
Sloppy is Sloppy

Week of August 19, 2001

This is getting beyond bizarre -- there's got to be a way that they
can check for buffer overflows before they release these things, no?
How do you check?

And why doesn't Apache have these gaping holes? Is it the
open-source development model that makes Apache more secure?

Less code? An older program so most of the bugs are gone?

Or what?

I honestly don't think MS programmers are idiots, so WTF is the
problem here?

Are people just picking over IIS and finding every flaw? But they
must pick over Apache too, no?

> there's got to be a way that they can check for buffer overflows
> before they release these things, no? How do you check?

I'm not sure you can. The programming principle is easy, and it's written all over the Windows API as it already is. Let me give you an example.

Say we're working with an ordinary application and we know the user has inputted something like a URL into a combobox such as your edit field in your location bar in Internet Explorer. That's called a combobox, even though Microsoft has screwed it up totally. The API you call to get the URL or whatever it is goes like this:

    SendMessage(hWnd, WM_GETTEXT, cchTextMax, (LPARAM) lpszText);

- The hWnd is the identifying 'window handle' of the combobox.
- The WM_GETTEXT is the message itself - 'gimme the text'.
- The lpszText is a pointer to YOUR buffer where the text goes.

But the most important of all is cchTextMax - this is the SIZE of your buffer. You tell the combobox how much buffer you have. By knowing this, the combobox cannot cause a buffer overflow.

This principle is all over programming - at least in the Windows environment. Another example:

    GetDlgItemText(hWnd, nID, lpString, nMaxCount);

You ask a window to get text from, for example, a combobox.

- hWnd is again the identifier of the window.
- nID is the identifier of the combobox within the window.
- lpString is the pointer to YOUR buffer, where the text goes.

And - AGAIN - nMaxCount is how much buffer you have, so the function does not overflow your buffer. It's written all over the API.

Even in cases where you cannot know beforehand how big a buffer needs to be, you can always find out how much space to allocate. Suppose you do not want a static allocation sitting around to handle a combobox URL of up to 30,000 bytes. Piece of cake. First you call the combobox and ask it: 'Exactly how much text do you have anyway?'
    SendMessage(hWnd, WM_GETTEXTLENGTH...);

Then you know, then you allocate enough space, then you get the buffer, then you don't have an overflow.

> why doesn't Apache have these gaping holes?

Precisely.

> I honestly don't think MS programmers are idiots

You are very kind, but this is where you are wrong, darlin'. Look closer at the US IT labour market. All these half-green cards. Look at how ppl work in Redmond - how Steve Ballmer treats them. MS does not want ppl with prior experience. They can't be brainwashed by Ballmer then. MS has never had 'names'. Cutler was a name. Look at how FEW bugs turned up in Cutler's NT. (Please realise that IIS is NOT part of Cutler's NT.)

They are every bit as shitty programmers as you suspect, darlin', and that is the reason. They really are. I have worked with them and dealt with them, and I tell you, they really are that shitty - in fact, they're even worse.

When ppl such as myself say MS is the software equivalent of McDonalds, we're not just trying to be cute. They truly are the equivalent. You no doubt are familiar with Paul Bocuse, the founder of the nouvelle cuisine. He has a fine restaurant in Lyon. Now imagine you took kitchen crew from a McDonalds restaurant and put them to work in Paul's restaurant. What would you get? You'd get a lot of buffer overflows is what.

One final comment and I will let you go. My company has been perhaps the chief antagonist against bloat in the PC commercial software industry. But we have also been one of the chief antagonists against bugs in MS software, as evidenced by ILOVEYOU, SirCam, and Code Red. The reason? 'Sloppy is sloppy.'

Bloat means you're dealing with sloppy programmers. The kind who work the McDonalds kitchen floor and drop hamburger patties all over the place. The kind who give you a hamburger where the mustard and ketchup are smeared all over the bun. Bugs means you're dealing with sloppy programmers too. It's the same thing.
You ask for a hamburger without pickle and you get it anyway. You get TOO MUCH onions. You get a root beer when you ordered a Diet Coke, and the lid falls off because they didn't put it on right. Or they hand you a bag with the top all crunched instead of folded neatly, or they put the drinks in the same bag as your burgers and your burgers get all wet.

It takes talent to be so dumb, it always has and it always will. It takes talent to be a sloppy programmer, but in the PC software industry they're all over the place. The stories about major bloopers are legendary and legion. How about Corel Draw 4, which was so bugged they withdrew it and later reintroduced it and finally denied ever releasing the bugged version in the first place? How about the whole 'beta campaign' thing we have today, with our 'GOLD' (sic) releases, our 'Release Candidates', etc.

How can programmers release code to ANYONE if they don't check it out first? How can programmers write bugged, bloated and above all SLOPPY code in the first place? Good programmers don't do this, darlin'. They never have and they never will.
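The buffer-size contract described above for WM_GETTEXT and GetDlgItemText, and the two-step WM_GETTEXTLENGTH sizing pattern, as an added example that is not the page's own code. It is a portable C stand-in, not the Win32 calls themselves: the combobox contents, get_text() and get_text_length() are constructed here to mimic the semantics the rant describes (the caller states its buffer size, the callee truncates rather than overruns).

```c
/* Added example, not the page's own code: a portable stand-in for the Win32
 * size contract the rant describes. Win32 is not used; get_text() mimics
 * WM_GETTEXT (copy at most cch_max-1 chars, NUL-terminate, return the count)
 * and get_text_length() mimics WM_GETTEXTLENGTH. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: what a user might have typed into the location bar. */
static const char *combobox_text =
    "http://example.test/a/very/long/path/that/is/longer/than/16/bytes";

/* WM_GETTEXTLENGTH stand-in: how many characters the control holds. */
size_t get_text_length(void) { return strlen(combobox_text); }

/* WM_GETTEXT stand-in: the CALLER states its buffer size (cch_max), so the
 * callee can never write past it, however long the control's text is. */
size_t get_text(char *buf, size_t cch_max) {
    if (cch_max == 0) return 0;            /* no room even for the terminator */
    size_t n = strlen(combobox_text);
    if (n > cch_max - 1) n = cch_max - 1;  /* truncate, keep room for the NUL */
    memcpy(buf, combobox_text, n);
    buf[n] = '\0';
    return n;
}

/* Fixed-size caller: a 16-byte buffer gets a truncated, still-terminated copy. */
size_t fetch_into_small_buffer(char *out16) { return get_text(out16, 16); }

/* Dynamic caller: the two-step pattern from the text. Ask the length first,
 * allocate exactly that plus the terminator, then fetch passing that size.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *fetch_exact(void) {
    size_t len = get_text_length();
    char *buf = malloc(len + 1);
    if (buf == NULL) return NULL;
    get_text(buf, len + 1);
    return buf;
}

int main(void) {
    char small[16];
    fetch_into_small_buffer(small);
    printf("16-byte buffer: '%s'\n", small);   /* truncated, no overflow */
    char *whole = fetch_exact();
    if (whole != NULL) { printf("exact buffer: '%s'\n", whole); free(whole); }
    return 0;
}
```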
Copyright © Radsoft. All rights reserved.