Microsoft Port 25 interviews Miguel de Icaza

Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they can not always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."

  • by RingDev ( 879105 ) on Friday August 11, 2006 @05:19PM (#15891663) Homepage Journal
    Just go to http://port25.technet.com/ [technet.com] and click the link on the front page.

    -Rick
  • by RingDev ( 879105 ) on Friday August 11, 2006 @05:41PM (#15891815) Homepage Journal
    The -- (two hyphens) is resolving to %E2%80%94

    The link should be: http://port25.technet.com/archive/2006/08/11/Let_2700_s-talk-Mono_3A00_--Sam-interviews-Miguel-de-Icaza.aspx [technet.com]

    but some ass hat probably pasted it into MS Word to spell check the summary, and Word resolves -- to its funky double wide hyphen character.

    -Rick
  • Re:Enlighten me (Score:3, Informative)

    by dyamkovoy ( 993805 ) on Friday August 11, 2006 @06:06PM (#15891941)
    strcpy copies one string into a location without caring about how much space there actually is. Meaning a hacker (or careless programmer) can write too much into that location and overwrite important data (such as the stack). See Buffer Overflow [wikipedia.org].
  • Re:Enlighten me (Score:2, Informative)

    by tankbob ( 633230 ) on Friday August 11, 2006 @06:09PM (#15891948)
    strcpy works by reading the source string and copying to the destination until it encounters a null character.

    If the source string is longer than the allocated destination buffer then data can overflow into your program code. This could be exploited to execute arbitrary code.

    strncpy should be used instead as it allows you to specify the maximum number of chars to copy.
  • strcpy ok sometimes (Score:5, Informative)

    by KidSock ( 150684 ) on Friday August 11, 2006 @06:15PM (#15891979)
    I use strcpy. If you know for a fact that the string is terminated then it's overkill to use anything else. For example the below is perfectly legit:

        char buf[6];
        strcpy(buf, "hello");

    In fact, to truly protect yourself from invalid input you frequently need to write a state machine style input parser. It's the parser that ensures all strings are properly terminated which would mean all downstream copies could be performed safely with strcpy.

    It's far more important to understand *why* strcpy should not be used. Then you'll know when you *can* use it.
  • by Anonymous Coward on Friday August 11, 2006 @06:17PM (#15891995)
    ...but if you have some sort of argument about why Microsoft did not get the desktop right (at least in comparison to GNOME/KDE), I'm sure we'd all love to hear it.

    1. No select->middle-click->paste buffer.

    2. Ctrl-C/V/X behave inconsistently (it is entirely too easy to lose everything on the clipboard).

    3. No tools out of the box to automate user tasks like bash or perl.

    4. Crappy handling of file types.

    5. No virtual desktops. (The powertoy hack called MSVDM doesn't actually work.)

    6. Lack of support for standards: PostScript, PDF, MP3, DVD, NFS, SSH, SCP.

    7. The Registry.
  • Re:Enlighten me (Score:3, Informative)

    by cortana ( 588495 ) <sam@[ ]ots.org.uk ['rob' in gap]> on Friday August 11, 2006 @06:35PM (#15892099) Homepage
    Yes, and that's not such a serious problem--only a Denial of Service attack. But consider the case where your memory is arranged like this:

    char foo[10]  int authenticated
    [            ][                 ]

    Memory boxes not to scale. Or maybe sizeof(int) on this platform is really large. ;)

    Anyway, if you screw up and copy an 11-byte string over foo, the final byte will be written into authenticated. Now imagine that authenticated is a flag which stores whether the user is permitted to perform a privileged operation.

    What is interesting, but not really surprising, is that Microsoft chose to replace the unsafe functions such as strcpy with their own safe variants with names like safe_strcpy (though I can't remember the exact name, it's something like that). They could have just recommended people used already-existing functions such as strncpy or strlcpy, instead of adding yet another incompatibility obstacle that must be surmounted when porting software from/to the Windows platform...
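
The buffer-next-to-a-flag layout from the comment above, with an unchecked copy beside a length-checked one, as an added C example that is not part of any comment in this thread or of the daemon under discussion. `struct session`, `unchecked_copy`, `checked_copy` and the input are constructed for illustration; the input length is derived with `offsetof` because the compiler may pad between the two members.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from the comment: a 10-byte buffer followed by a flag
   (the compiler may insert padding between the two). */
struct session { char foo[10]; int authenticated; };

/* Copies up to the NUL and ignores the destination size, as strcpy() does.
   Writing via a byte pointer to the whole struct keeps it in one object. */
static void unchecked_copy(unsigned char *dst, const char *src) {
    while ((*dst++ = (unsigned char)*src++) != '\0')
        ;
}

/* Rejects any input that does not fit, terminator included. */
static int checked_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Returns the flag after copying a constructed input that reaches one byte
   into it, with (checked = 1) or without (checked = 0) a length check. */
int flag_after_copy(int checked) {
    struct session s = { "", 0 };
    char input[sizeof(struct session)];
    size_t n = offsetof(struct session, authenticated) + 1;
    memset(input, 'A', n);
    input[n] = '\0';
    if (checked)
        (void)checked_copy(s.foo, sizeof s.foo, input);
    else
        unchecked_copy((unsigned char *)&s, input);
    return s.authenticated;
}

int main(void) {
    printf("unchecked copy: authenticated = %d\n", flag_after_copy(0));
    printf("checked copy:   authenticated = %d\n", flag_after_copy(1));
    return 0;
}
```

The checked copy treats an oversized string as an error instead of truncating it, so the caller has to decide what to do with input that does not fit.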
  • by ciggieposeur ( 715798 ) on Friday August 11, 2006 @08:20PM (#15892471)
    Even the Microsoft CLI is more friendly than Unix, what with the "help" command.


    ~$ help
    GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
    These shell commands are defined internally. Type `help' to see this list.
    Type `help name' to find out more about the function `name'.
    Use `info bash' to find out more about the shell in general.
    Use `man -k' or `info' to find out more about commands not in this list.

    A star (*) next to a name means that the command is disabled. ...


    The Linux desktop has become quite usable - but it got there by copying Microsoft, and that is no shit...KDE and Gnome are both pretty hardcore ripoffs of Windows, although GNOME also manages to copy MacOS at the same time... Unfortunately, [Unix] only got there by copying Windows, which kind of blows the whole usability argument to kingdom come.

    I disagree. Windows never had selection buffer, virtual desktops, or remote desktop, items I absolutely require to be reasonably productive on X. KDE/GNOME brought us unified widget sets and control panels, and both were certainly inspired by both Windows and MacOS, but they go so far beyond Windows in overall functionality it's not even funny.