[geeks] Odd uptick in spam...
Jonathan C. Patschke
jp at celestrion.net
Fri Sep 7 08:38:03 CDT 2007
On Fri, 7 Sep 2007, der Mouse wrote:
> The difference between Microsoft crapware and "better" systems like
> VMS or even the BSDs is very hard to codify.

The difference in the products, possibly. The difference in the
attitudes between MSFT's developers and the BSD/VMS developers isn't.
MSFT still has, from what I've read of what their developers write, a
very pre-Internet concept of exploitable code. Defects aren't security
issues until they're proven to be security issues. A bug that just
causes some erroneous value to be passed around isn't a security bug
until someone details an actual code path to security-critical code and
demonstrates an exploit.

And even then, if it doesn't result in privilege escalation (just denial
of service), the response is generally "don't run bad code, then."
Raymond Chen's famous shooing-away of the message-pointer problem[0]
instead of recognizing it as a legitimate shortcoming of the platform is
a good example of this.

Everyone I've talked to who does work in the BSD circles and who used to
work on VMS ($ork has quite a few ex-DEC folks) regards their
software as a point of pride. It's not enough to get something out that
looks good, it has to be -Right-.

[0] Windows used to be a shared-memory environment: all applications
could see each other's memory. This changed with Win32. However, a
legacy of 16-bit Windows is that the API demands that some window
messages contain pointers encapsulated in the 32-bit integer
argument of the message. Messages can be passed between
applications. Ergo, applications can crash each other by passing
around perfectly valid messages that just happen to have the correct
argument pointing into never-never land. Most of the time the code
that dereferences this pointer is MSFT runtime library code, not
application code. More interesting fun can be had by using this
mechanism as code-injection.
--
Jonathan Patschke )
Elgin, TX ( "I detest logging filesystems."
USA ) --Linus Torvalds