posted by chromas on Monday April 09 2018, @06:12PM
from the (unsigned int) dept.

https://www.theregister.co.uk/2018/04/04/microsoft_windows_defender_rar_bug/

A remote-code execution vulnerability in Windows Defender – a flaw that can be exploited by malicious .rar files to run malware on PCs – has been traced back to an open-source archiving tool Microsoft adopted for its own use.

[...] Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.


  • (Score: 1, Interesting) by Anonymous Coward on Monday April 09 2018, @08:22PM (25 children)

    by Anonymous Coward on Monday April 09 2018, @08:22PM (#664649)

    So we are sitting in front of machines that are a bajilianty times more powerful than a 1970s pocket calculator and somehow moving a few differently sized numbers around somehow trips things up in a way that not only crashes a program but also instantly opens the door for all teh ebil hackers.

    Perhaps the real problem is these crappy cryptic convoluted C style programming languages that allow this to be a problem in the first place.

  • (Score: 5, Informative) by Anonymous Coward on Monday April 09 2018, @08:25PM (14 children)

    by Anonymous Coward on Monday April 09 2018, @08:25PM (#664651)

    Perhaps the real problem is that people who know very little about software development are paid to develop software. But no, blame the tool for giving programmers 'too much power'.

    • (Score: 3, Funny) by Bot on Monday April 09 2018, @10:51PM (10 children)

      by Bot (3902) on Monday April 09 2018, @10:51PM (#664727) Journal

      Friendly reminder that the ++ in C++ actually symbolizes cemetery crosses.

      --
      Account abandoned.
      • (Score: 2, Informative) by anubi on Tuesday April 10 2018, @02:29AM (9 children)

        by anubi (2828) on Tuesday April 10 2018, @02:29AM (#664785) Journal

        C++, like a power saw, can be used to make really fine work, rapidly.

        It can also make a helluva mess, rapidly.

        C++ has enormous power, as it was designed in an age where it was to be a "one size fits all".

        If you wanted to "expand" C++, you did not even think of using another compiler... nah - you wrote a library of the functions you needed. C++ with libraries of anything special could do anything.

        C++ has pointers. That made it extremely powerful; the only thing more powerful was an assembler.

        And it was a really close call whether or not the C++ compiler would write tighter code than I could in an assembler.

        My favorite was Borland's C++ ver 4.51 for Windows, and ver. 3.0 for DOS; the Windows version also came packaged as "C++ Builder" for Windows.

        The assemblers and compilers were actually given away in the day, as premiums on a CDROM on the cover of "PC Plus" magazine.

        And Borland also released an equivalent Pascal version for Windows... never got too much into that one though. Both +Fravia and Gibson Research used to talk a lot about using Assembler. I could write some really concise code with it. Took forever to write 10K of code, but boy was that code dense. I could do a helluva lot of stuff in 10K of code.

        Incidentally, does anyone still do assembly anymore? That was my prime language in my younger years. You know, TASM, MASM, NASM, and lots of little custom variants...

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 2, Flamebait) by PiMuNu on Tuesday April 10 2018, @03:03AM (8 children)

          by PiMuNu (3823) on Tuesday April 10 2018, @03:03AM (#664795)

          C++ is a real mess, however.
          * Syntax is inconsistent - e.g. calling constructor with no arguments has different syntax to constructor with arguments
          * Syntax is awful - ever tried doing anything complicated with templates? Ever done it *quickly*?
          * How much implicit darkness does C++ do behind your back? Default constructors, "implicit" keyword, etc

          (I use C++ as my main low-level programming language, I just don't like it)

          • (Score: 1) by anubi on Tuesday April 10 2018, @07:14AM (1 child)

            by anubi (2828) on Tuesday April 10 2018, @07:14AM (#664852) Journal

            Those are excellent points.

            To me, the C++ is more like the English language... it has a few quite illogical exceptions, but I can use it to communicate to others. It's the most effective communications thing I have.

            Gotta admit I would hate to lay out a web page in C++.

            I do mostly embedded, so C++ for the big stuff and assembler for bit-banging the hardware driver.

            I was programming Fortran 77 before, and really fell in love with C++ structures.

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
            • (Score: 2) by PiMuNu on Tuesday April 10 2018, @08:46AM

              by PiMuNu (3823) on Tuesday April 10 2018, @08:46AM (#664867)

              It's a nice analogy...

          • (Score: 2) by tangomargarine on Tuesday April 10 2018, @04:24PM (5 children)

            by tangomargarine (667) on Tuesday April 10 2018, @04:24PM (#665008)

            * Syntax is inconsistent - e.g. calling constructor with no arguments has different syntax to constructor with arguments

            * How much implicit darkness does C++ do behind your back? Default constructors, "implicit" keyword, etc

            I've been under the impression that C++ is one of the most consistent languages you can find anywhere. Whether you *understand* or *agree with* why it does stuff a certain way is another thing.

            --
            "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
            • (Score: 0) by Anonymous Coward on Tuesday April 10 2018, @06:43PM

              by Anonymous Coward on Tuesday April 10 2018, @06:43PM (#665058)
              I heard there are Lisp style languages that are so consistent that they can be used to prove math theorems.
            • (Score: 2) by PiMuNu on Tuesday April 10 2018, @08:26PM (3 children)

              by PiMuNu (3823) on Tuesday April 10 2018, @08:26PM (#665086)

              Well, what does consistency really mean? I argue that it means doing what it does with the smallest possible number of syntactical exceptions/keywords/junk to remember (shannon entropy anyone?). C++ has absolutely tonnes of magic keywords and weird exceptions. I highlighted a few in GP. I found a list of keywords here for C++ (about 100 reserved words):

              http://en.cppreference.com/w/cpp/keyword [cppreference.com]

              Compare with python (about 40 reserved words):

              https://www.programiz.com/python-programming/keyword-list [programiz.com]

              and java (about 50 reserved words):

              https://docs.oracle.com/javase/tutorial/java/nutsandbolts/_keywords.html [oracle.com]

              Not definitive, but gives a feel for how complex the language is.

              • (Score: 2) by tangomargarine on Tuesday April 10 2018, @08:48PM (2 children)

                by tangomargarine (667) on Tuesday April 10 2018, @08:48PM (#665096)

                "Fewest keywords" seems like a somewhat odd hill to make your stand on, but okay I guess. Fewer keywords is what I'd call more simple, not more consistent, though I can kind of see where you're coming from.

                Python was explicitly designed (6 years later) to be elegant, and has things that it can't do that C++ can. From what I've read, Java would be more streamlined still if they had designed generics into it from the get-go instead of 1.2. But again, there's a lot of stuff Java can't do because of the JVM. So yes, naturally Python and Java will be simpler than C++. Kind of a tautology.

                (shannon entropy anyone?)

                Shannon entropy H is given by the formula [math I won't figure out how to reproduce here] where p_i is the probability of character number i appearing in the stream of characters of the message.

                Erm...okay bleeding from the eyes now after looking that up and not sure what your point is. It sounds like you're arguing from a standpoint of which language is more "beautiful" than which, rather than the principle of least surprise.

                --
                "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
                • (Score: 2) by PiMuNu on Tuesday April 10 2018, @08:59PM (1 child)

                  by PiMuNu (3823) on Tuesday April 10 2018, @08:59PM (#665099)

                  Can you think of a better estimator of "easiest syntax"?

                  • (Score: 2) by tangomargarine on Tuesday April 10 2018, @09:44PM

                    by tangomargarine (667) on Tuesday April 10 2018, @09:44PM (#665112)

                    We weren't talking about "easiest." The original term was "most consistent," which ironically we are very lacking in this conversation.

                    I would generally agree that Java/Python are easier and more elegant to use. You want C++ for large, complex projects, that you want to be efficient and maintainable || embedded programming. Or at least that's my impression.

                    Mostly I'd contrast C++ with Ruby and JavaScript. I really don't like duck typing. Just the ideas of not being able to figure out what sort of data a variable holds from a glance at the code, having no compile-time checking--the only way to tell whether your code works is to run it--make me feel nervous and icky. Stuff like this [destroyallsoftware.com] just bends my principle of least astonishment over a chair and fucks it senseless.

                    Personally I think it would even be a better idea to teach students Ada than C++ as their first language (no, stop laughing! :) because it forces you to think in terms of diligent consistency. Programming isn't something you can just wildly chuck at a wall and hope for the best with. And I found my crash course in assembly pretty informative as to explaining why we do fundamental things certain ways in programming.

                    Still not sure whether I really like C++. I was doing a year of unit testing in it in 2016, and wrestling with the compiler output was a constant struggle. It would never outright lie but it usually seemed to be doing its best to mislead me as to what the problem was. Forget to initialize a member of a structure and it spits out some cryptic thing about memory alignment difficulties. Once you got into the right line of thinking about it, it usually made some perverse sort of sense, though. And C++ doesn't try to hide the fact that it's using pointers like Java. And you can specify how to pass parameters! Just being able to tell the code exactly what you want it to do is nice sometimes. No "Java is pass by value...except the value is the reference...except for primitives" mindtwisters.

                    I'm doing mostly JavaScript now, but prefer Java (CLI) or C# (GUI) for personal projects. Just going to trail off now. I'm 28 so that's my $0.02.

                    --
                    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 0) by Anonymous Coward on Tuesday April 10 2018, @03:00PM (2 children)

      by Anonymous Coward on Tuesday April 10 2018, @03:00PM (#664968)

      Sorry, but part of the problem really is that C's signed/unsigned handling is badly designed.

      For example, if you compare a signed value with an unsigned value, then first the signed value is implicitly converted to unsigned, which can make it massively larger, and then that unsigned value is compared with the other unsigned value.

      The right thing would have been to define signed/unsigned comparison to be just the comparison of the numbers those values represent, so if a is a negative signed value, and b is an unsigned value, a<b will give true.

      "But that would have less performance!" Maybe. But then, if you need the performance, you can always explicitly cast to unsigned (or, alternatively, cast the unsigned value to signed!). That costs no performance, but makes the potential bug obvious. Or you could do what good C programmers do anyway: Just avoid comparing signed and unsigned values altogether. Except that the penalty for accidentally doing such a comparison would be a minimal reduction of code efficiency, rather than possibly a gaping security hole.

      One might even argue that the compiler should not have allowed signed/unsigned comparisons in the first place, forcing programmers to explicitly decide for either signed or unsigned comparison, or explicitly writing the code needed to correctly handle mixed comparison.

      And yes, C programmers should know about that problem, and to avoid it. But that doesn't mean there's no problem with C.

      To make a car analogy: If a certain brand of car breaks down if you switch on the light while in the first gear, drivers of that car should really be educated about that problem, and certainly you'd expect an experienced driver to not turn on the lights while in the first gear. But that does not mean there's nothing wrong with a car which breaks down from switching on the lights while in the first gear.
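The conversion rule this comment describes, and the kind of always-false check that the story's "signed variables converted to unsigned" rewrite produces, as a constructed C example added here; this is not the unrar or Windows Defender code, and the function names and the LEN_INVALID sentinel are made up for the demonstration.

```c
/* Constructed demonstration of C's mixed signed/unsigned comparison rule
 * and of what goes wrong when a signed variable is blindly made unsigned.
 * Not the unrar or Windows Defender code. Build with -Wall -Wextra to see
 * the -Wsign-compare and -Wtype-limits warnings discussed in the thread. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* What the language actually does: the int is converted to unsigned
 * before the comparison, so -1 becomes UINT_MAX and is NOT less than 1. */
bool less_than_as_c_does_it(int a, unsigned b) {
    return a < b;                       /* -Wsign-compare warns here */
}

/* What the comment argues the language should do: compare the numbers
 * the values represent. Any negative int is below any unsigned value. */
bool less_than_mathematically(int a, unsigned b) {
    if (a < 0) {
        return true;
    }
    return (unsigned)a < b;             /* a is non-negative, cast is exact */
}

/* Sentinel for "rejected"; a hypothetical choice for this demo only. */
#define LEN_INVALID UINT_MAX

/* Original, signed style: the negative-length check is meaningful.
 * The subtraction is done in long long so it cannot itself overflow. */
unsigned span_length_signed(int start, int end) {
    long long len = (long long)end - start;
    if (len < 0) {                      /* can really be negative */
        return LEN_INVALID;
    }
    return (unsigned)len;
}

/* The same code after a mechanical signed->unsigned conversion.
 * end - start wraps instead of going negative, and "len < 0" can never be
 * true (the same trap as "while (x >= 0)" on an unsigned x), so a huge
 * bogus length is returned instead of the input being rejected. */
unsigned span_length_converted_naively(unsigned start, unsigned end) {
    unsigned len = end - start;
    if (len < 0) {                      /* dead code: -Wtype-limits warns */
        return LEN_INVALID;
    }
    return len;
}

/* Correct unsigned version: test the operands before subtracting,
 * so wraparound cannot happen and a reversed range is still rejected. */
unsigned span_length_unsigned(unsigned start, unsigned end) {
    if (end < start) {
        return LEN_INVALID;
    }
    return end - start;
}

int main(void) {
    printf("-1 < 1u as C sees it:     %d\n", less_than_as_c_does_it(-1, 1u));
    printf("-1 < 1u mathematically:   %d\n", less_than_mathematically(-1, 1u));
    printf("span(10,4) signed:        %u\n", span_length_signed(10, 4));
    printf("span(10,4) naive unsigned:%u\n", span_length_converted_naively(10u, 4u));
    printf("span(10,4) fixed unsigned:%u\n", span_length_unsigned(10u, 4u));
    return 0;
}
```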

      • (Score: 2) by tangomargarine on Tuesday April 10 2018, @04:19PM (1 child)

        by tangomargarine (667) on Tuesday April 10 2018, @04:19PM (#665005)

        For example, if you compare a signed value with an unsigned value, then first the signed value is implicitly converted to unsigned, which can make it massively larger, and then that unsigned value is compared with the other unsigned value.

        Doesn't the compiler spit out a warning on this, though? If you're blanket-suppressing warnings in C++ you kind of deserve what you get.

        My previous job involved C++ work and I'll be the first to admit that what the compiler tells you can be pretty misleading. But at least you know there's *some* problem.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 0) by Anonymous Coward on Tuesday April 10 2018, @04:51PM

          by Anonymous Coward on Tuesday April 10 2018, @04:51PM (#665016)

          Yes, compilers started to spit out warnings for this specific problem exactly because it is a problem (I have no idea if all of them do).

          Actually, many compiler warnings are actually pointing out design flaws of the language. If the language were properly designed, you'd not need the warning.

  • (Score: 2) by turgid on Monday April 09 2018, @08:53PM (1 child)

    by turgid (4318) Subscriber Badge on Monday April 09 2018, @08:53PM (#664670) Journal
    • (Score: 3, Interesting) by DannyB on Monday April 09 2018, @09:11PM

      by DannyB (5839) Subscriber Badge on Monday April 09 2018, @09:11PM (#664681) Journal

      Back in the day, I liked Modula 3. At least the specification. As a Pascal programmer, I dreamed of being able to have Modula 3. But things moved on. I learned Lisp, and C seemed to take over the world.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 5, Interesting) by DannyB on Monday April 09 2018, @09:09PM (4 children)

    by DannyB (5839) Subscriber Badge on Monday April 09 2018, @09:09PM (#664679) Journal

    C and C++ have their place. As does assembler.

    That place is NOT writing application software. In fact it should not have a place writing basically anything in user space, other than perhaps infrequently things like codecs, encryption, compression, etc. And those should be library functions callable from sane programming languages.

    C and C++ are great for microcontrollers. (But increasingly higher level languages work here as well.)

    C and C++ are great for building the OS and drivers. But they are a very fragile building material for building the entire world that sits on top of that foundation. It can also be argued that even parts of the OS and drivers can be written in other link-compatible languages that compile to direct machine code without runtime library support.

    At some point, the gains in human productivity are worth using higher level, more abstract languages. Even at the cost of some runtime efficiency. I remember talking to someone on vacation last June about this. In the context of applications. And my application is a web application. He said Java took too much memory and too many CPU cycles. I pointed out that, especially for web applications, Java, and other high level languages and frameworks are far superior to C / C++. My managers wouldn't bat an eyelash if I asked for more memory, but I could beat my C / C++ competitor to market by six months to a year. You should be optimizing for dollars, not for bytes and cpu cycles.

    Long ago very similar languages were had about writing in assembler (the one true way!) vs higher level languages like FORTRAN or C. And we see which way that turned out. In favor of abstractions and human productivity. Even though any decent assembly guy could hand code way better machine code than the compilers of the era produced.

    Just IMO.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 2) by FatPhil on Monday April 09 2018, @10:57PM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday April 09 2018, @10:57PM (#664731) Homepage
      Totally agree. Apart from the c++ bit. C++'s niche is so invisibly narrow I'm not sure it even exists any more.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 3, Informative) by Subsentient on Tuesday April 10 2018, @01:15AM (2 children)

      by Subsentient (1111) on Tuesday April 10 2018, @01:15AM (#664763) Homepage Journal
      I can't agree. I think C++ has a large place in userland, the problem is programmers who don't know how to use it safely. C++ has plenty of high level constructs, yet you see people doing stuff like writing their own buggy strncpy() and using that, instead of a string class. C++ is a dangerous language, I can't deny that, because it gives you plenty of ammo to shoot yourself in the foot. The safety of Java and C# comes from being limited in capability. Do you remember Windows Vista? Do you remember what a bloated piece of shit it was? Know part of why that was? Because Microsoft rewrote a bunch of components in C# to be "with it/hip". Now, C and C++ have lots of very serious flaws, and they're very old languages, but I shudder at the idea of the majority of userland being written in a JVM-style language. Rust might be a good answer, if it's ever standardized and given GCC and Clang support. It has real pointers, real pointer arithmetic, it just makes you type "unsafe" so you know you're doing something potentially retarded. I'd be alright with that. Go isn't a good idea, because while it's a compiled language, it limits what you can do too much, just like Java would. Until it's standardized and gets lots of cross-platform OS support however, I don't think Rust is a viable replacement.
      --
      "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
      • (Score: 2) by DannyB on Tuesday April 10 2018, @01:26PM

        by DannyB (5839) Subscriber Badge on Tuesday April 10 2018, @01:26PM (#664930) Journal

        First, I think we live in different worlds. You are thinking close to the hardware. I'm thinking in terms of higher and higher level abstractions away from the hardware.

        Your argument seems to be that Java is limited in capability. And that if people work hard enough they can learn to use C++ safely. That simply repeats the ancient Assembly language vs FORTRAN debates of decades ago, and we know how the high level language vs Assembly turned out in favor of high level languages despite their inefficiency.

        My argument was that you should not be able to shoot yourself in the foot unless you go out of your way to do so. It should not be possible to accidentally shoot yourself in the foot.

        As for limited in capability, I'll grant you that Java is definitely not a language for writing an OS, device drivers, and microcontroller code. I think I already made that abundantly clear. But for a language of "limited capability", it has libraries to do everything, and has been the #1 language on TIOBE and other language indexes for jobs for years and years now. Java is used in banks, even for high speed trading.

        The fact that Java is so widely used must mean that it has something going for it. You might not recognize that that is, nor even like it. But it is very real. If there were one perfect programming language, everyone would be using it already.

        I already mentioned that when arguing about runtime costs, you should be optimizing for dollars. For more memory and CPU, I get amazing runtime monitoring, dynamic class reloading, garbage collection, highly optimized compilation to native code -- for the SPECIFIC processor that we're running on at runtime, not just some generic ahead-of-time compilation to generic amd64 that will run on all processors. In short, for those machine costs you are so concerned with, I get huge business and productivity benefits. More memory and CPU is a cheap price to pay. You're thinking too low level -- for application code. But again, C / C++ are great for low level code. Just not for applications.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 2) by DannyB on Friday April 13 2018, @04:45PM

        by DannyB (5839) Subscriber Badge on Friday April 13 2018, @04:45PM (#666513) Journal

        I just want to point out:
        https://www.technotification.com/2018/04/highly-demanded-programming-languages.html [technotification.com]

        I see these from time to time. Just happened to stumble into one right now. As usual, Java is the number one language in demand.

        I'm not saying anything bad or negative about other languages. My only point here is that if Java is in such demand, there must be some reason for that. Some perfectly valid dollars-and-sense reason.

        As I said in my very first sentence earlier, all languages have a place. If there were a perfect language, we would ALL already be using it. Java has its warts like all others.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 2) by leftover on Tuesday April 10 2018, @02:24AM

    by leftover (2448) on Tuesday April 10 2018, @02:24AM (#664782)

    I have to agree with this plus add a spin. IMHO, the arcane convolutions in C are a clear problem for maintaining code. Even trying to debug your own code six months later is a PITA. C++ did some nice language things but, again IMHO, borked the whole field with Object-Oriented Programming. I hated OOP when it was first emerging and I still hate it now from both viewpoints of coder and manager. In OOP, the coder needs to mentally integrate all the external classes, methods, operators, namespaces, etc. plus entire new buckets of this shit added for every library used. Damned few people can achieve that for even a short time. The inevitable result is bugs and non-functionality, insane levels of bloat. In short, what we are seeing in the entire computing industry. Billion-dollar projects abandoned, mass-market products that never work cleanly for their entire lives, open-source fields populated with twenty alternatives that don't work, all adding up to a truly staggering waste of resources. Additionally, hiring only people who claim to be OOP super-performers will result in a corral full of bloviating assholes.

    Algol had the right idea with good structure and just a little bit of abstraction. Adding more than a pinch of abstraction is as harmful as adding too much paprika to deviled eggs. Of current options, I find myself liking Google's Go enough to overcome my anger at their becoming evil. Pointers, optional dynamic typing and garbage collection, optional strong typing in a compiled language. It looks much like Python code written without OOP. Learn the simple language rules and you can write or debug any function|code put in front of you. You can be interrupted and not need four hours plus counseling to get back in the groove. I have written Go code for workstation clusters and microcontrollers. Does it hide all the differences between them? Nope, nor would I want it to.

    (Don't even let me get started on the proliferation of event loops!)

    --
    Bent, folded, spindled, and mutilated.
  • (Score: 0) by Anonymous Coward on Tuesday April 10 2018, @07:56AM (1 child)

    by Anonymous Coward on Tuesday April 10 2018, @07:56AM (#664859)

    Nope.

    Create an unsigned integer x in any language of your choice. Then do a while(x >= 0). Your program will hang.

    In fact, take any language with more than one variable type, and change a variable to a different type without understanding the consequences. You will run into problems.

    A Javascript example:

    if(0) // false.
    if("0") // true

    • (Score: 2) by tangomargarine on Tuesday April 10 2018, @04:15PM

      by tangomargarine (667) on Tuesday April 10 2018, @04:15PM (#665000)

      Nope.

      Create an unsigned integer x in any language of your choice. Then do a while(x >= 0). Your program will hang.

      I like how your example ironically uses an *unsigned* integer. Does anybody other than the aforementioned C-style languages use unsigneds these days?

      In fact, take any language with more than one variable type, and change a variable to a different type without understanding the consequences. You will run into problems.

      A Javascript example:

      if(0) // false.
      if("0") // true

      Well yeah, because JavaScript is horrible and ugly and no.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"