Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

OT: UK okays warrantless remote hacking of PCs

0 views
Skip to first unread message

Hammy

unread,
Jan 6, 2009, 10:07:16 AM1/6/09
to
This is OT but 90% of the stuff here is. But I thought people here
might (Eeyore) find it intresting. I found it at BBR.

"Police have been given the power to hack into personal computers
without a court warrant. The Home Office is facing anger and the
threat of a legal challenge after granting permission. Ministers are
also drawing up plans to allow police across the EU to collect
information from computers in Britain.

Remote searching can be achieved by sending an email containing a
virus to a suspect's computer which then transmits information about
email contents and web-browsing habits to a distant surveillance
team."

Full article here.

http://www.independent.co.uk/news/uk/home-news/new-powers-for-police-to-hack-your-pc-1225802.html

RFI-EMI-GUY

unread,
Jan 6, 2009, 10:19:50 AM1/6/09
to
What is to stop them from depositing some "evidence" during the hack?

--
Joe Leikhim K4SAT
"The RFI-EMI-GUY"©

"Use only Genuine Interocitor Parts" Tom Servo ;-P

Jim Thompson

unread,
Jan 6, 2009, 10:26:35 AM1/6/09
to

Sounds like a bunch of government propaganda to me.

Though it probably does work with M$ E-mail products.

With Eudora it's trivial to prevent any executable from functioning,
provided you don't have a penchant for opening unknown attachments.

...Jim Thompson
--
| James E.Thompson, P.E. | mens |
| Analog Innovations, Inc. | et |
| Analog/Mixed-Signal ASIC's and Discrete Systems | manus |
| Phoenix, Arizona 85048 Skype: Contacts Only | |
| Voice:(480)460-2350 Fax: Available upon request | Brass Rat |
| E-mail Icon at http://www.analog-innovations.com | 1962 |

I love to cook with wine Sometimes I even put it in the food

Eeyore

unread,
Jan 6, 2009, 2:05:47 PM1/6/09
to

Hammy wrote:

> This is OT but 90% of the stuff here is. But I thought people here
> might (Eeyore) find it intresting. I found it at BBR.
>
> "Police have been given the power to hack into personal computers
> without a court warrant. The Home Office is facing anger and the
> threat of a legal challenge after granting permission. Ministers are
> also drawing up plans to allow police across the EU to collect
> information from computers in Britain.
>
> Remote searching can be achieved by sending an email containing a
> virus to a suspect's computer which then transmits information about
> email contents and web-browsing habits to a distant surveillance
> team."

Have they never heard of anti-virus software and firewalls ? Or do they expect anti-virus vendors to
roll over and allow their spy programs through ? What a bonus for the compnay that won't comply.

How about we hack them instead ?

Graham

Raveninghorde

unread,
Jan 6, 2009, 2:29:43 PM1/6/09
to
On Tue, 06 Jan 2009 10:07:16 -0500, Hammy <spa...@hotmail.com> wrote:

Unfortunately England is a police state ruled by foreigners.

And that's igoring the EU were most law in enacted by the Council of
Ministers not by a elected assembly.

Gordon Brown and key ministers represent Scottish seats in parliament.

Scotland and Wales now have their own governments. Scotland is
responsible for its own health, education, social care policies etc.
Scotish (and Welsh) MPs vote on English health and education policies
which do not affect them. England therefore ends up with worse
services than Scotland and Wales because the outcome does not affect
the people who vote for these MPs.

Scotland and Wales have more MPs per capita than England amplifying
the above.

Scotland and Wales receive more per capita from the Government than
England.

We have more surveillance camaras per capita than any other country.

The Labour party got 42 day detention without trial through the house
of commons but lost in the house of Lords. We are back to only 28
days detetnion without trial.

The police arrested a senior member of the Conservative oppostion for
receiving leaked information from a civil servant.

Local councils use anti-terror powers to monitor dog fouling and
rubbish dumping.

I'm just waitng for Gordon Brown to cancel the next election.

But hey Labour are good old windmill building, high spending, high
taxing AGW believing socialists.

Roll on the revolution.

Jim Thompson

unread,
Jan 6, 2009, 2:55:04 PM1/6/09
to

And you guys chide our Constitution... WE still observe habeas corpus.

Dirk Bruere at NeoPax

unread,
Jan 6, 2009, 3:20:19 PM1/6/09
to

Journalists are under the impression that it's like StarTrek tech ie "It
will take a couple of minutes to crack the encryption and bypass their
firewalls" etc.

--
Dirk

http://www.transcendence.me.uk/ - Transcendence UK
http://www.theconsensus.org/ - A UK political party
http://www.onetribe.me.uk/wordpress/?cat=5 - Our podcasts on weird stuff

Raveninghorde

unread,
Jan 6, 2009, 3:49:14 PM1/6/09
to

I have no complaints about the US constitution. Don't lump me in with
the anti US brigade.

But if the time comes I'll take the wife and any remaining kids to
Australia or New Zealand.

Jim Thompson

unread,
Jan 6, 2009, 4:00:51 PM1/6/09
to
On Tue, 06 Jan 2009 20:49:14 +0000, Raveninghorde
<raveninghorde@invalid> wrote:

I have a client in Australia, and a potential one in New Zealand... I
look forward to going back for another visit or "stay" ;-)

Sylvia Else

unread,
Jan 6, 2009, 5:02:22 PM1/6/09
to

Someone who realises the police are attempting to get into their
computer could lead them a merry dance all over the country with
misinformation.

Sylvia.

Jim Thompson

unread,
Jan 6, 2009, 5:15:34 PM1/6/09
to

Doh! Nobody ever heard of a hardware firewall?

jo...@jjdesigns.fsnet.co.uk

unread,
Jan 6, 2009, 6:06:56 PM1/6/09
to

Hammy wrote:

At one time I liked to think our police state syndrome was being
driven forward by a cadre of super clever, motivated, shadowy, high
level, civil servants. Many years of detailed watching, revealed this
not to be the case.

Instead we sleepwalk to our 1984 nightmare through the careless
neglect of spineless, thick, career politicians, coupled with large
helpings of incompetance, idleness and gross technical illiteracy
amongst those who run our security/police services. The whole then
aided and abetted by herds of Euro funded management consultants
pushing their targets and measures and initiatives.
Southern France looks yet more and more attractive.

Hammy

unread,
Jan 6, 2009, 6:52:16 PM1/6/09
to
On Tue, 06 Jan 2009 20:49:14 +0000, Raveninghorde
<raveninghorde@invalid> wrote:


>I have no complaints about the US constitution. Don't lump me in with
>the anti US brigade.
>
>But if the time comes I'll take the wife and any remaining kids to
>Australia or New Zealand.

I wouldn't be packing my bags for Australia quite yet have you heard
of the great Aussie firewall. They are getting just as bad in
attempting to censorship the internet. Of course they only have are
best intrest at heart.

Hammy

unread,
Jan 6, 2009, 6:53:48 PM1/6/09
to
On Tue, 06 Jan 2009 19:05:47 +0000, Eeyore
<rabbitsfriend...@hotmail.com> wrote:


>Have they never heard of anti-virus software and firewalls ? Or do they expect anti-virus vendors to
>roll over and allow their spy programs through ? What a bonus for the compnay that won't comply.
>
>How about we hack them instead ?
>
>Graham

All software vendors will comply with the law. This could mean
allowing law enforcement "Trojans" free passage. You all should take
the time to read the EULA on the SW you install. This is pretty common
among most "you have the right to privacy as long as the law allows
it". In this case the law obviously doesn't.

I don't think a lot of people fully realize the implications of a law
like this to a supposed free society. What are the odds this wont be
abused?

The UK is going backwards turning into a China.

Michael A. Terrell

unread,
Jan 6, 2009, 6:59:43 PM1/6/09
to

Jim Thompson wrote:
>
> On Wed, 07 Jan 2009 09:02:22 +1100, Sylvia Else
> <syl...@not.at.this.address> wrote:
>
> >Hammy wrote:
> >> This is OT but 90% of the stuff here is. But I thought people here
> >> might (Eeyore) find it intresting. I found it at BBR.
> >>
> >> "Police have been given the power to hack into personal computers
> >> without a court warrant. The Home Office is facing anger and the
> >> threat of a legal challenge after granting permission. Ministers are
> >> also drawing up plans to allow police across the EU to collect
> >> information from computers in Britain.
> >>
> >> Remote searching can be achieved by sending an email containing a
> >> virus to a suspect's computer which then transmits information about
> >> email contents and web-browsing habits to a distant surveillance
> >> team."
> >>
> >> Full article here.
> >>
> >> http://www.independent.co.uk/news/uk/home-news/new-powers-for-police-to-hack-your-pc-1225802.html
> >
> >Someone who realises the police are attempting to get into their
> >computer could lead them a merry dance all over the country with
> >misinformation.
> >
> >Sylvia.
>
> Doh! Nobody ever heard of a hardware firewall?


Or a power switch?


--
http://improve-usenet.org/index.html

aioe.org, Goggle Groups, and Web TV users must request to be white
listed, or I will not see your messages.

If you have broadband, your ISP may have a NNTP news server included in
your account: http://www.usenettools.net/ISP.htm


There are two kinds of people on this earth:
The crazy, and the insane.
The first sign of insanity is denying that you're crazy.

Sylvia Else

unread,
Jan 6, 2009, 7:41:23 PM1/6/09
to
Jim Thompson wrote:
> On Wed, 07 Jan 2009 09:02:22 +1100, Sylvia Else
> <syl...@not.at.this.address> wrote:
>
>> Hammy wrote:
>>> This is OT but 90% of the stuff here is. But I thought people here
>>> might (Eeyore) find it intresting. I found it at BBR.
>>>
>>> "Police have been given the power to hack into personal computers
>>> without a court warrant. The Home Office is facing anger and the
>>> threat of a legal challenge after granting permission. Ministers are
>>> also drawing up plans to allow police across the EU to collect
>>> information from computers in Britain.
>>>
>>> Remote searching can be achieved by sending an email containing a
>>> virus to a suspect's computer which then transmits information about
>>> email contents and web-browsing habits to a distant surveillance
>>> team."
>>>
>>> Full article here.
>>>
>>> http://www.independent.co.uk/news/uk/home-news/new-powers-for-police-to-hack-your-pc-1225802.html
>> Someone who realises the police are attempting to get into their
>> computer could lead them a merry dance all over the country with
>> misinformation.
>>
>> Sylvia.
>
> Doh! Nobody ever heard of a hardware firewall?

Where's the fun in that?

However, a hardware firewall isn't going to prevent this. Leaving asside
movie style attacks involving guessed passwords and the like, hacking
exploits faults in software where data downloaded is used in a way
unintended by the user. The only way to prevent that is either to write
the software properly, or at least safely, (which software engineers
have demonstrated a frequent inability to do), or not to download data.

However, engaging in a mass attack, and being satisfied with
compromising some computers is one thing. Gaining access to a specific
targetted computer is quite another. I suspect those involved in this
new policy have been watching too much television.

Sylvia.

Sylvia Else

unread,
Jan 6, 2009, 7:44:32 PM1/6/09
to

Fortuately, so far it's only a proposal for an attempt. As yet, our
access in Australia is reasonably unfetterred. There is reasonable hope
that the minister involved will eventually get a clue and realise that
what he's proposing won't work in practice.

Sylvia.

Jim Thompson

unread,
Jan 6, 2009, 8:16:23 PM1/6/09
to
On Wed, 07 Jan 2009 11:41:23 +1100, Sylvia Else
<syl...@not.at.this.address> wrote:

Likely so ;-)

>
>Sylvia.

Several things...

My hardware firewall allows _no_ external access... not software
dependent... I pass all of grc.com's tests with flying colors.

Browsing, I use Firefox and allow no scripting of _any_ kind.

Once burned with an E-mail that I thought was a joke from a friend, I
blow away any unknown E-mails.

Jim Thompson

unread,
Jan 6, 2009, 8:25:09 PM1/6/09
to

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2009-01-07 at 01:20:33

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

----------------------------------------------------------------------

Sylvia Else

unread,
Jan 6, 2009, 9:04:24 PM1/6/09
to

All to the good, but you're still vulnerable to errors in the way
Mozilla, Acrobat (if you use it) etc, process ordinary documents. Things
may have improved since the days when Internet Explorer could be
subverted just by having a very long URL, but there are sure to be some
exploitable errors tucked away.

It doesn't help that software tends to be written in C and C++, which
are not safe languages - that is, programming mistakes can cause more
than just program failure, but allow corruption of data structures and
the execution of data (though belated hardware assistance to prevent the
latter is now available, as it already was on Xerox mainframes in the 70s).

Sylvia.

Jim Thompson

unread,
Jan 6, 2009, 9:11:52 PM1/6/09
to
On Wed, 07 Jan 2009 13:04:24 +1100, Sylvia Else
<syl...@not.at.this.address> wrote:

What is this "Internet Explorer" you mention ?:-)

Sylvia Else

unread,
Jan 6, 2009, 9:29:14 PM1/6/09
to

Oh, it's obsolete. You needn't worry about that. I just mentioned it as
an example.

Sylvia.

Eeyore

unread,
Jan 6, 2009, 11:48:24 PM1/6/09
to

Dirk Bruere at NeoPax wrote:

> Eeyore wrote:
> > Hammy wrote:
> >
> >> This is OT but 90% of the stuff here is. But I thought people here
> >> might (Eeyore) find it intresting. I found it at BBR.
> >>
> >> "Police have been given the power to hack into personal computers
> >> without a court warrant. The Home Office is facing anger and the
> >> threat of a legal challenge after granting permission. Ministers are
> >> also drawing up plans to allow police across the EU to collect
> >> information from computers in Britain.
> >>
> >> Remote searching can be achieved by sending an email containing a
> >> virus to a suspect's computer which then transmits information about
> >> email contents and web-browsing habits to a distant surveillance
> >> team."
> >
> > Have they never heard of anti-virus software and firewalls ? Or do they expect anti-virus vendors to
> > roll over and allow their spy programs through ? What a bonus for the compnay that won't comply.
> >
> > How about we hack them instead ?
>

> Journalists are under the impression that it's like StarTrek tech ie "It
> will take a couple of minutes to crack the encryption and bypass their
> firewalls" etc.

How about a DDOS on the Government ?

Graham

Eeyore

unread,
Jan 6, 2009, 11:51:01 PM1/6/09
to

Hammy wrote:

> Eeyore <rabbitsfriend...@hotmail.com> wrote:
>
> >Have they never heard of anti-virus software and firewalls ? Or do they expect anti-virus vendors to
> >roll over and allow their spy programs through ? What a bonus for the compnay that won't comply.
> >
> >How about we hack them instead ?
>

> All software vendors will comply with the law.

Law of WHICH COUNTRY ?

One of the best AV vendors is in Russia. Kapersky. Somehow I see them saying 'fuck you'. It would put
Symantec out of business too (Thank God) at last.


> This could mean
> allowing law enforcement "Trojans" free passage. You all should take
> the time to read the EULA on the SW you install. This is pretty common
> among most "you have the right to privacy as long as the law allows
> it". In this case the law obviously doesn't.
>
> I don't think a lot of people fully realize the implications of a law
> like this to a supposed free society. What are the odds this wont be
> abused?
>
> The UK is going backwards turning into a China.

No, it's more Stalinist actually.

Graham


Eeyore

unread,
Jan 6, 2009, 11:55:59 PM1/6/09
to

jo...@jjdesigns.fsnet.co.uk wrote:

No disagreement with Southern France especially as I was nearly bi-lingual at one point and spoke with
a Provencale accent (caught right here in St Albans).

I'm considering forming a new political party. Except it won't be a party where one side always blames
the other. It'll be an alliance of citizens. Was involved in one 30 years ago for an 'action group'.
Everyone pulled together. We had Conservatives, Labour, Liberals and even the local Communist guy
working together. It CAN be done when it's in everyone's interest.

Graham


Eeyore

unread,
Jan 6, 2009, 11:56:47 PM1/6/09
to

Sylvia Else wrote:

Mischief !

Graham

Eeyore

unread,
Jan 6, 2009, 11:58:08 PM1/6/09
to

Jim Thompson wrote:

> Doh! Nobody ever heard of a hardware firewall?

I've got hard and soft. I LOVE the way Zone Alarm warns you when a previously unauthorised program
trials to 'dial out'.

Graham

Eeyore

unread,
Jan 7, 2009, 12:00:02 AM1/7/09
to

Sylvia Else wrote:

And NOT to accept 'updates' frivolously like my damn neighbour who regularly gets himself in a pickle.

Graham

Eeyore

unread,
Jan 7, 2009, 12:01:04 AM1/7/09
to

Jim Thompson wrote:

> Once burned with an E-mail that I thought was a joke from a friend, I
> blow away any unknown E-mails.

I filter emails at the mail server.

Graham

Eeyore

unread,
Jan 7, 2009, 12:04:17 AM1/7/09
to

Sylvia Else wrote:

> It doesn't help that software tends to be written in C and C++, which
> are not safe languages - that is, programming mistakes can cause more
> than just program failure, but allow corruption of data structures and
> the execution of data (though belated hardware assistance to prevent the
> latter is now available, as it already was on Xerox mainframes in the 70s).

Loathesome languages. I was offered a job coding in C around 1984 but took one look at the source and
thought 'WTF' !

Graham

Sylvia Else

unread,
Jan 7, 2009, 12:07:09 AM1/7/09
to

Yes, but probably not legally so.

Sylvia.

Eeyore

unread,
Jan 7, 2009, 12:08:13 AM1/7/09
to

Jim Thompson wrote:

> GRC Port Authority Report created on UTC: 2009-01-07 at 01:20:33
>
> Results from scan of ports: 0-1055
>
> 0 Ports Open
> 0 Ports Closed
> 1056 Ports Stealth
> ---------------------
> 1056 Ports Tested
>
> ALL PORTS tested were found to be: STEALTH.
>
> TruStealth: PASSED - ALL tested ports were STEALTH,
> - NO unsolicited packets were received,
> - NO Ping reply (ICMP Echo) was received.

Which page is that on ? I pass Leak Test fine.

Graham

Eeyore

unread,
Jan 7, 2009, 12:09:47 AM1/7/09
to

Jim Thompson wrote:

> What is this "Internet Explorer" you mention ?:-)

Chuckle - LMAO ! I do so hope the next Windows is even worse, then Microsoft may RIP.

Graham

Sylvia Else

unread,
Jan 7, 2009, 12:10:42 AM1/7/09
to

Java doesn't look that different from C++, but is a safe language.

Microsoft's C# also looks similar, and is largely safe (assuming you
trust MS to implement it properly - they managed to get a Java VM wrong
in an exploitable way I seem to remember) but bizarrely has some
expressly unsafe operations.

Sylvia.

Eeyore

unread,
Jan 7, 2009, 12:12:41 AM1/7/09
to

Raveninghorde wrote:

> On Tue, 06 Jan 2009 10:07:16 -0500, Hammy <spa...@hotmail.com> wrote:
>
> >This is OT but 90% of the stuff here is. But I thought people here
> >might (Eeyore) find it intresting. I found it at BBR.
> >
> >"Police have been given the power to hack into personal computers
> >without a court warrant. The Home Office is facing anger and the
> >threat of a legal challenge after granting permission. Ministers are
> >also drawing up plans to allow police across the EU to collect
> >information from computers in Britain.
> >
> >Remote searching can be achieved by sending an email containing a
> >virus to a suspect's computer which then transmits information about
> >email contents and web-browsing habits to a distant surveillance
> >team."
> >
> >Full article here.
> >
> >http://www.independent.co.uk/news/uk/home-news/new-powers-for-police-to-hack-your-pc-1225802.html
>

> Unfortunately England is a police state ruled by foreigners.
>
> And that's igoring the EU were most law in enacted by the Council of
> Ministers not by a elected assembly.
>
> Gordon Brown and key ministers represent Scottish seats in parliament.
>
> Scotland and Wales now have their own governments. Scotland is
> responsible for its own health, education, social care policies etc.
> Scotish (and Welsh) MPs vote on English health and education policies
> which do not affect them. England therefore ends up with worse
> services than Scotland and Wales because the outcome does not affect
> the people who vote for these MPs.
>
> Scotland and Wales have more MPs per capita than England amplifying
> the above.
>
> Scotland and Wales receive more per capita from the Government than
> England.
>
> We have more surveillance camaras per capita than any other country.
>
> The Labour party got 42 day detention without trial through the house
> of commons but lost in the house of Lords. We are back to only 28
> days detetnion without trial.
>
> The police arrested a senior member of the Conservative oppostion for
> receiving leaked information from a civil servant.
>
> Local councils use anti-terror powers to monitor dog fouling and
> rubbish dumping.
>
> I'm just waitng for Gordon Brown to cancel the next election.
>
> But hey Labour are good old windmill building, high spending, high
> taxing AGW believing socialists.
>
> Roll on the revolution.

I have one in mind plus an entire new political system more akin to the Swiss model. Direct Democracy.

BTW, I like the US term 'Representative'. It might remind them what their damn job is instead of
feeding like pigs at the trough.

Graham


Eeyore

unread,
Jan 7, 2009, 12:13:37 AM1/7/09
to

Jim Thompson wrote:

> And you guys chide our Constitution... WE still observe habeas corpus.

No you do NOT.

Graham

Bill Sloman

unread,
Jan 7, 2009, 6:36:23 AM1/7/09
to

"Jim Thompson" <To-Email-Use-Th...@My-Web-Site.com> schreef in
bericht news:9nd7m4le1h9i3en2v...@4ax.com...
> And you guys chide our Constitution... WE still observe habeas corpus.

But not when it matters, as at Guantanamo Bay.

--
Bill Sloman, Nijmegen


Jim Thompson

unread,
Jan 7, 2009, 9:36:43 AM1/7/09
to
On Wed, 07 Jan 2009 13:29:14 +1100, Sylvia Else
<syl...@not.at.this.address> wrote:

[smirk :-]

Hammy

unread,
Jan 7, 2009, 10:09:22 AM1/7/09
to
On Wed, 07 Jan 2009 04:51:01 +0000, Eeyore
<rabbitsfriend...@hotmail.com> wrote:

>

>Law of WHICH COUNTRY ?
>
>One of the best AV vendors is in Russia. Kapersky. Somehow I see them saying 'fuck you'. It would put
>Symantec out of business too (Thank God) at last.

>> The UK is going backwards turning into a China.
>
>No, it's more Stalinist actually.
>
>Graham
>

What I was suggesting is for example if I were to impede a lawful
investigation I could be charged for among other things Obstruction of
justice. So for example if a software vendor were to detect and
eliminate a lawful intrusion method by a law enforcement agency this
could also be considered obstruction. It remains to be seen how far
they would use it but it's not at all far fetched. We all know how
lawyers are.

If you read TOS and EULA for ISP's and Software vendors they all state
that they will comply with a lawful investigation. In the case of the
UK a lawful investigation is remote hacking your PC. The UK will even
take request from other EU members to gather data off your PC.

I'm surprised there isn't more outrage in your country over this. Your
civil liberties are eroding considering you also retain DNA from
cleared individuals, have the highest per captia surveillance cameras
what's next RFID implants a birth? This is just what you know God only
knows what they aren't telling you.

Anybody who thinks this wont be abused knows nothing of human nature
and history and is a blithering idiot.

Joel Koltner

unread,
Jan 7, 2009, 12:51:06 PM1/7/09
to
"Sylvia Else" <syl...@not.at.this.address> wrote in message
news:49640da8$0$7111$afc3...@news.optusnet.com.au...

> It doesn't help that software tends to be written in C and C++, which are
> not safe languages - that is, programming mistakes can cause more than just
> program failure, but allow corruption of data structures and the execution
> of data

This is a somewhat misguided notion in that *not* using C/C++ just displaces
the problem: Instead of looking for exploits of an application directly, you
sit around looking for exploits of the virtual machines or system library or
"whatever it is" that's executer your "safer language." In general, it's not
at all a proven statement that exploiting *that* environment is any more
difficult than exploiting an application directly -- particular since "safe
language execution environments" tend to be updated more slowly than
applications themselves, so any exploits that are found tend to remain
effective for longer periods of time. (And think about something like the
ever-popular SQL insertion exploit -- doesn't mattter what language you wrote
your code in, if someone manages to get you to directly execute their string
on your database, they can still do whatever they want, limited only by the
permissions of the account you're using.)

I would agree that C/C++ typically it *easier* for novice/inexperienced
programmers to write exploitable code, I suppose, but the "solution" of "just
don't use them" is essentially the same as saying, "sports cars are dangerous,
therefore no one should be allowed to use them" rather than "sports cars are
dangerous, they're probably not the best first car for your 16-year-old."

---Joel


Dirk Bruere at NeoPax

unread,
Jan 7, 2009, 3:44:24 PM1/7/09
to

They'd never notice.
A bit like spam and viruses were not a problem until MPs learned to use
a keyboard.
Then it's NetPanic time, with cyberMuggers and pedos at every turn on
the Information Super Highway (and whatever happened to that???).

Remember - on the Net, if it's not fit for children to see it's not fit
for YOU.

--
Dirk

http://www.transcendence.me.uk/ - Transcendence UK
http://www.theconsensus.org/ - A UK political party
http://www.onetribe.me.uk/wordpress/?cat=5 - Our podcasts on weird stuff

Dirk Bruere at NeoPax

unread,
Jan 7, 2009, 3:47:04 PM1/7/09
to

The C# Express dev suite by MS is brilliant!
And free.

Spehro Pefhany

unread,
Jan 7, 2009, 3:53:33 PM1/7/09
to

Or, designing with discrete components is dangerous, there are so many
ways to make a marginal circuit...


Dirk Bruere at NeoPax

unread,
Jan 7, 2009, 4:23:46 PM1/7/09
to

Do it all in assembler - nothing easier or safer :-)

Sylvia Else

unread,
Jan 7, 2009, 6:53:14 PM1/7/09
to
Joel Koltner wrote:
> "Sylvia Else" <syl...@not.at.this.address> wrote in message
> news:49640da8$0$7111$afc3...@news.optusnet.com.au...
>> It doesn't help that software tends to be written in C and C++, which are
>> not safe languages - that is, programming mistakes can cause more than just
>> program failure, but allow corruption of data structures and the execution
>> of data
>
> This is a somewhat misguided notion in that *not* using C/C++ just displaces
> the problem: Instead of looking for exploits of an application directly, you
> sit around looking for exploits of the virtual machines or system library or
> "whatever it is" that's executer your "safer language." In general, it's not
> at all a proven statement that exploiting *that* environment is any more
> difficult than exploiting an application directly -- particular since "safe
> language execution environments" tend to be updated more slowly than
> applications themselves, so any exploits that are found tend to remain
> effective for longer periods of time.

The very fact that there's an extra level between the data representing
the exploit and the potentially exploitable code make an exploit that
much more difficult. In the Java environment at least (I don't know
about C#) much of the library code is itself written in Java, meaning
that the path from the data controlled by the hacker to the code that
could be exploited is tortuous.

But more significant is simply the fact that safe languages don't allow
certain types of inherently risky operation, and check other operations
for validity before performing them.

> (And think about something like the
> ever-popular SQL insertion exploit -- doesn't mattter what language you wrote
> your code in, if someone manages to get you to directly execute their string
> on your database, they can still do whatever they want, limited only by the
> permissions of the account you're using.)

Yes, some exploits are language insensitive. Still, at least things like
SQL insertion exploits are easier to address with programming standards,
and violations of standards are easier to spot (in code reviews that
everyone talks about, but few do). Buffer overflow exploits and the like
are frequently down to mistakes or naivety, and take detailed code
examination to find.

>
> I would agree that C/C++ typically it *easier* for novice/inexperienced
> programmers to write exploitable code, I suppose, but the "solution" of "just
> don't use them" is essentially the same as saying, "sports cars are dangerous,
> therefore no one should be allowed to use them" rather than "sports cars are
> dangerous, they're probably not the best first car for your 16-year-old."

I used to be of the view that we just needed to educate and manage our
software engineers better. But it doesn't work. The pool of people
capable of becoming competent at the required level is too small. In
practice, one has to use engineers of an average ability. The only way
to get safe software out of such people is to restrict them to safe
languages. It doesn't guarantee safety, but it makes it more likely, and
limits the areas where unsafe practices can still exist.

Sylvia.

Sylvia Else

unread,
Jan 7, 2009, 7:01:24 PM1/7/09
to
Hammy wrote:
> On Wed, 07 Jan 2009 04:51:01 +0000, Eeyore
> <rabbitsfriend...@hotmail.com> wrote:
>
>
>> Law of WHICH COUNTRY ?
>>
>> One of the best AV vendors is in Russia. Kapersky. Somehow I see them saying 'fuck you'. It would put
>> Symantec out of business too (Thank God) at last.
>
>
>>> The UK is going backwards turning into a China.
>> No, it's more Stalinist actually.
>>
>> Graham
>>
>
> What I was suggesting is for example if I were to impede a lawful
> investigation I could be charged for among other things Obstruction of
> justice. So for example if a software vendor were to detect and
> eliminate a lawful intrusion method by a law enforcement agency this
> could also be considered obstruction. It remains to be seen how far
> they would use it but it's not at all far fetched. We all know how
> lawyers are.

Locking a door would impede law enforcement officers who wanted to go
through it. That doesn't mean that locking the daw would be obstruction
unless it was done with the specific intent of impeding an officer.

Any intrusion method that law enforcement officers could use to gain
access to a computer could also be used by other people. Vendors of
software aimed at preventing intrusions are not intending that this
impede law enforcement officers any more than someone locking their door
at night is, and neither is unlawful.

>
> If you read TOS and EULA for ISP's and Software vendors they all state
> that they will comply with a lawful investigation. In the case of the
> UK a lawful investigation is remote hacking your PC. The UK will even
> take request from other EU members to gather data off your PC.

So Symantec might have to comply with a lawful investigation. But unless
they've deliberately built in back-doors, there's little they can
actually do, and they're not required to do what they cannot.

Law enforcement officials cannot require the back-doors be built in,
because at the time of the requirement, there's no identifiable
investigation that it's intended to assist.

The law could be changed to impose such a requirement, but it couldn't
be secret.

Sylvia.

Joel Koltner

unread,
Jan 7, 2009, 7:38:25 PM1/7/09
to
"Sylvia Else" <syl...@not.at.this.address> wrote in message
news:4965406b$0$19982$afc3...@news.optusnet.com.au...

> The very fact that there's an extra level between the data representing the
> exploit and the potentially exploitable code make an exploit that much more
> difficult.

It only makes them *harder to find*, not generally harder to use: You just
need one clever guy to package up the exploit nicely, and the next thing you
know, millions of script kiddies start using it.

The fact that Internet browser exploits are relatively common -- and HTML
isn't a "programming" language at all! (although I suppose Javascript is, just
barely) -- suggests to me that the onus for writing good quality code is
still much more a function of the individual writing that code rather than the
particular language they use: I wouldn't inherently trust a guy writing
nuclear reactor control code any more if he's using Java than if he's using C!

> But more significant is simply the fact that safe languages don't allow
> certain types of inherently risky operation, and check other operations for
> validity before performing them.

C++ allows one to have all those "niceties" (safe/smart pointers, arrays,
typechecking, etc.) while still retaining a nice, clean interface -- it's just
that, unlike "safe" languages, you're not being *forced* to use them if you
don't want to. (In C you can have it as well, although the code starts to
look awfully ugly.)

> I used to be of the view that we just needed to educate and manage our
> software engineers better. But it doesn't work.

Globally it might not, but in your own company it can... let your competitors
have the chaff. :-)

> The pool of people capable of becoming competent at the required level is
> too small.

I don't think that's true at all, but perhaps I'm just not experienced?/jaded?
enough? Getting really good people is always a problem, but they are out
there -- I think that most companies are just too willing to accept "average"
as "good enough" -- as one can point to companies where almost every single
person is noticeably above average in their fields, after all. (For a
large-scale example of this, just look at HP and Tektronix back in the
'60s/'70s -- you had to be a *particularly* sharp cookie to get into those
places at that time. ...and HP's first calculator, the HP-35, had a couple of
relatively minor bugs, whereas the current HP-35s had a whole boatload,
despite the engineers working on it having *much* better programming/debugging
tools than were available in 1972! Oh, and because I like to harp on this...
every registered owner of the original HP-35 was sent a letter informing them
of the bugs and offering to exchange the calculator free of charge if the
owner desired. With the HP-35s, HP *doesn't even have a list of bugs posted
on their web site*, much less offering replacements.)

> In practice, one has to use engineers of an average ability. The only way to
> get safe software out of such people is to restrict them to safe languages.

It's certainly one way, just not the only way IMO.

> It doesn't guarantee safety, but it makes it more likely, and limits the
> areas where unsafe practices can still exist.

OK, you make a lot of good points, and in general there's something to be said
for using "safer" languages so long as using them doesn't hamper productivity
(...when comparing outcomes wherein the same level of security was achieved in
all cases). To me this is sort of like "pair programming" where you take two
guys and they code along, one looking out for the bugs the other one might be
creating: Sure, it certainly will reduce the number of bugs and may
occasionally result in more efficient code too... but rather than taking two
"average" guys making, e.g., $50k/year, I'd much rather have one "outstanding"
guy and pay him $75k a year and expect the same results, and everyone wins.

---Joel


Sylvia Else

unread,
Jan 7, 2009, 8:00:58 PM1/7/09
to
Joel Koltner wrote:

> The fact that Internet browser exploits are relatively common -- and HTML
> isn't a "programming" language at all! (although I suppose Javascript is, just
> barely) -- suggests to me that the onus for writing good quality code is
> still much more a function of the individual writing that code rather than the
> particular language they use: I wouldn't inherently trust a guy writing
> nuclear reactor control code any more if he's using Java than if he's using C!

I'd lay odds that most HTML exploits are of some form of buffer
overflow/use of freed memory error in the code.

>> I used to be of the view that we just needed to educate and manage our
>> software engineers better. But it doesn't work.
>
> Globally it might not, but in your own company it can... let your competitors
> have the chaff. :-)

Well, it's a nice idea. But try telling the company owner that this or
that project can't start because we've yet to find the above average
staff required to man it. The owner is likely to think that we could be
less selective, and get the project underway.

Now, of course, if I owned my own company, things would be different.
But then, a false proposition implies any proposition.


> OK, you make a lot of good points, and in general there's something to be said
> for using "safer" languages so long as using them doesn't hamper productivity

Actually, it probably improves productivity. An awful lot of time can be
spent tracking down faults caused by pointer misuse, array overflows and
use of freed memory. I remember one instance (not perpetrated by me)
where data in memory was being corrupted by an instruction that had
itself been corrupted by a misused pointed. You can imagine how long
that took to resolve.

The main down side of safe languages is one of performance. But that
really isn't an issue these days, provided the software is designed to
scale properly across multiple systems (it usually isn't but that's a
story for another day).

> .. but rather than taking two
> "average" guys making, e.g., $50k/year, I'd much rather have one "outstanding"
> guy and pay him $75k a year and expect the same results, and everyone wins.

Yes, but employers rairly appreciate the difference between the value of
the $50K employeer and the $75K one. If you're the employer, fine. But
most people trying to develop software have to manage with the resources
they've given.

Sylvia.

John Larkin

unread,
Jan 7, 2009, 8:03:19 PM1/7/09
to

A good computer language should discourage tricky constructs,
cleverness, coding speed, and coding efficiency. It should be
plodding, tedious, constrained, and wordy. It should positively chase
away people who want to play programming games but don't care about
applications.

Cobol comes to mind.

Cobol was, of course, invented by Grace Hopper. Someone here recently
observed that English majors may make better programmers than CS
majors. There may be something going on here; the classic male geek
empathy-free visual-spatial game playing mentality may not be best way
to get good code.

John


jo...@jjdesigns.fsnet.co.uk

unread,
Jan 7, 2009, 8:05:47 PM1/7/09
to

Eeyore wrote:

I'm starting to wonder who of us now remain as actual 'citizens'.
Friday, filled up at my usual local muslim garage. Asked to sign
petition on counter from Galloway's 'Respect' party wrt recent jewish
adventure. For some reason I felt annoyed (irrational maybe but I felt
a bit betrayed?).
We're represented here by a muslim MP, there are many muslim members
on the local councils. We've massive local social problems centred on
lack of work/poverty/health/education/religion/immigration/crime, yet
have seen no petitions or mention of these things.
Yet, I'm then being specifically asked to support an unknown Southern
MP, supporting an alien people, on behalf of an alien muslim world.
Somewhere down the line we've lost our priorities.

Sylvia Else

unread,
Jan 7, 2009, 8:10:41 PM1/7/09
to
John Larkin wrote:

> A good computer language should discourage tricky constructs,
> cleverness, coding speed, and coding efficiency. It should be
> plodding, tedious, constrained, and wordy. It should positively chase
> away people who want to play programming games but don't care about
> applications.
>
> Cobol comes to mind.

It would be from hard to impossible to write many modern applications in
COBOL. The fact that COBOL compilers are not written in COBOL says
something.

Sylvia.

John Larkin

unread,
Jan 7, 2009, 8:14:08 PM1/7/09
to

What happened to i/d space separation? Even in the early 1970's you
could buy a minicomputer that had hardware-enforced page attributes;
it was *impossible* for code to modify code, or to overflow a stack
without a trap, or to execute data.

Even compilers for Intel crud should be able to position stuff so that
stacks don't overflow into code.

John


Jim Thompson

unread,
Jan 7, 2009, 8:31:49 PM1/7/09
to
On Wed, 07 Jan 2009 17:03:19 -0800, John Larkin
<jjla...@highNOTlandTHIStechnologyPART.com> wrote:

[snip]


>
>A good computer language should discourage tricky constructs,
>cleverness, coding speed, and coding efficiency. It should be
>plodding, tedious, constrained, and wordy. It should positively chase
>away people who want to play programming games but don't care about
>applications.
>
>Cobol comes to mind.
>
>Cobol was, of course, invented by Grace Hopper. Someone here recently
>observed that English majors may make better programmers than CS
>majors. There may be something going on here; the classic male geek
>empathy-free visual-spatial game playing mentality may not be best way
>to get good code.
>
>John
>

My oldest son is multi-lingual... and writes good code. I've always
associated good language skills with good software.

John Larkin

unread,
Jan 7, 2009, 9:16:26 PM1/7/09
to
On Wed, 07 Jan 2009 18:31:49 -0700, Jim Thompson
<To-Email-Use-Th...@My-Web-Site.com> wrote:

>On Wed, 07 Jan 2009 17:03:19 -0800, John Larkin
><jjla...@highNOTlandTHIStechnologyPART.com> wrote:
>
>[snip]
>>
>>A good computer language should discourage tricky constructs,
>>cleverness, coding speed, and coding efficiency. It should be
>>plodding, tedious, constrained, and wordy. It should positively chase
>>away people who want to play programming games but don't care about
>>applications.
>>
>>Cobol comes to mind.
>>
>>Cobol was, of course, invented by Grace Hopper. Someone here recently
>>observed that English majors may make better programmers than CS
>>majors. There may be something going on here; the classic male geek
>>empathy-free visual-spatial game playing mentality may not be best way
>>to get good code.
>>
>>John
>>
>
>My oldest son is multi-lingual... and writes good code. I've always
>associated good language skills with good software.
>
> ...Jim Thompson


And that's almost the reverse of the kind of people who program.

Programming is, after all, writing.

John

Sylvia Else

unread,
Jan 7, 2009, 9:20:03 PM1/7/09
to

It appears to have been an idea that Intel felt no need to adopt until
the issue of viruses arose. Their processors were after all designed in
an era when malicious code was essentially non-existent.

>
> Even compilers for Intel crud should be able to position stuff so that
> stacks don't overflow into code.

It's not so much stacks overflowing into code, as programs writing to
data in a way that corrupts the return address on the stack. If the
processor is willing to execute data, then the return address on the
stack can be made to point to some data. If that data has been provided
by an attacker - e.g. it might be part of what is meant to be a URL, or
an image, or something - then the attack succeeds. A fairly common way
in which this occurred was for an engineer to allocate a buffer on the
stack that was "bound to be big enough", and then not checking that it
actually was for the particular data being processed.

Of course, this is only one class of attack. SQL insertion attacks
(caused by naive processing of data used in SQL statements), directory
traversal, and cross-site scripting attacks are unrelated, both to it,
and to each other, and there are certainly yet more classes.

Sylvia.

Jon Kirwan

unread,
Jan 7, 2009, 10:24:47 PM1/7/09
to
On Thu, 08 Jan 2009 10:53:14 +1100, Sylvia Else
<syl...@not.at.this.address> wrote:

><snip>


>In practice, one has to use engineers of an average ability.

><snip>

Over time, the accessibility to becoming a programmer has broadened a
great deal and in the process the 'average' skill has likewise
plummeted. (Ph.D.s once represented the average, in days I personally
remember, but that would distract my point.) So the "average ability"
target isn't static, but continues a downward direction lowering the
floor you are shooting for.

When I started teaching at the largest University in my state as an
adjunct prof, 15 years ago or so, I was shocked by one of the students
coming to me during her 3rd undergrad year and telling me, "I'm not
sure I should have decided on a CS degree. I had been thinking about
accounting before, but decided programming would be 'less stress' and
still good pay for it." She wanted my thoughts. Shocked the first
time it happened. But I stopped being shocked as it became a vulgar
occurance. Back when I was studying, one didn't wonder if accounting
was an option. You KNEW that wasn't even a remote possibility and it
didn't even enter your mind.

Today, that has entirely been turned on its head and most anyone can
consider programming as an 8-5 occupation they trivially leave at the
business door when they head on home.

Jon

Sylvia Else

unread,
Jan 7, 2009, 11:24:11 PM1/7/09
to
Jon Kirwan wrote:

> When I started teaching at the largest University in my state as an
> adjunct prof, 15 years ago or so, I was shocked by one of the students
> coming to me during her 3rd undergrad year and telling me, "I'm not
> sure I should have decided on a CS degree. I had been thinking about
> accounting before, but decided programming would be 'less stress' and
> still good pay for it." She wanted my thoughts. Shocked the first
> time it happened. But I stopped being shocked as it became a vulgar
> occurance. Back when I was studying, one didn't wonder if accounting
> was an option. You KNEW that wasn't even a remote possibility and it
> didn't even enter your mind.

When I was doing my CS degree course, I wondered at the people doing
joint honours accounting and computer science. The mind sets required
for the two disciplines seems so far removed from each other that I
couldn't help feeling that anyone who chose that course must have made a
mistake, one way or the other.

Sylvia.

Martin Brown

unread,
Jan 8, 2009, 6:54:04 AM1/8/09
to
On Jan 7, 5:51 pm, "Joel Koltner" <zapwireDASHgro...@yahoo.com> wrote:
> "Sylvia Else" <syl...@not.at.this.address> wrote in message
>
> news:49640da8$0$7111$afc3...@news.optusnet.com.au...
>
> > It doesn't help that software tends to be written in C and C++, which are
> > not safe languages - that is, programming mistakes can cause more than just
> > program failure, but allow corruption of data structures and the execution
> > of data
>
> This is a somewhat misguided notion in that *not* using C/C++ just displaces
> the problem: Instead of looking for exploits of an application directly, you
> sit around looking for exploits of the virtual machines or system library or
> "whatever it is" that's executer your "safer language."  In general, it's not
> at all a proven statement that exploiting *that* environment is any more
> difficult than exploiting an application directly -- particular since "safe
> language execution environments" tend to be updated more slowly than
> applications themselves, so any exploits that are found tend to remain
> effective for longer periods of time.

It is very hard to execute data on a Harvard architecture machine.
Languages that avoid pointers but support rich structured data types
can avoid most of the C pitfalls of over running array bounds and
trampling return addresses with a pointer to malicious code. C/C++ on
a flat unprotected memory space is about as bad as it gets in terms of
making exploits really easy.

Although people don't like them these days segmented architecture
memory with permissions is an excellent defence against illicit
hostile code being put into a memory segment and then executed. The
belated NOEXECUTE flag is a fine example of shutting the stable door
on Wintel machines when there are still big holes in the walls.

> (And think about something like the
> ever-popular SQL insertion exploit -- doesn't mattter what language you wrote
> your code in, if someone manages to get you to directly execute their string
> on your database, they can still do whatever they want, limited only by the
> permissions of the account you're using.)
>
> I would agree that C/C++ typically it *easier* for novice/inexperienced
> programmers to write exploitable code, I suppose, but the "solution" of "just

This definition would appear to include most of the MS development
team.

> don't use them" is essentially the same as saying, "sports cars are dangerous,
> therefore no one should be allowed to use them" rather than "sports cars are
> dangerous, they're probably not the best first car for your 16-year-old."

The situation is more subtle than that. Even top programmers can make
fence post errors and minor typos that have disastrous consequences in
weakly typed languages where almost enything wil compile without
errors and with the mentality that anything is a pointer or can be
pointed at tiny errors can be devatating. The pointers for everything
in C makes it extremely vulnerable even with excellent engineers.

There are better languages that could be used for safety critical
applications. Modula2 was one of the simplest robust ones that had a
brief acceptance in some fields, and Ada is another heavyweight
(although a bit OTT for my tastes).

Using languages and development tools that can cover for the
deficiencies of human developers makes sense. CPU cycles are cheap and
getting cheaper - having the compiler or static analysis tools work
that bit harder to weed out bugs at compile time is well worthwhile.
Who really wants to see BSODs or have Vista lock up on them yet again?

Regards,
Martin Brown

Martin Brown

unread,
Jan 8, 2009, 7:16:18 AM1/8/09
to
On Jan 8, 1:14 am, John Larkin

It is possible on the Intel architecture - OS/2 used that model. There
is a small hit on changing privilige ring. Unfortunately the abysmal
IBM marketting droids so completely cocked up selling OS/2 that MS
Windows won the day. 386, 486 and Pentium are quite capable of running
with hardware enforced page attributes (although there are gotchas).
That said legacy h/w issues mean that even some Unix systems on Intel
CPUs are not immune to sophisticated exploits eg.

http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot.pdf


>
> Even compilers for Intel crud should be able to position stuff so that
> stacks don't overflow into code.

That isn't how it is done. The basic trick is that a fixed length
buffer on the stack is overflowed in such a way as to deliberately
overwrite the return address with a pointer to code you want executed
and the code itself. It isn't the compilers fault that C allows and
even encourages sloppy programming practices in the name of
efficiency.

Certain MS data structures are prone to being utilitised in this way
because they contain a "how long I am field" you only need to find a
structure where no matter what value is in the data the system
allocates the length that these usually fixed length objects always
have and you are in. The deadly ones are where the memory is allocated
fixed length but the data is copied using the value in the dataheader
(which is telling fibs) or until the next null byte. A variant of this
method has been used to break the MS JPEG codec.

Belatedly a no-execute flag has been added for data segments, since it
seems impossible to train the monkeys at Microsoft not to write
insecure code.

Regards,
Martin Brown

Martin Brown

unread,
Jan 8, 2009, 7:40:58 AM1/8/09
to
On Jan 8, 1:03 am, John Larkin

<jjlar...@highNOTlandTHIStechnologyPART.com> wrote:
> On Thu, 08 Jan 2009 10:53:14 +1100, Sylvia Else
>
> <syl...@not.at.this.address> wrote:
> >Joel Koltner wrote:

> >> I would agree that C/C++ typically it *easier* for novice/inexperienced
> >> programmers to write exploitable code, I suppose, but the "solution" of "just

Not just novice/inexperienced programmers - and that is the *big*
problem. Our software industry prefers shortest time to market over
reliability - after all you can just issue updates and security fixes
on a daily basis.

> >> don't use them" is essentially the same as saying, "sports cars are dangerous,
> >> therefore no one should be allowed to use them" rather than "sports cars are
> >> dangerous, they're probably not the best first car for your 16-year-old."
>
> >I used to be of the view that we just needed to educate and manage our
> >software engineers better. But it doesn't work. The pool of people
> >capable of becoming competent at the required level is too small. In
> >practice, one has to use engineers of an average ability. The only way
> >to get safe software out of such people is to restrict them to safe
> >languages. It doesn't guarantee safety, but it makes it more likely, and
> >limits the areas where unsafe practices can still exist.
>

> A good computer language should discourage tricky constructs,
> cleverness, coding speed, and coding efficiency. It should be
> plodding, tedious, constrained, and wordy. It should positively chase

Not quite. It isn't verbosity that is a good thing. It is opaque
cryptic terseness that is bad.

It should be precise enough that you have to write exactly what you
mean and if it is at all ambiguous you get a warning or an error
message and not have the compiler taking a wild guess about your
intentions. What you don't want to have are obscure unintuitive
operator precedence or implicit coercions between data types.

The distinction between interpretting a bit pattern as an address, an
integer or a floating point number needs considerable attention for
low level OS work. Do you mean the value of this floating point number
rounded to an integer (which might overflow if it is too big) or put
the binary representation of this floating point number into a 32bit
integer.

I sometimes think it would have been better if addresses were some
other length than 32 bits so that the interchangable use of "integers"
and "pointers" would not have gained such wide acceptance in C.

> away people who want to play programming games but don't care about
> applications.
>
> Cobol comes to mind.
>
> Cobol was, of course, invented by Grace Hopper. Someone here recently
> observed that English majors may make better programmers than CS
> majors. There may be something going on here; the classic male geek
> empathy-free visual-spatial game playing mentality may not be best way
> to get good code.

You are barking up the wrong tree. Any of the strongly typed languages
where you have to say exactly what you intend weed out a lot of the
classic C faults at compile time - and the optional bounds checking on
arrays can catch quite a lot of common fence post errors at runtime
too.

You can even program defensively in C or C++ but so few people do.
Good linguists can make very good programmers although they tend to
graduate to requirements analysis fairly quickly.

Regards,
Martin Brown

John Larkin

unread,
Jan 8, 2009, 11:15:04 AM1/8/09
to
On Thu, 8 Jan 2009 04:40:58 -0800 (PST), Martin Brown
<|||newspam|||@nezumi.demon.co.uk> wrote:


>> away people who want to play programming games but don't care about
>> applications.
>>
>> Cobol comes to mind.
>>
>> Cobol was, of course, invented by Grace Hopper. Someone here recently
>> observed that English majors may make better programmers than CS
>> majors. There may be something going on here; the classic male geek
>> empathy-free visual-spatial game playing mentality may not be best way
>> to get good code.
>
>You are barking up the wrong tree. Any of the strongly typed languages
>where you have to say exactly what you intend weed out a lot of the
>classic C faults at compile time - and the optional bounds checking on
>arrays can catch quite a lot of common fence post errors at runtime
>too.
>

Anyone can google "software failure" and see what a disaster current
programming languages and culture are. This mess not only costs
society maybe a trillion dollars a year, it is a major threat to
national security.

It's obscene that a practice with such abysmal results - 50% failure
rates for large projects, programs with thousands of bugs - should be
graced with academic titles like "computer science" and "software
engineering." No real science would be allowed such slop, climatology
excepted.

John


John Larkin

unread,
Jan 8, 2009, 11:23:11 AM1/8/09
to
On Thu, 08 Jan 2009 15:24:11 +1100, Sylvia Else
<syl...@not.at.this.address> wrote:

>
>When I was doing my CS degree course, I wondered at the people doing
>joint honours accounting and computer science. The mind sets required
>for the two disciplines seems so far removed from each other that I
>couldn't help feeling that anyone who chose that course must have made a
>mistake, one way or the other.
>
>Sylvia.

Makes sense to me. Who else could correctly program a complex
financial system? A programmer with no skills or interest in
accounting?

The best programmers are people who are experts in their application
and also know how to program. The best two programmers I know
(modestly excluding myself) were chemistry and physics majors who
taught themselves to program.

Reminds me of an actual case: during WWII, it was noted that aerial
gunners weren't very good. So at one training camp, just before the
final live-shooting exam, they switched the classes and had the cooks
and bakers class take the gunnery test. They did better than the
graduates of the gunnery school.

John

Jon Kirwan

unread,
Jan 8, 2009, 1:01:01 PM1/8/09
to
On Thu, 08 Jan 2009 08:23:11 -0800, John Larkin
<jjla...@highNOTlandTHIStechnologyPART.com> wrote:

>On Thu, 08 Jan 2009 15:24:11 +1100, Sylvia Else
><syl...@not.at.this.address> wrote:
>
>>When I was doing my CS degree course, I wondered at the people doing
>>joint honours accounting and computer science. The mind sets required
>>for the two disciplines seems so far removed from each other that I
>>couldn't help feeling that anyone who chose that course must have made a
>>mistake, one way or the other.
>>
>>Sylvia.
>
>Makes sense to me. Who else could correctly program a complex
>financial system? A programmer with no skills or interest in
>accounting?

Not to want to answer for Sylvia but in my comments prior to hers (not
just those quoted in her reply), I was talking about students who were
finding CS impossible going for themselves. There is no problem with
someone being competent in multiple disciplines and enjoying it, to
boot. On that score, I completely agree with you about people who
care about knowing an application space cold and treating programming,
in part, as merely an enabling or expanding skill.

>The best programmers are people who are experts in their application
>and also know how to program.

Often, that is the case. The overlap also helps ensure that things
don't "fall through the cracks" between various project people's
specialties. Sometimes, people don't want to extend themselves much
outsite their specialties and when it comes down to it, the programmer
is often the last person putting all the sensor physics, mathematics,
numerical methods, understanding of electronic systems behaviors,
etc., together. And if they aren't the type of person who enjoys
getting into multiple disciplines, they may actually retreat to
blaming others for not conveying sufficient details with sufficient
hand-holding rather than taking some responsibility for making sure
they have what they need.

>The best two programmers I know
>(modestly excluding myself) were chemistry and physics majors who
>taught themselves to program.

I'm a physics major. So who am I to disagree? ;)

>Reminds me of an actual case: during WWII, it was noted that aerial
>gunners weren't very good. So at one training camp, just before the
>final live-shooting exam, they switched the classes and had the cooks
>and bakers class take the gunnery test. They did better than the
>graduates of the gunnery school.

I don't know exactly how that applies to your earlier point, but it
sounds like a good story for something.

Jon

qrk

unread,
Jan 8, 2009, 2:06:24 PM1/8/09
to
On Wed, 07 Jan 2009 05:12:41 +0000, Eeyore
<rabbitsfriend...@hotmail.com> wrote:


>BTW, I like the US term 'Representative'. It might remind them what their damn job is instead of
>feeding like pigs at the trough.
>
>Graham
>
Please don't insult pigs!

Richard The Dreaded Libertarian

unread,
Jan 8, 2009, 2:07:44 PM1/8/09
to
On Tue, 06 Jan 2009 10:07:16 -0500, Hammy wrote:

> This is OT but 90% of the stuff here is. But I thought people here might
> (Eeyore) find it intresting. I found it at BBR.
>
> "Police have been given the power to hack into personal computers without
> a court warrant.

I guess Hitler is finally achieving his dream.

Thanks,
Rich

Joel Koltner

unread,
Jan 8, 2009, 1:16:17 PM1/8/09
to
"Jon Kirwan" <jo...@infinitefactors.org> wrote in message
news:7oram4d9biofsljp9...@4ax.com...

> Over time, the accessibility to becoming a programmer has broadened a
> great deal and in the process the 'average' skill has likewise
> plummeted.

Yes.

> (Ph.D.s once represented the average, in days I personally
> remember, but that would distract my point.)

I don't personally see much correlation between what degrees someone holds and
how good of a programmer they are. Using the "linguistics" tie that some
people here are mentioning, I think of it as the same low correlation between
whether or not someone has an English degree and their success at writing
books... or if you have a Music degree and becoming a superstar.

> When I started teaching at the largest University in my state as an
> adjunct prof, 15 years ago or so, I was shocked by one of the students
> coming to me during her 3rd undergrad year and telling me, "I'm not
> sure I should have decided on a CS degree. I had been thinking about
> accounting before, but decided programming would be 'less stress' and
> still good pay for it." She wanted my thoughts.

I'd guesstimate that at least 2/3 if not 3/4 of those entering college today
are looking for a degree that will provide a good paying job with little
stress. This is what you get in a society that now says everyone is
"supposed" to have a college degree, even if their idea of a fun job is
something more in line with being a millwright or a longshoreman.

---Joel


Joel Koltner

unread,
Jan 8, 2009, 1:06:04 PM1/8/09
to
"Sylvia Else" <syl...@not.at.this.address> wrote in message
news:496562d3$0$26314$afc3...@news.optusnet.com.au...

> John Larkin wrote:
>> What happened to i/d space separation?
> It appears to have been an idea that Intel felt no need to adopt until the
> issue of viruses arose.

I think of it more as just a historical artifact... when Intel was designing
the 8088, transistor cost was such that the additional logic needed for I/D
separation was non-negligible, and as the 8088 morphed into the
286/386/486/586, no one bothered to take a look at some of the core design
criteria... until virii came back to bite them, as you point out.

---Joel


Joel Koltner

unread,
Jan 8, 2009, 1:22:00 PM1/8/09
to
"Martin Brown" <|||newspam|||@nezumi.demon.co.uk> wrote in message
news:3c96112f-4f16-4f4f...@f11g2000vbf.googlegroups.com...

> It is very hard to execute data on a Harvard architecture machine.

I agree, Harvard architecture machines do provide a legitimate benefit there.
I'm perhaps a bit short-sighted on this as I grew up on assembly/C/C++ von
Newumann architectures.

Although people don't like them these days segmented architecture
memory with permissions is an excellent defence against illicit
hostile code being put into a memory segment and then executed. The
belated NOEXECUTE flag is a fine example of shutting the stable door
on Wintel machines when there are still big holes in the walls.

>> I would agree that C/C++ typically it *easier* for novice/inexperienced


>> programmers to write exploitable code, I suppose, but the "solution" of
>> "just
> This definition would appear to include most of the MS development
> team.

Haha... well, as a percentage of total developers at MS, I'd wager you're
correct -- even though I have absolutely zero concrete data in the matter. :-)

>There are better languages that could be used for safety critical
>applications. Modula2 was one of the simplest robust ones that had a
>brief acceptance in some fields, and Ada is another heavyweight
>(although a bit OTT for my tastes).

I haven't used Ada, although I have used the somewhat similar VHDL, and I'd
have to say... it's really rather annoying! When your compiler can tell you
quite specifically what syntactical errors you're making ("...this should have
been 'begin function' and not 'begin architecture' or somesuch...), it's a
sign that your language is overly wordy.

---Joel


Joel Koltner

unread,
Jan 8, 2009, 1:01:29 PM1/8/09
to
Hi Sylvia,

"Sylvia Else" <syl...@not.at.this.address> wrote in message

news:4965504a$0$20975$afc3...@news.optusnet.com.au...


> I'd lay odds that most HTML exploits are of some form of buffer overflow/use
> of freed memory error in the code.

Yep, I'd agree.

> Now, of course, if I owned my own company, things would be different. But
> then, a false proposition implies any proposition.

Well, you do also have *some* choice in where you work... particularly if
you're one of those above-average sorts... although I realize that the quality
of employer you end up with always involves a certain amount chance, and that
changing employers does become more difficult as one gets older and has a
spouse, kids, etc.

(I have a suspicion that the average employee quality at any given company is
relatively uncorrelated with the average employee quality of the entire
workforce... companies with well-above-average employees tend to be quite
discriminating in who they hire, whereas those with below-average employees
often exert effort to keep the "bright guys" down as well...)

> The main down side of safe languages is one of performance. But that really
> isn't an issue these days, provided the software is designed to scale
> properly across multiple systems (it usually isn't but that's a story for
> another day).

Yes, also agree... most software today is waiting on hard drives or the
Internet and not the CPU so much.

> Yes, but employers rairly appreciate the difference between the value of the
> $50K employeer and the $75K one.

Ding ding ding! Yep, very true.

---Joel


YD

unread,
Jan 8, 2009, 6:30:58 AM1/8/09
to
Late at night, by candle light, Jim Thompson
<To-Email-Use-Th...@My-Web-Site.com> penned this immortal
opus:

>On Tue, 06 Jan 2009 19:29:43 +0000, Raveninghorde
><raveninghorde@invalid> wrote:


>
>>On Tue, 06 Jan 2009 10:07:16 -0500, Hammy <spa...@hotmail.com> wrote:
>>
>>>This is OT but 90% of the stuff here is. But I thought people here
>>>might (Eeyore) find it intresting. I found it at BBR.
>>>
>>>"Police have been given the power to hack into personal computers

>>>without a court warrant. The Home Office is facing anger and the
>>>threat of a legal challenge after granting permission. Ministers are
>>>also drawing up plans to allow police across the EU to collect
>>>information from computers in Britain.
>>>
>>>Remote searching can be achieved by sending an email containing a
>>>virus to a suspect's computer which then transmits information about
>>>email contents and web-browsing habits to a distant surveillance
>>>team."
>>>
>>>Full article here.
>>>
>>>http://www.independent.co.uk/news/uk/home-news/new-powers-for-police-to-hack-your-pc-1225802.html
>>

>>Unfortunately England is a police state ruled by foreigners.
>>
>>And that's igoring the EU were most law in enacted by the Council of
>>Ministers not by a elected assembly.
>>
>>Gordon Brown and key ministers represent Scottish seats in parliament.
>>
>> Scotland and Wales now have their own governments. Scotland is
>>responsible for its own health, education, social care policies etc.
>>Scotish (and Welsh) MPs vote on English health and education policies
>>which do not affect them. England therefore ends up with worse
>>services than Scotland and Wales because the outcome does not affect
>>the people who vote for these MPs.
>>
>>Scotland and Wales have more MPs per capita than England amplifying
>>the above.
>>
>>Scotland and Wales receive more per capita from the Government than
>>England.
>>
>>We have more surveillance camaras per capita than any other country.
>>
>>The Labour party got 42 day detention without trial through the house
>>of commons but lost in the house of Lords. We are back to only 28
>>days detetnion without trial.
>>
>>The police arrested a senior member of the Conservative oppostion for
>>receiving leaked information from a civil servant.
>>
>>Local councils use anti-terror powers to monitor dog fouling and
>>rubbish dumping.
>>
>>I'm just waitng for Gordon Brown to cancel the next election.
>>
>>But hey Labour are good old windmill building, high spending, high
>>taxing AGW believing socialists.
>>
>>Roll on the revolution.
>
>And you guys chide our Constitution... WE still observe habeas corpus.
>
> ...Jim Thompson

Just insert the word terrorist somewhere in the claims for arrest and
that goes out the window.

- YD.
--
Remove HAT if replying by mail.

Jasen Betts

unread,
Jan 8, 2009, 3:27:07 PM1/8/09
to
On 2009-01-08, Martin Brown <|||newspam|||@nezumi.demon.co.uk> wrote:

> The distinction between interpretting a bit pattern as an address, an
> integer or a floating point number needs considerable attention for
> low level OS work. Do you mean the value of this floating point number
> rounded to an integer (which might overflow if it is too big) or put
> the binary representation of this floating point number into a 32bit
> integer.
>
> I sometimes think it would have been better if addresses were some
> other length than 32 bits so that the interchangable use of "integers"
> and "pointers" would not have gained such wide acceptance in C.

c basically gets that from assembler.

Dirk Bruere at NeoPax

unread,
Jan 8, 2009, 4:35:54 PM1/8/09
to

Actually, it should have been worded:
"Police have been given the power, but not necessarily the ability, to
hack into the personal computers of witless Luddite criminals without a
court warrant."

--
Dirk

http://www.transcendence.me.uk/ - Transcendence UK
http://www.theconsensus.org/ - A UK political party
http://www.onetribe.me.uk/wordpress/?cat=5 - Our podcasts on weird stuff

Dirk Bruere at NeoPax

unread,
Jan 8, 2009, 4:37:09 PM1/8/09
to

Yes - much better good old fashioned messages such as "Error 1267 -
refer to manual"

Joel Koltner

unread,
Jan 8, 2009, 5:00:41 PM1/8/09
to
"Dirk Bruere at NeoPax" <dirk....@gmail.com> wrote in message
news:6sn9vfF...@mid.individual.net...

> Joel Koltner wrote:
>> When your compiler can tell you quite specifically what syntactical errors
>> you're making ("...this should have been 'begin function' and not 'begin
>> architecture' or somesuch...), it's a sign that your language is overly
>> wordy.
>
> Yes - much better good old fashioned messages such as "Error 1267 - refer to
> manual"

Non-overly-wordy languages don't have such errors in the first place...


Sylvia Else

unread,
Jan 8, 2009, 7:39:48 PM1/8/09
to

The real problem is that the market tolerates such things. If a building
fell down the day after it was finished, someone would get seriously
sued. That very rarely happens in computing (it's not unprecedented, but
certainly rare).

Another problem is the extent to which companies get away with selling
vapourware, and overstating the capabilities of the stuff that actually
exists. In any other industry, the word "fraud" would come readily to mind.

Some years ago, I wrote this page

http://www.cryogenic.net/itscams.html

Sylvia.

jo...@jjdesigns.fsnet.co.uk

unread,
Jan 8, 2009, 7:50:52 PM1/8/09
to

John Larkin wrote:

Best programmer I know was originally a baker. Seems there's a hidden
resource out there.

Eeyore

unread,
Jan 8, 2009, 8:03:42 PM1/8/09
to

Richard The Dreaded Libertarian wrote:

His name is Adolf Stalin a.k.a. Gordon Brown.

Graham

John Larkin

unread,
Jan 8, 2009, 8:06:03 PM1/8/09
to

The point being that the gunnery education was worse than useless. cf
computer science?

John

Jim Thompson

unread,
Jan 8, 2009, 8:07:55 PM1/8/09
to

Is that really the way they spell "triple" in Aussie-land?

I'll ask my client in Adelaide :-)

...Jim Thompson
--
| James E.Thompson, P.E. | mens |
| Analog Innovations, Inc. | et |
| Analog/Mixed-Signal ASIC's and Discrete Systems | manus |
| Phoenix, Arizona 85048 Skype: Contacts Only | |
| Voice:(480)460-2350 Fax: Available upon request | Brass Rat |
| E-mail Icon at http://www.analog-innovations.com | 1962 |

I love to cook with wine Sometimes I even put it in the food

John Larkin

unread,
Jan 8, 2009, 8:28:25 PM1/8/09
to

Should be trippple.

John

Sylvia Else

unread,
Jan 8, 2009, 8:43:07 PM1/8/09
to
Jim Thompson wrote:

> Is that really the way they spell "triple" in Aussie-land?

It should be.

Fixed.

Sylvia.

Jon Kirwan

unread,
Jan 9, 2009, 2:30:27 AM1/9/09
to
On Thu, 08 Jan 2009 17:06:03 -0800, John Larkin
<jjla...@highNOTlandTHIStechnologyPART.com> wrote:

><snip>


>The point being that the gunnery education was worse than useless. cf
>computer science?

Could be true. Don't ask me about it. I have taught it at University
level because they needed someone to fill in for a while, until they
could "find a steady." But physics is my world, not computer science,
and at the time I was learning I think people were better served
learning computer science on the side, not as a field of study absent
others. It's the way I did it. Never took a single computer science
course in my life.

So no argument from me about that period. I'm not sure about today.
The general argument you make may still hold substantial water, but I
can imagine some possible cases where one might debate things a
little. Still, I'd probably want to take your side on it.

Jon

Martin Brown

unread,
Jan 9, 2009, 4:12:47 AM1/9/09
to
On Jan 8, 4:15 pm, John Larkin

<jjlar...@highNOTlandTHIStechnologyPART.com> wrote:
> On Thu, 8 Jan 2009 04:40:58 -0800 (PST), Martin Brown
>
> <|||newspam...@nezumi.demon.co.uk> wrote:
> >> away people who want to play programming games but don't care about
> >> applications.
>
> >> Cobol comes to mind.
>
> >> Cobol was, of course, invented by Grace Hopper. Someone here recently
> >> observed that English majors may make better programmers than CS
> >> majors. There may be something going on here; the classic male geek
> >> empathy-free visual-spatial game playing mentality may not be best way
> >> to get good code.
>
> >You are barking up the wrong tree. Any of the strongly typed languages
> >where you have to say exactly what you intend weed out a lot of the
> >classic C faults at compile time - and the optional bounds checking on
> >arrays can catch quite a lot of common fence post errors at runtime
> >too.
>
> Anyone can google "software failure" and see what a disaster current
> programming languages and culture are. This mess not only costs
> society maybe a trillion dollars a year, it is a major threat to
> national security.

It generally isn't the computer languages that are to blame for major
software project failures!
If you had to list the top five causes in order of priority they are

Bad planning
Inconsistent requirements
Inadequate specifications
Poor change control
Inadequate testing

Add to that the slimy salesman who takes his commission for making the
sale and moves jobs before the shit hits the fan and you have a recipe
for total and utter disaster. I have been on both sides of the
transaction so I know very well what happens.

UK has 8 Chinook 2 helicopters since 1995 that cannot fly in cloudy
weather and in some cases crash spontaneously due to phantom engine
faults thanks to innumerate halfwits specifying the kit and Boeings
intransigence.

http://www.timesonline.co.uk/tol/news/politics/article2584509.ece

A mishap with a Chinook crashing in low cloud/fog took out almost the
entire UK anti-terrorist team with specialist knowledge of the IRA.
It didn't help that they were flying without a black box flight
recorder. The MOD chose to blame pilot error for the accident. Noone
else does.

http://news.scotsman.com/chinookinquiry/RAF-put-UKs-top-antiterrorist.2530836.jp

Would you want to fly on a dual rotor helicopter with dodgy engine
fadecs? I suggest you read the link above to see what a total MFU this
one has been from start to end (now more than a decade and still
counting).

> It's obscene that a practice with such abysmal results - 50% failure
> rates for large projects, programs with thousands of bugs - should be
> graced with academic titles like "computer science" and "software
> engineering." No real science would be allowed such slop, climatology
> excepted.

I am inclined to agree that "software engineering" is still immature
to the point of not being engineering. The trouble is there are lots
of people calling themselves software engineers and no quality
control.

Computer science is a legitimate academic subject and the researchers
there are doing stuff that will improve things. Much of what is taught
is important and useful stuff and there are some excellent
researchers. Mathematica is a spinoff of pure academic research that
started life as much simpler algrebra systems in the 80's. Plenty of
developments in academia have improved performance and testability
that you are choosing to ignore.

Regards,
Martin Brown

Martin Brown

unread,
Jan 9, 2009, 4:27:49 AM1/9/09
to
On Jan 8, 6:22 pm, "Joel Koltner" <zapwireDASHgro...@yahoo.com> wrote:
> "Martin Brown" <|||newspam...@nezumi.demon.co.uk> wrote in message

>
> news:3c96112f-4f16-4f4f...@f11g2000vbf.googlegroups.com...
>
> > It is very hard to execute data on a Harvard architecture machine.
>
> I agree, Harvard architecture machines do provide a legitimate benefit there.
> I'm perhaps a bit short-sighted on this as I grew up on assembly/C/C++ von
> Newumann architectures.

They are making a comeback in some microcontrollers.

We could go to segmented non-flat memory architectures if people
really believed security mattered. The trouble is that a truly secure
Windows OS would break all the legacy peeky pokey games code. And to
be fair computer games are actually a lot more reliable than the
average consumer shrink wrap software.

> >> I would agree that C/C++ typically it *easier* for novice/inexperienced
> >> programmers to write exploitable code, I suppose, but the "solution" of
> >> "just
> > This definition would appear to include most of the MS development
> > team.
>
> Haha... well, as a percentage of total developers at MS, I'd wager you're
> correct -- even though I have absolutely zero concrete data in the matter. :-)
>
> >There are better languages that could be used for safety critical
> >applications. Modula2 was one of the simplest robust ones that had a
> >brief acceptance in some fields, and Ada is another heavyweight
> >(although a bit OTT for my tastes).
>
> I haven't used Ada, although I have used the somewhat similar VHDL, and I'd
> have to say... it's really rather annoying!  When your compiler can tell you
> quite specifically what syntactical errors you're making ("...this should have
> been 'begin function' and not 'begin architecture' or somesuch...), it's a
> sign that your language is overly wordy.

Better to have the extra word than to find that the compiler has
silently made the wrong assumption about what you had intended.
Allowing the compiler to suggest corrections during compilation is one
way out of this - several modern compilers and IDEs can highlight
things they don't like and/or offer continuations. Syntax directed
editors are a step in the right direction.

The error messages that really wind me up are of the form "missing
END" or "missing }" detected at end of file (rather than pointing at
or giving the line number of the unbound opening bracket). I have lost
count of the number of compilers where this happens when a single
mismatched opening bracket sneaks in.

Regards,
Martin Brown

Martin Brown

unread,
Jan 9, 2009, 4:38:27 AM1/9/09
to
On Jan 8, 8:27 pm, Jasen Betts <ja...@xnet.co.nz> wrote:

That has only been true in the era of 32bit CPUs.

Prior to that the physical address space of a machine was typically
twice the width of its working registers (although some had a more
limited subset). And in the very early days the length of a byte was
not always 8 bits.

Regards,
Martin Brown

Jasen Betts

unread,
Jan 9, 2009, 5:24:25 AM1/9/09
to
On 2009-01-09, Martin Brown <|||newspam|||@nezumi.demon.co.uk> wrote:
> On Jan 8, 8:27 pm, Jasen Betts <ja...@xnet.co.nz> wrote:
>> On 2009-01-08, Martin Brown <|||newspam...@nezumi.demon.co.uk> wrote:
>>
>> > The distinction between interpretting a bit pattern as an address, an
>> > integer or a floating point number needs considerable attention for
>> > low level OS work. Do you mean the value of this floating point number
>> > rounded to an integer (which might overflow if it is too big) or put
>> > the binary representation of this floating point number into a 32bit
>> > integer.
>>
>> > I sometimes think it would have been better if addresses were some
>> > other length than 32 bits so that the interchangable use of "integers"
>> > and "pointers" would not have gained such wide acceptance in C.
>>
>> c basically gets that from assembler.
>
> That has only been true in the era of 32bit CPUs.

No, it was (often) true in dos on the 8088

the Z-80 also had registers that could hold a 16 bit pointer or do 16
bit arithmetic.

I don't know a whole lot about the architecture of the vax that the
first C compiler was developed on, but I'd be most surprised if it
didnt use the same registers for both arithmetic and indirection.

Sylvia Else

unread,
Jan 9, 2009, 5:49:28 AM1/9/09
to

I think this integer versus pointer thing is a bit of red herring
anyway. Early versions of 'C' were a bit strange by modern standards,
but ANSI C requires that pointers have a defined type before they can be
used.

The problems lie in the fact that pointers can be manipulated in ways
that mean there is no guarantee that the pointer actually points at
something of the type specified for the pointer. And in any case, the
memory pointed at might have been freed back to the memory pool and
reused, or might be in a stack frame that no longer exists. Such errors
are easily made, and create potentially exploitable holes (if you're
lucky the program simply breaks, but there are no guarantees).

It doesn't help that management can be so indifferent. Way back when,
I'd implemented memory routines for C that performed various checks for
improper memory use - for example guard values at the beginning and end
of allocated memory areas that were checked when the memory was release.
When these checks were flagging errors in a piece of software that was
not otherwise failing in any obvious way, my manager asked me whether I
could just suppress the error messages that resulted. I point blank refused.

Sylvia.

Rich Grise

unread,
Jan 9, 2009, 2:00:35 PM1/9/09
to
On Wed, 07 Jan 2009 17:14:08 -0800, John Larkin wrote:
>
> What happened to i/d space separation?

The intel engineers weren't smart enough to figure out how to
use/implement it?

Thanks,
Rich

krw

unread,
Jan 9, 2009, 2:36:34 PM1/9/09
to
In article <pan.2009.01.09....@example.net>,
ri...@example.net says...>

Nah, they figured out the harvard architecture for the 8051. ;-)


John Larkin

unread,
Jan 9, 2009, 3:33:47 PM1/9/09
to

Most of Intel's architectures were horrible kluges, out of the
mainstream of computing. One can say the same about Microsoft's
software.

John

Nobody

unread,
Jan 9, 2009, 7:25:06 PM1/9/09
to
On Thu, 08 Jan 2009 04:16:18 -0800, Martin Brown wrote:

>> Even compilers for Intel crud should be able to position stuff so that
>> stacks don't overflow into code.
>
> That isn't how it is done. The basic trick is that a fixed length
> buffer on the stack is overflowed in such a way as to deliberately
> overwrite the return address with a pointer to code you want executed
> and the code itself. It isn't the compilers fault that C allows and
> even encourages sloppy programming practices in the name of
> efficiency.

It isn't C's fault that compiler (and OS) developers provide the simplest
implementation rather than the most robust. C doesn't actually require you
to use a single stack for both data and return addresses, nor a common
address space for code and data.

Nor is it C's fault that programmers omit bounds checking (or, more
generally, that they are writing applications using a language which was
created for writing operating systems and device drivers). Sure, there are
languages which will do bounds checking for you. But you wouldn't want to
(or even be able to) use many of them for writing device drivers or
code which needs to fit into a few KiB of RAM.

Sylvia Else

unread,
Jan 9, 2009, 7:58:05 PM1/9/09
to
Nobody wrote:
> On Thu, 08 Jan 2009 04:16:18 -0800, Martin Brown wrote:
>
>>> Even compilers for Intel crud should be able to position stuff so that
>>> stacks don't overflow into code.
>> That isn't how it is done. The basic trick is that a fixed length
>> buffer on the stack is overflowed in such a way as to deliberately
>> overwrite the return address with a pointer to code you want executed
>> and the code itself. It isn't the compilers fault that C allows and
>> even encourages sloppy programming practices in the name of
>> efficiency.
>
> It isn't C's fault that compiler (and OS) developers provide the simplest
> implementation rather than the most robust. C doesn't actually require you
> to use a single stack for both data and return addresses, nor a common
> address space for code and data.
>
> Nor is it C's fault that programmers omit bounds checking

It's not just the omission of bounds checking by programmers that has
caused problems. Sometimes programmers have tried to do the right thing,
but simply got their code wrong. Humans are fallible, and it's an easy
mistake to make. Some errors are quite subtle - even code that is
superficially correct can be subverted if it's vulnerable to specified
sizes that are treated as signed quantities on one place, and unsigned
in others.

What's required is someone with deep pockets who suffers damage at the
hands of faulty MS software written in C or C++ to sue for negligence -
the negligence being that the software was written in those languages.
Then the message might start to get out that using these languages for
application software is just too risky.

I'm not holding my breath though.

Sylvia.


krw

unread,
Jan 9, 2009, 8:27:00 PM1/9/09
to

Much of the x86 cruft was to maintain backward compatability. IBM has
done the same, though more successfully. ;-)

>One can say the same about Microsoft's software.

There you have me. M$ hasn't even tried to maintian backward
compatability. Different interests.

Sylvia Else

unread,
Jan 9, 2009, 8:36:37 PM1/9/09
to

I would have thought they have, simply because otherwise they'd have
create major obstacles to upgrades. Many MSDOS programs will run happily
under Windows XP - even those that think they're directly controlling a
sound card.

Sylvia.

Nobody

unread,
Jan 10, 2009, 10:39:50 AM1/10/09
to
On Sat, 10 Jan 2009 11:58:05 +1100, Sylvia Else wrote:

>> Nor is it C's fault that programmers omit bounds checking
>
> It's not just the omission of bounds checking by programmers that has
> caused problems. Sometimes programmers have tried to do the right thing,
> but simply got their code wrong. Humans are fallible, and it's an easy
> mistake to make. Some errors are quite subtle - even code that is
> superficially correct can be subverted if it's vulnerable to specified
> sizes that are treated as signed quantities on one place, and unsigned
> in others.

Yep; I believe that was covered in the remainder of the sentence:

>> (or, more generally, that they are writing applications using a
>> language which was created for writing operating systems and device
>> drivers)

> What's required is someone with deep pockets who suffers damage at the

> hands of faulty MS software written in C or C++ to sue for negligence -
> the negligence being that the software was written in those languages.
> Then the message might start to get out that using these languages for
> application software is just too risky.

I can't really think of anyone with pockets deep enough to really worry
Microsoft. The DoJ doesn't seem to have troubled them much, and they only
seem to worry about the EU insofar as they'll catch flak from the rest of
the Fortune500 if they're seen as triggering further regulation.

More significantly, I'm not so sure that you can argue that any
specific fault in C/C++ software amounts to "negligence" simply for using
C/C++ either.

Sure, a higher-level language might have caught a particular bug, but it
might also have introduced a few of its own. Higher-level languages often
have quite complex semantics, while C's are rather simple (although
sometimes counter-intuitive if you don't have a background in digital
logic).

PHP doesn't have buffer overruns, but it's infamous for injection
attacks, XSS, CSRF etc. In the same way that leaving bounds checking to
the programmer is inviting insufficient bounds checking, requiring
programmers to perform code (SQL, HTML, XML, /bin/sh, etc) generation
using generic string manipulation operations (rather than operating upon a
tree via e.g. DOM) is inviting injection attacks.

And most dynamic/interpreted languages will only perform the most
rudimentary static analysis (i.e. parsing), so you may miss quite blatant
bugs if you fail to test a specific branch. Errors in code which handling
errors (particularly obscure or awkward ones) is quite often lacking in
this area.

OTOH, compiled languages will generally catch code which is
never going to work, particularly if you have a rich type system like
Haskell. This is a long way from formal verification, but it's still
better than you get from most dynamic languages.

Then there's the Law Of Unintended Consequences. Reducing the minimum
skill level has a tendency to reduce the average skill level as well.
Although I quite like Python as a language, the quality of many of the
popular libraries (even some of those included in the core package) is
pretty dire compared to similar libraries written in C, C++, Fortran,
and the like.

Actually, straying too far from the herd can increase the risk, not just
the risk of liability, but the risk of creating the defect in the first
place. If you're using a popular language, both its pitfalls and
their solutions become known more widely and more quickly, it's
easier to obtain skilled workers, easier to obtain training, compiler bugs
get discovered faster, etc.

And I probably still write most of my code in C. C++ if the OO abstraction
is likely to be fundamental to the design, but otherwise it's not worth
the trouble. Lisp or Python if I need a dynamic language (I prefer Lisp as
a language, but Python is more mainstream right now). Other languages if
the language has a feature which will significantly simplify the task at
hand, doesn't have major obstacles, and a minority language isn't a
problem (Haskell often fills this role).

I suspect that Java is probably the most likely candidate to take over
from C/C++ as the new application language (what COBOL was before the
industry was rebooted by PCs and the rump of the industry (mainframes)
became a niche).

It doesn't let you do the really dangerous stuff (e.g. unchecked pointer
manipulations), it isn't that far from C++ (but with some of the biggest
pitfalls filled over), doesn't force too much BS onto you, isn't
ridiculously slow, and seems to still be gaining substantial market share.

The main obstacle to Java is that it doesn't facilitate (and
could even harm) Microsoft's dominance, which is about the only factor
which ever matters to Microsoft. Although the same is probably true for
most large companies, most companies don't get to operate like a
modern-day East India Company.

So in the meantime, Microsoft is trying to make the world use C#, those
who haven't been assimilated are either sticking with C/C++, migrating to
Java, or are Web 2.0 developers who will continue to produce bug-ridden
code until the economy recovers and their career takes an upward turn into
burger-flipping.

krw

unread,
Jan 10, 2009, 11:15:02 AM1/10/09
to

Because one program works dosn't make backward compatability. Those
that directly control hardware will not work.

Nobody

unread,
Jan 10, 2009, 2:12:34 PM1/10/09
to
On Sat, 10 Jan 2009 10:15:02 -0600, krw wrote:

>>> There you have me. M$ hasn't even tried to maintian backward
>>> compatability. Different interests.
>>
>>I would have thought they have, simply because otherwise they'd have
>>create major obstacles to upgrades. Many MSDOS programs will run happily
>>under Windows XP - even those that think they're directly controlling a
>>sound card.
>
> Because one program works dosn't make backward compatability. Those
> that directly control hardware will not work.

Windows doesn't allow programs to directly control hardware; only device
drivers can do that.

If the program tries to use INB/OUTB, the CPU will trap it and pass it
to the OS. The software doesn't even know that it isn't getting direct
hardware access.

Likewise for running DOS games in a console window. The code writes to
page 0xA000 on the assumption that it's writing to VGA memory, when it's
actually just writing to a block of RAM Windows has set up.

I suggest reading up on the privilege mechanisms provided by modern CPUs
(286 and onward for x86) before making assertions which are both readily
falsifiable (write code which accesses the "hardware" directly, then run
it) and self-contradictory (if the program really is accessing the
hardware directly, the OS simply doesn't come into the picture;
compatibility is a hardware issue).

As for the original contention: if you want DOS compatibility beyond the
level which Windows provides, then you're going to need a copy of DOS and
an old PC. Because if you try to install that copy of DOS on a current
system, it ain't going to happen. The Mobo/BIOS vendors don't give a
damn whether DOS 6.x runs on their hardware; if the BIOS provides enough
support to let you install Windows, it's done its job.

I'm not sure that Microsoft is that much worse than any other developer
when it comes to compatibility. Sometimes they keep stuff which should
have been drowned at birth because they can't afford to break
compatibility, other times they break compatibility for no benefit to the
end user simply to drive upgrade revenues.


krw

unread,
Jan 10, 2009, 4:11:41 PM1/10/09
to
On Sat, 10 Jan 2009 19:12:34 +0000, Nobody <nob...@nowhere.com> wrote:

>On Sat, 10 Jan 2009 10:15:02 -0600, krw wrote:
>
>>>> There you have me. M$ hasn't even tried to maintian backward
>>>> compatability. Different interests.
>>>
>>>I would have thought they have, simply because otherwise they'd have
>>>create major obstacles to upgrades. Many MSDOS programs will run happily
>>>under Windows XP - even those that think they're directly controlling a
>>>sound card.
>>
>> Because one program works dosn't make backward compatability. Those
>> that directly control hardware will not work.
>
>Windows doesn't allow programs to directly control hardware; only device
>drivers can do that.

Duh, ya think?

>If the program tries to use INB/OUTB, the CPU will trap it and pass it
>to the OS. The software doesn't even know that it isn't getting direct
>hardware access.
>
>Likewise for running DOS games in a console window. The code writes to
>page 0xA000 on the assumption that it's writing to VGA memory, when it's
>actually just writing to a block of RAM Windows has set up.
>
>I suggest reading up on the privilege mechanisms provided by modern CPUs
>(286 and onward for x86) before making assertions which are both readily
>falsifiable (write code which accesses the "hardware" directly, then run
>it) and self-contradictory (if the program really is accessing the
>hardware directly, the OS simply doesn't come into the picture;
>compatibility is a hardware issue).
>
>As for the original contention: if you want DOS compatibility beyond the
>level which Windows provides, then you're going to need a copy of DOS and
>an old PC. Because if you try to install that copy of DOS on a current
>system, it ain't going to happen. The Mobo/BIOS vendors don't give a
>damn whether DOS 6.x runs on their hardware; if the BIOS provides enough
>support to let you install Windows, it's done its job.
>
>I'm not sure that Microsoft is that much worse than any other developer
>when it comes to compatibility. Sometimes they keep stuff which should
>have been drowned at birth because they can't afford to break
>compatibility, other times they break compatibility for no benefit to the
>end user simply to drive upgrade revenues.

You're clearly a kid.

Sylvia Else

unread,
Jan 10, 2009, 5:52:13 PM1/10/09
to
krw wrote:

>
> Because one program works dosn't make backward compatability. Those
> that directly control hardware will not work.

Programs that used sound cards were directly controlling hardware. Some
of them still work under XP, because they now functioning in a limited
virtual hardware environment.

Sylvia.

Sylvia Else

unread,
Jan 10, 2009, 6:17:02 PM1/10/09
to
Nobody wrote:
>
> PHP doesn't have buffer overruns, but it's infamous for injection
> attacks, XSS, CSRF etc. In the same way that leaving bounds checking to
> the programmer is inviting insufficient bounds checking, requiring
> programmers to perform code (SQL, HTML, XML, /bin/sh, etc) generation
> using generic string manipulation operations (rather than operating upon a
> tree via e.g. DOM) is inviting injection attacks.

PHP is a backwards step anyway, having abandoned strong typing, but even
there it is easier to avoid vulnerabilities through coding standards
(requiring the use of an established library of methods for such things)
then it is to avoid buffer overflows and such like in C/C++. Of course,
coding standards have to be enforced with code reviews, but at least the
latter have a chance of finding breaches. Spotting a buffer overflow in
someone else's code requires considerable work - particularly if the
problem is that they've included bounds checking but got it wrong.

> I suspect that Java is probably the most likely candidate to take over
> from C/C++ as the new application language (what COBOL was before the
> industry was rebooted by PCs and the rump of the industry (mainframes)
> became a niche).

I would like to think that you're right, but I see little evidence of it.

> So in the meantime, Microsoft is trying to make the world use C#, those
> who haven't been assimilated are either sticking with C/C++, migrating to
> Java, or are Web 2.0 developers who will continue to produce bug-ridden
> code until the economy recovers and their career takes an upward turn into
> burger-flipping.
>

I don't see an economic recovery having that effect. If anything it's
more likely that existing burger flippers will migrate into software
development, because managers don't realise that these people have
negative value.

Sylvia.

It is loading more messages.
0 new messages