( text, a, b, c, d ) {fatal( __FILE__, __LINE__, text, a, b, c, d );}
#define FATAL6( text, a, b, c, d, e ) {fatal( __FILE__, __LINE__, text, a, b, c, d, e );}
#define CHECK( cond, text ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text );}; _Analysis_assume_( cond );}
#define CHECK3( cond, text, a ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a );}; _Analysis_assume_( cond );}
#define CHECK4( cond, text, a, b ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a, b );}; _Analysis_assume_( cond );}
#define CHECK5( cond, text, a, b, c ) { if( !(cond) ) { fatal(__FILE__, __LINE__, text, a, b, c );}; _Analysis_assume_( cond );}
Looks like pretty normal C. It's always ugly.
Wait, why is there a semicolon between the if's braces and _Analysis_assume_?
The numbering is just nasty and the FATAL() macros are completely superfluous and just there to pervert the idea of a varargs function. That semicolon separates the conditional block and something that's probably a pragma for the optimizer. It's also superfluous if the pragma is sane, but then it probably ain't.
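The numbered FATAL/CHECK family and the stray semicolon discussed in the posts above, reworked with one C99 variadic macro each and a do { } while (0) wrapper. This is an added example, not part of any post and not SymCrypt's code; the recording fatal() stand-in and validate_len() are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the library's fatal(): it records the message
   instead of aborting, so the result can be inspected. */
static char last_fatal[512];
static int fatal_count;

static void fatal(const char *file, int line, const char *fmt, ...)
{
    char msg[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    snprintf(last_fatal, sizeof last_fatal, "%s:%d: %s", file, line, msg);
    fatal_count++;
}

/* _Analysis_assume_ is an MSVC static-analysis annotation; make it a no-op
   on toolchains that do not define it. */
#ifndef _Analysis_assume_
#define _Analysis_assume_(expr) ((void)0)
#endif

/* One variadic macro instead of FATAL..FATAL6: __VA_ARGS__ carries the
   format string and however many arguments follow it. */
#define FATAL(...) fatal(__FILE__, __LINE__, __VA_ARGS__)

/* do { } while (0) turns the body into exactly one statement, so the
   caller's own ';' terminates it and if/else around it still parses. */
#define CHECK(cond, ...)                             \
    do {                                             \
        if (!(cond))                                 \
            fatal(__FILE__, __LINE__, __VA_ARGS__);  \
        _Analysis_assume_(cond);                     \
    } while (0)

/* Hypothetical caller: returns how many fatal() calls the input triggered.
   With the original "{ ... }" macro body, "CHECK(...); else" would not
   compile, because the ';' after '}' ends the if statement. */
static int validate_len(size_t len, size_t max)
{
    int before = fatal_count;
    if (len != 0)
        CHECK(len <= max, "length %zu exceeds limit %zu", len, max);
    else
        FATAL("empty input");
    return fatal_count - before;
}

int main(void)
{
    printf("%d %d\n", validate_len(4, 16), validate_len(32, 16));
    printf("%s\n", last_fatal);
    return 0;
}
```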
-
@Rhywden said in In other news today...:
@LaoC Nope, I'm not assuming that he hasn't done research; it's him not giving a fuck about the actual repercussions.
OK. It's just how I read "It would be better to do some basic research".
As evidenced by the strict 90 days which someone pulled out of a hat.
I still haven't heard an argument why MS would need more than 3 months to fix that library, other than "MS said so". I have cited some evidence why that should be plenty though.
Most bugs are disclosed within 90 days of discovery regardless of whether or not a fix is available; in one instance Microsoft was given just one week's notice before a flaw in the Windows operating system was publicly disclosed - after having given rival Apple a full five months to resolve a similar security issue.
They're asshats, plain and simple.
Whitehats. Easy to confuse ^^
-
@dkf said in In other news today...:
@PJH said in In other news today...:
Given it's Wales, probably one.
A week.
It's South Wales. They have buses. And trains. And no coal any more.
Also opens on a Sunday... or so the legend goes.
-
@remi said in In other news today...:
This could go in the Cute Things thread...
We did selectively breed them so that they appeal to us. This is not fucking news.
-
@DogsB said in In other news today...:
We did selectively breed them so that they appeal to us. This is not fucking news.
But... but... but... sad puppy eyes!!!
-
Also, one insider's joke in my home is that when our dog is making puppy eyes, she's rolling for "kawai" (as in, making a dice roll under a skill in an RPG). She then has a circumstantial bonus or malus depending on whether the person she's targeting is available to pet her, or whether she's waiting for her food but it's too soon etc.
Farting while looking at us with puppy eyes counts as a critical failure.
-
@remi said in In other news today...:
Scientists have found a muscle that allows dogs to make 'puppy eyes' and bond with humans.
It's near their eyes, scientists say.
-
@LaoC said in In other news today...:
I still haven't heard an argument why MS would need more than 3 months to fix that library, other than "MS said so". I have cited some evidence why that should be plenty though.
Circumstantial. Again, they're NOT hurting MS with this, they're hurting the customers.
Plus, in one instance they gave Apple five months and MS one week. Basically, those fuckers don't have any moral high ground whatsoever. If they are not able to act responsibly then they shouldn't fucking work in that business.
They and not MS should be held liable for any damage arising from this.
-
Edit: not from today, but still
-
@topspin said in In other news today...:
Yeah, but does Microsoft? Honestly not sure.
Aren’t they stuck on some in-between of C89 and C99?
IIRC, they're officially only supporting as much of C99 as is required to do relatively current versions of C++.
-
@DogsB said in In other news today...:
We did selectively breed them so that they appeal to some of us. This is not fucking news.
Some breeds that take this the farthest are abominable, like pugs. Poor guys.
-
-
@remi said in In other news today...:
This could go in the Cute Things thread...
I see that expression most when she is going to the bathroom.
I always thought she looked pitiful. Desperation is not appealing to anyone.
-
@Rhywden said in In other news today...:
@LaoC said in In other news today...:
I still haven't heard an argument why MS would need more than 3 months to fix that library, other than "MS said so". I have cited some evidence why that should be plenty though.
Circumstantial.
Sure. Still beats "none at all".
Again, they're NOT hurting MS with this, they're hurting the customers.
That argument always works the same no matter how long MS takes. And negotiating with them didn't work.
Actually it's less like you taking out your anger about a student on other students. It's more like you not getting your instruction cache warmed up and the school giving you the boot for it, even if it means your students will miss a week of classes, and then everybody going ohhh, can't do that, poor students!!!1 Yeah, that analogy is flawed: students usually don't choose their teacher.
Plus, in one instance they gave Apple five months and MS one week.
That five months I've seen evidence of. Apple's bug was one that would have caused system compromise everywhere to the point of people having to reinstall everything and dealing with potentially all their data being leaked. Plus, it required Apple to redesign core parts of the OS, execve() and such, that's as far into OS black magic territory as you get. Microsoft's current one on the other hand is a DOS. Shit stops working, duh. You reboot it and continue.
That one week's notice for MS? No idea which one that's supposed to have been.
Basically, those fuckers don't have any moral high ground whatsoever. If they are not able to act responsibly then they shouldn't fucking work in that business.
Apple's case proves they can and do work responsibly. So again, you think you're better at estimating what a reasonable time to fix is than they are so they should turn to gardening or working for the NSA?
They and not MS should be held liable for any damage arising from this.
Shoot the messenger.
-
-
@dkf said in In other news today...:
IIRC, they're officially only supporting as much of C99 as is required to do relatively current versions of C++.
They had a lapse in C++ updates when they massively pushed .NET for the early Metro versions around the time they produced the Windows Phone 7, but then they realized .NET ain't gonna cut it and they started supporting C++ again and since C++14 they add the feature as fast as the other compilers. After all the lead architect of Visual C++ is the convener of the C++ standard committee.
-