In The Register, Shaun Nichols discusses the way Microsoft has effectively hidden the extent and severity of security changes in this month’s Windows 10 patch:
Microsoft today buried among minor bug fixes patches for critical security flaws that can be exploited by attackers to hijack vulnerable computers.
In a massive shakeup of its monthly Patch Tuesday updates, the Windows giant has done away with its easy-to-understand lists of security fixes published on TechNet – and instead scattered details of changes across a new portal: Microsoft’s Security Update Guide.
Billed by Redmond as “the authoritative source of information on our security updates,” the portal merely obfuscates discovered vulnerabilities and the fixes available for them. Rather than neatly split patches into bulletins as in previous months, Microsoft has dumped the lot into an unwieldy, buggy and confusing table that links out to a sprawl of advisories and patch installation instructions.
Punters and sysadmins unable to handle the overload of info are left with a fact-light summary of April’s patches – or a single bullet point buried at the end of a list of tweaks to, for instance, Windows 10.
Now, ordinary folk are probably happy with installing these changes as soon as possible, silently and automatically, without worrying about the nitty-gritty details of the fixed flaws. However, IT pros, and anyone else curious or who wants to test patches before deploying them, will have to fish through the portal’s table for details of individual updates.
Crucially, none of these programming blunders are mentioned in the PR-friendly summary put out today by Microsoft – a multibillion-dollar corporation that appears to care more about its image as a secure software vendor than coming clean on where its well-paid engineers cocked up. The summary lists “security updates” for “Microsoft Windows,” “Microsoft Office,” and “Internet Explorer” without version numbers or details.
ESR performs a useful service in pulling together a document on what all hackers used to need to know, regardless of the particular technical interest they followed. I was never technical enough to be a hacker, but I worked with many of them, so I had to know (or know where to find) much of this information, too.
One fine day in January 2017 I was reminded of something I had half-noticed a few times over the previous decade. That is, younger hackers don’t know the bit structure of ASCII and the meaning of the odder control characters in it.
This is knowledge every fledgling hacker used to absorb through their pores. It’s nobody’s fault this changed; the obsolescence of hardware terminals and the RS-232 protocol is what did it. Tools generate culture; sometimes, when a tool becomes obsolete, a bit of cultural commonality quietly evaporates. It can be difficult to notice that this has happened.
This document is a collection of facts about ASCII and related technologies, notably hardware terminals and RS-232 and modems. This is lore that was at one time near-universal and is no longer. It’s not likely to be directly useful today – until you trip over some piece of still-functioning technology where it’s relevant (like a GPS puck), or it makes sense of some old-fart war story. Even so, it’s good to know anyway, for cultural-literacy reasons.
One thing this collection has that tends to be indefinite in the minds of older hackers is calendar dates. Those of us who lived through all this tend to have remembered order and dependencies but not exact timing; here, I did the research to pin a lot of that down. I’ve noticed that people have a tendency to retrospectively back-date the technologies that interest them, so even if you did live through the era it describes you might get a few surprises from reading.
There are references to Unix in here because I am mainly attempting to educate younger open-source hackers working on Unix-derived systems such as Linux and the BSDs. If those terms mean nothing to you, the rest of this document probably won’t either.
Cory Doctorow reports on a hopeful sign that we might be able to get rid of one of the more pernicious aspects of the DMCA rules:
Section 1201 of the 1998 Digital Millennium Copyright Act makes it both a crime and a civil offense to tamper with software locks that control access to copyrighted works — more commonly known as “Digital Rights Management” or DRM. As the number of products with software in them has exploded, the manufacturers of these products have figured out that they can force their customers to use their own property in ways that benefit the company’s shareholders, not the products’ owners — all they have to do is design those products so that using them in other ways requires breaking some DRM.
The conversion of companies’ commercial preferences into legally enforceable rights has been especially devastating to the repair sector, a huge slice of the US economy, as much as 4% of GDP, composed mostly of small mom-n-pop storefront operations that create jobs right in local communities, because repair is a local business. No one wants to send their car, or even their phone, to China or India for servicing.
Three states are considering “Right to Repair” bills that would override the DMCA’s provisions, making it legal to break DRM to effect repairs, ending the bizarre situation where cat litter boxes are given the same copyright protection as the DVD of Sleeping Beauty. Grassroots campaigns in Nebraska, Minnesota, and New York prompted the introduction of these bills and there’s more on the way. EFF and the Right to Repair coalition are pushing for national legislation too, in the form of the Unlocking Technology Act.
The #gotofail episode will become a text book example of not just poor attention to detail, but moreover, the importance of disciplined logic, rigor, elegance, and fundamental coding theory.
A still deeper lesson in all this is the fragility of software. Prof Arie van Deursen nicely describes the iOS7 routine as “brittle”. I want to suggest that all software is tragically fragile. It takes just one line of silly code to bring security to its knees. The sheer non-linearity of software — the ability for one line of software anywhere in a hundred million lines to have unbounded impact on the rest of the system — is what separates development from conventional engineering practice. Software doesn’t obey the laws of physics. No non-trivial software can ever be fully tested, and we have gone too far for the software we live with to be comprehensively proof read. We have yet to build the sorts of software tools and best practice and habits that would merit the title “engineering”.
I’d like to close with a philosophical musing that might have appealed to my old mentors at Telectronics. Post-modernists today can rejoice that the real world has come to pivot precariously on pure text. It is weird and wonderful that technicians are arguing about the layout of source code — as if they are poetry critics.
We have come to depend daily on great obscure texts, drafted not by people we can truthfully call “engineers” but by a largely anarchic community we would be better off calling playwrights.
Bundling refers to when two or more goods are sold together as a package. Microsoft Office, Cable TV, Lexis-Nexis, and Spotify all provide examples of bundling. What if there were no bundling and you had to pay for Cable TV by channel rather than purchasing channels in bundles? Would you end up paying more or less? We explore this question and others in this video.
Posted something at the work blog today about these apps that help you do things you previously did with low-tech means, like assembling grocery lists. One of the comments praised a grocery app that gave you turn-by-turn instructions in your store. I never, ever want to hear my phone say “You have arrived at frozen breaded chicken patties.” The idea of people walking through a store, pushing a cart, staring at the screen to see where the coffee is located — as opposed to looking up for the word COFFEE — is the sort of thing from a comedic dystopia. Then: story in the WSJ the other day about someone else starting a service that delivers groceries to your house. The predicate for the business: “no one likes to go grocery shopping.”
I love to go grocery shopping. I went grocery shopping tonight; hit four stores in 90 minutes. Explain to me how it is possible to have an understanding of modern American culture without going to the grocery store. Someone who grocery-shops weekly has a better grasp on our civilization than someone who spends four years getting a doctorate in Marketing. If they offer such things. I suspect that anyone interested in marketing gets out there and markets as soon as possible, and a doctorate would be useful only for teaching other people about Marketing, which you’ve never done, but studied.
It’s like Journalism school. Saying you understand Journalism because you went to Journalism school is like saying you have a command of the basics of Dentistry because you used a pencil to black out the teeth in a picture of someone’s head.
At The Register, Iain Thomson explains a new sneaky way for unscrupulous companies to snag your personal data without your knowledge or consent:
Earlier this week the Center for Democracy and Technology (CDT) warned that an Indian firm called SilverPush has technology that allows adverts to ping inaudible commands to smartphones and tablets.
Now someone has reverse-engineered the code and published it for everyone to check.
SilverPush’s software kit can be baked into apps, and is designed to pick up near-ultrasonic sounds embedded in, say, a TV, radio or web browser advert. These signals, in the range of 18kHz to 19.95kHz, are too high pitched for most humans to hear, but can be decoded by software.
An application that uses SilverPush’s code can pick up these messages from the phone or tablet’s built-in microphone, and be directed to send information such as the handheld’s IMEI number, location, operating system version, and potentially the identity of the owner, to the application’s backend servers.
Imagine sitting in front of the telly with your smartphone nearby. An advert comes on during the show you’re watching, and it has a SilverPush ultrasonic message embedded in it. This is picked up by an app on your mobile, which pings a media network with information about you, and could even display followup ads and links on your handheld.
How it works … the transfer of sound-encoded information from a TV to a phone to a backend server
“This kind of technology is fundamentally surreptitious in that it doesn’t require consent; if it did require it then the number of users would drop,” Joe Hall, chief technologist at CDT told The Register on Thursday. “It lacks the ability to have consumers say that they don’t want this and not be associated by the software.”
Hall pointed out that very few of the applications that include the SilverPush SDK tell users about it, so there was no informed consent. This makes such software technically illegal in Europe and possibly in the US.
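The article names the 18 kHz to 19.95 kHz band the beacons live in, which is exactly the band a defender can monitor for. As an added example, not code from The Register or from SilverPush, this Python scans a constructed audio clip for a lone carrier standing out in that band using the Goertzel algorithm; the 44.1 kHz sample rate, the 50 Hz probe spacing and the detection thresholds are assumptions.

```python
import math
import random

SAMPLE_RATE = 44100               # assumed microphone capture rate (constructed)
BEACON_BAND = (18000.0, 19950.0)  # near-ultrasonic band named in the article
BIN_STEP = 50.0                   # assumed spacing of probe frequencies in band


def goertzel_power(samples, sample_rate, freq):
    """Normalized power |X[k]|^2 / n^2 at the DFT bin nearest `freq`."""
    n = len(samples)
    k = round(n * freq / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:                      # second-order recurrence, O(n)
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return power / (n * n)


def scan_beacon_band(samples, sample_rate=SAMPLE_RATE):
    """Probe the beacon band; return (peak_freq, peak_power, band_median)."""
    lo, hi = BEACON_BAND
    probes = []
    f = lo
    while f <= hi + 1e-9:
        probes.append((goertzel_power(samples, sample_rate, f), f))
        f += BIN_STEP
    powers = sorted(p for p, _ in probes)
    band_median = powers[len(powers) // 2]   # noise floor estimate for the band
    peak_power, peak_freq = max(probes)
    return peak_freq, peak_power, band_median


def beacon_present(samples, sample_rate=SAMPLE_RATE, ratio=20.0, floor=1e-6):
    """Flag a beacon when one probe dominates its band AND carries real energy."""
    # ratio/floor are assumed thresholds: a lone carrier must sit well above the
    # band's noise floor and above a small fraction of the clip's total power.
    _, peak, band_median = scan_beacon_band(samples, sample_rate)
    mean_square = sum(x * x for x in samples) / len(samples)
    return peak > ratio * band_median and peak > floor * mean_square


def synth_clip(seconds=0.5, beacon_hz=None, seed=7):
    """Constructed audio: two voice-band tones, light noise, optional beacon."""
    rng = random.Random(seed)
    n = int(seconds * SAMPLE_RATE)
    clip = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t)
        x += 0.3 * math.sin(2 * math.pi * 1000 * t)
        x += rng.uniform(-0.01, 0.01)
        if beacon_hz is not None:
            x += 0.05 * math.sin(2 * math.pi * beacon_hz * t)  # quiet carrier
        clip.append(x)
    return clip


if __name__ == "__main__":
    clip = synth_clip(beacon_hz=19000.0)
    print(scan_beacon_band(clip), beacon_present(clip))
```

On real captures the same scan runs over successive half-second windows; a carrier that persists across windows while the audible content changes is the pattern worth alerting on.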
Eric S. Raymond explains how technical documentation can manage the difficult task of being both demonstrably complete and technically correct and yet totally fail to meet the needs of the real audience:
I was using “hieratic” in a sense like this:
hieratic, adj. Of computer documentation, impenetrable because the author never sees outside his own intimate knowledge of the subject and is therefore unable to identify or meet the expository needs of newcomers. It might as well be written in hieroglyphics.
Hieratic documentation can be all of complete, correct, and nearly useless at the same time. I think we need this word to distinguish subtle disasters like the waf book – or most of the NTP documentation before I got at it – from the more obvious disasters of documentation that is incorrect, incomplete, or poorly written simply considered as expository prose.
Eric S. Raymond on the demands for political correctness even within the hacker community:
I’m not going to analyze SJW ideology here except to point out, again, why the hacker culture must consider anyone who holds it an enemy. This is because we must be a cult of meritocracy. We must constantly demand merit – performance, intelligence, dedication, and technical excellence – of ourselves and each other.
Now that the Internet – the hacker culture’s creation! – is everywhere, and civilization is increasingly software-dependent, we have a duty, the duty I wrote about in Holding Up The Sky. The invisible gears have to turn. The shared software infrastructure of civilization has to work, or economies will seize up and people will die. And for large sections of that infrastructure, it’s on us – us! – to keep it working. Because nobody else is going to step up.
We dare not give less than our best. If we fall away from meritocracy – if we allow the SJWs to remake us as they wish, into a hell-pit of competitive grievance-mongering and political favoritism for the designated victim group of the week – we will betray not only what is best in our own traditions but the entire civilization that we serve.
This isn’t about women in tech, or minorities in tech, or gays in tech. The hacker culture’s norm about inclusion is clear: anybody who can pull the freight is welcome, and twitching about things like skin color or shape of genitalia or what thing you like to stick into what thing is beyond wrong into silly. This is about whether we will allow “diversity” issues to be used as wedges to fracture our community, degrade the quality of our work, and draw us away from our duty.
When hackers fail our own standards of meritocracy, as we sometimes do, it’s up to us to fix it from within our own tradition: judge by the work alone, you are what you do, shut up and show us the code. A movement whose favored tools include the rage mob, the dox, and faked incidents of bigotry is not morally competent to judge us or instruct us.
I have been participating in and running open-source projects for a quarter-century. In all that time I never had to know or care whether my fellow contributors were white, black, male, female, straight, gay, or from the planet Mars, only whether their code was good. The SJWs want to make me care; they want to make all of us obsess about this, to the point of having quotas and struggle sessions and what amounts to political officers threatening us if we are insufficiently “diverse”.
It has been suggested that djangoconcardiff might be a troll emulating an SJW, and we should thus take him less seriously. The problem with this idea is that no SJW disclaimed him – more generally, that “Social Justice” has reached a sort of Poe’s Law singularity at which the behavior of trolls and true believers becomes indistinguishable even to each other, and has the same emergent effects.
On one occasion, as Master Foo was traveling to a conference with a few of his senior disciples, he was accosted by a hardware designer.
The hardware designer said: “It is rumored that you are a great programmer. How many lines of code do you write per year?”
Master Foo replied with a question: “How many square inches of silicon do you lay out per year?”
“Why…we hardware designers never measure our work in that way,” the man said.
“And why not?” Master Foo inquired.
“If we did so,” the hardware designer replied, “we would be tempted to design chips so large that they cannot be fabricated – and, if they were fabricated, their overwhelming complexity would make it impossible to generate proper test vectors for them.”
Master Foo smiled, and bowed to the hardware designer.
In that moment, the hardware designer achieved enlightenment.
I was raised as a Methodist and I was a believer until the age of eleven. Then I lost faith and became an annoying atheist for decades. In recent years I’ve come to see religion as a valid user interface to reality. The so-called “truth” of the universe is irrelevant because our tiny brains aren’t equipped to understand it anyway.
Our human understanding of reality is like describing an elephant to a space alien by saying an elephant is grey. That is not nearly enough detail. And you have no way to know if the alien perceives color the same way you do. After enduring your inadequate explanation of the elephant, the alien would understand as much about elephants as humans understand about reality.
In the software world, user interfaces keep human perceptions comfortably away from the underlying reality of zeroes and ones that would be incomprehensible to most of us. And the zeroes and ones keep us away from the underlying reality of the chip architecture. And that begs a further question: What the heck is an electron and why does it do what it does? And so on. We use software, but we don’t truly understand it at any deep level. We only know what the software is doing for us at the moment.
Religion is similar to software, and it doesn’t matter which religion you pick. What matters is that the user interface of religious practice “works” in some sense. The same is true if you are a non-believer and your filter on life is science alone. What matters to you is that your worldview works in some consistent fashion.
At Techdirt, Mike Masnick looks at a recent Supreme Court case that asks that very question:
The Obama administration made a really dangerous and ignorant argument to the Supreme Court yesterday, which could have an insanely damaging impact on innovation — and it appears to be because Solicitor General Donald Verrilli (yes, the MPAA’s old top lawyer) is absolutely clueless about some rather basic concepts concerning programming. That the government would file such an ignorant brief with the Supreme Court is profoundly embarrassing. It makes such basic technological and legal errors that it may be the epitome of government malfeasance in a legal issue.
We’ve written a few times about the important copyright question at the heart of the Oracle v. Google case (which started as a side show to the rest of the case): are software APIs covered by copyright. What’s kind of amazing is that the way you think about this issue seems to turn on a simple question: do you actually understand how programming and software work or not? If you don’t understand, then you think it’s obvious that APIs are covered by copyright. If you do understand, you recognize that APIs are more or less a recipe — instructions on how to connect — and thus you recognize how incredibly stupid it would be to claim that’s covered by copyright. Just as stupid as claiming that the layout of a program’s pulldown menus can be covered by copyright.
The judge in the district court, William Alsup, actually learned to code Java to help him better understand the issues. And then wrote such a detailed ruling on the issue that it seemed obvious that he was writing it for the judges who’d be handling the appeal, rather than for the parties in the case.
Ever have one of those fever dreams where you’re moving through the terrain of a video game? Want to recreate that experience for some reason? You’ll want to download Doomdream:
Ever play a video game so often that it shows up in your dreams?
That’s the idea behind Doomdream, an interactive experience created by Ian MacLarty to simulate what his own dreams look like after he’s been playing the classic 1993 shooter Doom all day.
Although there are no enemies, no combat or really any plot, it generates a labyrinth of pixelated gray tunnels and bloody stalagmites for you to wander in forever, recreating the nightmare of so many players who got lost in the purgatory of Doom’s looping levels, searching fruitlessly for an exit sign.
Undead Lab’s State of Decay became a cult hit when it released back in 2013. Last year, the developer announced State of Decay: Year One Survival Edition. This updated iteration packs in previously released DLC along with a 1080p graphical overhaul. And once the visuals became clearer, developer Undead Labs realized their contracted help for the game hid an abundance of phalluses in the game.
While working on State of Decay, Undead Labs hired contractors to help build some of the backgrounds. For reasons unknown, those contractors scattered a collage of genitalia across the backgrounds. However, the original version of the game was a low enough resolution that the naughty bits flew under the testing radar.
“Some of our contractors worked a ridiculous amount of genitalia into the background,” says Geoffrey Card, senior designer at Undead Labs in an interview with XBLA Fans.